AEPD (Spain) - EXP202310096
Latest revision as of 16:13, 25 February 2025
| AEPD - EXP202310096 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(2) GDPR, Article 9(2)(a) GDPR, Article 13(1) GDPR, Article 13(2) GDPR, Article 30 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 08.09.2021 |
| Decided: | 11.07.2024 |
| Published: | 30.07.2024 |
| Fine: | 15,000 EUR |
| Parties: | Gomera Trail Paradise; Data subject |
| National Case Number/Name: | EXP202310096 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | aepd.es (in ES) |
| Initial Contributor: | Arran |
The DPA fined a race organiser €15,000 for unlawfully collecting participants' health data related to COVID-19. The organiser failed to properly inform the participants and to collect their explicit consent under Article 9(1)(a) GDPR.
English Summary
Facts
The organiser of the "Gomera Paradise Trail" race, the data controller, required participants (the data subjects) to submit proof of full COVID-19 vaccination, proof of past infection, or a negative PCR test taken within 48 hours before the event in order for them to participate. This requirement was communicated to participants via email on August 19, 2021, shortly after the registration period closed. The email instructed participants to upload the required documents to their private participant area on the event’s official website, accessible via their registration ID and email.
A second email sent on August 24, 2021, clarified that submission of these documents was not mandatory, but encouraged as a measure to ensure event safety. Despite this, many participants uploaded their health data to the platform (690 participants out of 1,350 in total). The Spanish DPA (AEPD) initiated an investigation following a complaint filed on September 8, 2021, questioning the legality of collecting such sensitive health data under the GDPR. The initial investigation expired due to procedural deadlines, but a new proceeding was initiated.
The AEPD found that the controller lacked a valid legal basis for processing health data, failed to provide adequate information to participants, and did not maintain a proper record of processing activities.
Holding
The Spanish Data Protection Agency (AEPD) held that the event organiser processed health data by collecting COVID-19 vaccination certificates, proof of past infection, or negative test results. The AEPD found that while the organiser relied on explicit consent under Article 9(1)(a) GDPR, it failed to ensure that the consent was freely given, explicit, and informed, as participants felt pressured to provide their health data in order to take part in the race. The organiser did not clearly explain that sharing this information was optional until days later, very close to race day. Many participants may therefore have believed it was a requirement, which invalidated their consent.
The AEPD also found a violation of Article 13 GDPR. The organiser failed to provide clear information about why health data was being collected, how long it would be kept, or who would have access to it. The event’s privacy policy did not mention these details, leaving participants without proper knowledge of how their data would be used.
Additionally, the AEPD ruled that the organiser did not maintain proper records of data processing, violating Article 30 GDPR. There was no clear documentation of how health data was collected and managed. This lack of records showed poor compliance with data protection rules.
As a result, the AEPD imposed a fine of €15,000 for violations of Articles 9, 13, and 30 GDPR. The decision highlights the need for valid consent, clear communication with data subjects, and proper record-keeping when processing sensitive data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/45 File No.: EXP202310096 SANCTIONING PROCEDURE RESOLUTION From the procedure instructed by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) filed a complaint with the Spanish Data Protection Agency on 09/08/2021. The claim is directed against B.B.B. with NIF ***NIF.1 (hereinafter, respondent). The reasons on which the claim is based are that in order to participate in the “Gomera Paradise Trail” race, personal data associated with COVID vaccines and diagnostic tests are collected. Provides: 1) Printing of a message from “Gomera Paradise”, 08/19/2021, to the claimant, with the “X Gomera Paradise” logo, “vaccination certificate or antigen or PCR test”. It is reported: “after analyzing the current situation derived from the COVID-19 pandemic, the organization has decided to request the following from the participants, as recommended by the different public organizations: -Certificate of complete vaccination schedule or, failing that, certificate of having the relevant dose for having already had COVID-19. -Failing that, with a maximum of 48 hours prior to the celebration of the test to be carried out, a PCR or antigen test with a negative result. The format to be carried out will be through the website gomeraparadise.com in which the organisation will enable a private participant area, through which they will access using the registration ID and the email that they indicated when registering- (attached file of the registration confirmation). In their account they will have a section where they can attach said certificate via PDF or JPG”. SECOND: The claim gave rise to the initiation of the sanctioning procedure EXP202103884, action code PS/00291/2022, which was archived due to expiration of the file on 11/07/2023. 
In this resolution it was indicated: “As for the effects, article 95 of Law 39/2015, of 1/10, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP) states: “3. The expiration will not produce by itself the prescription of the actions of the individual or of the Administration, but the expired procedures will not interrupt the prescription period. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/45 In cases where the initiation of a new procedure is possible because the prescription has not occurred, the acts and procedures whose content would have remained the same if the expiration had not occurred may be incorporated into it. In any case, in the new procedure the procedures of allegations, proposal of evidence and hearing of the interested party must be completed.” “In this specific case, it was a few days after the registration period for the race closed, on 08/19/2021, when the respondent sent the participants an email, stating: “after analyzing the current situation arising from the COVID-19 pandemic, the organization has decided to request the following from the participants, as recommended by the different public bodies: -Certificate of complete vaccination schedule or, failing that, certificate of having the relevant dose for having already had COVID-19. -Failing that, with a maximum of 48 hours prior to the celebration of the test to be carried out, a PCR or antigen test with a negative result.” The aforementioned resolution was notified to the respondent on 07/11/2023, and is final in the administrative way, as the one-month period has elapsed without the claimant having filed an optional appeal for reconsideration. THIRD: On the date on which the archiving agreement was issued, it was estimated that the limitation period for the alleged infringements provided for in article 71 and following of the LOPDGDD had not elapsed. 
Pursuant to article 95.3, second paragraph of the LPACAP, since the possible infringements are not considered to be prescribed, the agreement to start this procedure incorporated "the acts and procedures whose content would have remained the same if the expiration had not occurred", namely: 1)- The verification actions of the General Subdirectorate of Data Inspection of EXP202103884, action code PS/00291/2022, specifically with the literal: "The General Subdirectorate of Data Inspection verified the following: a) Print of 10/21/2021, of the page gomeraparadise.com/regulation/, which contains the REGULATION OF THE RACE: "regulation X Gomera Paradise Trail21", of which it stands out: -Mountain race organized by "GOMESPORT EVENTOS" that will be held on 10 and 11/09/2021. -According to its modalities, people from 14 years old can participate. -To participate, among other requirements to be met, they must formalize the registration by filling out a form published on the official website, www.gomeraparadise.com in the registration section. The deadline for this is from 14/05 to 15/08/2021. -Acceptance of the Race Regulations is derived from the formalization of the registration of participation (art. 1). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/45 -In article 14 of “collection of bibs”, which is carried out once registered, from 6 to 10/09/2021, it is stated that “the participant must submit a covid-19 protocol document in which he/she undertakes to have complied with the measures stipulated therein”. -In article 9, it is indicated that the payment of the registration fee will be divided into two: the first being from 14/05 to 14/07/2021. 
b) On 10/21/2021, on the gomeraparadise.com page, there is a “Privacy Policy and Data Protection”, with the “Gomera Paradise Trial” logo indicating: “B.B.B.”, the respondent, as the data controller, “processes the data of “clients and visitors to provide the services requested by users, or to resolve doubts or questions raised by our visitors”. It is reported that “all data provided by our clients or visitors to the website will be included in the record of activities for the processing of Personal Data” of the data controller “essential to provide the services requested by users, or to resolve doubts or questions raised by our visitors. “Legitimacy of the treatment: Why do we need your data? 1. a) Contractual relationship: This is the one that applies when you buy one of our products or hire one of our services. b) Legitimate interest: To respond to queries and claims you submit to us and to manage the collection of amounts owed. c) Your consent: If you are a user of our website, by checking the box that appears in the contact form, you authorize us to send you the communications necessary to respond to the query or request for information raised.” 1) As part of the preliminary actions, AI/00029/2022, which also appeared in the previous initiation agreement, under the following: “- On 01/25/2022, the Data Inspection sent a request for information to the respondent by postal mail that was delivered on 02/04/2022, as shown in the proof of delivery of the Postal service. The respondent was asked to provide the following information and documentation: “1.- The legal basis for the processing and, where applicable, the circumstance that lifts the prohibition to process special categories of data, according to article 9 of the GDPR. 2.- The purpose of the processing. Copy of the Activity Record of the processing. 3.- The appropriate guarantees implemented for the protection of the rights and freedoms of individuals. 
4.- The categories of interested parties (workers, clients, users, etc.) and the information provided to them about the processing of the data. Number of interested parties from whom the data has been collected and description of the data collected. 5.- The Impact Assessment carried out or the reasons why it has not been carried out (to know the list of personal data processing that requires an impact assessment, as well as any other information related to impact assessments, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/45 you can consult the “Manage EIPD” tool at https://www.aepd.es/es/guias-y- herramientas/herramientas/gestiona-eipd) 6.- The decision adopted regarding this claim. 7.- Report on the measures adopted to prevent similar incidents from occurring, implementation dates and controls carried out to verify their effectiveness. 8.- Any other measures that you consider relevant.” After the given period had elapsed without obtaining a response to the request, dated 03/29/2022, the request for information was reiterated, with the Agency receiving a letter from the respondent dated 04/08/2022 in which he states the following: - The event for which the PCR or vaccination certificate is requested is a private event, "which is organized by him as a self-employed person and person responsible for it" and is governed by a regulation that those who participate in the race must accept. Its article 24 indicates that it can be rectified, modified, improved at any time by the organization. 
- “All registrations and all relevant data collected from participants are hosted on an Online Sports Event Registration Platform, which is governed by the following privacy policy, and through which all relevant information of each and every participant is distributed, including both the vaccination or test schedule certificate.” Provides a copy-paste transcript on the “RULES OF USE AND CONDITIONS ACCEPTED WHEN MAKING A REGISTRATION” page, “text in force since 11/18/2021”, which contains, among others, the following clauses: 1ACCEPTANCE 1.1. You are making a registration through the AVAIBOOK SPORTS system, which is a technological solution contracted by the event registration manager and provided by AVAIBOOK ON-LINE S.L. 1.2. By registering, you expressly accept these General Conditions (GC) in their entirety. 2. CONTRACT 2.1 “By registering for the event through the AVAIBOOK Sports system, the legal relationship that is generated is exclusively between you -hereinafter the registrant- and the event registration manager -hereinafter MANAGER-. AVAIBOOK simply provides the technological tool that allows the registrations to be managed for the event, and therefore has no liability whatsoever for the holding or suspension of the event, the information provided by the MANAGER about it, possible organizational failures, any damage or harm that the registrant or his/her belongings may suffer during the holding of the event or for any other reason not related to its technological solution. (…) 6. PROTECTION OF PERSONAL DATA 6.1. In accordance with the provisions of Article 33 of Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights, AVAIBOOK will be considered the “Data Processor” and, therefore, access by AVAIBOOK to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/45 personal data of REGISTRANTS, for the sole purpose of providing the event registration service, will not be considered communication or transfer of data. 
- The respondent states that given the epidemiological situation derived from the COVID-19 pandemic, "after having obtained authorization from the Health Department for the holding of the event, he considered it appropriate to request one of the two options explained above, simply for the sole and exclusive reason of guaranteeing the maximum possible safety of all participants in the event and, if an outbreak of said disease occurs at the event, to be able to have greater control and limitation of possible serious infections, all by exposing all the information to the competent public entities of the same." - The respondent states that "On 08/19/2021, an email was sent to the participants, through the online registration platform and requesting that this information be uploaded to the online registration platform, through which it can only be accessed having formalized the registration and having previously accepted the privacy policy of the same." The message, which is provided by a screenshot, included the same text as the printout of the message provided by the complainant, which was missing, continuing that literal: “This option will be enabled from Monday 23/08 to Sunday 5/09 for the option of the Vaccination Certificate. In the case of PCR or Antigen tests, you must provide it to the Organisation when collecting the bibs. At this time, if we want competitions to continue to be organised, we must adapt to the current situations. 
Finally, it should be remembered that, if you have any questions about this email, you should send an email to info@gomeraparadise.com, only for questions, even if you believe that the information is quite clear and transparent.” - The respondent states that on 08/24/2021, “another email is sent”, which he provides as a copy-paste: “You already have the box available in your Private Participant Area to be able to upload the vaccination certificate or relevant Certificate based on COVID 19 (having immunity, having at least one dose, etc.). Regarding the doubts and/or suggestions that have been sent to us regarding said certificate, WE CLARIFY: • At no time have we referred to the obligation to either submit documentation or remove the participant from the event. • Said certificate is requested in order to have the maximum guarantees of security in matters of COVID-19. Since in a time of health alert like the one we are experiencing, we believe that the best thing for everyone is to guarantee maximum security and to be supportive. • We understand that we must all be supportive, in order to be able to hold events safely and responsibly. Therefore, we appeal to responsibility, solidarity and common sense to be able to make the X GOMERA PARADISE TRAIL a safe and secure event. …, the procedure to be carried out is the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/45 Access your Private Area: https://inscripciones.gomesporteventos.com/inscripcion/ix- gomera-paradise/ zona_privada/logeo/ • Enter your registration ID (you can find it on your registration receipt). • Enter the email. • Upload (in a supportive manner) the vaccination certificate or certificate that guarantees the availability of antibodies, etc.” -The respondent ends by stating that: "With regard to the decision taken regarding this claim, as we do not know the sender of this claim, among 1200 participants, we cannot confirm whether a decision was made regarding the complainant." 
3.- On 04/22/2022, the Data Inspection sent a new request for information to the respondent through the Single Authorized Electronic Address service, which was accepted by the recipient on 04/25/2022. The respondent was required to provide the following information and documentation, without obtaining a response: 1.- Copy of the data processing manager contract signed between the owner of the website "gomeraparadise.com" and AvaiBook On-Line S.L. 2.- Total number of reports on PCR or antigen tests and certificates of the complete vaccination schedule collected from the interested parties. Data retention period. 3.- The legal basis for the processing of such health-related data and, where applicable, the circumstance that lifts the prohibition to process special categories of data, according to article 9 of the GDPR. 4.- The purpose of the processing. Copy of the Activity Record of the processing. 5.- The Impact Assessment carried out, or reasons why it has not been carried out (to find out the list of personal data processing that requires an impact assessment, as well as any other information related to impact assessments, you can consult the “Manage EIPD” tool at https://www.aepd.es/es/guias-yherramientas/herramientas/gestiona-eipd).” FOURTH: On 08/28/2023, the director of the AEPD agreed: “TO START SANCTIONING PROCEDURE against B.B.B., with NIF ***NIF.1, for the alleged infringement of the GDPR, in the following articles: -9 of the GDPR, in accordance with article 83.5.a) of the GDPR and classified as very serious for the purposes of prescription in article 72.1.e) of the LOPDGDD. -13 of the GDPR, in accordance with article 83.5.a) of the GDPR and classified as very serious for the purposes of prescription in article 72.1.h) of the LOPDGDD. -30 of the GDPR, in accordance with article 83.4.a) of the GDPR and classified as serious for the purposes of prescription in article 73.n) of the LOPDGDD.” “WHAT for the purposes provided for in art. 
64.2 b) of law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations, the sanction that may be applicable would be three administrative fines, for the infringement of: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/45 -article 9 of the GDPR, a fine of 8,000 euros could be imposed. -article 13 of the GDPR, a fine of 6,000 euros could be imposed. -Article 30 of the GDPR, a fine of 1,000 euros could be imposed.” FIFTH: On 27/09/2023, allegations were received from the respondent, stating: -The request for data related to COVID vaccination and diagnostic tests referring to the event, was based on the free, unequivocal and informed consent of the interested parties, which exempts from the prohibition of treatment. It adds that consent may be unequivocal and granted implicitly, when it is deduced from an action of the interested party, such as uploading their data to the platform. -On 08/19/2021, the respondent informed the interested parties of the rules and conditions that would regulate the holding of the event, including the request for the aforementioned documentation, and informed them of the procedure to provide it in case they decided to do so, "from the conscience and solidarity with the rest of the participants." To clarify the content of said documentation, on the 24th of the same month and year, the respondent sent the participants a second communication clarifying the voluntary, optional and non-mandatory nature of the provision of this data, specifying the time frame (08/23 to Sunday 09/05: vaccination certificate), in the case of PCR or antigen tests, they must provide it to the organization at the time of collecting the bibs. The respondent considers that these documents constitute proof of the legality of the processing and the unequivocal consent of the users. 
The communication of 24/08/2021 stated: “At no time have we referred to the obligation to either submit documentation or the participant is eliminated from the event”, and the respondent adds that “in no case was anyone prevented from participating in the event on the grounds of not providing documentation relating to health data, nor was there any collection or verification on site on the day of the event itself”. “Proof of this is that the number of participants in the event amounted to a total of 1,350, and only 690 of these participants voluntarily uploaded the certificate in question to the platform, with 660 participants having not provided a COVID certificate, diagnostic test or any similar document.” The respondent states that “on the day of the race, no COVID vaccination certificate or similar was requested, there was no one asking the participants for any type of document at the entrance to the sporting event”. -The respondent states that the purpose of the treatment was to guarantee the safety and health of the participants in the face of the pandemic situation and health crisis derived from COVID-19, informing about this, for example, in the communication of 08/24/2021. The respondent states that the intention of the respondent was to act diligently regarding criteria and guidelines that the health authority had given at that time, taking into account that, on the date of request and processing of the data, the measures and circumstances were different for those who were vaccinated from those who were not. 
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/45 -Regarding the infringement of article 13 of the GDPR, the respondent indicates that in the “rules of use and conditions”, as well as in the “platform”, the identity and contact details of the responsible party and its representative were reported, and in point 2 of the “conditions”, that the recipient of the data is AVAIBOOK SPORTS, “which makes several references to the policies of the MANAGER, that is, the policies of the websites of “GOMERA PARADISE” - in which reference is made to that of GOMESPORT, for additional information,” and in this same one, in which detailed information is given-Provides DOCUMENT 1, on-screen copy of “PRIVACY POLICY AND REGULATIONS 2023”, extracts, link to the full text in:“ https://gomesporteventos.com/politica-privacidad. In document 1, extract, it can be seen that despite being 2023, the literal statement that “health data, medical certificates, vaccination certificates or antigen tests provided by interested parties” will be processed has been left, related to “purposes” “to guarantee the development of the safe event by adopting health measures…medical certificates and antigen tests”. In legitimation it reiterates that “the processing of health data is based on the user's consent required in article 9.2.a of the GDPR, which will be accredited by uploading the documentation to our platform and displaying it to the staff on the day of the event. The user may revoke the consent given at any time”. The respondent states that prior to the present procedure and with a corrective purpose, an updated information clause of accessible understanding for the interested party has already been incorporated into the AVAIBOOK Sport platform. In it, all the details regarding the protection of the requested data can be read clearly and simply. 
Although this has been done with the intention of improving the management of the respondent - who has collaborated at all times and has not put up any obstacles to collaboration with the AEPD - and the events that it organizes. At all times there was a desire for clarity and simplicity in the communications regarding the data of the participants. The respondent states that although it is true that the information could have been provided in a more complete, clear and precise manner in a single document; due to some confusion caused by the information on the processing displayed on the website of the controller, it was considered appropriate and necessary to make clarifications in this regard. For this reason, the purposes and legitimacy for the processing of the data of the event participants were communicated via email. Specifically, as we have already referred to at the beginning of this document, two emails were sent with the following dates and clarifications: - August 19, 2021: "Your account will have a section where you can attach this certificate via PDF or JPG. This option will be enabled from Monday, August 23 to Sunday, September 5 for the Vaccination Certificate option. In the case of a PCR or Antigen test, you must provide it to the Organization when collecting your race numbers." - August 24, 2021: -The respondent also provides the response to his request sent on 08/14/2021 to the Canary Islands Health Service regarding "holding a mass event", due to the COVID 19 crisis, and the response of this, dated 08/23/2021, the respondent stating that it was received on 08/28/2021. He indicates that it is a sign of diligent treatment, given the respondent's interest in ensuring his performance and the correct sports development with the national health situation and the health measures to be complied with. 
From DOCUMENT 2 provided, it follows: The Canary Islands Government Agreement adopted in a session held on 08/05/2021, BOC 08/09/2021, which approves the update of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/45 prevention measures established by Government agreement of 06/19/2020 to address the health crisis caused by COVID-19, is applicable, once phase 3 of the plan for the transition to a new normal has been overcome, section 3.15 “celebration of non-professional, professional and federated sporting events that take place in the Canary Islands”, determining the statement, the organizers of events on official calendars of sports federations must have prior authorization. On the other hand, the organizers of scheduled sporting events will not need prior authorization from the Directorate of the Canary Islands Health Service, although they must comply with the provisions of the same section as far as applicable and mention a series of measures according to the alert levels, sporting events with public capacity or interpersonal separation measures, cleaning and disinfection. The respondent deduces that, for all this, it is even more noticeable how the certificate was requested, "albeit voluntary", to guarantee the safety of those interested. -He points out that he has a RAT that complies with the content prescribed by article 30 of the RGPD and has carried out the mandatory risk analyses required by article 32 of the RGPD, "obtaining risks that classify them as marginal and "acceptable", adopting preventive and corrective measures so that the residual risk reaches an "acceptable" level. Provides DOCUMENT 3, which has been updated with the designation of the DPO. The aforementioned DOCUMENT 3 is the RAT for “sports event management”, in which it reproduces the content of part of the “PRIVACY POLICY AND REGULATIONS 2023”. 
It reproduces "legitimation: art. 9.2.a) GDPR, 6.1.e) GDPR and Law 2/2021 of 03/29, on urgent measures for prevention, containment and coordination to deal with the health crisis caused by COVID-19" and "purpose: to identify the participants of the sporting event, as well as the management of the same to guarantee the safety and health of the participants through adequate and agile prevention management in the face of the pandemic situation and health crisis derived from COVID-19". Under data categories it lists, among others, "health relevant for participation in the event" and "to guarantee safety in a health crisis situation - COVID vaccination certificate", and under recipients it states that the data will be communicated to "AVAIBOOK SPORTS". In DOCUMENT 4, he provides the communication to the AEPD on 06/23/2023 of the appointment of the Data Protection Officer, dated 07/10/2023.

Regarding the measures adopted as a result of this procedure, the respondent indicates that "it has activated the security breach procedure by notifying the necessary parties, analyzing and documenting the breach", listing:

* a. Adoption of confidentiality, integrity and availability measures.
* b. In accordance with article 17 GDPR, the data were deleted after the time strictly necessary for the purpose for which they were requested.
* c. Adoption of measures to ensure the resilience of the processing systems and services, as well as to restore the availability of and access to personal data quickly in the event of a physical or technical incident.
* d. Regular verification, evaluation and assessment processes for security measures.
* e. Pseudonymisation and encryption of personal data.
* f. Data unlinking processes.
* g. Execution of data deletion.
* h. Updating and reviewing data protection and security policies.
* i. Updating incident management procedures.
* j. Incorporation of procedures to respond to GDPR obligations.
* k. Procedures, resources and means of detection and management (own or through third parties), as well as guarantees that all of the above is working correctly.
* l. Review and update of the breach notification procedure (Document No. 5).
* m. Review and update of the procedure for exercising rights, involving the figure of the Data Protection Officer (DOCUMENT No. 6).
* n. Periodic audits.
* o. Also, as a measure pending execution but planned, carrying out new training, the date of which is pending confirmation.
* p. Update of the information clause on the platform.

The respondent understands that he has adopted measures to avoid further incidents of the type dealt with in this procedure. The respondent states that he acted in good faith and with the desire to act in accordance with the guidelines and criteria of the health authority at that time, and with the intention of organizing a sporting event without putting any participant at risk.

He requests that mitigating factors be applied: the request for documentation did not involve any benefit for the respondent but, on the contrary, a cost for the platform, and was done for the common good of the participants and the benefit of the collective interest; a DPD was appointed voluntarily; and the other measures already indicated were adopted.

SIXTH: On 06/14/2024, it was decided to open a period for the taking of evidence, agreeing:

1. To reproduce for evidentiary purposes the claim filed by the claimant and its documentation.

2. To incorporate the documents cited in the initiation agreement, in which express reference was already made to them.

3. Likewise, to reproduce for evidentiary purposes the allegations to the agreement to initiate the referenced sanctioning procedure, presented by the respondent, and the documentation accompanying them.
In addition, the respondent is requested to provide and/or report:

4. According to his statements, on the website of the "X Gomera Paradise Trail" there was a PRIVACY AND DATA PROTECTION POLICY section, the content of which is available in the file in the printed version of 21/10/2021. He is requested to report, with supporting evidence, in which section of the website said information was found: whether in the general access section or in the race registration section.

On 07/05/2024, his response was received, stating: "The Privacy Policy that included the necessary information to be provided to users was included at the time of the event organization on the registration screen." He provides what he states was ANNEX I, which does not match the one that appears in the file, extracted by the SGID on 10/21/2021 from the race website www.gomeraparadise.com. The one he now provides bears the GOMESPORT logo and was not previously included in the procedure. It does not bear the date of the version or the start of its validity.

In the ANNEX I provided, entitled "Privacy Policy www.GOMESPORTEVENTOS.COM", information is given regarding participation in the race under "Privacy Policy at a glance": "we use the data you have provided us online, or through any other means, to register your registration"; "Why do we have them? we are authorized to process the data when you register for any of our events, as well as in any of our forms". In section 1, entitled "Who is responsible for the processing of your data?", the respondent appears, associated with the website www.gomesporteventos.com; an address appears that differs from that in the other Privacy Policy incorporated into the file on 10/21/2021, and the reference to the DPD appears. It also states that the data provided through the various data collection forms will be processed by the respondent, and that such processing is recorded in the Register of processing activities.
In section 2, "What are your personal data used for?", it is indicated that "at www.gomesporteventos.com" data are processed from both users of the website and third parties who maintain a relationship with the controller. It differentiates the information by type of person whose data is processed, highlighting the content on "data of the participants who register on our platforms for events", in which it informs that it processes special category data (health data: medical certificates, vaccination certificates or antigen tests provided by the interested parties) and identifying data (name, surname, postal and email address, telephone number). Under "How do we obtain your data?", it indicates that this is "through the online form that you fill out to register for the event and activities developed by GOMESPORT", and that "the processing of data is subject to the acceptance of the privacy policy by checking a box included in the registration form for the sporting event". Among the purposes for which the data will be processed, it states: "generate and manage the documentation associated with the registration, provide information about the event to those who have registered, process your requests and queries through the website, guarantee the development of a safe event by adopting the appropriate health measures and guaranteeing the safety of all participants through solidarity by providing documentation on medical certificates and antigen tests". In the section on the legal basis for data processing, it is indicated that "the processing of health data is based on the user's consent required in article 9.2.a) GDPR, which will be accredited by uploading the documentation to our platform and showing it to the staff on the day of the event. The user can revoke the consent given at any time".
In the section "For how long do we keep your data?", for event participants it is indicated that "those data that are processed based on the participant's consent will be kept as long as they are relevant for the purpose for which they were collected and the consent is not revoked. Health data can be deleted directly by the participant on the platform and will be deleted by GomesSport once the event has ended". Section 4, "Additional information on data processing", indicates that the personal data processed by the respondent "may be mandatory or voluntary. Through the web forms, you will be asked for data from special categories to guarantee your privacy. The provision of health data is not mandatory, the data that will be requested in the forms being: 1 identification data, 2 data related to the registration, and 3 data related to transactions". In the section on exercising rights, it is also reported that the respondent has appointed a DPD, with the address (...)@dpocanarias.com, and an address for exercising rights different from the one that appeared in the privacy policy of 10/21/2021.

The respondent states that "This information layer was incorporated into the registration form, so that future participants would know the type of data that was going to be collected, as well as who is responsible, the purpose, the recipients and the rights, referring to the legal notice of the website itself and to the privacy policy of the website www.gomesporteventos.com to access the second information layer.
However, this layer is currently not operational since the content and the link to the event registration were removed." The requested ANNEX II is provided under the title "denial of access to the registration form", in which a screenshot of a website, WITHOUT IDENTIFYING WHICH ONE IT CORRESPONDS TO, is shown, informing about the "X Trail GOMERA PARADISE", stating "the registration period is closed", with the tabs "home", "private participant area" and "this event has already been held" visible. The respondent states that "without prejudice to the foregoing, in the Legal Notice of the website https://gomeraparadise.com/aviso-legal/, specifically in its section 9, regarding the PRIVACY POLICY, the possibility of expanding the information regarding the processing of data is mentioned", as indicated in the literal text he reproduces, with the following wording: "The user can consult how the respondent uses their data and the security measures implemented in the Privacy Policy link on this website and in the 'Privacy Policy' of the website www.gomesporteventos.com, where they can expand the information on the processing of the data of the participants in our events at the following link: https://gomesporteventos.com/politica-privacidad/. On the other hand, if we go to the link https://gomesporteventos.com/politica-privacidad/ we will be able to see the content shown in ANNEX III of this document framed in red, where specific reference is made to the processing of health data and the basis of legitimacy, which includes the express consent of the user, which can be revoked at any time, although this fact does not affect the processing carried out previously."

Regarding the ANNEX III provided, insofar as it may affect the participants in the race, the document is entitled "Information regarding consent" and bears the GOMESPORT logo.
It stands out because it starts at point 2, "What are your personal data used for?", the information provided coinciding with that already seen in the ANNEX I previously cited, which the respondent provides.

5. The respondent was also asked to report: "Regarding the same information contained in the PRIVACY AND DATA PROTECTION POLICY, it is requested that the version be provided that was in force on the date of the registration period for the race (05/14 to 08/15/2021) and during the collection of COVID health data from 08/23 to 09/05/2021, which was when this additional health data was collected (accrediting the validity of the version or versions). Please also respond whether said informative content was modified after the emails of 08/19 and 08/24/2021. Indicate the date of the version and provide a copy or copies that support your statements. (Note that information regarding the section 'RULES OF USE AND CONDITIONS WHEN REGISTERING' is not requested)."

He replied that "in any case, no changes were made to the legal text after the email sent on 08/19/2021". He provides in ANNEXES IV and V the screenshots of the messages sent to the participants of the race. Both texts appear to have been sent from a gomeraparadise.com address. As has already been seen, in the first message, dated 08/19/2021, it was indicated that the certificates would be submitted through the participant's private area on the website www.gomeraparadise.com. In addition, this first message states at the bottom that "you have received this email because you registered for an event organized by GOMESPORT EVENTOS". In the second message, dated 08/24/2021, it was also indicated that the procedure was "access your private area: https://inscripciones.gomesporteventos.com/inscripcion/ix- gomera-paradise/ private area/logeo/, enter your registration ID (on the registration receipt and the email with which you registered)".
The footer of the message states: "GOMESPORT EVENTOS - to resolve any doubts, contact us at info@gomeraparadise.com. You have received this email because you registered for an event organized by GOMESPORT EVENTOS".

6. Regarding the RAT provided: Please provide a copy of the RAT "sports event management" in the version that corresponds to the stage and time of the date on which the health data cited were collected (certifying this). Please explain why the RAT you provide (which refers to the appointment of the DPD in 6/2023) contains the reference to the health data that is going to be collected or is being collected, if the collection of said data related to COVID is not foreseeable in the future.

He replied that the RAT provided in his allegations was the one in force at that date and therefore included the reference to the DPD appointed on 06/29/2023, having been modified to the current version in October 2023. He states that he provides a copy of the version in force at the time of organizing the event, which, according to him, already mentioned all the data processing that was being carried out at the time, including health data, and which was in force since 08/17/2021. He provides ANNEX VII, which he states reflects the evolution of the versions of the processing "management of sporting event". Said ANNEX is examined. Each of the alleged versions is differentiated only by the addition of a preceding explanatory heading, drafted for this response, with the titles "RAT in force at the time of the event", "RAT sent to the AEPD before its full review" and "RAT in force at the current date". None of them bears a date that can be correlated with that of its approval or renewal/modification; therefore, it is not possible to deduce the initial period in which it was valid. All of the versions provided contain the information prescribed by article 30, differing only in slight nuances of content.
Regarding the one supposedly in force at the time of registration for the race, which has been included in the answer as "RAT in force at the time of the event", the following is notable:

* legitimation: article 9.2.a) GDPR;
* purpose: to identify the participants of the sporting event, as well as the management of the event to guarantee the safety and health of the participants through adequate and agile management of prevention in the pandemic situation and health crisis derived from COVID-19;
* data category: identifying data and characteristic data, health data relevant to participation in the event. "Health data to guarantee safety in health crisis situations (COVID vaccination certificate)."

7. Regarding the communication of 08/24/2021 to the participants of the race, the respondent is requested to send a literal copy of it, in the format in which it was sent, and to state the way in which it was sent to the participants and how he proves that it was sent to the complainant and the rest of the participants and that they read it.

It is understood that this has been answered with ANNEXES IV and V provided. The respondent adds that it was sent to the registered participants at the email address they included when filling out the registration form, the only form of contact available. He indicates that it is in this "own email where access to the private area at https://inscripciones.gomesporteventos.com/inscripcion/ix-gomera-paradise/ private zone/logeo/ is sent, and therefore to its privacy policy". It is in this section and in the "LEGAL NOTICE" of the website where the interested party is informed that they must access it periodically to check for changes in the data protection policy, "but the respondent considered the email as the way to modify and clarify the conditions of participation in the event".
8. On the same aspect as the previous point: if the option to upload the vaccination certificate to the platform in the private area was open from 08/23 to 09/05/2021, indicate, with supporting evidence, the certificates collected (at least the number) by date, from 08/23 onwards.

The respondent responded that the numbers given in the allegations are an estimated figure of the certificates that were collected, and that he cannot corroborate the exact number, since at the end of the event they were deleted, their retention not being considered necessary.

9. In the allegations the number of people who uploaded the certificate to the platform is specified. Documentary proof of that number is requested, or an explanation of how the count was carried out. Please report whether there was any control at the start of the race or on the contracted platform regarding the people who provided the certificates, tests or recovery certificates, and the number of people who used antigen tests and the certificate of recovery from the disease, or whether the figure of 690 people given in the allegations can be broken down.

The respondent responded that "During the registration periods for the event, the respondent was able to access the information regarding the certificates that had been provided. However, there was no access by the person responsible, since it was only necessary to verify who had sent it, and at no time was there access to the content." This statement could be erroneous, since the respondent is the person responsible and declares that he was able to access it, and then says that there was no access by the person responsible, who is the same person. The respondent indicates that there is no exact number of people who provided their certificate, also because the relationship with the processor was terminated. The data provided in the allegations were obtained on 09/05/2021 by a count on the platform itself.
He adds that, since the provision of the certificates was voluntary, the certificate was not requested in person, nor was it verified who had presented a certificate through the platform, and the participation of users who did not provide it was not prohibited. The initial intention was to guarantee the safety of all participants, even though the event was held outdoors. The respondent indicates that, given the doubts raised and "the changes and the communication presented on 08/28 with the health authority, it was decided not to take any verification measures, allowing the participation of all those registered, regardless of the number of participants who had provided the certificates."

10. Report on the system implemented for the deletion of the health data collected, the date, and how it was ensured that the data were no longer processed on the contracted platform.

The respondent replied that he himself arranged for all certificates provided by the participants to be deleted, since their retention was not necessary for any subsequent procedure, "especially given their controversy".

SEVENTH: On 07/11/2024, a resolution proposal was issued, with the following wording: "That the Director of the Spanish Data Protection Agency sanction B.B.B., with NIF ***NIF.1, for the following violations of the GDPR:

* Article 9, in accordance with article 83.5.a) GDPR, classified as very serious for the purposes of prescription in article 72.1.e) LOPDGDD, with a fine of 8,000 euros.
* Article 13, in accordance with article 83.5.a) GDPR, classified as very serious for the purposes of prescription in article 72.1.h) LOPDGDD, with a fine of 6,000 euros.
* Article 30, in accordance with article 83.4.a) GDPR, classified as serious for the purposes of prescription in article 73.n) LOPDGDD, with a fine of 1,000 euros."

EIGHTH: On 07/30/2024, allegations were received from the respondent, stating:

1. "In the Race Regulations, it is indicated that the race organizer is GOMESPORT EVENTOS. The header of the document includes its logo, referring to it as 'data controller'." "In these Regulations, the first layer of information is provided, containing who is responsible and the purpose: registration and management of the event. This responds to some of the requirements demanded by article 13 GDPR and to all those included in article 11 LOPDGDD, 'by containing the basic information' in said article, section 2." The respondent indicates that the Race Regulations were modified, and that their clarifying aspects were communicated by email on 08/24/2021. "The provisions of article 14 were an error in the wording, and the obligation of the COVID certificate could initially be inferred; from the message sent on 08/24, the rectification of such obligation can be inferred, delving further into the solidarity character, and giving rise to the basis of legitimacy of article 6.1.a) GDPR." "On the other hand, after examining the Privacy Policy of www.gomeraparadise.com, it can be extracted that, in general terms, interested parties were already informed about the identity of the Data Controller, among other aspects: the person responsible for the page and for the collection of data as 'data controller' is B.B.B., which processes the data of 'customers and visitors to provide the services requested by users'."
Although this Privacy and Data Protection Policy indicates that the legal basis is article 6.1.b) GDPR ("the processing will only be lawful if at least one of the following conditions is met: the processing is necessary for the performance of a contract to which the interested party is a party or in order to take steps at the request of the latter prior to entering into a contract"), a specific clause was included in the registration form in which article 6.1.a) GDPR was used to justify that specific processing. "This was decided because the collection was going to be limited in time and it was not considered appropriate to modify the entire Web Policy, since it could mislead the rest of the users (the Web Policy has a generic wording for all users who access the Web, regardless of whether they register or not). Therefore, it was decided to include a specific clause directly related to the characteristics of the event at the time of registration. Without prejudice to understanding that the duty of information stipulated in article 13 GDPR has been fulfilled by including the corresponding Privacy Policy on the website and the corresponding clause in the registration form, seeing that the complainant stated that the voluntary nature of the contribution of the COVID certificate had not been made clear, one day after the opening of the registration period, that is, on August 24, 2021, a clarification email was sent that emphasised consent as the legal basis on the part of users. With this, a margin of 11 days was left so that those users who had uploaded it under the belief that it was mandatory could freely delete it."
"It should be noted that the deadline for providing the COVID certificate ran from Monday, August 23, 2021 to Sunday, September 5 of the same year, reducing, in any case, the damage derived from the confusion that could have arisen for the participant to one day, and giving participants the possibility of revoking consent by deleting the COVID documentation provided. Thus, and for more information, an email was sent on 08/24/21, just five days after the communication of 08/19/21 and one day after the opening of the deadline for submitting the documentation, informing about the purpose of the processing of these data, specifically that 'said certificate is requested in order to be able to have the maximum security guarantees in matters of COVID-19'."

2. The respondent states that he disagrees with the content of the eighth proven fact, considering that the information provided was not taken into account, and that although the LINK to the registration form was deleted, for reasons of limitation of the retention period (he provides a link which, if clicked, gives a 404 error and, if pasted into the browser's address bar, leads to the regulations of the race for the 2021 edition (already seen), and with them the corresponding information clause), the purpose of the processing was communicated to the participants in the email sent on 08/24/21. "Likewise, information was provided on how the data would be collected in the first email: 'the format to be carried out will be through the website www.gomeraparadise.com, in which the Organization will enable a Private Participant Area'."
The respondent considers that the basic information stipulated in article 11.2 LOPDGDD must be considered provided "through emails, as well as through the privacy and data protection policy included on the website, ignoring what was included in the registration form clause, whose main purpose was to replicate what is contained in the privacy policy and add the specific processing of the event. For its part, the legal texts included on the website www.gomesporteventos.com were sent as proof to verify the information that the controller provided to the participants. Although it has been considered that the sending of these legal texts was not appropriate as they were not part of the event, we consider that this fact should be clarified. As has already been demonstrated, the official website of the event was www.gomeraparadise.com, as indicated in the Regulations. However, because the Data Controller had at that time, and still has, two websites, registration was carried out from www.gomesporteventos.com, although it was accessed from www.gomeraparadise.com. Therefore, it is necessary to take into account the information that was provided through these legal texts, since this represents a large part of the information provided to the participants. The lack of information provided to the participants in relation to the collection of health data is again indicated in the proven facts, especially the tenth. In this context, it is considered that such information has already been provided, as well as sufficient evidence to verify it, namely the following:

# Race regulations (article 14 in relation to article 24).
# Privacy Policy of www.gomesporteventos.com and www.gomeraparadise.com.
# Clause inserted in the registration form.
# Email sent on 08/24/21."
The respondent adds that in other resolutions for the same infringement, such as file 202312720, no sanction was imposed but rather a warning was issued, and requests the same on the basis that, of 1,350 participants, 690 voluntarily presented the certificate and only 660 chose not to give their consent, understanding that this had a solidarity-based and not mandatory nature. The issue was already clarified by the email dated 08/24/2021, given its specific nature, as well as by the intention to provide participants with as much information as they requested. Alternatively, the respondent requests that the sanction for this article be reduced.

3. The respondent reiterates the validity of the consent given under article 9 GDPR, and that this can be "unequivocal and granted implicitly when it is deduced from an action of the interested party (such as uploading their data to the platform)". In this case there was an active action on the part of the participants/interested parties, who uploaded their data, thus constituting explicit consent. He adds that the voluntary and optional nature of providing the aforementioned documents is proof of the lawfulness of the processing and of the unequivocal consent of the users.

4. Regarding the RAT, "the RAT version control table is attached in Document No. 2, where the version control table for 'PARTICIPANT MANAGEMENT' is included, following the Agency's new request; it is not considered appropriate to provide again the version history that the Agency already has in the documents of this procedure." Document 2 reads: "Record of processing activities - B.B.B. - Gomesport Events", "management of sporting events", "Record of changes". It shows v.1: "initial creation", date of change 05/01/2021; v.2: date of change 08/17/2021, "change: Incorporation of COVID certificate and vaccination into the data collected from participants"; v.3: "change: Incorporation of the data of the designated DPO", date 07/10/2023; v.4: "elimination from the RAT of the data relating to COVID vaccination certificates and greater definition of the data in the processing", date of change 10/14/2023.

5. The respondent points to the circumstances that occurred: good faith, acting in accordance with the guidelines and criteria of the health authority in times of pandemic and health crisis, with the intention of organizing a sporting event without putting any participant at risk, and incurring an additional cost for the implementation of the platform to ensure the common good of the participants. He requests that the absence of any benefit obtained, the voluntary appointment of the Data Protection Officer and the other measures already indicated throughout this document be taken into account as mitigating criteria, in accordance with the provisions of the GDPR.
NINTH: In view of all the actions taken, the Spanish Data Protection Agency considers the following facts to be proven in this procedure:

PROVEN FACTS

1) The private race "X Gomera Paradise Trail" was held on 10 and 11/09/2021, in different modalities and with open participation for people over 14 years of age, as stated in the Regulations of said race (RC), at https://gomeraparadise.com/reglamento (printed version incorporated into the file on 21/10/2021).

2) The official website of the race, according to the respondent, B.B.B. with NIF ***NIF.1, and the RC itself, was www.gomeraparadise.com. To participate in the race, a form had to be filled out through the website in its "registration" section. The deadline for this was from 05/14 to 08/15/2021 (articles 7 and 8 of the RC). Completing the form implied acceptance of the conditions and requirements of the RC (article 1), which stated that it could be modified, rectified or improved at any time by the organisation (article 24).

3) In the RC, in the version obtained for this file, which bears the X TRAIL Gomera Paradise logo, the only initial reference to data related to COVID-19 was in section 14, within "collection of bib numbers" (which took place, once registered, from 6 to 10/09/2021), stating that "the participant must submit a Covid-19 protocol document in which he/she undertakes to have complied with the measures stipulated therein", without it being proven that said protocol was part of the registration form. It was also indicated that the race was organized by GOMESPORT EVENTOS. The RC did not include any provision regarding the protection of the personal data collected.
4) On 21/10/2021, the General Subdirectorate of Data Inspection obtained a printed copy of the "privacy and data protection policy" with the information that was on the race website www.gomeraparadise.com, located at https://gomeraparadise.com/politica-privacidad/ and bearing the X TRAIL Gomera Paradise logo, which informed, regarding personal data, that:

* the person responsible for the page and for the collection of data as "data controller" is B.B.B., which processes the data of "clients and visitors to provide the services requested by users";
* the address where rights can be exercised, and the option to file a claim with the AEPD;
* as the legal basis for the processing, information was only provided regarding the products or services offered by the respondent, with the basis for the processing being a "Contractual Relationship" derived from the purchase or contracting of its services. Regarding the collection and processing of health data, nothing was indicated.

5) It is proven that a few days after the registration period closed, on 08/19/2021, the respondent sent the participants a message through the online registration platform for the event (as stated by the respondent in the previous investigation proceedings on 04/08/2022, with a printed copy of the message provided in evidence), requesting the participants of the race to "provide":

* a certificate of a complete vaccination schedule or, failing that, a certificate of having the pertinent dose for having already had COVID-19 (the underlined literal text could refer to having had the disease, "having to provide" a certificate to this effect);
* failing that, a PCR or antigen test with a negative result, taken a maximum of 48 hours prior to the event.
To provide the aforementioned documents, the race website was enabled: gomeraparadise.com, in the “private participant area”, entering with the data that were given when making the pre-registration: assigned registration ID and the email that they wrote down when they registered. The deadline established by the respondent for this was from 08/23 to Sunday 09/05/2021. In the case of PCR or antigen tests, they had to be provided to the organisation at the time of collecting the bibs. 6) On 08/24/2021 (it is proven with a screenshot provided by the respondent on 04/08/2022 in the requested evidence), the respondent sends another message to the participants of the race by the same means as that of 08/19. The communication advises that the private area of the participant is now available to upload the vaccination certificate based on COVID 19, "in view of the doubts and/or suggestions that have been sent to us: At no time have we sent the obligation to either submit documentation or the participant is eliminated from the event. Said certificate is requested in order to have the maximum security guarantees in terms of COVID-19, due to the health alert such as the one we are experiencing, we believe that the best thing for everyone is to guarantee maximum security", appealing to the solidarity of all to be able to celebrate events in a safe and responsible manner. In this second communication, participants are informed that the procedure to upload the vaccination certificate or certificate that guarantees the availability of antibodies is: access your Private Area: https://inscripciones.gomesporteventos.com/inscripcion/ix- gomera-paradise/ zona_privada/logeo/ 7) The space in which the collected data was stored had been contracted by the complainant with AVAIBOOK ON-LINE S.L, being the online registration platform system for the event, in which the data was hosted. 
8) In the allegations to the agreement, the respondent bases the request for health data from the participants in the race related to COVID-19, collected from 23/08/2021 to 05/09/2021, on obtaining consent, which he considers would enable the processing in accordance with article 9.2.a) of the GDPR. However, it is not proven that there was any data protection policy clause, information clause or other means that explained and informed the participants in the race what the processing would consist of, the request for their consent, what such consent would consist of, its purpose, or how it would be collected, so as to enable this processing.

9) The respondent indicated in the allegations to the start agreement that 1,350 people participated in the race; a total of 690 people uploaded the COVID-19 data certificate to the platform, with 660 participants not having provided a COVID certificate, diagnostic test or any similar document.

10) It is not proven that the respondent informed in any way about this processing of health data, at the time of collecting the data of those affected (08/23/2021 to 09/05/2021), on the race privacy policy page www.gomeraparadise.com, owned by the respondent, considering the provision for, and start of, the collection of health data in the emails dated 08/19 and 08/24/2021.

11) The claimant claims on 09/08/2021 that, in order to participate in the “X Gomera Paradise Trail” race, personal data associated with the COVID-19 vaccine and a certificate of recovery from the disease are collected, as well as COVID diagnostic tests (antigen and/or PCR tests), at the participant’s choice.

12) The copy of the record of processing activities (RAT) in force at the time of the collection of the health data related to the claim was requested on two occasions in the previous proceedings from the claimant, but was not provided until the allegations to the agreement to start this procedure.
The RAT requested in evidence, “in force at the time of the date of collection of the health data”, and provided, includes the RAT of “processing activity: Sports event management”. It contemplates historical variations without any mark of validity, period of validity or entry into force. The three versions provided are distinguished only by the title given by the respondent to each:
- “RAT in force at the time of the event”;
- “RAT sent to the AEPD, before its full review” (in the allegations; it can be seen that it records the existence of a data protection officer (DPD), a fact that occurs as of 6/2023, and up to that date it continued to reference in the “purpose” section the health crisis derived from COVID-19, as well as, under legal basis, a law on the subject, Law 2/21 of 03/29); and
- “RAT currently in force”, according to the respondent in force since October 2023.
In this way, it does not prove the date of implementation, nor of validity or update in the subsequent versions. The respondent maintains the validity of the RAT on the date on which the health data was collected, from 08/24/2021 to 5/09/2021, with the title “RAT in force at the time of the event”, with the mere statement that the document was in force since 08/17/2021, the others being two versions of it.

LEGAL BASIS

I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5/12, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures.”

II

The data collected by the respondent, first those relating to registration in the race, and then, through vaccination certificates and antigen or PCR tests uploaded to the respondent’s website platform gomeraparadise.com, fall within the concept of personal data processing, including, at a time after the registration period, personal health data, the data controller of which is the respondent. Article 4 of the GDPR defines:

“1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (…)

2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;” (…)

“7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be determined by Union or Member State law;

8) ‘processor’ means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;” (…)

“15) ‘health data’ means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;” (…)

At first, it is deduced from the Race Regulations that it was not foreseen that COVID certificates had to be provided during the registration period, since nothing was indicated in them. It was not until 19 and 24/08/2021, when two mailings were made to the participants, that the respondent appealed to the responsibility of the participants, the second mailing clarifying that those who did not provide the health data would not be excluded from participation, although appealing to the safety of the race and to solidarity. However, the nature of the first, sent six days before, was imperative in the sense that it indicated the need, with the literal wording “The organisation has decided to request the participants”, the place to access for this, and the form, adding that for the “PCR or antigen test option, it must be provided to the organisation at the time of collecting the bib numbers”. These health data, classified as special category data (“sensitive data”) in Article 9 of the GDPR, are considered as such since they are particularly sensitive in relation to fundamental rights and freedoms, and the context of their processing could entail significant risks for those rights and freedoms.
This is specified in recital 51 of the GDPR, which states that personal data that, by their nature, are particularly sensitive in relation to fundamental rights and freedoms deserve special protection, since the context of their processing could entail significant risks for these rights and freedoms. The Court of Justice of the EU has stated that the purpose of Article 9(1) of the Regulation is to ensure greater protection against data processing which, due to the particular sensitivity of the data concerned, may constitute a particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights; see in this regard the judgment of 5/06/2023, Commission/Poland (independence and privacy of judges), case C-204/21, paragraph 345, and the case law cited therein.

It can thus be clearly deduced that the respondent acted as controller, as defined in Article 4.7 of the GDPR, by deciding and defining the carrying out of the processing of the requested data, being responsible for compliance with the principles established in the form of obligations in section 1 of article 5, pursuant to article 5, section 2, of the GDPR, and must be able to demonstrate that these principles are met.

III

The lawful processing of personal data requires compliance with the principles of data protection provided for in article 5 of the GDPR and one of the bases of legitimacy determined by article 6 of the GDPR. Article 6.1 of the GDPR establishes the assumptions that allow the processing of personal data to be considered lawful:

“1.
The processing will only be lawful if at least one of the following conditions is met:
(a) the data subject gave his consent for the processing of his personal data for one or several specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first paragraph shall not apply to processing carried out by public authorities acting in their capacity.”

Apart from consent as the legal basis for processing, the rest of the bases contemplated in 6.1 of the GDPR all imply the “need” for processing, a term expressly contained therein. In this sense, the European Data Protection Board (formerly the Article 29 Working Party), in its “Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679”, indicates that, in order to process special categories of data, coverage must be found in Article 9.2 of the GDPR and, once the general prohibition has been excepted, the assumptions of Article 6 of the GDPR must be used to make the processing in question lawful.
(…) “Data controllers may only process special category personal data if one of the conditions provided for in Article 9, paragraph 2, as well as a condition in Article 6, are met. (…).”

There could be a legitimate basis for processing the data of the group of participants in the race in general, due to the fact of registering and following the rules laid down, rules in which, in section 14 of the race regulations, it was initially and exclusively indicated, after the registration section, under “collection of bibs”, which is done once registered, from 6 to 10/09/2021: “the participant must submit a covid-19 protocol document in which he/she undertakes to have complied with the measures stipulated therein”, a document whose content is also unknown. In this case, the data being processed relate to persons taking part in a sporting event whose regulations may be modified; in fact, they were modified by the requests made on 19 and 24/08/2021, once the registration period for the race had ended (on 15/08/2021), based, the respondent states, on a consultation with public bodies which is unknown and not provided. As an added result, athletes who have registered are asked to provide COVID tests or a vaccination certificate, which are collected, stored and kept (broad concept of data processing). In any case, it could be considered that there is a legitimate basis for the processing in general of the group that registers for the event, because it is related to its holding and connected with its conduct. As an element to be considered in the processing carried out, it must be assessed whether the respondent also exceeds the threshold entailed by the prohibition on the processing of the health data of these registered participants.
It should be reiterated that, pursuant to article 5, section 2, of the GDPR, the data controller is responsible for compliance with the principles established in the form of obligations in section 1 of said article and must be able to demonstrate that these principles are met. That is, the burden of proof that personal data is processed in accordance with the GDPR falls on the data controller, in this case, the respondent. The “principles” covered by Chapter II of the GDPR include, inter alia, Articles 5 and 6 of the Regulation. On the other hand, the obligations of the controller include that of Article 24, which states:

“1. Taking into account the nature, scope, context and purposes of processing and the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and demonstrate that processing is in compliance with this Regulation. These measures shall be reviewed and updated as necessary.
2. Where they are proportionate to the processing activities, the measures referred to in paragraph 1 shall include the implementation by the controller of appropriate data protection policies.”

IV

The aforementioned processing of health data, as defined by the GDPR, like any processing, requires that personal data be (mandatorily):
- “collected for specific, explicit and legitimate purposes”, art. 5.1.a) of the GDPR;
- “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, art. 5.1.c) of the GDPR.

Regarding the limitation of data processing to what is necessary in relation to the purposes for which the data are processed, it can be suggested that, if the decision to provide or not provide COVID certificates were left to the will of the participants, this would cast doubt on the need for such processing, since the objectives that the claimant intends to achieve cease to be necessary as soon as they are left to the will of the persons who are going to participate; the facts show that less than half of the participants did not provide it, so that the effectiveness of the measure for the objective pursued would not be met. On the contrary, the supposed need or relevance of the certificates would not be proven, together with the limitation of the participants’ right to data protection.

The health data that the respondent requests must serve certain purposes, one of whose characteristics is that they are “legitimate”, which is related to the fact that the requirement of a vaccine for an individual, as a general rule, is not mandatory according to the regulations in force in Spain, nor under the regulations on the COVID-19 disease cited by the respondent. Therefore, its requirement must be based on some reason that allows and legitimises such processing; the respondent gives as a reason, in the allegations to the start agreement (its literal wording is reproduced): “the existence of the informed, free and unequivocal consent of the interested parties, included in article 9.2.a) of the Regulation, as a circumstance that would lift the prohibition of the processing of health data”, whose features will be analysed as to whether they are fulfilled or not.

It should be recalled that Article 9 of the GDPR, which includes health data, refers, as its title indicates, to the “processing of special categories of personal data”, also qualified as “sensitive” data in recitals 10 and 51 of this Regulation.
Article 9 of the GDPR, “Processing of special categories of personal data”, provides:

“1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person shall be prohibited.
2. Paragraph 1 shall not apply where one of the following applies:
a) the data subject has given explicit consent to the processing of those personal data for one or more of the specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject; (…)
b) the processing is necessary in order to protect the vital interests of the data subject or of another natural person, where the data subject is not physically or legally capable of giving consent; (…)
g) processing is necessary for reasons of essential public interest, on the basis of Union or Member State law, which must be proportionate to the objective pursued, substantially respect the right to data protection and provide for appropriate and specific measures to protect the interests and fundamental rights of the data subject; (…)
i) the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or to ensure high levels of quality and safety of healthcare and medicines or medical devices, on the basis of Union or Member State law that establishes appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy; (…)
4. Member States may maintain or introduce additional conditions, including limitations, with respect to the processing of genetic data, biometric data or data relating to health.”

In relation to the circumstances set out in letters g), h) and i) of article 9.2 of the GDPR, it should be noted that the requirement of a law to restrict fundamental rights is imposed by the Spanish Constitution. In the words of the Constitutional Court, in STC 76/2019, of 05/22/2019, legal basis 5: “(…) by express mandate of the Constitution, any state interference in the area of fundamental rights and public freedoms, whether it directly affects their development (article 81.1 CE) or limits or conditions their exercise (article 53.1 CE), requires legal authorisation (for all, STC 49/1999, of April 5, FJ 4). Thus, the reservation of Law is a constitutional requirement” (…).

The normative coverage of the measures that the health authorities consider urgent and necessary for public health, and which imply a limitation or restriction of fundamental rights, is found in health legislation: specifically, in Organic Law 3/1986, of 04/14, on Special Measures in Public Health Matters; Law 14/1986, of 04/25, General Health; and Law 33/2011, of 10/4, General Public Health. Law 2/2021, of 03/29, on urgent measures for prevention, containment and coordination to deal with the health crisis caused by COVID-19, establishes protocols that contemplate ventilation, cleaning and disinfection measures appropriate to the characteristics of work centres, establishments, entities or owners of economic activities. This Law indicates that the adoption of the measures necessary for compliance with the law will correspond to the General Administration of the State with the collaboration of the Autonomous Communities.
Otherwise, the “performance of diagnostic tests for the detection of COVID-19 is limited to those cases in which there is a prior prescription by a physician and they comply with criteria established by the competent health authority” (Section two of Order SND/344/2020 of 13/04, which establishes exceptional measures to strengthen the National Health System and contain the health crisis caused by COVID-19, BOE of 14/04/2020). The approval of health protection rules related to competitions must be carried out, in accordance with the provisions of the general prevention and hygiene measures against COVID-19, by the health authorities.

With this in mind, it is worth mentioning, even if only as an example, the Order of the Superior Court of Justice of the Canary Islands, of Santa Cruz de Tenerife, contentious-administrative chamber, section 2, Order 249/2021 of 29/07/2021. This ruling analysed the regulation that, in the Canary Islands, approves the update of the prevention measures established by the Government Agreement of 19/06/2020 to deal with the health crisis caused by COVID-19, once Phase III of the Plan for the transition to a new normality had been passed and after the measures of the state of alarm had ceased to be in force. Specifically, it was the resolution of 23/07/2021, BOC 26. The ruling declares suspended the measure of requiring a complete vaccination certificate or test as an additional measure for access to hotels and restaurants.
The respondent has also stated about consent that “it can be unequivocal and granted implicitly, when it is deduced from an action of the interested party, such as, for example, by uploading that data to the platform that was established.”

Article 4.11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or a clear affirmative action, agrees to the processing of personal data relating to him or her”.

Recital 32 states: “Consent should be given by a clear affirmative act evidencing a freely given, specific, informed and unambiguous indication of the data subject’s wishes to agree to the processing of personal data relating to him or her, such as a statement in writing, including by electronic means, or an oral statement. This could include ticking a box on a website, choosing technical parameters for the use of information society services, or any other statement or conduct which clearly indicates in this context that the data subject agrees to the proposed processing of his or her personal data. Therefore, silence, pre-ticked boxes or inaction should not constitute consent. Consent must be given for all processing activities carried out for the same purpose(s). Where processing has multiple purposes, consent must be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disrupt the use of the service for which it is provided.”

As part of the conditions for consent, Article 7.1 and 7.3 of the GDPR state that: “1. Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has consented to the processing of his or her personal data.” (…) “3. The interested party will have the right to withdraw their consent at any time. The withdrawal of consent will not affect the lawfulness of the processing based on the consent prior to its withdrawal. Before giving their consent, the interested party will be informed of this. It will be as easy to withdraw consent as to give it.”

It should be noted that, in the version of the Race Regulations dated 20/10/2021, only section 14, “collection of bibs”, was mentioned, which takes place once registered, from 6 to 10/09/2021, stating that “the participant must submit a covid-19 protocol document in which they undertake to have complied with the measures stipulated therein.”

As far as can be estimated, it was as a result of the messages sent to the participants on 19 and 24/08/2021 that the request for COVID health certificates and data was established, outside the Race Regulations. Analysing the first message of 19/08/2021 that the respondent sent to the participants, there is no mention of the voluntary nature, of the need for consent, or of measures aimed at obtaining it, but rather that “he has decided to request” “as recommended by the different Public Agencies”. The respondent does not provide such recommendations, instead providing the response to his request for authorisation to hold the event, in which the preventive measures to be adopted are explained, in the form of a letter from the Canary Islands Health Service dated 23/08/2021 (by which time the respondent had already made his decision). The message sent by the respondent to the participants of the race on 24/08/2021 adds information from which it can be assumed that the certificates are sent voluntarily, by adding the literal wording: “At no time have we sent the obligation to either submit documentation or the participant is eliminated from the event”, although it did not contain any information about the processing that was going to be carried out, and sending the certificates was encouraged.
There was no proposal about the data processing that was going to be carried out with those participants who would voluntarily send their health data. Nor was there any mention of the withdrawal of consent, which the respondent refers to in the allegations to the proposal. Thus, those participants who decided to send them, or those who had already sent them, since the deadline for this began on 08/23/2021, had no information about the processing of such data or about their guarantees and rights, even if providing the data was voluntary in their case, which in no way reduces the obligations established by the GDPR or the rights of those affected, if their collection is foreseen as in this case.

Recital 42 of the GDPR adds: “…For consent to be informed, the interested party must know at least the identity of the controller and the purposes of the processing for which the personal data are intended”. The requirement that consent be “informed” thus fails; it implies that all the necessary information must be provided at the time consent is requested, and that it must address the substantive aspects of the processing that the consent is intended to legitimise.

As for the manifestation of will being “unequivocal”, “accepting” “either through a declaration or a clear affirmative action”, it must be evident that the interested party has given his consent to a specific data processing operation. This cannot be deduced from the sending of the aforementioned certificates to the platform indicated by the respondent: what is sent is clear, but there is no awareness that any proposal is being accepted, since there is none at the level of data protection regarding the processing of his data. Valid consent requires the use of mechanisms that leave no doubt as to the intention of the interested party to consent.

Nor can it be agreed that the consent is valid, because consent must be specific. In other words, indiscriminate consent without specifying the exact purpose of the processing is not admissible. To be specific, consent must be understandable: it must refer clearly and precisely to the scope and consequences of the data processing. Therefore, it is not proven that the participants gave their explicit consent for the processing of said personal data for one or more specified purposes, as indicated in article 9.2 a) of the GDPR, nor that the respondent obtained it by virtue of said legitimising basis. The fact is that consent in this case cannot be derived from behaviour such as the sending of COVID certificates, since otherwise it would be neither consent nor explicit. On the other hand, in no writing (message), privacy policy or conditions of use of registrations with third parties is there any reference to said consent. Therefore, the consent given by the participants cannot be considered informed, free and unequivocal, regardless of whether the contribution was voluntary, because it is at the moment the consent is given, and for this purpose, that the consent must have been obtained, which must also be explicit, as a distinctive feature.

The term “explicit” refers to the way in which the interested party expresses his consent. It means that the interested party must give an express declaration of consent. An obvious way to ensure that consent is explicit would be to expressly confirm the consent in a written statement. Where appropriate, the controller could ensure that the written statement is signed by the interested party, in order to eliminate all possible doubts and possible lack of evidence in the future. However, such a signed statement is not the only way to obtain explicit consent, and it cannot be said that the GDPR prescribes written and signed statements in all circumstances requiring explicit consent.

According to the defendant’s arguments, there was unequivocal, free and informed consent.
To accept this, it would have to be assumed that this consent, which would lift the prohibition on processing health data, was also “explicit”, which is the opposite of implicit, or deduced from a certain behaviour. Therefore, uploading the certificates can never be qualified as obtaining explicit consent. Furthermore, the terms in which consent is given, that is, “informed, free and specific consent”, would be missing. In this case, athletes are subjected to a limitation on their individual and fundamental right to their personal data, with a triple option, all referring to information on their health, which may consist of providing the respondent with a vaccination certificate, a “certificate of having the relevant dose for having already had COVID-19”, which refers to having developed antibodies from having suffered the infection, or proof of having undergone PCR or antigen detection diagnostic tests. The voluntary nature of the provision of the certificates should not mean ignoring the requirements that the GDPR and the LOPDGDD impose on such processing, nor the reduction in rights of the person who considers that he has to provide them, which, as maintained in this legal basis, does not comply with obtaining explicit consent.

Therefore, the conditions that may lift the prohibition on processing special category data are set out in section 2 of the aforementioned article 9. However, in this case it is not clear that any of these circumstances occurred in the processing carried out by the respondent, which is what motivated the initiation of the procedure, nor, in particular, the explicit consent analysed above. Thus, in accordance with the evidence available, it is considered that the conduct of the respondent constitutes an infringement of article 9 of the GDPR.
V
Another infringement imputed to the respondent is that of article 30 of the GDPR, for not having at the date of the processing of health data the record of processing activity and which specifies: “1. Each controller and, where applicable, its representative shall keep a record of the processing activities carried out under its responsibility. That record shall contain all of the following information: (a) the name and contact details of the controller and, where applicable, of the joint controller, the controller's representative and the data protection officer; (b) the purposes of the processing; (c) a description of the categories of data subjects and the categories of personal data; (d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; (e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of appropriate safeguards; (f) where possible, the envisaged time periods for the erasure of the different categories of data; (g) where possible, a general description of the technical and organisational security measures referred to in Article 32, paragraph 1. (…) 3. The records referred to in paragraphs 1 and 2 shall be kept in writing, including electronic format. 4. The controller or processor and, where applicable, the controller's or processor's representative shall make the record available to the supervisory authority that requests it. 5. The obligations set out in paragraphs 1 and 2 shall not apply to any company or organisation employing fewer than 250 people, unless the processing carried out by it may entail a risk to the rights and freedoms of the data subjects, is not occasional, or includes special categories of personal data indicated in article 9, paragraph 1, or personal data relating to criminal convictions and offences referred to in article 10.”
Article 30 of the GDPR is found in Chapter IV “Data controller and data processor”, in Section 1 “General obligations”, relating to data controllers. Recital 82 of the GDPR states: “In order to demonstrate compliance with this Regulation, the controller or processor must keep records of the processing activities under its responsibility. All controllers and processors are obliged to cooperate with the supervisory authority and to make such records available to it upon request so that they can be used to monitor processing operations.” This RAT constitutes a means of ensuring that these controllers comply with the guarantees provided for by this Regulation for the protection of the rights and freedoms of data subjects. This general obligation to maintain properly documented records, including their chronology and content, is framed in the principle of article 5.2 of the GDPR, which states that: “The data controller shall be responsible for compliance with the provisions of paragraph 1 and able to demonstrate this (<<proactive accountability>>)”, accountability which requires that data controllers be able to demonstrate compliance with their obligations under the GDPR. In this case, the risk posed by the processing of health data, classified as sensitive, and the impact on privacy related to the processing is clear.
Given the plausible modification of the records of processing activities, or even the extinction over time, when these activities change or disappear, they must be updated and up to date. The RATs provided by the respondent regarding the dates of validity do not reliably prove that such versions of the contents that appear were the ones that existed at the time the health data was collected (08/24/2021), although the respondent stated that it has been in force since 08/17/2021, without providing any element or indication that would lead to this. Likewise, the RAT that was provided in evidence, despite being from after June 2023, still refers to the collection of health data for reasons of COVID, and for the purpose of crisis control, which proves the lack of updating in the keeping of said records. In accordance with all this, the violation of article 30 of the GDPR is proven.
VI
Article 5 of the GDPR indicates among its principles: “1. Personal data will be: a) processed in a lawful, fair and transparent manner in relation to the interested party («lawfulness, loyalty and transparency»)” Article 5.1 a) of the GDPR establishes the principle of transparency in the processing of personal data, in connection with the obligations derived from this principle, established in articles 13 and 14 of the GDPR, as well as the general conditions of the information that must be provided to the interested party, contained in article 12 of the same legal text. Likewise, article 5.1 a) of the GDPR must be connected with the provisions of article 11 of Organic Law 3/2018, of 5/12 (“LOPDGDD”).
This principle of transparency is materialised according to recital 39, in the obligation of the controller to inform data subjects about the processing of their personal data in a concise, easily accessible and easy-to-understand manner (recital 58) and to inform them about the existence of the processing operation and its purposes.
Article 13 of the GDPR states: “1. Where personal data relating to a data subject are obtained from him or her, the controller shall, at the time of obtaining such data, provide him or her with all of the following information: a) the identity and contact details of the controller and, where applicable, of his or her representative; b) the contact details of the data protection officer, where applicable; c) the purposes for which the personal data are processed and the legal basis for the processing; (d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party; (e) the recipients or categories of recipients of the personal data, where applicable; (f) where applicable, the intention of the controller to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and the means of obtaining a copy of these or the fact that they have been provided. 2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following information necessary to ensure fair and transparent processing: a) the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period; b) the existence of the right to request from the controller access to, rectification or erasure of, or restriction of processing of, personal data concerning the data subject, or to object to processing, and the right to data portability; c) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal; d) the right to lodge a complaint with a supervisory authority; (e) whether the communication of personal data is a legal or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is obliged to provide the personal data and is informed of the possible consequences of not providing such data; (f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, meaningful information on the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 3. Where the controller plans to further process personal data for a purpose other than that for which they were collected, it shall provide the data subject, prior to such further processing, with information on that other purpose and any additional information relevant to the purposes of paragraph 2. 4. The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that the data subject already has the information.”
The GDPR itself highlights the absolute link between the principle of transparency and the duty to inform the data subject, when it sets out its article 12 “Transparency of information, communication and methods of exercising the rights of the data subject”, establishing in its section 1 the following: “The controller shall take appropriate measures to provide the data subject with all information indicated in articles 13…” The LOPDGDD indicates in its article 11, “Transparency and information to the data subject: 1. When the data subject has access to the data subject’s personal data, it shall provide the data subject with the following information: When personal data is obtained from the affected party, the data controller may comply with the duty of information established in article 13 of Regulation (EU) 2016/679 by providing the affected party with the basic information referred to in the following section and indicating an electronic address or other means that allows easy and immediate access to the remaining information. 2. The basic information referred to in the previous section must contain, at least: a) The identity of the data controller and of his representative, where applicable. b) The purpose of the processing. c) The possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679.” Regarding the form and content of complying with the right to information for those affected in the collection of health data that occurs after the sending of the messages of 19 and 24/08/2021, by which the provision of proof or vaccine certificates is required, it should be specified that the race website, in its privacy policy, only mentions clients or users who contract a service, and based on this they offer several legitimations.
However, no aspect of the information on the collection of health data contained in the vaccination certificate or in the reports of the diagnostic tests required to participate in the race is specified. Two moments must be distinguished regarding the collection of data related to COVID-19. Firstly, regarding the race registration forms, such registrations were made in the period open for this purpose, from 05/14/2021 to 08/15/2021, in accordance with what was indicated in the Race Regulations. Neither in the Race Regulations, nor therefore in that form is it proven that information was provided on the processing of COVID 19 data, taking into account, in addition, that said processing was decided and projected in the emails of 19 and 24/08/2021. Thus, it is not possible, as the respondent states, that, in the registration form, whether on the gomeraparadise website or on the gomesport website, there was any element that informed that the participants' health data were going to be subject to processing, nor the issues related to it (exercise of rights, conservation period, purpose of processing, recipients, etc.). The time of the registration form should not be confused with the subsequent stage of the option to upload health documents started on 23/08/2021. Thus, when the race regulations were approved, the collection of the disputed data was not planned, so it was impossible to provide information on the registration form, as the respondent alleges and maintains in evidence. On the other hand, together with the fragmentation of some aspects that are offered regarding the treatment, it generates additional confusion that it is indicated in the race regulations that the official page of the race is gomeraparadise, where they have to register, and according to the respondent's allegation, the information was provided from another website, from gomesport, also owned by the respondent. 
It is also not proven that the space for uploading certificates on the website of the respondent through which he organised his participation, gomeraparadise.com, or gomesport, contained complete information required by article 13, not even the basic information indicated in article 11.1 and 2 of the LOPDGDD, which are based on the basis of supplementing the aforementioned information, facts that the respondent does not prove either. Traces of information could be found, but fragmented in different elements: e-mails, race page, privacy policy, but none of them unitary, unstructured. In the privacy policy of the website incorporated into the file, 10/21/21, the claimant was indicated for the provision of services, without any reference to health data, in the email of 08/24/21 the purpose of the health security of the participants was guessed, but no complete information regarding compliance with the requirements of article 13 of the GDPR at the time of collecting the data, even if they were collected voluntarily, an element that has nothing to do with the fact that said information was provided. Thus, regarding the treatment of health data related to COVID 19, the statement made by the respondent in evidence, point I, stating that the privacy policy so that participants knew the type of data that was going to be collected, was contained in the race registration form, “on the registration screen” as the first information layer, referring to the “Legal notice of the website itself” and to the “privacy policy of the gomesporteventos.com website, to access the second information layer” is not credible. 
The respondent also states that the “legal notice” refers to point “9 PRIVACY POLICY” which states: “The User can consult how the respondent “uses their data and the security measures implemented in the privacy policy link of this website, and in the privacy policy of the website www.gomesporteventos.com, where they can expand the information on the treatment of the data of the participants in our events in the following link https://gomesporteventos.com/politica-privacidad”. It has already been seen that, in the privacy policy of the race website, printed version 21/10/2021, there was no information on the treatment of health data subject to this procedure. In addition, the respondent refers to the Gomesport privacy policy, ANNEX III, which was provided by a website that is not that of the competition, to try to prove that it was the information clause that appeared on the date on which the voluntary request was made, 08/24/2021, for the upload of the COVID-19 certificates. This ANNEX III is a part of ANNEX I, also provided in evidence, also by Gomesport (it bears the logo), and which the claimant considers was used to inform participants of the processing of COVID-19 data. However, this statement cannot be validated, not only because it is not the official website of the competition, or because it cannot be proven that it could appear at the time of registration for the event, which had already been closed from 08/15/2021 to 08/24/2021. It also does not deserve credibility due to several factors, highlighting:
-The accreditation of the facts or circumstances of the treatment, including when and how the information is given, corresponds to the respondent. The document does not bear any date of the version, or indication that suggests the date of application or validity.
-The same person responsible for the treatment as in the privacy policy of the official website printed on 10/21/2021 appears, but the addresses to exercise the rights are different.
-The DPD is included in the evidence, which does not occur until June 23.
-It is also confirmed that the version provided was not the one in force at the time of the actual collection of health data, because in the respondent's response in evidence regarding the information requested, after the email indicating the collection of health data from 08/23 to 09/05/2021, the information on the privacy and data protection policy that appeared in the printed version of 10/21/2021 had been changed, the respondent stated that "no changes were made."
All this taking into account that the information to the data holders must be provided before the data is collected. The meaning and effects of providing complete and exhaustive information provided for in Article 13 are not fulfilled by the reference to whether data will be collected voluntarily or not, or by requesting the solidarity of the participants, since in any case and in this specific case, the respondent carried out the data collection and processed it for a purpose. The respondent only refers to the fact that participants upload the data to the online platform and that there they can consult the instructions and some reviews about the person in charge of processing. However, the specific information clause on the collection of data from COVID tests or antigen tests/vaccination certificates was not provided. Recital 60 states: “The principles of fair and transparent processing require that the interested party be informed of the existence of the processing operation and its purposes.
The data controller must provide the data subject with all additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which personal data are processed.” The GDPR lists the categories of information that must be provided to a data subject in relation to the processing of their personal data when these are obtained from the data subject (Article 13). All the information referred to in these sections is equally important and must be provided to the data subject. In principle, the data of the participants are collected with their registration, a period that runs from 14/05 to 15/08/2021. Payment of the registration fee occurs in an initial period, from 14/05 to 14/07/2021. According to the respondent, all registrations and all relevant data collected from participants are hosted on an online platform for registration of sporting events, which is governed by "the following Privacy Policy, and through which all relevant information on each and every participant is uploaded, including the vaccination or test certificate", making known the "rules of use and conditions accepted when making a registration", which informs that the technological tool that allows the registration to be managed is provided by a data processor, without providing any information about the processing that would be carried out. In addition, the Race Regulations indicate that, on the official race page, www.gomeraparadise.com (art. 4 of the Race Regulations), the form published on said website, registration section, must be completed.
Regarding the defendant's allegations stating that the emails dated 19 and 24/08/2021 provided information on the purposes and legitimacy for the processing of the data, this should be noted as not being true, since they provided information on how to upload the certificates to the platform and referred to the difficult situation of the pandemic, and that in times of health alert the best thing for everyone is to "guarantee maximum security", statements that are far from the minimum content indicated in Article 13 of the GDPR. Regarding the statement made in the allegations that the information was contained in the “rules of use and conditions”, its content has already been described, which reported on the access of the data to the platform of a third party contracted for this purpose, as the person in charge of the treatment, considering that this figure processes the data on behalf of the person responsible, without implying in any way a differentiated treatment or a transfer of data to a third party. The content of the order to a third party is not mandatory in the information to provide to users. The references that these rules of use and conditions contained to the “manager” (according to the allegations to the start agreement) who, by the way, as MANAGER, is not identified as the respondent, contain only general statements, and do not have any link as stated in the allegations to any page of the respondent. The statements made in the allegations about “AIVABOOK Sports make several references to the policies of the MANAGER. That is, the policies of the Gomera Paradise websites (in which there is a reference to that of GomeSport, for additional information), and that of GomeSport (in which detailed information is provided)” providing document 1 of allegations, therefore result in deductions by the respondent without any basis, since no connection with GOMESPORT is verified on the race page, or at least it has not been explained by the respondent, despite the fact that it appears in the Race Regulations as the organizer of the same, and on the official page of this one the respondent appears as responsible for the treatment of the data that is collected for the same through the registration form. Regarding the content of your claim that “prior to this procedure, an accessible and updated information clause of understanding for the interested party has been corrected and incorporated into the AVAIBOOK platform”, it should be said that the clause provided in document 1, referring to your “privacy policy for the 2023 race”, an extract located on the gomesport website, is unknown, as is the relationship or function that it fulfills with that of the race, and it turns out that, being clauses referring to 2023, they continue to contemplate the collection and processing of health data related to COVID, despite the passage of time, and again referring to consent. Statements without documentary evidence of the specific period in which the data is collected do not have the scope to release the obligation required of persons or entities that process personal data, with the respondent proving the breach of the aforementioned article 13 of the GDPR.
VII
The offending conduct is defined in Article 83.5 of the GDPR: “Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of not more than EUR 20,000,000 or, in the case of an undertaking, not more than 4% of the total annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9; b) the rights of data subjects pursuant to Articles 12 to 22.” And in article 83.4: “Infringements of the following provisions shall be punished, in accordance with section 2, with administrative fines of a maximum of EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual turnover of the previous financial year, whichever is greater: a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43;” In this regard, the LOPDGDD, in its article 71, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.” For the purposes of the limitation period, article 72 of the LOPDGDD states: “Infringements considered very serious. “1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations: (…) “e) The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679, without any of the circumstances provided for in said provision and in article 9 of this organic law occurring.” (…) “h) The failure to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this organic law.” And article 73 of the LOPDGDD considers, for the purposes of the limitation period, as serious infringements: “According to the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will be subject to a two-year statute of limitations: (…) “n) Not having the record of processing activities established in article 30 of Regulation (EU) 2016/679.”
VIII
Paragraphs b), d) and i) of Article 58.2 of the GDPR provide as follows: “Each supervisory authority shall have all of the following corrective powers: (…) “(b) issue a warning to any controller or processor where processing operations have infringed this Regulation;” (…) “(d) order the controller or processor to conform processing operations to this Regulation, where appropriate, in a specified manner and within a specified period;” “(i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, according to the circumstances of each particular case;”
The respondent also asserts that a warning would be appropriate since “in other resolutions, with the same infringement, such as file 202312720, no sanction was imposed, but a warning was issued”. On this point, it should be noted that the files are manifestly different, because in the one referenced by the respondent it affects only one complainant and only due to lack of information, when in the case now examined there are three infringements charged, referring to the processing of health data not necessary for the provision of the service and affecting the 1,350 participants who were asked for their health data without informing them and without exception of art. 9.2 of the RGPD that would allow the processing of the data, of which 690 supplied the data. In this case, given the category of the data collected and the risks to the rights and freedoms that are compromised by them, the sanctioning procedure of an administrative fine is used. The information in the data collection, even if it was voluntary, appears directly related to the processing of the health data of the participants, so it is not possible to separate the connection and importance of one from the other. It is not possible to issue a warning as the respondent claims. Furthermore, on the other hand, the structured provision of the RAT also contains a guarantee of the correct processing of the data.
IX
The determination of the sanctions to be imposed in the present case requires observing the provisions of articles 83.1 and 83.2 of the GDPR, precepts that, respectively, provide the following: “1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.” “2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as an alternative to the measures referred to in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentionality or negligence of the infringement; (c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32; (e) any previous infringement committed by the controller or processor; (f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate any adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent; (i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with such measures; (j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” Within this section, the LOPDGDD provides in its article 76, entitled: “Sanctions and corrective measures”: “1. The sanctions provided for in paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in paragraph 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continued nature of the infringement. b) The connection between the offender's activity and the processing of personal data. c) The benefits obtained as a result of committing the infringement. d) The possibility that the affected party's conduct could have led to the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection officer. h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in cases where there are disputes between them and any interested party. 3. It will be possible, additionally or alternatively, to adopt, where appropriate, the remaining corrective measures referred to in Article 83.2 of Regulation (EU) 2016/679.”
In accordance with the transcribed provisions, for the purposes of setting the amount of the fines to be imposed in the present case, for the infringement of article 9 of the GDPR for which the respondent is held responsible, the following factors are considered to be concurrent as aggravating factors that reveal greater unlawfulness and/or culpability in the conduct of the respondent:
-Article 83.2.a) GDPR “nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;” Although the purpose was intended to ensure the avoidance of contagion during the competition, leaving it up to the participants to provide the data does not mean that the legitimizing basis for this type of data should not be taken into account. The fact that more than half of the participants, 690 out of 1,350 participants, gave their data represents a very high number of participants and does not mean that it is not serious, given the data on which they affect. The nature of the damage could potentially imply that athletes are forced to get vaccinated in order to comply with the recommended guidelines for participating in the test if they were not. For the infringement of article 9 of the GDPR, the fine is considered to be 8,000 euros.
For the infringement of article 13 of the GDPR, article 83.2.b) GDPR “the intention or negligence in the infringement” is considered to be concurrent as an aggravating factor, which reveals a greater unlawfulness and/or culpability in the conduct of the defendant.
This aspect relates the execution of the action with the subject, in the sense of, not only the imputability of the infringement to the person responsible, but also the fact of being able to aggravate or reduce the sanction, according to the degree of guilt. As for the imputability to the responsible subject, the principle of guilt prevents the admission in the administrative sanctioning law of objective liability, although it is also true that the absence of intention is secondary since this type of infringement is normally committed by a culpable or negligent act, which is sufficient to integrate the subjective element of guilt. What is assessed in this section is its analysis for the graduation of the sanction (art. 40 LRJPAC), observing the specific diligence displayed in the action by the responsible party, and in this specific case, there is a notable negligence on the part of the defendant, proven in an omission of compliance with his basic duty to inform in the treatment of the holders of the rights that, due to the fact that the regulations of the race can be changed to request data and they have to register in the competition, or their voluntary nature in providing the data, does not detract from the lack of the diligence required to comply with this basic duty. For the infringement of article 13 of the RGPD, a fine of 6,000 euros is imposed. For the infringement of article 30 of the RGPD, an amount of 1,000 euros is considered. Regarding the defendant's allegations that there is good faith and the desire to act in accordance with the guidelines and criteria of the health authority, with the intention of organizing the sporting event without risk, it must be indicated that no guideline or criteria of the health authority has been provided that foresees the need to provide vaccination certificates, not even on a voluntary basis. 
A need that is not ratified either by the voluntariness of the contribution that resulted in just under half not providing such certificates. Regarding good faith and intention, they do not make the unlawful action and guilt imputed to him disappear, not considering, however, resuming the analysis of the treatment projected when in the email of 24/08/2021 he sends it to answer the doubts and clarifications, informing that those who do not provide it will not be excluded from the race, which calls into question the need and purpose of the aforementioned treatment. These allegations are not sufficient in scope to reduce the amount of the infringements, and are therefore dismissed. Regarding the lack of benefits obtained in the processing of the data subject to the claim, as an attenuating circumstance, this grading criterion is established in the LOPDGDD, in accordance with the provisions of article 83.2.k) of the GDPR, according to which administrative fines will be C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 43/45 imposed taking into account any “aggravating or attenuating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement”, it being understood that avoiding a loss has the same nature for these purposes as obtaining benefits. If we add to this that the sanctions must be “effective, proportionate and dissuasive in each individual case”, as provided for in article 83.1 of the GDPR, admitting the absence of benefits as an attenuating circumstance is not only contrary to the factual assumptions contemplated in article 76.2.c), but also contrary to the provisions of article 83.2.k) of the GDPR and the principles indicated. 
Thus, assessing the absence of benefits as an attenuating circumstance would nullify the deterrent effect of the fine, to the extent that it reduces the effect of the circumstances that effectively affect its quantification, giving the responsible party a benefit that he has not earned. It would be an artificial reduction of the sanction that could lead to the understanding that violating the rule without obtaining benefits, financial or of any other type, “will not produce a negative effect proportional to the seriousness of the offending act”. It should be added that “In any case, the administrative fines established in the GDPR, in accordance with the provisions of article 83.2, are imposed based on the circumstances of each individual case”, and, at present, it is not considered that the absence of benefits is an adequate and determining grading factor to assess the seriousness of the infringing conduct. Only in the event that this absence of benefits is relevant to determine the degree of unlawfulness and culpability present in the specific infringing conduct may it be considered as an attenuating circumstance, in application of article 83.2.k) of the GDPR, which refers to “any other aggravating or attenuating factor applicable to the circumstances of the case”. This paragraph leaves the door open to those cases in which the absence of benefits may be considered an attenuating circumstance, but not according to the literal and teleological interpretation of the legislator in accordance with the provisions of art. 83.2.k) of the GDPR. Also the AN Judgment, of 05/05/2021, rec. 1437/2020, indicates: “It considers, on the other hand, that the non-commission of a previous infringement must be considered as an attenuating circumstance. 
Well, article 83.2 of the GDPR establishes that the following must be taken into account for the imposition of the administrative fine, among others, the circumstance "e) any previous infringement committed by the controller or the person in charge of the treatment". This is an aggravating circumstance, the fact that the prerequisite for its application does not exist means that it cannot be taken into consideration, but it does not imply or allow, as the plaintiff claims, its application as an attenuating circumstance”; applied to the case under trial, the lack of the prerequisite for its application with respect to art. 76.2.c) of the LOPDGDD, that is, obtaining benefits as a result of the infringement, does not allow its application as an attenuating circumstance. As for the measures implemented by the defendant after the initiation agreement, some are not understandable, such as the notification to necessary parties of the data security breach, and others are general to an ordinary data protection administration implemented at the beginning of the treatment. the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE on B.B.B., with NIF ***NIF.1, administrative fines for the infringements of the GDPR of the following articles: -9, in accordance with article 83.5.a) of the GDPR and classified as very serious for the purposes of prescription in article 72.1.e) of the LOPDGDD, with a fine of 8,000 euros. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 44/45 -30, in accordance with article 83.4.a) of the GDPR and classified as serious for the purposes of prescription in article 73.n) of the LOPDGDD., with a fine of 1,000 euros -13 in accordance with article 83.5.a) of the GDPR and classified as very serious for the purposes of prescription in article 72.1.h) of the LOPDGDD, with a fine of 6,000 euros SECOND: NOTIFY this resolution to B.B.B.. 
THIRD: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this faculty. The sanctioned party is warned that he/she must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of the LPACAP, within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29/07, in relation to art. 62 of Law 58/2003, of 17/12, by means of its payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period. Once the notification has been received and has been enforced, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution or directly an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13/07, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final decision may be provisionally suspended by administrative means if the interested party states his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, submitting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 45/45 remaining registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will consider the precautionary suspension to be terminated. 938-16012024 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es