AEPD (Spain) - PS/00128/2020: Difference between revisions
(minor) |
m (Ar moved page AEPD - PS/00128/2020 to AEPD (Spain) - PS/00128/2020) |
(No difference)
|
Latest revision as of 14:02, 13 December 2023
AEPD - PS/00128/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(13) GDPR Article 6(1)(b) GDPR Article 9(2)(b) GDPR Article 13 GDPR Article 83(5)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 25.02.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | PS/00128/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falcó |
The Spanish Data Protection Agency (AEDP) imposed a warning sanction on a local council for using a biometric control system to monitor the working hours of employees without having informed them in accordance with Article 13 GDPR.
English Summary
Facts
The AEPD received a letter filed by the interested party against the respondent stating that on 20 March 2019, he addressed requesting information on the fingerprint clocking control in accordance with the provisions of the regulations on the protection of personal data, without having received a response to this request.
The AEPD initiated an investigation procedure, to which the City Council responded with a Security Document in which it reports in accordance with the provisions of the GDPR and points out, among other things, that the body used a fingerprint detection system to control presence and access to its facilities, which does not perform a biometric analysis at any time, but rather produces an identification algorithm based on a reading of several points of the personal fingerprint and that the algorithm data cannot be decrypted or disassembled by any unauthorized entity.
And in response to a new request for information, the Council sent a report including the impact assessment on the processing of fingerprint data for the control of employee presence.
Dispute
Is the use of biometric data to monitor working time without informing data subjects a breach of Article 13 GDPR?
Holding
The AEPD held that the facts complained of involving the violation by the City Council of the provisions of Article 13 of the RGPD, by not informing of the processing provided for in relation to the fingerprint clocking control.
As the investigated party is a public administration, the AEPD applies Article 77 LOPDGDD, according to which a warning sanction must be applied when the offence is committed by a public administration.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13 Procedure No.: PS / 00128/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: The claim filed by D. A.A.A. (hereinafter, the claimant) has entry dated 05/07/2019 in the Spanish Agency for Data Protection. The claim is directed against CITY COUNCIL OF *** LOCALIDAD.1, with NIF P3002000B (hereinafter, the claimed one). The reasons on which you base the claim are In short: that on 03/20/2019 he wrote to the complained party requesting information on certain questions related to the control of transfer by fingerprint fingerprint, without a response to the request made to date. SECOND: Upon receipt of the claim, the General Sub-Directorate of Data Inspection proceeded to carry out the following actions: On 07/01/2019, the claim submitted for analysis was transferred to the defendant and communication to the complainant of the decision taken in this regard. Likewise, required him to send within a month to the determined Agency information: - Copy of the communications, of the adopted decision that has been sent to the claimant regarding the transfer of this claim, and accreditation that the claimant has received the communication of that decision. - Report on the causes that have motivated the incidence that has originated the claim. - Report on the measures adopted to prevent the occurrence of similar incidents. - Any other that you consider relevant. On 08/08/2019, in response to the request for information, a document is provided Security where it is reported in accordance with the provisions of the RGPD and indicates, among others, that the agency used as a control of presence and access to its facilities a fingerprint detection system that does not perform in any moment a biometric analysis, but elaborates an identification algorithm as a result of a multi-point reading of the personal fingerprint and that the algorithm data does not they can be decrypted or disassembled by any unauthorized entity. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/13 And in response to a new request for information, in writing dated 10/21/2019, it provided the report on impact evaluation on the treatment of fingerprint data to control the presence of employees. THIRD: On 11/25/2019, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit for processing the claim filed. FOURTH: On 09/30/2020, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged infringement of article 13 of the RGPD, contemplated in article 83.5.b) of the aforementioned Regulation, considering that the sanction that could correspond would be that of awareness. FIFTH: Notified the initiation agreement, the one claimed at the time of the present resolution has not submitted a brief of allegations, so it is applicable indicated in article 64 of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations, which in its section f) establishes that in case of not making allegations within the term provided on the content of the initiation agreement, it may be considered a proposal for resolution when it contains a precise statement about the responsibility imputed, for which a Resolution is issued. SIXTH: Of the actions carried out in this proceeding, there have been accredited the following: PROVEN FACTS FIRST: The 05/07/2019 has a written entry in the AEPD presented by the interested party against the defendant stating that on 03/20/2019 he addressed the same requesting information on the control of transfer by fingerprint of in accordance with the provisions of the regulations on data protection of personal character, without a response to said request. SECOND: It is provided by the claimant a letter addressed to the defendant requesting the information in accordance with the GDPR. THIRD: It is provided by the complained party by writing of 10/21/2019 Report of Impact Evaluation of the treatment of the fingerprint data for control of presence of employees. It also provides a security document and document Syon Company, Soluciones & Identification, on the fingerprints of the workers. FOUNDATIONS OF LAW I C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/13 By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, in its article 64 “Agreement of initiation in the procedures of a sanctioning nature ”, provides: "1. The initiation agreement will be communicated to the instructor of the procedure, with transfer of how many actions exist in this regard, and the interested parties will be notified, understanding in any case the accused as such. Likewise, the initiation will be communicated to the complainant when the regulations regulating the procedure so provide. 2. The initiation agreement must contain at least: a) Identification of the person or persons allegedly responsible. b) The facts that motivate the initiation of the procedure, its possible qualification and the sanctions that may correspond, without prejudice to what result of the instruction. c) Identification of the instructor and, where appropriate, Secretary of the procedure, with express indication of the regime of challenge of the same. d) Competent body for the resolution of the procedure and regulation that attributes such competence, indicating the possibility that the alleged responsible can voluntarily acknowledge their responsibility, with the effects provided for in article 85. e) Provisional measures that have been agreed by the body competent to initiate the sanctioning procedure, without prejudice to those that can be adopted during the same in accordance with article 56. f) Indication of the right to make allegations and to the hearing in the procedure and the deadlines for its exercise, as well as an indication that, in case of not making allegations within the term provided on the content of the initiation agreement, this may be considered a resolution proposal when it contains a precise statement about liability charged. 3. Exceptionally, when at the time of issuing the initiation agreement there are not enough elements for the initial qualification of the facts that motivate the initiation of the procedure, the aforementioned qualification may be carried out in a phase later by preparing a Statement of Charges, which must be notified to the interested". In application of the previous precept and taking into account that they have not formulated allegations to the initiation agreement, it is necessary to resolve the procedure initiated. III The legitimacy for the treatment of the fingerprint for the control of the workers by the employer we must look for it in article 9 and 6 of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/13 Article 9 of the RGPD establishes in its sections 1 and 2.b) the following: "1. The processing of personal data that reveal the origin is prohibited ethnic or racial, political opinions, religious or philosophical convictions, or union membership, and the treatment of genetic data, biometric data directed to uniquely identify a natural person, data related to health or data relating to the sexual life or sexual orientations of a natural person. 2. Section 1 shall not apply when one of the following circumstances: b) the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the person responsible for the treatment or of the interested party the field of labor law and social security and protection, insofar as authorized by the law of the Union of the Member States or a convention collective agreement in accordance with the law of the Member States that establishes guarantees adequate respect for fundamental rights and the interests of the interested." Article 6.1.b) of the RGPD indicates: "1. The treatment will only be lawful if at least one of the following is met terms: b) the treatment is necessary for the performance of a contract in which the interested is part or for the application at the request of this of measures pre-contractual. " The defendant has legitimacy, based on the indicated regulations, to carry out labor control of its workers, provided that it meets the requirements indicated in the sixth Law Foundation. The facts claimed imply the violation by the City Council of what is indicated in article 13 of the RGPD, by not informing about the treatment provided in regarding the fingerprint check-in control, in accordance with the pronouncements established in the aforementioned article. This article determines the information that must be provided to the interested party. at the time of data collection, establishing the following: Article 13. Information that must be provided when personal data is obtained from the interested party. 1. When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, of their representative; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/13 b) the contact details of the data protection officer, if applicable; c) the purposes of the treatment to which the personal data are destined and the basis legal treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party; e) the recipients or categories of recipients of personal data, in your case; f) where appropriate, the intention of the person responsible to transfer personal data to a third country or international organization and the existence or absence of a Commission adequacy decision, or, in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph, reference to adequate or appropriate guarantees and means of obtaining a copy of these or the fact that they have been loaned. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will facilitate the interested party, at the time the data is obtained personal information, the following information necessary to guarantee data processing loyal and transparent: a) the period during which the personal data will be kept or, when not where possible, the criteria used to determine this deadline; b) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to data portability; c) when the treatment is based on article 6, paragraph 1, letter a), or the Article 9, paragraph 2, letter a), the existence of the right to withdraw the consent at any time, without affecting the legality of the treatment based on consent prior to withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to enter into a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data; f) the existence of automated decisions, including profiling, to referred to in article 22, paragraphs 1 and 4, and, at least in such cases, meaningful information about the applied logic, as well as the importance and expected consequences of said treatment for the interested party. 3. When the person responsible for the treatment plans the subsequent treatment of personal data for a purpose other than that for which it was collected, will provide the interested party, prior to said further processing, information on that other purpose and any additional relevant information pursuant to section 2. 4. The provisions of sections 1, 2 and 3 shall not apply when and in the extent to which the interested party already has the information ”. IV In the present case, the claimant wrote to the defendant requesting information on fingerprint control, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/13 Considering that the regulations regarding the protection of data without obtaining a response to said request. The documentation provided to the file does not contain the answer offered to the claimant and, as stated in the second precedent in response to the informative request sent by the AEPD the claimed provides Document is Security in accordance with the provisions of the RGPD, noting that the body local used this system of presence and access control to its facilities that does not involve a biometric analysis at any time, but rather a identification algorithm as a result of a reading of several points of the personal fingerprint and that the algorithm data cannot be decrypted or disassembled by any unauthorized entity. The report on Impact Assessment was also provided in the treatment of the fingerprint data to control the presence of the employees. In relation to the issues raised in this case, first of all It should be noted that the implementation and integration of a time control system based on the employer's fingerprint, must be informed to the employees in a complete, clear, concise manner and, in addition, the aforementioned information must be completed with reference to both the legal bases that cover said type access control, as well as the basic information referred to in the Article 13 of the RGPD. In the case examined, it is true that the respondent's response to the writing submitted by the claimant in which he requested to be informed of the moment in that the information was provided to the workers of the fingerprint check-in system fingerprint and reiterate such information. Second, the installation of a control system based on the collection and treatment of the fingerprint of the employees implies the treatment of their data personal since personal data is all that information about a person physical identified or identifiable in accordance with article 4.1 of the RGPD. As for the fingerprint, it is also data that must be qualified. two as biometric data and in accordance with article 4.14 of the RGPD have this consideration when they have been “obtained from a technical treatment specific, relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or fingerprint data ”. This means that, in accordance with article 9.1 of the RGPD, in the case present, the specific regime provided for special categories is applied to them of data provided for in article 9 of the RGPD. In this sense, recital 51 of the RGPD highlights the nature of restrictive with which the processing of these data can be admitted: “(51) ... Such personal data should not be processed, unless it is allowed its treatment in specific situations contemplated in this Regulation, given that Member States may lay down provisions C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/13 specific data protection in order to adapt the application of the rules of this Regulation to the fulfillment of a legal obligation or to the fulfillment of a mission carried out in the public interest or in the exercise of powers public conferred to the person in charge of the treatment. In addition to the requirements specific to that treatment, the general principles and other rules of this Regulation, especially with regard to the conditions of legality of the treatment. Exceptions to the general prohibition of treatment of these special categories of personal data, among other things when the interested party gives their explicit consent or in the case of specific needs, in particular when the treatment is carried out in the framework of legitimate activities by certain associations or foundations whose The objective is to allow the exercise of fundamental freedoms. And recital 52 indicates that “(52) Likewise, exceptions to the prohibition to treat special categories of personal data when established by the Law of the Union or Member States and provided that appropriate guarantees are given, in order to to protect personal data and other fundamental rights, when it is in the interest public, in particular the processing of personal data in the field of legislation labor law, legislation on social protection, including pensions and for the purposes of safety, supervision and health alert, prevention or control of diseases communicable and other serious threats to health ... " In accordance with these considerations, the processing of biometric data from special categories will require, in addition to the concurrence of one of the bases legal provisions established in article 6 of the RGPD, any of the exceptions provided in article 9.2 of the RGPD. The analysis of the legal basis of legitimacy to carry out this treatment comes of article 6 of the RGPD, regarding the legality of the treatment, which in its section 1, letter b) states: “The treatment will be lawful if at least one of the following is met conditions: (…) b) the treatment is necessary for the execution of a contract in the that the interested party is part of or for the application at his request of measures pre-contractual (…) ”. By virtue of this precept, the treatment would be lawful and would not require the consent, when the data processing is carried out for the fulfillment of contractual relationships of a labor nature. This precept would also cover the data processing of the public employees, even if their relationship is not strictly contractual. There are It should be noted that on occasions, in order to fulfill its obligations in relation to with public employees, the Administration has to carry out treatment of certain data referred to in the RGPD, in its article 9, as "categories special data ”. On the other hand, and as highlighted in recital 51 of the same RGPD, insofar as biometric data is of a special category in the cases of biometric identification (art. 9.1 RGPD), it will be necessary for one of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/13 the exceptions provided in article 9.2 of the RGPD that would allow lifting the general prohibition of the treatment of these types of data established in the article 9.1. At this point, special mention must be made of letter b) of article 9.2 of the RGPD, according to which the general prohibition of biometric data processing does not it will be applied when “the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the person responsible for the treatment or of the interested party in the field of labor law and social security and protection, to the extent authorized by the Union law of the Member States or a collective agreement in accordance with the law of the Member States that establishes adequate guarantees of respect for fundamental rights and the interests of the interested". In Spanish law, article 20 of the Consolidated Text of the Statute of workers (TE), approved by Royal Legislative Decree 2/2015, of 23 October, foresees the possibility for the employer to adopt surveillance measures and control to verify compliance with the labor obligations of their workers: "3. The employer may adopt the measures he deems most appropriate in surveillance and control to verify compliance by the worker with his obligations and labor duties, keeping in their adoption and application the consideration due to their dignity and taking into account, where appropriate, the actual capacity of the workers with disabilities ”. And in the Basic Statute of the Public Employee, approved by Royal Decree Legislative 5/2015, of October 30, in its article 54 in relation to the principles of conduct of public employees indicates: “The unemployment of the tasks corresponding to your job will be diligently enhanced and complying with the established day and schedule " It should also be noted that the basic legislation of the local government attributes the Mayor President of the Corporation the direction of the government and administration municipal as well as to exercise the superior direction of the personnel at the service of the Municipal administration. The possibility of using data-based systems is undeniable biometric to carry out access and time control, although it does not seem that is or should be the only system that can be used: thus the use of cards personal codes, the use of personal codes, the direct visualization of the marking, etc., which may constitute, by themselves or in combination with any of the the other systems available, equally effective measures to carry out the control. In any case, prior to the decision on the start-up of such a control system and taking into account its implications, processing of biometric data aimed at uniquely identifying a natural person, it would be mandatory to carry out an impact assessment regarding the protection of personal data to evaluate both the legitimacy of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/13 treatment and its proportionality as the determination of the existing risks and the measures to mitigate them in accordance with the provisions of article 35 RGPD. In the present case, it must be stated that the entity has accredited the mandatory impact assessment related to data protection regulated in the Article 35 of the RGPD providing the corresponding document. SAW Biometric data is closely linked to a person, given who can use a certain unique property of an individual for their identification or authentication. According to Opinion 3/2012 on the evolution of biometric technologies, “Biometric data irrevocably changes the relationship between the body and the identity, as they make the characteristics of the human body legible by machines and are subject to further use. " In relation to them, the Opinion specifies that it is possible to distinguish different types of treatments by stating that “Biometric data can be processed and stored in different ways. Sometimes the biometric information captured from a person is stored and treated raw, allowing the source from which it came to be recognized without special knowledge; for example, a photograph of a face, a photograph of a fingerprint or voice recording. Other times, raw biometric information captured is treated in such a way that only certain characteristics or traits are extracted and they are saved as a biometric template. " The processing of these data is expressly permitted by the RGPD when the employer has a legal basis, which is usually his own Work contract. In this regard, the STS of July 2, 2007 (Rec. 5017/2003), has legitimately understood the treatment of biometric data carried out by the Administration for the time control of its public employees, without requiring the prior consent of workers. However, the following should be noted: O The worker must be informed about these treatments. O The principles of limitation of the purpose, necessity, proportionality and data minimization. In any case, the treatment must also be adequate, pertinent and not excessive in relation to that purpose. Therefore, biometric data other than necessary for that purpose should be suppressed and creation will not always be justified. of a biometric database (Opinion 3/2012 of the Art. 29 Working Group). O Use of biometric templates: Biometric data must be stored as biometric templates whenever possible. The template should be taken from a way that is specific to the biometric system in question and not used by other data controllers of similar systems in order to ensure that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/13 a person can only be identified in biometric systems that have a legal basis for this operation. O The biometric system used and the security measures chosen must ensure that reuse of the biometric data in question is not possible for another purpose. O Mechanisms based on encryption technologies should be used, in order to prevent unauthorized reading, copying, modification or deletion of biometric data. O Biometric systems should be designed so that they can be revoked the identity bond. O You must choose to use data formats or specific technologies that make it impossible to interconnect biometric databases and disclose data not verified. O Biometric data should be deleted when they are not linked to the purpose that motivated their treatment and, if possible, they should be implemented automated data deletion mechanisms. SAW Article 83.5. b) of the RGPD, considers that the infringement of “the rights of the interested parties according to articles 12 to 22 ”, is punishable, in accordance with the paragraph 5 of the aforementioned article 83 of the aforementioned Regulation, “with fines administrative fees of € 20,000,000 maximum or, in the case of a company, a an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the one with the highest amount ”. The LOPDGDD in its article 71, Infractions, states that: “The acts and conducts referred to in the paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law ”. The LOPDGDD in its article 72 indicates for the purposes of prescription: "Infractions considered very serious: "1. Based on the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in in particular, the following: (…) h) The omission of the duty to inform the affected party about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this organic law. (…) " VII C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/13 However, the LOPDGDD in its article 77, Regime applicable to certain categories of controllers or those in charge of the treatment, establishes the following: "1. The regime established in this article will be applied to the treatments of those who are responsible or in charge: a) The constitutional bodies or those with constitutional relevance and the institutions of the autonomous communities analogous to them. b) The jurisdictional bodies. c) The General State Administration, the Administrations of the autonomous communities and the entities that make up the Local Administration. d) Public bodies and public law entities linked to or dependent on Public Administrations. e) The independent administrative authorities. f) The Bank of Spain. g) Public law corporations when the purposes of the treatment are related to the exercise of powers of public law. h) Public sector foundations. i) Public Universities. j) Consortia. k) The parliamentary groups of the Cortes Generales and the Assemblies Legislative autonomic, as well as the political groups of the Corporations Local. 2. When the managers or managers listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this organic law, the competent data protection authority will dictate resolution sanctioning them with warning. The resolution will establish Likewise, the measures to be adopted to stop the behavior or to correct it the effects of the offense that had been committed. The resolution will be notified to the person in charge of the treatment, at body on which it depends hierarchically, where appropriate, and those affected who have the condition of interested party, if applicable. 3. Without prejudice to the provisions of the previous section, the authority of data protection will also propose the initiation of disciplinary actions when there is sufficient evidence to do so. In this case, the procedure and Sanctions to be applied will be those established in the legislation on disciplinary regime or sanctioner that is applicable. Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for treatment is accredited that had not been duly attended to, in the resolution imposing the The sanction will include a reprimand with the name of the responsible position and will order the publication in the Official Gazette of the State or Autonomous corresponds. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/13 4. The data protection authority must be notified of the resolutions that fall in relation to the measures and actions to which they refer the previous sections. 5. They will be communicated to the Ombudsman or, where appropriate, to the institutions analogous of the autonomous communities the actions carried out and the Resolutions issued under this article. 6. When the competent authority is the Spanish Agency for the Protection of Data, it will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, with express indication of the identity of the person in charge or in charge of the treatment that had committed the infringement. When the competence corresponds to an autonomous protection authority of data will be, in terms of the publicity of these resolutions, to what is available its specific regulations ”. In the case that concerns us and as indicated previously, the This sanctioning procedure shows that the defendant has not reported appropriately in relation to the control of presence and access to its facilities municipalities through a fingerprint system, an arbitrated procedure where the affected develops its activity. In accordance with the evidence available for such conduct constitutes an infringement of the provisions of article 13 of the RGPD. However, the RGPD, without prejudice to the provisions of its article 83, contemplates in its article 77 the possibility of resorting to the sanction of warning to correct the processing of personal data that does not suit their provisions, when the managers or managers listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this organic law. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE THE CITY COUNCIL OF *** LOCALITY. 1, with NIF P3002000B, for an infringement of article 13 of the RGPD, typified in article 83.5.b) of the RGPD, a warning sanction in accordance with article 77.2 of the LOPDGDD. SECOND: NOTIFY this resolution to the CITY COUNCIL OF *** LOCALIDAD.1, with NIF P3002000B. THIRD: REQUEST the CITY COUNCIL OF *** LOCALITY. 1, with NIF P3002000B, so that within one month from the notification of this resolution, accredit before the AEPD the adoption of the necessary and pertinent measures to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/13 correct the processing of personal data that does not conform to the regulations in matter of protection of personal data and prevent it from reoccurring violations such as those that have given rise to the claim, correcting the effects of the offense, establishing the necessary measures to adapt to the requirements contemplated in article 13 of the RGPD. FOURTH: COMMUNICATE this resolution to the Ombudsman, of in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may file, optionally, an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of month from the day following notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be suspended in an administrative way If the interested party expresses his intention to file a contentious appeal- administrative. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency, Presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. As well must forward to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day after the notification of this resolution, I would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es