APDCAT (Catalonia) - PS 49/2019

From GDPRhub

Latest revision as of 08:26, 8 September 2021

APDCAT - PS 49/2019
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 9 GDPR
Article 13 GDPR
Article 28 GDPR
Type: Investigation
Outcome: Violation found
Started:
Decided:
Published: 02.03.2020
Fine: None
Parties: Institut Enric Borràs de Badalona
National Case Number/Name: PS 49/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Catalan
Original Source: APDCAT decision (in CA)
Initial Contributor: n/a

The Catalan DPA (APDCAT) warned a public school for using biometric data (a facial recognition and fingerprint system) to control students' attendance.

English Summary

Facts

A public school in Badalona installed a system for controlling students' attendance that relied on biometric data: facial recognition and, for some students, fingerprints.

The system gathered the facial vectors of students in the 1st year of secondary education (ESO), the only year group it was used with. Fingerprint data were additionally collected from a pair of twins, since the facial recognition system could not tell them apart.

According to the school, the processing relied on the consent of the students' parents. If a parent did not consent, that student's attendance would be recorded manually instead of through the system.

The system was supplied and maintained by a third party acting as processor, with which the school had not signed a data processing agreement. The school was also unable to prove that it had properly fulfilled the parents' right to be informed.

Additionally, the school stopped using the system when the APDCAT launched its investigation.

Dispute

Can a school use biometric data to control student attendance? Can it engage a processor to do so without a processing agreement?

Holding

The APDCAT held that the school had violated:

  • Article 5(1)(a) GDPR, for processing biometric data when a less intrusive option existed (traditional attendance control, which the school in fact also carried out).
  • Article 9 GDPR, for processing biometric data without any valid ground under Article 9(2).
  • Article 13 GDPR, for not having properly informed the parents about the processing of the data.
  • Article 28 GDPR, for lacking a contract or processing agreement with the processor of the data.

Given that the school had stopped using the system when the investigation was launched, the APDCAT only issued a warning.

English Machine Translation of the Decision

The decision below is a machine translation of the Catalan original. Please refer to the Catalan original for more details.

PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona

File identification

Resolution of sanctioning procedure no. PS 49/2019, concerning the Institut Enric Borràs de Badalona, which depends on the Department of Education.



Background


1. On 02/10/2019, the Inspection Area of the Catalan Data Protection Authority became aware that, on 19/09/2019, the media outlet Business Insider had published the following news item about the Institut Enric Borràs in Badalona (hereinafter, the institute): "A Catalan institute is using facial recognition to control class attendance, something for which a Swedish school has been fined 19,000 euros."

2. The Authority opened a preliminary information phase (IP No. 262/2019), in accordance with Article 7 of Decree 278/1993, of 9 November, on the sanctioning procedure applicable to the areas of competence of the Generalitat, and Article 55.2 of Law 39/2015, of 1 October, on the common administrative procedure of public administrations (hereinafter, LPAC), in order to determine whether the facts were likely to justify the initiation of a sanctioning procedure, to identify the person or persons who might be responsible, and to establish the relevant circumstances.

3. During this information phase, on 08/10/2019, the Authority carried out an on-site inspection at the institute's premises to verify certain aspects of the student facial recognition system. During that on-site inspection, the representatives of the institute and of the Department of Education stated, among other things, the following:

- That the facial recognition system had been installed since the 2011-2012 academic year.
- That the purpose pursued was to reduce absenteeism by controlling student attendance, and to inform families immediately in case of absence.
- That the facial recognition system was applied only to 1st year ESO students. For students in other years, attendance was controlled manually by the teachers.
- That the system had been suspended until the Authority ruled. In the current academic year, attendance control by facial recognition had not been started. In the application that manages attendance control, the data of several students had begun to be loaded (the system was suspended before the full list of students had been loaded), but no facial vectors had been captured.
- That the system allowed the unambiguous identification of persons. The only problem identified concerned two twins, and it was resolved by verifying their identity through their fingerprint (no other student had to identify themselves by fingerprint).
- That at the beginning of the academic year, the student stood in front of one of the terminals, which captured the vectors of their face while they made various movements. These vectors were in turn associated with the student's code (a random but unique code for each student) and the telephone number of their legal representatives.
- That in order to control attendance, the student had to approach the terminal, which recognised their identity.
- That when it was detected that a student had not attended the institute, before generating the notice (SMS), it was checked whether the family had given notice that the student would not attend. If not, the person managing the attendance control application activated the option to send the SMS to the student's guardians. If the family later contacted the institute stating that the student had gone there, it was checked whether the student had attended in person (by looking for the student in the classroom).
- That for 1st year ESO students, in addition to attendance control by facial recognition, classroom attendance was also monitored by the teacher calling the register.
- That the data necessary for facial recognition were kept only during the 1st year of ESO. In June, at the end of the academic year, the data were deleted.
- That this processing was based on the consent of the students' legal representatives.
- That if the legal representative of a student did not give consent, or later withdrew it, that student's attendance would be verified manually. No one had refused to give consent, nor withdrawn it.
- That with regard to the rest of the institute's students, whose attendance was not controlled by facial recognition, the family was notified by telephone if they did not attend the institute. The same would apply if the consent of the legal representatives of a 1st year ESO student was not obtained. This notice was not immediate, unlike the SMS sent in the case of students subject to facial recognition.
- That the right to information was given effect through the institute's letter of educational commitment. This letter did not offer the legal representatives of the minors the possibility of expressing their refusal to the processing of biometric data for the purpose of controlling their children's attendance by facial recognition.
- That the company that installed the facial recognition system carried out its maintenance and intervened at the beginning of the academic year to load the students' data (associating the student's code with their name).
- That no contract had been signed with that company, which acted as processor.
- That this system had made it possible to achieve the goal of reducing absenteeism.
- That another attendance control system without facial recognition was being evaluated for the next academic year.
- That there was a willingness to act in accordance with data protection regulations.

Also, on the same date, the Authority's inspection staff verified, among other things:

- That in the lobby of the institute (ground floor) there were 2 terminals installed to allow attendance control by facial recognition. In addition, it was found that in the corridors of the 1st floor there were 2 more terminals, one of which also allowed fingerprint recognition.
- That the application used to manage the attendance control system was "School Access Attendance Control", installed on a computer located in the institute's secretariat. It was verified that the system contained data on the name and surnames of several students, their group (class), their user ID and the mobile number of their guardian. It was found that the students were listed as absent and that all of them belonged to 1st year ESO. It was also verified that a password was required to access that application.

Finally, the inspection staff collected the following documentation, which was handed over by the representatives of the inspected entity:

- A copy of the letter of commitment signed by 2 legal representatives of 1st year ESO students (1 for the 2018-2019 academic year and 1 for 2019-2020).
- A copy of the image rights authorisation form signed by 2 legal representatives (1 for the 2018-2019 academic year and 1 for 2019-2020).
- A copy of the technical specifications of the access control by means of biometric facial recognition systems, and two quotations.
- Various documentation relating to the facial recognition terminals.


4. On 29/11/2019, the director of the Catalan Data Protection Authority agreed to initiate a sanctioning procedure against the institute, firstly, for an alleged infringement under Article 83.5.a), in relation to Articles 5.1.a) and 9; secondly, for an alleged infringement under Article 83.5.b), in relation to Article 13; and, thirdly, for an alleged infringement under Article 83.4.a), in relation to Article 28; all of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR). This initiation agreement was notified to the accused entity on 12/12/2019.

5. On 20/12/2019, the institute submitted allegations against the initiation agreement.


6. On 06/02/2020, the instructor of this procedure issued a proposed resolution, proposing that the director of the Catalan Data Protection Authority warn the Institut Enric Borràs in Badalona, as controller, firstly, for an infringement under Article 83.5.a) in relation to Articles 5.1.a) and 9; secondly, for an infringement under Article 83.5.b) in relation to Article 13; and, thirdly, for an infringement under Article 83.4.a) in relation to Article 28, all of the GDPR. This proposed resolution was notified on 06/02/2020 and a period of 10 days was granted to submit allegations.

7. The deadline has passed and no allegations have been submitted.

Proven facts

From all the actions carried out in this procedure, the facts detailed below are considered proven.

1. The Institut Enric Borràs in Badalona processed biometric data to control the attendance at the school of 1st year ESO students.

To this end, in the 2011-2012 academic year it installed a facial recognition system to control the attendance at the school of 1st year ESO students. And, in relation to two students who were twins, it also controlled their attendance by fingerprint, given that the facial recognition system did not guarantee their unambiguous identification.

This attendance control system, based on facial recognition or fingerprint recognition, remained active until the end of the 2018-2019 academic year. On 08/10/2019, the Authority's inspection staff verified that this system was no longer being used to control the attendance of 1st year ESO students (who were listed as absent).

2. In relation to the control of the attendance of 1st year ESO students by means of facial recognition or fingerprint recognition, the institute has not proven that the right to information of the representatives of 1st year ESO students was given effect during the 2018-2019 academic year.

3. In 2011, the institute commissioned the company Xip Solucions, SL to install this system for controlling the attendance of 1st year ESO students, as well as to maintain it. The maintenance of this system meant that, at the beginning of each academic year, staff of that company loaded the student data into the system.

This engagement was not formalised in a contract or other written legal act with the content required by Article 28.3 of the GDPR, as acknowledged by the institute's representative during the on-site inspection carried out on 08/10/2019.


Legal grounds

1. The provisions of the LPAC and Article 15 of Decree 278/1993 apply to this procedure, in accordance with transitional provision 2 (DT 2a) of Law 32/2010, of 1 October, on the Catalan Data Protection Authority. In accordance with Articles 5 and 8 of Law 32/2010, the resolution of the sanctioning procedure falls to the director of the Catalan Data Protection Authority.

2. The accused entity did not submit allegations against the proposed resolution, but did so against the initiation agreement. In this regard, it is considered appropriate to reproduce below the relevant parts of the instructor's reasoned response to those allegations.

2.1. Regarding the news item.

In its written allegations against the initiation agreement, the accused entity stated that the figures published in the media on the cost of installing the facial recognition system were not accurate; that the facial recognition system had contributed to improving absenteeism; that there had been "no intentional misuse of the students' data"; and that a change of the educational platform used to manage attendance had already been agreed.

As a preliminary point, it should be made clear that in its written allegations against the initiation agreement the institute questioned neither the facts imputed nor their legal classification.

That said, as regards the cost of implementation or maintenance, this is a circumstance irrelevant to the determination of the imputed facts and their legal classification.

In relation to the lack of intent invoked by the institute, as stated by the instructor in the proposed resolution, it should be noted that the infringements imputed in this sanctioning procedure do not require the element of intent.

Regarding the improvement in absenteeism, what is at issue here is not whether the facial (and fingerprint) recognition system could help achieve this goal, but that the goal could be achieved through other means less intrusive to the rights of 1st year ESO students, which do not involve the processing of special categories of data (such as biometric data).

Proof of this is that the attendance of the other students was controlled by the teachers at the institute or in the classroom; likewise, the presence of 1st year ESO students in the classroom was also verified by the teacher calling the register (the disputed system verified the presence of students at the institute, but not in the classroom).

It should be noted that the Authority has already ruled, in opinion CNS 63/2018, that the "principle of minimisation is not only reflected in opting for alternatives that do not involve the processing of personal data, or in carrying out the processing in such a way that the minimum necessary data are used, but must also entail that, if a given purpose can be achieved without having to process special categories of data, this option must prevail over other options that do involve the processing of such types of data."

Apart from the above, in the present case the processing was not based on any of the exceptions set out in Article 9.2 of the GDPR, one of which must apply when special categories of data are processed, as in the present case.

Lastly, the decision to change the educational platform for managing student attendance corroborates that in the present case the processing of special categories of data was not necessary to control the attendance of 1st year ESO students.

2.2. Regarding the measures adopted.

The accused entity then reported in its written allegations against the initiation agreement that the implementation of the system in the current academic year had been suspended immediately after the news was published in the media; that the terminals and the entire installation had been dismantled; and that the computer equipment in the secretariat had also been disabled.

In this regard, as stated by the instructor in the proposed resolution, the measures that the institute reported having implemented as a result of the on-site inspection carried out on 08/10/2019 by the Authority's inspection staff make it unnecessary to require any corrective measure to remedy the effects of the imputed infringements, as will be set out below.

Also noteworthy is the institute's good disposition to comply with data protection regulations, having suspended the facial / fingerprint recognition system as soon as a news item questioning its suitability under the data protection regime was made public, and having decided to dismantle that system following the Authority's intervention in the information phase.

On the other hand, in its written allegations against the initiation agreement, the institute also indicated that no family had "formally commented on the use of the recognition". On this point, suffice it to say that this circumstance would not allow the processing of special categories of data to be considered lawful (Article 9 GDPR).

3. The facts described in point 1 of the proven facts section, relating both to facial recognition and to fingerprint recognition, violate the principle of lawfulness (Articles 5.1.a and 9 GDPR).

Article 5.1.a) of the GDPR sets out the principle of lawfulness, providing that personal data shall be "processed lawfully (...)".

For its part, Article 9.2 of the GDPR, concerning the processing of special categories of data, provides that the prohibition on their processing does not apply if one of the following circumstances is met:

        "(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
        (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
        (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
        (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
        (e) processing relates to personal data which are manifestly made public by the data subject;
        (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
        (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
        (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
        (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
        (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject."


As the instructor indicated, during the processing of this procedure the conduct described in point 1 of the proven facts section (relating to facial recognition and fingerprint recognition) has been duly accredited, and it constitutes the infringement provided for in Article 83.5.a) in relation to Articles 5.1.a) and 9, all of the GDPR.

Article 83.5.a) of the GDPR classifies as an infringement the violation of "the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9", which includes the lawfulness of the processing of special categories of data (Articles 5.1.a and 9 GDPR).

For its part, this conduct has also been classified as a very serious infringement in Article 72.1.e) of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), in the following terms:

        "e) The processing of personal data referred to in Article 9 of Regulation (EU) 2016/679 without any of the circumstances provided for in that provision and in Article 9 of this Organic Law being met."

4. With regard to the fact described in point 2 of the proven facts section, concerning the violation of the right to information, reference should be made to Article 13 of the GDPR, which provides that:

        "1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
        (a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
        (b) the contact details of the data protection officer, where applicable;
        (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
        (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
        (e) the recipients or categories of recipients of the personal data, if any;
        (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
        2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
        (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
        (b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
        (c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
        (d) the right to lodge a complaint with a supervisory authority;
        (e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
        (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. (...)"

In accordance with the above, as the instructor indicated, the fact set out in point 2 of the proven facts section constitutes the infringement provided for in Article 83.5.b) of the GDPR, which classifies as such the violation of "the data subjects' rights pursuant to Articles 12 to 22", among which is the data subject's right to information provided for in Article 13 of the GDPR.

In turn, this conduct has also been classified as a very serious infringement in Article 72.1.h) of the LOPDGDD, in the following terms:

        "h) The omission of the duty to inform the data subject about the processing of their personal data in accordance with the provisions of Articles 13 and 14 of Regulation (EU) 2016/679 and Article 12 of this Organic Law."

5. With regard to the fact described in point 3 of the section on proven facts, regarding the lack of

contract in charge of the treatment, it is necessary to go to article 28.3 of the RGPD, which provides the
Next:

        "3. Processing by a processor shall be governed by a contract or other legal act
        under Union or Member State law, that is binding on the processor with regard to
        the controller and that sets out the subject-matter and duration of the processing, the
        nature and purpose of the processing, the type of personal data and categories
        of data subjects, and the obligations and rights of the controller. That contract or
        other legal act shall stipulate, in particular, that the processor:
        a) processes the personal data only on documented instructions from the
        controller, including with regard to transfers of personal data to a third country
        or an international organisation, unless required to do so by Union or Member State
        law to which the processor is subject; in such a case, the processor shall inform
        the controller of that legal requirement before processing, unless that law prohibits
        such information on important grounds of public interest;
        b) ensures that persons authorised to process the personal data have committed
        themselves to confidentiality or are under an appropriate statutory obligation of
        confidentiality;
        c) takes all measures required pursuant to Article 32;
        d) respects the conditions referred to in paragraphs 2 and 4 for engaging another
        processor;
        e) taking into account the nature of the processing, assists the controller by
        appropriate technical and organisational measures, insofar as this is possible, for
        the fulfilment of the controller's obligation to respond to requests for exercising
        the data subject's rights laid down in Chapter III;
        f) assists the controller in ensuring compliance with the obligations pursuant to
        Articles 32 to 36, taking into account the nature of the processing and the
        information available to the processor;
        g) at the choice of the controller, deletes or returns all the personal data to the
        controller after the end of the provision of services relating to processing, and
        deletes existing copies unless Union or Member State law requires storage of the
        personal data;
        h) makes available to the controller all information necessary to demonstrate
        compliance with the obligations laid down in this Article and allows for and
        contributes to audits, including inspections, conducted by the controller or
        another auditor mandated by the controller.
        With regard to point h) of the first subparagraph, the processor shall immediately
        inform the controller if, in its opinion, an instruction infringes this Regulation or
        other Union or Member State data protection provisions."

In accordance with the foregoing, and as indicated by the investigating officer, the fact set out in
point 3 of the section on proven facts constitutes the infringement provided for in Article 83.4.a) of the RGPD,
which classifies as such the violation of "the obligations of the controller and the processor pursuant
to Articles 8, 11, 25 to 39, 42 and 43", among which is the one provided for in Article 28 RGPD.

In turn, this conduct is also classified as a serious infringement in Article 73.k) of
the LOPDGDD, as follows:

        "k) Entrusting the processing of data to a third party without the prior formalisation
        of a contract or other written legal act with the content required by Article
        28.3 of Regulation (EU) 2016/679."

6. Article 77.2 LOPDGDD provides that, in the case of infringements committed by the controllers or
processors listed in Article 77.1 LOPDGDD, the competent data protection authority:

        "(...) shall issue a resolution sanctioning them with a reprimand. The
        resolution shall also set out the measures to be adopted so that the conduct ceases
        or the effects of the infringement committed are corrected.
        The resolution shall be notified to the controller or processor, to
        the body on which it depends hierarchically, where applicable, and to the affected
        persons who hold the status of interested party, if any."


In terms similar to the LOPDGDD, Article 21.2 of Law 32/2010 provides the following:

        "2. In the case of infringements committed in relation to publicly owned files, the
        director of the Catalan Data Protection Authority shall issue
        a resolution declaring the infringement and establishing the measures to be adopted to
        correct its effects. In addition, it may propose, where appropriate, the initiation of
        disciplinary proceedings in accordance with the legislation in force on the
        disciplinary regime of staff in the service of public administrations. This
        resolution shall be notified to the person responsible for the file or processing, to
        the processor, where applicable, to the body on which they depend and to the
        affected persons, if any."


In the present case, as stated by the investigating officer in the proposed resolution, it is not
appropriate to require any corrective measure to correct the effects of the
imputed infringements, since the institute has dismantled the facial recognition and
fingerprint system.

Resolution


For all this, I resolve:

1. To admonish the Enric Borràs Institute of Badalona as responsible for three infringements: one
infringement provided for in Article 83.5.a) in relation to Articles 5.1.a) and 9; another infringement
provided for in Article 83.5.b) in relation to Article 13; and a third infringement provided for in Article
83.4.a) in relation to Article 28, all of them of the RGPD.


No corrective measure is required to correct the effects of the infringements, in accordance with
what has been set out in the sixth legal ground.

2. Notify the institute of this resolution.


3. Communicate the resolution issued to the Catalan Ombudsman, in accordance with the provisions of
Article 77.5 of the LOPDGDD.


4. Order that this resolution be published on the Authority's website (apdcat.gencat.cat), in
accordance with Article 17 of Law 32/2010, of 1 October.


Against this resolution, which puts an end to the administrative procedure in accordance with Article 26.2 of
Law 32/2010, of 1 October, of the Catalan Data Protection Authority, and Article 14.3 of Decree
48/2003, of 20 February, approving the Statute of the Catalan Data Protection Agency,
the accused entity may, optionally, lodge an appeal for reconsideration before
the director of the Catalan Data Protection Authority, within one month from
the day after its notification, in accordance with Article 123 et seq. of
the LPAC. It may also lodge a contentious-administrative appeal directly before the
contentious-administrative courts, within two months from the day after its
notification, in accordance with Articles 8, 14 and 46 of Law 29/1998, of 13 July, regulating
the contentious-administrative jurisdiction.


If the accused entity informs the Authority of its intention to lodge a contentious-administrative
appeal against the resolution that is final in administrative proceedings, the resolution shall be
provisionally suspended under the terms provided for in Article 90.3 of the LPAC.


Likewise, the accused entity may lodge any other appeal it deems appropriate to
defend its interests.

The director,