AEPD (Spain) - PS/00267/2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...") |
No edit summary |
||
(16 intermediate revisions by 4 users not shown) | |||
Line 34: | Line 34: | ||
|GDPR_Article_3=Article 15 GDPR | |GDPR_Article_3=Article 15 GDPR | ||
|GDPR_Article_Link_3=Article 15 GDPR | |GDPR_Article_Link_3=Article 15 GDPR | ||
|GDPR_Article_4= | |GDPR_Article_4=Article 83(2)(e) GDPR | ||
|GDPR_Article_Link_4= | |GDPR_Article_Link_4=Article 83 GDPR#2e | ||
|GDPR_Article_5= | |GDPR_Article_5= | ||
|GDPR_Article_Link_5= | |GDPR_Article_Link_5= | ||
Line 44: | Line 44: | ||
|EU_Law_Link_2= | |EU_Law_Link_2= | ||
|National_Law_Name_1= | |National_Law_Name_1= | ||
|National_Law_Link_1= | |National_Law_Link_1= | ||
|National_Law_Name_2= | |National_Law_Name_2= | ||
|National_Law_Link_2= | |National_Law_Link_2= | ||
|National_Law_Name_3= | |National_Law_Name_3= | ||
|National_Law_Link_3= | |National_Law_Link_3= | ||
|National_Law_Name_4= | |National_Law_Name_4= | ||
|National_Law_Link_4= | |National_Law_Link_4= | ||
|National_Law_Name_5= | |National_Law_Name_5= | ||
|National_Law_Link_5= | |National_Law_Link_5= | ||
Line 73: | Line 73: | ||
}} | }} | ||
The Spanish | The Spanish DPA fined Spain's biggest supermarket chain €170,000 for violating [[Article 12 GDPR|Articles 12]] and [[Article 15 GDPR|15 GDPR]] by not replying to the access request of the data subject and [[Article 6 GDPR|Article 6]] by deleting video footage without a legal basis. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The controller, MERCADONA S.A., is the biggest supermarket chain in Spain. The data subject suffered an accident in one of the controller's stores which was video surveilled by the controller. With the purpose of claiming damages against the controller, the data subject requested access to the video footage after the accident occurred via an online contact form provided by the controller. On the same day the data subject received an auto-response from the controller that her message has been sent successfully. Afterwards the data subject also filed a complaint with the controller about the accident via email which included name, email-address, telephone number, a description of the accident and the damages she suffered. The controller replied to this email by providing a reference number for the case. | |||
After the controller did not reply to the access request for over a month, the data subject's lawyer sent an email to the controller's DPO following up on the access request. The DPO responded that they were not aware of any access request and that the video footage had already been deleted because they were obliged to erase the footage one month after it was recorded according to Article 6 of the Instruction 1/2006 of the AEPD (Spain) on the processing of personal data for surveillance purposes through camera or video camera systems. After having received this negative answer of the controller, the data subject lodged a complaint with the DPA. | |||
During the DPA's investigation it turned out that the access request did not reach the DPO's attention because of a human error in the management of the case. Further, the controller had compensated the data subject during the proceedings, which resulted in the data subject withdrawing their complaint before the DPA. The DPA, however, decided to continue the investigation on its own (''ex officio'') and render a decision. The controller objected to this approach, arguing that the DPA had terminated proceedings before in similar cases only violating Articles 15-22 GDPR. | |||
=== Holding === | === Holding === | ||
[ | The DPA fined MERCADONA S.A. €70,000 for violating [[Article 12 GDPR|Articles 12]] and [[Article 15 GDPR|15 GDPR]] by not replying to the access request of the data subject and €100,000 for violating Article 6 GDPR by deleting the video footage without a legal basis (in total €170,000). | ||
At first, the DPA concluded that it was not bound by the settlement of the parties, nor by the withdrawal of the complaint of the data subject. The DPA considered that it was allowed to continue the investigation on its own since Article 64.2 LOPDGDD (Spanish Data Protection Law) and general Spanish Administrative Law (Art. 63.1 LPACAP) provides for this situation. Furthermore, it found that the compensation of the data subject did not exonerate the controller from its liability arising from the violations of the GDPR. | |||
At second, the DPA rejected the controller's argument that it should have dropped the case because it had allegedly done so in previous similar cases. The DPA found that this case is already different from the previous cases because it involves not only a violation of [[Article 15 GDPR|Article 15]] but also [[Article 6 GDPR|Article 6]]. | |||
At third, the DPA held that the controller violated [[Article 12 GDPR|Articles 12]] and [[Article 15 GDPR|15]] by not replying to the access request. It found that the obligation under Article 6 of the Instruction 1/2006 to delete video footage after, at latest, one month conflicts with the obligation to answer an access request at the latest one month after it was received under [[Article 12 GDPR|Article 12(3)]]. The DPA concluded that the responsibility to answer an access request under the GDPR takes precedence since otherwise a controller could always evade the data subject's right to access by invoking the deletion obligation under the Instruction 1/2006. | |||
At fourth, the DPA held that the controller violated [[Article 6 GDPR|Article 6]] because it deleted the video footage without a legal basis. The DPA found that none of the requirements of [[Article 6 GDPR#1|Article 6(1)]] were met. The DPA reasoned that the data subjects interest in obtaining the video footage as evidence, as a part of its right to effective remedy under Article 24 of the Spanish Constitution, outweighed the data protection considerations as well as the controller's obligation to delete the footage within one month under Instruction 1/2006. To reinforce its reasoning, the DPA referred to the opposite situation where a controller is under [[Article 6 GDPR#1f|Article 6(1)(f)]] allowed to keep the video footage for a longer period than one month in order to defend itself against a claim. | |||
When determining the amount of the fine the DPA considered, among others, as aggravating factors that (i) the data subject was not able to use the video footage to enforce its claims against the controller, that (ii) the controller did only respond after the deletion and that (iii) the images of the data subject processed were sensitive data (although not special category data under Article 9 GDPR). Moreover, the DPA held that the absence of a previous offence of the controller does not constitute a mitigating factor, whereas previous violations consitute an aggravating factor according to [[Article 83 GDPR#2e|Article 83(2)(e) GDPR.]] | |||
== Comment == | == Comment == | ||
The decision of the DPA could be seen as a confirmation that [[Article 15 GDPR|Article 15]] generally prevails over specific national law provisions. Interestingly enough the prevalence of EU Law, and specifically the GDPR, is hardly addressed in the decision. | |||
== Further Resources == | == Further Resources == | ||
Line 93: | Line 107: | ||
<pre> | <pre> | ||
1/61 | |||
• | |||
File No: PS/00267/2021 | |||
DECISION ON DISCIPLINARY PROCEEDINGS | |||
From the procedure conducted by the Spanish Data Protection Agency and on the | |||
basis of the following | |||
BACKGROUND | |||
FIRST: A.A.A. (hereinafter, the claimant), on 31/12/2020, filed a complaint with the | |||
Spanish Data Protection Agency. The complaint is directed against MERCADONA | |||
S.A., with Tax Identification Number A46103834 (hereinafter, MERCADONA or the | |||
respondent), for failure to comply with the claimant's right of access to her personal | |||
data, as the request had not been answered within one month. The grounds on which | |||
the complaint is based are as follows: | |||
The claimant states that on ***DATE.1 she suffered an accident in an establishment of | |||
the entity located at ***DIRECCION.1, and that, with the purpose of claiming damages, | |||
she exercised her right of access to the images from the security cameras, using the | |||
request form available on the website of the defendant, the one established in the | |||
Privacy Policy, receiving a message about the conformity of the sending, which took | |||
place on ***DATE.2. | |||
She adds that, after a month without receiving a reply, she sent an e-mail to the DPD | |||
of the entity, which replied denying receipt of the request for access and informing the | |||
complainant that the images had been deleted. On this occasion, the complainant sent | |||
the proof of sending the request for access, without receiving any further response. | |||
The complainant also points out that on ***DATE.3 she filed a complaint with | |||
MERCADONA itself about the accident, via its website, and received a reference for | |||
the case, so she does not understand why the images, which were the only proof of the | |||
facts, were deleted. | |||
Together with the complaint, he submitted the following documentation, which is set out | |||
in the Proven Facts: | |||
. Printout of the completed right of access request form via the Respondent's website, | |||
dated ***DATE.2. | |||
. Screenshot of the response message to the previous request. | |||
. Copy of the e-mail sent on ***DATE.4 by the complainant's representative to the DPD | |||
of MERCADONA, requesting the images. | |||
. Screen print of the e-mail sent by the complainant to the address | |||
"conducta@mercadona.es", dated ***DATE.3, with the subject "Complaint D201...", | |||
and MERCADONA's reply of ***DATE.5. | |||
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December 2018, | |||
of | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
2/61 | |||
December, on Personal Data Protection and guarantee of digital rights (hereinafter | |||
LOPDGDD), this complaint was transferred to the respondent on 03/02/2021, so that it | |||
could proceed with its analysis and inform this Agency, within a period of one month, of | |||
the actions carried out to adapt to the requirements set out in the data protection | |||
regulations. | |||
In response to this transfer, the defendant reported as follows: | |||
. MERCADONA began its response by presenting the facts of the case, confirming that | |||
sending the request via the form available on the website does not generate an | |||
acknowledgement of receipt and simply displays a response message indicating "the | |||
message has been sent correctly". It also refers to the e-mail that was sent by the | |||
complainant's representative to the DPD of the entity on the date | |||
***DATE.6, and notes that this email was replied to informing "that the request had not | |||
been received and that the images were no longer available (they had been deleted | |||
more than 30 days after capture)". | |||
It adds that, once it became aware of the complainant's request through the | |||
aforementioned mail sent to the DPD, it reviewed the material and human processes | |||
involved, both technical and managerial, without observing any deviation. This | |||
verification led to the aforementioned response. | |||
On 09/02/2021, having become aware of the complaint, it sent the claimant a burofax | |||
in the same terms. | |||
It then reports on some details regarding the procedure it follows for data subjects to | |||
exercise their personal data protection rights, which are outlined in the First Proven | |||
Fact, and indicates that a total of 229 requests for personal data protection rights have | |||
been received and processed through the form during the year 2020. | |||
On the other hand, MERCADONA points out that, on ***DATE.7, the complainant's | |||
representative first contacted the entity for the sole purpose of reporting the incident | |||
and communicating her intention to request compensation for it, without any reference | |||
to the request for access made on ***DATE.2, which is the subject of the present | |||
complaint. | |||
The Respondent, on the other hand, understands that it cannot be inferred from the | |||
communication made by the complainant through the complaints channel that it was a | |||
request for the exercise of the right of access. | |||
Based on the foregoing, the Respondent concludes that it acted at all times in | |||
accordance with the regulations in force, according to the scheme established to | |||
comply with the exercise of customers' rights. In this specific case, when it first became | |||
aware of the request for access on ***DATE.4, it replied to the request on ***DATE.8, | |||
responding to the only known address of the applicant. | |||
With its reply, it provided a copy of the following documentation, which is set out in the | |||
Proven Facts. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
3/61 | |||
. Copy of a letter sent by MERCADONA to the complainant's representative, dated | |||
***DATE.9, with the subject "Right of access". | |||
. Copy of the mail sent by the complainant's representative to MERCADONA, of | |||
***DATE.7, cited above. | |||
THIRD: On 16/04/2021, the Director of the AEPD agreed to admit the complaint for | |||
processing. | |||
FOURTH: On 05/07/2021, the Subdirectorate General for Data Inspection accessed | |||
the information available on the entity claimed in "Axesor". It appears that this entity | |||
belongs to the "Commerce" sector (...). | |||
FIFTH: On 19/07/2021, the Director of the Spanish Data Protection Agency agreed to | |||
initiate disciplinary proceedings against MERCADONA, in accordance with the | |||
provisions of articles 63 and 64 of Law 39/2015, of 1 October, on the Common | |||
Administrative Procedure for Public Administrations (hereinafter, LPACAP), for the | |||
alleged infringement of articles 12 and 6 of the GDPR, classified in articles 83.5.b) and | |||
83.5.a) of the aforementioned Regulation, respectively; and classified as minor and | |||
very serious for statute of limitations purposes in articles 74.c) and 72.1.b) of the | |||
LOPDGDD. | |||
In the opening decision, it was determined that the penalties that might be applicable, | |||
in view of the evidence existing at the time of opening and without prejudice to the | |||
outcome of the investigation, would amount to a total of 170,000 euros (70,000 euros | |||
for the infringement of Article 12 and 100,000 euros for the infringement of Article 6, | |||
both of the GDPR). | |||
It was also warned that the infringements alleged, if confirmed, could lead to the | |||
imposition of measures, in accordance with the provisions of the aforementioned | |||
article. | |||
58.2 d) of the GDPR. | |||
SIXTH: Having been notified of the aforementioned agreement of initiation and having | |||
extended the period granted to make allegations, the entity complained against | |||
presented a letter dated 02/08/2021, in which it requested that the sanctioning | |||
procedure be shelved in accordance with the following considerations: | |||
1. Firstly, he refers to the accident suffered by the claimant, which, as he indicates, | |||
was communicated to him by complaint of ***DATE.3 made through its website, and | |||
points out that the internal investigation carried out by the entity itself after the transfer | |||
process detected a human error in the management of the civil claim filed by the | |||
claimant, which led to it not reaching the attention of the Data Protection Delegate | |||
(DPD) or his team and the lack of attention to the request for access formulated. | |||
As a result, the claimant was contacted, through her representative, and an agreement | |||
was reached that compensates the damages suffered as a result of the accident and | |||
those derived from the failure to attend to her right of access to her personal data, so | |||
that the error in attending to the right has not caused her any damage and/or harm. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
4/61 | |||
Furthermore, it states that disciplinary measures have been adopted internally, as well | |||
as technical and organisational measures, to prevent a similar error from occurring in | |||
the future and to ensure that requests made through the web form are sent to the DPD. | |||
2. It considers it inappropriate to initiate sanctioning proceedings in a case referring | |||
exclusively to the failure to respond to a request to exercise the rights established in | |||
Articles 15 to 22 of the GDPR, and highlights the exceptional nature of such | |||
proceedings, which has been highlighted by the AEPD in various actions | |||
(E/10485/2019, TD/00120/2021 and RR/00506/2021), indicating that "whenever | |||
possible, alternative mechanisms should be chosen to prevail in the event that they are | |||
protected by the regulations in force...." and that there must be elements that justify the | |||
initiation of the sanctioning procedure. In this regard, MERCADONA adds that, in the | |||
present case, the agreement to initiate the procedure does not specify the specific | |||
aspects that justify the initiation of the sanctioning procedure, nor how, through the | |||
imposition of a sanction on the entity, the guarantees and rights of the complainant | |||
could be restored, which, according to the Authority, would not be duly restored | |||
through the procedure under article 64.1 of the LOPDGDD. | |||
In this case, the facts refer exclusively to the failure to respond to a request for the right | |||
of access, without there having been any breach of other provisions that would justify | |||
the opening of sanctioning proceedings, in view of the factual circumstances set out in | |||
the previous point, and the guarantees and rights of the interested party have been | |||
restored. | |||
Thus, it considers that the initiation agreement has not duly motivated the opening of | |||
the procedure, contrary to the provisions of Article 35.8 of Law 39/2015, letters | |||
h) and i), which may render the administrative act null and void in accordance with the | |||
doctrine of the Supreme Court insofar as it may deprive the interested party of the | |||
necessary means of defence or hinder jurisdictional control (STS 5701/1998, STS | |||
1935/2003 or STS 8046/1999). | |||
It stresses that, in the case of a discretionary act, the motivation must be more intense, | |||
expressing the logical process that leads the Administration to take the decision (STS | |||
7626/1998, citing in turn the SSTS of 15/06/1984, 13/07/1984 and 07/02/1987, among | |||
others). | |||
Finally, MERCADONA indicates that, if the purpose of opening the sanctioning | |||
procedure is to ensure that the "guarantees and rights of the interested parties are duly | |||
restored", as indicated in Ground II of the Agreement to initiate the Sanctioning | |||
Procedure, this entity has taken actions to repair and mitigate the damages suffered by | |||
the interested party, for not having responded in time to the right of access due to the | |||
human error detected, and therefore the guarantees and rights of the claimant have | |||
been duly restored. | |||
It therefore considers that it is not appropriate to initiate disciplinary proceedings and | |||
that, moreover, no justification has been given for that decision. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
5/61 | |||
3. Considering the alleged human error, it invokes the principle of fault, pointing out | |||
that there are no errors in the past. | |||
It cites Article 28.1 of Law 40/2015, which establishes the Principle of liability of the | |||
sanctioning power, and several precedents in which the AEPD has declared that the | |||
principle of culpability constitutes an essential note in sanctioning matters and that so- | |||
called strict liability has no place in administrative sanctioning law, so that the mere | |||
commission of an administrative infringement is not sufficient when it comes to | |||
proceeding to impose an administrative sanction, There must be wilful or negligent | |||
conduct, whether serious or slight negligence or simple negligence, depending on the | |||
degree of inattention, there being no negligence, and therefore no culpable and | |||
punishable offence, "when the necessary diligence has been applied in complying with | |||
the obligations required in terms of the LOPD" (PS/00724/2014). | |||
As human error is involuntary, there is no culpability, as it would never be possible to | |||
demand diligence of such a calibre that, in terms of result, it would be immune to any | |||
human or technical failure, as this would completely empty the aforementioned | |||
principle of culpability of its content, being no different from a mere imputation by way | |||
of objective causation. This is reflected in several decisions of the Authority, such as | |||
those handed down in the cases indicated with the numbers E/03468/2009, in which | |||
the AEPD brings up case law doctrine of the AN and the SC on error and the | |||
relationship with fault (".....no system is unfailing or immune to the existence of possible | |||
errors, so that, once they have occurred, the importance and scope of the same must | |||
be analysed, in order to avoid strict liability on the part of the subject of the obligation of | |||
custody of the same"); E/00546/2010; E/01795/2011 ("....In the present case, there is | |||
no requirement of malice or negligence with regard to the conduct of the companies | |||
complained of, but rather we would be dealing with a case of error with an allegedly | |||
infringing result, insofar as there could be a possible unlawful result, but not a willful | |||
intention with regard to that result... In this sense, the Audiencia Nacional itself has | |||
expressed itself in similar situations in judgments such as those handed down on 16 | |||
March 2004 and 2 March 2005, in which it states the following respectively.... We must | |||
bear in mind that, as the National High Court makes clear, and insofar as there is no | |||
willfulness in the act, that there has been no particularly harmful result in what | |||
happened, and that there is no evidence of a lack of care in the generalised action of | |||
the company denounced in its communications, it would be contrary to the nature of | |||
the administrative sanctioning sphere, subject to the principles of minimum intervention | |||
and proportionality, to impose a sanction in respect of the act produced, which can be | |||
summarised as a mere error not deserving of sanctioning action"). | |||
In the present case, the entity has taken the necessary diligence in complying with the | |||
obligations established in the data protection regulations and acts in all its processes | |||
with the utmost diligence, and always within its commitment to transparency and | |||
respect for regulatory compliance with regard to the processing of its customers' data. | |||
Thus, it has established an intuitive and simple procedure in relation to the exercise of | |||
Data Protection rights, which establishes the requirements set out in the RGPD and the | |||
LOPDGDDD. | |||
With regard to the information provided to customers on how to exercise their rights, it | |||
has established a simple and straightforward process on which the institution reports | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
6/61 | |||
through different channels (posters at the entrances to the shops; a call to the | |||
Customer Service freephone number; or the Privacy Policy published on the website, | |||
which includes a link to the form for exercising rights). | |||
In the present case, the complainant opted for the web form, whose requests are | |||
received by the Customer Service Department. | |||
And it details the processing process followed by the application, which is outlined in | |||
the First Proven Fact. | |||
This process contemplates that requests for the exercise of data protection rights are | |||
communicated by the manager to the Data Protection Delegate, through a non- | |||
automated procedure. This is the only non-automated step in the entire rights | |||
management procedure and, to date, no error has ever occurred, neither of a technical | |||
nor human nature, in the management of data protection requests, the established | |||
system working perfectly, thanks to the special and constant training that the entity | |||
provides to the professionals in charge of managing this type of request, through which | |||
the great importance of the fundamental right to data protection and especially the | |||
rights of data subjects is conveyed. | |||
In relation to exercises of rights received through the web form, a total of 229 requests | |||
for ARSOPL rights were received and satisfactorily processed during 2020 (January- | |||
September: 188 and October-December: 41). The entity can affirm that it has not been | |||
previously sanctioned by the AEPD in terms of data subjects' rights, and internally, | |||
there is no record to date of any complaint to the DPD, nor any complaint form, | |||
regarding the non-response or non-receipt of requests from data subjects. | |||
However, additionally, the entity has proceeded to reinforce the instructions to the staff | |||
in charge of handling data protection requests from data subjects, especially those sent | |||
by data subjects through the Customer Service form and which the managers assigned | |||
to process them receive in their folders, placing special emphasis on their | |||
communication to the DPD until the procedure is fully automated, through a | |||
communiqué sent by the Data Protection Delegate on 02/08/2021 August. | |||
In view of the procedure established, MERCADONA concludes that it has at all times | |||
observed the diligence and duty of care required of it, establishing the necessary | |||
procedures to manage data subjects' requests and providing specific training to the | |||
employees in charge of managing such requests and communicating them to the Data | |||
Protection Delegate. In addition, preventive measures are implemented, such as | |||
periodic controls carried out by the coordinators, in order to avoid incidents. | |||
The contrary would be to assume strict liability on the part of the subject of the | |||
obligation of custody of the same, despite the fact that there is no evidence of a lack of | |||
care in the generalised action, the entity having shown the diligence and duty of care | |||
required of it, through the implementation of formative and preventive control | |||
measures. Furthermore, the importance and scope of the error should be taken into | |||
account, which was not | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
7/61 | |||
The nature of the error, that given the large amount of data processed by the entity, no | |||
system is unfailing or immune to the existence of possible errors, as has been the case | |||
here, and that on the other hand, (technical) measures have been adopted to prevent | |||
this from happening in the future. | |||
4. MERCADONA considers that the principle of typicality has been infringed by the | |||
following circumstances: | |||
. When it is stated in the decision to initiate proceedings that Article 6 of the GDPR has | |||
been infringed and that this could lead to the commission of the offence defined in | |||
Article 83(5)(a) of the GDPR, the offending conduct is not specified at all. | |||
. It is also indicated in the opening agreement that the facts could involve a breach of | |||
the provisions of Article 6 of the GDPR, in relation to Article 22 of the LOPDGDD. | |||
Article 6 of the GDPR has four paragraphs, which in turn have different sub- | |||
paragraphs, and it is not specified which paragraph and letter of Article 6 is the one that | |||
could have been allegedly violated. | |||
The same applies to Article 22 of the LOPDGDD, which has eight paragraphs and does | |||
not specify which specific paragraph(s) and section(s) might have been violated. | |||
Furthermore, the relationship between Article 6 of the GDPR and Article 22 LOPDGDD | |||
is also not explained. | |||
. It is not explained in detail or is not adequately substantiated why the fact of having | |||
erased images within the legally established time limit, because of a failure to respond | |||
to a right of access due to human error, constitutes a breach of the conditions of | |||
lawfulness, and specifically, which of them. | |||
According to MERCADONA, all of this causes defencelessness and contributes to | |||
legal uncertainty (Article 9.3 of the Constitution). | |||
It cites the decision handed down by the AEPD in case E/02434/2020, in which it | |||
states: | |||
"In short, this principle implies, firstly, that punitive laws can only be applied to those conducts | |||
that meet all the elements of the type described, i.e., that a conduct can be defined as "typical" | |||
when there is identity or homogeneity between the act committed and the circumstances | |||
described in the rule. The prohibition of analogy, for its part, implies that a sanction cannot be | |||
imposed for an act that does not fit in with the literal nature of the type of offence, even if it | |||
bears some kind of conceptual similarity or proximity to it". | |||
In view of the foregoing, the defendant considers that the decision to initiate the | |||
disciplinary proceedings does not comply in any way with the principle of | |||
criminalisation since, firstly, the provisions allegedly infringed have not been specified, | |||
nor has the relationship between them been explained; secondly, there is no identity | |||
between them; and, thirdly, there is no evidence of the existence of the same offence. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
8/61 | |||
between the act committed and the circumstances described in the law, since at no | |||
time has there been any unlawful processing of data (art. 6 RGPD) nor has there been | |||
any breach of the provisions of article 22 of the LOPDGDD, and thirdly, a sanction | |||
cannot be imposed for an act that does not fit within the wording of the type of offence, | |||
even if it bears some kind of conceptual similarity or proximity to it (prohibition of | |||
analogy). | |||
5. MERCADONA scrupulously complies with the provisions of article 22.3 of the | |||
LOPDGDD regarding the obligation to conserve images captured by video surveillance | |||
systems, as these images are permanently deleted more than 30 days after they are | |||
captured. | |||
In the case that is the subject of this complaint, due to human error, the claimant's | |||
request for access was not processed correctly, but this in no way implies a breach of | |||
the provisions of Article 22.3 LOPDGDD, which states the following: | |||
"3. The data shall be deleted within a maximum period of one month from their capture, except | |||
when they have to be kept to prove the commission of acts that threaten the integrity of | |||
persons, property or installations. In this case, the images must be made available to the | |||
competent authority within a maximum period of seventy-two hours from the time the existence | |||
of the recording became known. The blocking obligation provided for in Article 32 of this | |||
Organic Law shall not apply to such processing" . | |||
In the AEPD's "Fichas prácticas de videovigilancia información general", updated in | |||
2021, the following is indicated (provide screen print): | |||
"The images shall be kept for a maximum period of one month from their capture, after which | |||
they shall be deleted. | |||
In the event of the recording of a crime or administrative offence to be brought to the attention | |||
of an authority, the images shall accompany the report and shall be kept for the sole purpose of | |||
making them available to that authority and may not be used for any other purpose. | |||
Therefore, regarding the obligation of general erasure after a maximum of one month | |||
has elapsed since the images were captured, the exception is given by the recording of | |||
a crime or administrative offence that must be brought to the attention of the | |||
authorities, and we cannot include other cases within this exception to the general rule, | |||
as the LOPDGDD itself does not include them. | |||
Article 22.3 LOPDGDD speaks of "(...) except when they have to be kept to prove the | |||
commission of acts that threaten the integrity of persons, goods or installations", so it is | |||
not referring to any act, but to those that involve conduct by a third party (committing an | |||
act) against persons, goods or installations, i.e. an act must be committed by a person | |||
that threatens the integrity of persons, goods or installations. | |||
Let us remember that all exceptions must be interpreted restrictively and to hold | |||
otherwise would violate both the principle of typicality and the prohibition of analogy, | |||
since a sanction cannot be imposed for an act that does not fit within the literal wording | |||
of the | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
9/61 | |||
type of infringement, even if it bears some conceptual similarity or proximity to it. | |||
In a similar case (Procedure E/02434/2020) in which the Guardia Civil requested | |||
images from a catering establishment "as these were decisive for the clarification of the | |||
facts", and these had already been erased, the AEPD indicates that it is necessary to | |||
analyse whether the conduct described constitutes an infringement and states that | |||
"The aforementioned Article 22.3 LOPDGDD, must be put in connection with the | |||
provisions of article 32 LOPDGG, "Blocking of data" and concludes that "the obligation | |||
to "block" images obtained through video-surveillance systems is one of the exceptions | |||
determined by the Legislator, so that the defendant could not be charged with an | |||
administrative offence in the terms of art. 72n) LOPDGDD", and therefore the complaint | |||
is archived: | |||
"In accordance with the above, it can be concluded that there is no obligation to block the | |||
images obtained through the system, nor does the Legislator require that they must necessarily | |||
be kept for a period of one month, and this body lacks greater knowledge of the circumstances | |||
that led to the deletion of the images (e.g. intentionality or simple human error), all of which | |||
reasons make it advisable to order the archiving of the present proceedings". | |||
If in the aforementioned case, in which the images were requested by the Guardia Civil | |||
for the clarification of allegedly criminal acts, the Authority concluded that there was no | |||
obligation on the part of the establishment to block the images, even less so in the | |||
present case in which we are not dealing with the commission of a crime or | |||
administrative offence, which would justify "making the images available to the | |||
competent authority within a maximum period of seventy-two hours of becoming aware | |||
of the existence of the recording", which is what is actually established in Article 22.3 of | |||
the LOPDGDD, and not an obligation of conservation, not even partial. | |||
In conclusion, there has been no breach of any provision establishing an obligation to | |||
preserve images, since Article 22.3 LOPDGDD does not establish such an obligation, | |||
but only establishes the obligation to communicate certain recordings to the authorities, | |||
and sanctioning for this would be a violation of the Principle of Typicality and the | |||
prohibition of analogy. | |||
It is a different matter if, due to the failure to receive or process the request for the right | |||
of access correctly, possible damages have been caused to the claimant, which have | |||
already been repaired through the agreement reached with the claimant as explained | |||
above, but in no way can the fact that the claimant filed a complaint against the | |||
establishment for the purpose of claiming damages for civil liability (without actually | |||
exercising a right of access to the images in said complaint and which did not refer to | |||
the exercise of the previously exercised right of access) be linked to a legal obligation | |||
to conserve the images, which, moreover, Art. 22.3 does not establish, since this | |||
precept is limited to establishing the obligation to make available to the competent | |||
authority within a maximum period of seventy-two hours those images that serve to | |||
"accredit the commission of acts that threaten the integrity of persons, property or | |||
installations" and not of any event that does not involve the recording of a crime or | |||
administrative offence. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
10/61 | |||
Therefore, it is clear that Article 22(3) does not establish an obligation to preserve | |||
images that the organisation has not respected. Accepting the contrary would mean | |||
that data controllers would be obliged to review all recordings on a daily basis in order | |||
to preserve any recording in which a person may have fallen, fainted, etc., in addition to | |||
notifying the competent authorities of such events which would not fall within their | |||
competence, as in the present case, and penalising them for this would be a violation | |||
of the Principle of Typicality and the prohibition of analogy. | |||
The following documents were submitted with the allegations: | |||
. Specification agreement addressed to the Systems Department to carry out a new | |||
development on the corporate website that involves automating the sending of any | |||
exercise of rights to the Data Protection Delegate. | |||
With the aim of facilitating the exercise of rights, this document includes a "FAQ" to | |||
explain how to exercise the right and a link to a form, "which by completing it will reach" | |||
the legal team to manage the request. | |||
. "Certification" from the Human Resources Department in relation to the imposition of | |||
the internal disciplinary measure. It is said that the investigation carried out detected | |||
that an employee of the Civil Liability Area in charge of the management of the claim | |||
which is the subject of the present proceedings "had incurred in a lack of diligence in | |||
his functions and which have originated the lack of attention to the right of access in | |||
matters of video surveillance", for which reason "internal disciplinary measures were | |||
applied to him for negligently failing to carry out the working methods established by | |||
the company, having been duly trained for them". | |||
. Communication from the DPD of the respondent entity addressed to the "processing | |||
managers" of the Customer Service Department", sent by e-mail dated 02/08/2021. It | |||
lists the channels for the exercise of rights and reports the following: | |||
"As you know, if the data subject uses the web form for the exercise of a right, through an | |||
automated procedure, the system assigns the request to a manager and sends it to his or her | |||
folder. | |||
IMPORTANT: Those requests for the exercise of data protection rights, as you know and as | |||
you have been doing to date, must be sent immediately to the Data Protection Delegate | |||
***EMAIL.1, so that a response can be given in due time and form to the Head (client) who | |||
requests it. It is currently a process that is carried out manually, so the IT Department has been | |||
asked to study and evaluate the automation project in order to avoid any human error in the | |||
management". | |||
. Documentation on a training for the "900 Line Area", carried out in May 2021, which | |||
includes a section on personal data protection. | |||
SEVENTH: On 29/07/2021, this Agency received a letter presented by the | |||
representative of the claimant, in relation to the opening of the procedure | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
11/61 | |||
sanctioning, by means of which it communicates "that an agreement has been reached | |||
with Mercadona, through which the damages and losses suffered by my client, both | |||
material and immaterial in the area of civil liability, as well as in the area of data | |||
protection due to the failure to comply with the right of access, the reason for the | |||
complaint filed, have been duly and sufficiently compensated". On this basis, it | |||
concludes by stating that the damages have been compensated and the claimant's | |||
right has been satisfied, and requests "that my claim be considered to have been met | |||
and, therefore, that the case be closed". | |||
EIGHTH: On 02/03/2022 a motion for resolution was formulated in the following sense: | |||
1. Sanction MERCADONA, for an infringement of Article 12, in relation to Article 15, | |||
both of the RGPD, as defined in Article 83.5.b) and classified as minor for the purposes | |||
of prescription in Article 74.c) of the LOPDGDD, with a fine of 70,000 euros (seventy | |||
thousand euros). | |||
2. That MERCADONA be sanctioned with a fine of 100,000 euros (one hundred | |||
thousand euros) for an infringement of Article 6 of the RGPD, as defined in Article | |||
83.5.a) and classified as very serious for statute of limitations purposes in Article | |||
72.1.b) of the LOPDGDD. | |||
3. That MERCADONA be ordered to adopt, within the period of time to be determined, | |||
the measures necessary to adapt its actions to the personal data protection | |||
regulations, with the scope expressed in Ground of Law IX of the proposed resolution. | |||
NINTH: On 16/03/2022, a letter was received from the defendant entity in which it | |||
formulated allegations to the proposed resolution, requesting once again that the | |||
proceedings be closed and that the following requests be taken into account. It bases | |||
its request on the following considerations: | |||
1. He reiterated the same allegations as above regarding the appropriateness of | |||
pursuing a procedure for failure to respond to a request for the exercise of rights, | |||
which, in his opinion, is the procedure that corresponds by legal imperative, rather than | |||
a disciplinary procedure; and pointed out that the former had a duration of six months | |||
from the date of admission for processing on 16/04/2021, which elapsed without any | |||
pronouncement being made. | |||
It understands that the responsibilities must also be clarified within the framework of | |||
the procedure regulated in Article 64.1 of the LOPDGDD; and that the same should be | |||
followed even if it is not possible to satisfy the right, as is the case here, as the data | |||
has been deleted, as the Agency has resolved in precedents that it describes as | |||
similar, in which the AEPD has formally upheld the data subject's claim within the | |||
procedure for the protection of rights, urging the respondent to provide a response but | |||
without appreciating a "lack" of purpose and without purging responsibilities | |||
(TD/00955/2018, TD/00830/2017 and TD/01272/2017). He adds that this is the | |||
understanding of the European Data Protection Board (EDPC) in its Guidelines 3/2019 | |||
on the processing of personal data by video devices: | |||
"Example: If the controller automatically deletes all images, for example within two days, it | |||
cannot provide the images to the data subject after two days. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
12/61 | |||
those two days. If a request is received by the responsible person after those two days, the | |||
person concerned must be informed accordingly. | |||
It also cites the proceedings followed by the AEPD under number E/02434/2020, which | |||
refers to a request by the State Security Forces and Corps for images that were | |||
decisive for the clarification of the alleged commission of a crime or administrative | |||
offence, which the Agency closed, concluding that there was no obligation on the part | |||
of the establishment to block the images and did not impose a sanction for this. | |||
Furthermore, MERCADONA considers that there has been no breach of provisions | |||
other than Article 12, paragraphs 2 and 3, in relation to Article 15 of the GDPR, which | |||
would justify the initiation of sanctioning proceedings, and argues that the alleged | |||
infringement is classified as "Failure to respond to requests to exercise the rights | |||
established in Articles 15 to 22 of the Regulation". | |||
Finally, it states that the same conduct is being sanctioned with two sanctions; and that | |||
the guarantees and rights of the interested party have been restored for the possible | |||
harm derived from the facts, as established in Article 82.1 of the GDPR. | |||
2. MERCADONA insists on the allegations already made concerning the exceptional | |||
nature of the penalty procedure; the actions taken to restore the guarantees and rights | |||
of the interested party and to repair the damage, which are not achieved by the | |||
imposition of a penalty; as well as the lack of reasoning, in the present case, of the | |||
opening decision, unlike other cases in which it is justified by a general action of the | |||
person responsible that would affect all persons in the same situation, and not a | |||
specific error (PS/00003/2021), which does not even specify the paragraphs of Articles | |||
12 and 6 of the GDPR that have been infringed. | |||
As in the previous section, also in this section 2, MERCADONA disputes the | |||
appropriateness of resolving the issues raised by means of a sanctioning procedure, | |||
arguing on the contrary the volume of rights applications it has processed in recent | |||
years; that it has not been previously sanctioned for this reason and there is no record | |||
of any complaint before the DPD; and that the necessary measures have been adopted | |||
to avoid similar errors, having fully automated the application management process, | |||
which have been assessed as mitigating factors together with the fact that in this case | |||
the anomaly only affects the complainant. | |||
It considers that it is not sufficient to justify the opening of the disciplinary proceedings | |||
by stating that by deleting the images there has been an infringement other than the | |||
infringement of Articles 15 to 22 of the GDPR, or that the proceedings for failure to | |||
comply with a right "lacked purpose" since the images did not exist. | |||
Moreover, it mentions the possibility of resorting to other remedial powers set out in | |||
Article 58(2) of the GDPR (warning, caution or other), depending on the circumstances | |||
of each individual case. | |||
It was only in the motion for a resolution that the AEPD first argued which specific | |||
paragraphs of articles 12 and 6 of the GDPR were considered to have been allegedly | |||
violated. And, with regard to the alleged violation | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
13/61 | |||
of Article 6 and its relationship with Article 22 of the LOPDGDD, it is also in the | |||
proposed resolution when, despite acknowledging the non-application of Article 22 | |||
LOPDGDD, the AEPD explains the legal reasoning and ratifies the proposed sanction. | |||
3. He reiterates that the complainant's request for access was not handled because it | |||
was not brought to the attention of the DPD due to human error, already explained, in | |||
his opinion, in his submissions on the opening of the procedure. | |||
It again invokes the principle of culpability and the prohibition of strict liability in | |||
administrative law on penalties, which are considered in various decisions of the | |||
Agency itself, such as those indicated in its previous pleading and in judgments of the | |||
Audiencia Nacional (such as those handed down on 16/03/2004 and 02/03/2005, | |||
referring to an error in the movements of a bank account or a mistake in the sending of | |||
correspondence to a person's address, where there was no wilful misconduct and there | |||
is no evidence of a lack of care). | |||
In such cases, the AEPD has assessed the specific circumstances, bearing in mind | |||
that the mere commission of an administrative infringement -an objective type- is not | |||
sufficient when proceeding to impose an administrative sanction (PS/00724/2014); that | |||
no system is unfailing or immune to the existence of possible errors, so that, once they | |||
have occurred, the importance and scope of the same must be analysed, in order to | |||
avoid objective liability of the subject of the obligation of custody of the same | |||
(E/01795/2011); whether or not there is voluntariness in the act, whether a particularly | |||
harmful result has been produced or whether there is evidence of a lack of care in the | |||
generalised action (E/03468/2009); or proportionality (SANs of 16/03/2004 and | |||
02/03/2005). | |||
With regard to the statements contained in the proposed resolution on this issue, | |||
MERCADONA indicates that the Agency does not substantiate what the lack of | |||
diligence consisted of. The only argument is that "it cannot be admitted that the actions | |||
of the respondent entity, by not processing the request for access to personal data, | |||
were diligent", which would have as a corollary the strict liability derived from any error, | |||
absent-mindedness, forgetfulness, etc., of the worker who should have redirected the | |||
request to the data subject. of the employee who had to redirect the request to the | |||
DPD, without taking into account the specific circumstances of the case and the fact | |||
recognised by the Authority itself that there were "adequate" procedures in place to | |||
handle this type of request and that no errors had occurred in the past to justify the | |||
change of procedure on the part of the person responsible, based on his diligence. | |||
As evidence of the existence in this case of generalised due diligence, the AEPD itself | |||
assesses as a mitigating circumstance the implementation of adequate procedures for | |||
action in the management of requests for the exercise of rights, such that the | |||
infringement is the consequence of an anomaly in the operation of these procedures | |||
that only affects the respondent. This being the case, MERCADONA considers that the | |||
error was not intentional, and adds that there has been no harmful result, as the entity | |||
has proceeded to avoid the possible damages that could have been caused. | |||
Finally, as regards the significance and extent of the error, the entity has pointed out that | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
14/61 | |||
The AEPD has not previously been sanctioned by the AEPD with regard to the rights of | |||
data subjects, and internally, there is no record to date of any complaint to the DPD, | |||
nor any complaint form, regarding the non-response or non-receipt of requests from | |||
data subjects. | |||
Despite being an "anomaly in operation", as defined by the AEPD itself, the entity has | |||
modified the management procedure by eliminating the only non-automated step. | |||
Thus, it has implemented a development, by means of a system of mail flow rules in | |||
the Exchange Server (also known as transport rules). These rules contain a set of | |||
conditions and actions that guarantee the automatic notification to the recipients of | |||
Customer Service (L900) and the Data Protection Delegate of those requests for the | |||
exercise of rights made through the web page form (automatic forwarding of a copy of | |||
the original message to the ***EMAIL.1 mailbox). | |||
As for its scope, it is clear from the AEPD that it only affects the respondent, which is | |||
taken into account as a mitigating factor in the sanction. On this point, it should be | |||
borne in mind that there has been no harmful result in what happened, since no | |||
damages have been derived from the extrajudicial satisfaction of the claim for | |||
compensation based on facts whose accreditation the images requested by the | |||
claimant were intended to serve. | |||
Furthermore, it has shown the diligence and duty of care required of it, through the | |||
implementation of formative and preventive control measures, as evidenced by the lack | |||
of errors in the past. | |||
He also points out that he did not base the failure to comply with the right on the | |||
deletion of the images, but on the human error indicated. The time limit had elapsed | |||
only as a consequence of the request not having reached the DPD. Proof of this is that | |||
a reply was given to the complainant on ***DATE.9, before the AEPD's request. | |||
As for the storage period of the images, in the rest of the European countries, there are | |||
either no storage periods, or they are less than 30 days, so that the situation raised by | |||
the AEPD is even more evident and possible to materialise if the data subject does not | |||
exercise his or her right of access before the deletion of the images takes place. Thus, | |||
the European Data Protection Committee, ECDC, in Guidelines 3/2019, in relation to | |||
storage periods and erasure obligations, states that: | |||
"Personal data may not be kept for longer than necessary for the purpose for which they are | |||
processed (Article 5(1)(c) and (e) of the GDPR). In some Member States, there may be specific | |||
provisions for retention periods in respect of video-surveillance in accordance with Article 6(2) | |||
of the GDPR. | |||
Whether or not the retention of personal data is necessary should be controlled within a short | |||
period of time. In general, the legitimate purposes of video surveillance are usually the | |||
protection of property or the preservation of evidence. Damage can usually be recognised | |||
within one or two days. In order to facilitate the demonstration of compliance with the data | |||
protection framework, it is in the interest of the controller to make organisational arrangements | |||
in advance (e.g. to appoint, if necessary, a representative for | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
15/61 | |||
examine and secure video material). Taking into account the principles of Article 5(1)(c) and (e) | |||
of the GDPR, namely data minimisation and limitation of the retention period, personal data | |||
should in most cases (e.g. for the purpose of detecting vandalism) be deleted, preferably | |||
automatically, after a few days. The longer the retention period (especially when it exceeds 72 | |||
hours), the more arguments should be provided for the legitimacy of the purpose and the | |||
necessity of retention'. | |||
Even the ECDC gives the following example for a shop: | |||
"Example: The owner of a small shop would normally notice any signs of vandalism the same | |||
day. Consequently, a normal 24-hour retention period would be sufficient. Closed weekends or | |||
longer holidays may nevertheless be grounds for a longer retention period. If damage is | |||
detected it may also be necessary to keep the video images for a longer period in order to bring | |||
claims against the offender". | |||
4. The AEPD understands two different and independent conducts, when in fact one is | |||
a consequence of the other, because if the images were deleted it was precisely | |||
because there was no record of the request for access due to the error that had | |||
occurred. And it concludes that the concurrent circumstances prevail over the | |||
obligation to delete the images within a maximum period of one month from the time | |||
they were captured, in violation of the provisions of article 6 of the GDPR. | |||
In this regard, it points out firstly that when the complainant enquired about her request, | |||
a reply was given, as it was the first time it had come to her attention, and the | |||
maximum conservation period of 30 days had already elapsed, as in the similar cases | |||
mentioned above. | |||
Moreover, MERCADONA argues that deletion of data when it is no longer necessary | |||
does not require a legitimate basis. Deletion occurs precisely because there is no | |||
longer a legitimate basis for continuing to retain the data, since the maximum legal | |||
period of one month has elapsed, and a legitimate basis is required for their | |||
subsequent retention, not for their deletion as indicated by the AEPD. In other words, it | |||
is the "expiry" of the legal retention period, the very compliance with the applicable rule, | |||
which entails the deletion of the images, without the need to resort to any basis of | |||
legitimisation to carry out such deletion. If the AEPD's argument is accepted, there | |||
would have to exist in every Register of Processing Activities (including that of the | |||
AEPD itself), a processing operation called "deletion of images" with its corresponding | |||
basis of legitimisation, which makes no sense whatsoever. | |||
Thirdly, it should be noted that we are dealing with a maximum conservation period, as | |||
the AEPD itself indicates in its "practical video surveillance files" ("after which time the | |||
data will be deleted"), in the proposed resolution and in many resolutions. Such as that | |||
issued in procedure PS/00261/2020, which states the following: | |||
"Regarding the obligation to retain images for a period not exceeding 30 days, the (GDPR), in | |||
recital 39, announces the need to "ensure that the period of retention of personal data is limited | |||
to a strict minimum", which in turn must be "adequate, relevant and limited to what is necessary | |||
for the purposes for which they are processed". Article 22.3 of the LOPDGDD specifies - with | |||
regard to processing for the purposes of | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
16/61 | |||
video-surveillance - that "the data shall be deleted at the latest within one month of their | |||
collection". | |||
The exception is given by the recording of a crime or administrative offence that must | |||
be brought to the attention of the authorities ex Article 22.3 LOPDGDD, without us | |||
being able to include other cases within this exception to the general rule, as the | |||
LOPDGDD itself does not include them. | |||
It should be remembered that all exceptions must be interpreted restrictively and to | |||
hold otherwise would violate both the principle of typicality and the prohibition of | |||
analogy, since a sanction cannot be imposed for an act that does not fit in with the | |||
literal nature of the type of offence, even if it has some kind of similarity or conceptual | |||
proximity to it. | |||
In the Agreement to initiate sanctioning proceedings, the AEPD stated that it | |||
considered that the facts set out could breach the provisions of Article 6 of the | |||
Regulation, in relation to Article 22 of the LOPDGDD; and in the proposal it | |||
acknowledges that it is not applicable to the present case. | |||
Therefore, it is not understood what is the case analysed in the present proceedings | |||
and why this entity is considered responsible for an alleged infringement of art. 6 of the | |||
GDPR with respect to the same (attached extract from the Register of Processing | |||
Activity corresponding to the processing of Video Surveillance). | |||
The AEPD understands that "there are other circumstances that must be considered in | |||
the analysis of the lawfulness or unlawfulness of the deletion or erasure of personal | |||
data", directly linked to the particular situation of the claimant, but in no way can it be | |||
maintained that, due to these particular circumstances, of which the organisation has | |||
no reason to be aware, MERCADONA had a duty of retention. And this organisation | |||
warns that no justification or motivation should be provided by the interested party for | |||
the exercise of rights, and that the organisation should not make any assessment as to | |||
whether there may be a legitimate interest of the interested party that could justify the | |||
conservation of the images beyond the legal period. In the case of having received the | |||
request, the entity would have provided the data subject with a copy of the images, but | |||
not because the basis for legitimisation had changed, but because the data subject has | |||
the right to request the images through the right of access regardless of the motivation. | |||
In other words, MERCADONA did not have to make any weighting or assessment as | |||
far as standing was concerned. | |||
Reproduces again what is stated about retention and deletion periods in the above- | |||
transcribed ECDC Guidelines 3/2019, with the addition of the following paragraph: | |||
"If the controller uses video surveillance not only to monitor its premises but also to retain data, | |||
it must ensure that the retention is indeed necessary to achieve the purpose. If so, the retention | |||
period should be clearly defined and set individually for each particular purpose. It is the | |||
responsibility of the controller to define the retention period in accordance with the principles of | |||
necessity and proportionality and to demonstrate compliance with the provisions of the GDPR". | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
17/61 | |||
On the other hand, if a legal basis were needed to proceed with t h e deletion of the | |||
data, at no point does the AEPD specify what it is or what it should be, of those listed in | |||
Article 6 of the GDPR. | |||
According to the respondent, the proposed resolution confuses the concepts of "basis | |||
of legitimisation" with the "motives" or reasons that justified the conservation of the | |||
images. That the complainant had an interest in the images, and a right to obtain them, | |||
is beyond dispute, but the AEPD seems to ignore the fact that, if in the present case | |||
the images were not kept, it was not because it was considered that the complainant | |||
had no right to them or because it was considered that in any case the one-month | |||
storage period should be applied, but because, quite simply, there was a specific error | |||
in the handling of her request which prevented her replying in due time and form. The | |||
interest that the data subject may have in the images cannot be confused with the | |||
retention period of the images determined by the data controller or with the concept of | |||
the basis of entitlement. If a data subject exercises the right of access during the period | |||
in which the data controller retains the images, the request must be complied with, and | |||
the images must be retained, even if there was a formal defect in the request, precisely | |||
so that when this is remedied, the right can be satisfied. But in this case, the data | |||
controller was not made aware of the request, so the images could not be kept. | |||
Nor is the right of the organisation to keep the images if it deems it appropriate, for | |||
example, because it was sued by the claimant, in the example given by the AEPD | |||
itself, disputed, but this shows the confusion of the AEPD regarding the need for a | |||
legitimate basis for keeping the images beyond the established legal period, with the | |||
supposed need for a legitimate basis for deleting these images. | |||
In fact, in the aforementioned Guidelines 3/2019, in relation to the right of access in | |||
matters of video surveillance it is stated that: | |||
"The data subject has the right to obtain confirmation from the controller as to whether or not his | |||
or her personal data are processed...If, however, the data are still processed at the time of the | |||
request (i.e. if the data are retained or otherwise continuously processed), the data subject | |||
must obtain access and information in accordance with Article 15." | |||
"Example: If the controller automatically deletes all images within e.g. two days, it cannot | |||
provide the images to the data subject after those two days. If the controller receives a request | |||
after those two days, the data subject must be informed accordingly. | |||
In the present case, there is no conflict of rights to be weighed up by the controller, but | |||
simply a request for a right of access that was not granted because the controller was | |||
unaware of the data subject's request due to an isolated and specific error in the | |||
procedure. | |||
If MERCADONA deleted the images, it was because it was not aware of the data | |||
subject's request for access, not because it assessed her request negatively and did | |||
not grant access. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
18/61 | |||
The AEPD has considered that the right to effective judicial protection of judges and | |||
courts prevails. But it is not necessary to argue that the images should have been kept | |||
for a period of more than 30 days. If the request had been received, the interested | |||
party would have had a response in due time and form, without the need to keep the | |||
images for longer than the established period or to seek any additional basis for | |||
legitimisation. | |||
Given that the DPD did not receive the original request, the data was deleted in | |||
compliance with the established procedures. In other words, MERCADONA never | |||
found itself and would never have found itself (had the error not occurred) in the | |||
dilemma of whether or not to keep the data beyond the legal period, and therefore no | |||
weighing up can be required in the face of an alleged collision of rights that has not | |||
existed and will not exist. In the event that the request had been dealt with | |||
satisfactorily, the images would have been handed over without further assessment. | |||
Furthermore, if we accept that the data controller must analyse and assess the reasons | |||
why the data subject requests the data, we are giving the data controller powers that | |||
the law does not grant him/her. | |||
Furthermore, when the AEPD states that "there is legal authorisation for the processing | |||
of image data once the period established for their deletion has been exceeded, which | |||
is covered by Article 24 of the Constitution and its implementing regulations", it seems | |||
to introduce, for those cases in which a data protection right has not been exercised, | |||
an obligation for data controllers to supervise all images, on a daily basis, to assess | |||
whether it is necessary to keep any recordings in which a person may have fallen, | |||
fainted, etc., and need them in order to exercise their right to effective judicial | |||
protection, even in the absence of a request from the data subject. and needed to | |||
exercise his or her right to effective judicial protection, even in the absence of a request | |||
from the data subject. This reasoning cannot be shared or legally sustained, as it | |||
means demanding obligations from data controllers that are not in the law and that go | |||
beyond the purposes of a video surveillance system installed to guarantee the security | |||
of persons and property, as well as the security of their installations. It is a different | |||
matter if the data subject can request the images through the right of access and use | |||
them as he or she sees fit (for example, to provide them in a legal proceeding), but in | |||
no way can a general obligation of conservation for the controller be argued, | |||
contradicting the maximum legal period of conservation of the images, to safeguard a | |||
possible right of access to effective judicial protection of a person who has not | |||
exercised a right of access in data protection. | |||
It is clear that these purposes go beyond the purpose of the video surveillance system | |||
to preserve the security of persons and property, as well as of its installations (Art 22.1 | |||
LOPDGDD). | |||
However, the entity has proceeded to compensate the possible damages that the error | |||
and, therefore, the non-availability of the images may have caused to the claimant. | |||
For all the above reasons, no treatment has been carried out at any time. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
19/61 | |||
data without a basis of lawfulness. | |||
Nor has there been any breach of any provision establishing an obligation to conserve | |||
images, since Article 22.3 LOPDGDD does not establish such an obligation, and | |||
therefore penalising for this would be a violation of the principle of criminalisation and | |||
the prohibition of analogy. | |||
5. It invokes the principles of legal certainty, which obliges the ius puniendi of the State | |||
to be subject to the principle of legality - Lex previa - and the principle of typicality - Lex | |||
certa -. | |||
On this basis, it expressly opposes the consideration of the alleged facts as constituting | |||
the alleged offence under Article 6 of the RGPD and Article 72.1.b) of the LOPDGDD, | |||
because, precisely, having kept them beyond the legal retention period would have | |||
meant processing without a legitimate basis. | |||
The offence of deleting images without a legitimate basis does not exist, it is not | |||
criminalised in the law, as all the lawful bases detailed in Article 6 involve positive, | |||
active data processing (processing data for a specific purpose, executing a contract, | |||
fulfilling a legal obligation, etc.), not negative (deletion). | |||
6. As regards the graduation of sanctions, it notes the following: | |||
a) In relation to the infringement for failure to comply with the provisions of Article 12, in | |||
conjunction with Article 15, both of the GDPR, the Respondent considers that the | |||
following circumstances should be considered as mitigating and not aggravating: | |||
. There is only one person affected, the duration of the infringement does not last over | |||
time and was not of a general or structural nature, it is not a serious infringement and | |||
the damage that the complainant could have suffered has been repaired, putting her in | |||
the same situation she would have been in if she had used the images to file a | |||
complaint. | |||
. There is no intention or negligence in the infringement, since the infringement was "a | |||
consequence of an anomaly in the functioning of the procedures" which, according to | |||
the AEPD, the entity has implemented and which are adequate; the respondent has not | |||
previously been sanctioned for failure to comply with a right and there is not even any | |||
record of complaints at the level of the DPD or complaints forms, which shows that no | |||
errors had occurred to date, thanks to the training it provides to its staff (it provides | |||
documentation on training actions provided); and preventive measures have been | |||
implemented, such as periodic controls and the automation of the process. | |||
. The respondent has cooperated with the Agency and has not waited for the formal | |||
request to modify its procedure. | |||
. The categories of data concerned are image data and do not constitute special | |||
categories of data, as they are processed solely for the purpose of ensuring the | |||
security of persons, property and premises. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
20/61 | |||
This is the understanding of the ECDC in its Guidelines 3/2019: | |||
"Video surveillance systems typically collect massive amounts of personal data that may reveal | |||
data of a highly personal nature and even special categories of data. Indeed, seemingly | |||
insignificant data initially collected through video can be used to infer other information aimed at | |||
achieving a different purpose (e.g. tracking a person's habits). However, video surveillance is | |||
not always considered as processing of special categories of personal data". | |||
The category 'of a particularly sensitive nature' does not exist. An 'ordinary' video | |||
surveillance system does not allow for the prompt identification of data subjects, | |||
basically because there is no other data that could allow for such identification, nor | |||
does it use the data for purposes other than preserving the security of persons, | |||
property and premises. | |||
Moreover, in relation to the aggravating factors considered, it states that the data | |||
processing it carries out is the minimum necessary to carry out its main activity, which | |||
is the sale of food products, and that it is not possible to discriminate against the | |||
capture of images of customers. As regards professionalism in relation to the | |||
processing of data, it again notes that to date it has not been penalised for a lack of | |||
attention to the rights of data subjects, nor has any internal complaint been lodged. | |||
b) Regarding the aggravating factors considered to determine the sanction for non- | |||
compliance with the provisions of article 6 of the GDPR, MERCADONA reiterates what | |||
was expressed in relation to the previous infringement and adds, in relation to the | |||
seriousness of the infringement and intentionality or negligence, that the complainant's | |||
complaint to the establishment for the purposes of claiming damages for civil liability | |||
cannot be linked to a legal obligation to keep the images, which, moreover, article 22.3 | |||
does not establish. MERCADONA is not obliged to keep the images of every event that | |||
has occurred, without the person having requested the images, only in the eventuality | |||
that he/she might request them. It cannot be affirmed that "MERCADONA suppressed | |||
the images despite knowing that the claimant reported the accident and the damages | |||
suffered to the entity, and requested, for this reason, access to said images" because | |||
the entity was not aware of the request for access made. | |||
It also invokes the principle of proportionality and requests, in the alternative, that a | |||
warning or cautionary penalty be imposed or, in any event, that the proposed amount | |||
be reconsidered, as it is not proportionate; finally, it points out that the same conduct | |||
and facts (failure to exercise a right) are being punished by means of two different | |||
penalties, which result in a disproportionate total amount if we consider that the error | |||
has led to an 'anomaly in the operation of those procedures' which has affected a | |||
single person. | |||
7. MERCADONA considers that the reduction for acknowledgement of liability provided | |||
for in article 85 of Law 39/2015, which the Agency limits to the period granted for | |||
submitting allegations at the opening of the procedure, may be applied at any time prior | |||
to the resolution. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
21/61 | |||
According to MERCADONA, the aforementioned article should be considered to | |||
regulate the voluntary and unilateral termination of the procedure by the party | |||
concerned as a "block", determining the options, conditions and their consequences; | |||
and that provision admits that the second form of voluntary termination of the | |||
procedure, voluntary payment, may be made at "any time prior to the decision". | |||
It considers that the proposed decision is the "natural" moment for the assumption of | |||
responsibility by the person concerned, without any infringement or affectation of his | |||
right to defence, contradiction and effective judicial protection. It is that proposal which | |||
determines the proven facts, their classification in the type of offence and the sanction, | |||
after the interested party has presented its allegations and evidence, without being | |||
subject to the initial agreement. | |||
This conclusion is supported by the recent STS 232/2021, of 18 February, (appeal | |||
2201/2020) which deals with the possibility of challenging before the Courts sanctions | |||
handed down in administrative proceedings in which the administrative authority has | |||
recognised its liability and, for the purposes of availing itself of the reductions indicated | |||
in art. 85 LPAC, withdraws or waives the exercise of any action or appeal in | |||
administrative proceedings against the sanction. | |||
In the Third Legal Basis it states: | |||
"However, one thing is that in such cases the possibility of challenging the sanctioning decision | |||
by means of contentious-administrative jurisdiction remains, and quite another that... the | |||
difficulty of successfully challenging the sanctioning decision by means of contentious- | |||
administrative jurisdiction is increased, because this will be the natural consequence of having | |||
recognised their liability in application of the principles of good faith and binding on the acts | |||
themselves (...).) in order for such a challenge to be successful, it will have to provide the court | |||
with a solid explanation that fully justifies the reason why, having first assumed its responsibility | |||
for the offence committed - which entails acknowledgement of the concurrence of the objective | |||
and subjective elements of the offence, i.e., its participation in the criminalised acts and its guilt | |||
- it then maintains the non-existence of the offence in court (...)". | |||
In MERCADONA's opinion, it is clear from that ruling that the acknowledgement of | |||
liability does not imply that the classification of the facts is correct; that it is in | |||
consideration of the circumstances modifying the acknowledged liability, the exact | |||
extent of the participation, whether it is culpable, wilful or merely a slight failure to | |||
comply, the seriousness of the facts and their specific graduation, which may be settled | |||
before the contentious-administrative jurisdiction without increasing the difficulty of | |||
contesting them. | |||
To maintain that liability can only be recognised during the time limit for submitting | |||
allegations would imply, de facto, that the persons administered assume it in order to | |||
benefit from the discount, even if they are only partially in agreement with the | |||
agreement of initiation, transferring the dispute over the aspects in question to the | |||
judicial process. | |||
On the contrary, admitting such recognition at any time prior to the decision, when the | |||
investigation has already been completed and the elements taken into consideration | |||
have been established, eliminates litigation without undermining effective judicial | |||
protection and the right of defence. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
22/61 | |||
Furthermore, the Respondent understands that there is no legal basis for stating that | |||
the time limit is that of allegations to the initiation agreement, because nothing is stated | |||
in the legal text and because there are different "milestones" prior to the resolution, | |||
namely, allegations to the initiation agreement, the hearing process, and the proposal | |||
for resolution, which can be any of them. | |||
This interpretation is supported by the public administrations themselves in different | |||
sanctioning procedures, such as the Catalan Data Protection Agency (procedure | |||
PS8/2019). It also cites report SSPI00043/17, of the Legal Office of the Regional | |||
Government of Andalusia, in relation to Report HPPI00035/17, of 5 July 2017, of the | |||
Legal Department of the Ministry of Finance and Public Administration, which admits | |||
this possibility: | |||
"(...) this interpretation allows us to consider that in this case there is no invalidating defect | |||
either, as there is no harm to the administration, which must continue to carry out the procedure | |||
without the possibility of its early termination. Likewise, it will always be more beneficial for the | |||
administrative body to be able to avail itself of this possibility than not having the option to do | |||
so. Moreover, as we have mentioned, it seems that the wording at least leaves doubts when it | |||
establishes in Art. 85.2 that this can be done "at any time prior to the decision". Therefore, it | |||
really seems that the wording of Art. 85 requires that the initiation agreement determines the | |||
percentage of reduction, rather than the amount, which is why the initiation agreement must | |||
always establish the percentage and, in those cases in which it is possible, the amount, given | |||
that the latter will not always be possible". | |||
Also by the Courts. The Judgment of the High Court of Justice of Madrid, Chamber for | |||
Contentious-Administrative Matters, no. 79/2020, of 6 February, in which the non- | |||
application of art. 85.1 LPACAP is denounced, declares: | |||
"Finally, it should be remembered that art. 85 of Law 39/2015 provides that "when a sanctioning | |||
procedure has been initiated, if the offender acknowledges his or her responsibility, the | |||
procedure may be resolved with the imposition of the appropriate sanction". Section 3 | |||
establishes that, "when the sanction is solely of a pecuniary nature, the body competent to | |||
resolve the procedure shall apply reductions of at least 20% of the amount of the proposed | |||
sanction". | |||
The plaintiff considers that, despite having acknowledged in the statement of allegations made | |||
in the motion for a decision that he was responsible for the failure to declare the money seized, | |||
and even having proposed a penalty of €100 000, the decision to impose a penalty ignores that | |||
circumstance and imposes a fine on him which is totally disproportionate. | |||
In response to this allegation, the State Attorney's Office argues that the circumstances | |||
necessary for its application do not exist, since the statement of allegations of 13 November | |||
2017 does not expressly refer to the recognition of liability, which must be prior to the resolution | |||
of the case once the proposal has been received (...)". | |||
Particularly enlightening is the Judgment of the Audiencia Nacional no. 625/2017, | |||
dated 22/03/2019, which states; | |||
"The sanctioning decision of 21 December 2018 did not take into account that by letters of 4 | |||
December - (allegations to the agreement to initiate the sanctioning proceedings) - and 11 | |||
December 2018 - (allegations to the Proposal for Resolution) - the applicant acknowledged | |||
responsibility for the facts, requested payment from the amount seized, and twice waived the | |||
lodging of an administrative appeal. These | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
23/61 | |||
The written pleadings show a clear intention to terminate the proceedings, in accordance with the | |||
terms of Art. | |||
85.1 of Law 39/2015, and to waive the administrative appeal, proceeding to payment, charged | |||
to the guarantee. Hence, having fulfilled all the conditions required in the second and third | |||
paragraphs of article 85, it was appropriate to accumulate two reductions of 20%". | |||
MERCADONA adds that other regulations governing administrative sanctioning | |||
procedures provide for the possibility of recognising liability at any time prior to the | |||
resolution, and cites the following: | |||
. Law 16/1987, of 30 July, on Land Transport Organisation (LOTT), which in Article | |||
146.3 establishes: | |||
"Payment of the financial penalty prior to the issuing of the sanctioning decision shall imply | |||
conformity with the facts denounced and the waiver of the interested party to make allegations | |||
and the termination of the procedure, although an express decision must be issued". | |||
. Law 13/2017, of 8 November, of the Taxi of the Valencian Community, which in its | |||
article 38.4 establishes; | |||
"Once the sanctioning procedure has been initiated, if the offender acknowledges his or her | |||
responsibility before a decision is issued, the amount of the financial penalty initially proposed | |||
shall be reduced by fifty percent. | |||
. Law 7/2014, of 23 July, on the Protection of Consumers and Users of the Balearic | |||
Islands, which in Article 84 graduates the percentage of discount depending on the | |||
procedural moment in which the recognition of liability occurs. And so: | |||
"1. A reduction of fifty percent of the amount of the sanction corresponding to serious or minor | |||
infringements shall be applied if the alleged offender agrees to the content of the initiating | |||
decision and justifies payment of the aforementioned amount during the fifteen days following | |||
its notification. In this case, it is understood that the interested party waives the right to make | |||
allegations and lodge any type of subsequent appeal. | |||
2. A reduction of twenty percent of the amount of the sanction corresponding to serious or | |||
minor infringements shall be applied if the alleged offender agrees with the content of the | |||
proposed decision and justifies payment of the aforementioned amount during the fifteen days | |||
following its notification. In this case, it is understood that the interested party waives the right to | |||
make allegations and to lodge any type of subsequent appeal". | |||
. Municipal Ordinance on Consumer Affairs of the Madrid City Council, ANM 2011/17, | |||
which in its article 59.1 establishes: | |||
"1. Once a disciplinary proceeding has been initiated, if the offender explicitly acknowledges his | |||
or her responsibility before the decision is taken, the proceeding may be resolved without | |||
further formalities with the imposition of the appropriate fine. In this case, a 30 percent reduction | |||
shall be applied to the total amount of the fine, which must be paid by the interested party | |||
during the voluntary payment period". | |||
Finally, the above interpretation of art. 85 LPACAP is found in article 3 of the recent | |||
Royal Decree 137/2021, of 2 March 2021, which raises it to regulatory status by | |||
establishing: | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
24/61 | |||
"In accordance with the provisions of art. 85.3 of Law 39/2015, of 1 October, in the disciplinary | |||
proceedings referred to in art. 2, if, having initiated a disciplinary proceeding, at any time prior to | |||
the resolution the alleged offender acknowledges his liability, the proceeding may be resolved | |||
with the imposition of the appropriate sanction, and when the sanction is solely financial in | |||
nature, the body competent to resolve and notify the resolution of the proceeding shall apply | |||
reductions of up to 30% of the amount of the proposed sanction". | |||
Therefore, in the event of the AEPD maintaining a sanction or financial penalties, if | |||
voluntary payment and acknowledgement of responsibility is made at any time before | |||
the resolution that implies the termination of the sanctioning procedure, the 40% | |||
discount must be made. | |||
From the actions carried out in the present proceedings and the documentation in the | |||
file, the following have been accredited: | |||
ESTABLISHED FACTS | |||
1. MERCADONA has stated that it provides information on the procedure it follows for | |||
interested parties to exercise their personal data protection rights through different | |||
channels, such as the signs displayed in shops warning that they are in a "Video | |||
Surveillance Area" (the contact address of the company's DPD is indicated); by calling | |||
Customer Services free of charge, which sends an SMS informing them of this | |||
procedure; and through the Privacy Policy available on the website, which includes a | |||
link to the form provided for exercising these rights. According to the information | |||
provided, the Privacy Policy provides the following information: | |||
"You can send us a letter to MERCADONA, S.A. (Asesoría Jurídica Procesos) C/... or | |||
if you have a digital signature issued by the Fábrica Nacional de Moneda y Timbre, via | |||
the | |||
customer | |||
service | |||
form | |||
("https://infor.mercadona.es/es/atencion-al- | |||
customer#destacadosFormulario")". | |||
Once the form has been filled in and sent, the following text will appear automatically | |||
"Thank you, your comment has been sent successfully". | |||
MERCADONA also informs that the interested party, in turn, receives an email to the | |||
email address provided, indicating: "MERCADONA. Your opinion helps us to continue | |||
improving. Dear (name of recipient). Thank you for contacting our Customer Service | |||
Department. Please be informed that we have received your e-mail. We invite you to | |||
consult our frequently asked questions in case you have any further questions"). | |||
According to the information provided by MERCADONA, the application process | |||
follows the following steps: | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
25/61 | |||
"i. The form is registered in the management system (Contact Centre). System managed by the | |||
processing managers. | |||
ii. Once the form is received, the system assigns the request to the manager, according to | |||
certain criteria (typology, workload, productivity, etc. of the manager). | |||
iii. Once the application (form) has been assigned, it is sent to the folder of the assigned | |||
manager, which is accessed via username and password, including all the information and | |||
documents sent by the Client, for processing. | |||
It adds that "there are periodic controls carried out by the coordinators in order to avoid | |||
incidents" and that "the system (Contact Centre) leaves traces and evidence of all the | |||
movements that pass through the system, not allowing the accidental or voluntary | |||
deletion of entries in the system". | |||
2. On ***DATE.1, the claimant suffered an accident on the premises of the entity | |||
located at ***DIRECCION.1. | |||
3. On ***DATE.3, via the MERCADONA website, the complainant filed a complaint with | |||
MERCADONA about the accident that had occurred, receiving a reference for the | |||
case. This complaint was made by e-mail to the address "conducta@mercadona.es", | |||
with the subject "Complaint D201...". This e-mail contains the complainant's name, | |||
surname, e-mail address and telephone number. The commentary includes an account | |||
of the accident suffered (...), the damage caused by the accident to the claimant (.... ) | |||
and the lack of attention to the claim by the defendant's insurer (.... ). | |||
4. On ***DATE.5, the respondent company responded to the complaint described in | |||
the previous Proven Fact by the same means, indicating that the complaint had been | |||
sent to MERCADONA's Customer Service Department, to which future | |||
communications should be addressed (a contact telephone number for this department | |||
and a link to the company's website are indicated). | |||
5. On ***DATE.2, the complainant exercised her right of access to the images from the | |||
security cameras, using the application form available on the MERCADONA website, | |||
under the "Customer Service" tab, as mentioned in the First Proven Fact. This request | |||
contains the name and surname of the complainant, the complainant's postcode and e- | |||
mail address, and the following text in the field entitled "How can we help you" (url: | |||
"https://infor.mercadona.es/ en/atencion-al-cliente#destacadosFormulario"): | |||
"I enclose a request for the right of access to the video surveillance recordings of the | |||
MERCADONA shop ***DIRECCION.1, due to the accident that took place (...)". | |||
As "Attachments" are indicated "DNI" of the claimant and "Request for right of access" | |||
(in this letter it is indicated that the request is motivated by the accident that took place | |||
on ***DATE.1). | |||
6. In response to the complainant's request for the right of access, the complainant | |||
received a reply message, also dated ***DATE.2, with the following text: | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
26/61 | |||
"Thank you, your comment has been sent successfully. | |||
7. On ***DATE.7, the complainant's representative sent an e-mail to MERCADONA | |||
with the following text: | |||
"I am writing to you to establish an initial communication in order to inform you of the | |||
documentation that I have at the moment, in relation to the accident... in which my client was | |||
injured... Also in order to inform you of our intention to request the compensation that according | |||
to the schedule corresponds". | |||
8. On ***DATE.4, the complainant's representative sent an e-mail to the DPD of | |||
MERCADONA, with the following text: | |||
"More than a month ago, my client exercised her right of access to the video | |||
surveillance images, through the channel established in your privacy policy (via the | |||
customer | |||
service | |||
form: | |||
https://info.mercadona.es/es/atencion-al- | |||
customer#detailsForm), and she has still not received a reply. | |||
Please send these images to him as they correspond to (...)". | |||
9. On ***DATE.9, MERCADONA sent an e-mail to the complainant with the subject | |||
"Right of access" and the following text: | |||
"After checking internally, we inform you that we are not aware of any request for access to | |||
images, nor of the documentation that according to data protection regulations is necessary to | |||
manage any right of access, neither from your client (Ms...) nor from you. | |||
We should add that we no longer have any of the images from the date requested (***DATE.1), | |||
all in accordance with art. 6 of Instruction 1/2006, of 8 November, of the AEPD, which | |||
establishes that "The data will be cancelled within a maximum period of one month from their | |||
capture". | |||
Yours sincerely. | |||
Legal Div. MERCADONA Proceedings". | |||
10. On 09/02/2021, MERCADONA sent the complainant a burofax in the same terms | |||
as the letter described in the ninth proven fact. | |||
THE LEGAL BASIS | |||
I | |||
By virtue of the powers that Article 58.2 of the GDPR recognises to each supervisory | |||
authority, and in accordance with the provisions of Articles 47 and 48 of the | |||
LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate | |||
and resolve this procedure. | |||
Article 63.2 of the LOPDGDD determines that: "The procedures processed by the | |||
Spanish Data Protection Agency shall be governed by the provisions of the RGPD, in | |||
this Organic Law, by the regulatory provisions issued in its development and, insofar | |||
as they do not contradict them, subsidiarily, by the general rules on administrative | |||
procedures". | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
27/61 | |||
II | |||
During the investigation of the procedure, the complainant has informed this Agency | |||
that she has reached an agreement with the entity complained of, whereby the | |||
damages suffered in the area of civil liability and for the non-fulfilment of the right of | |||
access have been compensated, requesting that her claim be considered to have been | |||
met and that the present sanctioning procedure be closed. | |||
In this regard, article 63.1 of Law 39/2015, of 1 October, on the Common | |||
Administrative Procedure of Public Administrations (LPACAP) establishes that | |||
"proceedings of a sanctioning nature shall always be initiated ex officio by agreement | |||
of the competent body". In the same vein, Article 64.2 of the LOPDGDD provides that | |||
proceedings aimed at determining the possible existence of an infringement of the | |||
provisions of the GDPR "shall be initiated by means of an agreement adopted on its | |||
own initiative or as a result of a complaint". | |||
Thus, the fact that the claimant withdraws her complaint does not imply that the | |||
sanctioning procedure initiated has been closed, given that the same is initiated and | |||
processed in all its phases ex officio, with this Agency being responsible for | |||
determining whether the personal data protection regulations have been breached and | |||
the scope that should be given to said breach. | |||
It is irrelevant, for these purposes, what agreement the claimant and the respondent | |||
may have signed to repair the damages suffered by the claimant, as well as the internal | |||
disciplinary measures that the respondent claims to have adopted. | |||
In accordance with the foregoing, the position defended by MERCADONA in its | |||
submissions cannot be accepted when it states that the aforementioned agreement | |||
between the parties has restored the guarantees and rights of the interested party. The | |||
"reparation" of the damage suffered to which MERCADONA refers cannot exonerate it | |||
from liability arising from the breaches of the regulations that have occurred, the | |||
application of which is obviously not conditioned by any agreements that may arise | |||
between private individuals. Only when the data controller proves that "it is in no way | |||
responsible for the event that has caused the damage" will it be exempt from liability, in | |||
accordance with the provisions of article 82.3 of the GDPR. | |||
Such compensation may compensate for the damages suffered by the claimant, but it | |||
does not restore her guarantees and rights in a case arising from the exercise of the | |||
right of access, which cannot be granted as the personal data to which the request | |||
referred have been deleted. | |||
On the other hand, where any imputable liability arises from the facts established, the | |||
fact that the entity in question has not previously been sanctioned for infringements of | |||
an identical nature, or the adoption of measures aimed at avoiding future | |||
infringements, cannot serve as an argument for not opening the sanctioning procedure | |||
to assess those liabilities and determine the applicable consequences, i.e. the | |||
corrective powers that should be applied. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
28/61 | |||
apply in each case. | |||
The same can be said where the alleged infringement affects only one interested party. | |||
Sanctioning proceedings are not reserved for cases, such as the one cited by | |||
MERCADONA in its allegations, in which the conduct of the responsible entity is | |||
configured as a general action affecting a number of parties in the same situation. | |||
III | |||
MERCADONA considers that the agreement to initiate the procedure has not | |||
sufficiently justified the initiation of the procedure or specified the aspects justifying | |||
such initiation, thereby limiting its rights of defence. | |||
For the same reasons, MERCADONA considers that the principle of criminalisation has | |||
been infringed. In this regard, MERCADONA argues that the decision to initiate | |||
proceedings does not specify the infringing conduct, does not specify which | |||
paragraphs and letters of Articles 6 and 22 are considered to have been infringed, and | |||
does not explain why the fact of having deleted images within the legally established | |||
time limit and not having responded to a right of access due to human error constitutes | |||
a breach of the conditions of lawfulness. In his final submissions, he states that the | |||
infringements and legal reasoning have not been specified until the motion for a | |||
decision. | |||
This Agency does not share the position expressed by the Respondent in relation to | |||
the content of the agreement to initiate the present sanctioning procedure. | |||
In the opinion of this Agency, the initiation agreement issued complies with the | |||
provisions of Article 68.1 of the LOPDGDD, which establishes the minimum content | |||
required, the elements that must be detailed in the aforementioned agreement to | |||
determine its validity. According to this article, it is sufficient for the agreement to | |||
initiate the procedure to specify the facts that motivate its initiation, identify the person | |||
or entity against whom the procedure is directed, the infringement that may have been | |||
committed and its possible sanction (in this case, of the different corrective powers | |||
contemplated in Article 58.2 of the GDPR, the Agency considered it appropriate to | |||
impose a fine, in addition to the adoption of measures to bring its actions into line with | |||
the regulations, without prejudice to what may result from the investigation of the | |||
procedure). | |||
In the same sense, Article 64.2 of the LPACAP expressly establishes the minimum | |||
content of the initiation agreement. According to this precept, among other details, it | |||
must contain "the facts that motivate the initiation of the procedure, its possible legal | |||
qualification and the sanctions that may correspond, without prejudice to what results | |||
from the investigation". | |||
In this case, not only are the aforementioned requirements amply met, but it goes | |||
further by offering reasoning that justifies the possible legal classification of the facts | |||
assessed at the outset and even mentions the circumstances that may influence the | |||
determination of the sanction, which undoubtedly benefits the interested party, whose | |||
right of defence is strengthened and favoured. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
29/61 | |||
In relation to the request for the right of access made by the complainant, the rules | |||
governing the formal aspects relating to the exercise of rights were reviewed, and it | |||
was highlighted that the deadline for responding to the request had passed without the | |||
complainant obtaining the response she was due from MERCADONA, concluding that | |||
these facts could constitute an infringement of Article 83.5.b) of the RGPD and Article | |||
74.c) of the LOPDGDD, for breach of the provisions of Article 12, paragraphs 2 and 3, | |||
of the RGPD, in relation to Article 15 of the aforementioned Regulation, without | |||
prejudice to the outcome of the investigation. | |||
Moreover, the decision to initiate the procedure, after reproducing Article 6 of the | |||
GDPR, which refers to the "lawfulness of the processing", emphasises that the removal | |||
or "erasure" of the images to which the complainant's right of access refers constitutes | |||
the processing of personal data. | |||
On the deletion of images captured by video surveillance systems, paragraphs 1 to 3 of | |||
Article 22 of the LOPDGDD are reproduced below. | |||
The circumstances and purposes that determined the complainant's actions were | |||
highlighted and it was emphasised that, despite this, MERCADONA proceeded to | |||
delete the images requested by the complainant, in order to conclude that these facts | |||
could constitute a breach of the provisions of Article 6 of the GDPR, in relation to | |||
Article 22 of the LOPDGDD, constituting an infringement as defined in Article 83.5.a) of | |||
the GDPR and 72.1.b) of the LOPDGDD ("The processing of personal data without | |||
meeting any of the conditions of lawfulness of processing set out in Article 6 of | |||
Regulation (EU) 2016/679"). | |||
In short, this Agency understands that the agreement to initiate proceedings has | |||
allowed MERCADONA to know the facts that gave rise to the initiation of the | |||
proceedings and their possible legal classification. Proof of this are the allegations | |||
made by this entity, which are directly related to the above. | |||
The alleged lack of defence cannot therefore be upheld. Defence with legal | |||
significance arises only where the person concerned is unjustifiably prevented from | |||
seeking protection of his rights and legitimate interests or where the infringement of | |||
procedural or procedural rules results in the deprivation of the right to a defence, with | |||
the consequent real and effective harm to the interests of the affected party by being | |||
deprived of his right to allege, prove and, where appropriate, to reply to opposing | |||
arguments (STC 31/1984, of 7 March, STC 48/1984, of 4 April, STC 70/1984, of 11 | |||
June, STC 48/1986, of 23 April, STC 155/1988, of 22 July, and STC 58/1989, of 16 | |||
March, among many others). It is worth mentioning STC 78/1999, of 26 April, which in | |||
its Legal Basis 2, states: | |||
"In order for a defence with constitutional relevance, which places the interested party at the | |||
margin of any possibility of alleging and defending his or her rights in the proceedings, to be | |||
considered a defence with constitutional relevance, it is not sufficient for a merely formal | |||
infringement, as it is necessary that this formal infringement has a material effect of defence, an | |||
effective and real impairment of the right of defence (STC 149/1998, legal ground 3), with the | |||
consequent real and effective harm to the interested parties affected (SSTC 155/1988, legal | |||
ground 4, and 112/1989, legal ground 2)". | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
30/61 | |||
In any event, as MERCADONA rightly points out in its allegations, it is the resolution | |||
proposal issued once the procedure has been carried out that establishes the facts that | |||
are considered proven and their exact legal classification, determines the infringement | |||
that they may constitute, the person or persons responsible and the proposed sanction. | |||
This proposal must be notified to the interested party, who is granted a period in which | |||
to make allegations and submit the documents and information deemed relevant. In no | |||
case shall a decision be adopted without the interested party having had the | |||
opportunity to express his or her views on all the points considered. | |||
Therefore, the submissions made by MERCADONA do not contain any arguments that | |||
would change this approach and the conclusion reached. | |||
MERCADONA, in this case, has seen that all the guarantees for the interested party | |||
provided for in the procedural regulations have been respected. | |||
IV | |||
Pursuant to Article 55 of the GDPR, the Spanish Data Protection Agency is competent | |||
to perform the functions assigned to it in Article 57 of the GDPR, including enforcing | |||
the Regulation and promoting awareness among controllers and processors of their | |||
obligations, as well as dealing with complaints lodged by a data subject and | |||
investigating the grounds for such complaints. | |||
Article 31 of the GDPR establishes the obligation of controllers and processors to | |||
cooperate with the supervisory authority on request in the performance of its tasks. In | |||
the event that they have appointed a data protection officer, Article 39 of the GDPR | |||
confers on the latter the task of cooperating with the supervisory authority. | |||
Similarly, the domestic legal system, in Article 65.4 of the LOPDGDD, has provided for | |||
a mechanism prior to the admission for processing of claims made to the Spanish Data | |||
Protection Agency, which consists of transferring them to the data protection officers | |||
designated by the data controllers or data processors, for the purposes provided in | |||
Article 37 of the aforementioned law, or to the latter when they have not been | |||
designated, so that they may proceed to analyse the claims and respond to them within | |||
a period of one month. | |||
In accordance with these regulations, prior to the admission for processing of the | |||
complaint that gave rise to this procedure, the complaint was transferred to the entity | |||
responsible so that it could proceed with its analysis, provide this Agency with a | |||
response within a period of one month and accredit that it had provided the claimant | |||
with the appropriate response, in the event of the exercise of the rights regulated in | |||
Articles 15 to 22 of the GDPR. | |||
The result of this transfer was not satisfactory. Consequently, on 16/04/2021, for the | |||
purposes set out in Article 64.2 of the LOPDGDD, the Spanish Data Protection Agency | |||
agreed to admit for processing the complaint that gave rise to the present proceedings. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
31/61 | |||
In the case of a claim for failure to respond to a request to exercise the rights | |||
established in Articles 15 to 22 of the RGPD, in general, the procedure regulated in | |||
Article 64.1 of the LOPDGDD is followed, according to which: | |||
"Where the procedure relates exclusively to the failure to deal with a request for the exercise of | |||
the rights laid down in Articles 15 to 22 of Regulation (EU) 2016/679, it shall be initiated by an | |||
agreement on admissibility, which shall be adopted in accordance with the following Article. | |||
In this case, the time limit for resolving the procedure shall be six months from the date on | |||
which the claimant was notified of the decision to admit the claim for processing. Once this | |||
period has elapsed, the interested party may consider their claim to have been upheld". | |||
On the contrary, when the procedure does not relate exclusively to the fulfilment of a | |||
request for the exercise of rights, it is appropriate to determine administrative liability in | |||
the context of a sanctioning procedure, and it is the exclusive competence of this | |||
Agency to assess whether there is administrative liability that should be determined in | |||
a procedure of this nature and, consequently, to decide whether to initiate such a | |||
procedure. Contrary to MERCADONA's allegations in its submissions, this | |||
determination of responsibilities cannot be agreed in a proceeding for lack of attention | |||
to rights. | |||
This specific regime with regard to proceedings before data protection supervisory | |||
authorities is also provided for in the GDPR. Chapter VIII of the GDPR is entitled | |||
'Remedies, Liability and Sanctions', and the first article of Chapter VIII, Article 77(1), | |||
provides for the right to lodge a complaint with a supervisory authority: | |||
"Without prejudice to any other administrative or judicial remedy, every data subject shall have | |||
the right to lodge a complaint with a supervisory authority, in particular in the Member State in | |||
which he or she has his or her habitual residence, place of work or place of the alleged | |||
infringement, if he or she considers that the processing of personal data relating to him or her | |||
infringes this Regulation". | |||
In turn, Article 79 of the same Regulation provides that 'without prejudice to any | |||
available administrative or non-judicial remedy, including the right to lodge a complaint | |||
with a supervisory authority pursuant to Article 77, every data subject shall have the | |||
right to an effective judicial remedy where he/she considers that his/her rights under | |||
this Regulation have been infringed as a result of the processing of his/her personal | |||
data'. | |||
Therefore, a 'complaint' from an individual may give rise to two types of proceedings, | |||
one relating to breaches of the GDPR in general and the other to infringements of his | |||
or her rights. | |||
This distinction is also reflected in Title VIII of the LOPDGDD, which jointly regulates | |||
the "proceedings in the event of a possible breach of data protection legislation". Thus, | |||
its Article 63.1, "Legal regime", includes (a) procedures in the event of a breach of the | |||
GDPR and the LOPDGDD itself and (b) those arising from a possible infringement of | |||
data subjects' rights. The LOPDGDD does not provide for any additional type of | |||
procedure in case of a possible breach of data protection law, so that all the functions | |||
and powers that | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
32/61 | |||
The procedures provided by the GDPR to the supervisory authorities in Art. 57 and 58 | |||
GDPR will have to be exercised through these procedures in the event of a possible | |||
breach of data protection law. No other procedures exist. | |||
It follows, also taking into account art. 64 LOPDGDD, that when the procedure is | |||
directed exclusively at the lack of attention to a request for the rights under articles 15 | |||
to 22 RGPD a complaint will be necessary, but that (art. 64.2 LOPDGDD) "[w]hen the | |||
procedure is aimed at determining the possible existence of an infringement of the | |||
provisions of Regulation (EU) 2016/679 and this organic law, it shall be initiated by | |||
means of a commencement agreement adopted on its own initiative or as a result of a | |||
complaint". In other words, both the GDPR and the LOPDGDD consider that a | |||
complaint from an affected party may be the way or means of bringing a possible | |||
infringement of data protection regulations to the attention of the supervisory authority, | |||
but in no case does it restrict the supervisory authority's action to the specific and | |||
concrete complaint of the affected parties. | |||
To do otherwise would be inconsistent with the purpose and intention of the EU | |||
legislator, expressly stated in the GDPR, that supervisory authorities should monitor | |||
and enforce the GDPR, and with the provision in the GDPR that 'breaches' of data | |||
protection law may be brought to light through 'complaints' which may go beyond the | |||
individual complaints made. | |||
In relation to this issue, MERCADONA has argued that in a case referring exclusively | |||
to the failure to respond to a request for the exercise of rights, the procedure regulated | |||
in Article 64.1 of the LOPDGDD, and it is not appropriate to open a disciplinary | |||
procedure, the exceptional nature of which has been made clear by the AEPD in | |||
various actions it cites, stating that "whenever possible, alternative mechanisms should | |||
be chosen to prevail in the event that they are covered by the regulations in force..." | |||
and that there must be elements that justify the initiation of the disciplinary procedure. | |||
In this case, in the opinion of this Agency, as indicated in the opening agreement, there | |||
are elements that justify the initiation of the sanctioning activity, considering that the | |||
procedure provided for in article 64.1 of the aforementioned LOPDGDD would not duly | |||
restore the guarantees and rights of the interested parties. In this case, the right | |||
exercised was for the purpose of gaining access to images that the responsible entity | |||
deleted before the complaint was filed, and therefore the processing of a procedure for | |||
failure to address an exercise of the rights regulated in Articles 15 to 22 of the GDPR, | |||
whose ultimate purpose is to resolve whether or not to address the right exercised, in | |||
this case, whether or not to provide the complainant with images that no longer existed, | |||
was pointless. | |||
In addition, considering the circumstances described above, it appears that | |||
MERCADONA's actions go beyond the failure to respond in time to the respondent's | |||
request for access, and it was considered appropriate to analyse in this procedure the | |||
scope, from the point of view of the protection of personal data, that should be given to | |||
the processing of data consisting of the deletion of the images requested by the | |||
complainant, their possible unlawfulness and the responsibility that this fact | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
33/61 | |||
may entail for the defendant entity. This is an extreme that can in no way be carried out | |||
within the framework of the procedure regulated in article 64.1 of the LOPDGDD. | |||
The respondent has also argued that there are similar precedents in which the AEPD | |||
has followed the procedure regulated in Article 64.1 of the LOPDGDD and that the | |||
CEPD itself, in its Guidelines 3/2019, pronounces in the same sense. However, both | |||
the CEPD statement referred to by MERCADONA and the precedents cited, two of | |||
which refer to requests to exercise rights formulated when the images had already | |||
been deleted. In procedure number TD/01272/2017, the request for access is made on | |||
14/04/2017 and requires images captured on 14/11/2016 (the complaint was rejected); | |||
and file number TD/00955/2018 analyses a request dated 20/03/2018 in which the | |||
interested party requests images captured on 25/11/2017 (the complaint was upheld as | |||
the request for access was not answered by the data controller). The third precedent | |||
cited, number TD/00830/2017, was upheld due to lack of response and, although the | |||
complaint refers to access to images captured by a video surveillance system, the | |||
request for access that gave rise to the complaint did not specify this object nor did it | |||
refer to the date on which the alleged images were captured. | |||
Thus, in those precedents there was no responsibility for the deletion of the data, one | |||
of the cases being dismissed and in two of them only the lack of response within the | |||
deadline was assessed, giving rise to a resolution that formally upholds the complaint | |||
and obliges the entity complained of to duly respond to the respective complainant, | |||
informing him/her in the sense expressed by the CEPD in those Guidelines (no data | |||
exists). | |||
With regard to the proceedings under number E/02434/2020, also cited by the | |||
defendant, it should be noted that the decision to close the case took into account that | |||
the facts transmitted were part of an alleged criminal conduct, for which there was a | |||
legal case sub iudice, and that the circumstances that led to the removal of the images | |||
were not known. | |||
Finally, MERCADONA argues that there is no justification for initiating sanctioning | |||
proceedings because only Article 12 has been breached in relation to the right of | |||
access exercised, and argues that the alleged infringement is defined as "Failure to | |||
respond to requests to exercise the rights established in Articles 15 to 22 of the | |||
Regulation". As the respondent rightly states, this non-compliance constitutes an | |||
infringement and gives rise to the determination of responsibilities. To understand that | |||
this non-compliance can only be dealt with through the procedure for failure to comply | |||
with rights is as much as to understand that this type of infringement does not apply in | |||
any case. | |||
Finally, it should be noted that no rule prevents the body exercising the sanctioning | |||
power, when it determines the opening of a sanctioning procedure, always ex officio | |||
(art. 63.1 Law 39/2015, of 1 October), from determining its scope in accordance with | |||
the circumstances revealed, even if they do not strictly conform to the statements and | |||
claims of the claimant. That is to say, the agreement to initiate the sanctioning | |||
procedure is not constrained by the | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
34/61 | |||
complaint submitted by the individual. This does not occur in the case of procedures | |||
processed at the request of the interested party, in which article 88.2 of the LPACAP | |||
requires that the resolution be congruent with the requests made by the interested | |||
party. Even in this case, the administration's power to initiate a new procedure ex | |||
officio remains unaffected. | |||
This same article 88 of the LPACAP, referring to the content of the decision, in section | |||
1 establishes the obligation to decide on all the issues raised by the interested parties | |||
and any others arising from the procedure, including related issues not raised by the | |||
interested parties. This article expressly states the following: | |||
"1. The decision terminating the procedure shall decide all the issues raised by the interested | |||
parties and all other issues arising from the procedure. | |||
In the case of related questions which have not been raised by the interested parties, the | |||
competent body may rule on them, first making them known to the interested parties for a | |||
period of no more than fifteen days, so that they may present the arguments they deem | |||
relevant and provide, where appropriate, the means of proof. | |||
In the sanctioning procedure, account shall also be taken of the facts that come to light | |||
during its investigation, which shall be determined in the proposed decision, and may | |||
lead to the modification of the charges contained in the agreement to initiate the | |||
procedure or their legal qualification. | |||
In this sense, when referring to the specialities of the decision in sanctioning | |||
procedures, Article 90 of the LPACAP establishes: | |||
"2. The decision may not accept facts other than those established in the course of the | |||
proceedings, irrespective of their different legal assessment...". | |||
V | |||
The rights of individuals with regard to personal data protection are regulated in articles | |||
15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. The rights of access, | |||
rectification, erasure, opposition, the right to limitation of processing and the right to | |||
portability are contemplated. | |||
The formal aspects relating to the exercise of these rights are set out in Articles 12 of | |||
the GDPR and 12 of the LOPDGDD. | |||
Article 12 "Transparency of information, communication and procedures for exercising | |||
rights" of the GDPR provides as follows: | |||
"The controller shall take appropriate steps to provide the data subject with any information | |||
referred to in Articles 13 and 14, as well as any communication pursuant to Articles 15 to 22 | |||
and 34 concerning processing, in a concise, transparent, intelligible and easily accessible form, | |||
in clear and plain language, in particular any information specifically addressed to a child. The | |||
information shall be provided in writing or by other means, including, where appropriate, by | |||
electronic means. Where requested by the data subject, information may be provided orally, | |||
provided that the identity of the data subject is proved by other means. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
35/61 | |||
2. The controller shall facilitate the data subject's exercise of his or her rights under Articles 15 | |||
to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the | |||
request of the data subject for the purpose of exercising his or her rights under Articles 15 to | |||
22, unless he or she can demonstrate that he or she is unable to identify the data subject. | |||
3. The controller shall provide the data subject with information relating to its actions on the | |||
basis of a request pursuant to Articles 15 to 22 without undue delay and in any event within one | |||
month of receipt of the request. This period may be extended by a further two months if | |||
necessary, taking into account the complexity and number of requests. The controller shall | |||
inform the data subject of any such extension within one month of receipt of the request, stating | |||
the reasons for the delay. Where the data subject submits the request by electronic means, the | |||
information shall be provided by electronic means where possible, unless the data subject | |||
requests otherwise. | |||
4.If the controller does not act on the data subject's request, it shall inform the data subject | |||
without delay, and at the latest within one month of receipt of the request, of the reasons for its | |||
failure to act and of the possibility of lodging a complaint with a supervisory authority and of | |||
taking legal action. | |||
5.Information provided pursuant to Articles 13 and 14 as well as any communication and any | |||
action taken pursuant to Articles 15 to 22 and 34 shall be free of charge. Where requests are | |||
manifestly unfounded or excessive, in particular because of their repetitive character, the | |||
controller may (a) charge a reasonable fee having regard to the administrative costs incurred in | |||
providing the information or communication or taking the action requested, or (b) refuse to act | |||
on the request. The controller shall bear the burden of demonstrating that the request is | |||
manifestly unfounded or excessive. | |||
6.Without prejudice to Article 11, where the controller has reasonable doubts as to the identity | |||
of the natural person making the request referred to in Articles 15 to 21, the controller may | |||
request the provision of additional information necessary to confirm the identity of the data | |||
subject. | |||
7.The information to be provided to data subjects pursuant to Articles 13 and 14 may be | |||
transmitted in combination with standardised icons which provide an easily visible, intelligible | |||
and clearly legible overview of the intended processing in an easily visible, intelligible and | |||
clearly legible form. Icons presented in electronic form shall be machine-readable. | |||
8.The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to | |||
specify the information to be presented through icons and the procedures for providing | |||
standardised icons". | |||
Article 12 "General provisions on the exercise of rights" states that | |||
of the LOPDGDD, paragraphs 2 and 4, adds the following: | |||
"The controller shall be obliged to inform the data subject of the means at his disposal to | |||
exercise the rights to which he is entitled. The means must be easily accessible to the data | |||
subject. The exercise of the right may not be refused on the sole ground that the data subject | |||
has opted for another means". | |||
"4. Proof of compliance with the duty to respond to the data subject's request to exercise his or | |||
her rights shall lie with the data controller". | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
36/61 | |||
Account is also taken of the provisions of Recitals 59 et seq. of the GDPR. | |||
In accordance with the provisions of these rules, the controller must provide | |||
arrangements and mechanisms to facilitate the exercise of the data subject's rights, | |||
which shall be free of charge (without prejudice to Articles 12(5) and 15(3) of the | |||
GDPR); it is obliged to respond to requests made within one month at the latest, unless | |||
it can demonstrate that it is unable to identify the data subject; and to state its reasons | |||
if it does not comply with the request. | |||
It follows from the foregoing that the data subject's request to exercise his or her rights | |||
must be answered in any case, with the controller bearing the burden of proof of | |||
compliance with this duty. | |||
This obligation to act does not apply where the controller can demonstrate that it is not | |||
in a position to identify the data subject (in the cases referred to in Article 11(2) of the | |||
GDPR). In cases other than those provided for in this Article, where the controller has | |||
reasonable doubts as to the identity of the data subject, the controller may request | |||
additional information necessary to confirm the identity of the data subject. | |||
In this respect, Recital 64 of the GDPR is expressed in the following terms: | |||
"(64) The controller should use all reasonable measures to verify the identity of data subjects | |||
requesting access, in particular in the context of online services and online identifiers. The | |||
controller should not retain personal data for the sole purpose of being able to respond to | |||
possible requests". | |||
As regards the right of access, the GDPR stipulates in Article 15 as follows: | |||
"The data subject shall have the right to obtain from the controller confirmation as to whether or | |||
not personal data relating to him or her are being processed and, if so, the right of access to the | |||
personal data and to the following information: | |||
a) the purposes of the processing; | |||
b) the categories of personal data concerned; | |||
c) the recipients or categories of recipients to whom the personal data have been or will be | |||
disclosed, in particular recipients in third countries or international organisations; | |||
d) if possible, the envisaged period of retention of personal data or, if not possible, the criteria | |||
used to determine this period; | |||
e) the existence of the right to request from the controller the rectification or erasure of personal | |||
data or the restriction or objection to the processing of personal data relating to the data | |||
subject; | |||
f) the right to lodge a complaint with a supervisory authority; | |||
g) where the personal data have not been obtained from the data subject, any available | |||
information on their origin; | |||
h) the existence of automated decisions, including profiling, as referred to in Article 22(1) and | |||
(4), and, at least in such cases, meaningful information about the logic involved and the | |||
significance and expected consequences of such processing for the data subject". | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
37/61 | |||
2. Where personal data are transferred to a third country or to an international organisation, the | |||
data subject shall have the right to be informed of the appropriate safeguards pursuant to | |||
Article 46 concerning the transfer. | |||
3. The controller shall provide a copy of the personal data undergoing processing. The controller | |||
may charge for any further copies requested by the data subject a reasonable fee based on the | |||
administrative costs. Where the data subject makes the request by electronic means, and | |||
unless the data subject requests otherwise, the information shall be provided in a commonly | |||
used electronic format. | |||
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and | |||
freedoms of others". | |||
Like the other rights of the data subject, the right of access is a very personal right. It | |||
allows the citizen to obtain information on how his or her data are being processed, the | |||
possibility to obtain a copy of the personal data concerning him or her that are being | |||
processed, as well as the information listed in the above-mentioned article. | |||
In the present case, the complainant is a customer of the respondent entity. It is stated | |||
that, on ***DATE.1, she visited the establishment of the responsible entity located at | |||
***DIRECCION.1, for which reason her image was captured by the video-surveillance | |||
system installed in that centre. | |||
Subsequently, following the procedure provided by MERCADONA for the exercise of | |||
personal data protection rights, the complainant exercised her right of access to her | |||
personal data, specifically requesting the images captured by the security cameras (the | |||
text of the request is as follows: "I attach a request for the right of access to the video | |||
surveillance recordings of the MERCADONA establishment ***DIRECCION.1, (...)"). | |||
This right was exercised on ***DATE.2, using the form available on the Respondent's | |||
website, under the "Customer Service" tab, attaching a file corresponding to the | |||
request for access and a copy of the ID card. | |||
In response to the submission of the above-mentioned form, the information system | |||
sent the complainant a message with the text "Thank you, your comment has been | |||
sent successfully". | |||
After the established deadline, this request did not receive the legally required | |||
response, which gave rise to the complaint that gave rise to the present procedure, | |||
submitted on 31/12/2020. | |||
The uncontested facts are (i) that the claimant exercised her right of access to her | |||
personal data before MERCADONA, using one of the mechanisms provided by the | |||
respondent itself, such as the form available on the company's website, which can also | |||
be accessed via a link included in the Privacy Policy; and (ii) that this request for | |||
access to personal data was not answered by the data controller within the established | |||
period. | |||
The aforementioned rules do not allow the request to be ignored as if it had not been | |||
made, leaving it without the response that must necessarily be issued by the | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
38/61 | |||
The data subject shall be held responsible, even in the event that the data subject's | |||
details do not exist in the entity's files or even in those cases in which they do not meet | |||
the requirements, in which case the addressee of the request is also obliged to request | |||
the rectification of the deficiencies observed or, where appropriate, reject the request, | |||
stating the reasons for which the right in question should not be considered. | |||
Therefore, the request that is made obliges the data controller, in any case, to give an | |||
express reply to the data subject, informing him/her of the decision that has been taken | |||
regarding the request for the exercise of rights, using any means that justifies the | |||
receipt of the reply. | |||
MERCADONA has not disputed that it received the complainant's request for the right | |||
of access. However, it alleges an involuntary human error in the handling of the | |||
request, which caused it not to reach the attention of the DPD or his team, and the | |||
consequent lack of attention to the request. On this basis, he invoked the principle of | |||
culpability, pointing out that so-called strict liability has no place in administrative | |||
sanctioning law, so that the mere commission of an administrative infringement is not | |||
sufficient when it comes to imposing an administrative sanction, as there must be wilful | |||
or negligent conduct. | |||
In this respect, it adds that it acts with the utmost diligence in all processes, that it has | |||
a simple procedure for the exercise of rights through various channels, about which it | |||
duly informs customers, and that it applies a procedure for processing applications that | |||
has been error-free so far and about which it provides constant training to the persons | |||
in charge, and which will be adjusted to avoid similar incidents. | |||
According to the management process designed by MERCADONA, requests to | |||
exercise rights are received by the Customer Service Department, which subsequently | |||
transmits them to the DPD by means of a manual process. In this case, she alleges | |||
that due to an involuntary human error, the complainant's request did not reach the | |||
DPD, preventing it from being dealt with, and that this has given rise to the appropriate | |||
disciplinary actions. | |||
However, MERCADONA has not even explained what the alleged human error | |||
consisted of. However, it appears from its written allegations that the claimant's request | |||
was not dealt with because one of the managers of the Customer Service Department | |||
("manager" in the terms of the entity itself) did not forward the request to the DPD. The | |||
Agency understands that this is tantamount to not following up on the request, to not | |||
processing it according to the internal channels designed by the same, which cannot | |||
be admitted as an involuntary error. | |||
The incident occurred within MERCADONA's sphere of responsibility and | |||
MERCADONA must be held liable for it. In no way can the error alleged to have been | |||
made be considered to exclude its liability, since, according to settled case law, the | |||
existence of such an error cannot be considered to exist when it is attributable to the | |||
person who suffers it or could have been avoided with the use of greater diligence. In | |||
this case, the alleged error is incompatible with the diligence that the defendant is | |||
obliged to observe. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
39/61 | |||
This diligence must be shown in the specific case under analysis, in respect of which | |||
the error is alleged, and not in the general circumstances alleged by MERCADONA to | |||
justify its diligent action, such as having procedures for managing applications for the | |||
exercise of rights or the absence of errors in the past, nor the fact of having taken | |||
measures to avoid future incidents. Nor can the training provided to the Respondent's | |||
employees be taken as a circumstance that prevents the claimant from being held | |||
liable for the specific irregular conduct. | |||
In the specific case of the claimant, it cannot be accepted that the actions of the | |||
respondent entity, in not processing the request for access to personal data, were | |||
diligent. To admit that MERCADONA cannot be held liable for not responding to an | |||
exercise of data protection rights, based on an alleged involuntary error consisting of | |||
not processing the request, would be tantamount to admitting that the application of the | |||
RGPD and the LOPDGDD can be ignored, undermining the entire system for | |||
exercising rights established therein, which expressly contemplates the obligation to | |||
respond to such requests in all cases and the consequences of not complying with this | |||
regulatory requirement. | |||
In this respect, it should be remembered that when the error is the result of a lack of | |||
diligence, the standard is applicable. The Audiencia Nacional in its ruling of 21 | |||
September 2004 (RCA 937/2003), pronounced in the following terms: | |||
"Furthermore, as regards the application of the principle of culpability, it follows (following the | |||
criterion of this Chamber in other judgments such as that of 21 January 2004 in appeal | |||
1139/2001) that the commission of the offence provided for in Article 44.3.d) can be either | |||
intentional or negligent. And in this sense, if the error is a sign of a lack of diligence, the type of | |||
offence is applicable, because although the principle of culpability governs in sanctioning | |||
matters, as can be inferred from a simple reading of Art. 130 of Law 30/1992, the fact is that the | |||
expression "simple failure to comply" in Art. 130.1 of Law 30/1992, allows the imposition of the | |||
sanction, without doubt in cases of malice, and also in cases of negligence, in which failure to | |||
comply with the duty of care is sufficient". | |||
In this line, it is worth citing the SAN of 21 January 2010, in which the Audiencia | |||
explains: | |||
"The appellant also maintains that there was no culpability in his actions. It is true that the | |||
principle of culpability prevents the admission of strict liability in administrative sanctioning law, | |||
but it is also true that the absence of intentionality is secondary, since this type of infringement | |||
is normally committed through negligent or culpable action, which is sufficient to include the | |||
subjective element of culpability. XXX's actions are clearly negligent because... it must be | |||
aware of... the obligations imposed by the LOPD on all those who handle personal data of third | |||
parties. XXX is obliged to guarantee the fundamental right to the protection of personal data of | |||
its clients and hypothetical clients with the intensity required by the content of the right itself". | |||
The principle of culpability is required in the sanctioning procedure and thus STC | |||
246/1991 considers liability without fault inadmissible in the field of administrative | |||
sanctioning law. However, the principle of fault does not imply that only intentional or | |||
voluntary action can be sanctioned, and in this regard, Article 28 of Law 40/2015 on the | |||
Legal Regime of the Public Sector, under the rubric | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
40/61 | |||
"Responsibility", provides as follows: | |||
"1. Only natural and legal persons, as well as, when a law recognises their capacity to act, | |||
groups of affected persons, unions and entities without legal personality and independent or | |||
autonomous estates, who are responsible for them through intent or negligence, may be | |||
sanctioned for acts constituting an administrative offence. | |||
The facts set out in the preceding Fundamento show that MERCADONA did not act | |||
with the diligence to which MERCADONA was obliged, that it acted with a lack of | |||
diligence. The Supreme Court (Judgments of 16 and 22/04/1991) considers that from | |||
the element of guilt it follows "...that the action or omission, classified as an | |||
administratively punishable offence, must, in any case, be imputable to its author, | |||
through malice or recklessness, negligence or inexcusable ignorance". The same Court | |||
reasons that "it is not sufficient... for exculpation from a typically unlawful conduct to | |||
invoke the absence of fault" but it is necessary "that the diligence that was required by | |||
the person alleging its non-existence has been used" (STS 23 January 1998). | |||
Also connected with the degree of diligence that the data controller is obliged to display | |||
in complying with the obligations imposed by the data protection regulations is the SAN | |||
of 17/10/2007 (Rec. 63/2006), which stated: "(...) the Supreme Court has understood | |||
that imprudence exists whenever a legal duty of care is disregarded, i.e. when the | |||
offender does not behave with the required diligence". | |||
Furthermore, the Audiencia Nacional, in matters of personal data protection, has | |||
declared that "simple negligence or failure to comply with the duties that the Law | |||
imposes on the persons responsible for files or data processing to exercise extreme | |||
diligence is sufficient..." (SAN 29/06/2001). | |||
It is therefore concluded, contrary to the objections raised by the defendant, that the | |||
subjective element is present in the infringement found. | |||
Consequently, in accordance with the evidence set out above, the aforementioned | |||
facts constitute a breach of the provisions of Article 12(2) and (3) of the GDPR, in | |||
relation to Article 15 of the aforementioned Regulation, which gives rise to the | |||
application of the corrective powers granted to the Spanish Data Protection Agency by | |||
Article 58 of the aforementioned Regulation. | |||
Not demanding responsibility from MERCADONA for these facts would be tantamount | |||
to emptying the rules governing the exercise of rights in the area of personal data | |||
protection of their content. | |||
It is relevant that the images captured by a video surveillance system must be deleted | |||
within a maximum period of one month, in accordance with Article 6 of Instruction | |||
1/2006, of 8 November, of the Spanish Data Protection Agency, on the processing of | |||
personal data for surveillance purposes through camera or video camera systems. This | |||
is the same period provided for the data controller to resolve the request to exercise | |||
the right of access to such images. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
41/61 | |||
If we consider that the exercise of the right is subsequent to the capture of the images, | |||
the date of expiry of the deadline for exercising the right will always be later than the | |||
deadline for deleting the images. Therefore, if it were accepted that MERCADONA is | |||
not responsible for the failure to comply with the right of access exercised by the | |||
complainant, it would be tantamount to admitting that any data controller could evade | |||
the data subject's right of access by claiming that the images had been deleted. | |||
With regard to the precedents cited by the respondent, it should be noted that the two | |||
cases in which the existence of an unintentional error was found are not similar to the | |||
present case, as they refer to entry errors (E/01795/2011 and E/03468/2009). The third | |||
of these precedents (PS/00724/2014) is resolved by this Agency, in relation to the | |||
aspects highlighted by MERCADONA, according to the scheme followed in this act. | |||
VI | |||
MERCADONA, in addition to not providing access to the images of the security | |||
cameras requested by the complainant, proceeded to delete them after 30 days had | |||
elapsed since they were captured, as the company informed the complainant in an e- | |||
mail addressed to her representative, who had previously warned of the lack of | |||
response to the right of access ("We should add that none of the images from the | |||
requested date are available (***DATE.1), all in accordance with art. 6 of Instruction | |||
1/2006, of 8 November, of the AEPD, which establishes that "The data will be | |||
cancelled within a maximum period of one month from their capture"). | |||
This erasure of the images constitutes processing of personal data, in accordance with | |||
Article 4 of the GDPR, which, under the heading 'Definitions', provides as follows: | |||
"(2) 'processing' means any operation or set of operations which is performed upon personal | |||
data or sets of personal data, whether or not by automatic means, such as collection, recording, | |||
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, | |||
disclosure by transmission, dissemination or otherwise making available, alignment or | |||
combination, restriction, erasure or destruction. | |||
In short, we are dealing with a "processing of data" ("erasure or destruction" of images) | |||
subject to the legitimisation regime regulated by Article 6 of the GDPR "Lawfulness of | |||
processing", which states the following: | |||
"Processing shall only be lawful if at least one of the following conditions is met: | |||
a) the data subject consented to the processing of his or her personal data for one or more | |||
specific purposes; | |||
b) processing is necessary for the performance of a contract to which the data subject is party | |||
or for the implementation of pre-contractual measures at the request of the data subject; | |||
c) the processing is necessary for compliance with a legal obligation applicable to the | |||
controller; | |||
d) processing is necessary in order to protect the vital interests of the data subject or of another | |||
person | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
42/61 | |||
physics; | |||
e) the processing is necessary for the performance of a task carried out in the public interest or | |||
in the exercise of official authority vested in the controller; | |||
f) processing is necessary for the purposes of the legitimate interests pursued by the controller | |||
or by a third party, provided that such interests are not overridden by the interests or | |||
fundamental rights and freedoms of the data subject which require the protection of personal | |||
data, in particular where the data subject is a child. | |||
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities | |||
in the exercise of their functions. | |||
2. Member States may maintain or introduce more specific provisions in order to adapt the | |||
application of the rules of this Regulation with regard to processing in compliance with | |||
paragraph 1(c) and (e) by setting out more precisely specific processing requirements and other | |||
measures ensuring lawful and fair processing, including other specific processing situations | |||
within the meaning of Chapter IX. | |||
3. The basis for the processing referred to in paragraph 1(c) and (e) shall be established by: | |||
a) Union law, or | |||
b) the law of the Member States which applies to the controller. | |||
The purpose of the processing shall be determined in that legal basis or, as regards processing | |||
referred to in paragraph 1(e), shall be necessary for the performance of a task carried out in the | |||
public interest or in the exercise of official authority vested in the controller. That legal basis | |||
may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the | |||
general conditions governing the lawfulness of processing by the controller; the types of data | |||
processed; the data subjects concerned; the entities to which personal data may be disclosed | |||
and the purposes of such disclosure; purpose limitation; data retention periods as well as | |||
processing operations and procedures, including measures to ensure lawful and fair | |||
processing, such as those relating to other specific processing situations within the meaning of | |||
Chapter IX. Union or Member State law shall meet a public interest objective and be | |||
proportionate to the legitimate aim pursued. | |||
4. Where processing for a purpose other than that for which the personal data were collected is | |||
not based on the consent of the data subject or on Union or Member State law which | |||
constitutes a necessary and proportionate measure in a democratic society to safeguard the | |||
purposes referred to in Article 23(1), the controller shall, in order to determine whether | |||
processing for another purpose is compatible with the purpose for which the personal data were | |||
originally collected, take into account, inter alia: | |||
a) any link between the purposes for which the personal data were collected and the purposes | |||
of the intended further processing; | |||
b) the context in which the personal data have been collected, in particular as regards the | |||
relationship between the data subjects and the controller; | |||
c) the nature of the personal data, in particular where special categories of personal data are | |||
processed in accordance with Article 9 or personal data relating to criminal convictions and | |||
offences in accordance with Article 10; | |||
d) the possible consequences for data subjects of the intended further processing; | |||
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation'. | |||
In relation to the conservation of images captured by video surveillance systems, it is | |||
necessary to take into account the provisions of Instruction 1/2006, of 8 November, of | |||
the Spanish Data Protection Agency, on the processing of personal data for | |||
surveillance purposes through camera or video camera systems. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
43/61 | |||
With the application of the GDPR, it must be considered that most of Instruction 1/2006 | |||
has been displaced, since the content of the same, such as the legitimisation or the | |||
rights of individuals, is displaced by what is established in this respect by the European | |||
standard. | |||
However, the provisions of Article 6 of the aforementioned Instruction, which regulates | |||
the retention period and refers to the obligation to "cancel" the personal data (the | |||
images) within a maximum period of one month from their capture, may be considered | |||
to remain in force. An interpretation in accordance with the GDPR, which does not | |||
contemplate the cancellation but rather the deletion of personal data, means that this | |||
maximum storage period of one month will not be one of cancellation but of deletion, | |||
except in those cases in which they must be kept to prove the commission of acts that | |||
threaten the integrity of persons, goods or installations. | |||
Article 22 of the LOPDGDD, section 3, to which reference was made in the agreement | |||
to initiate the procedure, also establishes certain rules regarding the deletion of images | |||
captured by video surveillance systems. However, as MERCADONA rightly points out | |||
in its statement of allegations, this provision regulates cases other than the one | |||
analysed in the present proceedings, related to "the processing of images through | |||
camera or video camera systems for the purpose of preserving the security of persons | |||
and property, as well as of its facilities". This provision regulates video-surveillance | |||
processing whose legitimisation lies in the existence of a public interest purpose that | |||
can be included in article 6.1.e) of the Regulation, and not in the mere legitimate | |||
interests of a private individual. | |||
In accordance with the above, MERCADONA's removal of the images requested by the | |||
complainant could be understood to be in accordance with the provisions of the | |||
aforementioned Instruction 1/2006, as it was carried out within a maximum period of | |||
one month from the date they were captured, that is to say, from ***DATE.1. | |||
However, in the present case, there are other circumstances that must be considered | |||
in the analysis of the lawfulness or unlawfulness of the deletion or erasure of personal | |||
data. | |||
The claimant suffered an accident in one of MERCADONA's establishments on | |||
***DATE.1 and, four days later, on ***DATE.3, she reported the incident to | |||
MERCADONA, informing them of their responsibility in the incident (...), the damage | |||
caused by the incident to the claimant (...) and her protest at the lack of attention given | |||
to the incident by MERCADONA's insurer (...). The claimant's intention to be | |||
compensated for the accident suffered is clear in the complaint, which MERCADONA is | |||
on record as having received and responded to the complaint on ***DATE.5 | |||
acknowledging receipt and informing the Customer Service Department of its transfer. | |||
Such circumstances motivated the complainant's interest in having a copy of the | |||
images captured by the security camera system installed in the establishment in | |||
question, for which she exercised the right of access described above, on ***DATE.2, | |||
also received by the Department of | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
44/61 | |||
Customer Service. In this request for the right of access to the images of the video | |||
surveillance system, the complainant once again informs the respondent entity that her | |||
request is motivated by the accident that took place at the centre in question and on | |||
the date indicated. | |||
All these circumstances were known to MERCADONA. In addition, on | |||
***DATE.7, the claimant's representative sent an e-mail to this entity, in relation to the | |||
aforementioned claim, advising of her "desire to request the corresponding | |||
compensation according to the schedule". | |||
These actions are considered to be sufficiently indicative of the need to keep the | |||
images, especially because they were not made available to the complainant in | |||
accordance with the right of access exercised. However, despite all this, MERCADONA | |||
proceeded to delete the images requested by the complainant. | |||
It is understood that there was an interest on the part of the complainant that justified | |||
the processing of the repeated images beyond the period of one month set by | |||
Instruction 1/2006, at least until the images were handed over to the complainant and | |||
for this sole purpose. | |||
The same would be true if the complainant had filed a lawsuit and MERCADONA had | |||
decided to keep the images for the defence of its rights, in which case it would be | |||
understood that the data processing would comply with the provisions of Article 6.1.f) of | |||
the GDPR (processing is considered lawful when "necessary for the purposes of the | |||
legitimate interests pursued by the controller"). | |||
It is necessary to take into account the doctrine of the Constitutional Court regarding | |||
the restrictions to the fundamental right to data protection, analysed in its Judgement | |||
292/2000, of 30 November. In this judgement, after configuring the fundamental right to | |||
the protection of personal data as an autonomous and independent right consisting of a | |||
power of disposal and control over personal data, which empowers the individual to | |||
decide which of these data to provide to a third party or which this third party may | |||
collect, and which also allows the individual to know who possesses these personal | |||
data and for what purpose, being able to oppose this possession or use, it analyses the | |||
limits of the same, pointing out the following: | |||
"More specifically, in the aforementioned judgments on data protection, this Court has declared | |||
that the right to data protection is not unlimited, and although the Constitution does not | |||
expressly impose specific limits on it, nor does it refer to the Public Authorities for its | |||
determination as it has done with other fundamental rights, there is no doubt that they must be | |||
found in the other fundamental rights and constitutionally protected legal assets, since this is | |||
required by the principle of unity of the Constitution (SSTC 11/1981, of 8 April, F. 7; 196/1987, | |||
of 11 December [RTC 1987, 196] , F. 6; and with regard to art. 18, STC 110/1984, F. | |||
5)". | |||
In relation to this question, it must be considered that the ultimate aim pursued by the | |||
non-removal of the images requested by the complainant, the owner of the data in | |||
question, is to obtain proof of the damage caused to her own person, as a | |||
consequence of an accident that occurred in a MERCADONA centre in which she was | |||
injured due to possible negligence on the part of that entity. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
45/61 | |||
In this case, a collision between two fundamental rights arises: the right to privacy and | |||
the right to | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
46/61 | |||
protection of personal data, derived from Article 18 of the Constitution and enshrined | |||
as an autonomous right that informs the constitutional text by the aforementioned | |||
Constitutional Court Ruling 292/2000, of 30 November; and the right to the effective | |||
judicial protection of judges and courts, contained in Article 24.1 of the Spanish | |||
Constitution ("All persons have the right to obtain the effective protection of judges and | |||
courts in the exercise of their rights and legitimate interests, without, in any case, any | |||
defencelessness"), which guarantees the access of all persons to judges and courts for | |||
the defence of their rights. | |||
The right to the protection of personal data yields in those cases in which it may entail | |||
a reduction in the possibility of the data subject to provide the relevant means of proof | |||
for his or her defence, thereby violating the guarantees derived from the | |||
aforementioned right to effective protection and restricting the possibility of obtaining | |||
the full development of this latter right. | |||
Therefore, from the point of view of this Agency, there is a legal authorisation for the | |||
processing of image data once the period established for their deletion has expired, | |||
which is covered by Article 24 of the Constitution and its implementing regulations. | |||
Following this premise, prevalence must be given to the right enshrined in Article 24 of | |||
the Constitution, which guarantees citizens the effective judicial protection of judges | |||
and courts, in the terms set out above. | |||
As the Constitutional Court has consistently held (for example, STC 186/2000, of 10 | |||
July, citing many others) "the right to privacy is not absolute, as is none of the | |||
fundamental rights, and may yield to constitutionally relevant interests, provided that | |||
the restriction that it must undergo is necessary to achieve the intended legitimate aim, | |||
proportionate to achieve it and, in any case, is respectful of the essential content of the | |||
right". | |||
The Constitutional Court has been demanding that any measure restricting rights must | |||
be proportional. This is stated in Constitutional Court Ruling 14/2003 of 28 January: | |||
"In other words, in accordance with the reiterated doctrine of this Court, the constitutionality of | |||
any measure restricting fundamental rights is determined by strict observance of the principle of | |||
proportionality. For the purposes of the present case, it is sufficient to recall that, in order to | |||
check whether a measure restricting a fundamental right passes the proportionality test, it is | |||
necessary to ascertain whether it meets the following three requirements or conditions: whether | |||
the measure is likely to achieve the proposed objective (suitability test); whether, in addition, it | |||
is necessary, in the sense that there is no other more moderate measure for the achievement of | |||
that purpose with equal effectiveness (necessity test); and, finally, whether it is weighted or | |||
balanced, as it derives more benefits or advantages for the general interest than harm to other | |||
conflicting goods or values (proportionality test in the strict sense; SSTC 66/1995, of 8 May [ | |||
RTC 1995, 66], F. 5; 55/1996, of 28 March [RTC 1996, 55], FF. 7, 8 and 9; 270/1996, of 16 | |||
March [RTC 1996, 55], FF. 7, 8 and 9; 270/1996, of 16 March [RTC 1996, 57], FF. 8 and 9. | |||
December [RTC 1996, 270], F. 4.e; 37/1998, of 17 February [RTC 1998, 37], F. 8; 186/2000, | |||
of 10 July [RTC 2000, 186], F. 6)". | |||
This principle of proportionality is respected in this case, in which the images | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
47/61 | |||
captured by MERCADONA's video surveillance cameras constitute valid and adequate | |||
evidence for the defence of the claimant's interests. | |||
In this respect, Article 299 of Law 1/2000, of 7 January, on Civil Proceedings, indicates | |||
which are the means of evidence that may be used in court, establishing in its number | |||
2 the following: | |||
"Means of reproduction of speech, sound and image, as well as instruments for recording and | |||
knowing or reproducing words, data, figures and mathematical operations carried out for | |||
accounting or other purposes, relevant to the proceedings, shall also be admissible in | |||
accordance with the provisions of this Act". | |||
Article 265 determines the time at which such documents must be produced, providing | |||
as follows: | |||
1. Any claim or defence shall be accompanied by: | |||
1o. The documents on which the parties base their right to the judicial protection they are seeking. | |||
2o. The means and instruments referred to in paragraph 2 of Article 299, if they form the basis of | |||
the claims for guardianship formulated by the parties. | |||
(...)". | |||
In this case, the proof of the causation of the damage, as well as the determination of | |||
the person against whom the claim will be directed, is to be found in the images | |||
captured by the cameras, whose contribution to the proceedings with the claim seems | |||
necessary, so that the right to effective protection must prevail in this case over the | |||
right to data protection. | |||
The scope of the right to judicial protection in relation to evidence has been addressed, | |||
among others, in STC 212/2013, of 16 December, in which reference is made, citing | |||
STC 88/2014, of 28 May, to "the intimate relationship of the right to evidence with other | |||
rights guaranteed in art. 24 CE. Specifically, in our constitutional doctrine we have | |||
emphasised the connection of this specific constitutional right with the right to effective | |||
judicial protection (art. 24.1 CE), the scope of which includes questions relating to | |||
evidence (SSTC 89/1986, of 1 July, FJ 2; 50/1988, of 22 March, FJ 3; 110/1995, of 4 | |||
July, FJ 4; 189/1996, of 25 November, FJ 3; and 221/1998, of 24 November, FJ 3), and | |||
with the right of defence (art. 24. 24.2 CE), of which it is inseparable (SSTC 131/1995, | |||
of 11 September, FJ 2; 1/1996, of 15 January, FJ 2; and 26/2000, of 31 January, FJ 2)'' | |||
(STC 19/2001, of 29 January, FJ 4; and, in the same sense, STC 133/2003, of 30 | |||
June, FJ 3)". In the aforementioned SSTC 19/2001 and 133/2003, the Constitutional | |||
Court pointed out that "it has been precisely this inseparable connection (with the other | |||
fundamental rights mentioned, in particular the right to obtain effective judicial | |||
protection), which has allowed us to affirm that the essential content of the right to use | |||
the relevant means of proof is made up of the legal power recognised to those who | |||
intervene as litigants in a process to provoke the procedural activity necessary to | |||
achieve the conviction of the judicial body on the existence or non-existence of the | |||
relevant facts for the decision of the conflict which is the object of the process (for all, | |||
STC 37/2000, of 14 February, FJ 3)". | |||
The arguments put forward by MERCADONA in its allegations to the motion for | |||
resolution are based on the erroneous assumption that the entity | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
48/61 | |||
"did not have any record of the request for access", a circumstance to which he | |||
repeatedly refers. However, as stated above, the request to exercise the right of | |||
access was correctly received by the aforementioned entity. | |||
And not only that. It is also proven that MERCADONA received the complaint about the | |||
accident suffered by the claimant, addressed to the same department that received the | |||
request for access to the images captured by the video surveillance system. | |||
To comply with both of the complainant's initiatives entailed the conservation of the | |||
images, even though this would have meant exceeding the legal time limit, and this | |||
conservation would be in accordance with the principles of necessity and | |||
proportionality in this specific case. | |||
Therefore, this does not impose a general obligation on the responsible entity to | |||
preserve and monitor all images in order to assess the need for preservation, which is | |||
present in this case in view of the circumstances described above. | |||
It should be borne in mind that that request for access and the complainant's complaint | |||
were submitted to the entity responsible before the images were deleted, unlike the | |||
case analysed in the ECDC Guidelines 3/2019 to which MERCADONA refers in its | |||
allegations, which refers to a request for access made when the images had already | |||
been deleted. Thus, it is not understood that MERCADONA alleges that the Agency | |||
relies on circumstances that "the entity has no reason to be aware of", given that these | |||
circumstances were known to MERCADONA. | |||
It is true that MERCADONA's statement that it would have been different if it had | |||
delivered the images to the complainant before the expiry of the legal conservation | |||
period, but this was not the case due to the respondent's own conduct, and not | |||
precisely because it had not received the request. | |||
This same entity states in its allegations that "If a data subject exercises the right of | |||
access during the period in which the data controller retains the images, it must be | |||
complied with, and the images must be retained, even if there is a formal defect in the | |||
request, precisely so that when this is rectified, the right can be satisfied". | |||
He then adds, once again, "But in this case, the request did not reach the person | |||
responsible, so it could not be kept", when we already know that the request for access | |||
did reach him. | |||
The defendant also understands its right to keep the images beyond the time limit for | |||
the defence of its own rights. | |||
On the other hand, it denies that there is in this case a collision of rights (protection of | |||
personal data and effective judicial protection) that had to be weighed up by the data | |||
controller and does so by arguing once again that this would not have occurred if it had | |||
been aware of the data subject's request. It states that "If the request had been | |||
received, the data subject would have had a response in due time and form, without | |||
the need to keep the images longer than the established time or to seek any basis for | |||
the request". | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
49/61 | |||
of additional standing", without considering that it did receive the request, that the fact | |||
that it was not passed on internally to the unit responsible for processing it does not | |||
mean that it did not receive the request and that all of this is within its exclusive sphere | |||
of responsibility. | |||
The conclusion set out here does not imply any change with respect to the general | |||
obligation that the law imposes on data controllers to erase personal data when they | |||
are no longer necessary for the purpose for which they were collected or, in the case of | |||
images captured by video surveillance systems, when the established time limit has | |||
elapsed. | |||
The aforementioned reasons prevail over the obligation to delete the images within a | |||
maximum period of one month after they were captured, with the result that, once the | |||
need to retain and proportionality of retaining the images has been concluded, the | |||
processing of personal data consisting of the deletion or suppression of such images is | |||
carried out without a legal basis to legitimise it, in clear violation of the provisions of | |||
Article 6 of the GDPR. This breach gives rise to the application of the corrective powers | |||
that Article 58 of the aforementioned Regulation grants to the Spanish Data Protection | |||
Agency. | |||
The infringement of the provisions of Article 6 of the GDPR occurs independently of the | |||
lack of attention to the right of access exercised by the complainant. The two | |||
infringements are the result of separate conduct which must be punished separately. | |||
VII | |||
In the event of a breach of the precepts of the GDPR, among the corrective powers | |||
available to the Spanish Data Protection Agency, as supervisory authority, Article 58.2 | |||
of the Regulation provides for the following: | |||
"2 Each supervisory authority shall have all of the following remedial powers listed below: | |||
(...) | |||
(b) issue a warning to any controller or processor where processing operations have infringed | |||
the provisions of this Regulation;". | |||
(...) | |||
(d) instruct the controller or processor to ensure that processing operations are carried out in | |||
accordance with the provisions of this Regulation, where applicable, in a specified manner and | |||
within a specified period of time; | |||
(...) | |||
(i) impose an administrative fine in accordance with Article 83, in addition to or instead of the | |||
measures referred to in this paragraph, according to the circumstances of each individual | |||
case;'. | |||
Pursuant to Article 83(2) of the GDPR, the measure provided for in (d) above is | |||
compatible with the sanction of an administrative fine. | |||
VIII | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
50/61 | |||
In accordance with the evidence set out above, it is considered that the facts set out | |||
above do not comply with the provisions of Articles 12, in relation to Article 15, both of | |||
the GDPR; and with the provisions of Article 6 of the same Regulation; which entails | |||
the commission of two infringements typified, respectively, in sections 5.a) and 5.b) of | |||
the GDPR. | |||
5(b) of Article 83 of the GDPR. | |||
Article 83(5)(a) and (b) of the GDPR, under the heading 'General conditions for the | |||
imposition of administrative fines', provides as follows: | |||
"5. Infringements of the following provisions shall be punishable, in accordance with paragraph | |||
2, by administrative fines not exceeding EUR 20 000 000 or, in the case of an undertaking, not | |||
exceeding 4 % of the total annual aggregate turnover in the preceding financial year, whichever | |||
is the greater: | |||
a) the basic principles for processing, including the conditions for consent within the meaning of | |||
Articles 5, 6, 7 and 9; | |||
b) the rights of the persons concerned within the meaning of Articles 12 to 22". | |||
On the other hand, Article 71 of the LOPDGDD considers any breach of this Organic | |||
Law to be an infringement: | |||
"The acts and conduct referred to in Article 83(4), (5) and (6) of Regulation (EU) 2016/679, as | |||
well as those which are contrary to this organic law, shall constitute infringements." | |||
Section 1.b) of Article 72 of the LOPDGDD considers this to be "very serious" for the | |||
purposes of the statute of limitations: | |||
"Pursuant to Article 83(5) of Regulation (EU) 2016/679, infringements which constitute a | |||
substantial breach of the Articles mentioned therein, in particular the following, shall be | |||
considered very serious and shall be subject to a three-year statute of limitations: | |||
(b) the processing of personal data without one of the conditions for lawful processing set out in | |||
Article 6 of Regulation (EU) 2016/679 being met. | |||
And section c) of Article 74 of the LOPDGDD considers infringements of a merely | |||
formal nature of the articles mentioned in Article 83.5 of the RGPD to be a "minor" | |||
infringement for the purposes of the statute of limitations and, specifically: | |||
"(c) failing to comply with requests to exercise the rights laid down in Articles 15 to 22 of | |||
Regulation (EU) 2016/679, unless the provisions of Article | |||
72.1.k) of this Organic Law". | |||
In order to determine the administrative fine to be imposed, the provisions of Articles | |||
83.1 and 83.2 of the GDPR must be observed, which state: | |||
"Each supervisory authority shall ensure that the imposition of administrative fines under this | |||
Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 are in each | |||
individual case effective, proportionate and dissuasive. | |||
2. Administrative fines shall be imposed, depending on the circumstances of each individual | |||
case, in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article | |||
58(2). When deciding on the imposition of an administrative fine and the amount thereof | |||
C/ Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
51/61 | |||
in each individual case shall be duly taken into account: | |||
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or | |||
purpose of the processing operation concerned as well as the number of data subjects | |||
concerned and the level of damage they have suffered; | |||
b) the intentional or negligent nature of the infringement; | |||
c) any measures taken by the controller or processor to mitigate the damage suffered by data | |||
subjects; | |||
d) the degree of responsibility of the controller or processor, taking into account the technical or | |||
organisational measures they have implemented pursuant to Articles 25 and 32; | |||
e) any previous infringement committed by the controller or processor; | |||
f) the degree of cooperation with the supervisory authority in order to remedy the infringement | |||
and mitigate the possible adverse effects of the infringement; | |||
g) the categories of personal data concerned by the infringement; | |||
h) the manner in which the supervisory authority became aware of the breach, in particular | |||
whether and to what extent the breach was notified by the controller or processor; | |||
i) where the measures referred to in Article 58(2) have previously been ordered against the | |||
controller or processor concerned in relation to the same matter, compliance with those | |||
measures; | |||
j) adherence to codes of conduct under Article 40 or to certification schemes approved under | |||
Article 42, and | |||
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such | |||
as financial gain or loss avoided, directly or indirectly, through the infringement. | |||
For its part, Article 76 "Sanctions and corrective measures" of the LOPDGDD | |||
is available: | |||
"The penalties provided for in Article 83(4), (5) and (6) of Regulation (EU) 2016/679 shall be | |||
applied taking into account the graduation criteria set out in paragraph 2 of that Article. | |||
2. In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be | |||
taken into account: | |||
a) The continuing nature of the infringement. | |||
b) The link between the offender's activity and the processing of personal data. | |||
c) Profits made as a result of the commission of the offence. | |||
d) The possibility that the conduct of the person concerned could have led to the commission of | |||
the infringement. | |||
e) The existence of a process of merger by absorption subsequent to the commission of the | |||
infringement, which cannot be imputed to the absorbing entity. | |||
f) Affecting the rights of minors. | |||
g) Have, where not mandatory, a data protection officer. | |||
h) The submission by the data controller or data processor, on a voluntary basis, to alternative | |||
dispute resolution mechanisms, in those cases in which there are disputes between them and | |||
any interested party". | |||
In addition to the above, consideration should be given to Article 83(1) of the GDPR, | |||
according to which "Each supervisory authority shall ensure that the imposition of | |||
administrative fines in accordance with this Article for infringements of this Regulation | |||
as referred to in paragraphs 4, 5 and 6 are in each individual case effective, | |||
proportionate and dissuasive". | |||
In accordance with the above-mentioned provisions, for the purposes of setting the | |||
amount of the penalty to be imposed, the following shall be applied | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
52/61 | |||
impose in the present case, it is considered that the penalty to be imposed should be | |||
graduated in accordance with the following criteria set out in the transcribed precepts: | |||
1. Infringement of Article 12, in conjunction with Article 15, both of the GDPR, as | |||
defined in Article 83(5)(b) and classified as minor for the purposes of the statute of | |||
limitations in Article 83(5)(b). | |||
74.c) of the LOPDGDD: | |||
The following graduation criteria are considered as aggravating factors: | |||
. Article 83(2)(a) of the GDPR: '(a) the nature, gravity and duration of the breach, | |||
taking into account the nature, scope or purpose of the processing operation | |||
concerned as well as the number of data subjects concerned and the level of | |||
damage they have suffered'. | |||
. The nature of the infringement, insofar as the failure to respect the right of | |||
access, by its content, has an impact on the complainant's ability to exercise | |||
real control over her personal data. | |||
In relation to the right of access and its configuration as a gateway to other | |||
rights, the CJEU, in its ruling of 07/05/2009, handed down in Case C-553/07, | |||
analysing the Directive at the time and equally valid now for the GDPR, states | |||
the following: | |||
"51 That right of access is indispensable to enable the data subject to exercise the | |||
rights provided for in Article 12(b) and (c) of the directive, namely, where necessary, | |||
where the processing does not comply with the provisions of the directive, to obtain | |||
from the data controller rectification, erasure or blocking of the data (subparagraph | |||
(b)), or to notify third parties to whom the data have been disclosed of any | |||
rectification, erasure or blocking carried out, if this is not impossible or would involve a | |||
disproportionate effort (subparagraph (c)). 52 The right of access is also a necessary | |||
condition for the exercise by the data subject of the right to object to the processing of | |||
his personal data, provided for in Article 14 of the Directive, as it is for the right to | |||
bring an action for damages, provided for in Articles 22 and 23 of the Directive. | |||
. The level of damages suffered by the interested parties, insofar as the failure | |||
to comply with the right of access led to the non-delivery of the images | |||
requested by the complainant, which prejudiced her ability to defend herself in | |||
relation to the accident she had suffered in one of the respondent's centres. | |||
. Article 83(2)(b) of the GDPR: "(b) intentional or negligent breach". | |||
Negligence in the commission of the infringement, taking into account that | |||
MERCADONA not only failed to respond to the right exercised by the complainant, | |||
but did not even provide any response to the request made by the complainant | |||
within the deadline. This response did not take place until after the images in | |||
question had been deleted, so that the failure to exercise the right has led to a loss | |||
of availability and control over the data. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
53/61 | |||
This circumstance highlights MERCADONA's negligent conduct. In this respect, | |||
we take into account what is stated in the Judgment of the Audiencia Nacional of | |||
17/10/2007 (rec. 63/2006) which, based on the fact that these are entities whose | |||
activity involves continuous data processing, indicates that "...the Supreme Court | |||
has understood that imprudence exists whenever a legal duty of care is | |||
disregarded, i.e. when the offender does not behave with the required diligence. | |||
And in assessing the degree of diligence, the professionalism or otherwise of the | |||
subject must be weighed up, and there is no doubt that, in the case under | |||
examination, when the appellant's activity involves constant and abundant | |||
handling of personal data, it is necessary to insist on rigour and exquisite care to | |||
comply with the legal provisions in this respect". | |||
It is a company that processes personal data systematically and continuously and | |||
must take great care in complying with its data protection obligations. | |||
This Agency understands that diligence must be deduced from conclusive facts, | |||
which are duly accredited and directly related to the elements that make up the | |||
infringement, in such a way that it can be deduced that the infringement has taken | |||
place despite all the means available to the responsible party to avoid it. In this | |||
case, MERCADONA's actions are not of this nature. | |||
. Article 83(2)(g) of the GDPR: '(g) the categories of personal data concerned by | |||
the breach'. | |||
Although "Special categories of personal data", as defined by the GDPR in Article | |||
9, have not been affected, the personal data to which the proceedings relate (the | |||
complainant's image) is of a particularly sensitive nature, as it allows for the early | |||
identification of data subjects and increases the risks to their privacy. | |||
. Article 76.2.b) of the LOPDGDD: "b) The linking of the offender's activity with the | |||
processing of personal data". | |||
The strong link between the offender's activity and the processing of personal data, | |||
especially with regard to the indiscriminate capture of images of customers by the | |||
video surveillance systems installed in its establishments. Consideration is given to | |||
the level of implementation of the entity and the activity it carries out, in which the | |||
personal data of thousands of data subjects are involved. This circumstance | |||
determines a higher degree of exigency and professionalism and, consequently, of | |||
the responsibility of the entity complained of in relation to the processing of the | |||
data. | |||
. Article 83(2)(k) of the GDPR: '(k) any other aggravating or mitigating factor | |||
applicable to the circumstances of the case, such as financial benefit gained or | |||
loss avoided, directly or indirectly, through the infringement'. | |||
. MERCADONA's status as a large company and its turnover. It is on record in | |||
the proceedings that this entity has (...). | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
54/61 | |||
The following circumstances are also considered as extenuating circumstances: | |||
. Article 83(2)(d) of the GDPR: '(d) the degree of responsibility of the controller or | |||
processor, taking into account the technical or organisational measures which they | |||
have implemented pursuant to Articles 25 and 32'. | |||
The accused entity has adequate procedures in place for handling requests for the | |||
exercise of rights, so that the infringement is the result of an anomaly in the | |||
operation of those procedures which affects only the defendant. | |||
Considering the factors set out above, the value of the fine for the infringement of | |||
Article 12 of the GDPR is 70,000 euros (seventy thousand euros). | |||
2. Infringement for failure to comply with the provisions of Article 6 of the RGPD, | |||
typified in Article 83.5.a) and classified as very serious for statute of limitations | |||
purposes in Article 72.1.b) of the LOPDGDD: | |||
The following graduation criteria are considered as aggravating factors: | |||
. Article 83(2)(a) of the GDPR: '(a) the nature, gravity and duration of the breach, | |||
taking into account the nature, scope or purpose of the processing operation | |||
concerned as well as the number of data subjects concerned and the level of | |||
damage they have suffered'. | |||
. The nature and seriousness of the infringement, insofar as the definitive | |||
erasure of the images captured by the video surveillance system, in this case, | |||
affects the complainant's ability to exercise real control over her personal data | |||
insofar as it limits her ability to act in defence of her rights; and limits any | |||
subsequent intervention by this Agency in order to remedy the lack of attention | |||
to the right of access or by the courts with regard to the actions that the | |||
complainant could bring against MERCADONA for possible compensation for | |||
damages. | |||
. The level of damages suffered by the complainant concerned, insofar as the | |||
removal of the images has impaired her ability to defend herself, as expressed | |||
in the previous paragraph. | |||
MERCADONA argues that the complainant's complaint cannot be linked to a legal | |||
obligation to keep the images and that it is not the obligation of the person in | |||
charge to keep the images of every event that has occurred, without the person | |||
having requested the images, just in case he/she might request them. However, | |||
this is not the case here, in which the complainant had indeed requested the | |||
images on the occasion of an accident that occurred in a centre of the | |||
aforementioned entity. | |||
. Article 83(2)(b) of the GDPR: "(b) intentional or negligent breach". | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
55/61 | |||
The negligence found in the commission of the infringement, bearing in mind that | |||
MERCADONA deleted the images despite being aware that the complainant | |||
reported the accident and the damage suffered to MERCADONA, and requested | |||
access to those images for that reason. | |||
According to the Respondent, this cannot be affirmed because "the entity was not | |||
aware of the access request made". Once again, MERCADONA raises the issue | |||
as if the request for access had not existed, despite the fact that it is not disputed | |||
that MERCADONA received such a request. The fact that it was not properly | |||
processed, as the request was not passed on internally to the person or unit | |||
responsible for handling it, cannot be treated as something beyond the control of | |||
the responsible entity itself. | |||
In assessing this negligence, account is also taken of the circumstances set out in | |||
paragraph 1 above. | |||
. Article 83(2)(g) of the GDPR: '(g) the categories of personal data concerned by | |||
the breach'. | |||
As has already been pointed out, the personal data to which the proceedings refer | |||
(image of the complainant) is of a particularly sensitive nature. | |||
. Article 76.2.b) of the LOPDGDD: "b) The linking of the offender's activity with the | |||
processing of personal data". | |||
The strong link between the offender's activity and the processing of personal data, | |||
already justified in relation to the previous offence. | |||
. Article 83(2)(k) of the GDPR: '(k) any other aggravating or mitigating factor | |||
applicable to the circumstances of the case, such as financial benefit gained or | |||
loss avoided, directly or indirectly, through the infringement'. | |||
. MERCADONA's status as a large company and its turnover, according to the | |||
details set out above. | |||
The following circumstances are also considered as extenuating circumstances: | |||
. Article 83(2)(d) of the GDPR: '(d) the degree of responsibility of the controller or | |||
processor, taking into account the technical or organisational measures which they | |||
have implemented pursuant to Articles 25 and 32'. | |||
The infringement is an anomaly affecting only the defendant. | |||
Considering the factors set out in this second part, the value of the fine for the | |||
infringement of Article 6 of the GDPR is 100,000 euros (one hundred thousand euros). | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
56/61 | |||
MERCADONA did not make any allegation on the factors for the graduation of the | |||
sanctions in its submissions to the opening of the procedure. However, in its written | |||
statement it emphasised that it had contacted the complainant, through her | |||
representative, and reached an agreement that compensated the damages suffered as | |||
a result of the accident and those arising from the failure to comply with her right of | |||
access to her personal data. | |||
Furthermore, it states that disciplinary measures were adopted internally, as well as | |||
technical and organisational measures, to prevent a similar error from occurring in the | |||
future and to ensure that requests made through the web form are sent to the DPD. | |||
These measures are insufficient to "remedy the breach and mitigate the possible | |||
adverse effects of the breach", according to the terms of Article 83(2)(f) of the GDPR, | |||
or "to mitigate the damage suffered by data subjects" as a result of the breach, | |||
according to paragraph 2(c) of the same article. Mitigating the adverse effects or | |||
mitigating the damage caused by the infringements implies restoring the rights of the | |||
data subjects, which in this case is not possible because of the deletion of the images. | |||
Nor can the cessation of the conduct in breach of the legal system be considered as a | |||
mitigating factor in any case. | |||
On the other hand, it cannot be accepted that an out-of-court agreement between the | |||
complainant and the respondent can avoid the application of the regulation and the | |||
demand for the responsibilities resulting from the facts established. This would be | |||
tantamount to emptying the personal data protection regulation of its content. | |||
If we add to this that sanctions must be "in each individual case" effective, | |||
proportionate and dissuasive, in accordance with the provisions of Article 83.1 of the | |||
GDPR, this agreement cannot be admitted as a mitigating factor. It would be an | |||
artificial reduction of the sanction that could lead to the understanding that infringing | |||
the rule would not produce a negative effect proportional to the seriousness of the | |||
infringing act. | |||
On this issue of compensation for the damage alleged by the Respondent, reference is | |||
made to what is indicated in Ground II. | |||
Subsequently, in the allegations to the draft decision, MERCADONA questions the | |||
aggravating circumstances considered and argues that these same aggravating | |||
circumstances should be assessed as mitigating circumstances. | |||
Thus, it alleges that there is only one affected party and that it is not a structural | |||
infringement that lasts over time, despite the fact that these graduation factors have | |||
already been considered by this Agency as mitigating factors; and it insists on the | |||
"repair" of damages carried out and the measures adopted, on which this Agency has | |||
already ruled, without MERCADONA providing any argument that undermines what | |||
has been indicated in this resolution in this regard. | |||
On the other hand, it denies the alleged negligence and its professionalism in the | |||
processing of personal data, but again it does not put forward sufficient counter- | |||
arguments to overcome the above. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
57/61 | |||
In relation to the degree of diligence that should be required of MERCADONA, given its | |||
level of professionalism and high level of involvement in the processing of personal | |||
data, it should be noted that the entity itself, in its allegations in the opening of the | |||
procedure, as an argument to justify the extent of the involuntary error alleged, | |||
highlighted the large amount of personal data that it processes. | |||
On the other hand, none of the factors considered is attenuated by the fact that the | |||
defendant entity has not been subject to sanctioning proceedings before, a | |||
circumstance that has been alleged by the defendant entity to be considered as an | |||
attenuating circumstance. | |||
In this respect, the NA Judgment of 05/05/2021, rec. 1437/2020, indicates: | |||
"On the other hand, it considers that the fact that no previous infringement has been committed | |||
should be taken into account as a mitigating circumstance. Article 83.2 of the GDPR establishes | |||
that the imposition of the administrative fine must take into account, inter alia, the circumstance | |||
"(e) any previous infringement committed by the controller or processor". This is an aggravating | |||
circumstance; the fact that it does not meet the requirements for its application means that it | |||
cannot be taken into consideration, but it does not imply or permit, as the plaintiff claims, its | |||
application as a mitigating circumstance". | |||
According to the aforementioned Article 83.2 of the GDPR, when deciding on the | |||
imposition of an administrative fine and its amount, "any previous infringement | |||
committed by the person responsible" must be taken into account. This is a regulatory | |||
provision that does not include the absence of previous infringements as a factor in the | |||
graduation of the fine, which should be understood as a criterion close to recidivism, | |||
albeit broader. | |||
The defendant also states that personal data relating to images do not constitute | |||
special categories of data, which is already considered in this act, since otherwise the | |||
proven facts would constitute an infringement other than the one alleged. However, this | |||
does not imply that the personal image is considered to increase the risks to privacy in | |||
the assessment of the infringement. | |||
IX | |||
Infringements in the matter in question may give rise to the imposition on the controller | |||
of the obligation to take appropriate measures to bring its actions into compliancewith the | |||
regulations referred to in this act, in accordance with the provisions of the | |||
aforementioned Article 58(2)(d) of the GDPR, according to which each supervisory | |||
authority may "order the controller or processor to bring processing operations into | |||
compliance with the provisions of this Regulation, where applicable, in a specified | |||
manner and within a specified period of time...". | |||
In this case, the responsible entity should be required, within the period indicated in the | |||
operative part, to adapt the processing operations it carries out and the mechanisms | |||
and procedures it follows to deal with requests from data subjects to exercise their | |||
rights, with the scope expressed in the grounds of law of this resolution, to the personal | |||
data protection regulations. Thus, it shall establish mechanisms to ensure that the | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
requests for | |||
58/61 | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
59/61 | |||
In the case of requests for access to images captured by its video-surveillance | |||
systems, the images to which these requests refer shall be deleted before the right has | |||
been exercised and before the competent bodies can review, where appropriate, the | |||
decisions adopted by MERCADONA in this regard. | |||
It should be noted that failure to comply with the requirements of this body may be | |||
considered a serious administrative offence for "failing to cooperate with the | |||
supervisory authority" in response to the requirements made, and such conduct may | |||
be assessed when opening an administrative sanctioning procedure with a financial | |||
fine. | |||
X | |||
MERCADONA, in its statement of allegations to the proposed resolution, in the event | |||
that voluntary payment and acknowledgement of liability is made at any time prior to | |||
the resolution, requests the application of a 40% discount on the fine. However, as of | |||
this date, there is no record that said entity has proceeded to voluntary payment, nor | |||
has any letter been received by this Agency in which the entity acknowledges its | |||
liability for the facts that have given rise to the proceedings. | |||
In any event, this Agency does not share the interpretation of article 85 of Law 39/2015 | |||
(LPACPA) that MERCADONA puts forward in its statement of allegations, in relation to | |||
the time at which liability must be recognised in order for the reduction provided for to | |||
be applicable. | |||
In the opinion of this Agency, this acknowledgement, as stated in the initiation | |||
agreement, should be expressed at the start of the procedure, during the period for | |||
submitting allegations at the start of the procedure. This is in accordance with the | |||
provisions of the aforementioned article 85 of Law 39/2015, according to which the | |||
acknowledgement of liability must occur "when the procedure is initiated" in order for | |||
the reduction of 20% of the penalty to be applicable, unlike what is expressly | |||
established in relation to the discount for voluntary payment of the penalty, which may | |||
be applied when said payment is made at any time prior to the resolution. If the | |||
aforementioned provision has distinguished the conditions in the two methods of | |||
voluntary termination of the procedure indicated, no interpretation should equate these | |||
conditions as if there were no differences in their regulation. | |||
Article 85.2 of the LPACAP refers expressly and solely to voluntary payment, and not | |||
to the recognition of liability, determining that such payment may be made at any time | |||
prior to the resolution. Thus, it is not possible to distinguish or oblige where the Law | |||
does not distinguish or oblige. Furthermore, Article 85.3 states that "In both cases, | |||
when the sanction is solely of a pecuniary nature, the body competent to resolve the | |||
procedure shall apply reductions of at least 20 % of the amount of the proposed | |||
sanction, which may be cumulative. The aforementioned reductions must be specified | |||
in the notification of the initiation of the procedure and their effectiveness shall be | |||
conditional upon the withdrawal or waiver of any administrative action or appeal against | |||
the sanction". | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
60/61 | |||
implies that both must be in the initiation agreement (reference of article 85.1 to 64 of | |||
the LPACAP), so it does not contemplate that both reductions are in the resolution | |||
proposal or that they can be paid cumulatively at any time prior to the resolution. | |||
This is also the understanding of the Audiencia Nacional, Sala de lo Contencioso- | |||
administrativo, Sección 1a, which in its Judgment of 05/02/2021, Rec. 41/2019, | |||
indicates that voluntary payment can take place at any time prior to the resolution, | |||
while the reduction for recognition of liability is linked to the agreement of initiation and | |||
to the provision of article 64.2.d) of Law 39/2015: | |||
"With regard to the infringement of the provisions of Articles 64 and 85 of Law 39/2015, which | |||
provide for the possibility of recognising liability at the time of notification of the decision to | |||
initiate the procedure (Article 64.2.d) and availing oneself of the reductions provided for in | |||
Article 85, in the decision to initiate the procedure there is an express reference to those | |||
articles, indicating that paragraphs 2 and 3 of Article 85 are not applicable; furthermore, at no | |||
time has the applicant shown its willingness to acknowledge liability for the infringement | |||
penalised and avail itself of the possibility established in those articles (voluntary payment may | |||
be made at any time prior to the decision), and therefore this argument must also be | |||
dismissed" . | |||
The purpose is also different for each one of those modes of termination of the | |||
procedure. In the case of the recognition of liability (Article 85.1), the aim is to achieve | |||
greater efficiency in administrative action with a rapid completion of the procedure, | |||
which is also associated with the waiver of the administrative appeal. This implies a | |||
saving of time, effort and, therefore, of costs, which subsidises the recognition of | |||
liability with a 20% reduction. The position defended by MERCADONA does not | |||
achieve this aim, as the procedure would be carried out in its entirety, which is why this | |||
reduction is not obtained. | |||
In the case of voluntary payment (Article 85(2)) the purpose is different, since in this | |||
case it is referred to as "at any time prior to the decision". | |||
On this issue, the provisions of other sanctioning regimes, such as those mentioned by | |||
MERCADONA in its allegations, do not condition the regulations applicable to this | |||
procedure, nor do they prevail over them. Furthermore, some of the regulations cited | |||
by MERCADONA in this regard do not establish that the recognition of liability entails | |||
the application of a discount, even if it occurs after the proposed decision and before | |||
the decision, as in the case of Law 16/1987, of 30 July, on Land Transport | |||
Organisation (LOTT), article 146.3 of which only refers to voluntary payment: | |||
"Payment of the financial penalty prior to the issuing of the sanctioning decision shall imply | |||
conformity with the facts denounced and the waiver of the interested party to make allegations | |||
and the termination of the procedure, although an express decision must nevertheless be | |||
issued. | |||
The case of Law 7/2014, of 23 July, on the Protection of Consumers and Users of the | |||
Balearic Islands, is no different when it establishes the application of a | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
61/61 | |||
reduction "if the allegedly liable party agrees to the content of the resolution of initiation | |||
and justifies the payment of the aforementioned amount during the fifteen days | |||
following its notification"; although it expressly contemplates the application of a lower | |||
reduction if the agreement is given in relation to the content of the proposed resolution, | |||
which Law 39/2015 does not do. | |||
MERCADONA also considers that its interpretation of the aforementioned provision is | |||
supported by the courts, and cites three judgments. Two of these, STS 232/2021, of 18 | |||
February, (appeal 2201/2020), and that handed down by the High Court of Justice of | |||
Madrid, Chamber for Contentious-Administrative Proceedings, no. 79/2020, of 6 | |||
February, do not contain the pronouncement expressed by the claimant. 79/2020, of 6 | |||
February, do not contain the pronouncement expressed by the respondent (the STS | |||
establishes as a doctrine "the waiver or withdrawal required in Article 85 of Law | |||
39/2015 to be able to benefit from the reduction in the amount of the penalty is | |||
projected solely and exclusively on the actions or appeals against the penalty to be | |||
exercised in administrative proceedings and not in judicial proceedings"); and the third | |||
refers to a case in which the appellant acknowledged his liability in the statement of | |||
allegations to the agreement to initiate the penalty proceedings. | |||
On another note, it should be pointed out that the Report of the Legal Office of the | |||
Junta de Andalucía cited in the allegations to the proposed resolution refers to the | |||
voluntary payment of the penalty (article 85.2 of Law 39/2015) and not to the | |||
acknowledgement of liability. | |||
Therefore, in accordance with the applicable legislation and taking into account the | |||
criteria for the graduation of the sanctions whose existence has been accredited, | |||
the Director of the Spanish Data Protection Agency RESOLVES: | |||
FIRST: IMPOSE a fine of 70,000 euros (seventy thousand euros) on MERCADONA, | |||
S.A., with tax identification number A46103834, for an infringement of Article 12, in | |||
relation to Article 15, both of the RGPD, as defined in Article 83.5.b) and classified as | |||
minor for statute of limitations purposes in Article 74.c) of the LOPDGDD. | |||
SECOND: IMPOSE a fine of 100,000 euros (one hundred thousand euros) on | |||
MERCADONA, S.A., for an infringement of Article 6 of the RGPD, typified in Article | |||
83.5.a) and classified as very serious for the purposes of prescription in Article 72.1.b) | |||
of the LOPDGDD, for a fine of 100,000 euros (one hundred thousand euros). | |||
THIRD: TO REQUIRE MERCADONA, S.A., within one month of notification of this | |||
resolution, to bring its actions into line with the personal data protection regulations, | |||
with the scope expressed in Ground of Law IX, and to justify to this Spanish Data | |||
Protection Agency the fulfilment of this requirement. The text of the resolution | |||
establishes the infringements committed and the facts that have given rise to the | |||
breach of the data protection regulations, from which it is clearly inferred what | |||
measures are to be adopted, without prejudice to the fact that the type of procedures, | |||
mechanisms or specific instruments to implement them corresponds to the sanctioned | |||
party, since it is the data controller who is fully aware of its organisation and has to | |||
decide, based on proactive responsibility and a risk-based approach, how to comply | |||
with the GDPR and the LOPDGDDD. | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
62/61 | |||
FOURTH: TO NOTIFY MERCADONA S.A. of this resolution. | |||
FIFTH: To warn the sanctioned party that they must pay the penalty imposed once this | |||
resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law | |||
39/2015, of 1 October, of the Common Administrative Procedure of Public | |||
Administrations (hereinafter LPACAP), within the voluntary payment period established | |||
in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, | |||
of 29 July, in relation to art. 62 of Law 58/2003, of 17 December, by means of payment, | |||
indicating the NIF of the sanctioned party and the procedure number that appears in | |||
the heading of this document, into the restricted account number ES00 0000 0000 | |||
0000 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection | |||
Agency at the bank CAIXABANK, S.A.. Otherwise, it will be collected during the | |||
enforcement period. | |||
Once the notification has been received and once enforceable, if the enforceability date | |||
is between the 1st and 15th of each month, both inclusive, the deadline for voluntary | |||
payment will be until the 20th of the following month or the immediately following | |||
working day, and if it is between the 16th and the last day of each month, both | |||
inclusive, the deadline for payment will be until the 5th of the second following month or | |||
the immediately following working day. | |||
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be | |||
made public once it has been notified to the interested parties. | |||
Against this resolution, which puts an end to administrative proceedings in accordance | |||
with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of | |||
the LPACAP, the interested parties may lodge an appeal for reversal with the Director | |||
of the Spanish Data Protection Agency within one month of the day following | |||
notification of this resolution or directly lodge a contentious-administrative appeal with | |||
the Contentious-Administrative Chamber of the National High Court, pursuant to the | |||
provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, | |||
of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two | |||
months from the day following the notification of this act, in accordance with the | |||
provisions of Article 46.1 of the aforementioned Law. | |||
Finally, it should be noted that in accordance with the provisions of art. 90.3 a) of the | |||
LPACAP, the final administrative decision may be suspended as a precautionary | |||
measure if the data subject expresses his/her intention to file a contentious- | |||
administrative appeal. If this is the case, the interested party must formally | |||
communicate this fact in writing to the Spanish Data Protection Agency, submitting it | |||
through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica- | |||
web/], or through any of the other registers provided for in art. 16.4 of the | |||
aforementioned Law 39/2015, of 1 October. The documentation accrediting the | |||
effective filing of the contentious-administrative appeal must also be sent to the | |||
Agency. If the Agency is not aware of the lodging of the contentious-administrative | |||
appeal within two months of the day following notification of this resolution, the | |||
precautionary suspension will be deemed to have ended. | |||
Mar España Martí | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
938-100322 | |||
www.aepd.es | |||
sedeagpd.gob.es | |||
Director of the Spanish Data Protection Agency | |||
63/61 | |||
C/ Jorge Juan, 6 | |||
28001 - Madrid | |||
www.aepd.e | |||
</pre> | </pre> |
Latest revision as of 11:16, 15 June 2022
AEPD - PS/00267/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR Article 12 GDPR Article 15 GDPR Article 83(2)(e) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 31.12.2020 |
Decided: | |
Published: | 13.05.2022 |
Fine: | 170000 EUR |
Parties: | MERCADONA S.A. |
National Case Number/Name: | PS/00267/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined Spain's biggest supermarket chain €170,000 for violating Articles 12 and 15 GDPR by not replying to the access request of the data subject and Article 6 by deleting video footage without a legal basis.
English Summary
Facts
The controller, MERCADONA S.A., is the biggest supermarket chain in Spain. The data subject suffered an accident in one of the controller's stores which was video surveilled by the controller. With the purpose of claiming damages against the controller, the data subject requested access to the video footage after the accident occurred via an online contact form provided by the controller. On the same day the data subject received an auto-response from the controller that her message has been sent successfully. Afterwards the data subject also filed a complaint with the controller about the accident via email which included name, email-address, telephone number, a description of the accident and the damages she suffered. The controller replied to this email by providing a reference number for the case.
After the controller did not reply to the access request for over a month, the data subject's lawyer sent an email to the controller's DPO following up on the access request. The DPO responded that they were not aware of any access request and that the video footage had already been deleted because they were obliged to erase the footage one month after it was recorded according to Article 6 of the Instruction 1/2006 of the AEPD (Spain) on the processing of personal data for surveillance purposes through camera or video camera systems. After having received this negative answer of the controller, the data subject lodged a complaint with the DPA.
During the DPA's investigation it turned out that the access request did not reach the DPO's attention because of a human error in the management of the case. Further, the controller had compensated the data subject during the proceedings, which resulted in the data subject withdrawing their complaint before the DPA. The DPA, however, decided to continue the investigation on its own (ex officio) and render a decision. The controller objected to this approach, arguing that the DPA had terminated proceedings before in similar cases only violating Articles 15-22 GDPR.
Holding
The DPA fined MERCADONA S.A. €70,000 for violating Articles 12 and 15 GDPR by not replying to the access request of the data subject and €100,000 for violating Article 6 GDPR by deleting the video footage without a legal basis (in total €170,000).
At first, the DPA concluded that it was not bound by the settlement of the parties, nor by the withdrawal of the complaint of the data subject. The DPA considered that it was allowed to continue the investigation on its own since Article 64.2 LOPDGDD (Spanish Data Protection Law) and general Spanish Administrative Law (Art. 63.1 LPACAP) provides for this situation. Furthermore, it found that the compensation of the data subject did not exonerate the controller from its liability arising from the violations of the GDPR.
At second, the DPA rejected the controller's argument that it should have dropped the case because it had allegedly done so in previous similar cases. The DPA found that this case is already different from the previous cases because it involves not only a violation of Article 15 but also Article 6.
At third, the DPA held that the controller violated Articles 12 and 15 by not replying to the access request. It found that the obligation under Article 6 of the Instruction 1/2006 to delete video footage after, at latest, one month conflicts with the obligation to answer an access request at the latest one month after it was received under Article 12(3). The DPA concluded that the responsibility to answer an access request under the GDPR takes precedence since otherwise a controller could always evade the data subject's right to access by invoking the deletion obligation under the Instruction 1/2006.
At fourth, the DPA held that the controller violated Article 6 because it deleted the video footage without a legal basis. The DPA found that none of the requirements of Article 6(1) were met. The DPA reasoned that the data subjects interest in obtaining the video footage as evidence, as a part of its right to effective remedy under Article 24 of the Spanish Constitution, outweighed the data protection considerations as well as the controller's obligation to delete the footage within one month under Instruction 1/2006. To reinforce its reasoning, the DPA referred to the opposite situation where a controller is under Article 6(1)(f) allowed to keep the video footage for a longer period than one month in order to defend itself against a claim.
When determining the amount of the fine the DPA considered, among others, as aggravating factors that (i) the data subject was not able to use the video footage to enforce its claims against the controller, that (ii) the controller did only respond after the deletion and that (iii) the images of the data subject processed were sensitive data (although not special category data under Article 9 GDPR). Moreover, the DPA held that the absence of a previous offence of the controller does not constitute a mitigating factor, whereas previous violations consitute an aggravating factor according to Article 83(2)(e) GDPR.
Comment
The decision of the DPA could be seen as a confirmation that Article 15 generally prevails over specific national law provisions. Interestingly enough the prevalence of EU Law, and specifically the GDPR, is hardly addressed in the decision.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/61 • File No: PS/00267/2021 DECISION ON DISCIPLINARY PROCEEDINGS From the procedure conducted by the Spanish Data Protection Agency and on the basis of the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant), on 31/12/2020, filed a complaint with the Spanish Data Protection Agency. The complaint is directed against MERCADONA S.A., with Tax Identification Number A46103834 (hereinafter, MERCADONA or the respondent), for failure to comply with the claimant's right of access to her personal data, as the request had not been answered within one month. The grounds on which the complaint is based are as follows: The claimant states that on ***DATE.1 she suffered an accident in an establishment of the entity located at ***DIRECCION.1, and that, with the purpose of claiming damages, she exercised her right of access to the images from the security cameras, using the request form available on the website of the defendant, the one established in the Privacy Policy, receiving a message about the conformity of the sending, which took place on ***DATE.2. She adds that, after a month without receiving a reply, she sent an e-mail to the DPD of the entity, which replied denying receipt of the request for access and informing the complainant that the images had been deleted. On this occasion, the complainant sent the proof of sending the request for access, without receiving any further response. The complainant also points out that on ***DATE.3 she filed a complaint with MERCADONA itself about the accident, via its website, and received a reference for the case, so she does not understand why the images, which were the only proof of the facts, were deleted. Together with the complaint, he submitted the following documentation, which is set out in the Proven Facts: . Printout of the completed right of access request form via the Respondent's website, dated ***DATE.2. . Screenshot of the response message to the previous request. . Copy of the e-mail sent on ***DATE.4 by the complainant's representative to the DPD of MERCADONA, requesting the images. . Screen print of the e-mail sent by the complainant to the address "conducta@mercadona.es", dated ***DATE.3, with the subject "Complaint D201...", and MERCADONA's reply of ***DATE.5. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December 2018, of C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 2/61 December, on Personal Data Protection and guarantee of digital rights (hereinafter LOPDGDD), this complaint was transferred to the respondent on 03/02/2021, so that it could proceed with its analysis and inform this Agency, within a period of one month, of the actions carried out to adapt to the requirements set out in the data protection regulations. In response to this transfer, the defendant reported as follows: . MERCADONA began its response by presenting the facts of the case, confirming that sending the request via the form available on the website does not generate an acknowledgement of receipt and simply displays a response message indicating "the message has been sent correctly". It also refers to the e-mail that was sent by the complainant's representative to the DPD of the entity on the date ***DATE.6, and notes that this email was replied to informing "that the request had not been received and that the images were no longer available (they had been deleted more than 30 days after capture)". It adds that, once it became aware of the complainant's request through the aforementioned mail sent to the DPD, it reviewed the material and human processes involved, both technical and managerial, without observing any deviation. This verification led to the aforementioned response. On 09/02/2021, having become aware of the complaint, it sent the claimant a burofax in the same terms. It then reports on some details regarding the procedure it follows for data subjects to exercise their personal data protection rights, which are outlined in the First Proven Fact, and indicates that a total of 229 requests for personal data protection rights have been received and processed through the form during the year 2020. On the other hand, MERCADONA points out that, on ***DATE.7, the complainant's representative first contacted the entity for the sole purpose of reporting the incident and communicating her intention to request compensation for it, without any reference to the request for access made on ***DATE.2, which is the subject of the present complaint. The Respondent, on the other hand, understands that it cannot be inferred from the communication made by the complainant through the complaints channel that it was a request for the exercise of the right of access. Based on the foregoing, the Respondent concludes that it acted at all times in accordance with the regulations in force, according to the scheme established to comply with the exercise of customers' rights. In this specific case, when it first became aware of the request for access on ***DATE.4, it replied to the request on ***DATE.8, responding to the only known address of the applicant. With its reply, it provided a copy of the following documentation, which is set out in the Proven Facts. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 3/61 . Copy of a letter sent by MERCADONA to the complainant's representative, dated ***DATE.9, with the subject "Right of access". . Copy of the mail sent by the complainant's representative to MERCADONA, of ***DATE.7, cited above. THIRD: On 16/04/2021, the Director of the AEPD agreed to admit the complaint for processing. FOURTH: On 05/07/2021, the Subdirectorate General for Data Inspection accessed the information available on the entity claimed in "Axesor". It appears that this entity belongs to the "Commerce" sector (...). FIFTH: On 19/07/2021, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against MERCADONA, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of 1 October, on the Common Administrative Procedure for Public Administrations (hereinafter, LPACAP), for the alleged infringement of articles 12 and 6 of the GDPR, classified in articles 83.5.b) and 83.5.a) of the aforementioned Regulation, respectively; and classified as minor and very serious for statute of limitations purposes in articles 74.c) and 72.1.b) of the LOPDGDD. In the opening decision, it was determined that the penalties that might be applicable, in view of the evidence existing at the time of opening and without prejudice to the outcome of the investigation, would amount to a total of 170,000 euros (70,000 euros for the infringement of Article 12 and 100,000 euros for the infringement of Article 6, both of the GDPR). It was also warned that the infringements alleged, if confirmed, could lead to the imposition of measures, in accordance with the provisions of the aforementioned article. 58.2 d) of the GDPR. SIXTH: Having been notified of the aforementioned agreement of initiation and having extended the period granted to make allegations, the entity complained against presented a letter dated 02/08/2021, in which it requested that the sanctioning procedure be shelved in accordance with the following considerations: 1. Firstly, he refers to the accident suffered by the claimant, which, as he indicates, was communicated to him by complaint of ***DATE.3 made through its website, and points out that the internal investigation carried out by the entity itself after the transfer process detected a human error in the management of the civil claim filed by the claimant, which led to it not reaching the attention of the Data Protection Delegate (DPD) or his team and the lack of attention to the request for access formulated. As a result, the claimant was contacted, through her representative, and an agreement was reached that compensates the damages suffered as a result of the accident and those derived from the failure to attend to her right of access to her personal data, so that the error in attending to the right has not caused her any damage and/or harm. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 4/61 Furthermore, it states that disciplinary measures have been adopted internally, as well as technical and organisational measures, to prevent a similar error from occurring in the future and to ensure that requests made through the web form are sent to the DPD. 2. It considers it inappropriate to initiate sanctioning proceedings in a case referring exclusively to the failure to respond to a request to exercise the rights established in Articles 15 to 22 of the GDPR, and highlights the exceptional nature of such proceedings, which has been highlighted by the AEPD in various actions (E/10485/2019, TD/00120/2021 and RR/00506/2021), indicating that "whenever possible, alternative mechanisms should be chosen to prevail in the event that they are protected by the regulations in force...." and that there must be elements that justify the initiation of the sanctioning procedure. In this regard, MERCADONA adds that, in the present case, the agreement to initiate the procedure does not specify the specific aspects that justify the initiation of the sanctioning procedure, nor how, through the imposition of a sanction on the entity, the guarantees and rights of the complainant could be restored, which, according to the Authority, would not be duly restored through the procedure under article 64.1 of the LOPDGDD. In this case, the facts refer exclusively to the failure to respond to a request for the right of access, without there having been any breach of other provisions that would justify the opening of sanctioning proceedings, in view of the factual circumstances set out in the previous point, and the guarantees and rights of the interested party have been restored. Thus, it considers that the initiation agreement has not duly motivated the opening of the procedure, contrary to the provisions of Article 35.8 of Law 39/2015, letters h) and i), which may render the administrative act null and void in accordance with the doctrine of the Supreme Court insofar as it may deprive the interested party of the necessary means of defence or hinder jurisdictional control (STS 5701/1998, STS 1935/2003 or STS 8046/1999). It stresses that, in the case of a discretionary act, the motivation must be more intense, expressing the logical process that leads the Administration to take the decision (STS 7626/1998, citing in turn the SSTS of 15/06/1984, 13/07/1984 and 07/02/1987, among others). Finally, MERCADONA indicates that, if the purpose of opening the sanctioning procedure is to ensure that the "guarantees and rights of the interested parties are duly restored", as indicated in Ground II of the Agreement to initiate the Sanctioning Procedure, this entity has taken actions to repair and mitigate the damages suffered by the interested party, for not having responded in time to the right of access due to the human error detected, and therefore the guarantees and rights of the claimant have been duly restored. It therefore considers that it is not appropriate to initiate disciplinary proceedings and that, moreover, no justification has been given for that decision. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 5/61 3. Considering the alleged human error, it invokes the principle of fault, pointing out that there are no errors in the past. It cites Article 28.1 of Law 40/2015, which establishes the Principle of liability of the sanctioning power, and several precedents in which the AEPD has declared that the principle of culpability constitutes an essential note in sanctioning matters and that so- called strict liability has no place in administrative sanctioning law, so that the mere commission of an administrative infringement is not sufficient when it comes to proceeding to impose an administrative sanction, There must be wilful or negligent conduct, whether serious or slight negligence or simple negligence, depending on the degree of inattention, there being no negligence, and therefore no culpable and punishable offence, "when the necessary diligence has been applied in complying with the obligations required in terms of the LOPD" (PS/00724/2014). As human error is involuntary, there is no culpability, as it would never be possible to demand diligence of such a calibre that, in terms of result, it would be immune to any human or technical failure, as this would completely empty the aforementioned principle of culpability of its content, being no different from a mere imputation by way of objective causation. This is reflected in several decisions of the Authority, such as those handed down in the cases indicated with the numbers E/03468/2009, in which the AEPD brings up case law doctrine of the AN and the SC on error and the relationship with fault (".....no system is unfailing or immune to the existence of possible errors, so that, once they have occurred, the importance and scope of the same must be analysed, in order to avoid strict liability on the part of the subject of the obligation of custody of the same"); E/00546/2010; E/01795/2011 ("....In the present case, there is no requirement of malice or negligence with regard to the conduct of the companies complained of, but rather we would be dealing with a case of error with an allegedly infringing result, insofar as there could be a possible unlawful result, but not a willful intention with regard to that result... In this sense, the Audiencia Nacional itself has expressed itself in similar situations in judgments such as those handed down on 16 March 2004 and 2 March 2005, in which it states the following respectively.... We must bear in mind that, as the National High Court makes clear, and insofar as there is no willfulness in the act, that there has been no particularly harmful result in what happened, and that there is no evidence of a lack of care in the generalised action of the company denounced in its communications, it would be contrary to the nature of the administrative sanctioning sphere, subject to the principles of minimum intervention and proportionality, to impose a sanction in respect of the act produced, which can be summarised as a mere error not deserving of sanctioning action"). In the present case, the entity has taken the necessary diligence in complying with the obligations established in the data protection regulations and acts in all its processes with the utmost diligence, and always within its commitment to transparency and respect for regulatory compliance with regard to the processing of its customers' data. Thus, it has established an intuitive and simple procedure in relation to the exercise of Data Protection rights, which establishes the requirements set out in the RGPD and the LOPDGDDD. With regard to the information provided to customers on how to exercise their rights, it has established a simple and straightforward process on which the institution reports C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 6/61 through different channels (posters at the entrances to the shops; a call to the Customer Service freephone number; or the Privacy Policy published on the website, which includes a link to the form for exercising rights). In the present case, the complainant opted for the web form, whose requests are received by the Customer Service Department. And it details the processing process followed by the application, which is outlined in the First Proven Fact. This process contemplates that requests for the exercise of data protection rights are communicated by the manager to the Data Protection Delegate, through a non- automated procedure. This is the only non-automated step in the entire rights management procedure and, to date, no error has ever occurred, neither of a technical nor human nature, in the management of data protection requests, the established system working perfectly, thanks to the special and constant training that the entity provides to the professionals in charge of managing this type of request, through which the great importance of the fundamental right to data protection and especially the rights of data subjects is conveyed. In relation to exercises of rights received through the web form, a total of 229 requests for ARSOPL rights were received and satisfactorily processed during 2020 (January- September: 188 and October-December: 41). The entity can affirm that it has not been previously sanctioned by the AEPD in terms of data subjects' rights, and internally, there is no record to date of any complaint to the DPD, nor any complaint form, regarding the non-response or non-receipt of requests from data subjects. However, additionally, the entity has proceeded to reinforce the instructions to the staff in charge of handling data protection requests from data subjects, especially those sent by data subjects through the Customer Service form and which the managers assigned to process them receive in their folders, placing special emphasis on their communication to the DPD until the procedure is fully automated, through a communiqué sent by the Data Protection Delegate on 02/08/2021 August. In view of the procedure established, MERCADONA concludes that it has at all times observed the diligence and duty of care required of it, establishing the necessary procedures to manage data subjects' requests and providing specific training to the employees in charge of managing such requests and communicating them to the Data Protection Delegate. In addition, preventive measures are implemented, such as periodic controls carried out by the coordinators, in order to avoid incidents. The contrary would be to assume strict liability on the part of the subject of the obligation of custody of the same, despite the fact that there is no evidence of a lack of care in the generalised action, the entity having shown the diligence and duty of care required of it, through the implementation of formative and preventive control measures. Furthermore, the importance and scope of the error should be taken into account, which was not C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 7/61 The nature of the error, that given the large amount of data processed by the entity, no system is unfailing or immune to the existence of possible errors, as has been the case here, and that on the other hand, (technical) measures have been adopted to prevent this from happening in the future. 4. MERCADONA considers that the principle of typicality has been infringed by the following circumstances: . When it is stated in the decision to initiate proceedings that Article 6 of the GDPR has been infringed and that this could lead to the commission of the offence defined in Article 83(5)(a) of the GDPR, the offending conduct is not specified at all. . It is also indicated in the opening agreement that the facts could involve a breach of the provisions of Article 6 of the GDPR, in relation to Article 22 of the LOPDGDD. Article 6 of the GDPR has four paragraphs, which in turn have different sub- paragraphs, and it is not specified which paragraph and letter of Article 6 is the one that could have been allegedly violated. The same applies to Article 22 of the LOPDGDD, which has eight paragraphs and does not specify which specific paragraph(s) and section(s) might have been violated. Furthermore, the relationship between Article 6 of the GDPR and Article 22 LOPDGDD is also not explained. . It is not explained in detail or is not adequately substantiated why the fact of having erased images within the legally established time limit, because of a failure to respond to a right of access due to human error, constitutes a breach of the conditions of lawfulness, and specifically, which of them. According to MERCADONA, all of this causes defencelessness and contributes to legal uncertainty (Article 9.3 of the Constitution). It cites the decision handed down by the AEPD in case E/02434/2020, in which it states: "In short, this principle implies, firstly, that punitive laws can only be applied to those conducts that meet all the elements of the type described, i.e., that a conduct can be defined as "typical" when there is identity or homogeneity between the act committed and the circumstances described in the rule. The prohibition of analogy, for its part, implies that a sanction cannot be imposed for an act that does not fit in with the literal nature of the type of offence, even if it bears some kind of conceptual similarity or proximity to it". In view of the foregoing, the defendant considers that the decision to initiate the disciplinary proceedings does not comply in any way with the principle of criminalisation since, firstly, the provisions allegedly infringed have not been specified, nor has the relationship between them been explained; secondly, there is no identity between them; and, thirdly, there is no evidence of the existence of the same offence. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 8/61 between the act committed and the circumstances described in the law, since at no time has there been any unlawful processing of data (art. 6 RGPD) nor has there been any breach of the provisions of article 22 of the LOPDGDD, and thirdly, a sanction cannot be imposed for an act that does not fit within the wording of the type of offence, even if it bears some kind of conceptual similarity or proximity to it (prohibition of analogy). 5. MERCADONA scrupulously complies with the provisions of article 22.3 of the LOPDGDD regarding the obligation to conserve images captured by video surveillance systems, as these images are permanently deleted more than 30 days after they are captured. In the case that is the subject of this complaint, due to human error, the claimant's request for access was not processed correctly, but this in no way implies a breach of the provisions of Article 22.3 LOPDGDD, which states the following: "3. The data shall be deleted within a maximum period of one month from their capture, except when they have to be kept to prove the commission of acts that threaten the integrity of persons, property or installations. In this case, the images must be made available to the competent authority within a maximum period of seventy-two hours from the time the existence of the recording became known. The blocking obligation provided for in Article 32 of this Organic Law shall not apply to such processing" . In the AEPD's "Fichas prácticas de videovigilancia información general", updated in 2021, the following is indicated (provide screen print): "The images shall be kept for a maximum period of one month from their capture, after which they shall be deleted. In the event of the recording of a crime or administrative offence to be brought to the attention of an authority, the images shall accompany the report and shall be kept for the sole purpose of making them available to that authority and may not be used for any other purpose. Therefore, regarding the obligation of general erasure after a maximum of one month has elapsed since the images were captured, the exception is given by the recording of a crime or administrative offence that must be brought to the attention of the authorities, and we cannot include other cases within this exception to the general rule, as the LOPDGDD itself does not include them. Article 22.3 LOPDGDD speaks of "(...) except when they have to be kept to prove the commission of acts that threaten the integrity of persons, goods or installations", so it is not referring to any act, but to those that involve conduct by a third party (committing an act) against persons, goods or installations, i.e. an act must be committed by a person that threatens the integrity of persons, goods or installations. Let us remember that all exceptions must be interpreted restrictively and to hold otherwise would violate both the principle of typicality and the prohibition of analogy, since a sanction cannot be imposed for an act that does not fit within the literal wording of the C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 9/61 type of infringement, even if it bears some conceptual similarity or proximity to it. In a similar case (Procedure E/02434/2020) in which the Guardia Civil requested images from a catering establishment "as these were decisive for the clarification of the facts", and these had already been erased, the AEPD indicates that it is necessary to analyse whether the conduct described constitutes an infringement and states that "The aforementioned Article 22.3 LOPDGDD, must be put in connection with the provisions of article 32 LOPDGG, "Blocking of data" and concludes that "the obligation to "block" images obtained through video-surveillance systems is one of the exceptions determined by the Legislator, so that the defendant could not be charged with an administrative offence in the terms of art. 72n) LOPDGDD", and therefore the complaint is archived: "In accordance with the above, it can be concluded that there is no obligation to block the images obtained through the system, nor does the Legislator require that they must necessarily be kept for a period of one month, and this body lacks greater knowledge of the circumstances that led to the deletion of the images (e.g. intentionality or simple human error), all of which reasons make it advisable to order the archiving of the present proceedings". If in the aforementioned case, in which the images were requested by the Guardia Civil for the clarification of allegedly criminal acts, the Authority concluded that there was no obligation on the part of the establishment to block the images, even less so in the present case in which we are not dealing with the commission of a crime or administrative offence, which would justify "making the images available to the competent authority within a maximum period of seventy-two hours of becoming aware of the existence of the recording", which is what is actually established in Article 22.3 of the LOPDGDD, and not an obligation of conservation, not even partial. In conclusion, there has been no breach of any provision establishing an obligation to preserve images, since Article 22.3 LOPDGDD does not establish such an obligation, but only establishes the obligation to communicate certain recordings to the authorities, and sanctioning for this would be a violation of the Principle of Typicality and the prohibition of analogy. It is a different matter if, due to the failure to receive or process the request for the right of access correctly, possible damages have been caused to the claimant, which have already been repaired through the agreement reached with the claimant as explained above, but in no way can the fact that the claimant filed a complaint against the establishment for the purpose of claiming damages for civil liability (without actually exercising a right of access to the images in said complaint and which did not refer to the exercise of the previously exercised right of access) be linked to a legal obligation to conserve the images, which, moreover, Art. 22.3 does not establish, since this precept is limited to establishing the obligation to make available to the competent authority within a maximum period of seventy-two hours those images that serve to "accredit the commission of acts that threaten the integrity of persons, property or installations" and not of any event that does not involve the recording of a crime or administrative offence. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 10/61 Therefore, it is clear that Article 22(3) does not establish an obligation to preserve images that the organisation has not respected. Accepting the contrary would mean that data controllers would be obliged to review all recordings on a daily basis in order to preserve any recording in which a person may have fallen, fainted, etc., in addition to notifying the competent authorities of such events which would not fall within their competence, as in the present case, and penalising them for this would be a violation of the Principle of Typicality and the prohibition of analogy. The following documents were submitted with the allegations: . Specification agreement addressed to the Systems Department to carry out a new development on the corporate website that involves automating the sending of any exercise of rights to the Data Protection Delegate. With the aim of facilitating the exercise of rights, this document includes a "FAQ" to explain how to exercise the right and a link to a form, "which by completing it will reach" the legal team to manage the request. . "Certification" from the Human Resources Department in relation to the imposition of the internal disciplinary measure. It is said that the investigation carried out detected that an employee of the Civil Liability Area in charge of the management of the claim which is the subject of the present proceedings "had incurred in a lack of diligence in his functions and which have originated the lack of attention to the right of access in matters of video surveillance", for which reason "internal disciplinary measures were applied to him for negligently failing to carry out the working methods established by the company, having been duly trained for them". . Communication from the DPD of the respondent entity addressed to the "processing managers" of the Customer Service Department", sent by e-mail dated 02/08/2021. It lists the channels for the exercise of rights and reports the following: "As you know, if the data subject uses the web form for the exercise of a right, through an automated procedure, the system assigns the request to a manager and sends it to his or her folder. IMPORTANT: Those requests for the exercise of data protection rights, as you know and as you have been doing to date, must be sent immediately to the Data Protection Delegate ***EMAIL.1, so that a response can be given in due time and form to the Head (client) who requests it. It is currently a process that is carried out manually, so the IT Department has been asked to study and evaluate the automation project in order to avoid any human error in the management". . Documentation on a training for the "900 Line Area", carried out in May 2021, which includes a section on personal data protection. SEVENTH: On 29/07/2021, this Agency received a letter presented by the representative of the claimant, in relation to the opening of the procedure C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 11/61 sanctioning, by means of which it communicates "that an agreement has been reached with Mercadona, through which the damages and losses suffered by my client, both material and immaterial in the area of civil liability, as well as in the area of data protection due to the failure to comply with the right of access, the reason for the complaint filed, have been duly and sufficiently compensated". On this basis, it concludes by stating that the damages have been compensated and the claimant's right has been satisfied, and requests "that my claim be considered to have been met and, therefore, that the case be closed". EIGHTH: On 02/03/2022 a motion for resolution was formulated in the following sense: 1. Sanction MERCADONA, for an infringement of Article 12, in relation to Article 15, both of the RGPD, as defined in Article 83.5.b) and classified as minor for the purposes of prescription in Article 74.c) of the LOPDGDD, with a fine of 70,000 euros (seventy thousand euros). 2. That MERCADONA be sanctioned with a fine of 100,000 euros (one hundred thousand euros) for an infringement of Article 6 of the RGPD, as defined in Article 83.5.a) and classified as very serious for statute of limitations purposes in Article 72.1.b) of the LOPDGDD. 3. That MERCADONA be ordered to adopt, within the period of time to be determined, the measures necessary to adapt its actions to the personal data protection regulations, with the scope expressed in Ground of Law IX of the proposed resolution. NINTH: On 16/03/2022, a letter was received from the defendant entity in which it formulated allegations to the proposed resolution, requesting once again that the proceedings be closed and that the following requests be taken into account. It bases its request on the following considerations: 1. He reiterated the same allegations as above regarding the appropriateness of pursuing a procedure for failure to respond to a request for the exercise of rights, which, in his opinion, is the procedure that corresponds by legal imperative, rather than a disciplinary procedure; and pointed out that the former had a duration of six months from the date of admission for processing on 16/04/2021, which elapsed without any pronouncement being made. It understands that the responsibilities must also be clarified within the framework of the procedure regulated in Article 64.1 of the LOPDGDD; and that the same should be followed even if it is not possible to satisfy the right, as is the case here, as the data has been deleted, as the Agency has resolved in precedents that it describes as similar, in which the AEPD has formally upheld the data subject's claim within the procedure for the protection of rights, urging the respondent to provide a response but without appreciating a "lack" of purpose and without purging responsibilities (TD/00955/2018, TD/00830/2017 and TD/01272/2017). He adds that this is the understanding of the European Data Protection Board (EDPC) in its Guidelines 3/2019 on the processing of personal data by video devices: "Example: If the controller automatically deletes all images, for example within two days, it cannot provide the images to the data subject after two days. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 12/61 those two days. If a request is received by the responsible person after those two days, the person concerned must be informed accordingly. It also cites the proceedings followed by the AEPD under number E/02434/2020, which refers to a request by the State Security Forces and Corps for images that were decisive for the clarification of the alleged commission of a crime or administrative offence, which the Agency closed, concluding that there was no obligation on the part of the establishment to block the images and did not impose a sanction for this. Furthermore, MERCADONA considers that there has been no breach of provisions other than Article 12, paragraphs 2 and 3, in relation to Article 15 of the GDPR, which would justify the initiation of sanctioning proceedings, and argues that the alleged infringement is classified as "Failure to respond to requests to exercise the rights established in Articles 15 to 22 of the Regulation". Finally, it states that the same conduct is being sanctioned with two sanctions; and that the guarantees and rights of the interested party have been restored for the possible harm derived from the facts, as established in Article 82.1 of the GDPR. 2. MERCADONA insists on the allegations already made concerning the exceptional nature of the penalty procedure; the actions taken to restore the guarantees and rights of the interested party and to repair the damage, which are not achieved by the imposition of a penalty; as well as the lack of reasoning, in the present case, of the opening decision, unlike other cases in which it is justified by a general action of the person responsible that would affect all persons in the same situation, and not a specific error (PS/00003/2021), which does not even specify the paragraphs of Articles 12 and 6 of the GDPR that have been infringed. As in the previous section, also in this section 2, MERCADONA disputes the appropriateness of resolving the issues raised by means of a sanctioning procedure, arguing on the contrary the volume of rights applications it has processed in recent years; that it has not been previously sanctioned for this reason and there is no record of any complaint before the DPD; and that the necessary measures have been adopted to avoid similar errors, having fully automated the application management process, which have been assessed as mitigating factors together with the fact that in this case the anomaly only affects the complainant. It considers that it is not sufficient to justify the opening of the disciplinary proceedings by stating that by deleting the images there has been an infringement other than the infringement of Articles 15 to 22 of the GDPR, or that the proceedings for failure to comply with a right "lacked purpose" since the images did not exist. Moreover, it mentions the possibility of resorting to other remedial powers set out in Article 58(2) of the GDPR (warning, caution or other), depending on the circumstances of each individual case. It was only in the motion for a resolution that the AEPD first argued which specific paragraphs of articles 12 and 6 of the GDPR were considered to have been allegedly violated. And, with regard to the alleged violation C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 13/61 of Article 6 and its relationship with Article 22 of the LOPDGDD, it is also in the proposed resolution when, despite acknowledging the non-application of Article 22 LOPDGDD, the AEPD explains the legal reasoning and ratifies the proposed sanction. 3. He reiterates that the complainant's request for access was not handled because it was not brought to the attention of the DPD due to human error, already explained, in his opinion, in his submissions on the opening of the procedure. It again invokes the principle of culpability and the prohibition of strict liability in administrative law on penalties, which are considered in various decisions of the Agency itself, such as those indicated in its previous pleading and in judgments of the Audiencia Nacional (such as those handed down on 16/03/2004 and 02/03/2005, referring to an error in the movements of a bank account or a mistake in the sending of correspondence to a person's address, where there was no wilful misconduct and there is no evidence of a lack of care). In such cases, the AEPD has assessed the specific circumstances, bearing in mind that the mere commission of an administrative infringement -an objective type- is not sufficient when proceeding to impose an administrative sanction (PS/00724/2014); that no system is unfailing or immune to the existence of possible errors, so that, once they have occurred, the importance and scope of the same must be analysed, in order to avoid objective liability of the subject of the obligation of custody of the same (E/01795/2011); whether or not there is voluntariness in the act, whether a particularly harmful result has been produced or whether there is evidence of a lack of care in the generalised action (E/03468/2009); or proportionality (SANs of 16/03/2004 and 02/03/2005). With regard to the statements contained in the proposed resolution on this issue, MERCADONA indicates that the Agency does not substantiate what the lack of diligence consisted of. The only argument is that "it cannot be admitted that the actions of the respondent entity, by not processing the request for access to personal data, were diligent", which would have as a corollary the strict liability derived from any error, absent-mindedness, forgetfulness, etc., of the worker who should have redirected the request to the data subject. of the employee who had to redirect the request to the DPD, without taking into account the specific circumstances of the case and the fact recognised by the Authority itself that there were "adequate" procedures in place to handle this type of request and that no errors had occurred in the past to justify the change of procedure on the part of the person responsible, based on his diligence. As evidence of the existence in this case of generalised due diligence, the AEPD itself assesses as a mitigating circumstance the implementation of adequate procedures for action in the management of requests for the exercise of rights, such that the infringement is the consequence of an anomaly in the operation of these procedures that only affects the respondent. This being the case, MERCADONA considers that the error was not intentional, and adds that there has been no harmful result, as the entity has proceeded to avoid the possible damages that could have been caused. Finally, as regards the significance and extent of the error, the entity has pointed out that C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 14/61 The AEPD has not previously been sanctioned by the AEPD with regard to the rights of data subjects, and internally, there is no record to date of any complaint to the DPD, nor any complaint form, regarding the non-response or non-receipt of requests from data subjects. Despite being an "anomaly in operation", as defined by the AEPD itself, the entity has modified the management procedure by eliminating the only non-automated step. Thus, it has implemented a development, by means of a system of mail flow rules in the Exchange Server (also known as transport rules). These rules contain a set of conditions and actions that guarantee the automatic notification to the recipients of Customer Service (L900) and the Data Protection Delegate of those requests for the exercise of rights made through the web page form (automatic forwarding of a copy of the original message to the ***EMAIL.1 mailbox). As for its scope, it is clear from the AEPD that it only affects the respondent, which is taken into account as a mitigating factor in the sanction. On this point, it should be borne in mind that there has been no harmful result in what happened, since no damages have been derived from the extrajudicial satisfaction of the claim for compensation based on facts whose accreditation the images requested by the claimant were intended to serve. Furthermore, it has shown the diligence and duty of care required of it, through the implementation of formative and preventive control measures, as evidenced by the lack of errors in the past. He also points out that he did not base the failure to comply with the right on the deletion of the images, but on the human error indicated. The time limit had elapsed only as a consequence of the request not having reached the DPD. Proof of this is that a reply was given to the complainant on ***DATE.9, before the AEPD's request. As for the storage period of the images, in the rest of the European countries, there are either no storage periods, or they are less than 30 days, so that the situation raised by the AEPD is even more evident and possible to materialise if the data subject does not exercise his or her right of access before the deletion of the images takes place. Thus, the European Data Protection Committee, ECDC, in Guidelines 3/2019, in relation to storage periods and erasure obligations, states that: "Personal data may not be kept for longer than necessary for the purpose for which they are processed (Article 5(1)(c) and (e) of the GDPR). In some Member States, there may be specific provisions for retention periods in respect of video-surveillance in accordance with Article 6(2) of the GDPR. Whether or not the retention of personal data is necessary should be controlled within a short period of time. In general, the legitimate purposes of video surveillance are usually the protection of property or the preservation of evidence. Damage can usually be recognised within one or two days. In order to facilitate the demonstration of compliance with the data protection framework, it is in the interest of the controller to make organisational arrangements in advance (e.g. to appoint, if necessary, a representative for C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 15/61 examine and secure video material). Taking into account the principles of Article 5(1)(c) and (e) of the GDPR, namely data minimisation and limitation of the retention period, personal data should in most cases (e.g. for the purpose of detecting vandalism) be deleted, preferably automatically, after a few days. The longer the retention period (especially when it exceeds 72 hours), the more arguments should be provided for the legitimacy of the purpose and the necessity of retention'. Even the ECDC gives the following example for a shop: "Example: The owner of a small shop would normally notice any signs of vandalism the same day. Consequently, a normal 24-hour retention period would be sufficient. Closed weekends or longer holidays may nevertheless be grounds for a longer retention period. If damage is detected it may also be necessary to keep the video images for a longer period in order to bring claims against the offender". 4. The AEPD understands two different and independent conducts, when in fact one is a consequence of the other, because if the images were deleted it was precisely because there was no record of the request for access due to the error that had occurred. And it concludes that the concurrent circumstances prevail over the obligation to delete the images within a maximum period of one month from the time they were captured, in violation of the provisions of article 6 of the GDPR. In this regard, it points out firstly that when the complainant enquired about her request, a reply was given, as it was the first time it had come to her attention, and the maximum conservation period of 30 days had already elapsed, as in the similar cases mentioned above. Moreover, MERCADONA argues that deletion of data when it is no longer necessary does not require a legitimate basis. Deletion occurs precisely because there is no longer a legitimate basis for continuing to retain the data, since the maximum legal period of one month has elapsed, and a legitimate basis is required for their subsequent retention, not for their deletion as indicated by the AEPD. In other words, it is the "expiry" of the legal retention period, the very compliance with the applicable rule, which entails the deletion of the images, without the need to resort to any basis of legitimisation to carry out such deletion. If the AEPD's argument is accepted, there would have to exist in every Register of Processing Activities (including that of the AEPD itself), a processing operation called "deletion of images" with its corresponding basis of legitimisation, which makes no sense whatsoever. Thirdly, it should be noted that we are dealing with a maximum conservation period, as the AEPD itself indicates in its "practical video surveillance files" ("after which time the data will be deleted"), in the proposed resolution and in many resolutions. Such as that issued in procedure PS/00261/2020, which states the following: "Regarding the obligation to retain images for a period not exceeding 30 days, the (GDPR), in recital 39, announces the need to "ensure that the period of retention of personal data is limited to a strict minimum", which in turn must be "adequate, relevant and limited to what is necessary for the purposes for which they are processed". Article 22.3 of the LOPDGDD specifies - with regard to processing for the purposes of C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 16/61 video-surveillance - that "the data shall be deleted at the latest within one month of their collection". The exception is given by the recording of a crime or administrative offence that must be brought to the attention of the authorities ex Article 22.3 LOPDGDD, without us being able to include other cases within this exception to the general rule, as the LOPDGDD itself does not include them. It should be remembered that all exceptions must be interpreted restrictively and to hold otherwise would violate both the principle of typicality and the prohibition of analogy, since a sanction cannot be imposed for an act that does not fit in with the literal nature of the type of offence, even if it has some kind of similarity or conceptual proximity to it. In the Agreement to initiate sanctioning proceedings, the AEPD stated that it considered that the facts set out could breach the provisions of Article 6 of the Regulation, in relation to Article 22 of the LOPDGDD; and in the proposal it acknowledges that it is not applicable to the present case. Therefore, it is not understood what is the case analysed in the present proceedings and why this entity is considered responsible for an alleged infringement of art. 6 of the GDPR with respect to the same (attached extract from the Register of Processing Activity corresponding to the processing of Video Surveillance). The AEPD understands that "there are other circumstances that must be considered in the analysis of the lawfulness or unlawfulness of the deletion or erasure of personal data", directly linked to the particular situation of the claimant, but in no way can it be maintained that, due to these particular circumstances, of which the organisation has no reason to be aware, MERCADONA had a duty of retention. And this organisation warns that no justification or motivation should be provided by the interested party for the exercise of rights, and that the organisation should not make any assessment as to whether there may be a legitimate interest of the interested party that could justify the conservation of the images beyond the legal period. In the case of having received the request, the entity would have provided the data subject with a copy of the images, but not because the basis for legitimisation had changed, but because the data subject has the right to request the images through the right of access regardless of the motivation. In other words, MERCADONA did not have to make any weighting or assessment as far as standing was concerned. Reproduces again what is stated about retention and deletion periods in the above- transcribed ECDC Guidelines 3/2019, with the addition of the following paragraph: "If the controller uses video surveillance not only to monitor its premises but also to retain data, it must ensure that the retention is indeed necessary to achieve the purpose. If so, the retention period should be clearly defined and set individually for each particular purpose. It is the responsibility of the controller to define the retention period in accordance with the principles of necessity and proportionality and to demonstrate compliance with the provisions of the GDPR". C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 17/61 On the other hand, if a legal basis were needed to proceed with t h e deletion of the data, at no point does the AEPD specify what it is or what it should be, of those listed in Article 6 of the GDPR. According to the respondent, the proposed resolution confuses the concepts of "basis of legitimisation" with the "motives" or reasons that justified the conservation of the images. That the complainant had an interest in the images, and a right to obtain them, is beyond dispute, but the AEPD seems to ignore the fact that, if in the present case the images were not kept, it was not because it was considered that the complainant had no right to them or because it was considered that in any case the one-month storage period should be applied, but because, quite simply, there was a specific error in the handling of her request which prevented her replying in due time and form. The interest that the data subject may have in the images cannot be confused with the retention period of the images determined by the data controller or with the concept of the basis of entitlement. If a data subject exercises the right of access during the period in which the data controller retains the images, the request must be complied with, and the images must be retained, even if there was a formal defect in the request, precisely so that when this is remedied, the right can be satisfied. But in this case, the data controller was not made aware of the request, so the images could not be kept. Nor is the right of the organisation to keep the images if it deems it appropriate, for example, because it was sued by the claimant, in the example given by the AEPD itself, disputed, but this shows the confusion of the AEPD regarding the need for a legitimate basis for keeping the images beyond the established legal period, with the supposed need for a legitimate basis for deleting these images. In fact, in the aforementioned Guidelines 3/2019, in relation to the right of access in matters of video surveillance it is stated that: "The data subject has the right to obtain confirmation from the controller as to whether or not his or her personal data are processed...If, however, the data are still processed at the time of the request (i.e. if the data are retained or otherwise continuously processed), the data subject must obtain access and information in accordance with Article 15." "Example: If the controller automatically deletes all images within e.g. two days, it cannot provide the images to the data subject after those two days. If the controller receives a request after those two days, the data subject must be informed accordingly. In the present case, there is no conflict of rights to be weighed up by the controller, but simply a request for a right of access that was not granted because the controller was unaware of the data subject's request due to an isolated and specific error in the procedure. If MERCADONA deleted the images, it was because it was not aware of the data subject's request for access, not because it assessed her request negatively and did not grant access. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 18/61 The AEPD has considered that the right to effective judicial protection of judges and courts prevails. But it is not necessary to argue that the images should have been kept for a period of more than 30 days. If the request had been received, the interested party would have had a response in due time and form, without the need to keep the images for longer than the established period or to seek any additional basis for legitimisation. Given that the DPD did not receive the original request, the data was deleted in compliance with the established procedures. In other words, MERCADONA never found itself and would never have found itself (had the error not occurred) in the dilemma of whether or not to keep the data beyond the legal period, and therefore no weighing up can be required in the face of an alleged collision of rights that has not existed and will not exist. In the event that the request had been dealt with satisfactorily, the images would have been handed over without further assessment. Furthermore, if we accept that the data controller must analyse and assess the reasons why the data subject requests the data, we are giving the data controller powers that the law does not grant him/her. Furthermore, when the AEPD states that "there is legal authorisation for the processing of image data once the period established for their deletion has been exceeded, which is covered by Article 24 of the Constitution and its implementing regulations", it seems to introduce, for those cases in which a data protection right has not been exercised, an obligation for data controllers to supervise all images, on a daily basis, to assess whether it is necessary to keep any recordings in which a person may have fallen, fainted, etc., and need them in order to exercise their right to effective judicial protection, even in the absence of a request from the data subject. and needed to exercise his or her right to effective judicial protection, even in the absence of a request from the data subject. This reasoning cannot be shared or legally sustained, as it means demanding obligations from data controllers that are not in the law and that go beyond the purposes of a video surveillance system installed to guarantee the security of persons and property, as well as the security of their installations. It is a different matter if the data subject can request the images through the right of access and use them as he or she sees fit (for example, to provide them in a legal proceeding), but in no way can a general obligation of conservation for the controller be argued, contradicting the maximum legal period of conservation of the images, to safeguard a possible right of access to effective judicial protection of a person who has not exercised a right of access in data protection. It is clear that these purposes go beyond the purpose of the video surveillance system to preserve the security of persons and property, as well as of its installations (Art 22.1 LOPDGDD). However, the entity has proceeded to compensate the possible damages that the error and, therefore, the non-availability of the images may have caused to the claimant. For all the above reasons, no treatment has been carried out at any time. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 19/61 data without a basis of lawfulness. Nor has there been any breach of any provision establishing an obligation to conserve images, since Article 22.3 LOPDGDD does not establish such an obligation, and therefore penalising for this would be a violation of the principle of criminalisation and the prohibition of analogy. 5. It invokes the principles of legal certainty, which obliges the ius puniendi of the State to be subject to the principle of legality - Lex previa - and the principle of typicality - Lex certa -. On this basis, it expressly opposes the consideration of the alleged facts as constituting the alleged offence under Article 6 of the RGPD and Article 72.1.b) of the LOPDGDD, because, precisely, having kept them beyond the legal retention period would have meant processing without a legitimate basis. The offence of deleting images without a legitimate basis does not exist, it is not criminalised in the law, as all the lawful bases detailed in Article 6 involve positive, active data processing (processing data for a specific purpose, executing a contract, fulfilling a legal obligation, etc.), not negative (deletion). 6. As regards the graduation of sanctions, it notes the following: a) In relation to the infringement for failure to comply with the provisions of Article 12, in conjunction with Article 15, both of the GDPR, the Respondent considers that the following circumstances should be considered as mitigating and not aggravating: . There is only one person affected, the duration of the infringement does not last over time and was not of a general or structural nature, it is not a serious infringement and the damage that the complainant could have suffered has been repaired, putting her in the same situation she would have been in if she had used the images to file a complaint. . There is no intention or negligence in the infringement, since the infringement was "a consequence of an anomaly in the functioning of the procedures" which, according to the AEPD, the entity has implemented and which are adequate; the respondent has not previously been sanctioned for failure to comply with a right and there is not even any record of complaints at the level of the DPD or complaints forms, which shows that no errors had occurred to date, thanks to the training it provides to its staff (it provides documentation on training actions provided); and preventive measures have been implemented, such as periodic controls and the automation of the process. . The respondent has cooperated with the Agency and has not waited for the formal request to modify its procedure. . The categories of data concerned are image data and do not constitute special categories of data, as they are processed solely for the purpose of ensuring the security of persons, property and premises. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 20/61 This is the understanding of the ECDC in its Guidelines 3/2019: "Video surveillance systems typically collect massive amounts of personal data that may reveal data of a highly personal nature and even special categories of data. Indeed, seemingly insignificant data initially collected through video can be used to infer other information aimed at achieving a different purpose (e.g. tracking a person's habits). However, video surveillance is not always considered as processing of special categories of personal data". The category 'of a particularly sensitive nature' does not exist. An 'ordinary' video surveillance system does not allow for the prompt identification of data subjects, basically because there is no other data that could allow for such identification, nor does it use the data for purposes other than preserving the security of persons, property and premises. Moreover, in relation to the aggravating factors considered, it states that the data processing it carries out is the minimum necessary to carry out its main activity, which is the sale of food products, and that it is not possible to discriminate against the capture of images of customers. As regards professionalism in relation to the processing of data, it again notes that to date it has not been penalised for a lack of attention to the rights of data subjects, nor has any internal complaint been lodged. b) Regarding the aggravating factors considered to determine the sanction for non- compliance with the provisions of article 6 of the GDPR, MERCADONA reiterates what was expressed in relation to the previous infringement and adds, in relation to the seriousness of the infringement and intentionality or negligence, that the complainant's complaint to the establishment for the purposes of claiming damages for civil liability cannot be linked to a legal obligation to keep the images, which, moreover, article 22.3 does not establish. MERCADONA is not obliged to keep the images of every event that has occurred, without the person having requested the images, only in the eventuality that he/she might request them. It cannot be affirmed that "MERCADONA suppressed the images despite knowing that the claimant reported the accident and the damages suffered to the entity, and requested, for this reason, access to said images" because the entity was not aware of the request for access made. It also invokes the principle of proportionality and requests, in the alternative, that a warning or cautionary penalty be imposed or, in any event, that the proposed amount be reconsidered, as it is not proportionate; finally, it points out that the same conduct and facts (failure to exercise a right) are being punished by means of two different penalties, which result in a disproportionate total amount if we consider that the error has led to an 'anomaly in the operation of those procedures' which has affected a single person. 7. MERCADONA considers that the reduction for acknowledgement of liability provided for in article 85 of Law 39/2015, which the Agency limits to the period granted for submitting allegations at the opening of the procedure, may be applied at any time prior to the resolution. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 21/61 According to MERCADONA, the aforementioned article should be considered to regulate the voluntary and unilateral termination of the procedure by the party concerned as a "block", determining the options, conditions and their consequences; and that provision admits that the second form of voluntary termination of the procedure, voluntary payment, may be made at "any time prior to the decision". It considers that the proposed decision is the "natural" moment for the assumption of responsibility by the person concerned, without any infringement or affectation of his right to defence, contradiction and effective judicial protection. It is that proposal which determines the proven facts, their classification in the type of offence and the sanction, after the interested party has presented its allegations and evidence, without being subject to the initial agreement. This conclusion is supported by the recent STS 232/2021, of 18 February, (appeal 2201/2020) which deals with the possibility of challenging before the Courts sanctions handed down in administrative proceedings in which the administrative authority has recognised its liability and, for the purposes of availing itself of the reductions indicated in art. 85 LPAC, withdraws or waives the exercise of any action or appeal in administrative proceedings against the sanction. In the Third Legal Basis it states: "However, one thing is that in such cases the possibility of challenging the sanctioning decision by means of contentious-administrative jurisdiction remains, and quite another that... the difficulty of successfully challenging the sanctioning decision by means of contentious- administrative jurisdiction is increased, because this will be the natural consequence of having recognised their liability in application of the principles of good faith and binding on the acts themselves (...).) in order for such a challenge to be successful, it will have to provide the court with a solid explanation that fully justifies the reason why, having first assumed its responsibility for the offence committed - which entails acknowledgement of the concurrence of the objective and subjective elements of the offence, i.e., its participation in the criminalised acts and its guilt - it then maintains the non-existence of the offence in court (...)". In MERCADONA's opinion, it is clear from that ruling that the acknowledgement of liability does not imply that the classification of the facts is correct; that it is in consideration of the circumstances modifying the acknowledged liability, the exact extent of the participation, whether it is culpable, wilful or merely a slight failure to comply, the seriousness of the facts and their specific graduation, which may be settled before the contentious-administrative jurisdiction without increasing the difficulty of contesting them. To maintain that liability can only be recognised during the time limit for submitting allegations would imply, de facto, that the persons administered assume it in order to benefit from the discount, even if they are only partially in agreement with the agreement of initiation, transferring the dispute over the aspects in question to the judicial process. On the contrary, admitting such recognition at any time prior to the decision, when the investigation has already been completed and the elements taken into consideration have been established, eliminates litigation without undermining effective judicial protection and the right of defence. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 22/61 Furthermore, the Respondent understands that there is no legal basis for stating that the time limit is that of allegations to the initiation agreement, because nothing is stated in the legal text and because there are different "milestones" prior to the resolution, namely, allegations to the initiation agreement, the hearing process, and the proposal for resolution, which can be any of them. This interpretation is supported by the public administrations themselves in different sanctioning procedures, such as the Catalan Data Protection Agency (procedure PS8/2019). It also cites report SSPI00043/17, of the Legal Office of the Regional Government of Andalusia, in relation to Report HPPI00035/17, of 5 July 2017, of the Legal Department of the Ministry of Finance and Public Administration, which admits this possibility: "(...) this interpretation allows us to consider that in this case there is no invalidating defect either, as there is no harm to the administration, which must continue to carry out the procedure without the possibility of its early termination. Likewise, it will always be more beneficial for the administrative body to be able to avail itself of this possibility than not having the option to do so. Moreover, as we have mentioned, it seems that the wording at least leaves doubts when it establishes in Art. 85.2 that this can be done "at any time prior to the decision". Therefore, it really seems that the wording of Art. 85 requires that the initiation agreement determines the percentage of reduction, rather than the amount, which is why the initiation agreement must always establish the percentage and, in those cases in which it is possible, the amount, given that the latter will not always be possible". Also by the Courts. The Judgment of the High Court of Justice of Madrid, Chamber for Contentious-Administrative Matters, no. 79/2020, of 6 February, in which the non- application of art. 85.1 LPACAP is denounced, declares: "Finally, it should be remembered that art. 85 of Law 39/2015 provides that "when a sanctioning procedure has been initiated, if the offender acknowledges his or her responsibility, the procedure may be resolved with the imposition of the appropriate sanction". Section 3 establishes that, "when the sanction is solely of a pecuniary nature, the body competent to resolve the procedure shall apply reductions of at least 20% of the amount of the proposed sanction". The plaintiff considers that, despite having acknowledged in the statement of allegations made in the motion for a decision that he was responsible for the failure to declare the money seized, and even having proposed a penalty of €100 000, the decision to impose a penalty ignores that circumstance and imposes a fine on him which is totally disproportionate. In response to this allegation, the State Attorney's Office argues that the circumstances necessary for its application do not exist, since the statement of allegations of 13 November 2017 does not expressly refer to the recognition of liability, which must be prior to the resolution of the case once the proposal has been received (...)". Particularly enlightening is the Judgment of the Audiencia Nacional no. 625/2017, dated 22/03/2019, which states; "The sanctioning decision of 21 December 2018 did not take into account that by letters of 4 December - (allegations to the agreement to initiate the sanctioning proceedings) - and 11 December 2018 - (allegations to the Proposal for Resolution) - the applicant acknowledged responsibility for the facts, requested payment from the amount seized, and twice waived the lodging of an administrative appeal. These C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 23/61 The written pleadings show a clear intention to terminate the proceedings, in accordance with the terms of Art. 85.1 of Law 39/2015, and to waive the administrative appeal, proceeding to payment, charged to the guarantee. Hence, having fulfilled all the conditions required in the second and third paragraphs of article 85, it was appropriate to accumulate two reductions of 20%". MERCADONA adds that other regulations governing administrative sanctioning procedures provide for the possibility of recognising liability at any time prior to the resolution, and cites the following: . Law 16/1987, of 30 July, on Land Transport Organisation (LOTT), which in Article 146.3 establishes: "Payment of the financial penalty prior to the issuing of the sanctioning decision shall imply conformity with the facts denounced and the waiver of the interested party to make allegations and the termination of the procedure, although an express decision must be issued". . Law 13/2017, of 8 November, of the Taxi of the Valencian Community, which in its article 38.4 establishes; "Once the sanctioning procedure has been initiated, if the offender acknowledges his or her responsibility before a decision is issued, the amount of the financial penalty initially proposed shall be reduced by fifty percent. . Law 7/2014, of 23 July, on the Protection of Consumers and Users of the Balearic Islands, which in Article 84 graduates the percentage of discount depending on the procedural moment in which the recognition of liability occurs. And so: "1. A reduction of fifty percent of the amount of the sanction corresponding to serious or minor infringements shall be applied if the alleged offender agrees to the content of the initiating decision and justifies payment of the aforementioned amount during the fifteen days following its notification. In this case, it is understood that the interested party waives the right to make allegations and lodge any type of subsequent appeal. 2. A reduction of twenty percent of the amount of the sanction corresponding to serious or minor infringements shall be applied if the alleged offender agrees with the content of the proposed decision and justifies payment of the aforementioned amount during the fifteen days following its notification. In this case, it is understood that the interested party waives the right to make allegations and to lodge any type of subsequent appeal". . Municipal Ordinance on Consumer Affairs of the Madrid City Council, ANM 2011/17, which in its article 59.1 establishes: "1. Once a disciplinary proceeding has been initiated, if the offender explicitly acknowledges his or her responsibility before the decision is taken, the proceeding may be resolved without further formalities with the imposition of the appropriate fine. In this case, a 30 percent reduction shall be applied to the total amount of the fine, which must be paid by the interested party during the voluntary payment period". Finally, the above interpretation of art. 85 LPACAP is found in article 3 of the recent Royal Decree 137/2021, of 2 March 2021, which raises it to regulatory status by establishing: C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 24/61 "In accordance with the provisions of art. 85.3 of Law 39/2015, of 1 October, in the disciplinary proceedings referred to in art. 2, if, having initiated a disciplinary proceeding, at any time prior to the resolution the alleged offender acknowledges his liability, the proceeding may be resolved with the imposition of the appropriate sanction, and when the sanction is solely financial in nature, the body competent to resolve and notify the resolution of the proceeding shall apply reductions of up to 30% of the amount of the proposed sanction". Therefore, in the event of the AEPD maintaining a sanction or financial penalties, if voluntary payment and acknowledgement of responsibility is made at any time before the resolution that implies the termination of the sanctioning procedure, the 40% discount must be made. From the actions carried out in the present proceedings and the documentation in the file, the following have been accredited: ESTABLISHED FACTS 1. MERCADONA has stated that it provides information on the procedure it follows for interested parties to exercise their personal data protection rights through different channels, such as the signs displayed in shops warning that they are in a "Video Surveillance Area" (the contact address of the company's DPD is indicated); by calling Customer Services free of charge, which sends an SMS informing them of this procedure; and through the Privacy Policy available on the website, which includes a link to the form provided for exercising these rights. According to the information provided, the Privacy Policy provides the following information: "You can send us a letter to MERCADONA, S.A. (Asesoría Jurídica Procesos) C/... or if you have a digital signature issued by the Fábrica Nacional de Moneda y Timbre, via the customer service form ("https://infor.mercadona.es/es/atencion-al- customer#destacadosFormulario")". Once the form has been filled in and sent, the following text will appear automatically "Thank you, your comment has been sent successfully". MERCADONA also informs that the interested party, in turn, receives an email to the email address provided, indicating: "MERCADONA. Your opinion helps us to continue improving. Dear (name of recipient). Thank you for contacting our Customer Service Department. Please be informed that we have received your e-mail. We invite you to consult our frequently asked questions in case you have any further questions"). According to the information provided by MERCADONA, the application process follows the following steps: C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 25/61 "i. The form is registered in the management system (Contact Centre). System managed by the processing managers. ii. Once the form is received, the system assigns the request to the manager, according to certain criteria (typology, workload, productivity, etc. of the manager). iii. Once the application (form) has been assigned, it is sent to the folder of the assigned manager, which is accessed via username and password, including all the information and documents sent by the Client, for processing. It adds that "there are periodic controls carried out by the coordinators in order to avoid incidents" and that "the system (Contact Centre) leaves traces and evidence of all the movements that pass through the system, not allowing the accidental or voluntary deletion of entries in the system". 2. On ***DATE.1, the claimant suffered an accident on the premises of the entity located at ***DIRECCION.1. 3. On ***DATE.3, via the MERCADONA website, the complainant filed a complaint with MERCADONA about the accident that had occurred, receiving a reference for the case. This complaint was made by e-mail to the address "conducta@mercadona.es", with the subject "Complaint D201...". This e-mail contains the complainant's name, surname, e-mail address and telephone number. The commentary includes an account of the accident suffered (...), the damage caused by the accident to the claimant (.... ) and the lack of attention to the claim by the defendant's insurer (.... ). 4. On ***DATE.5, the respondent company responded to the complaint described in the previous Proven Fact by the same means, indicating that the complaint had been sent to MERCADONA's Customer Service Department, to which future communications should be addressed (a contact telephone number for this department and a link to the company's website are indicated). 5. On ***DATE.2, the complainant exercised her right of access to the images from the security cameras, using the application form available on the MERCADONA website, under the "Customer Service" tab, as mentioned in the First Proven Fact. This request contains the name and surname of the complainant, the complainant's postcode and e- mail address, and the following text in the field entitled "How can we help you" (url: "https://infor.mercadona.es/ en/atencion-al-cliente#destacadosFormulario"): "I enclose a request for the right of access to the video surveillance recordings of the MERCADONA shop ***DIRECCION.1, due to the accident that took place (...)". As "Attachments" are indicated "DNI" of the claimant and "Request for right of access" (in this letter it is indicated that the request is motivated by the accident that took place on ***DATE.1). 6. In response to the complainant's request for the right of access, the complainant received a reply message, also dated ***DATE.2, with the following text: C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 26/61 "Thank you, your comment has been sent successfully. 7. On ***DATE.7, the complainant's representative sent an e-mail to MERCADONA with the following text: "I am writing to you to establish an initial communication in order to inform you of the documentation that I have at the moment, in relation to the accident... in which my client was injured... Also in order to inform you of our intention to request the compensation that according to the schedule corresponds". 8. On ***DATE.4, the complainant's representative sent an e-mail to the DPD of MERCADONA, with the following text: "More than a month ago, my client exercised her right of access to the video surveillance images, through the channel established in your privacy policy (via the customer service form: https://info.mercadona.es/es/atencion-al- customer#detailsForm), and she has still not received a reply. Please send these images to him as they correspond to (...)". 9. On ***DATE.9, MERCADONA sent an e-mail to the complainant with the subject "Right of access" and the following text: "After checking internally, we inform you that we are not aware of any request for access to images, nor of the documentation that according to data protection regulations is necessary to manage any right of access, neither from your client (Ms...) nor from you. We should add that we no longer have any of the images from the date requested (***DATE.1), all in accordance with art. 6 of Instruction 1/2006, of 8 November, of the AEPD, which establishes that "The data will be cancelled within a maximum period of one month from their capture". Yours sincerely. Legal Div. MERCADONA Proceedings". 10. On 09/02/2021, MERCADONA sent the complainant a burofax in the same terms as the letter described in the ninth proven fact. THE LEGAL BASIS I By virtue of the powers that Article 58.2 of the GDPR recognises to each supervisory authority, and in accordance with the provisions of Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of the RGPD, in this Organic Law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures". C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 27/61 II During the investigation of the procedure, the complainant has informed this Agency that she has reached an agreement with the entity complained of, whereby the damages suffered in the area of civil liability and for the non-fulfilment of the right of access have been compensated, requesting that her claim be considered to have been met and that the present sanctioning procedure be closed. In this regard, article 63.1 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (LPACAP) establishes that "proceedings of a sanctioning nature shall always be initiated ex officio by agreement of the competent body". In the same vein, Article 64.2 of the LOPDGDD provides that proceedings aimed at determining the possible existence of an infringement of the provisions of the GDPR "shall be initiated by means of an agreement adopted on its own initiative or as a result of a complaint". Thus, the fact that the claimant withdraws her complaint does not imply that the sanctioning procedure initiated has been closed, given that the same is initiated and processed in all its phases ex officio, with this Agency being responsible for determining whether the personal data protection regulations have been breached and the scope that should be given to said breach. It is irrelevant, for these purposes, what agreement the claimant and the respondent may have signed to repair the damages suffered by the claimant, as well as the internal disciplinary measures that the respondent claims to have adopted. In accordance with the foregoing, the position defended by MERCADONA in its submissions cannot be accepted when it states that the aforementioned agreement between the parties has restored the guarantees and rights of the interested party. The "reparation" of the damage suffered to which MERCADONA refers cannot exonerate it from liability arising from the breaches of the regulations that have occurred, the application of which is obviously not conditioned by any agreements that may arise between private individuals. Only when the data controller proves that "it is in no way responsible for the event that has caused the damage" will it be exempt from liability, in accordance with the provisions of article 82.3 of the GDPR. Such compensation may compensate for the damages suffered by the claimant, but it does not restore her guarantees and rights in a case arising from the exercise of the right of access, which cannot be granted as the personal data to which the request referred have been deleted. On the other hand, where any imputable liability arises from the facts established, the fact that the entity in question has not previously been sanctioned for infringements of an identical nature, or the adoption of measures aimed at avoiding future infringements, cannot serve as an argument for not opening the sanctioning procedure to assess those liabilities and determine the applicable consequences, i.e. the corrective powers that should be applied. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 28/61 apply in each case. The same can be said where the alleged infringement affects only one interested party. Sanctioning proceedings are not reserved for cases, such as the one cited by MERCADONA in its allegations, in which the conduct of the responsible entity is configured as a general action affecting a number of parties in the same situation. III MERCADONA considers that the agreement to initiate the procedure has not sufficiently justified the initiation of the procedure or specified the aspects justifying such initiation, thereby limiting its rights of defence. For the same reasons, MERCADONA considers that the principle of criminalisation has been infringed. In this regard, MERCADONA argues that the decision to initiate proceedings does not specify the infringing conduct, does not specify which paragraphs and letters of Articles 6 and 22 are considered to have been infringed, and does not explain why the fact of having deleted images within the legally established time limit and not having responded to a right of access due to human error constitutes a breach of the conditions of lawfulness. In his final submissions, he states that the infringements and legal reasoning have not been specified until the motion for a decision. This Agency does not share the position expressed by the Respondent in relation to the content of the agreement to initiate the present sanctioning procedure. In the opinion of this Agency, the initiation agreement issued complies with the provisions of Article 68.1 of the LOPDGDD, which establishes the minimum content required, the elements that must be detailed in the aforementioned agreement to determine its validity. According to this article, it is sufficient for the agreement to initiate the procedure to specify the facts that motivate its initiation, identify the person or entity against whom the procedure is directed, the infringement that may have been committed and its possible sanction (in this case, of the different corrective powers contemplated in Article 58.2 of the GDPR, the Agency considered it appropriate to impose a fine, in addition to the adoption of measures to bring its actions into line with the regulations, without prejudice to what may result from the investigation of the procedure). In the same sense, Article 64.2 of the LPACAP expressly establishes the minimum content of the initiation agreement. According to this precept, among other details, it must contain "the facts that motivate the initiation of the procedure, its possible legal qualification and the sanctions that may correspond, without prejudice to what results from the investigation". In this case, not only are the aforementioned requirements amply met, but it goes further by offering reasoning that justifies the possible legal classification of the facts assessed at the outset and even mentions the circumstances that may influence the determination of the sanction, which undoubtedly benefits the interested party, whose right of defence is strengthened and favoured. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 29/61 In relation to the request for the right of access made by the complainant, the rules governing the formal aspects relating to the exercise of rights were reviewed, and it was highlighted that the deadline for responding to the request had passed without the complainant obtaining the response she was due from MERCADONA, concluding that these facts could constitute an infringement of Article 83.5.b) of the RGPD and Article 74.c) of the LOPDGDD, for breach of the provisions of Article 12, paragraphs 2 and 3, of the RGPD, in relation to Article 15 of the aforementioned Regulation, without prejudice to the outcome of the investigation. Moreover, the decision to initiate the procedure, after reproducing Article 6 of the GDPR, which refers to the "lawfulness of the processing", emphasises that the removal or "erasure" of the images to which the complainant's right of access refers constitutes the processing of personal data. On the deletion of images captured by video surveillance systems, paragraphs 1 to 3 of Article 22 of the LOPDGDD are reproduced below. The circumstances and purposes that determined the complainant's actions were highlighted and it was emphasised that, despite this, MERCADONA proceeded to delete the images requested by the complainant, in order to conclude that these facts could constitute a breach of the provisions of Article 6 of the GDPR, in relation to Article 22 of the LOPDGDD, constituting an infringement as defined in Article 83.5.a) of the GDPR and 72.1.b) of the LOPDGDD ("The processing of personal data without meeting any of the conditions of lawfulness of processing set out in Article 6 of Regulation (EU) 2016/679"). In short, this Agency understands that the agreement to initiate proceedings has allowed MERCADONA to know the facts that gave rise to the initiation of the proceedings and their possible legal classification. Proof of this are the allegations made by this entity, which are directly related to the above. The alleged lack of defence cannot therefore be upheld. Defence with legal significance arises only where the person concerned is unjustifiably prevented from seeking protection of his rights and legitimate interests or where the infringement of procedural or procedural rules results in the deprivation of the right to a defence, with the consequent real and effective harm to the interests of the affected party by being deprived of his right to allege, prove and, where appropriate, to reply to opposing arguments (STC 31/1984, of 7 March, STC 48/1984, of 4 April, STC 70/1984, of 11 June, STC 48/1986, of 23 April, STC 155/1988, of 22 July, and STC 58/1989, of 16 March, among many others). It is worth mentioning STC 78/1999, of 26 April, which in its Legal Basis 2, states: "In order for a defence with constitutional relevance, which places the interested party at the margin of any possibility of alleging and defending his or her rights in the proceedings, to be considered a defence with constitutional relevance, it is not sufficient for a merely formal infringement, as it is necessary that this formal infringement has a material effect of defence, an effective and real impairment of the right of defence (STC 149/1998, legal ground 3), with the consequent real and effective harm to the interested parties affected (SSTC 155/1988, legal ground 4, and 112/1989, legal ground 2)". C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 30/61 In any event, as MERCADONA rightly points out in its allegations, it is the resolution proposal issued once the procedure has been carried out that establishes the facts that are considered proven and their exact legal classification, determines the infringement that they may constitute, the person or persons responsible and the proposed sanction. This proposal must be notified to the interested party, who is granted a period in which to make allegations and submit the documents and information deemed relevant. In no case shall a decision be adopted without the interested party having had the opportunity to express his or her views on all the points considered. Therefore, the submissions made by MERCADONA do not contain any arguments that would change this approach and the conclusion reached. MERCADONA, in this case, has seen that all the guarantees for the interested party provided for in the procedural regulations have been respected. IV Pursuant to Article 55 of the GDPR, the Spanish Data Protection Agency is competent to perform the functions assigned to it in Article 57 of the GDPR, including enforcing the Regulation and promoting awareness among controllers and processors of their obligations, as well as dealing with complaints lodged by a data subject and investigating the grounds for such complaints. Article 31 of the GDPR establishes the obligation of controllers and processors to cooperate with the supervisory authority on request in the performance of its tasks. In the event that they have appointed a data protection officer, Article 39 of the GDPR confers on the latter the task of cooperating with the supervisory authority. Similarly, the domestic legal system, in Article 65.4 of the LOPDGDD, has provided for a mechanism prior to the admission for processing of claims made to the Spanish Data Protection Agency, which consists of transferring them to the data protection officers designated by the data controllers or data processors, for the purposes provided in Article 37 of the aforementioned law, or to the latter when they have not been designated, so that they may proceed to analyse the claims and respond to them within a period of one month. In accordance with these regulations, prior to the admission for processing of the complaint that gave rise to this procedure, the complaint was transferred to the entity responsible so that it could proceed with its analysis, provide this Agency with a response within a period of one month and accredit that it had provided the claimant with the appropriate response, in the event of the exercise of the rights regulated in Articles 15 to 22 of the GDPR. The result of this transfer was not satisfactory. Consequently, on 16/04/2021, for the purposes set out in Article 64.2 of the LOPDGDD, the Spanish Data Protection Agency agreed to admit for processing the complaint that gave rise to the present proceedings. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 31/61 In the case of a claim for failure to respond to a request to exercise the rights established in Articles 15 to 22 of the RGPD, in general, the procedure regulated in Article 64.1 of the LOPDGDD is followed, according to which: "Where the procedure relates exclusively to the failure to deal with a request for the exercise of the rights laid down in Articles 15 to 22 of Regulation (EU) 2016/679, it shall be initiated by an agreement on admissibility, which shall be adopted in accordance with the following Article. In this case, the time limit for resolving the procedure shall be six months from the date on which the claimant was notified of the decision to admit the claim for processing. Once this period has elapsed, the interested party may consider their claim to have been upheld". On the contrary, when the procedure does not relate exclusively to the fulfilment of a request for the exercise of rights, it is appropriate to determine administrative liability in the context of a sanctioning procedure, and it is the exclusive competence of this Agency to assess whether there is administrative liability that should be determined in a procedure of this nature and, consequently, to decide whether to initiate such a procedure. Contrary to MERCADONA's allegations in its submissions, this determination of responsibilities cannot be agreed in a proceeding for lack of attention to rights. This specific regime with regard to proceedings before data protection supervisory authorities is also provided for in the GDPR. Chapter VIII of the GDPR is entitled 'Remedies, Liability and Sanctions', and the first article of Chapter VIII, Article 77(1), provides for the right to lodge a complaint with a supervisory authority: "Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he or she has his or her habitual residence, place of work or place of the alleged infringement, if he or she considers that the processing of personal data relating to him or her infringes this Regulation". In turn, Article 79 of the same Regulation provides that 'without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, every data subject shall have the right to an effective judicial remedy where he/she considers that his/her rights under this Regulation have been infringed as a result of the processing of his/her personal data'. Therefore, a 'complaint' from an individual may give rise to two types of proceedings, one relating to breaches of the GDPR in general and the other to infringements of his or her rights. This distinction is also reflected in Title VIII of the LOPDGDD, which jointly regulates the "proceedings in the event of a possible breach of data protection legislation". Thus, its Article 63.1, "Legal regime", includes (a) procedures in the event of a breach of the GDPR and the LOPDGDD itself and (b) those arising from a possible infringement of data subjects' rights. The LOPDGDD does not provide for any additional type of procedure in case of a possible breach of data protection law, so that all the functions and powers that C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 32/61 The procedures provided by the GDPR to the supervisory authorities in Art. 57 and 58 GDPR will have to be exercised through these procedures in the event of a possible breach of data protection law. No other procedures exist. It follows, also taking into account art. 64 LOPDGDD, that when the procedure is directed exclusively at the lack of attention to a request for the rights under articles 15 to 22 RGPD a complaint will be necessary, but that (art. 64.2 LOPDGDD) "[w]hen the procedure is aimed at determining the possible existence of an infringement of the provisions of Regulation (EU) 2016/679 and this organic law, it shall be initiated by means of a commencement agreement adopted on its own initiative or as a result of a complaint". In other words, both the GDPR and the LOPDGDD consider that a complaint from an affected party may be the way or means of bringing a possible infringement of data protection regulations to the attention of the supervisory authority, but in no case does it restrict the supervisory authority's action to the specific and concrete complaint of the affected parties. To do otherwise would be inconsistent with the purpose and intention of the EU legislator, expressly stated in the GDPR, that supervisory authorities should monitor and enforce the GDPR, and with the provision in the GDPR that 'breaches' of data protection law may be brought to light through 'complaints' which may go beyond the individual complaints made. In relation to this issue, MERCADONA has argued that in a case referring exclusively to the failure to respond to a request for the exercise of rights, the procedure regulated in Article 64.1 of the LOPDGDD, and it is not appropriate to open a disciplinary procedure, the exceptional nature of which has been made clear by the AEPD in various actions it cites, stating that "whenever possible, alternative mechanisms should be chosen to prevail in the event that they are covered by the regulations in force..." and that there must be elements that justify the initiation of the disciplinary procedure. In this case, in the opinion of this Agency, as indicated in the opening agreement, there are elements that justify the initiation of the sanctioning activity, considering that the procedure provided for in article 64.1 of the aforementioned LOPDGDD would not duly restore the guarantees and rights of the interested parties. In this case, the right exercised was for the purpose of gaining access to images that the responsible entity deleted before the complaint was filed, and therefore the processing of a procedure for failure to address an exercise of the rights regulated in Articles 15 to 22 of the GDPR, whose ultimate purpose is to resolve whether or not to address the right exercised, in this case, whether or not to provide the complainant with images that no longer existed, was pointless. In addition, considering the circumstances described above, it appears that MERCADONA's actions go beyond the failure to respond in time to the respondent's request for access, and it was considered appropriate to analyse in this procedure the scope, from the point of view of the protection of personal data, that should be given to the processing of data consisting of the deletion of the images requested by the complainant, their possible unlawfulness and the responsibility that this fact C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 33/61 may entail for the defendant entity. This is an extreme that can in no way be carried out within the framework of the procedure regulated in article 64.1 of the LOPDGDD. The respondent has also argued that there are similar precedents in which the AEPD has followed the procedure regulated in Article 64.1 of the LOPDGDD and that the CEPD itself, in its Guidelines 3/2019, pronounces in the same sense. However, both the CEPD statement referred to by MERCADONA and the precedents cited, two of which refer to requests to exercise rights formulated when the images had already been deleted. In procedure number TD/01272/2017, the request for access is made on 14/04/2017 and requires images captured on 14/11/2016 (the complaint was rejected); and file number TD/00955/2018 analyses a request dated 20/03/2018 in which the interested party requests images captured on 25/11/2017 (the complaint was upheld as the request for access was not answered by the data controller). The third precedent cited, number TD/00830/2017, was upheld due to lack of response and, although the complaint refers to access to images captured by a video surveillance system, the request for access that gave rise to the complaint did not specify this object nor did it refer to the date on which the alleged images were captured. Thus, in those precedents there was no responsibility for the deletion of the data, one of the cases being dismissed and in two of them only the lack of response within the deadline was assessed, giving rise to a resolution that formally upholds the complaint and obliges the entity complained of to duly respond to the respective complainant, informing him/her in the sense expressed by the CEPD in those Guidelines (no data exists). With regard to the proceedings under number E/02434/2020, also cited by the defendant, it should be noted that the decision to close the case took into account that the facts transmitted were part of an alleged criminal conduct, for which there was a legal case sub iudice, and that the circumstances that led to the removal of the images were not known. Finally, MERCADONA argues that there is no justification for initiating sanctioning proceedings because only Article 12 has been breached in relation to the right of access exercised, and argues that the alleged infringement is defined as "Failure to respond to requests to exercise the rights established in Articles 15 to 22 of the Regulation". As the respondent rightly states, this non-compliance constitutes an infringement and gives rise to the determination of responsibilities. To understand that this non-compliance can only be dealt with through the procedure for failure to comply with rights is as much as to understand that this type of infringement does not apply in any case. Finally, it should be noted that no rule prevents the body exercising the sanctioning power, when it determines the opening of a sanctioning procedure, always ex officio (art. 63.1 Law 39/2015, of 1 October), from determining its scope in accordance with the circumstances revealed, even if they do not strictly conform to the statements and claims of the claimant. That is to say, the agreement to initiate the sanctioning procedure is not constrained by the C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 34/61 complaint submitted by the individual. This does not occur in the case of procedures processed at the request of the interested party, in which article 88.2 of the LPACAP requires that the resolution be congruent with the requests made by the interested party. Even in this case, the administration's power to initiate a new procedure ex officio remains unaffected. This same article 88 of the LPACAP, referring to the content of the decision, in section 1 establishes the obligation to decide on all the issues raised by the interested parties and any others arising from the procedure, including related issues not raised by the interested parties. This article expressly states the following: "1. The decision terminating the procedure shall decide all the issues raised by the interested parties and all other issues arising from the procedure. In the case of related questions which have not been raised by the interested parties, the competent body may rule on them, first making them known to the interested parties for a period of no more than fifteen days, so that they may present the arguments they deem relevant and provide, where appropriate, the means of proof. In the sanctioning procedure, account shall also be taken of the facts that come to light during its investigation, which shall be determined in the proposed decision, and may lead to the modification of the charges contained in the agreement to initiate the procedure or their legal qualification. In this sense, when referring to the specialities of the decision in sanctioning procedures, Article 90 of the LPACAP establishes: "2. The decision may not accept facts other than those established in the course of the proceedings, irrespective of their different legal assessment...". V The rights of individuals with regard to personal data protection are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. The rights of access, rectification, erasure, opposition, the right to limitation of processing and the right to portability are contemplated. The formal aspects relating to the exercise of these rights are set out in Articles 12 of the GDPR and 12 of the LOPDGDD. Article 12 "Transparency of information, communication and procedures for exercising rights" of the GDPR provides as follows: "The controller shall take appropriate steps to provide the data subject with any information referred to in Articles 13 and 14, as well as any communication pursuant to Articles 15 to 22 and 34 concerning processing, in a concise, transparent, intelligible and easily accessible form, in clear and plain language, in particular any information specifically addressed to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. Where requested by the data subject, information may be provided orally, provided that the identity of the data subject is proved by other means. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 35/61 2. The controller shall facilitate the data subject's exercise of his or her rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for the purpose of exercising his or her rights under Articles 15 to 22, unless he or she can demonstrate that he or she is unable to identify the data subject. 3. The controller shall provide the data subject with information relating to its actions on the basis of a request pursuant to Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months if necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, stating the reasons for the delay. Where the data subject submits the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise. 4.If the controller does not act on the data subject's request, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for its failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action. 5.Information provided pursuant to Articles 13 and 14 as well as any communication and any action taken pursuant to Articles 15 to 22 and 34 shall be free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may (a) charge a reasonable fee having regard to the administrative costs incurred in providing the information or communication or taking the action requested, or (b) refuse to act on the request. The controller shall bear the burden of demonstrating that the request is manifestly unfounded or excessive. 6.Without prejudice to Article 11, where the controller has reasonable doubts as to the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject. 7.The information to be provided to data subjects pursuant to Articles 13 and 14 may be transmitted in combination with standardised icons which provide an easily visible, intelligible and clearly legible overview of the intended processing in an easily visible, intelligible and clearly legible form. Icons presented in electronic form shall be machine-readable. 8.The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the information to be presented through icons and the procedures for providing standardised icons". Article 12 "General provisions on the exercise of rights" states that of the LOPDGDD, paragraphs 2 and 4, adds the following: "The controller shall be obliged to inform the data subject of the means at his disposal to exercise the rights to which he is entitled. The means must be easily accessible to the data subject. The exercise of the right may not be refused on the sole ground that the data subject has opted for another means". "4. Proof of compliance with the duty to respond to the data subject's request to exercise his or her rights shall lie with the data controller". C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 36/61 Account is also taken of the provisions of Recitals 59 et seq. of the GDPR. In accordance with the provisions of these rules, the controller must provide arrangements and mechanisms to facilitate the exercise of the data subject's rights, which shall be free of charge (without prejudice to Articles 12(5) and 15(3) of the GDPR); it is obliged to respond to requests made within one month at the latest, unless it can demonstrate that it is unable to identify the data subject; and to state its reasons if it does not comply with the request. It follows from the foregoing that the data subject's request to exercise his or her rights must be answered in any case, with the controller bearing the burden of proof of compliance with this duty. This obligation to act does not apply where the controller can demonstrate that it is not in a position to identify the data subject (in the cases referred to in Article 11(2) of the GDPR). In cases other than those provided for in this Article, where the controller has reasonable doubts as to the identity of the data subject, the controller may request additional information necessary to confirm the identity of the data subject. In this respect, Recital 64 of the GDPR is expressed in the following terms: "(64) The controller should use all reasonable measures to verify the identity of data subjects requesting access, in particular in the context of online services and online identifiers. The controller should not retain personal data for the sole purpose of being able to respond to possible requests". As regards the right of access, the GDPR stipulates in Article 15 as follows: "The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him or her are being processed and, if so, the right of access to the personal data and to the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) if possible, the envisaged period of retention of personal data or, if not possible, the criteria used to determine this period; e) the existence of the right to request from the controller the rectification or erasure of personal data or the restriction or objection to the processing of personal data relating to the data subject; f) the right to lodge a complaint with a supervisory authority; g) where the personal data have not been obtained from the data subject, any available information on their origin; h) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic involved and the significance and expected consequences of such processing for the data subject". C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 37/61 2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 concerning the transfer. 3. The controller shall provide a copy of the personal data undergoing processing. The controller may charge for any further copies requested by the data subject a reasonable fee based on the administrative costs. Where the data subject makes the request by electronic means, and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic format. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others". Like the other rights of the data subject, the right of access is a very personal right. It allows the citizen to obtain information on how his or her data are being processed, the possibility to obtain a copy of the personal data concerning him or her that are being processed, as well as the information listed in the above-mentioned article. In the present case, the complainant is a customer of the respondent entity. It is stated that, on ***DATE.1, she visited the establishment of the responsible entity located at ***DIRECCION.1, for which reason her image was captured by the video-surveillance system installed in that centre. Subsequently, following the procedure provided by MERCADONA for the exercise of personal data protection rights, the complainant exercised her right of access to her personal data, specifically requesting the images captured by the security cameras (the text of the request is as follows: "I attach a request for the right of access to the video surveillance recordings of the MERCADONA establishment ***DIRECCION.1, (...)"). This right was exercised on ***DATE.2, using the form available on the Respondent's website, under the "Customer Service" tab, attaching a file corresponding to the request for access and a copy of the ID card. In response to the submission of the above-mentioned form, the information system sent the complainant a message with the text "Thank you, your comment has been sent successfully". After the established deadline, this request did not receive the legally required response, which gave rise to the complaint that gave rise to the present procedure, submitted on 31/12/2020. The uncontested facts are (i) that the claimant exercised her right of access to her personal data before MERCADONA, using one of the mechanisms provided by the respondent itself, such as the form available on the company's website, which can also be accessed via a link included in the Privacy Policy; and (ii) that this request for access to personal data was not answered by the data controller within the established period. The aforementioned rules do not allow the request to be ignored as if it had not been made, leaving it without the response that must necessarily be issued by the C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 38/61 The data subject shall be held responsible, even in the event that the data subject's details do not exist in the entity's files or even in those cases in which they do not meet the requirements, in which case the addressee of the request is also obliged to request the rectification of the deficiencies observed or, where appropriate, reject the request, stating the reasons for which the right in question should not be considered. Therefore, the request that is made obliges the data controller, in any case, to give an express reply to the data subject, informing him/her of the decision that has been taken regarding the request for the exercise of rights, using any means that justifies the receipt of the reply. MERCADONA has not disputed that it received the complainant's request for the right of access. However, it alleges an involuntary human error in the handling of the request, which caused it not to reach the attention of the DPD or his team, and the consequent lack of attention to the request. On this basis, he invoked the principle of culpability, pointing out that so-called strict liability has no place in administrative sanctioning law, so that the mere commission of an administrative infringement is not sufficient when it comes to imposing an administrative sanction, as there must be wilful or negligent conduct. In this respect, it adds that it acts with the utmost diligence in all processes, that it has a simple procedure for the exercise of rights through various channels, about which it duly informs customers, and that it applies a procedure for processing applications that has been error-free so far and about which it provides constant training to the persons in charge, and which will be adjusted to avoid similar incidents. According to the management process designed by MERCADONA, requests to exercise rights are received by the Customer Service Department, which subsequently transmits them to the DPD by means of a manual process. In this case, she alleges that due to an involuntary human error, the complainant's request did not reach the DPD, preventing it from being dealt with, and that this has given rise to the appropriate disciplinary actions. However, MERCADONA has not even explained what the alleged human error consisted of. However, it appears from its written allegations that the claimant's request was not dealt with because one of the managers of the Customer Service Department ("manager" in the terms of the entity itself) did not forward the request to the DPD. The Agency understands that this is tantamount to not following up on the request, to not processing it according to the internal channels designed by the same, which cannot be admitted as an involuntary error. The incident occurred within MERCADONA's sphere of responsibility and MERCADONA must be held liable for it. In no way can the error alleged to have been made be considered to exclude its liability, since, according to settled case law, the existence of such an error cannot be considered to exist when it is attributable to the person who suffers it or could have been avoided with the use of greater diligence. In this case, the alleged error is incompatible with the diligence that the defendant is obliged to observe. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 39/61 This diligence must be shown in the specific case under analysis, in respect of which the error is alleged, and not in the general circumstances alleged by MERCADONA to justify its diligent action, such as having procedures for managing applications for the exercise of rights or the absence of errors in the past, nor the fact of having taken measures to avoid future incidents. Nor can the training provided to the Respondent's employees be taken as a circumstance that prevents the claimant from being held liable for the specific irregular conduct. In the specific case of the claimant, it cannot be accepted that the actions of the respondent entity, in not processing the request for access to personal data, were diligent. To admit that MERCADONA cannot be held liable for not responding to an exercise of data protection rights, based on an alleged involuntary error consisting of not processing the request, would be tantamount to admitting that the application of the RGPD and the LOPDGDD can be ignored, undermining the entire system for exercising rights established therein, which expressly contemplates the obligation to respond to such requests in all cases and the consequences of not complying with this regulatory requirement. In this respect, it should be remembered that when the error is the result of a lack of diligence, the standard is applicable. The Audiencia Nacional in its ruling of 21 September 2004 (RCA 937/2003), pronounced in the following terms: "Furthermore, as regards the application of the principle of culpability, it follows (following the criterion of this Chamber in other judgments such as that of 21 January 2004 in appeal 1139/2001) that the commission of the offence provided for in Article 44.3.d) can be either intentional or negligent. And in this sense, if the error is a sign of a lack of diligence, the type of offence is applicable, because although the principle of culpability governs in sanctioning matters, as can be inferred from a simple reading of Art. 130 of Law 30/1992, the fact is that the expression "simple failure to comply" in Art. 130.1 of Law 30/1992, allows the imposition of the sanction, without doubt in cases of malice, and also in cases of negligence, in which failure to comply with the duty of care is sufficient". In this line, it is worth citing the SAN of 21 January 2010, in which the Audiencia explains: "The appellant also maintains that there was no culpability in his actions. It is true that the principle of culpability prevents the admission of strict liability in administrative sanctioning law, but it is also true that the absence of intentionality is secondary, since this type of infringement is normally committed through negligent or culpable action, which is sufficient to include the subjective element of culpability. XXX's actions are clearly negligent because... it must be aware of... the obligations imposed by the LOPD on all those who handle personal data of third parties. XXX is obliged to guarantee the fundamental right to the protection of personal data of its clients and hypothetical clients with the intensity required by the content of the right itself". The principle of culpability is required in the sanctioning procedure and thus STC 246/1991 considers liability without fault inadmissible in the field of administrative sanctioning law. However, the principle of fault does not imply that only intentional or voluntary action can be sanctioned, and in this regard, Article 28 of Law 40/2015 on the Legal Regime of the Public Sector, under the rubric C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 40/61 "Responsibility", provides as follows: "1. Only natural and legal persons, as well as, when a law recognises their capacity to act, groups of affected persons, unions and entities without legal personality and independent or autonomous estates, who are responsible for them through intent or negligence, may be sanctioned for acts constituting an administrative offence. The facts set out in the preceding Fundamento show that MERCADONA did not act with the diligence to which MERCADONA was obliged, that it acted with a lack of diligence. The Supreme Court (Judgments of 16 and 22/04/1991) considers that from the element of guilt it follows "...that the action or omission, classified as an administratively punishable offence, must, in any case, be imputable to its author, through malice or recklessness, negligence or inexcusable ignorance". The same Court reasons that "it is not sufficient... for exculpation from a typically unlawful conduct to invoke the absence of fault" but it is necessary "that the diligence that was required by the person alleging its non-existence has been used" (STS 23 January 1998). Also connected with the degree of diligence that the data controller is obliged to display in complying with the obligations imposed by the data protection regulations is the SAN of 17/10/2007 (Rec. 63/2006), which stated: "(...) the Supreme Court has understood that imprudence exists whenever a legal duty of care is disregarded, i.e. when the offender does not behave with the required diligence". Furthermore, the Audiencia Nacional, in matters of personal data protection, has declared that "simple negligence or failure to comply with the duties that the Law imposes on the persons responsible for files or data processing to exercise extreme diligence is sufficient..." (SAN 29/06/2001). It is therefore concluded, contrary to the objections raised by the defendant, that the subjective element is present in the infringement found. Consequently, in accordance with the evidence set out above, the aforementioned facts constitute a breach of the provisions of Article 12(2) and (3) of the GDPR, in relation to Article 15 of the aforementioned Regulation, which gives rise to the application of the corrective powers granted to the Spanish Data Protection Agency by Article 58 of the aforementioned Regulation. Not demanding responsibility from MERCADONA for these facts would be tantamount to emptying the rules governing the exercise of rights in the area of personal data protection of their content. It is relevant that the images captured by a video surveillance system must be deleted within a maximum period of one month, in accordance with Article 6 of Instruction 1/2006, of 8 November, of the Spanish Data Protection Agency, on the processing of personal data for surveillance purposes through camera or video camera systems. This is the same period provided for the data controller to resolve the request to exercise the right of access to such images. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 41/61 If we consider that the exercise of the right is subsequent to the capture of the images, the date of expiry of the deadline for exercising the right will always be later than the deadline for deleting the images. Therefore, if it were accepted that MERCADONA is not responsible for the failure to comply with the right of access exercised by the complainant, it would be tantamount to admitting that any data controller could evade the data subject's right of access by claiming that the images had been deleted. With regard to the precedents cited by the respondent, it should be noted that the two cases in which the existence of an unintentional error was found are not similar to the present case, as they refer to entry errors (E/01795/2011 and E/03468/2009). The third of these precedents (PS/00724/2014) is resolved by this Agency, in relation to the aspects highlighted by MERCADONA, according to the scheme followed in this act. VI MERCADONA, in addition to not providing access to the images of the security cameras requested by the complainant, proceeded to delete them after 30 days had elapsed since they were captured, as the company informed the complainant in an e- mail addressed to her representative, who had previously warned of the lack of response to the right of access ("We should add that none of the images from the requested date are available (***DATE.1), all in accordance with art. 6 of Instruction 1/2006, of 8 November, of the AEPD, which establishes that "The data will be cancelled within a maximum period of one month from their capture"). This erasure of the images constitutes processing of personal data, in accordance with Article 4 of the GDPR, which, under the heading 'Definitions', provides as follows: "(2) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In short, we are dealing with a "processing of data" ("erasure or destruction" of images) subject to the legitimisation regime regulated by Article 6 of the GDPR "Lawfulness of processing", which states the following: "Processing shall only be lawful if at least one of the following conditions is met: a) the data subject consented to the processing of his or her personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures at the request of the data subject; c) the processing is necessary for compliance with a legal obligation applicable to the controller; d) processing is necessary in order to protect the vital interests of the data subject or of another person C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 42/61 physics; e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the exercise of their functions. 2. Member States may maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation with regard to processing in compliance with paragraph 1(c) and (e) by setting out more precisely specific processing requirements and other measures ensuring lawful and fair processing, including other specific processing situations within the meaning of Chapter IX. 3. The basis for the processing referred to in paragraph 1(c) and (e) shall be established by: a) Union law, or b) the law of the Member States which applies to the controller. The purpose of the processing shall be determined in that legal basis or, as regards processing referred to in paragraph 1(e), shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data processed; the data subjects concerned; the entities to which personal data may be disclosed and the purposes of such disclosure; purpose limitation; data retention periods as well as processing operations and procedures, including measures to ensure lawful and fair processing, such as those relating to other specific processing situations within the meaning of Chapter IX. Union or Member State law shall meet a public interest objective and be proportionate to the legitimate aim pursued. 4. Where processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the purposes referred to in Article 23(1), the controller shall, in order to determine whether processing for another purpose is compatible with the purpose for which the personal data were originally collected, take into account, inter alia: a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing; b) the context in which the personal data have been collected, in particular as regards the relationship between the data subjects and the controller; c) the nature of the personal data, in particular where special categories of personal data are processed in accordance with Article 9 or personal data relating to criminal convictions and offences in accordance with Article 10; d) the possible consequences for data subjects of the intended further processing; e) the existence of appropriate safeguards, which may include encryption or pseudonymisation'. In relation to the conservation of images captured by video surveillance systems, it is necessary to take into account the provisions of Instruction 1/2006, of 8 November, of the Spanish Data Protection Agency, on the processing of personal data for surveillance purposes through camera or video camera systems. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 43/61 With the application of the GDPR, it must be considered that most of Instruction 1/2006 has been displaced, since the content of the same, such as the legitimisation or the rights of individuals, is displaced by what is established in this respect by the European standard. However, the provisions of Article 6 of the aforementioned Instruction, which regulates the retention period and refers to the obligation to "cancel" the personal data (the images) within a maximum period of one month from their capture, may be considered to remain in force. An interpretation in accordance with the GDPR, which does not contemplate the cancellation but rather the deletion of personal data, means that this maximum storage period of one month will not be one of cancellation but of deletion, except in those cases in which they must be kept to prove the commission of acts that threaten the integrity of persons, goods or installations. Article 22 of the LOPDGDD, section 3, to which reference was made in the agreement to initiate the procedure, also establishes certain rules regarding the deletion of images captured by video surveillance systems. However, as MERCADONA rightly points out in its statement of allegations, this provision regulates cases other than the one analysed in the present proceedings, related to "the processing of images through camera or video camera systems for the purpose of preserving the security of persons and property, as well as of its facilities". This provision regulates video-surveillance processing whose legitimisation lies in the existence of a public interest purpose that can be included in article 6.1.e) of the Regulation, and not in the mere legitimate interests of a private individual. In accordance with the above, MERCADONA's removal of the images requested by the complainant could be understood to be in accordance with the provisions of the aforementioned Instruction 1/2006, as it was carried out within a maximum period of one month from the date they were captured, that is to say, from ***DATE.1. However, in the present case, there are other circumstances that must be considered in the analysis of the lawfulness or unlawfulness of the deletion or erasure of personal data. The claimant suffered an accident in one of MERCADONA's establishments on ***DATE.1 and, four days later, on ***DATE.3, she reported the incident to MERCADONA, informing them of their responsibility in the incident (...), the damage caused by the incident to the claimant (...) and her protest at the lack of attention given to the incident by MERCADONA's insurer (...). The claimant's intention to be compensated for the accident suffered is clear in the complaint, which MERCADONA is on record as having received and responded to the complaint on ***DATE.5 acknowledging receipt and informing the Customer Service Department of its transfer. Such circumstances motivated the complainant's interest in having a copy of the images captured by the security camera system installed in the establishment in question, for which she exercised the right of access described above, on ***DATE.2, also received by the Department of C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 44/61 Customer Service. In this request for the right of access to the images of the video surveillance system, the complainant once again informs the respondent entity that her request is motivated by the accident that took place at the centre in question and on the date indicated. All these circumstances were known to MERCADONA. In addition, on ***DATE.7, the claimant's representative sent an e-mail to this entity, in relation to the aforementioned claim, advising of her "desire to request the corresponding compensation according to the schedule". These actions are considered to be sufficiently indicative of the need to keep the images, especially because they were not made available to the complainant in accordance with the right of access exercised. However, despite all this, MERCADONA proceeded to delete the images requested by the complainant. It is understood that there was an interest on the part of the complainant that justified the processing of the repeated images beyond the period of one month set by Instruction 1/2006, at least until the images were handed over to the complainant and for this sole purpose. The same would be true if the complainant had filed a lawsuit and MERCADONA had decided to keep the images for the defence of its rights, in which case it would be understood that the data processing would comply with the provisions of Article 6.1.f) of the GDPR (processing is considered lawful when "necessary for the purposes of the legitimate interests pursued by the controller"). It is necessary to take into account the doctrine of the Constitutional Court regarding the restrictions to the fundamental right to data protection, analysed in its Judgement 292/2000, of 30 November. In this judgement, after configuring the fundamental right to the protection of personal data as an autonomous and independent right consisting of a power of disposal and control over personal data, which empowers the individual to decide which of these data to provide to a third party or which this third party may collect, and which also allows the individual to know who possesses these personal data and for what purpose, being able to oppose this possession or use, it analyses the limits of the same, pointing out the following: "More specifically, in the aforementioned judgments on data protection, this Court has declared that the right to data protection is not unlimited, and although the Constitution does not expressly impose specific limits on it, nor does it refer to the Public Authorities for its determination as it has done with other fundamental rights, there is no doubt that they must be found in the other fundamental rights and constitutionally protected legal assets, since this is required by the principle of unity of the Constitution (SSTC 11/1981, of 8 April, F. 7; 196/1987, of 11 December [RTC 1987, 196] , F. 6; and with regard to art. 18, STC 110/1984, F. 5)". In relation to this question, it must be considered that the ultimate aim pursued by the non-removal of the images requested by the complainant, the owner of the data in question, is to obtain proof of the damage caused to her own person, as a consequence of an accident that occurred in a MERCADONA centre in which she was injured due to possible negligence on the part of that entity. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 45/61 In this case, a collision between two fundamental rights arises: the right to privacy and the right to C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 46/61 protection of personal data, derived from Article 18 of the Constitution and enshrined as an autonomous right that informs the constitutional text by the aforementioned Constitutional Court Ruling 292/2000, of 30 November; and the right to the effective judicial protection of judges and courts, contained in Article 24.1 of the Spanish Constitution ("All persons have the right to obtain the effective protection of judges and courts in the exercise of their rights and legitimate interests, without, in any case, any defencelessness"), which guarantees the access of all persons to judges and courts for the defence of their rights. The right to the protection of personal data yields in those cases in which it may entail a reduction in the possibility of the data subject to provide the relevant means of proof for his or her defence, thereby violating the guarantees derived from the aforementioned right to effective protection and restricting the possibility of obtaining the full development of this latter right. Therefore, from the point of view of this Agency, there is a legal authorisation for the processing of image data once the period established for their deletion has expired, which is covered by Article 24 of the Constitution and its implementing regulations. Following this premise, prevalence must be given to the right enshrined in Article 24 of the Constitution, which guarantees citizens the effective judicial protection of judges and courts, in the terms set out above. As the Constitutional Court has consistently held (for example, STC 186/2000, of 10 July, citing many others) "the right to privacy is not absolute, as is none of the fundamental rights, and may yield to constitutionally relevant interests, provided that the restriction that it must undergo is necessary to achieve the intended legitimate aim, proportionate to achieve it and, in any case, is respectful of the essential content of the right". The Constitutional Court has been demanding that any measure restricting rights must be proportional. This is stated in Constitutional Court Ruling 14/2003 of 28 January: "In other words, in accordance with the reiterated doctrine of this Court, the constitutionality of any measure restricting fundamental rights is determined by strict observance of the principle of proportionality. For the purposes of the present case, it is sufficient to recall that, in order to check whether a measure restricting a fundamental right passes the proportionality test, it is necessary to ascertain whether it meets the following three requirements or conditions: whether the measure is likely to achieve the proposed objective (suitability test); whether, in addition, it is necessary, in the sense that there is no other more moderate measure for the achievement of that purpose with equal effectiveness (necessity test); and, finally, whether it is weighted or balanced, as it derives more benefits or advantages for the general interest than harm to other conflicting goods or values (proportionality test in the strict sense; SSTC 66/1995, of 8 May [ RTC 1995, 66], F. 5; 55/1996, of 28 March [RTC 1996, 55], FF. 7, 8 and 9; 270/1996, of 16 March [RTC 1996, 55], FF. 7, 8 and 9; 270/1996, of 16 March [RTC 1996, 57], FF. 8 and 9. December [RTC 1996, 270], F. 4.e; 37/1998, of 17 February [RTC 1998, 37], F. 8; 186/2000, of 10 July [RTC 2000, 186], F. 6)". This principle of proportionality is respected in this case, in which the images C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 47/61 captured by MERCADONA's video surveillance cameras constitute valid and adequate evidence for the defence of the claimant's interests. In this respect, Article 299 of Law 1/2000, of 7 January, on Civil Proceedings, indicates which are the means of evidence that may be used in court, establishing in its number 2 the following: "Means of reproduction of speech, sound and image, as well as instruments for recording and knowing or reproducing words, data, figures and mathematical operations carried out for accounting or other purposes, relevant to the proceedings, shall also be admissible in accordance with the provisions of this Act". Article 265 determines the time at which such documents must be produced, providing as follows: 1. Any claim or defence shall be accompanied by: 1o. The documents on which the parties base their right to the judicial protection they are seeking. 2o. The means and instruments referred to in paragraph 2 of Article 299, if they form the basis of the claims for guardianship formulated by the parties. (...)". In this case, the proof of the causation of the damage, as well as the determination of the person against whom the claim will be directed, is to be found in the images captured by the cameras, whose contribution to the proceedings with the claim seems necessary, so that the right to effective protection must prevail in this case over the right to data protection. The scope of the right to judicial protection in relation to evidence has been addressed, among others, in STC 212/2013, of 16 December, in which reference is made, citing STC 88/2014, of 28 May, to "the intimate relationship of the right to evidence with other rights guaranteed in art. 24 CE. Specifically, in our constitutional doctrine we have emphasised the connection of this specific constitutional right with the right to effective judicial protection (art. 24.1 CE), the scope of which includes questions relating to evidence (SSTC 89/1986, of 1 July, FJ 2; 50/1988, of 22 March, FJ 3; 110/1995, of 4 July, FJ 4; 189/1996, of 25 November, FJ 3; and 221/1998, of 24 November, FJ 3), and with the right of defence (art. 24. 24.2 CE), of which it is inseparable (SSTC 131/1995, of 11 September, FJ 2; 1/1996, of 15 January, FJ 2; and 26/2000, of 31 January, FJ 2)'' (STC 19/2001, of 29 January, FJ 4; and, in the same sense, STC 133/2003, of 30 June, FJ 3)". In the aforementioned SSTC 19/2001 and 133/2003, the Constitutional Court pointed out that "it has been precisely this inseparable connection (with the other fundamental rights mentioned, in particular the right to obtain effective judicial protection), which has allowed us to affirm that the essential content of the right to use the relevant means of proof is made up of the legal power recognised to those who intervene as litigants in a process to provoke the procedural activity necessary to achieve the conviction of the judicial body on the existence or non-existence of the relevant facts for the decision of the conflict which is the object of the process (for all, STC 37/2000, of 14 February, FJ 3)". The arguments put forward by MERCADONA in its allegations to the motion for resolution are based on the erroneous assumption that the entity C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 48/61 "did not have any record of the request for access", a circumstance to which he repeatedly refers. However, as stated above, the request to exercise the right of access was correctly received by the aforementioned entity. And not only that. It is also proven that MERCADONA received the complaint about the accident suffered by the claimant, addressed to the same department that received the request for access to the images captured by the video surveillance system. To comply with both of the complainant's initiatives entailed the conservation of the images, even though this would have meant exceeding the legal time limit, and this conservation would be in accordance with the principles of necessity and proportionality in this specific case. Therefore, this does not impose a general obligation on the responsible entity to preserve and monitor all images in order to assess the need for preservation, which is present in this case in view of the circumstances described above. It should be borne in mind that that request for access and the complainant's complaint were submitted to the entity responsible before the images were deleted, unlike the case analysed in the ECDC Guidelines 3/2019 to which MERCADONA refers in its allegations, which refers to a request for access made when the images had already been deleted. Thus, it is not understood that MERCADONA alleges that the Agency relies on circumstances that "the entity has no reason to be aware of", given that these circumstances were known to MERCADONA. It is true that MERCADONA's statement that it would have been different if it had delivered the images to the complainant before the expiry of the legal conservation period, but this was not the case due to the respondent's own conduct, and not precisely because it had not received the request. This same entity states in its allegations that "If a data subject exercises the right of access during the period in which the data controller retains the images, it must be complied with, and the images must be retained, even if there is a formal defect in the request, precisely so that when this is rectified, the right can be satisfied". He then adds, once again, "But in this case, the request did not reach the person responsible, so it could not be kept", when we already know that the request for access did reach him. The defendant also understands its right to keep the images beyond the time limit for the defence of its own rights. On the other hand, it denies that there is in this case a collision of rights (protection of personal data and effective judicial protection) that had to be weighed up by the data controller and does so by arguing once again that this would not have occurred if it had been aware of the data subject's request. It states that "If the request had been received, the data subject would have had a response in due time and form, without the need to keep the images longer than the established time or to seek any basis for the request". C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 49/61 of additional standing", without considering that it did receive the request, that the fact that it was not passed on internally to the unit responsible for processing it does not mean that it did not receive the request and that all of this is within its exclusive sphere of responsibility. The conclusion set out here does not imply any change with respect to the general obligation that the law imposes on data controllers to erase personal data when they are no longer necessary for the purpose for which they were collected or, in the case of images captured by video surveillance systems, when the established time limit has elapsed. The aforementioned reasons prevail over the obligation to delete the images within a maximum period of one month after they were captured, with the result that, once the need to retain and proportionality of retaining the images has been concluded, the processing of personal data consisting of the deletion or suppression of such images is carried out without a legal basis to legitimise it, in clear violation of the provisions of Article 6 of the GDPR. This breach gives rise to the application of the corrective powers that Article 58 of the aforementioned Regulation grants to the Spanish Data Protection Agency. The infringement of the provisions of Article 6 of the GDPR occurs independently of the lack of attention to the right of access exercised by the complainant. The two infringements are the result of separate conduct which must be punished separately. VII In the event of a breach of the precepts of the GDPR, among the corrective powers available to the Spanish Data Protection Agency, as supervisory authority, Article 58.2 of the Regulation provides for the following: "2 Each supervisory authority shall have all of the following remedial powers listed below: (...) (b) issue a warning to any controller or processor where processing operations have infringed the provisions of this Regulation;". (...) (d) instruct the controller or processor to ensure that processing operations are carried out in accordance with the provisions of this Regulation, where applicable, in a specified manner and within a specified period of time; (...) (i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, according to the circumstances of each individual case;'. Pursuant to Article 83(2) of the GDPR, the measure provided for in (d) above is compatible with the sanction of an administrative fine. VIII C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 50/61 In accordance with the evidence set out above, it is considered that the facts set out above do not comply with the provisions of Articles 12, in relation to Article 15, both of the GDPR; and with the provisions of Article 6 of the same Regulation; which entails the commission of two infringements typified, respectively, in sections 5.a) and 5.b) of the GDPR. 5(b) of Article 83 of the GDPR. Article 83(5)(a) and (b) of the GDPR, under the heading 'General conditions for the imposition of administrative fines', provides as follows: "5. Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines not exceeding EUR 20 000 000 or, in the case of an undertaking, not exceeding 4 % of the total annual aggregate turnover in the preceding financial year, whichever is the greater: a) the basic principles for processing, including the conditions for consent within the meaning of Articles 5, 6, 7 and 9; b) the rights of the persons concerned within the meaning of Articles 12 to 22". On the other hand, Article 71 of the LOPDGDD considers any breach of this Organic Law to be an infringement: "The acts and conduct referred to in Article 83(4), (5) and (6) of Regulation (EU) 2016/679, as well as those which are contrary to this organic law, shall constitute infringements." Section 1.b) of Article 72 of the LOPDGDD considers this to be "very serious" for the purposes of the statute of limitations: "Pursuant to Article 83(5) of Regulation (EU) 2016/679, infringements which constitute a substantial breach of the Articles mentioned therein, in particular the following, shall be considered very serious and shall be subject to a three-year statute of limitations: (b) the processing of personal data without one of the conditions for lawful processing set out in Article 6 of Regulation (EU) 2016/679 being met. And section c) of Article 74 of the LOPDGDD considers infringements of a merely formal nature of the articles mentioned in Article 83.5 of the RGPD to be a "minor" infringement for the purposes of the statute of limitations and, specifically: "(c) failing to comply with requests to exercise the rights laid down in Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of Article 72.1.k) of this Organic Law". In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state: "Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding on the imposition of an administrative fine and the amount thereof C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 51/61 in each individual case shall be duly taken into account: a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects concerned and the level of damage they have suffered; b) the intentional or negligent nature of the infringement; c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects; d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented pursuant to Articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data concerned by the infringement; h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the breach was notified by the controller or processor; i) where the measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; j) adherence to codes of conduct under Article 40 or to certification schemes approved under Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gain or loss avoided, directly or indirectly, through the infringement. For its part, Article 76 "Sanctions and corrective measures" of the LOPDGDD is available: "The penalties provided for in Article 83(4), (5) and (6) of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria set out in paragraph 2 of that Article. 2. In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuing nature of the infringement. b) The link between the offender's activity and the processing of personal data. c) Profits made as a result of the commission of the offence. d) The possibility that the conduct of the person concerned could have led to the commission of the infringement. e) The existence of a process of merger by absorption subsequent to the commission of the infringement, which cannot be imputed to the absorbing entity. f) Affecting the rights of minors. g) Have, where not mandatory, a data protection officer. h) The submission by the data controller or data processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party". In addition to the above, consideration should be given to Article 83(1) of the GDPR, according to which "Each supervisory authority shall ensure that the imposition of administrative fines in accordance with this Article for infringements of this Regulation as referred to in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive". In accordance with the above-mentioned provisions, for the purposes of setting the amount of the penalty to be imposed, the following shall be applied C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 52/61 impose in the present case, it is considered that the penalty to be imposed should be graduated in accordance with the following criteria set out in the transcribed precepts: 1. Infringement of Article 12, in conjunction with Article 15, both of the GDPR, as defined in Article 83(5)(b) and classified as minor for the purposes of the statute of limitations in Article 83(5)(b). 74.c) of the LOPDGDD: The following graduation criteria are considered as aggravating factors: . Article 83(2)(a) of the GDPR: '(a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects concerned and the level of damage they have suffered'. . The nature of the infringement, insofar as the failure to respect the right of access, by its content, has an impact on the complainant's ability to exercise real control over her personal data. In relation to the right of access and its configuration as a gateway to other rights, the CJEU, in its ruling of 07/05/2009, handed down in Case C-553/07, analysing the Directive at the time and equally valid now for the GDPR, states the following: "51 That right of access is indispensable to enable the data subject to exercise the rights provided for in Article 12(b) and (c) of the directive, namely, where necessary, where the processing does not comply with the provisions of the directive, to obtain from the data controller rectification, erasure or blocking of the data (subparagraph (b)), or to notify third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out, if this is not impossible or would involve a disproportionate effort (subparagraph (c)). 52 The right of access is also a necessary condition for the exercise by the data subject of the right to object to the processing of his personal data, provided for in Article 14 of the Directive, as it is for the right to bring an action for damages, provided for in Articles 22 and 23 of the Directive. . The level of damages suffered by the interested parties, insofar as the failure to comply with the right of access led to the non-delivery of the images requested by the complainant, which prejudiced her ability to defend herself in relation to the accident she had suffered in one of the respondent's centres. . Article 83(2)(b) of the GDPR: "(b) intentional or negligent breach". Negligence in the commission of the infringement, taking into account that MERCADONA not only failed to respond to the right exercised by the complainant, but did not even provide any response to the request made by the complainant within the deadline. This response did not take place until after the images in question had been deleted, so that the failure to exercise the right has led to a loss of availability and control over the data. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 53/61 This circumstance highlights MERCADONA's negligent conduct. In this respect, we take into account what is stated in the Judgment of the Audiencia Nacional of 17/10/2007 (rec. 63/2006) which, based on the fact that these are entities whose activity involves continuous data processing, indicates that "...the Supreme Court has understood that imprudence exists whenever a legal duty of care is disregarded, i.e. when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or otherwise of the subject must be weighed up, and there is no doubt that, in the case under examination, when the appellant's activity involves constant and abundant handling of personal data, it is necessary to insist on rigour and exquisite care to comply with the legal provisions in this respect". It is a company that processes personal data systematically and continuously and must take great care in complying with its data protection obligations. This Agency understands that diligence must be deduced from conclusive facts, which are duly accredited and directly related to the elements that make up the infringement, in such a way that it can be deduced that the infringement has taken place despite all the means available to the responsible party to avoid it. In this case, MERCADONA's actions are not of this nature. . Article 83(2)(g) of the GDPR: '(g) the categories of personal data concerned by the breach'. Although "Special categories of personal data", as defined by the GDPR in Article 9, have not been affected, the personal data to which the proceedings relate (the complainant's image) is of a particularly sensitive nature, as it allows for the early identification of data subjects and increases the risks to their privacy. . Article 76.2.b) of the LOPDGDD: "b) The linking of the offender's activity with the processing of personal data". The strong link between the offender's activity and the processing of personal data, especially with regard to the indiscriminate capture of images of customers by the video surveillance systems installed in its establishments. Consideration is given to the level of implementation of the entity and the activity it carries out, in which the personal data of thousands of data subjects are involved. This circumstance determines a higher degree of exigency and professionalism and, consequently, of the responsibility of the entity complained of in relation to the processing of the data. . Article 83(2)(k) of the GDPR: '(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefit gained or loss avoided, directly or indirectly, through the infringement'. . MERCADONA's status as a large company and its turnover. It is on record in the proceedings that this entity has (...). C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 54/61 The following circumstances are also considered as extenuating circumstances: . Article 83(2)(d) of the GDPR: '(d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures which they have implemented pursuant to Articles 25 and 32'. The accused entity has adequate procedures in place for handling requests for the exercise of rights, so that the infringement is the result of an anomaly in the operation of those procedures which affects only the defendant. Considering the factors set out above, the value of the fine for the infringement of Article 12 of the GDPR is 70,000 euros (seventy thousand euros). 2. Infringement for failure to comply with the provisions of Article 6 of the RGPD, typified in Article 83.5.a) and classified as very serious for statute of limitations purposes in Article 72.1.b) of the LOPDGDD: The following graduation criteria are considered as aggravating factors: . Article 83(2)(a) of the GDPR: '(a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects concerned and the level of damage they have suffered'. . The nature and seriousness of the infringement, insofar as the definitive erasure of the images captured by the video surveillance system, in this case, affects the complainant's ability to exercise real control over her personal data insofar as it limits her ability to act in defence of her rights; and limits any subsequent intervention by this Agency in order to remedy the lack of attention to the right of access or by the courts with regard to the actions that the complainant could bring against MERCADONA for possible compensation for damages. . The level of damages suffered by the complainant concerned, insofar as the removal of the images has impaired her ability to defend herself, as expressed in the previous paragraph. MERCADONA argues that the complainant's complaint cannot be linked to a legal obligation to keep the images and that it is not the obligation of the person in charge to keep the images of every event that has occurred, without the person having requested the images, just in case he/she might request them. However, this is not the case here, in which the complainant had indeed requested the images on the occasion of an accident that occurred in a centre of the aforementioned entity. . Article 83(2)(b) of the GDPR: "(b) intentional or negligent breach". C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 55/61 The negligence found in the commission of the infringement, bearing in mind that MERCADONA deleted the images despite being aware that the complainant reported the accident and the damage suffered to MERCADONA, and requested access to those images for that reason. According to the Respondent, this cannot be affirmed because "the entity was not aware of the access request made". Once again, MERCADONA raises the issue as if the request for access had not existed, despite the fact that it is not disputed that MERCADONA received such a request. The fact that it was not properly processed, as the request was not passed on internally to the person or unit responsible for handling it, cannot be treated as something beyond the control of the responsible entity itself. In assessing this negligence, account is also taken of the circumstances set out in paragraph 1 above. . Article 83(2)(g) of the GDPR: '(g) the categories of personal data concerned by the breach'. As has already been pointed out, the personal data to which the proceedings refer (image of the complainant) is of a particularly sensitive nature. . Article 76.2.b) of the LOPDGDD: "b) The linking of the offender's activity with the processing of personal data". The strong link between the offender's activity and the processing of personal data, already justified in relation to the previous offence. . Article 83(2)(k) of the GDPR: '(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefit gained or loss avoided, directly or indirectly, through the infringement'. . MERCADONA's status as a large company and its turnover, according to the details set out above. The following circumstances are also considered as extenuating circumstances: . Article 83(2)(d) of the GDPR: '(d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures which they have implemented pursuant to Articles 25 and 32'. The infringement is an anomaly affecting only the defendant. Considering the factors set out in this second part, the value of the fine for the infringement of Article 6 of the GDPR is 100,000 euros (one hundred thousand euros). C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 56/61 MERCADONA did not make any allegation on the factors for the graduation of the sanctions in its submissions to the opening of the procedure. However, in its written statement it emphasised that it had contacted the complainant, through her representative, and reached an agreement that compensated the damages suffered as a result of the accident and those arising from the failure to comply with her right of access to her personal data. Furthermore, it states that disciplinary measures were adopted internally, as well as technical and organisational measures, to prevent a similar error from occurring in the future and to ensure that requests made through the web form are sent to the DPD. These measures are insufficient to "remedy the breach and mitigate the possible adverse effects of the breach", according to the terms of Article 83(2)(f) of the GDPR, or "to mitigate the damage suffered by data subjects" as a result of the breach, according to paragraph 2(c) of the same article. Mitigating the adverse effects or mitigating the damage caused by the infringements implies restoring the rights of the data subjects, which in this case is not possible because of the deletion of the images. Nor can the cessation of the conduct in breach of the legal system be considered as a mitigating factor in any case. On the other hand, it cannot be accepted that an out-of-court agreement between the complainant and the respondent can avoid the application of the regulation and the demand for the responsibilities resulting from the facts established. This would be tantamount to emptying the personal data protection regulation of its content. If we add to this that sanctions must be "in each individual case" effective, proportionate and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR, this agreement cannot be admitted as a mitigating factor. It would be an artificial reduction of the sanction that could lead to the understanding that infringing the rule would not produce a negative effect proportional to the seriousness of the infringing act. On this issue of compensation for the damage alleged by the Respondent, reference is made to what is indicated in Ground II. Subsequently, in the allegations to the draft decision, MERCADONA questions the aggravating circumstances considered and argues that these same aggravating circumstances should be assessed as mitigating circumstances. Thus, it alleges that there is only one affected party and that it is not a structural infringement that lasts over time, despite the fact that these graduation factors have already been considered by this Agency as mitigating factors; and it insists on the "repair" of damages carried out and the measures adopted, on which this Agency has already ruled, without MERCADONA providing any argument that undermines what has been indicated in this resolution in this regard. On the other hand, it denies the alleged negligence and its professionalism in the processing of personal data, but again it does not put forward sufficient counter- arguments to overcome the above. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 57/61 In relation to the degree of diligence that should be required of MERCADONA, given its level of professionalism and high level of involvement in the processing of personal data, it should be noted that the entity itself, in its allegations in the opening of the procedure, as an argument to justify the extent of the involuntary error alleged, highlighted the large amount of personal data that it processes. On the other hand, none of the factors considered is attenuated by the fact that the defendant entity has not been subject to sanctioning proceedings before, a circumstance that has been alleged by the defendant entity to be considered as an attenuating circumstance. In this respect, the NA Judgment of 05/05/2021, rec. 1437/2020, indicates: "On the other hand, it considers that the fact that no previous infringement has been committed should be taken into account as a mitigating circumstance. Article 83.2 of the GDPR establishes that the imposition of the administrative fine must take into account, inter alia, the circumstance "(e) any previous infringement committed by the controller or processor". This is an aggravating circumstance; the fact that it does not meet the requirements for its application means that it cannot be taken into consideration, but it does not imply or permit, as the plaintiff claims, its application as a mitigating circumstance". According to the aforementioned Article 83.2 of the GDPR, when deciding on the imposition of an administrative fine and its amount, "any previous infringement committed by the person responsible" must be taken into account. This is a regulatory provision that does not include the absence of previous infringements as a factor in the graduation of the fine, which should be understood as a criterion close to recidivism, albeit broader. The defendant also states that personal data relating to images do not constitute special categories of data, which is already considered in this act, since otherwise the proven facts would constitute an infringement other than the one alleged. However, this does not imply that the personal image is considered to increase the risks to privacy in the assessment of the infringement. IX Infringements in the matter in question may give rise to the imposition on the controller of the obligation to take appropriate measures to bring its actions into compliancewith the regulations referred to in this act, in accordance with the provisions of the aforementioned Article 58(2)(d) of the GDPR, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where applicable, in a specified manner and within a specified period of time...". In this case, the responsible entity should be required, within the period indicated in the operative part, to adapt the processing operations it carries out and the mechanisms and procedures it follows to deal with requests from data subjects to exercise their rights, with the scope expressed in the grounds of law of this resolution, to the personal data protection regulations. Thus, it shall establish mechanisms to ensure that the C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es requests for 58/61 C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 59/61 In the case of requests for access to images captured by its video-surveillance systems, the images to which these requests refer shall be deleted before the right has been exercised and before the competent bodies can review, where appropriate, the decisions adopted by MERCADONA in this regard. It should be noted that failure to comply with the requirements of this body may be considered a serious administrative offence for "failing to cooperate with the supervisory authority" in response to the requirements made, and such conduct may be assessed when opening an administrative sanctioning procedure with a financial fine. X MERCADONA, in its statement of allegations to the proposed resolution, in the event that voluntary payment and acknowledgement of liability is made at any time prior to the resolution, requests the application of a 40% discount on the fine. However, as of this date, there is no record that said entity has proceeded to voluntary payment, nor has any letter been received by this Agency in which the entity acknowledges its liability for the facts that have given rise to the proceedings. In any event, this Agency does not share the interpretation of article 85 of Law 39/2015 (LPACPA) that MERCADONA puts forward in its statement of allegations, in relation to the time at which liability must be recognised in order for the reduction provided for to be applicable. In the opinion of this Agency, this acknowledgement, as stated in the initiation agreement, should be expressed at the start of the procedure, during the period for submitting allegations at the start of the procedure. This is in accordance with the provisions of the aforementioned article 85 of Law 39/2015, according to which the acknowledgement of liability must occur "when the procedure is initiated" in order for the reduction of 20% of the penalty to be applicable, unlike what is expressly established in relation to the discount for voluntary payment of the penalty, which may be applied when said payment is made at any time prior to the resolution. If the aforementioned provision has distinguished the conditions in the two methods of voluntary termination of the procedure indicated, no interpretation should equate these conditions as if there were no differences in their regulation. Article 85.2 of the LPACAP refers expressly and solely to voluntary payment, and not to the recognition of liability, determining that such payment may be made at any time prior to the resolution. Thus, it is not possible to distinguish or oblige where the Law does not distinguish or oblige. Furthermore, Article 85.3 states that "In both cases, when the sanction is solely of a pecuniary nature, the body competent to resolve the procedure shall apply reductions of at least 20 % of the amount of the proposed sanction, which may be cumulative. The aforementioned reductions must be specified in the notification of the initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or waiver of any administrative action or appeal against the sanction". C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 60/61 implies that both must be in the initiation agreement (reference of article 85.1 to 64 of the LPACAP), so it does not contemplate that both reductions are in the resolution proposal or that they can be paid cumulatively at any time prior to the resolution. This is also the understanding of the Audiencia Nacional, Sala de lo Contencioso- administrativo, Sección 1a, which in its Judgment of 05/02/2021, Rec. 41/2019, indicates that voluntary payment can take place at any time prior to the resolution, while the reduction for recognition of liability is linked to the agreement of initiation and to the provision of article 64.2.d) of Law 39/2015: "With regard to the infringement of the provisions of Articles 64 and 85 of Law 39/2015, which provide for the possibility of recognising liability at the time of notification of the decision to initiate the procedure (Article 64.2.d) and availing oneself of the reductions provided for in Article 85, in the decision to initiate the procedure there is an express reference to those articles, indicating that paragraphs 2 and 3 of Article 85 are not applicable; furthermore, at no time has the applicant shown its willingness to acknowledge liability for the infringement penalised and avail itself of the possibility established in those articles (voluntary payment may be made at any time prior to the decision), and therefore this argument must also be dismissed" . The purpose is also different for each one of those modes of termination of the procedure. In the case of the recognition of liability (Article 85.1), the aim is to achieve greater efficiency in administrative action with a rapid completion of the procedure, which is also associated with the waiver of the administrative appeal. This implies a saving of time, effort and, therefore, of costs, which subsidises the recognition of liability with a 20% reduction. The position defended by MERCADONA does not achieve this aim, as the procedure would be carried out in its entirety, which is why this reduction is not obtained. In the case of voluntary payment (Article 85(2)) the purpose is different, since in this case it is referred to as "at any time prior to the decision". On this issue, the provisions of other sanctioning regimes, such as those mentioned by MERCADONA in its allegations, do not condition the regulations applicable to this procedure, nor do they prevail over them. Furthermore, some of the regulations cited by MERCADONA in this regard do not establish that the recognition of liability entails the application of a discount, even if it occurs after the proposed decision and before the decision, as in the case of Law 16/1987, of 30 July, on Land Transport Organisation (LOTT), article 146.3 of which only refers to voluntary payment: "Payment of the financial penalty prior to the issuing of the sanctioning decision shall imply conformity with the facts denounced and the waiver of the interested party to make allegations and the termination of the procedure, although an express decision must nevertheless be issued. The case of Law 7/2014, of 23 July, on the Protection of Consumers and Users of the Balearic Islands, is no different when it establishes the application of a C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 61/61 reduction "if the allegedly liable party agrees to the content of the resolution of initiation and justifies the payment of the aforementioned amount during the fifteen days following its notification"; although it expressly contemplates the application of a lower reduction if the agreement is given in relation to the content of the proposed resolution, which Law 39/2015 does not do. MERCADONA also considers that its interpretation of the aforementioned provision is supported by the courts, and cites three judgments. Two of these, STS 232/2021, of 18 February, (appeal 2201/2020), and that handed down by the High Court of Justice of Madrid, Chamber for Contentious-Administrative Proceedings, no. 79/2020, of 6 February, do not contain the pronouncement expressed by the claimant. 79/2020, of 6 February, do not contain the pronouncement expressed by the respondent (the STS establishes as a doctrine "the waiver or withdrawal required in Article 85 of Law 39/2015 to be able to benefit from the reduction in the amount of the penalty is projected solely and exclusively on the actions or appeals against the penalty to be exercised in administrative proceedings and not in judicial proceedings"); and the third refers to a case in which the appellant acknowledged his liability in the statement of allegations to the agreement to initiate the penalty proceedings. On another note, it should be pointed out that the Report of the Legal Office of the Junta de Andalucía cited in the allegations to the proposed resolution refers to the voluntary payment of the penalty (article 85.2 of Law 39/2015) and not to the acknowledgement of liability. Therefore, in accordance with the applicable legislation and taking into account the criteria for the graduation of the sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE a fine of 70,000 euros (seventy thousand euros) on MERCADONA, S.A., with tax identification number A46103834, for an infringement of Article 12, in relation to Article 15, both of the RGPD, as defined in Article 83.5.b) and classified as minor for statute of limitations purposes in Article 74.c) of the LOPDGDD. SECOND: IMPOSE a fine of 100,000 euros (one hundred thousand euros) on MERCADONA, S.A., for an infringement of Article 6 of the RGPD, typified in Article 83.5.a) and classified as very serious for the purposes of prescription in Article 72.1.b) of the LOPDGDD, for a fine of 100,000 euros (one hundred thousand euros). THIRD: TO REQUIRE MERCADONA, S.A., within one month of notification of this resolution, to bring its actions into line with the personal data protection regulations, with the scope expressed in Ground of Law IX, and to justify to this Spanish Data Protection Agency the fulfilment of this requirement. The text of the resolution establishes the infringements committed and the facts that have given rise to the breach of the data protection regulations, from which it is clearly inferred what measures are to be adopted, without prejudice to the fact that the type of procedures, mechanisms or specific instruments to implement them corresponds to the sanctioned party, since it is the data controller who is fully aware of its organisation and has to decide, based on proactive responsibility and a risk-based approach, how to comply with the GDPR and the LOPDGDDD. C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 62/61 FOURTH: TO NOTIFY MERCADONA S.A. of this resolution. FIFTH: To warn the sanctioned party that they must pay the penalty imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to art. 62 of Law 58/2003, of 17 December, by means of payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account number ES00 0000 0000 0000 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A.. Otherwise, it will be collected during the enforcement period. Once the notification has been received and once enforceable, if the enforceability date is between the 1st and 15th of each month, both inclusive, the deadline for voluntary payment will be until the 20th of the following month or the immediately following working day, and if it is between the 16th and the last day of each month, both inclusive, the deadline for payment will be until the 5th of the second following month or the immediately following working day. In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to administrative proceedings in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within one month of the day following notification of this resolution or directly lodge a contentious-administrative appeal with the Contentious-Administrative Chamber of the National High Court, pursuant to the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, in accordance with the provisions of Article 46.1 of the aforementioned Law. Finally, it should be noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative decision may be suspended as a precautionary measure if the data subject expresses his/her intention to file a contentious- administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. The documentation accrediting the effective filing of the contentious-administrative appeal must also be sent to the Agency. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months of the day following notification of this resolution, the precautionary suspension will be deemed to have ended. Mar España Martí C/ Jorge Juan, 6 28001 - Madrid 938-100322 www.aepd.es sedeagpd.gob.es Director of the Spanish Data Protection Agency 63/61 C/ Jorge Juan, 6 28001 - Madrid www.aepd.e