APDCAT (Catalonia) - PS 28/2021: Difference between revisions

From GDPRhub
mNo edit summary
 
(One intermediate revision by one other user not shown)
Line 48: Line 48:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Carmen Villarroel
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Carmen.villarroel Carmen Villarroel]
|
|
}}
}}
Line 61: Line 61:
The data subject had joined the group via a link that was shared through WhatsApp with a text that indicated that people would receive information related to the city council and that anyone could access the group through the following link if they wanted to join.
The data subject had joined the group via a link that was shared through WhatsApp with a text that indicated that people would receive information related to the city council and that anyone could access the group through the following link if they wanted to join.


The DPA verified that, when joining the group, the participants were offered information about the identity of the controller, the legal basis fro the processing, the data retention period, the possibility of exercising the data subject's rights, and a link to the city council's web, where one could exercise their rights or contact the DPO (although not about the possibility of filing a complaint with the DPA).
The APDCAT verified that, when joining the group, the participants were offered information about the identity of the controller, the legal basis fro the processing, the data retention period, the possibility of exercising the data subject's rights, and a link to the city council's web, where one could exercise their rights or contact the DPO (although not about the possibility of filing a complaint with the APDCAT).


This information was also included on the description of the group and on the information of the group. On the information of the group, the names, phone numbers and profile pictures of the participants could also be seen.
This information was also included on the description of the group and on the information of the group. On the information of the group, the names, phone numbers and profile pictures of the participants could also be seen.


The city council claimed that they were using as a legal basis [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], i.e. processing is necessary for the performance of a task carried out in the public interest, since Article 25 of the Law regulating the Bases of the Local Administration Regime ('Ley reguladora de las Bases del Régimen Local' or 'LBRL'), that allows city council to engage in institutional communication with their citizens. According to the city council, participants were informed that participants in the group could see names, phone numbers and profile pictures of other participants. However, the city council had already decided to continue informing their citizens rather via a WhatsApp broadcast list, instead of a group.
The city council claimed that they were using as a legal basis [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], i.e. processing is necessary for the performance of a task carried out in the public interest, since [https://www.boe.es/buscar/act.php?id=BOE-A-1985-5392 Article 25 of the Law regulating the Bases of the Local Administration Regime (Ley reguladora de las Bases del Régimen Local - LBRL)], that allows city council to engage in institutional communication with their citizens. According to the city council, participants were informed that participants in the group could see names, phone numbers and profile pictures of other participants. However, the city council had already decided to continue informing their citizens rather via a WhatsApp broadcast list, instead of a group.


The DPA considered [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] as a valid legal basis, as well as [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], since participants had consented.
The APDCAT considered [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] as a valid legal basis, as well as [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], since participants had consented.


=== Holding ===
=== Holding ===
Firstly, the DPA determined that, when the group was created, the information required by [[Article 13 GDPR|Article 13 GDPR]] had not been provided.  
Firstly, the APDCAT determined that, when the group was created, the information required by [[Article 13 GDPR|Article 13 GDPR]] had not been provided.  


When such information was provided, two days after the creation of the group, there was still missing the information required by [[Article 13 GDPR#2d|Article 13(2)(d) GDPR]]: the the right to lodge a complaint with a supervisory authority; in this case, the APDCAT.
When such information was provided, two days after the creation of the group, some information required by [[Article 13 GDPR#2d|Article 13(2)(d) GDPR]] was still missing, specifically the the right to lodge a complaint with a supervisory authority, which in this case would be the APDCAT.


Additionally, the information provided could not be considered to be provided in a concise, transparent, intelligible and easily accessible form, as required by [[Article 12 GDPR#1|Article 12(1) GDPR]], nor immediate, as required by Article 11 LOPDGDD (the Spanish data protection act), since the data subjects should not need to look for the information but be able to know how and where to access it immediately. This was not the case, since data subjects were referred to the city council's website, without specifying where they could access the information. Also, some information was missing in the first layer of information.
Additionally, the information provided could not be considered to be provided in a concise, transparent, intelligible and easily accessible form, as required by [[Article 12 GDPR#1|Article 12(1) GDPR]]. The information was also not provided in an immediate manner as required by [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 11 LOPDGDD (the Spanish Data Protection Act)], since the data subjects should not need to look for the information, but rather be able to know how and where to access it immediately. This was not the case, since data subjects were referred to the city council's website, without specifying where they could access the information. Also, some information was missing in the first layer of information.


Also, when creating the group, the city council had not implemented appropriate technical or organisational measures to ensure the confidentiality of personal data, since all the participants could see the names, phone numbers and profile pictures of other participants.
Also, when creating the group, the city council had not implemented appropriate technical or organisational measures to ensure the confidentiality of personal data, since all the participants could see the names, phone numbers and profile pictures of other participants.


During the allegations process, the city council admitted that they had created the group without foreseeing any measures in order to prevent the participants from seen the names, phone numbers and profile pictures of other participants.
During the allegations process, the city council admitted that they had created the group without foreseeing any measures in order to prevent the participants from seeing the names, phone numbers and profile pictures of other participants.


According to the DPA, the city council should have considered the data protection by design principle from [[Article 25 GDPR#1|Article 25(1) GDPR]], and should have realised that, since they prevent the participants from seen the names, phone numbers and profile pictures of other participants, they should have refrained from using this tool (i.e. a WhatsApp group).
According to the APDCAT, the city council should have considered the data protection by design principle from [[Article 25 GDPR#1|Article 25(1) GDPR]], and should have realised that, since they should have prevented the participants from seeing the names, phone numbers and profile pictures of other participants, they should have refrained from using a WhatsApp group as an appropriate tool for these purposes.


The city council claimed that they had stop using it, although the DPA verified that, even if the group was not active anymore, it still existed, and personal data could still be accessed.
The city council claimed that they had stop using the group, but the APDCAT verified that although the group was not active anymore, it still existed, and personal data could still be accessed.


Therefore, according to the DPA, the city council had violated [[Article 13 GDPR|Article 13 GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]].  
Therefore, according to the APDCAT, the city council had violated [[Article 13 GDPR|Article 13 GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]].  


However, since the deficiencies regarding [[Article 13 GDPR|Article 13 GDPR]] were corrected before the end of the procedure, the DPA considered that no further action had to be taken in this respect.
However, since the deficiencies regarding [[Article 13 GDPR|Article 13 GDPR]] were corrected before the end of the procedure, the APDCAT considered that no further action had to be taken in this respect.


On the other hand, the DPA ordered the city council to delete the WhatsApp group and issued a reprimand for the violation of [[Article 13 GDPR|Article 13 GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]].  
On the other hand, the APDCAT ordered the city council to delete the WhatsApp group and issued a reprimand for the violation of [[Article 13 GDPR|Article 13 GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]].  


== Comment ==
== Comment ==
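Review bot: the new side of the "Line 61" hunk still carries three typos that this copy-edit could have cleared: "the legal basis fro the processing", "specifically the the right to lodge a complaint", and "claimed that they had stop using the group". Suggest "for", a single "the", and "had stopped". The reworded Article 25(1) sentence ("refrained from using a WhatsApp group as an appropriate tool for these purposes") also reads as though the group were an appropriate tool; consider stating that a WhatsApp group was not an appropriate tool and that the council should have refrained from using one.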

Latest revision as of 14:26, 24 November 2022

APDCAT (Catalonia) - PS 28/2021
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 13 GDPR
Article 25(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 13.09.2021
Published:
Fine: None
Parties: Ajuntament de Tiana
National Case Number/Name: PS 28/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Catalan, Valencian
Original Source: APDCAT (in CA)
Initial Contributor: Carmen Villarroel

The Catalan DPA issued a reprimand to a city council for creating a WhatsApp group that allowed participants to see the names, phone numbers and profile pictures of other participants, without taking into account the data protection by design principle and without properly providing the information required by Article 13 GDPR.

English Summary

Facts

A data subject filed a complaint with the Catalan DPA (APDCAT) reporting that a City Council had created a WhatsApp group without gathering the explicit consent of the participants and without providing the information required by the GDPR, although two days later a privacy policy was included in the description of the group. The claimant alleged that the telephone number, name and images of the participants were visible to all of them.

The data subject had joined the group via a link that was shared through WhatsApp with a text that indicated that people would receive information related to the city council and that anyone could access the group through the following link if they wanted to join.

The APDCAT verified that, when joining the group, the participants were offered information about the identity of the controller, the legal basis for the processing, the data retention period, the possibility of exercising the data subject's rights, and a link to the city council's website, where one could exercise their rights or contact the DPO (although not about the possibility of filing a complaint with the APDCAT).

This information was also included on the description of the group and on the information of the group. On the information of the group, the names, phone numbers and profile pictures of the participants could also be seen.

The city council claimed that its legal basis was Article 6(1)(e) GDPR, i.e. processing necessary for the performance of a task carried out in the public interest, relying on Article 25 of the Law regulating the Bases of the Local Administration Regime (Ley reguladora de las Bases del Régimen Local - LBRL), which allows city councils to engage in institutional communication with their citizens. According to the city council, participants were informed that participants in the group could see names, phone numbers and profile pictures of other participants. However, the city council had already decided to continue informing its citizens via a WhatsApp broadcast list instead of a group.

The APDCAT considered Article 6(1)(e) GDPR as a valid legal basis, as well as Article 6(1)(a) GDPR, since participants had consented.

Holding

Firstly, the APDCAT determined that, when the group was created, the information required by Article 13 GDPR had not been provided.

When such information was provided, two days after the creation of the group, some information required by Article 13(2)(d) GDPR was still missing, specifically the right to lodge a complaint with a supervisory authority, which in this case would be the APDCAT.

Additionally, the information provided could not be considered to be provided in a concise, transparent, intelligible and easily accessible form, as required by Article 12(1) GDPR. The information was also not provided in an immediate manner as required by Article 11 LOPDGDD (the Spanish Data Protection Act), since the data subjects should not need to look for the information, but rather be able to know how and where to access it immediately. This was not the case, since data subjects were referred to the city council's website, without specifying where they could access the information. Also, some information was missing in the first layer of information.

Also, when creating the group, the city council had not implemented appropriate technical or organisational measures to ensure the confidentiality of personal data, since all the participants could see the names, phone numbers and profile pictures of other participants.

During the allegations process, the city council admitted that they had created the group without foreseeing any measures in order to prevent the participants from seeing the names, phone numbers and profile pictures of other participants.

According to the APDCAT, the city council should have considered the data protection by design principle from Article 25(1) GDPR and should have realised that, since it had to prevent the participants from seeing the names, phone numbers and profile pictures of other participants, a WhatsApp group was not an appropriate tool for these purposes and it should have refrained from using one.

The city council claimed that they had stopped using the group, but the APDCAT verified that although the group was not active anymore, it still existed, and personal data could still be accessed.

Therefore, according to the APDCAT, the city council had violated Article 13 GDPR and Article 25(1) GDPR.

However, since the deficiencies regarding Article 13 GDPR were corrected before the end of the procedure, the APDCAT considered that no further action had to be taken in this respect.

On the other hand, the APDCAT ordered the city council to delete the WhatsApp group and issued a reprimand for the violation of Article 13 GDPR and Article 25(1) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.

                                                                                       PS 28/2021
Carrer Rosselló, 214, esc. A, 1st 1st
08008 Barcelona




File identification

Resolution of the sanctioning procedure no. PS 28/2021, referring to Tiana City Council.


Background

1. On 20/07/2020, the Catalan Data Protection Authority received a letter from a person filing a complaint against Tiana City Council for an alleged breach of personal data protection regulations.

Specifically, the complainant stated that, on 13/07/2020, the City Council created a WhatsApp group to communicate information to the public, and that access to the group took place without the explicit consent of the person concerned and without giving effect to the right to information when collecting data.

In the latter sense, the complainant stated that, on 15/07/2020 (two days after the creation of the group), the data protection policy was included in the description of the group. In turn, the complainant stated that the members of the WhatsApp group could see the phone number, name and profile pictures of the other members.

2. The Authority opened a prior information phase (IP No 212/2020), in accordance with Article 7 of Decree 278/1993, of 9 November, on the sanctioning procedure applicable to the areas of competence of the Generalitat, and Article 55.2 of Law 39/2015, of 1 October, on the common administrative procedure of administrations (hereinafter, LPAC), to determine whether the facts were likely to motivate the initiation of a sanctioning procedure, the identification of the person or persons who could be responsible and the relevant circumstances involved.

3. In this information phase, on 28/07/2020 the complainant was requested to provide the various documents mentioned in the complaint, and to specify whether they had been added to the WhatsApp group that is the subject of the complaint or had accessed it through a link.

4. On 28/07/2020, the complainant's letter was received, providing the requested documentation and stating that he had accessed the group through a link that was circulated via WhatsApp with the following content:

       “Hello, I am the (...), Mayor of Tiana. I created this Whatsapp channel
       to share with the neighbors who want it municipal information that I
       think will be of interest to you and very useful. If you want to
       participate and agree to receive this information, just click here
       and it will open on your phone so you can sign up.

           https://chat.whatsapp.com/ (...) (...)

       This is a one-way channel of information. Remember that if what you
       want is to contact Tiana City Council to send us any incident,
       question, query (or congratulation), the municipal WhatsApp is always
       operational at 600 00 (...).

       Share this message with everyone you think may be interested in
       receiving this information from Tiana.

       Thank you so much and have a great day!

       (...), Mayor of Tiana
       (...)@tiana.cat”

Among the documents provided by the complainant were several screenshots of the WhatsApp group, which show that the complainant joined the group on 14/07/2020, that the description of the group was modified on 15/07/2020 and that, also on 15/07/2020, the group was full. In turn, the complainant provided a copy of the letter from Tiana City Council of 16/07/2020 answering the questions she had asked on 15/07/2020 regarding the WhatsApp group and compliance with data protection regulations.

5. On 30/07/2020, also within this prior information phase, the Inspection Area of the Authority carried out a series of checks on the Internet on the facts which are the subject of the complaint. Through the link provided by the complainant in his complaint (https://chat.whatsapp.com/ (...) (...)), the WhatsApp group called "Tiana News" was accessed and, among other things, the following was found:

- That at the time of joining the group, information was provided about the identity of the party responsible for the processing, the legal basis, the purpose of the processing and the data retention period; on the possibility of exercising the rights of access, rectification, suppression, opposition and limitation; as well as a link to the City Council’s electronic headquarters (http://tiana.eadministracio.cat) to exercise the rights or contact the Data Protection Officer (no information was given, however, on the right to file a complaint with the Catalan Data Protection Authority).
- That this same information was also included in the "Description of the group" section, which was visible at the top of the screen where the messages were displayed, as well as in the “Group Information” section.
- That through the "Group information" section, it was also possible to access the mobile number and profile picture of all members of that WhatsApp group (257 at the time of the verification). That section also states that the group was created on 13/07/2020 at 6:35 p.m.


6. On 08/09/2020, still within this prior information phase, the denounced entity was required to report, inter alia, on the legal basis that would legitimize the collection of data from people who had subscribed to the WhatsApp group; on how the right to information was made effective, at the time of the collection of their data, for the people who joined the group on 13/07/2020 and 14/07/2020; as well as on what measures had been implemented to prevent members subscribed to the WhatsApp group from checking the mobile number and profile picture of the rest through the "Group Information" section.

7. On 30/09/2020, Tiana City Council responded to the aforementioned request in a letter stating the following:


- That, as indicated in the information clause that was included, the legal basis for the processing of the contact details of interested citizens is the fulfillment of a public interest mission. Specifically, the one that refers to the promotion and fulfillment of municipal powers in accordance with article 25 of Law 7/1985, of April 2, regulating the Bases of the Local Regime (hereinafter, LBRL); therefore the purpose pursued is the communication of institutional information to the citizens of the municipality.
- That the WhatsApp channel was created on 13/07/2020 and that it became operational on 15/07/2020, when the data protection information was provided.
- That the information note included states that the other members of the group could have access to contact details (picture, first and last name and phone number).
- However, a mailing list was generated so that citizens could continue to be informed without their data being visible to the other group members.

The accused entity attached various documents to the letter.


8. On 17/02/2021, the Inspection Area of the Authority tried to re-access the WhatsApp group “Tiana News” (via the link https://chat.whatsapp.com/ (...) (...)), noting that the group still consisted of 257 members and that it was not possible to join the group "because it's full."

9. On 07/05/2021, the director of the Catalan Data Protection Authority agreed to initiate disciplinary proceedings against Tiana City Council for two alleged infringements: an infringement provided for in Article 83.5.b) in relation to Article 13; and another infringement provided for in Article 83.4.a) in relation to Article 25; all of them of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2007 on the protection of individuals with regard to the processing of personal data and the free circulation of such data (hereinafter, RGPD). This initiation agreement was notified to the imputed entity on 11/05/2021.

The initiation agreement set out the reasons why no charges were brought with respect to the alleged failure to obtain the explicit consent of the affected people when they joined the reported WhatsApp group. Specifically, the processing was considered lawful as it was necessary for the fulfillment of a mission in the public interest (art. 6.1.e RGPD), and it could even be considered that the processing was also based on the consent of the affected people (art. 6.1.a RGPD), which did not need to be explicit insofar as no special categories of data were processed.

On 18/05/2021, Tiana City Council filed allegations against the initiation agreement.

10. On 02/07/2021, the person instructing this procedure issued a proposed resolution, proposing that the director of the Catalan Data Protection Authority warn Tiana City Council as responsible, in the first place, for an infringement provided for in Article 83.5.b) in relation to Article 13; and secondly, for an infringement provided for in Article 83.4.a) in relation to Article 25.1, all of them of the RGPD.


This proposed resolution was notified on 07/02/2021 and a period of 10 days was granted to make allegations.


11. On 19/07/2021, the accused entity submitted a letter in which, without making any allegation on the merits of the infringements set out in the proposed resolution, it reported on the actions taken to comply with the corrective measures proposed by the instructor in the proposed resolution.



Proven facts

1. On 13/07/2020, Tiana City Council created the WhatsApp group called "Tiana News" in order to communicate institutional information to citizens. At the time of collecting the data of persons who joined the said group before 15/07/2020 (date on which the City Council incorporated an information clause on data protection and on which the group was also full), the City Council did not provide all the information required by Article 13 of the RGPD. It only reported, through the message that contained the link to join the group, on the person responsible for the processing and how to contact them (art. 13.1.a RGPD), as well as on the purpose of the processing (part of the information provided for in art. 13.1.c RGPD).


2. Also in relation to the said WhatsApp group, Tiana City Council did not implement, either at the time of determining the means of processing or at the time of the processing itself, the appropriate technical and organizational measures to effectively implement the principle of confidentiality. Specifically, it was not guaranteed that people who joined the WhatsApp group created by the City Council could not access the mobile number, profile picture and username of other members.

Fundamentals of law











1. The provisions of the LPAC and Article 15 of Decree 278/1993 apply to this procedure, in accordance with the provisions of DT 2a of Law 32/2010, of 1 October, of the Catalan Data Protection Authority. In accordance with Articles 5 and 8 of Law 32/2010, the resolution of the sanctioning procedure corresponds to the director of the Catalan Data Protection Authority.

2. As stated above, the accused entity submitted a letter dated 7/19/2021 to accredit the adoption of the corrective measures that the instructor proposed to require of the City Council in the proposed resolution. In that letter, however, no allegations were made regarding the proposed resolution.

On the other hand, the accused entity did make allegations against the initiation agreement. In this regard, it is considered appropriate to reiterate below the most relevant parts of the instructor's reasoned answer to these allegations.

2.1. About the right to information.


In the 1st section of its written allegations against the initiation agreement, the accused entity stated that it provided certain information through the message transcribed in the 4th antecedent and through a tweet from the Tiana City Council account, published on 07/09/2019, with the following content:


       “Whatsapp to communicate through direct messages with
       the City Council. We'll move you to the appropriate area and give you one
       reply as soon as possible. Keep it in your address book: 600 00
       (...) or wa.me/34600002233 # TianaIsCommunication ”


Well, the transcribed tweet did not refer to the WhatsApp group that is the subject of the present
sanctioning procedure, which was created on 13/07/2020 (one year after the tweet
invoked).


That said, in the proposed resolution it was accepted that the message transcribed in the 4th antecedent, which was circulated via WhatsApp and contained the link to join the “Tiana News” group, contained certain information about data processing, a circumstance which was already set out in the Proven Facts section of the proposal and which has been maintained in this resolution.

Specifically, as indicated by the City Council in its written allegations against the initiation agreement, the information provided for in Article 13.1.a) of the RGPD was provided, since the person signing the message was the mayor of Tiana and contact details were provided; and the information set out in Article 13.1.c) of the RGPD was partially provided, as it was stated that the purpose was to communicate municipal information (on the other hand, no information was provided on the legal basis, information also provided for in art. 13.1.c RGPD).










It was then examined whether the City Council gave effect to the right to information in layers, in the terms provided for in Article 11 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD).


In this regard, when the City Council created the aforementioned WhatsApp group on 13/07/2020 (and until 15/07/2020), it did not indicate an email address or other means that would allow the interested parties to have easy and immediate access to the rest of the information (art. 11.1 LOPDGDD); nor did it report on the possibility of exercising the rights established in articles 15 to 22 of the RGPD (art. 11.2.c LOPDGDD). In this last sense, it cannot be accepted, as the accused entity claimed, that the information on the exercise of rights (art. 11.2.c LOPDGDD) can be considered covered simply by providing a channel of communication.


Therefore, it should be concluded that until 15/07/2020, Tiana City Council did not provide the persons concerned with all the information required by Article 13 of the RGPD and, in particular, did not even provide the basic information provided for in Article 11 of the LOPDGDD.

Based on the above, on 15/07/2020 (date on which the group was also full) the City Council included in the “Group Description” and “Group Information” sections a data protection clause, which was in line with Article 13 of the RGPD except for the fact that neither there, nor on the main page of the electronic headquarters to which it referred (http://tiana.eadministracio.cat), were the people affected informed of the possibility of lodging a complaint with this Authority (art. 13.2.d RGPD).


However, Tiana City Council stated in its written allegations against the initiation agreement that this information was provided in a specific section of the electronic headquarters and, in particular, in its “Privacy Policy” (https://tiana.eadministracio.cat/privacy), which informed of the possibility of submitting a complaint to the Spanish Data Protection Agency (AEPD). Despite this, it admitted that this information was inaccurate, given that the supervisory authority competent to hear claims in this matter is the Catalan Data Protection Authority (APDCAT). It is worth noting, however, that the information on the competent supervisory authority with which to lodge a complaint has already been amended, as accredited by Tiana City Council.

On the other hand, Article 12.1 of the RGPD determines that the information indicated in Article 13
of the RGPD must be provided in a concise, transparent, intelligible and easily accessible manner. And
Article 11.1 of the LOPDGDD states that, when the right to information is given effect in
layers, the electronic address (or other means) that allows easy and immediate access to the rest
of the information must be indicated in the 1st layer (or basic information).












In the present case, access to the rest of the information on the processing (2nd layer) could not be
considered easy (art. 12.1 RGPD) or immediate (art. 11.1 LOPDGDD). These
requirements imply that the person concerned should not have to search for the information, but should
be able to immediately recognize where and how to access the other information about the
processing of their personal data. That is, to comply with them,
Tiana City Council had to provide the specific address where the affected person could
consult the rest of the information on the processing (https://tiana.eadministracio.cat/privacy),
or at least report that its content could be accessed by selecting “Privacy Policy”
from the bottom menu of the electronic headquarters. In turn, it should also have been specified
which of the two information clauses contained in the privacy policy concerned the
processing of their data.

So, the mere reference to the main page of the electronic headquarters
(http://tiana.eadministracio.cat), without specifying the specific electronic address where
the rest of the information about the processing (privacy policy) could be consulted,
would not comply with the requirements set out in Articles 12.1 of the RGPD and 11.1 of the LOPDGDD,
just mentioned. That is why, in the proposed resolution, and in the event that the City Council
continued to process the data of the people included in said WhatsApp group for
the purpose of communicating institutional information and provided the right to information in
layers, it was proposed to require the City Council to specify in the 1st layer
the specific electronic address where the rest of the information about the processing can be obtained.

Ultimately, the proposed resolution considered that the allegations
addressed in this section could not succeed, except for those relating to the information on the
processing contained in the message that carried the link to join the WhatsApp group
and to the fact that from 15/07/2020 information was also provided
concerning the submission of a complaint to the supervisory authority (art. 13.2.d RGPD), although
the authority identified there was not the competent one.


2.2. On data protection by design.

The accused entity then admitted in its written statement of allegations to the agreement
that it was aware that it had created a WhatsApp group without providing for any
security measure to prevent the data of the people involved from being
accessible to other participants. However, it considered that the City Council could not
prevent people who joined the WhatsApp group from being able to access the
mobile number, profile picture and username of other members, “since
any user of the WhatsApp Platform already knows that this will happen at the moment
they access a distribution list”.

It should be noted that Tiana City Council did not create a dissemination or
distribution list, as indicated in its statement of allegations, but a group in which it
limited who could send messages and who could edit the group information (only
group administrators could do so).










Based on the above and regardless of the operation of WhatsApp that the City Council
detailed in its written allegations before the initiation agreement, in compliance with the
principle of data protection by design (art. 25.1 RGPD), if it was aware
that it could not guarantee the principle of confidentiality by creating a WhatsApp group
to send institutional information, all it had to do was refrain from using this
tool and look for others that do not violate this principle. But even so,
WhatsApp has an option to ensure the principle of confidentiality when
messages are to be sent to multiple recipients or contacts. Indeed, if a mailing list
is created, sent messages appear to each contact in the mailing list as
an individual message, so that the people included in the mailing list
do not know who the other members of the list are and therefore cannot access
the data of other people.


On the other hand, the City Council argued in that letter of allegations that it had already adopted the
corrective measures to correct the effects of the infringement addressed here. However,
the WhatsApp group “Tiana News” was still active at the time of the written allegations
before the initiation agreement, and the mobile number, profile photo
and username of the other members of the group could still be accessed.

3. In relation to the facts described in point 1 of the section on proven facts, it is necessary to refer to
paragraphs 1 and 2 of Article 13 of the RGPD, which set out the information to be provided
when personal data are obtained from the person concerned:

       “1. When personal data concerning them are obtained from a data subject, the
       controller shall, at the time they are obtained,
       provide all of the following information:
       (a) the identity and contact details of the controller and, where applicable, of their
       representative;
       (b) the contact details of the data protection officer, if any;
       (c) the purposes of the processing for which the personal data are intended and the legal
       basis for the processing;
       (d) where the processing is based on Article 6 (1) (f), the
       legitimate interests of the controller or of a third party;
       (e) the recipients or categories of recipients of the personal data,
       where applicable;
       (f) where applicable, the intention of the controller to transfer personal data to
       a third country or international organization and the existence or absence of a
       Commission adequacy decision, or, in the case of transfers
       referred to in Articles 46 or 47 or Article 49 (1), second
       subparagraph, reference to the appropriate or suitable safeguards and the means
       to obtain a copy of them or the fact that they have been made available.
       2. In addition to the information referred to in paragraph 1, the controller
       shall provide the data subject, at the time the personal data are obtained,
       with the following information necessary to ensure
       fair and transparent data processing:
       (a) the period during which the personal data will be kept or, where that is not
       possible, the criteria used to determine this period;
       (b) the existence of the right to request from the controller
       access to personal data relating to the data subject, and their rectification or
       erasure, or the restriction of their processing, or to object to processing, as well
       as the right to data portability;
       (c) where the processing is based on Article 6 (1) (a), or
       Article 9 (2) (a), the existence of the right to withdraw
       consent at any time, without affecting the lawfulness of the
       processing based on consent before its withdrawal;
       (d) the right to lodge a complaint with a supervisory authority;
       (e) whether the communication of personal data is a legal or contractual requirement,
       or a requirement necessary to enter into a contract, and whether the data subject is
       obliged to provide the personal data and is informed of the possible
       consequences of not providing such data;
       (f) the existence of automated decisions, including profiling,
       referred to in Article 22 (1) and (4) and, at least in such cases,
       meaningful information on the logic applied, as well as the significance and
       the envisaged consequences of such processing for the data subject.”


For its part, paragraphs 1 and 2 of Article 11 of the LOPDGDD, concerning the
transparency and information of the affected party, provide that:

       “1. When personal data are obtained from the data subject, the controller
       may comply with the duty of information set out in Article
       13 of Regulation (EU) 2016/679 by providing the data subject with the basic information
       referred to in the next section and indicating an electronic address or other
       means that allows easy and immediate access to the rest of the
       information.
       2. The basic information referred to in the preceding paragraph shall contain,
       at least:
       a) The identity of the controller and of their representative,
       if applicable.
       b) The purpose of the processing.
       c) The possibility of exercising the rights established in Articles 15 to 22 of
       Regulation (EU) 2016/679.
       If the data obtained from the data subject are to be processed for
       profiling, the basic information must also include this
       circumstance. In this case, the data subject must be informed of their right to
       object to the adoption of automated individual decisions that produce
       legal effects on them or significantly affect them in a similar way, when
       this right is granted in accordance with the provisions of Article 22 of Regulation
       (EU) 2016/679.”

During the processing of this procedure, the fact described in point
1 of the section on proven facts has been duly substantiated, which constitutes the infringement
provided for in Article 83.5.b) of the RGPD, which classifies as such the violation of “the rights
of those concerned under Articles 12 to 22”, including the right to information provided for in
Article 13 of the RGPD.

The conduct addressed herein has been classified as a minor infringement in Article 74.a) of
the LOPDGDD, in the following terms:

       “a) Failure to comply with the principle of transparency of information or the right
       to information of the affected party by not providing all the information required by
       Articles 13 and 14 of Regulation (EU) 2016/679.”

4. With regard to the fact described in point 2 of the section on proven facts, relating to data
protection by design, it is necessary to refer to Article 25.1 of the RGPD, which establishes the following:


       “1. Considering the state of the art, the cost of the application and the
       nature, scope, context and purposes of the processing, as well as the risks of
       varying probability and severity that the processing poses for the
       rights and freedoms of individuals, the controller
       shall apply, both when determining the means of processing and
       at the time of the processing itself, appropriate technical and organizational
       measures, such as pseudonymization, designed to apply
       data protection principles effectively, such as data
       minimization, and to integrate the necessary guarantees into the processing, in order to comply
       with the requirements of this Regulation and to protect the rights of
       interested parties.”


In accordance with the above, the fact set out in point 2 of the section on proven facts
constitutes the infringement provided for in Article 83.4.a) of the RGPD, which classifies as such the
violation of “the obligations of the controller and the processor under Articles 8,
11, 25 to 39, 42 and 43”, among which is data protection by design (art. 25.1
RGPD).


The conduct addressed herein has been classified as a serious infringement in Article 73.d) of
the LOPDGDD, in the following terms:

       “d) Failure to adopt those technical and organizational measures that are
       appropriate to effectively apply the principles of data protection
       by design, as well as the non-integration of the necessary guarantees
       into the processing, in the terms required by Article 25 of Regulation (EU)
       2016/679.”










5. Article 77.2 LOPDGDD provides that, in the case of infringements committed by the
controllers or processors listed in art. 77.1 LOPDGDD, the competent data protection
authority:

       “(...) must issue a resolution sanctioning them with a reprimand. The
       resolution must also set out the appropriate measures to be taken so that
       the conduct ceases or the effects of the infringement that has been committed
       are corrected.
       The decision must be notified to the controller or processor, to
       the body on which it depends hierarchically, if any, and to those affected who
       have the status of interested party, if any.”


In terms similar to the LOPDGDD, Article 21.2 of Law 32/2010 determines the following:

       “2. In the case of infringements committed in relation to publicly owned files,
       the director of the Catalan Data Protection Authority must
       issue a resolution declaring the infringement and establishing the measures to be taken
       to correct its effects. In addition, the director may propose, where appropriate, the initiation
       of disciplinary action in accordance with current legislation
       on the disciplinary regime of the personnel in the service of the public
       administrations. This decision must be notified to the person responsible for the
       file or the processing, to the processor, if applicable, to the body on which
       they depend and to the people affected, if any.”



As already noted, on 07/19/2021 Tiana City Council submitted a brief
in which it reports on the actions carried out in relation to the corrective
measures that the instructor proposed to require in the proposed resolution.
Among other things, the City Council states that it has modified the information
provided to the affected persons through the electronic headquarters as regards the authority
before which they have the right to file a complaint (the APDCAT), which
has been verified.

Therefore, in view of the action taken by Tiana City Council,
it is not necessary to maintain the requirement of corrective measures proposed in this regard by the
instructor in the proposed resolution.

On the other hand, and as far as is relevant here, the City Council also reports that it has
deleted the WhatsApp group “Tiana News”. However, it is known that
this group has not been deleted, but has been left inactive. Specifically, this
Authority is aware that on 09/07/2021 a message was posted to the said group indicating that it remained
inactive and that on 29/07/2021 (20 days later) there were still 142 members in the
group, so the mobile number, profile picture and
username of these group members could still be accessed.


Given the above, although it is appropriate to positively assess the willingness of Tiana City Council
to correct the effects of the infringement before the issuance of this resolution, it is necessary to
require it, as soon as possible and in any case within a maximum period of 10 days from
the day after notification of this resolution, to delete the WhatsApp group “News
Tiana” created on 07/13/2020 or, in the case of leaving it inactive, to take the relevant measures
so that group members cannot access the personal data of others.

Once the described corrective action has been taken within the specified period, Tiana City Council
must inform the Authority within 10 days, without prejudice to this Authority's power of
inspection to carry out the corresponding verifications.

For all this, I resolve:


1. To warn Tiana City Council as responsible for two infringements: one infringement
provided for in Article 83.5.b) in relation to Article 13; and another provided for in Article
83.4.a) in relation to Article 25.1; all of them of the RGPD.


2. To require Tiana City Council to adopt the corrective measure indicated in the
5th basis of law and to accredit before this Authority the actions carried out to
comply with it.


3. Notify Tiana City Council of this resolution.

4. Communicate the resolution to the Catalan Ombudsman, in accordance with the provisions of Article
77.5 of the LOPDGDD.


5. Order that this resolution be published on the Authority’s website (apdcat.gencat.cat),
in accordance with Article 17 of Law 32/2010, of 1 October.


Against this resolution, which terminates the administrative procedure in accordance with Articles 26.2
of Law 32/2010, of 1 October, of the Catalan Data Protection Authority, and 14.3 of
Decree 48/2003, of 20 February, approving the Statute of the Catalan Agency for
Data Protection, the accused entity may file, on an optional basis, an appeal for
reconsideration before the director of the Catalan Data Protection Authority, within
one month from the day after its notification, in accordance with the provisions of
Article 123 et seq. of the LPAC. It may also lodge a contentious-administrative appeal directly
before the contentious-administrative courts, within two months
from the day after its notification, in accordance with Articles 8, 14 and 46 of
Law 29/1998, of 13 July, regulating the contentious-administrative jurisdiction.













If the accused entity declares to the Authority its intention to lodge a contentious-administrative
appeal against the resolution that is final in administrative proceedings, the resolution will be
suspended as a precautionary measure in the terms provided for in Article 90.3 of the LPAC.


Likewise, the accused entity may file any other appeal it deems appropriate
to defend its interests.


The director,
























































