AEPD (Spain) - TD/00262/2019: Difference between revisions

From GDPRhub
(Created page with "{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |AEPD - E/08501/2019 |- | colspan="2" style="padding: 20px; background-color:#ffffff;" |...")
 
No edit summary
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
! colspan="2" |AEPD - E/08501/2019
! colspan="2" |AEPD - TD/00262/2019
|-
|-
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:logoES.jpg|center|250px]]
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:logoES.jpg|center|250px]]
Line 10: Line 10:
[[Category: Spain]]
[[Category: Spain]]
|-
|-
|Relevant Law:||[[Article 33 GDPR|Article 33 GDPR]]
|Relevant Law:||[[Article 17 GDPR]]


|-
|-
|Type:||Investigation
|Type:||Complaint
|-
|-
|Outcome:||n/a
|Outcome:||n/a
Line 19: Line 19:
|Decided:||n/a
|Decided:||n/a
|-
|-
|Published:||21.01.2020
|Published:||7.01.2020
|-
|-
|Fine:||n/a
|Fine:||n/a
|-
|-
|Parties:||CaixaBank S.A.
|Parties:||CGT Sector Federal de Telemarketing
A.A.A.
|-
|-
|National Case Number:||E/08501/2019
|National Case Number:||TD/00262/2019
|-
|-
|European Case Law Identifier
|European Case Law Identifier
Line 35: Line 36:
Spanish
Spanish
|-
|-
|Original Source:||[https://www.aepd.es/es/documento/e-08501-2019.pdf AEPD (in ES)]
|Original Source:||[https://www.aepd.es/es/documento/td-00262-2019.pdf AEPD (in ES)]
|}  
|}  


The AEPD decided that the corrective actions taken by CaixaBank S.A. after the reported data breach were in accordance with the data protection law.  
The AEPD decided to initiate disciplinary proceedings against Vodafone España, S.A.U. and impose a fine of € 100.000 for the alleged infringement of Article 6(1) GDPR.  


==English Summary==
==English Summary==


===Facts===
===Facts===
On 30 May 2019 CaixaBank S.A. notified the Spanish Data Protection Agency (AEPD) about a security breach relating to the paper documentation which related to its customers and which was deposited in a public waste container. There was no evidence, but it could not be ruled out that the documentation did not contain personal data.   
On 15 February 2019, Mrs A.A.A.  (hereinafter, the complainant) exercised her right to erasure against CGT Sector Federal de Telemarketing (hereinafter, the respondent) and had not received a response to her request. In particular, the request included  that complainant's personal data (such as name, surname and telephone number) should not appear in a bulletin posted on the CGT Telemarketing website when a search is made.   


On 12 September 2019, the director of the AEPD agreed to initiate an investigation to clarify the facts that have not were not mentioned in the notification. 
In response to the request "to be forgotten", the respondent instructed the complainant to address Google in order to remove the links or the text.  
 
CaixaBank S.A. submitted further documentation and a security protocol which was in place during the data breach.
===Dispute===
===Dispute===
In the present case, it is presumed that the personal data breach occurred in the circumstances categorised as a possible breach of confidentiality as a result of the deposit in public access containers of documentation on clients of the entity during a transfer.  
In summary, the following delegations were made: The representative of the respondent states in the allegations made during the processing of this procedure that the complainant has voluntarily joined the CGT as a member of the Works Council. That a response was given to the complaint raised, that the data appeared on the union website because she belonged to the union and to the Workers' Committees and because of her participation in the bulletins and in a company with thousands of workers, which means that the contact details are published in case any worker needs help or to locate their representatives. That the bulletins are uploaded on the Internet by the union sections in a self-managed manner, with the complainant herself participating in the distribution of union information bulletins. However, in response to her complaint, she has censored her name and telephone number in the PDF documents. It was reported that in reference to external pages such as social networks or search engines must be time to stop indexing that content or request the cancellation oborrados to the website that stores such information outside the CGT. That the telemarketing sector is not itself the CGT but an entity that is part of it and therefore only has control over the web and content of "www.cgt-telemarketing.That CGT is an Association of Trade Unions and sectors, each of which has its own legal personality and therefore its own C.I.F. and has not maintained any relationship with the claimant. That it is not recorded, furthermore, that it has exercised the right before this headquarters, and that, the data of this one do not appear in the files of this headquarters.  
 
In the present case, there is no evidence that such documentation contained personal data of the Bank's clients. The investigation revealed that CaixaBank S.A. had taken a number of technical and organisational measures to prevent this type of incident, and these measures were passed on to the collaborating agencies and employees.  
 
It is also noted that on the occasion of the incident, an impact assessment was carried out on the affected treatments and technical and organisational improvements were implemented.


===Holding===
===Holding===
As a result of the investigation and taking into account all the risk minimisation corrective actions after the data breach, the AEPD found that the actions taken by CaixaBank S.A. as the entity responsible for the processing were in accordance with the law on personal data protection.   
In the case analyzed here, the claimant exercised its right of deletion and in accordance with the rules indicated above, its request obtained the legally required response within the established period, the claimant indicates that they have proceeded to the deletion of their data. Furthermore, as regards the fact that their personal data are deleted when they are entered in the search engine and that they are not associated with the search results from their names in the already referenced URLs, during the processing of the present proceedings this Agency has verified that, when a search is made by the name of the party in the search engine, the result is "No results found" for each of the urls in question.The purpose of this procedure is to ensure that the guarantees and rights of those affected are duly restored, and therefore, in this case, regardless of whether the search engine refuses to cancel the URLs, there would be grounds for analysing the relevance or otherwise of what has been published, and given that your name is not linked to the search results in the URLs in question and that the person responsible for the file states that your data has been cancelled, the claims of the complainant have been satisfied, and therefore the complaint is rejected as not having any purpose. In view of the above-mentioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:FIRST: TO DISMISSUE the claim formulated by Ms. A.A.A. against CGTSECTOR FEDERAL DE TELEMARKETING.SECOND: TO NOTIFY this resolution to A.A.A.A. 
and CGT SECTOR FEDERAL DE TELEMARKETING In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties..6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the date on which it was issued.are manifestly unfounded foreseen on the day following the notification of this act, in accordance with the provisions of article 46.1 of the aforementioned Act.   


==Comment==
==Comment==
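Review bot: the new lead sentence above "==English Summary==" describes a different case. It says the AEPD initiated disciplinary proceedings against Vodafone España, S.A.U. with a fine of € 100.000 under Article 6(1) GDPR, while the infobox in this same revision lists the parties as CGT Sector Federal de Telemarketing and A.A.A., Article 17 GDPR, and "Fine: n/a", and the new Holding says the claim was dismissed. Replace that sentence with one that matches the Holding, for example that the AEPD dismissed the erasure complaint against CGT Sector Federal de Telemarketing because the data had already been removed. The new Dispute and Holding paragraphs are also pasted decision text rather than a summary ("the following delegations were made", "cancellation oborrados", the unterminated "www.cgt-telemarketing.That", "TO DISMISSUE") and would be better condensed to a few sentences.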
Line 70: Line 65:


<pre>
<pre>
Procedure No.: E/08501/2019940-0419
File No.: TD/00262/20191034-080719
 
RESOLUTION Nº: R/00651/2019


RESOLUTION OF ACTIONS
Having regard to the complaint made on 8 April 2019 to this Agency by Ms. A.A.A., against the CGT SECTOR FEDERAL DE TELEMARKETING, for not having duly attended to its right of deletion, the following procedural actions have been carried out as provided for in Title VIII of the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD)


From the actions carried out by the Spanish Data Protection Agency and based on the followingFIRST ACTS: On 30 May 2019 the entity CAIXABANK, S.A. (hereinafter CAIXABANK) notified this Agency of a security breach relating to the paper documentation of customers deposited in a public waste container, among which there is no evidence, but it could not be ruled out, that there were personal data.SECOND: On September 12, 2019, the director of the Spanish Data Protection Agency agreed to initiate investigative actions urging the Subdirectorate General of Data Inspection to proceed with the realization of investigations to clarify the facts that were the object of the notification, having knowledge of the following points: ENTIDADES INVESTIGADASCAIXABANK S.A. ENTIDADES INVESTIGADASCAIXABANK S.A. with NIF A08663619 and domiciled in C/ PINTOR SOROLLA 2-4 -46002 VALENCIA (VALENCIA)RESULTS OF THE INVESTIGATION ACTIONSWith regard to the factsCaixabank has communicated to this Agency the following facts in the notification of security work: "During the transfer of an office of the entity, some boxes with confidential documents for internal use, among which it is not stated, but it has not been ruled out, that there were personal data, were deposited in the wrong waste container (not dedicated to paper destruction) that took 3 days to be removed from the public road."They declare that they found out about the gap through comments on a social network. The approximate number of people affected by the gap Caixabank consign zero. Caixabank was asked to print the commentary published on the social network, which reads: "It is normal that a huge amount of internal papers from the branch 4364-AUDITORIUM are thrown in a container of works in Valencia?  This is internal documentation with details of customer accounts, reports, etc... from 1999 to 2004! ..." 
"In the report made by the entity, which includes the investigations carried out as a result of the incident detected, a possible account of the events is included:
FACTS


"In the final work of emptying the furniture, documentation, equipment, materials and equipment and cleaning of the integrated office, which was carried out on Friday 24 May, two cardboard boxes were removed from the office which had been erroneously classified by the Office as obsolete advertising material and were therefore considered to be waste. ...] All the material resulting from the final work that was classified as waste was transferred to the management facility located in the Campanar district of Valencia's municipal district in the late afternoon of Friday 24 May. This facility was closed at that time so the material was deposited in the containers located for that purpose at the access to the facility with the idea that they were treated for management and destruction by the facility the next working day, Monday 27/5. During the period of time that elapsed between Friday afternoon/night (when the material was deposited there) and the first hour of Monday (when it was managed and destroyed), the deposited materials (including documentation incorrectly classified at source) were placed in the aforementioned containers.  It was in these containers (or around them) where the complainant located the reference documents and proceeded to make the complaint through social networks.  It can be assumed that someone, at some point prior to the arrival of the denouncer, must have rummaged through these containers, breaking and/or emptying the boxes of documents mentioned and that they arrived there closed, thus exposing their contents". In response to the Agency's request for information, the representatives of CaixaBank stated: 'This incident was communicated to the Agency as a matter of prudence, since neither at the time nor at the date of issue of this letter has it been confirmed that the documents deposited in the destruction containers referred to in this procedure actually contained personal data.   
In particular, it is not possible to determine from the photograph that accompanied a citizen's commentary published on social networks that this incident was brought to our attention whether the documents thrown into the container included personal data (books, a financial report of a legal entity, accounting balances of CaixaBank branches, etc.). "With respect to the measures implemented before the breach: Caixabank has provided the following information and documentation at the request of the Data Inspection Authority:-With respect to general security policies and measures: Caixabank has provided a copy of the Registry of Processing Activities, in which they are recorded as activities: (i) Transfer of paper documentation and (ii) Destruction of paper documentation: The representatives of Caixabank indicate that the data processing activities that were compromised were carried out before the General Data Protection Regulation came into force and have not been modified in any way, so it was not necessary to carry out a Risk Analysis or an Impact Assessment, and that, notwithstanding the above, in response to the security breaches that have occurred, the process has been initiated to carry out the corresponding impact assessment.The entity has implemented a procedure for the management of security breaches, a copy of which has been provided.With regard to specific policies for the transfer/destruction of documentation, in order to guarantee the security of documentation and material in paper format during the branch integration process, CaixaBank has had a Branch Integration Protocol in place since October 2018, which specifies how to act during the transport of documentation and which security measures must be adopted. 
A copy of the Branch Integration Protocol is provided in section three of the Branch Integration Protocol, which refers to the operational aspects and defines the tasks to be carried out during the branch integration process in all matters relating to the transfer and destruction of documents and paper material. According to the Protocol, documentation is treated differently depending on whether it contains confidential client information or simply paper-based material, mainly advertising material, posters, etc. According to the provisions of the Office Integration Protocol, days before the transfer of documentation and paper-based material, the office to be transferred is obliged to separate all the archives, distinguishing (i) documentation to be destroyed, (ii) documentation to be filed and (iii) documentation to be sent to the receiving office. Once classified, the documentation must be stored in boxes, clearly indicating what type of documentation it contains and then transported. They also provide a copy of the CaixaBankFacilities Management Integration Task Protocol, which defines the functions and responsibilities in relation to the transport and destruction of documentation in the case of office integrations. Under this protocol, branches must first destroy all documentation in accordance with the internal standards of CaixaBank. Once this has been done, the branch must determine which documentation must be sent and stored at the integrating branch and which must be filed at a third branch or removed by third party file management companies. Once all the documentation is classified and packed in boxes, it is then moved. The transfer is supervised by the technical service. All the documentation that has not been destroyed on the day the office closes is transferred to the integrating office, with a copy of the integration protocol of LEVIRA Spain, the supplier contracted to transport the boxes. 
According to the protocol, the documentation is only handled by the office and is always packed in the transfer boxes, so that LEVIRA employees never have access to the documentation. As an additional security measure, it establishes the obligation to count the number of boxes that are withdrawn and the number of boxes that are delivered, confirming if the number coincides. The number of boxes must be noted in the register and both the issuing and receiving offices must sign it.
FIRST: On February 15, 2019, Mrs. A.A.A. (hereinafter, the complainant) exercised her right of withdrawal against CGT SECTOR FEDERAL DETELEMARKETINGcon (hereinafter, the respondent), without receiving the legally established response to her request. In particular, he requests that his personal data not be published in the URLs when a search is made with his name, the name, surname and telephone number appear in a bulletin posted on the cgt telemarketing website:


-Regarding the reason why the measures implemented could not serve to avoid the alleged access to the documentation by a third party, the representatives of the entity state: Before analyzing the possible reasons why the described security measures were not sufficient to avoid the access to the documentation by a third party, Caixabank wants to show that they have been carried out numerous integrations of offices without any incidence.Specifically, the only two incidents that occurred were notified to the Spanish Data Protection Agency on 20 March and 30 May 2019.They understand that the security measures provided for in the protocols in force prior to the security breach that occurred were effective and have been effective in general, and as to why the existing measures did not prevent the incident, they conclude that, as described in the protocols, in office integration processes, the responsibility for classifying the documentation and deciding when it should be destroyed in a confidential manner, which should be filed and which should be transferred directly to the integrating office, lies with the offices. In this way, it was the offices themselves that decided whether paper material should be destroyed on a routine basis, i.e., without the guarantees of destruction of confidential documentation.   This process implies that the classification of the documentation as confidential or as mere paper-based material depended on the criteria of the office staff, and therefore there was a margin of error. With respect to the actions taken and the measures implemented as a consequence of the occurrence of the breach: Caixabank has provided a copy of a report that includes the investigations carried out as a result of the incident detected during the documentation transfer phase in the integration of offices 4364 and 5052. The report details the analysis of the actions carried out by each of the parties involved in the integration process of offices 4364 and 5052. 
It includes a chronological list of the actions carried out during the integration, a detailed description of the incident that occurred and a proposal for corrective measures. An action plan has been drawn up to modify the Integration Protocols of the offices and add additional security measures. A copy of the modified version of the Integration Protocol, dated May 2019, is included in the action plan drawn up to reinforce the guarantees of the office integration protocols and to strengthen the traceability and centralisation of the archive.Specifically, these measures are:(i) Assurance of the early delivery of material (boxes) to the office to facilitate the appropriate classification of the documentation to be transferred to the integrating premises, documentation to be transferred to the Centralised Archive and documentation to be managed by means of confidential destruction.  
1.***URL.12.***URL.23.***URL.34.***URL.45.***URL.56.***URL.67.***URL.78.***URL.89.***URL.910.***URL.1011.***URL.1112.***URL.1213.***URL.1314.***URL.14
(ii)Classification of all documentation into one of the three groups indicated. All documentation that is not transferred to the destination location or that is not filed centrally must be managed by confidential destruction. (iii) The documentation to be transferred will be organized in boxes that will be numbered and classified, leaving a photographic record both in the location of origin and destination.(iv) The supplier in charge of the confidential destruction will always be summoned at the time of closing of the integrated premises in order to manage any documentation that may arise at the last moment. (v) The offices will sign a delivery note showing the documentation from the office of origin and the documentation that arrives at the office of destination.(vi)An employee of the office must always be present in both locations when the transfer work is carried out. (vii)At the beginning of the integration campaign, the delivery of the current integration protocol to the intervening technical services must be expressly recorded.(viii)An incident register is created for the transfer and integration processes so that they can be traced. The action plan expressly indicates that all the modifications and safety measures described must be incorporated into the protocols in force and communicated to the intervening agents. 
The incorporation of the above security measures into the protocols is intended to ensure greater traceability of the actions carried out in the integration processes of the offices and greater security of the documentation as all materials on paper are treated as confidential documents.According to the powers of investigation and correction that Article 58 of Regulation (EU) 2016/679 (General Regulation on Data Protection, hereinafter referred to as GPRD) grants to each supervisory authority, and in accordance with the provisions of Article 47 of Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (hereinafter referred to as LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.The RGPD defines, in a broad way, the "personal data security violations" (from now on security breach) as "all those security violations that cause the destruction, loss or accidental or illicit alteration of personal data transmitted, kept or otherwise treated, or the unauthorized communication or access to such data".


In the present case, it is presumed that a breach of security of personal data occurred in the circumstances indicated above, categorised as a possible breach of confidentiality as a result of the deposit in public access containers of documentation on clients of the entity during an unbundling transfer.  However, in the present case, there is no evidence that such documentation contained personal data of clients. The investigation revealed that Caixabank had taken a number of technical and organisational measures to prevent this type of incident, and these measures were passed on to the collaborating agencies and employees. Likewise, Caixabank had action protocols to deal with an incident like the one analyzed here, which allowed for the identification, analysis and classification of the personal data security breach as well as the diligent reaction to it in order to notify and communicate, minimize the impact and implement new reasonable and timely measures to avoid the repetition of the incidence in the future through the implementation and effective execution of an action plan by the various figures involved such as the person responsible for the treatment and the collaborating agencies as managers, as well as the Data Protection Delegate. It is also recorded that on the occasion of the incident, an impact assessment was carried out on the affected treatments and technical and organisational improvements were implemented.  As a result, it is recorded that Caixabank had reasonable technical and organizational measures in place to avoid this type of incident and that, as they were insufficient, they were diligently updated. However, in order to close the security gap, it is suggested that a Final Report be drawn up on the traceability of the event and its assessment, particularly with regard to the final impact. 
This report is a valuable source of information to feed into risk analysis and management and will serve to prevent the repetition of a gap of similar characteristics as the one analyzed, which could be caused by a specific error.III Therefore, it has been accredited that the action of Caixabank as the entity responsible for the processing has been in accordance with the regulations on personal data protection analysed in the previous paragraphs.
The complainant provides documentation where the respondent informs him that he must go to the branch union and that he must go to Google in order to remove the links or text of the branch union.4 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights, and the Director of the Spanish Data Protection Agency agreed to admit the claim presented by the claimant against the defendant and agreed to postpone the claim, so that within fifteen working days he can present the allegations he considers appropriate and the parties are informed that the maximum period for resolving the procedure will be six months. In summary, the following delegations were made: The representative of the respondent states in the allegations made during the processing of this procedure that the complainant has voluntarily joined the CGT as a member of the Works Council. That a response was given to the complaint raised, that the data appeared on the union website because she belonged to the union and to the Workers' Committees and because of her participation in the bulletins and in a company with thousands of workers, which means that the contact details are published in case any worker needs help or to locate their representatives.That the bulletins are uploaded on the Internet by the union sections in a self-managed manner, with the complainant herself participating in the distribution of union information bulletins. However, in response to her complaint, she has censored her name and telephone number in the PDF documents. It was reported that in reference to external pages such as social networks or search engines must be time to stop indexing that content or request the cancellation oborrados to the website that stores such information outside the CGT. 
That the telemarketing sector is not itself the CGT but an entity that is part of it and therefore only has control over the web and content of "www.cgt-telemarketing.That CGT is an Association of Trade Unions and sectors, each of which has its own legal personality and therefore its own C.I.F. and has not maintained any relationship with the claimant. That it is not recorded, furthermore, that it has exercised the right before this headquarters, and that, the data of this one do not appear in the files of this headquarters.


SECOND: TO NOTIFY the present resolution CAIXABANK S.A. with NIFA08663619 with address in C/ PINTOR SOROLLA 2-4 - 46002 VALENCIA(VALENCIA) In accordance with the provisions of article 50 of the LOPDGDD, the present resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure according to the provisions of article 114.1.c) of Law 39/2015, of 1st October, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of articles 112 and 123 of the aforementioned Law 39/2015, of 1 October, the interested parties may lodge, optionally, an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this decision or from the day of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the above-mentioned Law. Mar Spain Martí Director of the Spanish Data Protection Agency
LEGAL GROUNDS

FIRST: The Director of the Spanish Data Protection Agency is competent to decide, in accordance with the provisions of Article 56(2) in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, RGPD); and Article 47 of the Organic Law 3/2018 of December 5, on Personal Data Protection and Guarantee of Digital Rights (hereinafter referred to as LOPDGDD).

SECOND: Article 64.1 of the LOPDGDD provides that: "1. When the procedure refers exclusively to the failure to comply with a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will be initiated by an admission agreement, which will be adopted in accordance with the provisions of the following article. Once this period has elapsed, the interested party may consider his or her claim to be accepted".

THIRD: Article 12 of Regulation (EU) 2016/679, of 27 April 2016, General Data Protection Regulation (RGPD), provides the following:

"1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication pursuant to Articles 15 to 22 and 34 relating to the processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and simple language, in particular any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. At the request of the data subject, the information may be provided orally provided that the identity of the data subject is established by other means.

2. In the cases referred to in Article 11(2), the controller shall not refuse to act on request of the data subject for the purpose of exercising his rights under Articles 15 to 22, unless he can prove that he is not able to identify the data subject.

3. The data controller shall provide the data subject with information concerning his or her actions on the basis of a request pursuant to Articles 15 to 22, and in any case within one month of receipt of the request. This period may be extended by another two months if necessary, taking into account the complexity and number of requests. The official shall inform the applicant of any such extension within one month of receipt of the application, stating the reasons for the delay. Where the interested party submits the request by electronic means, the information shall be made available by electronic means where possible, unless the interested party requests otherwise.

4. If the data controller does not comply with the request of the data subject, he shall inform the data subject without delay, and at the latest one month after receipt of the request, of the reasons for his failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.

5. The information provided under Articles 13 and 14 as well as any communication and any action taken under Articles 15 to 22 and 34 shall be free of charge. (a) charge a reasonable fee commensurate with the administrative costs incurred in providing the information or communication or in taking the action requested; or (b) refuse to act on the request. Without prejudice to the provisions of Article 11, where the data controller has reasonable doubt as to the identity of the natural person making the request referred to in Articles 15 to 21, he may request that additional information necessary to confirm the identity of the data subject be provided.

7. The information to be provided to the data subject under Articles 13 and 14 may be transmitted in combination with standardised icons which provide an easily visible, intelligible and clearly legible overview of the intended processing. Icons presented in electronic form shall be mechanically legible.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the information to be displayed by means of icons and the procedures for providing standardised icons.

The rights recognised in Articles 15 to 22 of Regulation (EU) 2016/679 may be exercised directly or through a legal or voluntary representative.

2. The data controller shall be obliged to inform the data subject of the means at his disposal to exercise the rights to which he is entitled. The means must be easily accessible to the data subject. The exercise of the right may not be denied on the sole ground that the data subject has opted for another means.

3. The person in charge may process, on behalf of the person responsible, the requests for the exercise of his rights made by the affected parties if this is established in the contract or legal act that binds them.

4. When the laws applicable to certain processing operations establish a special regime affecting the exercise of the rights provided for in Chapter III of Regulation (EU) 2016/679, the provisions of those laws shall apply.

6. In any case, the holders of the parental authority may exercise the rights of access, rectification, cancellation, opposition or any other rights that may correspond to them in the context of this law in the name and on behalf of minors under fourteen years of age.

7. The actions carried out by the person in charge of the treatment to attend the requests of exercise of these rights will be free of charge, without prejudice of the articles 12.5 and 15.3 of the Regulation (EU) 2016/679 and in the paragraphs 3 and 4 of article 13 of this organic law."

FIFTH: Article 17 of the RGPD establishes that:

"1. The data subject shall have the right to obtain without undue delay from the data controller the deletion of personal data relating to him, who shall be obliged to delete the personal data without undue delay in any of the following circumstances: (a) personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on the basis of which the processing was carried out in accordance with Article 6(1)(a) or Article 9(2)(a) and this is not based on any other legal basis; (c) the data subject opposes the processing according to Article 21(1) and no other legitimate grounds prevail for the processing, or the data subject opposes the processing according to Article 21(2); (e) personal data must be deleted in order to comply with a legal obligation under Union law or the law of the Member States applicable to the controller.

2. Where he has made personal data public and is required, pursuant to paragraph 1, to delete such data, the controller shall, taking into account the technology available and the cost of implementation, take reasonable steps, including technical measures, to inform the controllers who are processing the personal data of the request of the data subject to delete any link to such personal data or any copy or replica thereof.

3. Paragraphs 1 and 2 shall not apply where processing is necessary: (b) in order to comply with a legal obligation requiring the processing of data imposed by Union law or by law of the Member States on the controller or in order to carry out a task carried out in the public interest or in the exercise of public authority vested in the controller; (d) for archiving purposes in the public interest, for the purposes of scientific or historical research or for statistical purposes, in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to make impossible or seriously impede the achievement of the purposes of such processing; or"

SIXTH: In the case analyzed here, the claimant exercised its right of deletion and in accordance with the rules indicated above, its request obtained the legally required response within the established period, the claimant indicates that they have proceeded to the deletion of their data. Furthermore, as regards the fact that their personal data are deleted when they are entered in the search engine and that they are not associated with the search results from their names in the already referenced URLs, during the processing of the present proceedings this Agency has verified that, when a search is made by the name of the party in the search engine, the result is "No results found" for each of the URLs in question. The purpose of this procedure is to ensure that the guarantees and rights of those affected are duly restored, and therefore, in this case, regardless of whether the search engine refuses to cancel the URLs, there would be grounds for analysing the relevance or otherwise of what has been published, and given that your name is not linked to the search results in the URLs in question and that the person responsible for the file states that your data has been cancelled, the claims of the complainant have been satisfied, and therefore the complaint is rejected as not having any purpose.

In view of the above-mentioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DISMISS the claim formulated by Ms. A.A.A. against CGT SECTOR FEDERAL DE TELEMARKETING.

SECOND: TO NOTIFY this resolution to A.A.A. and CGT SECTOR FEDERAL DE TELEMARKETING.

In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.

.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the date on which it was issued. are manifestly unfounded foreseen on the day following the notification of this act, in accordance with the provisions of article 46.1 of the aforementioned Act.


Mar España Martí
Director of the Spanish Data Protection Agency
</pre>
</pre>

Revision as of 12:48, 12 February 2020

AEPD - TD/00262/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 17 GDPR
Type: Complaint
Outcome: n/a
Decided: n/a
Published: 7.01.2020
Fine: n/a
Parties: CGT Sector Federal de Telemarketing

A.A.A.

National Case Number: TD/00262/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language: Spanish

Original Source: AEPD (in ES)

The AEPD decided to initiate disciplinary proceedings against Vodafone España, S.A.U. and impose a fine of € 100.000 for the alleged infringement of Article 6(1) GDPR.

English Summary

Facts

On 15 February 2019, Mrs A.A.A. (hereinafter, the complainant) exercised her right to erasure against CGT Sector Federal de Telemarketing (hereinafter, the respondent) and had not received a response to her request. In particular, the request was that the complainant's personal data (such as name, surname and telephone number) should not appear in a bulletin posted on the CGT Telemarketing website when a search is made.

In response to the request "to be forgotten", the respondent instructed the complainant to address Google in order to remove the links or the text.

Dispute

In summary, the following allegations were made: The representative of the respondent states in the allegations made during the processing of this procedure that the complainant has voluntarily joined the CGT as a member of the Works Council. That a response was given to the complaint raised, that the data appeared on the union website because she belonged to the union and to the Workers' Committees and because of her participation in the bulletins and in a company with thousands of workers, which means that the contact details are published in case any worker needs help or to locate their representatives. That the bulletins are uploaded on the Internet by the union sections in a self-managed manner, with the complainant herself participating in the distribution of union information bulletins. However, in response to her complaint, she has censored her name and telephone number in the PDF documents. It was reported that, with regard to external pages such as social networks or search engines, time must be given for them to stop indexing that content, or cancellation or deletion must be requested from the website that stores such information outside the CGT. That the telemarketing sector is not itself the CGT but an entity that is part of it and therefore only has control over the web and content of "www.cgt-telemarketing. That CGT is an Association of Trade Unions and sectors, each of which has its own legal personality and therefore its own C.I.F. and has not maintained any relationship with the claimant. That it is not recorded, furthermore, that it has exercised the right before this headquarters, and that the data of this one do not appear in the files of this headquarters.

Holding

In the case analyzed here, the claimant exercised its right of deletion and in accordance with the rules indicated above, its request obtained the legally required response within the established period, the claimant indicates that they have proceeded to the deletion of their data. Furthermore, as regards the fact that their personal data are deleted when they are entered in the search engine and that they are not associated with the search results from their names in the already referenced URLs, during the processing of the present proceedings this Agency has verified that, when a search is made by the name of the party in the search engine, the result is "No results found" for each of the URLs in question. The purpose of this procedure is to ensure that the guarantees and rights of those affected are duly restored, and therefore, in this case, regardless of whether the search engine refuses to cancel the URLs, there would be grounds for analysing the relevance or otherwise of what has been published, and given that your name is not linked to the search results in the URLs in question and that the person responsible for the file states that your data has been cancelled, the claims of the complainant have been satisfied, and therefore the complaint is rejected as not having any purpose.

In view of the above-mentioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DISMISS the claim formulated by Ms. A.A.A. against CGT SECTOR FEDERAL DE TELEMARKETING.

SECOND: TO NOTIFY this resolution to A.A.A. and CGT SECTOR FEDERAL DE TELEMARKETING.

In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.

.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the date on which it was issued. are manifestly unfounded foreseen on the day following the notification of this act, in accordance with the provisions of article 46.1 of the aforementioned Act.


English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

File No.: TD/00262/2019
1034-080719

RESOLUTION Nº: R/00651/2019

Having regard to the complaint made on 8 April 2019 to this Agency by Ms. A.A.A., against the CGT SECTOR FEDERAL DE TELEMARKETING, for not having duly attended to its right of deletion, the following procedural actions have been carried out as provided for in Title VIII of the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD)

FACTS 

FIRST: On February 15, 2019, Mrs. A.A.A. (hereinafter, the complainant) exercised her right of withdrawal against CGT SECTOR FEDERAL DE TELEMARKETING (hereinafter, the respondent), without receiving the legally established response to her request. In particular, she requests that her personal data not be published in the URLs when a search is made with her name; the name, surname and telephone number appear in a bulletin posted on the CGT Telemarketing website:

1. ***URL.1
2. ***URL.2
3. ***URL.3
4. ***URL.4
5. ***URL.5
6. ***URL.6
7. ***URL.7
8. ***URL.8
9. ***URL.9
10. ***URL.10
11. ***URL.11
12. ***URL.12
13. ***URL.13
14. ***URL.14

The complainant provides documentation where the respondent informs her that she must go to the branch union and that she must go to Google in order to remove the links or text of the branch union.

.4 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights, and the Director of the Spanish Data Protection Agency agreed to admit the claim presented by the claimant against the defendant and agreed to postpone the claim, so that within fifteen working days he can present the allegations he considers appropriate and the parties are informed that the maximum period for resolving the procedure will be six months.

In summary, the following allegations were made: The representative of the respondent states in the allegations made during the processing of this procedure that the complainant has voluntarily joined the CGT as a member of the Works Council. That a response was given to the complaint raised, that the data appeared on the union website because she belonged to the union and to the Workers' Committees and because of her participation in the bulletins and in a company with thousands of workers, which means that the contact details are published in case any worker needs help or to locate their representatives. That the bulletins are uploaded on the Internet by the union sections in a self-managed manner, with the complainant herself participating in the distribution of union information bulletins. However, in response to her complaint, she has censored her name and telephone number in the PDF documents. It was reported that, with regard to external pages such as social networks or search engines, time must be given for them to stop indexing that content, or cancellation or deletion must be requested from the website that stores such information outside the CGT. That the telemarketing sector is not itself the CGT but an entity that is part of it and therefore only has control over the web and content of "www.cgt-telemarketing. That CGT is an Association of Trade Unions and sectors, each of which has its own legal personality and therefore its own C.I.F. and has not maintained any relationship with the claimant. That it is not recorded, furthermore, that it has exercised the right before this headquarters, and that the data of this one do not appear in the files of this headquarters.

LEGAL GROUNDS

FIRST: The Director of the Spanish Data Protection Agency is competent to decide, in accordance with the provisions of Article 56(2) in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, RGPD); and Article 47 of the Organic Law 3/2018 of December 5, on Personal Data Protection and Guarantee of Digital Rights (hereinafter referred to as LOPDGDD).

SECOND: Article 64.1 of the LOPDGDD provides that: "1. When the procedure refers exclusively to the failure to comply with a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will be initiated by an admission agreement, which will be adopted in accordance with the provisions of the following article. Once this period has elapsed, the interested party may consider his or her claim to be accepted".

THIRD: Article 12 of Regulation (EU) 2016/679, of 27 April 2016, General Data Protection Regulation (RGPD), provides the following:

"1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication pursuant to Articles 15 to 22 and 34 relating to the processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and simple language, in particular any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. At the request of the data subject, the information may be provided orally provided that the identity of the data subject is established by other means.

2. In the cases referred to in Article 11(2), the controller shall not refuse to act on request of the data subject for the purpose of exercising his rights under Articles 15 to 22, unless he can prove that he is not able to identify the data subject.

3. The data controller shall provide the data subject with information concerning his or her actions on the basis of a request pursuant to Articles 15 to 22, and in any case within one month of receipt of the request. This period may be extended by another two months if necessary, taking into account the complexity and number of requests. The official shall inform the applicant of any such extension within one month of receipt of the application, stating the reasons for the delay. Where the interested party submits the request by electronic means, the information shall be made available by electronic means where possible, unless the interested party requests otherwise.

4. If the data controller does not comply with the request of the data subject, he shall inform the data subject without delay, and at the latest one month after receipt of the request, of the reasons for his failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.

5. The information provided under Articles 13 and 14 as well as any communication and any action taken under Articles 15 to 22 and 34 shall be free of charge. (a) charge a reasonable fee commensurate with the administrative costs incurred in providing the information or communication or in taking the action requested; or (b) refuse to act on the request. Without prejudice to the provisions of Article 11, where the data controller has reasonable doubt as to the identity of the natural person making the request referred to in Articles 15 to 21, he may request that additional information necessary to confirm the identity of the data subject be provided.

7. The information to be provided to the data subject under Articles 13 and 14 may be transmitted in combination with standardised icons which provide an easily visible, intelligible and clearly legible overview of the intended processing. Icons presented in electronic form shall be mechanically legible.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the information to be displayed by means of icons and the procedures for providing standardised icons.

The rights recognised in Articles 15 to 22 of Regulation (EU) 2016/679 may be exercised directly or through a legal or voluntary representative.

2. The data controller shall be obliged to inform the data subject of the means at his disposal to exercise the rights to which he is entitled. The means must be easily accessible to the data subject. The exercise of the right may not be denied on the sole ground that the data subject has opted for another means.

3. The person in charge may process, on behalf of the person responsible, the requests for the exercise of his rights made by the affected parties if this is established in the contract or legal act that binds them.

4. When the laws applicable to certain processing operations establish a special regime affecting the exercise of the rights provided for in Chapter III of Regulation (EU) 2016/679, the provisions of those laws shall apply.

6. In any case, the holders of the parental authority may exercise the rights of access, rectification, cancellation, opposition or any other rights that may correspond to them in the context of this law in the name and on behalf of minors under fourteen years of age.

7. The actions carried out by the person in charge of the treatment to attend the requests of exercise of these rights will be free of charge, without prejudice of the articles 12.5 and 15.3 of the Regulation (EU) 2016/679 and in the paragraphs 3 and 4 of article 13 of this organic law."

FIFTH: Article 17 of the RGPD establishes that:

"1. The data subject shall have the right to obtain without undue delay from the data controller the deletion of personal data relating to him, who shall be obliged to delete the personal data without undue delay in any of the following circumstances: (a) personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on the basis of which the processing was carried out in accordance with Article 6(1)(a) or Article 9(2)(a) and this is not based on any other legal basis; (c) the data subject opposes the processing according to Article 21(1) and no other legitimate grounds prevail for the processing, or the data subject opposes the processing according to Article 21(2); (e) personal data must be deleted in order to comply with a legal obligation under Union law or the law of the Member States applicable to the controller.

2. Where he has made personal data public and is required, pursuant to paragraph 1, to delete such data, the controller shall, taking into account the technology available and the cost of implementation, take reasonable steps, including technical measures, to inform the controllers who are processing the personal data of the request of the data subject to delete any link to such personal data or any copy or replica thereof.

3. Paragraphs 1 and 2 shall not apply where processing is necessary: (b) in order to comply with a legal obligation requiring the processing of data imposed by Union law or by law of the Member States on the controller or in order to carry out a task carried out in the public interest or in the exercise of public authority vested in the controller; (d) for archiving purposes in the public interest, for the purposes of scientific or historical research or for statistical purposes, in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to make impossible or seriously impede the achievement of the purposes of such processing; or"

SIXTH: In the case analyzed here, the claimant exercised its right of deletion and in accordance with the rules indicated above, its request obtained the legally required response within the established period, the claimant indicates that they have proceeded to the deletion of their data. Furthermore, as regards the fact that their personal data are deleted when they are entered in the search engine and that they are not associated with the search results from their names in the already referenced URLs, during the processing of the present proceedings this Agency has verified that, when a search is made by the name of the party in the search engine, the result is "No results found" for each of the URLs in question. The purpose of this procedure is to ensure that the guarantees and rights of those affected are duly restored, and therefore, in this case, regardless of whether the search engine refuses to cancel the URLs, there would be grounds for analysing the relevance or otherwise of what has been published, and given that your name is not linked to the search results in the URLs in question and that the person responsible for the file states that your data has been cancelled, the claims of the complainant have been satisfied, and therefore the complaint is rejected as not having any purpose.

In view of the above-mentioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DISMISS the claim formulated by Ms. A.A.A. against CGT SECTOR FEDERAL DE TELEMARKETING.

SECOND: TO NOTIFY this resolution to A.A.A. and CGT SECTOR FEDERAL DE TELEMARKETING.

In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.

.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the date on which it was issued. are manifestly unfounded foreseen on the day following the notification of this act, in accordance with the provisions of article 46.1 of the aforementioned Act.

Mar España Martí
Director of the Spanish Data Protection Agency