AEPD (Spain) - PS/00267/2020: Difference between revisions
No edit summary |
No edit summary |
||
(One intermediate revision by one other user not shown) | |||
Line 17: | Line 17: | ||
|Type=Complaint | |Type=Complaint | ||
|Outcome=Upheld | |Outcome=Upheld | ||
|Date_Started= | |Date_Started=28.11.2019 | ||
|Date_Decided= | |Date_Decided= | ||
|Date_Published=11.02.2022 | |Date_Published=11.02.2022 | ||
Line 55: | Line 55: | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor=Carmen Villarroel | |Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Carmen.villarroel Carmen Villarroel] | ||
| | | | ||
}} | }} |
Latest revision as of 14:25, 24 November 2022
AEPD (Spain) - PS/00267/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 7 GDPR Article 10 GDPR Article 49 GDPR Article 46 GDPR Article 10 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | 28.11.2019 |
Decided: | |
Published: | 11.02.2022 |
Fine: | 2000000 EUR |
Parties: | AMAZON ROAD TRANSPORT SPAIN, S.L. Unión General de Trabajadores |
National Case Number/Name: | PS/00267/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Carmen Villarroel |
The Spanish DPA fined Amazon Road Transport Spain €2,000,000 for violating Article 10 GDPR by requesting criminal record certificates in their hiring process.
English Summary
Facts
A Spanish union (Unión General de Trabajadores, 'UGT') filed a complaint with the Spanish DPA (AEPD) against Amazon Road Transport Spain (Amazon Road). They reported that in their hiring process, Amazon Road asked potential candidates to provide a criminal record certificate. Amazon claimed that they had a legitimate interest in verifying that their transport workers did not have past criminal offenses or convictions in order to protect their customer's safety and trust, since the delivery workers would be entering or coming in close proximity with their customer's households, and would be entrusted with handling products which at times could be of very high value.
Amazon also claimed that processing the of the criminal record certification was necessary in order to perform a contract with the potential transport workers, and that this processing was based on the consent of the data subjects, which if hired would be considered self-employed transporters by Amazon Road. As part of the hiring process, the candidates were required to download the 'Amazon Delivery' app and create an account. In order to advance in the process within the app (which would determine if they were suitable candidates for the job) the candidates were required to consent to the processing of personal data, which included the criminal record certificate.
This process also required candidates to consent to international data transfers of their personal data with third parties. Specifically, Amazon Road asked for the candidates' consent to allow Amazon Road and its related entities (Amazon) to transfer their personal data to third parties outside the European Economic Area (EEA). Such consent allowed a third party located in the United States (Accurate Background) to process the candidates' data in order to verify their criminal records, and the processing of data by one of the company's subdivisions located in India (Amazon Development Centre India - Amazon India) for "support" with the collection, handling and storage of personal data. This general consent clause also stated that it would exonerate Amazon of any responsibility, damages claims, or other charges related to the processing and transfer of data as far as the law permits it.
Amazon Road established an Intra-Group Data Transfer and Processing Agreement with Amazon India and a Data Processing Agreement with Accurate Background, which both included Standard Contractual Clauses (SCCs) with technical and organisational measures required for data processing. Additionally, Accurate Background was adhered to the EU-US Privacy Shield transatlantic data transfer framework.
Holding
The AEPD dismissed Amazon's claims that a certificate of absence of criminal records did not amount to processing of personal data relating to criminal convictions and offences under Article 10 GDPR. According to Amazon, the requirement was limited to a "negative certificate" that did not include the actual content of any criminal convictions and offences, just a certification that there was an absence of these. The AEPD considered that this negative certificate to prove the absence of criminal convictions and offences in itself does constitute personal data related to these, and therefore should not be processed unless authorised by law according to Article 10 GDPR and Article 10 of the Spanish Data Protection Act (Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales - LOPDGDD).
The AEPD held that there was no national law which Amazon could rely on in order to lawfully process this personal data. The AEPD also noted that not even the law under which the competent national authority issued transport licenses (Real Decreto 1211/1990 por el que se aprueba el Reglamento de la Ley de Ordenación de los Transportes Terrestres - ROTT) established criminal records as a necessary requirement for carrying out these activities. Furthermore, the AEPD stated that admitting Amazon's reasoning would amount to permitting any entity to create a database of people with no criminal records, which would also be at odds with Article 10 GDPR, which states that a register of criminal convictions should be kept only under the control of an official authority.
The AEPD held that in light of the fact that the only valid legal basis for the processing of personal data related to criminal convictions and offences would be a specific law that authorised the processing of this type of data, Amazon's arguments regarding the necessity of this processing for performance of a contract, its legitimate interest, or the data subject's consent as valid legal bases were irrelevant in this case. However, the AEPD went on to make some pertinent observations related to Amazon's arguments in this sense. Regarding the necessity of requiring the criminal record certificate for the performance of a contract with the transport workers, the AEPD reiterated that since there was no national law that established this requirement, this was not a valid argument.
With regards to the legitimate interest Amazon claimed to have to protect their customer's safety and trust, the AEPD noted that Amazon had not provided any proof that they had pondered this potential legitimate interest against the interests and fundamental rights of the candidates in the hiring process, as required by Article 6(1)(f) GDPR. The AEPD stated that because there was no evidence that this balancing exercise had actually been carried out, and that consequently the candidates had not been given any information related to this pondering of interests as a legal basis for processing their criminal record certificate, this could not be invoked as a justification for processing this personal data. Additionally, the AEPD cited the Court of Justice of the European Union (CJEU) C-13/16 – Rigas Satiksme decision when assessing the necessity of the processing for Amazon's claimed legitimate interest, and stated that 'necessity' must be interpreted according to the 'data minimisation' principle under Article 5(1)(c) GDPR. Furthermore, the AEPD stated that 'necessity' should be interpreted strictly, and not as mere 'usefulness' or 'desirability'. According the AEPD, the processing of the criminal record certificate in this case did not meet the CJEU proportionality doctrine (purpose test, necessity test, balancing test), and was excessive since there were less intrusive ways to protect Amazon customers' safety and trust, and to guarantee that Amazon's position as a transport operator was not compromised.
With regard to consent, the AEPD stated that it would have not been freely given or valid either in this case according to the requirements in Article 7 GDPR. Specifically, the candidates did not have the option of refusing to consent to the processing of their criminal record within the contract or in the hiring process through the mobile app, and did not have the option to consent separately for each particular processing. Additionally, the AEPD held that Amazon did not offer proper information about the collection of this personal data as required by Article 13 GDPR.
The AEPD also evaluated the position of the three entities involved in the case, and held that according to the processing agreements that were in place, Amazon Road was the controller responsible for the processing carried out by Amazon India and Accurate Background, and that because these processors were located outside the EEA (in India and the United States respectively), international data transfers were taking place. The AEPD found that, in this case, data subjects' consent to data transfers would not be valid in accordance with Article 49(1) GDPR and Article 7 GDPR, given that consent was required within the contract without an option to refuse, it was not explicit, and no information was given to the data subject regarding the risks of these data transfers. However, the AEPD found that the data transfers were lawful according to Article 46 GDPR, since the SCCs in Amazon's processing agreements included appropriate technical and organisational data protection measures, and Accurate Background was adhered to the EU-US Privacy Shield during the time that the data transfers took place. The AEPD also noted that Amazon had stated it had already stopped requiring the negative criminal certificates in their hiring process before the date the Privacy Shield was invalidated by the CJEU C-311/18 - Schrems II decision, and if so, no unlawful data transfers to Accurate Background would have taken place.
Accordingly, the Spanish DPA fined Amazon Road €2,000,000 for a violation of Article 6(1) GDPR, Article 10 GDPR and Article 10 LOPDGDD for requesting criminal record certificates in their hiring process without a valid legal basis to do so. The AEPD also ordered Amazon Road to provide documentation to prove that their current practices are GDPR compliant. Specifically to prove that the criminal record certificate requirement for job applicants is no longer in place (both in the contract with transport workers as well as in the registration mobile app in their hiring process), that the data related to these certificates previously processed has been deleted, and that it provides workers with adequate information related to the nature and purpose of data transfers that are still being carried out with the processors in this case.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/64 File No.: PS/00267/2020 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A., on behalf of the General Union of Workers (in what hereafter, UGT, the claimant or claimant entity), on 11/28/2019 filed claim before the Spanish Data Protection Agency. The claim is directs against AMAZON ROAD TRANSPORT SPAIN, S.L with CIF B88405303 (in hereafter, AMAZON ROAD, the respondent or respondent entity). The reasons in which the claim is based on are as follows: 1. For the contracting of autonomous carriers as service providers, (program “***PROGRAMA.1”), the respondent entity asks the candidates for various documentation, including a certificate of absence of a criminal record penalties. 2. AMAZON ROAD requires the consent of the candidates so that “Amazon”, and any related entity, carry out transfers of personal data to any related entity located outside the EEA to promote the interests legitimate rights of "Amazon" and/or any related entity ("Entity means Related “Amazon holding company, subsidiary company or affiliate of its holding company” briefcase"). 3. “Likewise, consent is required so that: . Accurate Background is responsible for collecting and processing the information on behalf of Amazon to perform the background checks detailed above. . Amazon Development Center (India) Private Limited, in India, will be able to access to the data provided by Amazon during this process to support the information provided by me. On the other hand, they require consent to exonerate “Amazon, Accurate Fund, its affiliates and their respective agents that provide data reports on me from any claims, damages, liabilities, costs and expenses; or for any other charges or complaints arising from the collection, use of processing or disclosure of any information or report, to the extent permitted by the applicable legislation”. The complainant indicates that these two companies do not have a physical or tax office in Spain. or in the territory of the European Union. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/64 The claimant considers that the following precepts are not complied with: . Article 7.5 of Organic Law 15/1999, of December 13, on Data Protection of Personal Character (LOPD), “Specially protected data”: those related to the commission of criminal or administrative offenses. . Article 10 of Organic Law 3/2018, of December 5, on Data Protection Personal and guarantee of digital rights (hereinafter, LOPDGDD): data processing of a criminal nature. . Article 35.3 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (as successive RGPD): cases in which the impact assessment is required. With the claim, a copy, among others, of the following documents is provided: 1. Commercial contract (screenshot), which information on protection of personal data addressed to carriers, whose detail is outlined in the Proven fact 9. 2. Section of the application of "***PROGRAMA.1" related to the verification of background (screenshot). "Background Check The background check may include, but is not limited to, the aspects listed below. I agree to assist Amazon and participate in conducting these checks in the manner necessary to successfully complete my background check: 1. The certificate of my registration with Social Security. 2. A certificate from the Ministry of Justice confirming that I do not have a criminal record penalties of any kind; 3. Checking against any terrorist and sanctions list; Y 4. Verification that I have a valid driving license In connection with this process, I consent to the verifications mentioned and others that are considered necessary for the position. I understand and consent that Accurate Background is responsible for collecting and processing the information on behalf of Amazon to perform detailed background checks previously. I understand that I will be informed of any omissions or falsehoods detected by me in the background check process or any other supporting documentation sent along with the collaboration request, and, in the absence of a satisfactory explanation, this may constitute a reason for termination or non-contracting for the provision of the service or collaboration. I understand that information received from Amazon and any agents acting on its behalf name will be kept confidential and used exclusively by Amazon and any agents acting on your behalf for business purposes, and during the term of my provision of services to Amazon if hired and to the extent permitted C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/64 by applicable law. I confirm that I have been informed about the inclusion of my personal data in a file controlled by Amazon, the purpose of such processing, the identity of the data controller of the data and the recipients of my personal data, such as authorities and agents premises, in order to comply with legal requirements (e.g., those established by the Tax agency). I understand Amazon Development Center (India) Private Limited, in India, may have access to the data you provide to Amazon during this process to give support in the collection of the information provided by me, and I give my consent to said access. I have also been informed of my right to consult, rectify and cancel the data information held about me by Amazon and any agents acting on its behalf name, as well as to oppose their treatment. I am aware that I will be able to exercise these rights at any time by writing a letter identifying the right you I want to exercise and attaching a copy of my ID to Avda… I release Amazon, Accurate Fund, their affiliates, and their respective agents for providing data or reports about me of any claims, damages, responsibilities, costs and expenses; or any other charges or complaints arising from the collection, processing or disclosure of any information or report, to the extent permitted by applicable law. ( ) By checking this box, I give my authorization.” 3. Copy of several emails sent from the address “***EMAIL.1”, in which explains the process to complete the application in "*** PROGRAM.1" and the documentation that must be provided. In one of these emails it is indicated: “The verification process ends on the Accurate website. You have not yet completed the verification process in Accurate. Check your email account email and look for an email from “***EMAIL.2”, open it and click on the access link. You will see that your request is in progress, click “in progress” to continue and finish the process” 4. Copy of an email sent by Accurate Background from the address “***EMAIL.2” about the procedure to complete the request: “***PROGRAMA.1 Spain invites you to fill out the Background Verification Form online through Accurate Background as part of the onboarding process. You will need to access the Accurate Background web page via the link below to validate your personal data and complete the online application process. will have another 20 days to upload the required documents… You will also be required to submit a copy of the criminal record certificate It is confirmed that he has no criminal record. You can find instructions on how to get this certificate in the following link…. SECOND: Prior to the acceptance of this claim for processing, it is transferred to the claimed, in accordance with the provisions of article 65.4 the LOPDGDD. AMAZON ROAD submitted a letter on 06/30/2020 in which it highlights the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/64 1. From Amazon Road, the program “***PROGRAMA.1” and other relevant information Amazon Road is an Amazon group company that provides logistics and distribution to said group and that has the required license or Authorization to carry out the activity of freight transport operator. Amazon Road is the entity in charge of managing the program “***PROGRAMA.1” that allows autonomous carriers to register as service providers of Amazon Road (“Autonomous Carriers”). In order to participate in this program, autonomous carriers must accept the terms and conditions that regulate said program, where they are informed of the data processing that the entity may carry out for the management of the program, and download the "Amazon Delivery" application on your mobile device. Through this application, Amazon Road collects the necessary data from the Autonomous Carriers for the purpose of (i) verifying that they comply with the requirements to be able to participate in the program, (ii) create the corresponding account user necessary to be able to access the service offers and (iii) control the development of service provision. Once registered in the system, the Autonomous Carriers have access to the necessary information to be able to provide services through the program “***PROGRAMA.1”. Among the requirements that autonomous carriers must meet to participate in the program is the need to have their own means of transport to carry out deliveries, (car, van or light truck, all with a gross weight maximum 2 tons). The legitimating bases of the data processing that the aforementioned program entails, depending on the type of data collected and the intended purposes, are the execution of the contract between the carrier and the claimed party, the informed consent of the autonomous carrier or the legitimate interest of AMAZON ROAD. 2. Of the information requested by AMAZON ROAD to be able to participate in the program “***PROGRAM.1”: negative certificates Among the information that is collected from autonomous carriers who want to participate in the program "***PROGRAMA.1" is a certificate of absence criminal record or negative certificate, similar to the one that must be provided by the managers who want to provide transport services, in accordance with the regulations in matter of transportation, for the purpose of proving its honorability, but with a scope more limited in that it only refers to the absence of a criminal record. This certificate does not provide criminal history information, but rather consists of a "blank" certificate in which no information is contained relating to said type of data and which, therefore, cannot be equated to the certificate "positive" criminal record, which does contain information regarding said antecedents, such as the type of crime committed, the date it was committed, the sentence of conviction, the sentencing body or information about the sentence C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/64 imposed and its duration. None of this information appears on the certificates require carriers, in which only their identification data and the mention of the absence of a criminal record. This documentation is part of the suitability assessments that the claimed performs to potential carriers, considering that they are provided with sensitive information of Amazon group customers (such as their data contact and address) so that they can provide the contracted service (delivery of goods). 3. When obtaining a negative certificate, data relating to convictions or criminal infractions, since it does not contain any data related to the commission of crimes. On this issue, it points out that articles 10 of the RGPD and 10 of the LOPDGDD are not refer specifically to criminal record data, but to data relating to criminal convictions and infractions, which is a more specific concept that, therefore, would not include a certificate of lack of criminal record. Thus, from a literal interpretation of the provisions of said articles, would infer that what they prohibit is only the processing of data relating to criminal convictions and offenses, so that the treatment of negative certificates would fall outside the scope of these two articles. The only action that Amazon Road takes by processing such certificates is to verify that there are no data related to convictions or infractions penalties. And in the absence of such data, it can hardly be concluded that a treatment of them. The AEPD itself has been applying rigorous criteria in rating the nature of the data when it comes to sensitive data, such as be seen in Legal Report 0129/2005, issued by this AEPD prior to the entry into force of the GDPR, which indicates what information should be considered as health information. In that case, the AEPD concluded that the mere fact that a person is a smoker, without being associated with other data that establish a certain habit, does not imply the treatment of information directly related with the health of the affected: The same strict qualification criterion would apply in the case that we now occupies: the mere knowledge of the non-existence of a criminal record cannot considered as the treatment of data related to convictions or infractions criminal, because this information, by itself, does not involve the treatment of this type of data. 4. The treatment carried out with the collection of these negative certificates is proportional and not excessive, which is covered by the concurrence of interest legitimate, in accordance with the provisions of article 6.1.f) of the RGPD Said treatment, not being included in what is established by the articles before mentioned, you must only comply with the legality requirements of article 6 of the RGPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/64 Access by Autonomous Carriers to the entrance of homes particulars of the clients, for the purpose of carrying out the delivery of merchandise, and the personal information of customers to which they have access in order to provide their transport services entails an intrusion into the private and personal sphere of the customers of the Amazon group, protected in accordance with the RGPD. It is a interference that Amazon customers accept as a result of trust that they have deposited in the group. Therefore, it is important for AMAZON ROAD to protect that customer trust. with the selection of carriers, taking extreme precautions regarding the suitability of the same, for which it must adopt all the measures that are within its reach, within the framework of current legislation, to guarantee the security and confidence of Your clients. And one of these measures consists of requesting the certificates negative criminal record. When carrying out the weighting exercise of the rights and interests at stake in the this case, Amazon Road has had its own interest, mentioned above, and the right to the data protection of said autonomous carriers and, specifically, the right unless it is known that they have no criminal record. For the purposes of assess which right or interest should prevail, have been taken into account, among other facts, the following: . The nature of the services provided under the program “***PROGRAMA.1”, which involves access to customer contact data and the movement of suppliers to their private addresses in order to make deliveries; . The risk inherent in the relationship of trust established by the people who located within private homes, in relation to the Carriers Freelancers of the program “***PROGRAMA.1”; . The condition of depositaries of the merchandise acquired by carriers, some of them high value, and the access they have to order inventory managed by the claimed party, when they access the facilities of the latter to order picking; . AMAZON ROAD's obligation to ensure that the services are offered with all guarantees and without any type of risk for customers; Y . The slight intrusion and impact on the privacy of autonomous carriers who supposes the fact that the claimed entity knows that they lack criminal record. The weighting carried out is similar to the proportionality judgment carried out by the AEPD in the resolution to file the actions issued in file E/00037/2013, in which the treatment by an employer of a certificate of their workers about the lack of criminal records. In said resolution, the AEPD concluded that the treatment by the employer of a declaration of employees regarding the absence of a criminal record constituted a proportional treatment that, taking into account the specific circumstances of the case, would C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/64 fit within “the business control measures appropriate to its activity with Respect for human dignity". In our opinion, the data processing carried out by AMAZON ROAD would exceed the proportionality judgment indicated above, taking into account, in the first place, the sensitivity of data processed by carriers; second, because it is of a suitable measure for the purpose pursued by the company and non-invasive in the sphere of the interested parties, since the information collected does not contain data regarding criminal convictions or offenses; and, thirdly, by the obligation that Amazon Road, as a transport operator, has to act diligently and adopt all those measures that are within its reach to minimize the maximum any risk to its clients as a result of the services provided. 5. The legitimate interest of the company in the processing of personal data would also be justified by the provisions of the Law for the Organization of Land Transport, whose article 119 subjects the activity of the operators of transport to obtain an administrative authorization, with the same requirements that are required for the public transport of goods. Among these requirements, according to articles 42 et seq. of the Law for the Regulation of Land Transport, and 33 of Royal Decree 1211/1991, of September 28, by which approves the Land Transport Management Regulations, meets the requirement of honorability, that is, not having been convicted by the commission of crimes or criminal offenses or sanctioned for the commission of infractions related to the commercial, social or labor fields, road safety or management of land transport. Well, by treating the carriers' negative certificates participating in the “***PROGRAMA.1” program, AMAZON ROAD intends to ensure because its position as a transport operator is not compromised by those carriers. To this end, it applies a minimum standard of diligence. Hence Amazon Road requests such negative certificates. 6. The treatment of negative certificates would also be necessary for the execution of the contract concluded between the autonomous carriers and AMAZON ROAD. The treatment of negative certificates is the only means through which Amazon Road can guarantee the application to the Autonomous Transporters of the same standards of diligence that it applies to itself, as an operator of transport and, at the same time, guarantee the maximum security and confidence of the Amazon group customers. For this reason, the treatment of repeated negative certificates, while referring to information necessary to be able to assess the suitability of the carriers for the provision of services, would also be covered by the provided in article 6.1.b) of the RGPD, as it would be necessary for the execution of the contract between the entity and the carriers. 7. AMAZON ROAD does not communicate to third parties the information collected through the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/64 negative certificates, including companies belonging to the same group. Notwithstanding the foregoing, it does have the help of companies that provide services that assist you in some of the activities you carry out within the framework of the program “***PROGRAM.1”, such as, among others, the initial checks to ensure that the Autonomous Carriers meet the requirements or the verifications of the records provided by the latter. between sayings providers would be the entities Accurate Fund, Inc. and Amazon Development Center (India) Private Limited, which the claimant cites in her brief. However, these entities, as providers of services to AMAZON ROAD, have signed the corresponding commission contracts with the claimed under the provisions of the regulations on data protection, so it is not may be considered as third-party companies to which personal data is transferred. personal character. Likewise, the international transfer of data involved in the access by said companies to AMAZON ROAD's data complies with the requirements established in articles 44 and following of the RGPD. 8. Of the security measures applied in the treatment of data derived from the program “***PROGRAM.1”. AMAZON ROAD, as a company part of the Amazon group, has implemented various internal policies aimed at guaranteeing the protection of data processing personal data that it carries out, including the processing of data derived of the “***PROGRAMA.1” program, which are also required of those suppliers with whom it has signed custom treatment contracts. All these measures have been adopted taking into account the nature of the data to be processed and the risks associated with such processing, such as those derived from the loss, communication or unauthorized access of data. 9. Lastly, the respondent states that since last March 2020 she has temporarily suspended the processing of personal data relating to the negative certificates of autonomous carriers as a result of the situation caused by the COVID-19 pandemic, therefore being an activity that not made at the date of filing your brief. THIRD. The claim was admitted for processing by agreement on 08/12/2020. FOURTH: On 05/12/2021, the Director of the Spanish Protection Agency of Data agreed to initiate sanctioning proceedings against the entity AMAZON ROAD, with in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the following alleged violations: 1. Breach of article 6.1 of the RGPD, in relation to article 10 of the RGPD and of article 10 of the LOPDGDD, typified in article 83.5 of the RGPD and in article 71 of the LOPDGDD. 2. Breach of article 7 of the RGPD, in relation to article 6.1.a) of the same C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/64 Regulation, typified in article 83.5 of said legal text. 3. Breach of article 49.1 of the RGPD, typified in article 83.5 of the aforementioned rule. In the opening agreement it was determined that the sanction that could correspond, attended the existing evidence at the time of opening and without prejudice to what resulting from the investigation, would amount to a total of 3,300,000 euros (2,000,000 euros for the infringement of article 6.1 of the RGPD in relation to article 10 of the same norm, as well as article 10 of the LOPDGDD; 300,000 euros for the infringement of article 7 of the RGPD, in relation to article 6.1.a) of the same legal text; Y 1,000,000 euros for the infringement of article 49.1.a) of the RGPD). In the same agreement to open the procedure, it was warned that the infractions imputed, if confirmed, may lead to the imposition of measures, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD. FIFTH: Notification of the aforementioned initial agreement and extension of the term granted for make allegations, AMAZON ROAD filed a brief dated 06/07/2021, in which that requests the file of the sanctioning procedure or, subsidiarily, the imposition of a minimum fine, in accordance with the considerations following: 1. The certificate of absence of criminal records that must be provided by the applicants to participate in the program "***PROGRAMA.1" does not contain data related to criminal convictions and infractions, which are specifically referred to in the Recital 75 and article 10 of the RGPD and article 10 of the LOPDGDD (literal interpretation). The same was established in Directive 95/46/CE, in the repealed Organic Law 15/1999 and also in Convention 108 of the Council of Europe. All of these rules refer to data relating to criminal convictions and offenses and not to data related to the existence or absence of a criminal record. It is a “blank” certificate whose content is not comparable to a “positive” criminal record certificate, which does include information on the type of crime committed, date of commission, conviction and sentence imposed. 2. Cites a precedent of the AEPD, indicated with the file number E/00037/2013, which dealt with the request for a responsible declaration in the one that the subjects affirmed that they had no criminal record (not the request of the certificate). According to Amazon, the Agency admitted in this precedent the treatment of negative certificates issued by employees (statements) without subjecting them to the specific regulation of data relating to criminal convictions. In relation to this precedent, which was already cited by the respondent in the process of Transfer, in the opening agreement it is answered that the Judgment of the Chamber of the Social of the National Court 14/2020, of February 10, 2020, indicates that the request for a responsible declaration on the lack of a criminal record It must be considered a treatment of data related to criminal convictions. amazon questions this argument by pointing out that the sentence is dictated by the jurisdiction social, which is not competent to review the decisions of the Agency; and what a joy C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 10/64 sentence does not justify why a negative certificate constitutes treatment of data relating to criminal convictions. 3. According to the entity claimed, other Member States have been accepting a different interpretation in relation to the provisions of article 10 of the RGPD: . The Netherlands accepts certificates that prove the absence of criminal records penalties, known as “Verklaring omtrent gedrag” (VOG). . In France, employers are authorized to request, during a process of selection of job applicants, a certificate of their criminal record, positive or negative (“Certificate B3”). . In Germany it is allowed to ask the person to be hired for confirmation of that you have no criminal record that is relevant to employment. 4. The most consistent interpretation with the spirit and purpose of the indicated standards implies that its purpose is to prevent the creation of records of convictions and criminal offenses. 5. Subsidiarily, he alleges lack of guilt in the imputed violation. AMAZON ROAD understands that it has used the diligence that was required of it, having taking into account the arguments made above. Add that only Accurate Background accesses this data; and that it suspended the request for these certificates in March 2020 due to the pandemic, not having resumed the treatment of negative certificates in view of the interpretations of this Agency and the Judgment cited above, as indicated in the process of transfer of the claim. 6. There is no breach of the provisions of article 7 of the RGPD by the processing activities carried out by Accurate Background Inc. and Amazon Development Center (India) Private Limited, which is not acting as a third party nor is this Intervention is based on the consent of the interested parties. Amazon Road does not share negative certificate information with any entity of the Group or with third parties. The aforementioned entities attend the claimed as service providers in the initial checks on the carriers participating in the program, by virtue of a contract of treatment order signed by the intervening entities. Thus, these companies cannot be considered as third parties and the processing of data that they carry out does not require consent. This is already mentioned in the registration process when informing “I understand and agree that Accurate Background is responsible for collecting and processing the information on behalf of Amazon to perform the background checks detailed above.” It adds that Amazon Development Center (India) Private Limited acts as responsible for the treatment of AMAZON ROAD for the registration process of the participants in the program “***PROGRAMA.1”, but has never had access to the negative criminal record certificates. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 11/64 7. On the imputation of a possible infringement of the provisions of article 49 of the GDPR, after pointing out that the startup agreement does not clarify what you specify international data transfers refers to the AEPD, alleges that the international data transfers made to group companies or their providers located outside the EEA are not based on the consent of the interested parties and comply with the guarantees required by the RGPD. It warns that it has signed with each entity the corresponding clauses standard contracts approved by the European Commission through Decision 2010/87/UE, of February 5, 2010, relative to the standard contractual clauses for the transfer of personal data to those in charge of the treatment established in third countries, in accordance with Directive 95/46/EC, which are one of the guarantees that can be offered by data controllers in accordance with the provided in article 46 of the RGPD. In relation to Accurate Background Inc. indicates that, since 2016, it was an entity adhered to the EU-US Privacy Shield. And he clarifies that, although the Shield of Privacy ceased to have effect with the Judgment of the CJEU of 07/16/2020, in this date no longer requested or required the presentation of negative certificates of criminal record. 8. In relation to the graduation of the sanctions, it alleges, subsidiarily, that The following circumstances must be taken into account: . Data processing related to negative background certificates penalties only affected 16.76% of all last-mile drivers registered in Spain, as the program “***PROGRAMA.1” represents a small proportion of transport providers that make deliveries in Spain (never have exceeded 5%). . Data processing related to negative background certificates criminal charges cannot be compared to the processing of data on convictions and criminal offenses. . The activity carried out by AMAZON ROAD, as a logistics company that acts As a transport operator, it is not intensive in the processing of personal data, nor is based on the exploitation of personal data. The treatment you perform, for staff management and package management for delivery, is instrumental. . The data processing object of the claim was suspended in March 2020 and has not been resumed. . AMAZON ROAD has not been penalized for violating the protection regulations of personal data nor has it received any claim from any third party in relation to negative criminal record certificates. With its allegations, AMAZON ROAD provides, among others, the following documents: a) Provide a copy of the “Intra-Group Agreement for the Transfer and Treatment of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 12/64 Data” (“Intra-Group Data Transfer and Processing Agreement”), dated 01/01/2019, signed between different entities of the Amazon group, including the AMAZON entities ROAD, as the “exporting” entity, and Amazon Development Center (India) Private Limited, as the “importer/processor” entity. The content of this "Agreement" is outlined in Proven Fact 3. b) “Data Processing Agreement” of 10/18/2018, signed by some entities of the Amazon group and Accurate Fund Inc. Among those entities of the group include the entity Amazon Spain Fulfillment, S.L.U., which was in charge of managing the half-mile and last-mile business (“business of transport operator”). The content of this "Agreement" is outlined in Proven Fact 4. c) Project for the Partial Spin-off of Amazon Spain Fulfillment, S.L.U., dated 06/28/2019, under which AMAZON ROAD received the “transportation operator business” and produced a universal succession of all juridical relations affected by the assets of the business. d) Copy of the extract obtained from the website "www.privacyshield.gov" in relation with Accurate Background Inc.'s adherence to the “EU-US Privacy Shield”. In this document is indicated “Original certification date: 08/11/2016”. e) Information obtained from the Mercantile Registry of Madrid regarding AMAZON ROAD. The start date of operations is stated as 05/31/2019 and as corporate purpose “the provision of logistics and distribution services, in particular transport, handling and storage. The subscribed capital is 6,259.00 euros. SIXTH: On 12/03/021, the instructor of the procedure agreed to open a evidence practice period, considering as reproduced for evidentiary purposes the claim filed and its documentation, as well as the documents obtained and generated during the claim admission phase; and by presented the allegations made by AMAZON ROAD to the agreement to initiate the procedure and the accompanying documentation. Likewise, it was agreed to include in the actions the information related to the entity AMAZON ROAD in “Axesor” (“Monitoring report”). (...). SEVENTH: On 12/29/2021, a resolution proposal was issued in the sense following: 1. That the Director of the AEPD sanction the entity AMAZON ROAD, for a infringement of article 6.1 of the RGPD, in relation to article 10 of the same Regulation and article 10 of the LOPDGDD, typified in article 83.5 of the RGPD and in article 71 of the LOPDGDD, and classified as very serious for the purposes of prescription in article 72.1 of the LOPDGDD, with a fine amounting to 2,000,000 euros (two million euros). 2. That the Director of the AEPD impose on the entity AMAZON ROAD, in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 13/64 term to be determined, the adoption of the necessary measures to adapt its action to the personal data protection regulations, with the scope expressed in the Legal Basis VII of the proposed resolution. EIGHTH: Notification of the proposed resolution and extension of the term granted for the formulation of allegations, a letter was received from AMAZON ROAD requesting the dismissal of the file or, subsidiarily, the imposition of a sanction in its minimum amount, according to the following considerations: 1. Reiterates that a negative criminal record certificate does not entail a processing of data relating to criminal convictions and offenses within the meaning of article 10 of the RGPD and article 10 of the LOPDGDD, noting in this regard that the Articles 136.4 of the Penal Code and 17 of Royal Decree 95/2009, nor the Judgment of the National High Court of June 20, 2017, cited in Motion for Resolution no. confirm that it is. These articles refer to the issuance of these certificates, differentiating between negative and positive certificates, the latter being the only ones that contain data relating to criminal convictions and infractions. These articles, in the opinion of the claimed, do not endorse what was stated in the resolution proposal. It understands that the same conclusion results from the cited Judgment, which analyzes the impossibility of omitting in a certificate data related to a foreign conviction, and refers to positive certificates, by virtue of the provisions of article 17.2 of the Royal Decree 95/2009. 2. It also reiterates that there is no unanimous and consolidated opinion among the States members on the interpretation made by the AEPD. As he already stated in the opening arguments, he points out that the authority of Netherlands data protection accepts these negative certificates (Verklaring omtrent gedrag or "VOG") and provides excerpts from the website of the Ministry of Justice of that country with information on said document; and from the website of the authority of control that admits its use when there is a legitimate interest of the employer. In the French case, the control authority (CNIL) has included information on its website according to which, in the absence of a specific rule that provides for verification of this type background check, the employer may require an employee to submit an extract your criminal record during an interview and make a note about it “yes/no” verification, without obtaining a copy of the document. It is a treatment equivalent to negative certificate that collects the claimed. Based on this criterion, the most consistent interpretation with the spirit and purpose of the rule is to avoid unjustified treatment and the creation of files with these data. 3. Subsidiarily, alleges inexistence of guilt in the imputed violation, also invoked in the arguments at the opening of the procedure, to which expressly remits. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 14/64 4. In the event that it is considered that there has been an infringement, allege the following circumstances, to be taken into account in the graduation of the sanction: A) On the aggravating circumstances considered in the proposed resolution. a) Duration of the infraction: the negative certificates that it was able to collect before March 2020 were kept for 90 days for verification (provides Accurate Background certification, dated 01/19/2022, in which it is shown that, according to the instructions of the Amazon account, any data related to candidates of the “***PROGRAMA.1” program is removed from the platform after 90 days, including any documents provided as part of the process of verification), so since May 2020 it does not have any data of this type. This being the case, the existence of a permanent infringement cannot be considered. b) Number of affected: although the proposal indicates that AMAZON ROAD did not contribute evidence regarding the number of affected, in the pleadings brief at the opening it was indicated that the program “***PROGRAMA.1” represents 5% of the suppliers who make deliveries in Spain and, with regard to last-mile drivers, only 16.7% are participants in this program. c) Level of damages: does not understand to what extent the treatment of a negative certificate has been able to condition the contracting options of the subjects participants, given that the entity has contracted the carriers that had this document, and those who did not have it have not been participants in the Program. d) Intentionality or negligence: The absence of a clear and solid criterion on the part of this Agency when the entity began to require the certificates in question and the subsequent appearance of the Judgment of the National High Court of February 10, 2020, that would seem to endorse one of the possible interpretations of article 10 of the RGPD, not can an entity that acted with all due diligence and ceased such activity As soon as they became aware of the possible existence of a criterion contrary to the interpretation that Amazon Road understood to be adjusted to the law, appropriate to the activities that were going to be carried out under the program “***PROGRAMA.1”. To the above it should be added that other data protection authorities subject to RGPD, such as that of the Netherlands or France, do not consider this treatment to be contrary to article 10 of the RGPD. Likewise, there were resolutions of the Agency itself that endorsed the interpretation that AMAZON ROAD made of article 10 of the RGPD and after making a consultation phone call with the Ministry of Justice which, informally, endorsed said proposal. Therefore, being a disputed issue, in good faith he understood that his interpretation was correct according to the information available at the time of starting treatment and accommodated his behavior as soon as he became aware of the interpretation supported by the Agency or by a Spanish judicial authority. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 15/64 e) The degree of responsibility of the person in charge taking into account the technical measures or organizational: the infringement declared by the Agency, resulting from a interpretation of the standard, has nothing to do with the data management system designed by AMAZON ROAD when collecting the data of the participants in the Program. In this regard, it refers to its previous pleadings brief. It adds that in its response to the transfer procedure, it explained the technical and organizational measures implemented in relation to the processing of data derived from the program “***PROGRAMA.1”, without the Resolution Proposal indicating that these measures are insufficient or what would be the omitted measures. f) Categories of personal data: the treatment of a certificate indicating that a person is not registered in a register, than the one that actually refers to criminal convictions and infractions, so that the same aggravating circumstance cannot be applied. This interpretation coincides with that made by the Dutch supervisory authority. g) Link between the activity of AMAZON ROAD and the processing of personal data: It is a logistics company that acts as a transport operator for goods, whose activity is not intensive in the processing of personal data, even if it involves the processing of personal data (basically for the management of your own staff and for the management of packages for delivery), this is instrumental without its main activity being based on the exploitation of data personal, nor does it use them for purposes other than the management of its activity. That treats a certain number of data of employees, clients and contractors not should be reason to consider a "high" link, being only relevant the nature of the activity carried out and, therefore, the impact or affectation that said activity has in data processing. In fact, in the Resolution of October 26, 2021, issued in the procedure sanctioning PS/00050/2021, a low link between the person responsible and the performance of data processing has been considered by this Agency as mitigating factor: "On the other hand, it is observed that it concurs as a mitigating that the claimed party is an entity in the logistics sector in which data of its employees although there is no link between the offender's activity and the processing of personal data (76.2.b LOPDGDD). h) Condition of a large company and volume of business: the Agency takes into account consideration the figures of the year 2020, in which it stopped treating the data of the negative certificates. For this reason, it understands that it is more adjusted to the law to consider the data accounts for 2019 and, therefore, (i) because 2019 is the year prior to the year in which the Agency issued its request for information and (ii) because it was the year in which the claim that has given rise to this sanctioning file. The turnover of Amazon Road for the year 2019 amounted to 237,000,000 euros with a result of exercise of 1,862,000 euros (provides an extract of the accounts). B) Extenuating circumstances. a) The data processing object of this claim was suspended in March C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 16/64 2020, as already indicated in the brief responding to the transfer and in the brief with allegations to the opening of the procedure. Attach the mail model that the entity sent in March 2020 to the users of the Program “***PROGRAMA.1” that were in the registration process (although the email It is dated 2022, this is due solely to the fact that for its contribution to this procedure it has had to send the model template, leaving as the date of shipment). As can be seen, it was the circumstances of the moment (that is, Covid-19) which led the entity to temporarily suspend the request for negative certificates. This temporary suspension became definitive after becoming aware of the Judgment of February 10, 2020, issued by the Social Chamber of the High Court Nacional, although it did not share the interpretation contained in this Judgment, and the negative certificate ceased to be requested, even from carriers who received that mail. Although this part did not share this interpretation, the truth is that once Once the sentence was known, the request for the negative certificates was definitively stopped. All of this occurred before the agreement to open the procedure was issued and without said decision was adopted as a result of the intervention of this Agency. b) Any previous infraction committed by the data controller. Contrary to what is indicated in the proposal, the resolutions of the AEPD issued in the procedures PS/00165/2021, PS/00227/2021 and PS/00015/2021 consider as extenuating the fact of not having been sanctioned previously: Therefore, the respondent understands that, if said circumstance does not constitute a mitigating in light of the provisions of article 83.2 e) of the RGPD, as indicated in the Resolution Proposal, nothing prevents it from being constituted under the provisions of Article 83.2 (k) of the RGPD, taking into account the practice of this Agency. AMAZON ROAD has never been sanctioned for an infringement of the regulations on data protection, nor has it received any claim from any third party in regarding the treatment of negative certificates. c) AMAZON ROAD has not obtained any benefit from the facts claimed. Under the provisions of articles 83.2.k) of the RGPD and 76.2.c) of the LOPDGDD, this party understands that in the present case it must also be of application of this mitigating factor, since the treatment of negative certificates has not reported any additional benefit. This graduation factor has been considered by the Agency in its resolution of the procedure indicated with the number PS/00227/2021. d) The diligence present in the performance of AMAZON ROAD. If for the AEPD the diligence with which AMAZON ROAD has acted at all times in relation to the treatment of the data of the negative certificates is not C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 17/64 enough to consider that he concurs in a absence of guilt, as maintains in its allegations, said diligence should be considered, as less, as a mitigating factor under the provisions of article 83.2 sections b) and/or k) of the RGPD, taking into consideration the following circumstances: . The literal interpretation of article 10 of the RGPD and 10 of the LOPDGDD suggested that said articles do not refer to any data related to antecedents but the data related to criminal convictions and infractions, which in the opinion of this part did not reach the confirmation of the absence of antecedents penalties. . The previous interpretation was consistent with the previous regulations on data protection applicable in Spanish territory. . There was no consolidated, express and public criterion on the part of the Agency in regarding the processing of data relating to the absence of a criminal record (not in relation to data relating to the commission of offenses and the existence of criminal convictions). . There were resolutions of the Agency itself that support the interpretation that AMAZON ROAD complied with article 10 of the RGPD. . AMAZON ROAD even made a telephone consultation with the Ministry of Justice that, informally, endorsed said proposal. . To proceed with the processing of data relating to negative certificates contracted an entity specialized in the selection and suitability control of the contractors. . The interpretation of article 10 of the RGPD given by other jurisdictions endorsed also the interpretation of AMAZON ROAD. . In March 2020 Amazon Road suspended the treatment of such certificates negative, as stated above. These circumstances demonstrate that AMAZON ROAD's conduct cannot be branded as reckless or irresponsible, but rather the opposite: diligent and accommodating their behavior to the interpretation of the privacy protection regulations data arising from the Agency itself and from the courts of Justice. 5. Of the corrective measures contained in the Resolution Proposal. Well, having been accredited that it does not collect the negative certificates of the participants in the program “***PROGRAMA.1” since March 2020 and neither retains said certificates, understands that, in the event that it is finally It is considered that there is an infringement of article 6.1 of the RGPD in relation to the article 10 of the RGPD and article 10 of the LOPDGDD, none of the proposed measures. With your statement of arguments, you provide, among others, the following documents: 1) Extracts from the website of the Ministry of Justice of the Netherlands, together with its translation, in which information about the "VOG" document is provided. In this information is indicated: “What is a VOG? A Certificate of Good Conduct (VOG) is often required for a (new) job. In C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 18/64 some sectors, such as child care, this is even required by law. justice handles VOG applications and is the only body in the Netherlands that issues the VOG. A VOG is a statement showing that your (judicial) past is not an obstacle to fulfill a specific task or function in society. When evaluating a VOG request, Justis checks if you have committed criminal offenses that represent a risk to the position or purpose for which you are requesting the VOG. Some criminal offenses constitute an objection to a job or internship, but not to other… Do you have no criminal record or have you committed any criminal offense that is relevant for the purpose of the application? You will then receive a VOG.” “Why and when should you do a screening? ...As an employer, you have a great responsibility in evaluating the reliability of the future staff. One of the instruments that you, as an organization, can use in your integrity directive is the certificate of good conduct (VOG). It is advisable to select for all positions where it is important that the employee is trustworthy. Think about: managers with many powers; employees working with groups vulnerable such as children, elderly, sick or people with a restriction; employees who they work with money and goods; employees who can access confidential information… That has to do with the powers and the nature of the work… Rules for screening Screening can be very drastic for the privacy of the applicant or employee. For the Therefore, detection is only under certain legal conditions (General Protection Regulation (GDPR)) permitted: You must have a legitimate reason (legitimate interest) for the screening. Screening must be necessary. You must comply with the obligation to provide information. You may not use the data obtained from the projection for any purpose other than what you got them for. You can only keep the data for as long as it is necessary for the purpose of the screening. You must protect the data properly. Not sure if you're allowed to test? For more information, visit the site website of the “Dutch Data Protection Authority”. By clicking on the link “Dutch Data Protection Authority” inserted at the end of the text is accessed to the website of this entity, to the information provided by AMAZON ROAD as “Document 2”. 2) Extracts from the website of the Control Authority of the Netherlands (Autoriteit Persoonsgegevens), and its translation, in relation to the treatment of certificates "VOG". “Background investigation (screening) It is important for employers to select and employ reliable employees. the screening it is a tool to limit risks. For certain positions (for example, in the care of children) screening is even required by law. Screening means that an employer requests information about an applicant or employee 28001 – Madrid 6 sedeagpd.gob.es, 19/64 to estimate its integrity. For example, calling an applicant's references or finding out if he or she is in a "Blacklist". Screening conditions Screening can be very invasive to the privacy of the applicant or employee in question. Therefore, screening is only allowed under certain “legal conditions”. The most important conditions are that the employer has a legitimate reason (interest legitimate), that the screening is necessary and that the employer adequately informs the applicant or employee before and after. legitimate interest An employer's "legitimate interest" in a screening is generally that it should be able to trust that your (future) employee is honest and trustworthy. Need The fact that screening must be "necessary" means, among other things, that the employer must not be able to achieve his objective by less drastic means than screening. Report The employer must inform the applicant or employee “about the screening”. The employer must inform this person in advance that a screening will be carried out and then what are the the results". “Questions from employers about the screening […] As an employer, how do I determine that screening is necessary? You take an inventory of the risks associated with the various groups of functions within of your organization. Then check to see if you can limit the risks other than by through screening. …For example, positions where staff work with sensitive information are aware of the risk of selling or transmitting this information... Risk mitigation Have you mapped out the risks? Next, you need to set up your organization in such a way as to reduce inventoried risks. You can think of strict internal controls or distribution of powers. Good organizational measures can ensure that risks to your organization are completely eliminated. Otherwise, screening may be necessary. applicants or employees. [...]”. “Requests… Application data retention period An applicant did not obtain the position? So, it is common for the organization to remove its data no later than 4 weeks after the end of the application procedure. Applicants can give permission to keep their data for a longer time. For example, because a suitable position may become available at a later date. A maximum period of 1 year after the completion of the application procedure is reasonable for this. “Questions about personal data in job applications… Screening in the job application C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 20/64 It is important for employers to hire reliable employees. Therefore, the employer the one you are applying for can decide to examine you… legal screening Screening is required by law for some positions, for example, in child care. In the case of a legally required screening, the employer may request a Certificate of Good Conduct (VOG). In addition, special provisions apply to the screening of positions of trust, such as police officers, employees of private security organizations, employees of investigative agencies, aviation personnel, and some government posts.” This Agency verifies the information provided by AMAZON ROAD. Likewise, click on the link "legal conditions" that appears in the document “Background investigation (screening)”, and access to the “Questions from the employers on screening. In this section, in addition to what is indicated by the claimed, the following should be noted: “When you select candidates or employees, you are processing their personal data. This means that the General Data Protection Regulation (GDPR) and the Data Protection Act apply. AVG implementation (UAVG). As an employer, you are responsible for ensuring that the evaluation meets the requirements of these laws. In any case, the RGPD and the UAVG impose the following selection requirements: .Has a legitimate interest in the projection. . Screening is necessary. This means, among other things, that you cannot achieve your target in another way or through a less invasive means than screening. . You comply with the information obligation. This means that it informs the candidate or relevant employee in advance who is conducting an assessment and then what are the results. . It does not use the data obtained from the projection for any other purpose. . It does not store the data for longer than is necessary for the purpose of the evaluation. . The projection data is sufficient, it is relevant, and you do not collect more data from the necessary ones. . You protect the data well. . You assess whether you need to carry out a data protection impact assessment (DPIA), because detection is data processing with a high risk of Privacy. . Has the DPIA shown that the intended detection poses a high risk? And not find measures to limit this risk? Then you should check with the Authority of Dutch Data Protection (AP) before starting the selection. This is called prior consultation”. “As an employer, can I review someone without telling them? No, that is not allowed... Pre-selection information You must inform the applicant or employee in question in advance that you are taking carry out an evaluation. In addition, you must state why an exam is necessary. Too you should make it known what data you are researching and why it is relevant to the position in question. Post-Assessment Information…must inform the applicant or employee of the evaluation results”. Through the link “legitimate interest” that appears in the document “Investigation of background (screening)”, the following information is accessed: 28001 – Madrid 6 sedeagpd.gob.es, 21/64 “When can I rely on the basis of legitimate interest? You only have the right to process (ordinary) personal data if you can trust 1 of the 6 principles of the General Data Protection Regulation (GDPR). One of these bases is that the processing of personal data is necessary to represent your interest legitimate. Every time you process personal data, this is an invasion of data privacy. interested. These are the people whose data you process. Every human being has the right to privacy, which is a right to privacy, which is a fundamental right. But as an organization, you can also have the law on your side. That is the case if has an interest that society considers so important that it has found recognition In the law. And you can only represent this interest by processing personal data. we call such interest a legitimate interest. conflict of rights This creates a situation in which their right "collides" with the fundamental right of interested. It is then up to you to weigh these rights against each other and see what weighs more, your interest or that of the parties involved. Does his interest finally get the better of him? You can then base your processing on the basis (necessary for the representation of a) legitimate interest”. 3) Extract from the website of the French Control Authority (CNIL), and its translation. “Excerpt from criminal record: can the employer request and keep it? In the absence of a specific text that provides for the verification of the criminal record of the employees, the employer may ask a candidate or an employee to present the extract of your criminal record (B3) during an interview, for example, to verify your criminal history. However, in this case, the entrepreneur cannot keep a copy or allow these Data is subject to a specific treatment. The mention of the verification in the boxes of the personnel management file in the form "yes/no" is sufficient. For access to certain so-called "sensitive" functions, the texts may provide for the verification, by the employer or certain authorities that issue authorizations (for example, for security guards or babysitters), of the criminal records of employees (B2 or B3 bulletins). These texts may provide for the period during which the employer is obliged to keep excerpt from criminal record (3 months is often used, particularly for administrations). In the absence of details in the text, the document should not be kept. When the verification is carried out by an authority, the employer does not need to consult the criminal record since the verifications are carried out by an authorized authority and the issuance of the authorization is by itself sufficient to ensure the capacity to occupy the proposed job...". 4) Extract from the website of the Control Authority of the Netherlands (Autoriteit Persoonsgegevens), together with its translation, in relation to the content of the "VOG" certificates. “As an employer, can I request criminal information during an evaluation? For some positions, it may be necessary for you to know the criminal history of a applicant or employee. In most cases, it is sufficient for the interested party to request a certificate of good conduct (VOG). VOG A VOG is a statement showing that someone's past behavior is not constitutes an obstacle to fulfilling a specific (future) position. A VOG is issued by 28001 – Madrid 6 sedeagpd.gob.es, 22/64 Justis of the Ministry of Justice and Security. Selection of criminal data Only if requesting a VOG is not enough, you can request (other) criminal data. May process personal data of a criminal nature if this is necessary for the assessment of a request from a data subject to make a decision about him or to provide him with a service. An example is a selection during an application procedure for a job integrity. In certain circumstances, criminal personal data may be treated for this purpose.” 5) Email template that AMAZON ROAD sent in March 2020 at regarding the suspension of the request for negative certificates. "Background Check In order to complete the background check process, you need to upload a copy of the certificate showing the absence of a criminal record. Since it is currently not possible to obtain this certificate in person due to the alarm state, we have allowed you to complete the verification without this document. No However, you must upload this document within 60 days from the end of the registration in ***PROGRAM.1. If after this period you have not uploaded the document, you will no longer be eligible to participate in the program ***PROGRAM.1. You must upload this document on the Accurate page. Check the email periodically to follow instructions received from Accurate. Of the actions carried out in this procedure and the documentation in the file, the following have been accredited: PROVEN FACTS 1. AMAZON ROAD is an Amazon group company that provides transportation services logistics and distribution to said group. This entity began its operations on 05/31/2019 and its corporate purpose is "the provision of logistics services and distribution, in particular transport, handling and storage”. Following the spin-off of Amazon Spain Fulfillment, S.L.U., which took place on 06/28/2019, AMAZON ROAD received the “transport operator business” and it happened to that entity in all legal relationships affected by the elements business assets. 2. AMAZON ROAD is the entity in charge of managing the program “***PROGRAMA.1”, whose purpose is to contract self-employed carriers as service providers. 3. The entity Amazon Development Center (India) Private Limited, based in India, provides services to the entity AMAZON ROAD in the management of the program “***PROGRAMA.1” by virtue of the “Intra-Group Agreement for the Transfer and Data Processing” (“Intra-Group Data Transfer and Processing Agreement”), of dated 01/01/2019, signed between different entities of the Amazon group, including the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 23/64 entities AMAZON ROAD, as an “exporting” entity, and Amazon Development Center (India) Private Limited, as “importer/processor” entity. By reason of this contract, the aforementioned service provider assists AMAZON ROAD in the collection of information provided by autonomous carriers. The aforementioned “Agreement” deals with access to personal data that entities importers must make for the provision to the importing entities of the services specified in Annex 1, including access to the data of contractors and their employees and subcontractors. It is established that the importing entities will process the data on behalf of the responsible and in accordance with your instructions, in order to provide the services, without being able to determine the purposes and the way in which the data is processed; and they come obliged to notify the person in charge of any instruction that, in their opinion, violates the applicable law, any data breach or claim you receive and to provide the controller with full cooperation and assistance; as well as establish the appropriate technical and organizational measures to protect the data. I know It also provides that the person in charge of the treatment return to the person in charge all the personal data or proceed to its destruction at the termination of the contract, at the option of the data controller. By virtue of this “Agreement”, the parties undertake to comply with “the terms of the standard clauses for the transfer of personal data to those in charge of the treatment established in third countries, approved by Decision of the Commission of the CE of February 5, 2010” (standard contractual clauses for the transfer of data), which are reproduced in Annex 3 of said Agreement and are signed by signing the same Agreement or by means of a letter of adhesion according to the form incorporated as Annex 6. The technical and organizational measures to be applied and maintained by the person in charge of the treatment are listed in Annex 2. The entire content of this “Agreement” is declared to be reproduced in this act for purposes evidence. 4. Accurate Background Inc., based in the United States, provides services to the entity AMAZON ROAD in the management of the program “***PROGRAMA.1” under of the "Data Processing Agreement" of 10/18/2018, signed by some entities of the Amazon group and Accurate Fund Inc. Among those entities of the group include the entity Amazon Spain Fulfillment, S.L.U., which was in charge of managing the half-mile and last-mile business (“business of transport operator”) until the date on which the spin-off of said business took place in favor of AMAZON ROAD, in the year 2019. This Agreement is formalized by reason of the Framework Agreement entered into between the parties on 03/05/2008 (it appears in the proceedings copy of the Service Framework Agreement -“Master Service Agreement”- between Amazon Corporate LLC and Accurate Background Inc. and the specific Work Order for Spain, of 02/12/2017). By reason of this contract, the aforementioned service provider assists AMAZON ROAD in the collection of information provided by autonomous carriers, as well as C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 24/64 as in the verification of compliance with the requirements that this entity demands from these carriers in order to participate in the program. The aforementioned "Agreement" regulates access to personal data by Accurate Background Inc. in its capacity as data processor and contemplates the signing of the EU standard contractual clauses, incorporated as Annex 3. Details about the processing activities to be carried out by the processor are contained in Annex 1 of the "Agreement", including those related to the selection process for personnel, contractors and subcontractors. It is established that the importer receives information from third parties and collects the relevant data in reports of job screening for which the data exporter assesses the applicant. The content of this "Agreement", in terms of the obligations of the person in charge of the treatment, is similar to that outlined in the Third Proven Fact and also includes a Annex 2 in which the security measures to be applied are listed. The entire content of this “Agreement” is declared to be reproduced in this act for purposes evidence. 5. The entity Accurate Background Inc. appeared adhered to the "EU Privacy Shield- USA". The “original certification” of this adhesion is dated “08/11/2016”. 6. In order to participate in the “***PROGRAMA.1” program, carriers Freelancers must download the “Amazon Delivery” app on their mobile device. Through this application, AMAZON ROAD collects the necessary data from the autonomous carriers for the purpose of (i) verifying that they comply with the requirements to be able to participate in the program, (ii) create the corresponding account user necessary to be able to access the service offers and (iii) control the development of service provision. This application provides information on the process of "verification of records" required of self-employed carriers, whose detail consists outlined in the First Precedent. This application has a box enabled so that carriers can give their consent to the actions contained in said information (“By checking this box, I give my authorization”). 7. Carriers interested in participating in the program “***PROGRAMA.1” They also have an online application process, through the website of Accurate Background Inc., which includes an “Account Verification Form” background". 8. For the contracting of autonomous carriers as service providers in the program “***PROGRAMA.1”, AMAZON ROAD asks candidates for a diverse documentation, including a certificate of absence of a criminal record criminal cases (“A certificate from the Ministry of Justice confirming that I do not have criminal record of any kind”). 9. Carriers who complete the background check process and are selected as AMAZON ROAD service providers sign a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 25/64 commercial contract that includes the following information regarding the protection of personal information: “13. Data Protection. a) Amazon may keep and process data related to you for the execution of the contract that Amazon has entered into with you, and for legal, administrative, and management purposes, as described in more detail in Annex A. b) You consent to Amazon and any Related Entities (as such term is defined below) carries out the transfer of “personal data personal” (in the sense foreseen in the RGPD and in the Organic Law 15/1999) related to you to any Related Entity outside the EEA to further the legitimate interests of Amazon and/ or any Related Entity. For the purposes of this Clause 13, "Related Entity" means means "holding company" of Amazon, any "affiliated company" or an affiliate of its company portfolio. c) The parties undertake to comply with all applicable regulations regarding the protection of data… I agree and accept the above. ACCEPT AND CONTINUE ( ) I agree and accept the above”. The entire content of this contract is declared reproduced in this act for the purposes of evidence. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of Control and, as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this procedure. Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of the Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures. II In this proceeding, it is necessary to analyze, in the first place, the presumed illegality of data processing carried out by the claimed entity when requesting a certificate of criminal records to self-employed carriers who have requested to subscribe a service contract with the one in the program “***PROGRAMA.1”. Article 5.1.a) of the RGPD, on the Principles related to treatment, establishes that personal data will be “processed in a lawful, loyal and transparent manner in relation to with the interested party (“lawfulness, loyalty and transparency”)” and article 6.1 specifies the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 26/64 assumptions in which the treatment will be lawful: “The treatment will only be lawful if at least one of the following conditions is met: a) the interested party gave his consent for the treatment of his personal data for one or various specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at the request of the latter of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller; d) the processing is necessary to protect the vital interests of the data subject or another person physical; e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the responsible for the treatment or by a third party, provided that said interests are not prevail the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions. For its part, article 10 of the same rule refers to the processing of data related to convictions and criminal offenses and provides the following: “The processing of personal data related to criminal convictions and offenses or measures of related security on the basis of article 6, paragraph 1, may only be carried out under the supervision of public authorities or when authorized by the Law of the Union or of the Member States that establish adequate guarantees for the rights and freedoms of interested. A complete record of criminal convictions may only be kept under the control of the public authorities”. In our legal system, article 10 of the LOPDGDD provides: "one. The processing of personal data related to criminal convictions and offenses, as well as to procedures and precautionary and related security measures, for purposes other than those of prevention, investigation, detection or prosecution of criminal or enforcement offenses of criminal sanctions, it can only be carried out when it is covered by a norm of Law of the Union, in this organic law or in other norms of legal rank. 2. The complete record of the data referring to criminal convictions and infractions, as well as to procedures and precautionary and related security measures referred to in article 10 of the Regulation (EU) 2016/679, may be carried out in accordance with the provisions of the regulation of the System of administrative records to support the Administration of Justice. 3. Apart from the assumptions indicated in the previous sections, the data processing referring to convictions and criminal offenses, as well as procedures and precautionary measures and related security measures will only be possible when carried out by lawyers and solicitors and have the purpose of collecting the information provided by their clients for the exercise of their functions”. 28001 – Madrid 6 sedeagpd.gob.es, 27/64 The RGPD refers, in its Recital 75, to the possibility that certain data processing may entail a risk to the rights and freedoms of the people, among which are the data related to the convictions and criminal offenses and related security measures, hence the Article 10 of the legal text chooses (i) to confer the legitimacy of its treatment to the public authorities or when there is an authorization under Union Law or a national standard that provides adequate guarantees, and (ii) for assigning custody of the registers where these data are recorded also to the public authorities. This regulation, far from being new in Europe, was already manifested in similar terms in Directive 95/46 CE, of the Parliament and of the Council, of 24 October 1995, on the protection of natural persons with regard to processing of personal data and the free movement of such data. The origin of this special guarantee can be found in Agreement No. 108 of the Council of Europe, of January 28, 1981, for the protection of people with respect to to the automated processing of personal data, which in its article 6 provides that certain categories of data, including data from personal nature relating to criminal convictions, may not be automatically processed unless domestic law provides adequate guarantees. Article 10 of the LOPDGDD, for its part, specifies the reference to the Law of Member States emphasizing that, when the treatment has a purpose other than “prevention, investigation, detection or prosecution of criminal offenses criminal or execution of criminal sanctions” - treatment excluded from the scope material of the data protection regulations in application of article 2.1.d) of the RGPD-, so that its treatment can be considered legitimate, it must be covered by a European standard, the LOPDGDD or another standard with legal status. Prior to examining the legitimacy of the treatment, it is necessary to analyze whether requesting a "negative" criminal record certificate constitutes a “processing of personal data related to criminal convictions and infractions”, according to the wording of article 10 of the RGPD, and if said treatment is subject, not only to the generic data protection regulations, but also to the consideration of data included in the field of application of article 10 of the RGPD and of article 10 of the LOPDGDD and, therefore, deserving of guarantees specific. The criminal record certificate is the public document that certifies the lack or existence of criminal records that are registered in the Registry Penitentiary Center. Criminal records are defined as resolutions firm orders issued by the Judges and Courts of the criminal order for the commission of a crime that imposes penalties or security measures that are in force in accordance with the provisions of the Penal Code. The information contained in the criminal record certificate subject to the This procedure constitutes personal data in the light of the definition of article 4.1 of the RGPD since it is "information about a natural person identified”, whether it is a certificate that refers to the existence of such C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 28/64 background as if it reveals your absence, and your request is a data treatment. In relation to the category of personal data on which that information relates, is precisely the one related to the final criminal convictions of which he may have been object (and are in force) a specific person, both to highlight I manifest that there are those firm resolutions that impose penalties or measures and what these are, to prove that they do not exist. That is, the information is dealing with is the data related to criminal convictions -which includes the absence of You are linked to a specific natural person. Therefore, what is stated by the respondent in her allegations cannot be accepted. when he points out that a criminal record certificate that shows that a specific person lacks criminal convictions does not strictly collect any data related to criminal convictions and infractions, since it is doing by showing and proving that said person lacks them. Admitting the position maintained by AMAZON ROAD in this regard would be equivalent to admitting that any person or entity could create a registry of people without criminal records criminal, despite the fact that it is a matter reserved for public authorities. It also takes into account section 4 of article 136 of the Organic Law 10/1995, of November 23, of the Penal Code, which after pointing out that "The registration of criminal records in the different sections of the Central Registry of Prisoners and Rebels will not be public”, provides that “During its validity, only will issue certifications with the limitations and guarantees provided for in their regulations specific and in the cases established by law. This specific regulation is contained in Royal Decree 95/2009, of February 6, which regulates the System of administrative records to support the Administration of Justice, which in its Article 17 establishes that "(...), the data related to his person contained in the inscriptions of the Central Registries of Prisoners, of Required Precautionary Measures and Non-Final Judgments, for the Protection of Victims of Domestic Violence, of Sentences of Criminal Responsibility of the Minors and Civil Rebels and sign negative certifications regarding people who are not registered in them. Provided in section 2 of this same article that “The positive certification will contain the transcript of the registered data, as they exist in the Registry at the time of their issuance, excluding inscriptions that, in accordance with a regulation with the force of Law, are found available only to the courts. Likewise, the National High Court in various sentences (for all the SAN of 20 June 2017) has stated that "There is no precept that establishes that the criminal record certificate omit to refer to criminal record that are duly registered, except in the case that a regulation with the rank of Law so establishes it and this regardless of whether the certificate is requested for a criminal proceedings or for a purpose other than criminal proceedings. From this it can be inferred that the negative criminal record certificate is also considered a piece of information relating to convictions and criminal offenses, as well as procedures and measures Prudential and related security. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 29/64 Both the issuance of a positive criminal record certificate and that of a certificate of the absence of such antecedents require, therefore, the consultation of the mentioned public records. Therefore, it cannot be said that the certificates negative or absence of criminal record do not contain information regarding criminal convictions and offenses or related security measures. An example that the negative criminal record certificate is a treatment of personal data related to convictions and criminal offenses we can see it in related to the certificate of crimes of a sexual nature. This certificate is similar to that we are now examining, since it refers to the existence or non-existence of final convictions issued by the judicial bodies, recorded in the Central Registry of Sex Offenders. Thus, the certificate for crimes of a sexual nature is issued indicating the existence or non-existence of criminal convictions on the date on which it is issued. In addition to the fact that this certificate can be requested in accordance with the provisions of the Law Organic 8/2021, of June 4, on comprehensive protection for children and adolescents against violence -norm of legal rank that enables their request in relation to the access to professions, trades and activities that involve regular contact with minors -, the truth is that the fact of obtaining a certificate negative shows that someone lacks criminal convictions in relation to crimes of a sexual nature. This implies processing personal data “related” to criminal convictions, since the data contained in the aforementioned certificate, in the same way that in the one now examined, have to do indissolubly with the existence of criminal convictions. They are personal data related to criminal convictions either by their possession or absence. And the request made by AMAZON ROAD that by part of this Agency a strict interpretation is made in a manner analogous to the assumption included in the Legal Cabinet Report 0129/2005. In this sense, it that came to show the mentioned report is that the data of "smoker" considered by itself would not belong to the category of health data, for when, in accordance with Recommendation No. R (97) 5, of the Committee of Ministers of the Council of Europe, referring to the protection of medical data, the data referring to the mere consumption of tobacco, without specifying the quantity consumed, would not be principle a data linked to health, if it is not accompanied by a complementary information that allows to determine that the situation of “nicotine abuse”. However, in the case that is the subject of this proceeding, as As has been stated, the relationship between a criminal record certificate and the category of data relating to criminal convictions and offenses is unambiguous, since its information refers to them, both to show their existence and your absence. It is also interesting to bring up at this point the file E/00037/2013 that the claimed refers to in his reply to the transfer. In this file, the issue was about the request for a responsible statement in the one that the subjects affirmed that they had no criminal record (not the request of the certificate). Well, on a case of a similar nature, the Judgment of the Chamber of the Social of the National Court 14/2020, of February 10, 2020, indicates that including the request for a responsible statement that there is no criminal record C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 30/64 criminal offenses must be considered as a treatment of data related to convictions penalties. AMAZON ROAD, in its arguments at the opening of the procedure, dismisses the statement made by the National High Court in this Judgment stating that the The same was issued by the Social Chamber, which is not competent to review the decisions of this Agency, thereby denying the ability of judges and courts to interpret the rules that are applicable to the alleged object of the process in question. Regarding this allegation, we must mean that, although the Social Chamber of the The National Court is not competent to review administrative resolutions dictated by the AEPD, in attention to the competence attributed to the social order, article 25 of the Organic Law 6/1985, of July 1, of the Judicial Power (LOPJ), this does not prevents interpreting and applying the data protection regulations or any other that could be relevant to the resolution of the disputed matter; moreover, the Article 4.bis of the LOPJ mandates the application of the Law to judges and courts of the European Union. As a consequence of the foregoing, once established that the background certificate criminal charges requested by AMAZON ROAD assumes information regarding the convictions criminal of an identified natural person and, therefore, a personal data subject to the special guarantees established by articles 10 of the RGPD and 10 of the LOPDGDD, It is appropriate to examine whether there is an authorization that allows the entity claimed to treat such information. These precepts confer the treatment of said data to the public powers restricting their treatment to individuals only for those cases in which a rule of European law or a national rule with the force of law enable it (in addition to what is established in point 10.3 for the processing of criminal data by part of lawyers and solicitors). Only, therefore, in those exceptional cases in which, authorized by a Law and with the due guarantees, if said measure is contemplated, said certificate; In this sense, there are specific regulations that, in different areas, expressly contemplate. In relation to this point, there is no standard of the Law of the Union or a legal norm of our system that allows carrying out carry out the processing of criminal record data intended by the entity claimed. Analyzing the sectoral regulations brought up by the one claimed in his writing, the Article 43.2 of Law 16/1987, of July 30, on Transport Planning Terrestrial (hereinafter, LOTT) provides that "when the authorization enables the performance of public passenger transport by bus or goods in vehicles or groups of vehicles with own traction capacity whose maximum mass authorized is greater than 3.5 tons, they must meet the requirements of establishment, honorability, financial capacity and professional competence required by the regulations of the European Union establishing standards relating to the conditions that must be met for the exercise of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 31/64 profession of road carrier, in accordance with what in said regulation is available and with what is established in this law and in its implementing regulations. points out for the execution of such provisions”. Article 45 refers specifically to the requirement of good repute, stating that "In accordance with the provided in the regulations of the European Union establishing standards relating to the conditions that must be met for the exercise of the profession of road carrier, in order to meet the requirement of good repute, Neither the company nor its transport manager may have been convicted of the commission of crimes or criminal offenses or sanctioned for the commission of infractions related to the commercial, social or labor fields, road safety or management of land transport that gives rise to the loss of this requirement, in accordance with the provisions of this law and in the regulations of the Union European. For its part, the Regulations of the Land Transport Planning Law (ROTT), approved by Royal Decree 1211/1990, of September 28, collects in its article 109 that “In accordance with the provisions of article 43.2 of the LOTT, for Obtaining and maintaining authorizations for public passenger transport by bus and public transport of goods in vehicles that can exceed the 3.5 tons of maximum authorized mass, it must be proven that the company complies, in addition to the conditions indicated in article 43.1 of the LOTT, the requirements of establishment, professional competence, honor and capacity financial, with the specifics indicated in these Regulations”; and in article 115 that “1. For the purposes of the provisions of article 45 of the LOTT, both the owner of the the authorization, whether a natural or legal person, such as the transport manager of the company in a personal capacity, must meet the requirement of good repute. 2. In the verification of compliance with the conditions indicated in the previous section, The competent body must exclusively refer to the data contained in the Register of Transport Companies and Activities and in the European Register of Road Transport Companies”. Articles 116 to 120 regulate in detail the legal regime and the specifications to be taken into account regarding the concept of honor. Based on the foregoing, it can be deduced that only compliance of the honorability requirement for those authorizations that imply the use of vehicles whose maximum authorized mass is greater than 3.5 tonnes. Your exam would correspond, in any case, to the competent Administration to grant and manage transport authorizations, and also with the added limitation of abide exclusively by what is registered in the Registry of Companies and Activities of Transport and in the European Register of Road Transport Companies. Is In other words, not even the competent Administration to manage the authorization can, in these cases, request or enter to examine a criminal record certificate, but must abide by the information that has been registered in the aforementioned records. Furthermore, it means that not even the existence of a criminal conviction or administrative sanction automatically determines the loss of honorability necessary to be the holder of a transport authorization, since there is a subsequent administrative procedure, once said sentence is registered or resolution in the Registry of Transportation Companies and Activities, as of articles 118 and 119 of the Regulations of the Law on Transport Management Terrestrial (ROTT), according to which the competent authority of transport can C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 32/64 determine that even with said conviction or sanction, the consequence of the loss of honor, and therefore of authorization, is disproportionate. The ROTT itself additionally establishes a circumstance in which, even sanctioning resolution, considers that in no case can the loss of the honorability (article 119.3 of the ROTT). After these precepts it turns out that they can exist carriers with convictions or sanctions that do not entail the loss of this requirement. In any case, it would only be in the event that AMAZON ROAD intended sign contracts for the provision of services with autonomous carriers in which the vehicles to be used by them had a maximum authorized mass greater than 3.5 tons (a situation that does not occur in this case because the mass of vehicles admitted to the program must be less than 2 tons) when data from certain criminal records, as components of the requirement of honorability as defined in the LOTT, would come into play for the concession and maintenance of the mandatory authorization by the Administration that grants. However, the exclusive competence for its control corresponds to said Administration with the limitations indicated above, and without in any case there is legitimacy that enables the company to request a background certificate criminal charges or to verify such information. In the absence of legal authorization, it is not possible, in this case, to resort to other legal bases to legitimize the processing of personal data related to convictions and offenses penalties. However, AMAZON ROAD, in its response to the process of transfer of the claim, stated that the legitimizing bases of the data processing that carried out, depending on the type of data collected and the intended purposes, are the execution of the contract between the autonomous carrier and the entity, the consent of those and the legitimate interest. In relation to the processing of personal data contained in the certificates of criminal records that it collects from the carriers that participate in the "Amazon lex" program, states that the legal basis is the execution of the contract and the legitimate interest of AMAZON ROAD in protecting the trust that customers have deposited in the entity and in guaranteeing that its position as a transport operator not be compromised. On the other hand, in the information that is offered to the interested parties during the "background check" (the details are outlined in the Background First) it is indicated as the legal basis for those data treatments the consent of the interested parties (“In relation to this process, I give my consent to carry out the aforementioned checks…”, among which figure “A certificate from the Ministry of Justice confirming that I do not have criminal record of any kind”). None of these legal bases can legitimize the processing of personal data which, as has been said, can only be carried out in those cases in which there is legal authorization, so its analysis is not necessary. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 33/64 However, it is considered appropriate to make some clarifications in this regard: a) The entity complained against considers that the treatment of the certificates in question it is necessary for the execution of the contract that you sign with the carriers self-employed, to guarantee the security and confidence of the clients, to apply a minimum standard of diligence in contracting services from suppliers and for prevent your position as a transport operator from being compromised (the same reasons that it gives to justify the legitimate interest). This Agency does not share that the criminal record certificates that the claimed requests autonomous carriers to be necessary for the execution of this contract for the provision of services, for the reasons already stated when referring to the regulations governing the transport of goods. The public authorities are responsible for granting the necessary authorizations for the public transport of goods, so that AMAZON ROAD only It is up to him to verify that the autonomous carrier intends to contract has this concession. b) In relation to the legal basis of legitimate interest, article 6 of the RGPD establishes: "one. The treatment will only be lawful if at least one of the following conditions is met: f) the treatment is necessary for the satisfaction of legitimate interests pursued by the responsible for the treatment or by a third party, provided that said interests are not prevail the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child...”. Recital 47 of the RGPD specifies the content and scope of this base legitimizer of the treatment: “(47) The legitimate interest of a controller, including that of a controller to whom may communicate personal data, or of a third party, may constitute a legal basis for treatment, provided that the interests or the rights and freedoms of the user do not prevail. data subject, taking into account the reasonable expectations of data subjects based on their relationship with the person in charge. Such legitimate interest could occur, for example, when there is a relevant and appropriate relationship between the data subject and the controller, such as in situations where which the interested party is a client or is at the service of the person in charge. In any case, the existence of a legitimate interest would require careful assessment, even if a The interested party can reasonably foresee, at the time and in the context of the collection of personal data, which may be processed for this purpose. In particular, the interests and the fundamental rights of the interested party could prevail over the interests of the responsible for the treatment when proceeding to the treatment of personal data in circumstances in which the data subject does not reasonably expect that a further treatment. Since it is up to the legislator to establish by law the legal basis for the processing of personal data by public authorities, this legal basis does not should apply to processing carried out by public authorities in the exercise of their duties. functions. The processing of personal data strictly necessary for the prevention of fraud also constitutes a legitimate interest of the data controller. that it is The processing of personal data for direct marketing purposes may be considered carried out for legitimate interest”. The interpretative criteria that are extracted from this Considering are, among others, (i) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 34/64 that the legitimate interest of the person in charge prevails over the interests or rights and fundamental freedoms of the owner of the data, in view of the expectations reasonable that he has, based on the relationship he maintains with the person in charge of the treatment; (ii) it will be essential to carry out a "meticulous evaluation" of the rights and interests at stake, also in those cases in which the interested party can reasonably foresee, at the time and in the context of the data collection, which may be processed for this purpose; (iii) interest and fundamental rights of the owner of the personal data could prevail against the legitimate interests of the person in charge when the processing of the data is carried out in such circumstances in which the data subject "does not reasonably expect" carry out further processing of your personal data. The respondent entity did not carry out this prior analysis, although it refers to it in its written arguments for the proposal, and there is no evidence that he has duly informed stakeholders on this legitimate basis. In the absence of information regarding the weighting test, the interested party is deprived of their right to know the legal basis of the treatment alleged by the person in charge, and specifically, when referring to the legitimate interest, he is deprived of his right to know what are said legitimate interests alleged by the person in charge or by a third party that would justify treatment. In the same way, the interested party is deprived of his right to claim for what reasons Said legitimate interest of the person in charge of the treatment could be counteracted by the rights or interests of the interested party. Not having given the interested party an opportunity to allege them against the person in charge, any weighing carried out by the person in charge without taking into account the circumstances that the interested party could allege, to whom it was not allowed to do so would be vitiated, as it is an act contrary to a mandatory norm. It is not possible, therefore, to invoke this legal basis of legitimate interest on the occasion of a administrative procedure, such as transfer of the claim. Accepting it would be so much such as admitting a legitimate interest arising, or a posteriori, in respect of which no have complied with the requirements set forth in the data protection regulations personal and about which the interested parties are not informed. Although the legitimate interest is not applicable, it is interesting to analyze the terms in which it must carry out the weighting provided for in article 6.1.f) of the RGPD between the legitimate interest of the person responsible for the data and the protection of personal data of the interested, that is, how it plays said legitimate interest, if applicable. The CJEU, in its ruling of 05/04/2017, C-13/16, Rigas Satskime, sections 28 to 34, determined what are the requirements for a treatment to be lawful on the basis of legitimate interest. The CJEU ruling of 07/29/2019, C-40/17, Fashion ID, Echoing the sentence cited, it collects said requirements. 28. In this regard, article 7, letter f), of Directive 95/46 -(current article 6.1.f) of the RGPD)- sets three cumulative requirements for the processing of personal data to be lawful: first, that the data controller or the third party or third parties to whom they are communicated the data pursues a legitimate interest; second, that the treatment is necessary for the satisfaction of that legitimate interest and, third, that the rights and freedoms fundamentals of the interested party in the protection of data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 35/64 This legal basis requires the existence of real interests, not speculative and that, Also, they are legitimate. And not only does the existence of that legitimate interest mean that those treatment operations can be carried out. It is also necessary that these treatments are necessary to satisfy that interest and consider the repercussion for the interested party, the level of intrusion on their privacy and the effects that may negatively impact it. Even if the data controller has said legitimate interest, this does not, in itself, mean considered, that this legal basis can simply be invoked as a basis of the treatment. The legitimacy of this interest is only a starting point, one of only items to be weighed. In this case, it is considered that the processing of personal data carried out by AMAZON ROAD is not necessary or strictly necessary for the satisfaction of the alleged legitimate interest (the cited judgment of 05/04/2017, C-13/16, Rigas Satskime, in its section 30, it declares “Regarding the requirement that the treatment of data is necessary, it should be remembered that the exceptions and restrictions at the beginning protection of personal data must be established without exceeding the limits of what is strictly necessary”). This principle, according to which the treatment must be strictly necessary for the satisfaction of legitimate interest, it must be interpreted in accordance with what established in article 5.1.c) RGPD, which refers to the principle of data minimization, noting that personal data will be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are treaties”. Thus, less invasive means of serving a patient should always be preferred. same end. Necessity implies here that the treatment is essential for the satisfaction of said interest, so that, if said objective can be achieved reasonable manner in another manner that is less impactful or less intrusive, the Legitimate interest cannot be invoked. The term “necessity” used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, a own and independent meaning in Community law. It's about a “autonomous concept of Community Law” (STJUE of 12/16/2008, case C- 524/2006, section 52). On the other hand, the European Court of Human Rights (ECHR) has also offered guidelines to interpret the concept of necessity. In its Judgment of 03/25/1983 specified that, without prejudice to the treatment of data of the claimants is "useful", "desirable" or "reasonable", as specified by the ECHR in its Judgment of 3/25/1983, the term “necessary” does not have the flexibility that is implicit in those expressions. The more "negative" or "uncertain" the impact of treatment may be, the more It is unlikely that the processing as a whole can be considered legitimate. As can be seen, what was stated above is in line with the doctrine of Constitutional Court on the proportionality trial that must be carried out on a restrictive measure of a fundamental right. According to this doctrine, they should C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 36/64 three requirements must be verified: suitability (if the measure allows the objective proposed); necessity (that there is no other more moderate measure); proportionality in strict sense (more benefits or advantages than harm). In short, it is understood that the collection and use of the background certificate criminal charges that the claimed entity carries out involves the processing of personal data excessive, considering that there are other less intrusive ways to protect the trust that customers have deposited in the entity and to ensure that their position as transport operator is not compromised. Therefore, the legitimate interest invoked by AMAZON ROAD does not prevail against the fundamental rights and freedoms of those interested in the protection of their data personal, so it cannot be considered that the processing of personal data that carried out is protected by the legitimate interest provided for in article 6.1.f) of the GDPR. c) And neither the acceptance by the interested carriers of the process of “background check” implies a valid consent for the treatment of personal data related to criminal records. According to what is stated in the rules outlined, the processing of personal data subject to the claim require the existence of a legal basis that legitimizes it, such as the consent of the interested party validly provided, necessary when there is no other basis legal of the one mentioned in article 6.1 of the RGPD or the treatment pursues a purpose compatible with the one for which the data was collected, and provided that the treatment does not require, as in this case, a legal authorization. Article 4 of the GDPR defines "consent" in the following terms: “Article 4 Definitions For the purposes of this Regulation, the following shall be understood as: 11. «consent of the interested party»: any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either by means of a declaration or a clear affirmative action, the treatment of personal data that concerns you”. In relation to the provision of consent, the following must be taken into account: established in article 6 of the RGPD, already cited, and in articles 7 of the RGPD and 7 of the LOPDGDD. Article 7 “Conditions for consent” of the RGPD: "one. When the treatment is based on the consent of the interested party, the person in charge must be able to demonstrate that they consented to the processing of their personal data. 2. If the data subject's consent is given in the context of a written statement that also refers to other matters, the request for consent will be presented in such a way clearly distinguishable from other matters, in an intelligible and easily accessible manner and using clear and simple language. No part of the declaration will be binding. constitutes an infringement of this Regulation. 3. The interested party shall have the right to withdraw their consent at any time. The retreat of consent will not affect the legality of the treatment based on the consent prior to his withdrawal. Before giving their consent, the interested party will be informed of it. it will be so easy Withdraw consent as give it. 4. When assessing whether consent has been freely given, it will be taken into account to the greatest C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 37/64 extent possible whether, among other things, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data that are not necessary for the execution of said contract”. Article 6 “Treatment based on the consent of the affected party” of the LOPDGDD: "one. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, consent of the affected party means any manifestation of free will, specific, informed and unequivocal by which it accepts, either through a statement or a clear affirmative action, the treatment of personal data that concerns you. 2. When the data processing is intended to be based on the consent of the affected party for a plurality of purposes it will be necessary to state specifically and unequivocally that said consent is granted for all of them. 3. The execution of the contract may not be subject to the affected party consenting to the treatment of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship”. Consent is understood as a clear affirmative act that reflects a free, specific, informed and unequivocal manifestation of the interested party's accept the treatment of personal data that concerns you, provided with sufficient guarantees to prove that the interested party is aware of the fact that you give your consent and the extent to which you do so. And it must be given to all treatment activities carried out with the same or the same purposes, so that, when the treatment has several purposes, consent must be given for all them in a specific and unequivocal manner, without the execution of the contract that the affected party consents to the processing of their personal data for purposes that are not related to the maintenance, development or control of the business relationship. In this regard, the legality of the treatment requires that the interested party be informed about the purposes for which the data is intended (consent informed). Consent must be given freely. It is understood that consent is free when the interested party does not enjoy true or free choice or cannot deny or withdraw your consent without prejudice; or when you don't know allows separate authorization of the different data processing operations despite being appropriate in the specific case, or when the fulfillment of a contract or provision of service is dependent on consent, even when it not necessary for such compliance. This occurs when consent is included as a non-negotiable part of the general conditions or when imposes the obligation to agree to the use of additional personal data to those strictly necessary. Without these conditions, the provision of consent would not offer the data subject a true control over your personal data and its destination, and this would Illegal treatment activity. The Article 29 Working Group analyzed these issues in its document “Guidelines on consent under Regulation 2016/679”, revised and approved on 04/10/2018; which has been updated by the European Committee for Data Protection on 05/04/2020 through the document “Guidelines 05/2020 on consent in accordance with Regulation 2016/679”. From what is stated in this document, it is now interesting to highlight some aspects related to the validity of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 38/64 consent, specifically on the elements “specific”, “informed” and "unequivocal": “3.2. Specific declaration of will Article 6, paragraph 1, letter a), confirms that the consent of the interested party for the processing of your data must be given "for one or more specific purposes" and that an interested party may choose with respect to each of such purposes. The requirement that consent should be 'specific' is intended to ensure a level of control and transparency for the interested. This requirement has not been changed by the GDPR and remains closely linked to the requirement of “informed” consent. At the same time, it must be interpreted in line with the “dissociation” requirement to obtain “free” consent. In sum, In order to comply with the “specific” character, the data controller must apply: i) specification of the purpose as a guarantee against deviation from use, ii) dissociation in consent requests, and iii) a clear separation between information related to obtaining consent for data processing activities and information relating to other matters. Ad. i): In accordance with article 5, paragraph 1, letter b), of the RGPD, obtaining the Valid consent is always preceded by the determination of a specific, explicit and legitimate for the intended treatment activity. The need for specific consent in combination with the notion of purpose limitation in Article 5, paragraph 1, letter b), works as a guarantee against the gradual expansion or blurring of the purposes for which the data processing is carried out once an interested party has given their Authorization for the initial data collection. This phenomenon, also known as deviation of the use, supposes a risk for the interested parties since it can give rise to a use unforeseen personal data by the data controller or third parties parties and the loss of control by the interested party. If the data controller relies on Article 6(1)(a), the data subjects They must always give their consent for a specific purpose for data processing. In line with the concept of purpose limitation, with Article 5, paragraph 1, letter b), and with recital 32, the consent may cover different operations, provided that these operations have the same purpose. It goes without saying that the specific consent can only be obtained when the interested parties are expressly informed about the purposes provided for the use of data concerning them. Without prejudice to the provisions on the compatibility of purposes, the consent must Be specific for each purpose. The interested parties will give their consent on the understanding that they have control over your data and that these will only be processed for those specific purposes. If a responsible processes data based on consent and, in addition, wishes to process said data for another purpose, you must obtain consent for that other purpose, unless there is another basis law that best reflects the situation... Ad. ii) Consent mechanisms should not only be separated in order to comply the requirement of “free” consent, but must also comply with the requirement of "specific" consent. This means that a data controller seeking the consent for several different purposes, you must facilitate the possibility of opting for each purpose, so that users can give specific consent for specific purposes. Ad. iii) Finally, data controllers must provide, with each data request, separate consent, specific information on the data to be processed for each purpose, in order that the interested parties know the repercussion of the different options that have. In this way, data subjects are allowed to give specific consent. Is issue overlaps with the requirement that controllers provide clear information, as as discussed above in section 3.3”. “3.3. Manifestation of informed will The GDPR reinforces the requirement that consent must be informed. in accordance C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 39/64 with article 5 of the RGPD, the requirement of transparency is one of the principles fundamental, closely related to the principles of loyalty and legality. To ease information to the interested parties before obtaining their consent is essential so that they can make informed decisions, understand what they are authorizing and, for example, exercise your right to withdraw your consent. If the controller does not provide information accessible, user control will be illusory and consent will not constitute a valid basis for data processing. If the requirements for informed consent are not met, the consent is not will be valid and the person in charge may be in breach of article 6 of the RGPD. 3.3.1. Minimum content requirements for consent to be “informed” In order for the consent to be informed, it is necessary to communicate to the interested party certain elements that are crucial to be able to choose. Therefore, the WG29 is of the opinion that it is required, least, the following information to obtain valid consent: i) the identity of the data controller, ii) the purpose of each of the treatment operations for which the authorization is requested. consent, iii) what (type of) data will be collected and used, iv) the existence of the right to withdraw consent, v) information on the use of data for automated decisions in accordance with the article 22, paragraph 2, letter c), when relevant, and vi) information on the possible risks of data transfer due to the absence of a decision of adequacy and adequate guarantees, as described in the article 46”. In the alleged case, there is no evidence of the provision of a valid consent on the part of the autonomous carriers participating in the program "***PROGRAMA.1" that covers the processing of personal data that AMAZON ROAD performs with the criminal record you request. this entity does not even duly inform about this data processing, about its purpose and legal basis or the right to withdraw consent, in accordance with the established in article 13 of the RGPD; nor has it established any mechanism for The interested parties can consent to this collection of personal data through an act separate statement for these specific processing operations; neither him consent can be considered free, by imposing the processing of personal data as a requirement to access the contract. It is significant that AMAZON ROAD, in its brief of arguments regarding the proposal for resolution, has not made a single argument to the contrary on the reasoning developed in this Law Foundation, either in relation to the nature of personal data related to criminal convictions and offenses that must be attributed to the negative background certificate, or to the non-existence of Legal authorization that protects the data processing questioned in the proceedings. Nor does it even mention the reasons given to justify the impossibility of resorting, in this case, to other legal bases that could make it lawful said data processing, such as the legitimate interest or the consent of the interested party validly borrowed. It should be noted that he would have invoked the interest legitimate as a legitimizing basis for the treatment and now, in its pleadings letter to the motion for a resolution, do not make any statement that responds to the previous arguments, which were already included in the proposal prepared by the instructor of the procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 40/64 In said written arguments for the proposal, AMAZON ROAD has limited itself to affirm again, without providing any reasoning, that the certificate of absence of criminal records does not involve the processing of data related to convictions and criminal offenses and to point out in this regard that the Penal Code, the Royal Decree 95/2009 and the Judgment of the National Court of June 20, 2017 do not confirm so be it. However, what is stated by the respondent does not coincide with what is indicated in this resolution and in the proposal. The above indicates that the Penal Code establishes that the annotations in the "Central Registry of Prisoners and Rebels" are not public; that Royal Decree 95/2009 provides for the issuance of certificates on the inscriptions included in the records of support to the Administration of Justice and "Negative certifications regarding people who are not registered in them", that require a query to the same registers in both cases; and about the Judgment cited, it is said that it is inferred that the background certificate negative penalties is also considered a data relative to convictions and infractions criminal, to the extent that it raises what information must be provided by the Central Registry and that must be included in the background certificate penalties. On the other hand, in the aforementioned brief of arguments to the proposed resolution, AMAZON ROAD alleges that there is no unanimous and consolidated criterion on the use of negative criminal record certificates between Member States on the interpretation made by the AEPD. In the pleadings brief at the opening, he already raised this issue in relation to Netherlands, France or Germany, pointing out that in these countries a different interpretation in relation to the provisions of article 10 of the RGPD and allow employers to confirm that a person applying for a job does not have criminal record. In the proposed resolution it was noted that the entity claimed had not contributed no evidence on this allegation or verified if in said countries there is a norm that enables this verification of data and in what cases, as is also the case in our legal system for different areas of employment (among others, lawyers, Lottery administrators and bookmakers, agencies in charge of international adoptions, taxi drivers, some casino employees, public officials, or the same drivers of passenger vehicles and merchandise in the aforementioned cases). Now, in response to what is stated in the proposal, AMAZON ROAD reiterates that the Dutch data protection authority accepts these negative certificates (Verklaring omtrent gedrag or "VOG") and provides excerpts from the Ministry of Justice of that country with information on said document; and from the website of control authority that admits its use when there is a legitimate interest of the employer. In relation to the French case, the claim indicates that the supervisory authority (CNIL) has included information on its website according to which, in the absence of a specific rule that provides for the verification of this type of background, the employer may request a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 41/64 employee to present an abstract of his criminal record during a interview and make a note about this “yes/no” verification, without obtaining a copy of the document, which is equivalent, in his opinion, to the negative certificate obtained by the claimed. And it provides information obtained from the CNIL website. Nothing indicates this time, however, in relation to the position held on the matter by Germany. After analyzing the information obtained from the websites of the Ministry of Justice and the Dutch data protection authority and the CNIL website, considers this Agency that substantially coincides with what is argued in this resolution. In relation to the Netherlands, the respondent entity reaches a conclusion that does not considers some aspects reflected in the information provided by those entities, such as: According to the information available on the website of the Ministry of Justice, the certificate "VOG" issued by said Ministry verifies whether the interested party has committed criminal offenses that represent a risk for the job in question. The employer is informed that this “VOG” certificate is one of the instruments that can be used to assess the reliability of future staff, recommended for positions where trust in the employee is important, although it is noted that this evaluation affects the privacy of the employee and that, therefore, only that evaluation under certain legal conditions, expressly mentioning the RGPD. This information refers to legitimate interest, indicating that such interest must exist and be necessary. And adds in this regard that the employer has the obligation to provide information, not use the data for another purpose and keep the data just for as long as necessary. As for the Dutch data protection authority, it also informs through its website that the evaluation is only allowed under certain conditions legal, being the most important that the employer has a legitimate reason, requiring that the evaluation be necessary, that the applicant or employee, that the data collected is relevant, so that it is not collect more data than necessary, not use it for any other purpose and weigh rights against each other to see whose interest weighs more, that of the employer or that of employees or applicants. But it is also indicated that the "VOG" can be requested for some cases in which that the check is required by law. And that special provisions apply to positions of trust, such as police officers, private security, aviation and others. In relation to the legitimate interest and the meaning of that "necessity" requirement, clarifies that the employer must not be able to achieve his objective with less drastic. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 42/64 It also recommends carrying out an inventory of the risks associated with the functions within your organization to verify whether these risks can be adequately limited. a different way, highlighting that a good organization, with internal controls or distribution of powers, you can ensure that the risks are completely eliminated and not necessitate repeated evaluation of the employee. On the other hand, the need to analyze whether it is appropriate to carry out an evaluation of data protection impact and the possibility of sending a prior consultation to the data protection authority if it cannot find a way to limit the risk. In the French case, its regulations distinguish three types of background certificates penalties, which he calls Bulletin nº 1, 2 and 3 (B1, B2 and B3). The first includes all recorded convictions and decisions, and can only be handed over to authorities judicial and penitentiary establishments; B2 contains felony convictions police, suspended sentences, etc., and can be issued to certain authorities and private bodies for reasons listed exhaustively by law; and the B3 contains only the most serious sentences for crimes or misdemeanors, custodial sentences liberty and certain ongoing disqualifications or disabilities, follow-up measures and prohibitions to carry out an activity that implies contact with minors, which only It can be delivered to the interested party, at his request. The information offered by the CNIL entity on its website distinguishes two cases. For On the other hand, the background check provided for in a regulation for certain “sensitive” functions (bullets B2 and B3); and, on the other, in the absence of a rule that provides background check, the possibility of the employer requesting a candidate or employee an extract of their criminal record (B3) during a interview, without the employer being able to obtain a copy or process the data (only write down the verification in the boxes of the personnel management file the “yes/no” forms). But, contrary to what AMAZON ROAD indicates, it does not mention in the information No legal basis has been provided to support this data processing. This information is completed by pointing out that when the verification is carried out by a authority, the employer does not need to check criminal records. As well occurs in the case at hand, in which the transport sector regulations already contemplates this verification for the cases in which it is necessary in order to issue carrier authorization. In accordance with all the foregoing, the claim made by AMAZON ROAD on the absence of guilt. Consequently, in accordance with the exposed evidence, the aforementioned facts represent a violation of the provisions of article 6 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation grants to the Spanish Data Protection Agency. III C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 43/64 The second aspect of those included in the claim to be analyzed is what makes reference to the legal position that companies occupy in data processing Accurate Fund, Inc. and Amazon Development Center (India) Private Limited. The information available comes from the text of the screenshots of the contract business, from the background check section of the application (provided by the claimant next to the claim) and the responses provided by the claimed in his briefs of 06/30/2020 and 06/07/2021, in response to the transfer and arguments at the opening of the procedure. Clause 4(d) of the contract states that the participant undertakes “to provide complete and accurate answers to all questions related to verifying your professional history and providing a certificate of absence from criminal record and information about your driving license.” And in the clause 13 it is reported that the data of the participants are treated for the execution of the contract and for legal, administrative and management purposes. For its part, in the background check section of the application, which appears configured as a procedure in which the suitability of the participants to determine their admission to participate in the program "*** PROGRAM.1" and carry out the provision of services, reference is made to the entities Accurate Fund, Inc. and Amazon Development Center (India) Private Limited under the following terms: “I understand and consent that Accurate Background is responsible for collecting and treating the information on behalf of Amazon to perform detailed background checks previously". “I understand Amazon Development Center (India) Private Limited, in India, will be able to access to the data you provide to Amazon during this process to support the collection of the information provided by me, and I consent to such access”. From the transcribed texts it is evident that they intervene in the verification process background checks of the commercial companies Accurate Background, Inc. (collection and treatment of information) and Amazon Development Center (India) Private Limited (access to data to support its collection). Now, some confusion results from the fact that background checks is presented as an obligation arising from the contract while on the screen of background check the consent of the participant is requested for this process and for those entities to collect and process your information or give medium. And this confusion increases if we consider the doubts generated by the paragraphs transcribed, indicating that Accurate Background, Inc. collects and processes the information “on behalf of Amazon” and that Amazon Development Center (India) Private Limited may have access to the information to provide “support” to “Amazon”; along with AMAZON ROAD's representations contained in its statement of response of 06/30/2020, according to which those entities hold the nature of treatment managers. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 44/64 This uncertainty about the condition under which the repeated mercantile and the inexistence of any proof that accredited the access on the part of these to the personal data as in charge of the treatment (the claimed did not provide no documentation in this regard with his letter of 06/30/2020), motivated that in the opening agreement of this sanctioning procedure will be qualified to the aforementioned entities as “third parties” in relation to data processing, and determined the imputation of an infraction for the alleged non-compliance with the provisions of the article 7 of the RGPD, in relation to article 6.1.a) of the same legal text. Under this premise, said imputation was based on the fact that the treatment of the personal data of the participants in the program “***PROGRAMA.1” by part of Accurate Fund, Inc. and Amazon Development Center (India) Private Limited required the consent of the data subjects; and that the consent provided in this case did not meet the requirements for it to be considered a valid consent, since it would not be free nor could it be considered informed, in the meaning expressed in article 7 and Recitals 32, 42 and 43 of the RGPD, article 6 of the LOPDGDD and according to the interpretations of the European Committee for the Protection of Data contained in Guidelines 5/2020. However, AMAZON ROAD, with its pleadings brief at the opening of the procedure has provided a copy of the treatment commission contracts signed with Accurate Fund, Inc. and Amazon Development Center (India) Private Limited, in which it is stipulated that these entities will process the data on behalf of AMAZON ROAD and in accordance with its instructions, in order to provide the services. According to these contracts, those entities intervene as responsible for the treatment and, as such, are obliged to notify the person in charge of any instruction that, in your opinion, violates applicable law, any data breach or claim it receives and to provide the responsible party with cooperation and assistance full; as well as to establish the appropriate technical and organizational measures to protect data. It is also expected that the person in charge of the treatment returns to the responsible for all personal data or proceed to its destruction upon completion of the contract, at the choice of the data controller. These are, therefore, companies that provide services to AMAZON ROAD in the initial checks on carriers participating in the program “***PROGRAMA.1”, for which they have signed a treatment order contract. In accordance with this, the aforementioned entities cannot be considered as third parties. and the treatment of the data they carry out does not require the consent of the users. interested. The figures of "responsible for the treatment" and "in charge of the treatment" are defined in article 4 of the RGPD as follows: . “Responsible for the treatment or responsible: the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the ends and means of the treatment; if the law of the Union or of the Member States determines the ends and means of the treatment, the person in charge of the treatment or the specific criteria for their appointment may be established by the Law of the Union or of the Member States”. . “In charge of the treatment or in charge: the natural or legal person, public authority, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 45/64 service or other body that processes personal data on behalf of the person responsible for the treatment". The concepts of controller and processor are not formal, but functional and must attend to the specific case, to the specific activities in a specific context. The data controller is from the moment it decides the purposes and means of treatment, not losing such condition the fact of leaving a certain margin of action to the person in charge of the treatment. This is unquestionably expressed in the Guidelines 07/2020 of the European Committee for Data Protection (CEPD) on the Concepts of data controller and manager in the GDPR: “A data controller is one who determines the purposes and means of processing. treatment, that is, the why and how of the treatment. The data controller must decide on both ends and means. However, some more practical aspects of implementation ("non-essential means") can be left to the person in charge of the treatment. It is not necessary that the person in charge actually has access to the data that is they are trying to qualify themselves as responsible” (the translation is ours). In the present case, it is clear that AMAZON ROAD is responsible for the data processing now analyzed, since, as defined in article 4.7 of the RGPD, is the entity that determines the purpose and means of the treatments made. In its capacity as data controller, it is obliged to comply with the provisions of the transcribed article 24 of the RGPD and, in particular, regarding the control effective and continued implementation of the “appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with this Regulation”, among which are those provided in article 28 of the RGPD in relation to those in charge of the treatments that act in the name and on behalf of of the person in charge. Section 3 of this article 28 establishes the following: "3. The treatment by the person in charge will be governed by a contract or other legal act in accordance with the Law of the Union or of the Member States, which binds the person in charge with respect to the responsible and establishes the object, duration, nature and purpose of the treatment, the type of personal data and categories of interested parties, and the obligations and rights of the responsable. Said contract or legal act shall stipulate, in particular, that the person in charge: a) will process personal data only following documented instructions of the responsible, including with respect to transfers of personal data to a third country or an international organisation, unless required to do so under Union law or of the Member States that applies to the person in charge; in such a case, the person in charge will inform the responsible for that legal requirement prior to treatment, unless such Law prohibits it by important reasons of public interest; b) will guarantee that the persons authorized to process personal data have committed to respecting confidentiality or are subject to an obligation of confidentiality of a statutory nature; c) take all necessary measures in accordance with article 32; d) will respect the conditions indicated in sections 2 and 4 to resort to another person in charge of the treatment; e) will assist the person in charge, taking into account the nature of the treatment, through measures appropriate technical and organizational measures, whenever possible, so that it can comply with their obligation to respond to requests that have as their object the exercise of rights of the interested parties established in chapter III; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 46/64 f) will help the person in charge to guarantee the fulfillment of the obligations established in the articles 32 to 36, taking into account the nature of the treatment and the information to disposal of the manager; g) at the choice of the person in charge, will delete or return all personal data once ends the provision of treatment services, and will delete existing copies unless that the conservation of personal data is required by virtue of the Law of the Union or of the member states; h) will make available to the person in charge all the information necessary to demonstrate the compliance with the obligations established in this article, as well as to allow and contribute to the performance of audits, including inspections, by the person in charge or another auditor authorized by said person in charge. In relation to the provisions of letter h) of the first paragraph, the person in charge will inform immediately to the controller if, in his opinion, an instruction violates this Regulation or other provisions on data protection of the Union or of the Member states". It is AMAZON ROAD, as responsible, which can decide to carry out by itself certain treatment operations or contract all or part of the treatment with a manager. The essence of the function of the person in charge of the treatment is that the personal data are processed in the name and on behalf of the data controller. In practice, it is the person in charge who determines the purpose and the means, at least the essential ones, while the person in charge of the treatment has the function of providing services to the responsible for the treatment. In other words, “acting in the name and on behalf of of the data controller” means that the data controller is at the servicing the interest of the controller in carrying out a task and that, therefore, follows the instructions established by it, at least in what refers to the purpose and the essential means of the entrusted treatment. The person in charge of the treatment is the one who has the obligation to guarantee the application of the data protection regulations and the protection of the rights of the interested, as well as being able to demonstrate it (articles 5.2, 24, 28 and 32 of the RGPD). The control of compliance with the law extends throughout the treatment, From the beginning to the end. The data controller must act, in in any case, in a diligent, conscious, committed and active manner. This mandate of the legislator is independent of whether the treatment is carried out directly the person in charge of the treatment or that it is carried out using a treatment manager. In addition, the treatment carried out materially by a treatment manager for account of the person in charge of the treatment belongs to the sphere of action of this last, in the same way as if he did it directly himself. The person in charge of treatment, in the case examined, is an extension of the person responsible for the treatment. In light of the principle of proactive responsibility (art 5.2 RGPD), the person in charge of the treatment must be able to demonstrate that it has taken into account all the elements provided for in the GDPR. Before outsourcing a treatment and in order to avoid possible violations of the rights and freedoms of those affected, the person responsible for the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 47/64 treatment must enter into a contract, other legal act or a binding agreement with the another entity that establishes clear and precise obligations regarding the protection of data. The person in charge of the treatment can only carry out treatments on the instructions documentation of the controller, unless required to do so by law of the Union or of a Member State, which is not the case. In this regard, article 29 of the RGPD refers to the “Processing under the authority of the person in charge or the person in charge of treatment” in the following terms: “The person in charge of the treatment and any person acting under the authority of the person in charge or the person in charge and has access to personal data may only process said data following instructions of the person in charge, unless they are obliged to do so under the Law of the Union or of the Member States. The person in charge of the treatment also has the obligation to collaborate with the responsible for guaranteeing the rights of the interested parties and fulfilling the obligations of the person in charge of the treatment in accordance with the provisions of the aforementioned article 28 of the GDPR (and related). Therefore, the data controller must establish clear modalities for said assistance and give precise instructions to the person in charge of the treatment on how comply with them adequately and previously document it through a contract or or in another (binding) agreement and check at all times of the development of the contract its fulfillment in the manner established therein. In the present case, the intervening entities have formalized the corresponding treatment contract, which includes the provisions of article 28 of the RGPD, and have arranged the technical and organizational measures that must be applied and maintain the entity in charge of the treatment. It is concluded, therefore, that the facts that determined the opening of the sanctioning procedure, in relation to the access and treatment of data by part of Accurate Fund, Inc. and Amazon Development Center (India) Private Limited, are not constitutive of an infringement of the provisions of article 7 of the RGPD, in relation to article 6.1.a) of the same Regulation. IV The RGPD, as a common standard and directly applicable to the Member States of the European Union, establishes a system of protection in those cases in which that the international transfer of personal data covered by your regulation. The purpose of this system is to guarantee that the protection granted by the community standard is not diminished by the export of said data to countries outside the European Union. The general principle of this protection system, established in article 44 of the RGPD, is that the data can only be exported if, on the one hand, the treatment object of the transfer is lawful and complies with the provisions of the RGPD and, on the other, if it complies with the conditions established in Chapter V of the same C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 48/64 legal text (articles 44 to 50). Article 45 of the RGPD establishes, as a main rule, that a transfer of personal data if the country, territory or international organization addressee guarantees an adequate level of protection recognized by a decision of adequacy dictated by the European Commission. In the absence of said adequacy decision, article 46 of the RGPD authorizes carry out transfers if the person in charge or the person in charge had offered guarantees adequate. These adequate guarantees, which can materialize through a series of instruments referred to in the same article, are subdivided in turn into two groups: those to which the RGPD itself grants the nature of adequate guarantee by themselves, and those who will additionally need the authorization of the competent control authority. The following scenario contemplated by the RGPD, in the absence of a decision to adequacy and adequate safeguards (including binding corporate rules) is to allow transfers to be made if any of the conditions stated in article 49.1. of the RGPD, which establishes the following: "one. In the absence of an adequacy decision in accordance with Article 45(3), or adequate guarantees in accordance with article 46, including corporate rules binding, a transfer or set of transfers of personal data to a third party country or international organization will only be carried out if any of the following conditions: a) the data subject has explicitly consented to the proposed transfer, after have been informed of the possible risks to him of such transfers due to the absence of an adequacy decision and adequate guarantees; b) the transfer is necessary for the execution of a contract between the interested party and the responsible for the treatment or for the execution of pre-contractual measures adopted to request of the interested party; c) the transfer is necessary for the conclusion or execution of a contract, in the interest of the interested party, between the data controller and another natural or legal person; d) the transfer is necessary for important reasons of public interest; e) the transfer is necessary for the formulation, exercise or defense of claims; f) the transfer is necessary to protect the vital interests of the interested party or of other persons, when the interested party is physically or legally incapable of giving his consent; g) the transfer is made from a public registry which, in accordance with Union Law or of the Member States, is intended to provide information to the public and is open to consultation of the general public or of any person who can prove a legitimate interest, but only to the extent that, in each particular case, the conditions that establishes the Law of the Union or of the Member States for consultation. When a transfer cannot be based on the provisions of articles 45 or 46, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 49/64 including the provisions on binding corporate rules, and no applicable of the exceptions for specific situations referred to in the first paragraph of the this section, it can only be carried out if it is not repetitive, affects only a number limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the person in charge of the treatment over which the interests or rights do not prevail and freedoms of the data subject, and the data controller assessed all the circumstances concurrent in the transfer of data and, based on this evaluation, offered guarantees appropriate with respect to the protection of personal data. The data controller will inform the control authority of the transfer. In addition to the information they do reference to articles 13 and 14, the data controller shall inform the interested party of the transfer and the compelling legitimate interests pursued. In this case, as already stated in Basis of Law III, the prior process background check requests the consent of the interested parties for the communication of data to the merchants Accurate Background, Inc. and Amazon Development Center (India) Private Limited. When these companies are located in the United States and India, respectively, there would be a transfer international data collection for whose execution it would be necessary to comply with the requirements that around this figure establishes the RGPD. In addition, the service contract that AMAZON ROAD and the participants in the program “***PROGRAMA.1” sign, in its clause 13(b), refers to the issue of international transfers as follows: “You consent to Amazon and any Related Entities (as such term is defined below) carries out the transfer of “personal data personal” (in the sense provided for in the General Data Protection Regulation – Regulation (EU) 2016/679 and Organic Law 15/1999, of December 13, on the Protection of Personal Data relating to you to any Related Entity located outside the European Economic Area (the “EEA”) to promote the legitimate interests of Amazon and/or any Related Entity […] “Related Entity” is understood as the “holding company” of Amazon, any “affiliated company” or an affiliate of its holding company.” From this it seems to be inferred, in principle, that the entity claimed intends to base the international transfer of personal data on the figure of the consent of the interested party, which article 49.1.a) of the RGPD configures as a of the conditions that, exceptionally, allow transfers to be made in the absence of an adequacy decision and adequate guarantees. Now, for this circumstance to occur, this consent must not only comply with the general requirements that the RGPD imposes in relation to the consent (free, informed, specific and unequivocal), but would also have to be granted explicitly and the information to be provided in advance should refer to the risks for the interested party about the realization of an international transfer in the absence of adequacy decision and guarantees adequate. The additional requirement that consent in this circumstance be formality of being explicit is equivalent, in accordance with Guidelines 5/2020 of the Committee European Data Protection, to make an express declaration of the consent. The most obvious way would be to make a written declaration, although in the digital or online environment forms can be enabled that could C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 50/64 valid explicit consent, such as filling out an electronic form or use the electronic signature. Likewise, in the case of web pages, this explicit consent could be collected by inserting some boxes with the options to accept and not accept together with a text referring to consent that is clear to the interested party, provided that appropriate security measures are adopted for the environment in which which consent is given. In this case, taking into account what has been stated about the requirements that the consent, in the agreement to open the procedure an analysis of the clauses of the contract in reference to international transfers (clause 13.b), resulting in the requested consent not being in accordance with the provisions of the RGPD, taking into account the indefinite information provided to the interested parties and that only the final acceptance of the clauses of the contract is enabled. For this reason, said opening agreement contains an imputation for infraction of what is established in article 49.1 of the RGPD, typified in article 83.5 of the same norm. Subsequently, on the occasion of the processing of allegations at the opening, AMAZON ROAD has stated that the international transfers it makes to companies in the group or its suppliers located outside the EEA are not based on the consent of the interested party and comply with the guarantees required by the RGPD. And it points out in this regard that it has signed with each entity the corresponding standard contractual clauses approved by the European Commission through Decision 2010/87/UE, of February 5, 2010, relative to the standard contractual clauses for the transfer of personal data to those in charge of the treatment established in third countries, in accordance with Directive 95/46/CE, which constitute a of the guarantees that can be offered by data controllers in accordance with the provisions of article 46 of the RGPD. In addition, it has proven that Accurate Background Inc, since 08/11/2016, was a Entity adhered to the EU-US Privacy Shield. With the allegations to the opening, it has provided the commission contracts of the treatment, the standard clauses signed and the measures that must be applied. sayings standard contractual clauses correspond to those approved by the Commission European through Decision 2010/87/EU. As stated above, article 46 of the RGPD admits that they may international transfers, without requiring any authorization of a control authority, when the person in charge or the person in charge offers adequate guarantees. This article establishes the following: “Article 46. Transfers through adequate guarantees 1. In the absence of a decision pursuant to Article 45(3), the controller or processor treatment may only transmit personal data to a third country or international organization if it had offered adequate guarantees and provided that the interested parties have enforceable rights and effective legal actions. 2. Adequate guarantees in accordance with paragraph 1 may be provided, without requires no express authorization from a control authority, by: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 51/64 […] d) standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the review procedure referred to in Article 93, section 2; [...]”. This would be the case of transfers covered by the guarantees provided for contracts based on the standard contractual clauses of the Decision 2010/87/EU, such as those signed by AMAZON ROAD, which remain in force. The Execution Decision (EU) 2021/914, of the Commission, of June 4, 2021, which approves the new standard contractual clauses for the transfer of data data to third countries in accordance with the RGPD, establishes a period of transitory validity for contracts concluded within the framework of decision 2010/87/EU until 09/27/2022 (this decision is repealed with effect from 09/27/2021, but contracts concluded before this date are considered to offer guarantees adequate in the sense of article 46.1 of the RGPD until 09/27/2022, provided that the treatment operations that are the object of the contract remain unchanged and that the standard contractual clauses guarantee that the transfer of data is subject to adequate guarantees - Article 4 of the Execution Decision (EU) 2021/914). Consequently, in accordance with the foregoing, international transfers object of the actions do not require the interested party to give their consent, since that this consent only operates, according to article 49.1.a) of the RGPD, as a exception that would enable to carry out this transfer in the absence of a decision specific adequacy and adequate guarantees in accordance with article 46 of the same regulation. It is appropriate to conclude, therefore, that the facts that determined the opening of the sanctioning procedure, in relation to international transfers that AMAZON carries out within the framework of the “***PROGRAMA.1” program, they are not constituting an infringement of the provisions of article 49.1 of the RGPD. v In the event that there is an infringement of the provisions of the RGPD, between the corrective powers available to the Spanish Data Protection Agency, as a control authority, article 58.2 of said Regulation contemplates the following: “2 Each control authority will have all the following corrective powers indicated below: continuation: (…) b) sanction any person responsible or in charge of the treatment with a warning when the treatment operations have violated the provisions of this Regulation;” (...) d) order the person responsible or in charge of the treatment that the treatment operations be comply with the provisions of this Regulation, where appropriate, of a given C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 52/64 manner and within a specified time; (…) i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;". According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine. SAW The exposed facts do not comply with the provisions of article 6.1 of the RGPD, in relation to article 10 of the same law, as well as article 10 of the LOPDGDD, in relation to the processing of personal data related to convictions and criminal offences, which supposes the commission of an infraction typified in the article 83.5 of the RGPD and in article 71 of the LOPDGDD. Article 83 of the RGPD, under the heading "General conditions for the imposition of administrative fines” provides the following: "5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent to tenor of articles 5, 6, 7 and 9”. Likewise, article 71 of the LOPDGDD states that "Infractions are those acts and conduct referred to in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679, as well as those that are contrary to this law organic.” For its part, article 72.1 of the LOPDGDD considers as "very serious", for the purposes of of the limitation period for infractions: "one. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679. […] f) The processing of personal data related to convictions and criminal offenses or measures of related security outside the cases allowed by article 10 of the Regulation (EU) 2016/679 and in article 10 of this organic law. [...]”. In order to determine the administrative fine to be imposed, the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 53/64 provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate: "one. Each control authority will guarantee that the imposition of administrative fines with in accordance with this article for the infringements of this Regulation indicated in the sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each case individually, in addition to or as a substitute for the measures referred to in article 58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount In each individual case, due account shall be taken of: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the treatment operation in question as well as the number of affected parties and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the data controller or processor, taking into account of the technical or organizational measures that they have applied by virtue of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular if the The person responsible or the person in charge notified the infringement and, if so, to what extent; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or certification mechanisms approved under article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infraction”. For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD has: "one. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in the section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, also may be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of data processing personal. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the crime. infringement. e) The existence of a merger by absorption process subsequent to the commission of the infraction, that cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection delegate. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party”. 28001 – Madrid 6 sedeagpd.gob.es, 54/64 In this case, considering the seriousness of the infringement found, the imposition of a fine and, where appropriate, the adoption of measures. In this regard, the fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. In accordance with the precepts indicated, in order to set the amount of the penalties to impose in the present case, it is considered appropriate to graduate the fines of according to the following criteria: 1. Infringement of article 6.1 of the RGPD in relation to article 10 of the same standard, as well as article 10 of the LOPDGDD, typified in article 83.5.a) and in the Article 71 of the LOPDGDD, and classified as very serious for the purposes of prescription in Article 72.1 of the LOPDGDD: The following graduation criteria are considered concurrent as aggravating: . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the operation of treatment in question as well as the number of interested parties affected and the level of damages they have suffered. . The nature and seriousness of the infringement, taking into account the nature of the personal information to which the offending conduct refers. . The duration of the infringement, considering the period during which AMAZON ROAD required carriers to provide a certificate of absence of criminal record. In addition, the infraction that is sanctioned has the character of an infraction permanent, considering that its effects are maintained over time beyond the initial act and throughout the duration of the offending conduct. With the collection and preservation of the certificate of absence of criminal records penalties creates an unlawful state that lasts over time, whose cessation depends on who commits the infraction. On this concept, Judgment of 05/27/2006, the TS has declared that "they constitute infractions those unlawful conducts that persist over time and do not are exhausted with a single act, determining the maintenance of the situation unlawful at the will of the author, case of development at the time of activities without the required authorizations and other similar assumptions. In relation to this graduation factor, the respondent has argued that the negative certificates were kept for 90 days to carry out the verification, so currently and since May 2020 (three months after suspending the collection of these certificates in March 2020), does not have any data of this type. As proof, it provides a “certification” of Accurate Background, of 01/19/2022, in which it declares that any data relative to the candidates of the program “***PROGRAMA.1” is eliminated at 90 days, according to the instructions of the Amazon account. So understand that entity that the infringement cannot be classified as permanent. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 55/64 However, these circumstances do not conform to the findings made manifested in the proceedings, nor had they been manifested by AMAZON ROAD previously. The only instructions given by that entity to Accurate Background on the treatment of the data are those that consist in the treatment contract, which, in terms of the conservation of the data, stipulate that the person in charge of the treatment return all the personal data to the person in charge or proceed to its destruction at the termination of the contract, at the choice of the person responsible for the treatment, and that the personal data will be treated by the person in charge of the treatment during the term of the services. In addition, as it was a requirement that conditioned the hiring, since the claimant knows that carriers adhering to the program “***PROGRAMA.1” do not have a criminal record. In any case, the infraction would not lose its permanent character, in the extent to which it has been occurring since AMAZON ROAD received the “transport operator business” and succeeded Amazon Spain Fulfillment, S.L.U. in all legal relationships affected by said business, after the split that took place on 06/28/2019. . The number of interested parties: the treatment operations that incur the indicated infraction derive from a general procedure established by the claimed that affects all applicants to participate in the program “***PROGRAMA.1”, with respect to which the certificate of criminal record. The respondent has stated that the processing of data related to the negative criminal record certificates only affected 16.76% of all registered last-mile drivers in Spain, at represent the program “***PROGRAM.1” a small proportion of the transport providers that deliver in Spain (they have never exceeded 5%). However, it does not provide any evidence in this regard or detail how much are those affected that are included in such percentages. In the allegations to the proposal, the respondent insists on the figures indicated, but without providing any evidence and without specifying the number of affected that supposedly represent these percentages, despite the fact that this lack of justification and detail was already evident in the proposal for resolution. . The level of damages suffered by the interested parties, to the extent that the processing of data relating to criminal records has conditioned their hiring options and has increased the risks about your privacy. Regarding this aggravating factor, AMAZON ROAD points out that requiring the negative criminal record certification has not harmed the participants in the program because it contracted with all the carriers that they had that document, which implies, on the contrary, that he did not hire C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 56/64 those who did not have such a document when they applied for the job; Likewise, it does not consider possible interested parties who could choose not to attend the program for this reason. Nothing alleges, however, about the intrusion into the privacy of the interested parties and the risks that this certificate represents for it. . Article 83.2.b) of the RGPD: "b) the intention or negligence in the infringement". The negligence found in the commission of the offence, taking into account that the requirements demanded by the claimed entity to the carriers go beyond of what is required by the regulations governing the transport of goods. This circumstance, in addition to the meanings in the previous section, highlight manifest the negligent action of AMAZON ROAD. In this regard, one has taking into account what was declared in the Judgment of the National High Court of 10/17/2007 (rec. 63/2006) that, based on the fact that these are entities whose activity has coupled with continuous data processing, indicates that “…the Supreme Court has come to understand that recklessness exists whenever a duty is neglected legal care, that is, when the offender does not behave with due diligence required. And in assessing the degree of diligence, it must be weighed especially the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of personal data, it must be insisted on the rigor and exquisite care to adjust to the legal precautions in this regard”. It is a company that processes personal data in a systematic and continuous and that it must take extreme care in the fulfillment of its data protection obligations. AMAZON ROAD questions the negligence appreciated in the commission of the infraction and considers, even, that his action cannot be branded as reckless or irresponsible, but diligent and worthy of being valued as a mitigating factor, having accommodated his behavior to the interpretation of the data protection regulations arising from the Agency itself and from the courts of Justice. According to said entity, it began to require certificates of absence of criminal record before the Agency had a clear criterion, consolidated, express and public in this regard, which, moreover, does not coincide with that of other data protection authorities; and before it was issued Judgment of the National Court of February 10, 2020; having ceased in this collection of the certificate as soon as it became aware of the existence of a criterion Contrary to the interpretation that, in good faith, it understood appropriate to the activities that were going to take place. Likewise, it alleges in this regard that there were resolutions of the Agency itself that endorsed the interpretation that Amazon Road made of article 10 of the RGPD; made a telephone inquiry to the Ministry of Justice which, informally, endorsed said proposal; that the literal interpretation of article 10 of the RGPD and 10 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 57/64 of the LOPDGDD suggested that these articles do not refer to any data related to criminal records, but data related to convictions and criminal offenses; that this interpretation is supported by other jurisdictions; and it was in accordance with the previous regulations on data protection; and what in March 2020 suspended the treatment of such negative certificates. AMAZON ROAD's claim cannot be accepted. Understand this Agency that the diligence must be deduced from conclusive facts, which duly accredited and directly related to the elements that constitute the infraction in the current regulations, in such a way that it can be deduced that it has occurred despite all the means provided by the responsible to avoid it. In this case, this Agency does not understand that the arguments defended by the claimed entity have that character. Said entity does not explain how it can be accepted that its conduct has been diligent for being adjusted to a regulation that is not in force, in the event that it were so, that it is not. In the foundations of this resolution it has already been explained that the Previous regulations already contemplated the prohibition of processing personal data relating to criminal offences, with express reference to Directive 95/46/EC and to Convention No. 108 of the Council of Europe. The repealed Organic Law 15/1999, of December 13, on the protection of personal data, in its article 7.5, established that these data could only be recorded in records of the Competent Public Administrations. Nor does AMAZON ROAD explain what other jurisdictions have endorsed its “interpretation” of the applicable norms. It is even less acceptable to defend that diligence on the basis of a supposed consultation that the respondent entity itself qualifies as "informal". Facing it, The RGPD has provided for a mechanism such as "prior consultation" so that the Those responsible can consult the supervisory authority before carrying out a high-risk data processing. It is confirmed, on the other hand, that the suspension in the collection of the criminal record certificates was adopted in March on a temporary basis, but for reasons other than those stated. This decision was made by the state of alarm situation and the difficulty of obtaining repeated certificates during this period. Nothing is said, on the other hand, about the previous analyzes carried out to determine the feasibility of data processing and its legal basis; nothing about the risks entails and the impact assessments carried out; and not about the weighting of interests at stake that requires data processing based on in the legitimate interest of the controller. AMAZON ROAD has generally sought to reduce the issue raised, also in relation to diligence, to an interpretive question of the norm, but omitting substantial aspects of it that would also determine the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 58/64 unlawfulness of the processing of personal data, even if the "interpretation" of the claimed. It does not deny that personal data is processed, but it omits that the The processing of these data requires in any case a legal basis and omits also all the arguments that are exposed in this respect in the Legal foundations of this act. According to these arguments, sufficiently developed, which have been completely ignored by AMAZON ROAD, it cannot be concluded that the actions of this entity have been diligent. . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the data processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32”. The imputed entity does not have adequate procedures in place for performance in the collection and processing of personal data, in what refers to the collection and processing of personal data of carriers applicants to participate in the program "***PROGRAMA.1", so that the infringement is not the consequence of an anomaly in the functioning of said procedures but a defect in the personal data management system designed by the person in charge. Said procedure was adopted by the respondent to own initiative establishing requirements that exceeded the forecasts applicable regulations. In the opinion of AMAZON ROAD, the infringement results from an interpretation of the standard and has nothing to do with the personal data management system designed by the same, and adds that in his previous writings he exposed the technical and organizational measures implemented. However, what is here values has to do, as has been well expressed above, with the decision adopted by the claimed entity itself, within its scope of responsibility, include the collection of the criminal record certificates in question between the documentation that a participant in “***PROGRAMA.1” had to provide. The infringement responds, therefore, to a procedural decision and not to a point anomaly. As has been said, that decision is taken beyond what required by the regulatory framework that regulates the activity of contractors. . Article 83.2.g) of the RGPD: “g) the categories of personal data affected by the infringement. Personal data related to convictions and criminal offences, a category especially deserving of guarantees. AMAZON ROAD alleges that the data processing related to the negative criminal record certificates cannot be compared with the processing of data on convictions and criminal offenses. In this regard, we we refer to what is expressed in the Law Foundations of this act. . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender with the processing of personal data”. The high link between the activity of the offender and the performance of treatment C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 59/64 of personal data, considering the level of implementation of the entity and the activity that it develops, in which the personal data of thousands of of interested parties, whether they are clients receiving the shipment, employees or self-employed contractors. This circumstance determines a higher degree of demand and professionalism and, consequently, of responsibility of the entity claimed in relation to the processing of the data. The respondent points out in this regard that her activity is related to the logistics, as a transport operator, and not with the exploitation of databases. However, this fact does not contradict the circumstances considered in the previous paragraph, which entail the requirement of a high degree of professionalism in the treatment of personal data. The same can be said, specifically, in relation to data processing in the workplace, considering the number of employees available and professionals who serve you. Nothing to do with the precedent that he cites in his allegations, referring to a company with a single client, compared to the thousands served by AMAZON ROAD. . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement”. AMAZON ROAD's status as a large company and volume of business. consists in the actions that said entity has the status of (...). AMAZON ROAD requests that this aggravating circumstance be assessed based on the figures for the 2019 financial year, lower than those offered in 2020, but it does not consider said entity that the period of development of operations in 2019 is less than six months, counted from the date you received from Amazon Spain Fulfillment, S.L.U. the transport operator business. Extrapolating the 2019 figures to a period of one year, the differences with 2020 are not significant. Considering the exposed factors, the valuation reached by the fine, for the Violation of article 6.1 of the RGPD in relation to article 10 of the same rule, as well as article 10 of the LOPDGDD, is 2,000,000 euros (two million euros). None of the considered graduation factors is attenuated by the fact that that the claimed entity has not been subject to a sanctioning procedure with previously, a circumstance that has been alleged by the claimed entity so that be considered a mitigating factor. In this regard, the AN Judgment of 05/05/2021, rec. 1437/2020, indicates: “Considers, on the other hand, that the non-commission of a crime should be considered as mitigating previous offense. Well, article 83.2 of the RGPD establishes that it must be taken into account for the imposition of the administrative fine, among others, the circumstance "e) any infraction committed by the person in charge or the person in charge of the treatment". This is a aggravating circumstance, the fact that the budget for its application does not concur C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 60/64 entails that it cannot be taken into consideration, but does not imply or allow, as intended the plaintiff, its application as a mitigating factor.” According to the aforementioned article 83.2 of the RGPD, when deciding to impose a fine administrative and its amount must take into account "all previous infractions committed by the person responsible”. It is a normative provision that does not include the inexistence of previous infractions as a grading factor of the fine, which must be understood as a criterion close to recidivism, although broader. The same can be said regarding the absence of benefits also alleged as mitigation by the entity claimed. On this criterion, article 76.2 of the LOPDGDD, in its letter c), includes among the criteria that must be weighed when set the amount of the sanction "the benefits obtained as a result of the commission of the infraction” and not the absence of these benefits. The same sentence of the aforementioned National Court, of 05/05/2021, refers to the need for the "budget" in fact contemplated in the norm so that a certain graduation criterion, and, as has been said, the absence of benefits does not is among the circumstances regulated in the cited article. This graduation criterion is established in the LOPDGDD in accordance with the provisions in article 83.2.k) of the RGPD, according to which administrative fines will be imposed taking into account any “aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infraction”, it being understood that avoiding a loss has the same nature for these purposes as a gain. If we add to this that the sanctions must be effective "in each individual case", proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD, admitting the absence of benefits as a mitigating factor is not only contrary to the presuppositions of facts contemplated in article 76.2.c), but also contrary to what is established in article 83.2.k) of the RGPD and the indicated principles. Thus, assessing the absence of benefits as a mitigating factor would nullify the effect dissuasive of the fine, to the extent that it reduces the effect of the circumstances that effectively affect its quantification, reporting to the person in charge a benefit to the that has not been deserved. It would be an artificial reduction of the sanction that can lead to understand that violating the norm without obtaining benefits, financial or of the type Whatever it may be, it will not produce a negative effect proportional to the seriousness of the act offender. In any case, the administrative fines established in the RGPD, in accordance with the established in its article 83.2, are imposed based on the circumstances of each individual case and, at present, the absence of benefits is not considered to be a adequate and decisive grading factor to assess the seriousness of the behavior offending Only in the event that this absence of benefits is relevant to determine the degree of unlawfulness and culpability present in the specific infringing action may be considered as a mitigating action, in application of article 83.2.k) of the RGPD, which refers to “any other aggravating or mitigating factor applicable to the circumstances of the case. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 61/64 Regarding the fact that the defendant has not been sanctioned previously, in its latest allegations, cites three precedents in which this Agency has considered this circumstance as an extenuating circumstance. One of these precedents is also invoked to request that the non-obtaining of any benefit by the claimed facts. In this regard, the provisions of article 35.1.c) of Law 39/2015 are considered, of October 1, of the Common Administrative Procedure of the Administrations Public, according to which an administrative act can be separated from the criteria followed in preceding actions, provided that said decision is properly motivated On the other hand, in order for it to be considered a mitigating circumstance, the respondent has stated that the processing of data object of the claim was suspended in March 2020 and has not been resumed. On this matter, you should It should be noted that the aforementioned entity has not provided any evidence; that said decision confirmed, it would have been adopted with the prior intervention of the AEPD and for reasons of the claim that has motivated the actions; and that is insufficient for “to remedy the infringement and mitigate the possible adverse effects of the infringement”, according to the terms of article 83.2.f) of the RGPD, or “to mitigate the damages suffered by the interested parties”, according to section 2.c) of the same article. Can not be understood as mitigating, in no case, the cessation of the offending behavior of the legal system. Mitigate adverse effects or mitigate damages caused imply actions greater than the mere cessation of the conduct, to the effects of restoring, to the extent possible, the rights of the interested parties. AMAZON ROAD insists on this fact in the written arguments for the proposal, clarifying that this decision was motivated by the circumstances of the moment, in express reference to the pandemic situation, and that this was communicated to users of the program “***PROGRAMA.1” by email in March 2020. It also points out that said temporary suspension became definitive after know the Judgment of 02/10/2020, issued by the Social Chamber of the High Court Nacional, without specifying when that decision was made; and that all this happened before the opening of the sanctioning procedure. Provides a copy of the mail supposedly sent to the carriers in March, but no proof of its effective shipment. In any case, it should be noted that, according to expressed in the text of the email provided, the temporary suspension of the collection of the criminal record certificate is adopted due to the impossibility of obtaining it due to to the state of alarm. In this same email, the recipients are summoned to provide the criminal record certificate within 60 days (“However, you must upload this document within 60 days from the end of the registration in ***PROGRAM.1. If after this period you have not uploaded the document, you will no longer be eligible to participate in the program ***PROGRAM.1”). It should also be noted that AMAZON ROAD, in the response letter to the transfer of the claim, dated 06/30/2020, still qualified that suspension as temporary. Then, the decision not to collect those certificates is made once known the claim through this Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 62/64 7th The infraction committed may lead to the imposition of the person responsible for the adoption of appropriate measures to adjust their actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, according to the which each control authority may “order the person in charge or in charge of the treatment that the treatment operations comply with the provisions of the this Regulation, where appropriate, in a certain way and within a specified period […]”. Thus, it is appropriate to require the responsible entity so that, within the period indicated in the operative part, adapt to the personal data protection regulations the treatment operations that it carries out and the information that it provides to the interested parties, with the scope expressed in the Legal Basis of this agreement. Specifically, it is appropriate to require AMAZON ROAD to cease the conduct offender, regarding the requirement of a certificate of absence of criminal record penalties for applicants in the program “***PROGRAMA.1”; correct the effects of the infraction that had been committed, which entails the suppression of all the information regarding said certificates that could have been provided by the contracted or would-be carriers; and the necessary adaptation is carried out, in this case, to the requirements contemplated in articles 6.1 of the RGPD, in relation to with article 10 of the same norm, and article 10 of the LOPDGDD. The entity claimed affirms that it does not collect the negative certificates of the participants in the program “***PROGRAMA.1” since March 2020 and that neither keeps said certificates, alleging that they were only kept for 60 days from the background check. However, he has not provided any documentation in this regard that proves that you have actually adopted these measures, having eliminated this requirement in the selection processes that follow nowadays. Thus, it does not appear in the proceedings that he has rectified the information regarding these processes or the registration process in your mobile application, the contract that is signed with the interested parties, etc. Regarding the elimination of criminal record certificates after 90 days, it has already been has previously said that this supposed elimination does not conform to the stipulations that appear in the contracts signed by AMAZON ROAD with the in charge of the treatment, who is entrusted with the function of collecting and analyzing the documentation of applicants to the program “***PROGRAMA.1”. Not included or provided accredited that AMAZON ROAD has modified its initial instructions to respect. On the other hand, said entity must make the appropriate clarifications in the information on the protection of personal data that it provides to users stakeholders, in relation to the nature attributed to the intervention in the data processing by Accurate Background, Inc. and Amazon Development Center (India) Private Limited and on the circumstances serving as based on international data transfers. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 63/64 AMAZON ROAD must also provide the means of proof of compliance of what is required. In this regard, it is noted that failure to comply with the requirements of this organism can be considered as a serious administrative infraction to “not cooperate with the Control Authority” in the face of such requirements, and may be assessed such conduct at the time of opening an administrative sanctioning procedure with a pecuniary fine. Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE the entity AMAZON ROAD TRANSPORT SPAIN, S.L., with CIF B88405303, for an infringement of article 6.1 of the RGPD, in relation to the article 10 of the RGPD and article 10 of the LOPDGDD, typified in article 83.5 of the RGPD and in article 71 of the LOPDGDD, and qualified as very serious for the purposes of prescription in article 72.1 of the LOPDGDD, a fine of 2,000,000 euros (Two millions of euros). SECOND: DECLARE the non-existence of infractions in relation to the imputation to the entity AMAZON ROAD TRANSPORT SPAIN, S.L. of a possible violation of what is established in articles 7 and 49.1 of the RGPD. THIRD: REQUEST the entity AMAZON ROAD TRANSPORT SPAIN, S.L., to that, within a period of one month, counted from the notification of this resolution, adapt to the personal data protection regulations the operations of treatment that it carries out and the information that it facilitates to the interested parties, with the scope expressed in Legal Basis VII of this resolution. Within the specified period, AMAZON ROAD TRANSPORT SPAIN, S.L. must justify before this Agency Spanish Data Protection the attention of this requirement. FOURTH: NOTIFY this resolution to the entity AMAZON ROAD TRANSPORT SPAIN, S.L. FIFTH: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 64/64 voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. In accordance with the provisions of article 76.4 of the LOPDGDD and given that the amount of the sanction imposed is greater than one million euros, it will be subject to publication in the Official State Gazette of the information that identifies the offender, the offense committed and the amount of the penalty. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-231221 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es