AEPD (Spain) - PS/00178/2022: Difference between revisions
(Clarification of the short summary.) |
No edit summary |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 67: | Line 67: | ||
}} | }} | ||
The | The Spanish DPA fined a restaurant €20,000 for violating [[Article 6 GDPR]] by taking audio recordings of its employees and costumers disproportionate to the data minimisation principle of [[Article 5 GDPR|Article 5(1)(c) GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Muxers Concept, S.L., the data controller, is the owner of a restaurant. Over the course of 2020 and 2021, the Judicial Police and the Spanish DPA received numerous complaints by employees of the restaurant, the data subjects, related to the discovery of hidden and operational audio and video recording systems in the company's toilet as well as changing and locker rooms. In the following investigation, the public entities were able to collect evidence of the hidden devices. | |||
In | |||
Following further investigations, the DPA considers it undisputed at the time of the proceedings at hand that the data controller engaged in video and audio surveillance of its employees and costumers since 2018. | |||
While the controller informed its employees that their images, captured by video cameras, could be used to comply with labour laws, neither the employees nor the controller's costumers were informed of the hidden audio recordings. | |||
=== Holding === | === Holding === | ||
The DPA held that the conduct of the controller infringed the GDPR by establishing three conclusions. | |||
First, the recording of images and sounds of employees and costumers constituted the processing of personal data pursuant to [[Article 4 GDPR|Article 4(1)]] and [[Article 4 GDPR|Article 4(2) GDPR]]. | |||
Second, the data controller's hidden image and sound recording of the employees' private spaces violated the principle of data minimisation pursuant to [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] and the limits of proportionality and minimum intervention according to Article 89 of the national LOPDGDD law. | |||
Third, the Spanish DPA held that the controller failed to consider the decision of the Spanish Constitutional Court Rec. No. 4015/1996, according to which the recording of conversations among workers or between workers and customers is not justified to ensure the employers compliance with their obligations and duties. | |||
Therefore, the DPA concluded that the hidden image and voice recordings of uninformed employees and customers had no legal basis pursuent to [[Article 6 GDPR]]. | |||
In determining the amount of the fine, the DPA considered aggravating factors, as stipulated in [[Article 83 GDPR#2a|Article 83(2)(a) GDPR]], and mitigating factors, as established by [[Article 83 GDPR#2k|Article 83(2)(k) GDPR]]. The aggravating factors consisted of the duration of the infringement and the significant number of personal data subjects affected by the violation, whereas the DPA acknowledged as mitigating factors the data controler's status as a small business (SME) and its low turnover. As a result, the DPA fined the data controller €20,000 for violating [[Article 6 GDPR]]. | |||
== Comment == | == Comment == | ||
The decision of Spanish DPA on PS/00178/2022 | The decision of Spanish DPA on PS/00178/2022 highlights the importance of taking into account the necessity and proportionality of recording the audio of employees, especially in a circumstance where a combination of devices amounted to a system of surveillance, consisting not only of mere video recordings. One valuable resource for such analysis is the guidance provided by the Spanish DPA related to the protection of personal data in employment relation, available here. | ||
Latest revision as of 14:48, 22 September 2022
AEPD - PS/00178/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 5(1)(c) GDPR Article 6 GDPR Article 83(5)(a) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | |
Fine: | 20,000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00178/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Giovanna Lahude |
The Spanish DPA fined a restaurant €20,000 for violating Article 6 GDPR by taking audio recordings of its employees and costumers disproportionate to the data minimisation principle of Article 5(1)(c) GDPR.
English Summary
Facts
Muxers Concept, S.L., the data controller, is the owner of a restaurant. Over the course of 2020 and 2021, the Judicial Police and the Spanish DPA received numerous complaints by employees of the restaurant, the data subjects, related to the discovery of hidden and operational audio and video recording systems in the company's toilet as well as changing and locker rooms. In the following investigation, the public entities were able to collect evidence of the hidden devices.
Following further investigations, the DPA considers it undisputed at the time of the proceedings at hand that the data controller engaged in video and audio surveillance of its employees and costumers since 2018.
While the controller informed its employees that their images, captured by video cameras, could be used to comply with labour laws, neither the employees nor the controller's costumers were informed of the hidden audio recordings.
Holding
The DPA held that the conduct of the controller infringed the GDPR by establishing three conclusions.
First, the recording of images and sounds of employees and costumers constituted the processing of personal data pursuant to Article 4(1) and Article 4(2) GDPR.
Second, the data controller's hidden image and sound recording of the employees' private spaces violated the principle of data minimisation pursuant to Article 5(1)(c) GDPR and the limits of proportionality and minimum intervention according to Article 89 of the national LOPDGDD law.
Third, the Spanish DPA held that the controller failed to consider the decision of the Spanish Constitutional Court Rec. No. 4015/1996, according to which the recording of conversations among workers or between workers and customers is not justified to ensure the employers compliance with their obligations and duties.
Therefore, the DPA concluded that the hidden image and voice recordings of uninformed employees and customers had no legal basis pursuent to Article 6 GDPR.
In determining the amount of the fine, the DPA considered aggravating factors, as stipulated in Article 83(2)(a) GDPR, and mitigating factors, as established by Article 83(2)(k) GDPR. The aggravating factors consisted of the duration of the infringement and the significant number of personal data subjects affected by the violation, whereas the DPA acknowledged as mitigating factors the data controler's status as a small business (SME) and its low turnover. As a result, the DPA fined the data controller €20,000 for violating Article 6 GDPR.
Comment
The decision of Spanish DPA on PS/00178/2022 highlights the importance of taking into account the necessity and proportionality of recording the audio of employees, especially in a circumstance where a combination of devices amounted to a system of surveillance, consisting not only of mere video recordings. One valuable resource for such analysis is the guidance provided by the Spanish DPA related to the protection of personal data in employment relation, available here.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00178/2022 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: The General Police Directorate, Moncloa-Aravaca Police Station (in successive National Police), dated 11/16/2020 filed a claim with the Spanish Data Protection Agency against the entity MUXERS CONCEPT, SL, with NIF B87345369 (hereinafter, the claimed party or MUXERS). The motives on which the claim is based are as follows: The National Police gives an account of the complaint made before the Police Group Judicial by five workers of a restaurant belonging to the claimed party, for the “finding of an audio recording system in the company locker room”, hidden in a false ceiling; as well as the proceedings instituted for that reason. Provides a copy of the complaints outlined, in which the complainants declare having found in the employee toilet, where their lockers are also located, a alleged video surveillance camera and sound recorder, plugged in and on conditions of use (three of the five complaints refer only to a microphone). They also state that they were not informed about the installation of These devices. The National Police also provides a copy of a record, dated 10/27/2020, extended to proceed to the intervention of a "Microphone with number Air Space AA003", and photographs showing the location of this device in a false ceiling. According to It is stated in this Act that the interested person who witnesses the intervention of the Police Nacional states “that the seized microphone is owned by the company Muxers Concept, SL, CIF…”. On the other hand, on 04/20/2021, a claim filed by AAA was received (hereinafter, the complaining party), also directed against the entity MUXERS, in the stating that on 10/27/2020, in the company of other colleagues, discovered at his workplace (the same one referred to in the claim of the National Police) “the placement of audio/video recording cameras in the toilets corresponding to the changing rooms of the workers”. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the claim received from the National Police was transferred to the claimed party, so that it could proceed with its analysis and inform this Agency in within a month, of the actions carried out to adapt to the requirements C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/18 provided for in the data protection regulations. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations (hereinafter, LPACAP) by electronic notification, was not collected by the person in charge, within the period of making available, understanding rejected in accordance with the provisions of art. 43.2 of the LPACAP on 12/20/2020, as stated in the certificate that works in the file. Although the notification was validly made by electronic means, assuming carried out the procedure in accordance with the provisions of article 41.5 of the LPACAP, by way of informative, a copy was sent by mail that was reliably notified in date 01/18/2021. In said notification, he was reminded of his obligation to relate electronically with the Administration, and they were informed of the means of access to said notifications, reiterating that, in the future, it would be notified exclusively by electronic means. On 02/17/2021, this Agency received a response letter provided by the Respondent, stating the following: The system, which was installed by the entity Teknometric Biometric Solutions and New Technologies, SL (Teknometric) on 06/20/2018, has 22 cameras within of the premises, 2 exterior cameras on the facade, 1 recording equipment and 4 microphones of preamplified audio, without any device in the locker room or in the toilets. On the existence of a contract by which a third party is commissioned to view and/or listening to the images and/or audios, informs that there is a contract with the company “Stop Alarma since the installation corresponds to the video surveillance system”. I know attached contract and certificate of connection to alarm center and video certificate check with that company. In relation to the purpose of the installation of video surveillance equipment, it indicates that Said purpose is “the access control of people, merchandise… security of the goods and people”. In this regard, it notes that a written communication was made to the workers since the opening and the letters signed in agreement by each worker about the placement, its nature and its location. Regarding the causes that gave rise to the claim, the respondent adds that the rarefaction of the labor relationship caused by the reduction of working hours of the workers and not having collected the amounts owed by the partial ERTE, motivated that the workers raised the false ceiling and dragged the micro from the office (where if there is a microphone) and they will take him to the locker room area, not to the bathrooms, and from there all the controversy. Additionally, all the workers have criminally denounced the owner of the company, and there have been dismissals with the corresponding lawsuits in the Court of the Social. There are complaints by the company against the aforementioned workers for this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/18 incident, which led to the dismissal of some of them, among others the manager who abandoning her functions, she admitted the entry of people outside the premises and he hatched a whole plan in order to ask for money by all means, as it has been. Attached are the complaints from the company, the letters reducing the working day, which explain the real reasons for this matter, which has nothing to do with the placement of cameras or microphones since the company has never placed them and appears on the location map from the first day of opening of the premises and the communication to female workers since August 2018. Therefore, according to the respondent, it is difficult for the workers to say, as say they were unaware of the location of the security systems when they were knowledgeable from the beginning of its existence, purpose, location, etc. For more details, the lawyer of one of the complainants has asked the company 35,000 euros for this compensation issue for not going to trial. Everything along the lines that we have said of pressuring the company to compensate the workers or to reinstate them. With his response, he provides the following relevant documentation: . Location map of the cameras and microphones (22 interior cameras, 2 exterior cameras, 1 recording equipment, 4 audio microphones preamps). According to this plan, prepared by Teknometric, the microphones they are installed at the entrance to the restaurant, in the room where they are located the tables and bar of the establishment (more than XX tables of different dimensions -between and six stalls- and 12 bar stalls), in an office and in a room of small size whose use is not specified in the plan. . Camera location photos . Provide a photograph in which the existence of an informative poster can be seen of the existence of the cameras, located inside the premises. . Provides an invoice from the installer of the Teknometric cameras, detailing the installed system, made up of 22 interior cameras, 2 exterior cameras, a recorder video surveillance and 4 audio outputs with hard disk, and "4 hidden microphones preamplified”; and technical report issued by this same entity on the installation of these devices on 06/20/2018. This report indicates that MUXERS was informed “of the regulations and legality regarding the notice of their employees before the placement of audio microphones”. . "Video verification certificate" and "Certificate of connection to alarm center" issued by the entity Stop Alarmas, SLU The latter includes a section called "Verification" in which the "Sequential" options are marked, Image” and “Bidirectional”. The “Audio” option is not checked. . 10 documents dated 08/20/2018, with the label “Communication to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/18 worker of the existence of video surveillance cameras whose images can be used to control labor obligations and duties”. to information contained in these documents is excerpted in the Fourth Proven Fact. . Complaint filed with the National Police by the administrator of the entity MUXERS, for damage caused to the staff locker room on the date 10/27/2020 (“the roof is broken and the microphone cables that were in the inside hanging”). This document contains the manifestations of the complainant. Among them, the following: "That the complainant states that they are microphones, that in the employment contract comes specified the audio and video recording, and that they themselves have signed”. “That at 1:20 p.m. another indicative of the National Police comes to seize the microphone from the locker room, all of which is reflected in a Record of Intervention of Effects of which they deliver a copy to the complainant”. THIRD: On 02/22/2021, in accordance with article 65 of the LOPDGDD, The claim filed by the National Police was admitted for processing. Similarly, the claim made by the claimant was admitted for processing in date 05/07/2021. FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes: . A request for information was sent to the claimed party, by postal mail Addressed to the same address where the notification of the outlined transfer was made in the previous Antecedent, without in this case the notification could be practiced (it was returned with the indication "unknown"). . The National Police, on 12/03/2021, informed the Inspection Services that the police report of the Moncloa-Aravaca Police Station, has led to the opening Preliminary Proceedings No. ***PROCEEDINGS.1, followed up in the Court of Instruction No. XX of Madrid. . Requested information from the aforementioned Court of Instruction on the possible responsibility of the claimed party in the installation of the devices of audio and video recording in the changing rooms and toilets used by the workers of the establishment to which the claims refer, no reply was received from said court during the period of these investigative actions. Thus, it was agreed to declare the expiration of the aforementioned prior actions of research and open new research actions, as well as incorporate the same the documentation that integrates the expired actions. The response from the Investigating Court was received on 01/26/2022, stating C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/18 reports that what has been done to date (01/18/2022) in the Procedure Abbreviated that follows under the number ***DILIGENCIAS.1, "the responsibility of the entity MUXERS CONCEPT, SL”. FIFTH: On 05/13/2022, by the General Subdirectorate for Data Inspection You can access the information related to the MUXERS entity in “Axesor” (“Informe monitor”). (...). SIXTH: On 05/20/2022, the Director of the Spanish Agency for the Protection of Data agreed to initiate a sanctioning procedure against the MUXERS entity, in accordance with the provided in articles 63 and 64 of the LPACAP, for the alleged violation of article 6 of the RGPD, typified in article 83.5.a) of the aforementioned Regulation; and rated as very serious for prescription purposes in article 72.1.b) of the LOPDGDD. In the opening agreement it was determined that the sanction that could correspond, attended the existing evidence at the time of opening and without prejudice to what resulting from the instruction, would amount to a total of 20,000 euros (twenty thousand euros). The notification of this opening agreement to the claimed party, in which granted a term to formulate allegations and propose evidence, it was sent by means of the Electronic Notification Service, although it was not collected by the claimed within the period of availability. Although the notification was validly made by electronic means, assuming carried out the procedure in accordance with the provisions of article 41.5 of the LPACAP, with date 06/09/2022 a new notification attempt was made by post, being returned the shipment due to an incorrect address, even though it was addressed to the registered office of the entity that appears in the Mercantile Registry. Likewise, on 06/23/02022, a document was published in the Official State Gazette announcement of notification of the opening of proceedings. In said announcement, it is informed the party complained against about the possibility of obtaining a copy of the opening agreement. SEVENTH: Notification of the aforementioned start-up agreement in accordance with the established rules in the LPACAP and after the term granted for the formulation of allegations, has verified that no allegation has been received by the respondent party. Article 64.2.f) of the LPACAP - provision of which the respondent was informed in the agreement to open the procedure - establishes that if no allegations within the stipulated period on the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, may be considered a resolution proposal. In the present case, the agreement beginning of the sanctioning file determined the facts in which the imputation, the infraction of the RGPD attributed to the claimed and the sanction that could prevail. Therefore, taking into consideration that the respondent has not formulated allegations to the agreement to initiate the file and in attention to what established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is considered in this case proposed resolution. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/18 In view of everything that has been done, by the Spanish Data Protection Agency In this proceeding, the following are considered proven facts: PROVEN FACTS 1. the MUXERS entity is responsible for the video surveillance system installed in the premises in which it carries out its activity on 06/20/2018. It's about a establishment open to the public dedicated to restoration. 2. The video surveillance system outlined in the First Proven Fact, in addition to video surveillance cameras, has four audio microphones preamplified, installed at the entrance to the restaurant, in the room where they are located the tables and bar of the establishment (more than 30 tables of different dimensions -between and six seats- and 12 bar seats), in an office and in a small room whose use is not specified. This system has a video surveillance recorder and 4 audio outputs with HDD. 3. The intended purpose of installing this equipment is access control of people and goods, the safety of goods and people, as well as the control of labor obligations and duties. 4. At the time of the installation of the video surveillance system, the entity MUXERS provided its workers with an informative document with the label "Communication to the worker of the existence of video surveillance cameras whose images can be used to control labor obligations and duties”. According to these documents, the party claimed informs the worker who signs it as follows: “In accordance with Law 5/1999… INFORMS… (name and surname of the worker) of the recording through video cameras in the internal and external facilities of the company of which is a treatment responsibility of Muxers Concept, SL in which they remain stored his personal data, including his image and sound obtained, recorded and captured through cameras and video cameras, for the following purposes: I. Surveillance Internal and external surveillance of the company's facilities..., in order to provide compliance with the security operation and to prevent risks that affect the security and protection of people, premises and patrimonial assets as well as to denounce, when necessary, made before the competent authorities or meet requirements of the themselves. II. Quality and work performance Control of the quality and labor performance of the workers as well as verification of the fulfillment by… (name and surname of the worker) of their obligations and duties labor. III. disciplinary sanctions The images and sound captured by the video surveillance cameras may be used to the detection by Muxers… of criminal acts or labor offenses included in the agreement C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/18 collective… as evidence when sanctioning …the technical instruments used…respect the right to privacy, within the legitimate exercise of the power of business surveillance. 5. Due to complaints made by restaurant workers, the The National Police appeared at the MUXERS establishment and drew up a record dated 10/27/2020, extended to proceed with the intervention of a “Microphone with Air Space numbering AA003”. This document includes some photographs in which the location of this device is seen in a false ceiling. As stated in these Minutes, the interested person who, on behalf of MUXERS, witnesses the intervention of the National Police states “that the seized microphone is property of the company Muxers Concept, SL, CIF…”. In its response to the claim transfer process, MUXERS stated that the microphone intervened by the National Police was in the office set up in the establishment. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of the RGPD grants to each authority of control and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of the digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures. II Image and voice are personal data The physical image and voice of a person, in accordance with article 4.1 of the RGPD, are a personal data and its protection, therefore, is the subject of said Regulation. In the article 4.2 of the RGPD defines the concept of "treatment" of personal data. Images and voice captured by a camera or video camera system are data of a personal nature, so its treatment is subject to the regulations of Data Protection. It is, therefore, pertinent to analyze whether the processing of personal data (image and voice of the workers in the establishment to which the claims refer, whose ownership corresponds to the claimed party, and of the natural persons who attend as customers to said establishment, open to the public) carried out through the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/18 denounced video surveillance system is in accordance with the provisions of the RGPD. III Infringement Article 6.1 of the RGPD establishes the assumptions that allow the legalization of the treatment of personal data. The permanent installation of a video camera system for reasons of Security has a legitimate basis in the LOPDGDD, whose explanatory statement indicates: “Together with these assumptions are included others, such as video surveillance… in which the legality of the treatment comes from the existence of a public interest, in the terms established in the article 6.1.e) of Regulation (EU) 2016/679”. Regarding the treatment for video surveillance purposes, article 22 of the LOPDGDD establishes that natural or legal persons, public or private, may carry out carry out the processing of images through camera systems or video cameras in order to preserve the safety of people and property, as well as their installations. This same article 22, in its section 8, provides that "The treatment by the employer of data obtained through camera systems or video cameras subject to the provisions of article 89 of this organic law. On the legitimacy for the implementation of video surveillance systems in the field employment, Royal Legislative Decree 1/1995 of 03/24 is taken into account, approving the revised text of the Workers' Statute Law (LET), whose article 20.3 points out: "3. The employer may adopt the measures that he deems most appropriate for surveillance and control. to verify compliance by the worker with his labor obligations and duties, keeping in its adoption and application the consideration due to its dignity and taking into account account, where appropriate, the real capacity of workers with disabilities. The surveillance and control measures admitted include the installation of security cameras, although these systems must always respond at the beginning of proportionality, that is, the use of video cameras must be proportional to the purpose pursued, this is to guarantee the security and fulfillment of the obligations and job duties. Article 89 of the LOPDPGDD, specifically referring to the "right to privacy against the use of video surveillance and sound recording devices in the place of work” and the treatment of personal data obtained with camera systems or video cameras for the exercise of control functions of workers, allows that employers can treat the images obtained through systems of cameras or video cameras for the exercise of control functions of the workers or public employees provided, respectively, in article 20.3 of the Workers' Statute and in the public function legislation, provided that These functions are exercised within their legal framework and with the limits inherent to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/18 same. In relation to the recording of sounds, the aforementioned article 89 of the LOPDGDD sets the following: "two. In no case will the installation of sound recording systems or video surveillance in places intended for rest or recreation of workers or public employees, such as changing rooms, toilets, dining rooms and the like. 3. The use of systems similar to those referred to in the previous sections for the recording of sounds in the workplace will be allowed only when they are relevant risks to the safety of facilities, assets and people arising from the activity that is developed in the workplace and always respecting the principle of proportionality, the minimum intervention and the guarantees provided for in the previous sections. suppression of the sounds preserved by these recording systems will be made according to what provided in section 3 of article 22 of this law.” On the other hand, it is interesting to note that, according to the doctrine of the Constitutional Court, the Recording of conversations between workers or between them and customers is not justified for verification of compliance by the worker with his obligations or duties. In Judgment dated 04/10/2000 (2000/98), issued in rec. no. 4015/1996, it declares the following: “In this sense, it must be taken into account that the managerial power of the employer, essential for the smooth running of the productive organization and expressly recognized in art. 20 LET, attributes to the employer, among other powers, that of adopting the measures that considers more opportune of vigilance and control to verify the fulfillment of the worker of his labor obligations (art. 20.3 LET). But this faculty must occur in any case, as is logical, within due respect for the dignity of the worker, as we expressly It is recalled by labor regulations (arts. 4.2. and 20.3 LET)… … it should be remembered that the jurisprudence of this Court has repeatedly insisted on the full effectiveness of the fundamental rights of the worker within the framework of the relationship employment, since this cannot imply in any way the deprivation of such rights for those who provide service in productive organizations... Consequently, and as this Court has also affirmed, the exercise of such rights only admits limitations or sacrifices to the extent that it operates within an organization that reflects other constitutionally recognized rights in arts. 38 and 33 EC and that imposes, according to the assumptions, the necessary adaptability for the exercise of all of them... For this reason, the premise from which the appealed Judgment starts, consisting of affirm that the workplace does not constitute by definition a space in which the right to privacy on the part of the workers, in such a way that the conversations that keep workers among themselves and with customers in the performance of their work activity are not covered by art. 18.1 EC and there is no reason why the company cannot know the content of those, since the aforementioned right is exercised in the field of worker's private sphere, which in the workplace must be understood as limited to the places of rest or recreation, changing rooms, toilets or the like, but not those places where work is carried out... …Such an affirmation is rejectable, since it cannot be ruled out that also in those places of the company in which the work activity is carried out may occur illegitimate interference by the employer in the right to privacy of the workers, such as the recording of conversations between a worker and a client, or between the workers themselves, in which issues unrelated to the relationship are addressed 28001 – Madrid 6 sedeagpd.gob.es 10/18 work that are integrated into what we have called the sphere of development of the individual (SSTC 231/1988, of December 2, FJ 4 and 197/1991, of October 17, FJ 3, by all). In short, it will be necessary to attend not only to the place of the workplace where they are installed by the company audiovisual control systems, but also to other elements of judgment (if the installation is done or not indiscriminately and massively, if the systems are visible or have been installed surreptitiously, the real purpose pursued with the installation of such systems, if there are security reasons, due to the type of activity that takes place in the work center in question, justifying the implementation of such means of control, etc.) to elucidate in each specific case whether these means of surveillance and control respect the right to the privacy of workers. Certainly, the installation of such means in places of rest or recreation, changing rooms, toilets, dining rooms and the like is, a fortiori, harmful in any case of the right to privacy of workers, without further consideration, for obvious reasons... But this does not mean that this injury cannot occur in those places where the work activity is carried out, if any of the exposed circumstances that allows the business action to be qualified as an illegitimate intrusion into the right to privacy from the workers. It will therefore be necessary to attend to the concurrent circumstances in the event specifically to determine whether or not there is a violation of art. 18.1 EC. …their limitation [of the fundamental rights of the worker] by the powers business can only derive good from the fact that the very nature of work contracted implies the restriction of the right (SSTC 99/1994, FJ 7, and 106/1996, FJ 4), either an accredited need or business interest, without its mere invocation being sufficient to sacrificing the fundamental right of the worker (SSTC 99/1994, FJ 7, 6/1995, FJ 3 and 136/1996, FJ 7)… These limitations or modulations must be those that are indispensable and strictly necessary to satisfy a business interest worthy of guardianship and protection, in a that if there are other possibilities of satisfying said interest that are less aggressive and affect the right in question, it will be necessary to use the latter and not the more aggressive and affecting. It is, in short, the application of the principle of proportionality... The question to be resolved is, therefore, whether the installation of microphones that allow the recording of conversations of workers and customers in certain areas... is adjusted in the event that concerns us to the essential requirements of respect for the right to privacy. To the In this regard, we must begin by pointing out that it is indisputable that the installation of capture and recording of sound in two specific areas... it is not without utility for the business organization, especially if one takes into account that these are two areas in which significant economic transactions take place. Now, the mere utility or convenience for the company does not simply legitimize the installation of hearing aids and recording, given that the company already had other security systems than the hearing system is intended to complement… In summary, the implementation of the audition and recording system has not been in this case in accordance with the principles of proportionality and minimum intervention that govern the modulation of fundamental rights by the requirements of the interest of the organization business, because the purpose pursued (to give a plus of security, especially before possible claims from customers) is disproportionate to the sacrifice that It implies the right to privacy of workers (and even customers...). This system allows you to capture private comments, both from customers and workers..., comments completely unrelated to business interest and therefore irrelevant from the perspective of control of labor obligations, being able, however, to have consecuencias negativas para los trabajadores que, en todo caso, se van a sentir constreñidos de realizar cualquier tipo de comentario personal ante el convencimiento de que van a ser escuchados y grabados por la empresa. Se trata, en suma, de una intromisión ilegítima en el derecho a la intimidad consagrado en el art. 18.1 CE, pues no existe argumento definitivo que C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/18 autorice a la empresa a escuchar y grabar las conversaciones privadas que los trabajadores… mantengan entre sí o con los clientes”. Por otra parte, el tratamiento de datos personales está sometido al resto de los principios del tratamiento contenidos en el artículo 5 del RGPD. Destacaremos el principio de minimización de datos contenido en el artículo 5.1.c) del RGPD que dispone que los datos personales serán “adecuados, pertinentes y limitados a lo necesario en relación con los fines para los que son tratados”. Esto significa que en un tratamiento concreto sólo pueden tratarse los datos personales oportunos, que vengan al caso y que sean los estrictamente necesarios para cumplir la finalidad para la que son tratados. El tratamiento debe ser ajustado y proporcional a la finalidad a la que se dirige. La pertinencia en el tratamiento de los datos debe producirse tanto en el momento de la recogida de los datos como en el posterior tratamiento que se realice de los mismos. Conforme a lo antedicho, debe restringirse el tratamiento de los datos excesivos o bien procederse a la supresión de los mismos. La aplicación del principio de minimización de datos al supuesto examinado comporta que el sistema de cámaras o videocámaras instalado no pueda obtener imágenes o sonidos afectando a la intimidad de los empleados, resultando desproporcionado captar imágenes o sonidos en espacios privados, tales como vestuarios, taquillas o zonas de descanso de trabajadores. IV Obligaciones en materia de videovigilancia De conformidad con lo expuesto, el tratamiento de imágenes a través de un sistema de videovigilancia, para ser conforme con la normativa vigente, debe cumplir los requisitos siguientes: 1.- La personas físicas o jurídicas, públicas o privadas, pueden establecer un sistema de videovigilancia con la finalidad de preservar la seguridad de las personas y bienes, así como de sus instalaciones. Se ha de valorar si la finalidad pretendida puede lograrse de otra forma menos intrusiva para los derechos y libertades de los ciudadanos. Los datos personales solo deben tratarse si la finalidad del tratamiento no pudiera lograrse razonablemente por otros medios, considerando 39 del RGPD. 2.- Las imágenes obtenidas no puedan utilizarse para una finalidad ulterior incompatible con la que motivó la instalación del sistema de videovigilancia. 3.- Se deberá cumplir con el deber de informar a los afectados previsto en los artículos 12 y 13 del RGPD, y 22 de la LOPDGDD. En tal sentido, el artículo 22 de la LOPDGDD prevé en relación con la videovigilancia un sistema de “información por capas”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/18 La primera capa ha de referirse, al menos, a la existencia del tratamiento (videovigilancia), la identidad del responsable, la posibilidad de ejercitar los derechos previstos en los artículos 15 a 22 del RGPD y dónde obtener más información sobre el tratamiento de los datos personales. Esta información se contendrá en un dispositivo colocado en un lugar suficientemente visible y debe suministrarse por adelantado. La información de la segunda capa debe estar disponible en un lugar fácilmente accesible al afectado, ya sea una hoja informativa en una recepción, cajero, etc…, colocada en un espacio público visible o en una dirección web, y ha de referirse al resto de elementos del artículo 13 del RGPD. 4.- No pueden captarse imágenes de la vía pública, puesto que el tratamiento de imágenes en lugares públicos, salvo que concurra autorización gubernativa, sólo puede ser realizado por las Fuerzas y Cuerpos de Seguridad. En algunas ocasiones, para la protección de espacios privados, donde se hayan instalado cámaras en fachadas o en el interior, puede ser necesario para garantizar la finalidad de seguridad la grabación de una porción de la vía pública. Es decir, las cámaras y videocámaras instaladas con fines de seguridad no podrán obtener imágenes de la vía pública salvo que resulte imprescindible para dicho fin, o resulte imposible evitarlo por razón de la ubicación de aquéllas. Y, en tal caso extraordinario, las cámaras sólo podrán captar la porción mínima necesaria para preservar la seguridad de las personas y bienes, así como de sus instalaciones. Las cámaras instaladas no pueden obtener imágenes de espacio privativo de tercero y/o espacio público sin causa justificada debidamente acreditada, ni pueden afectar a la intimidad de transeúntes que transiten libremente por la zona. No está permitida, por tanto, la colocación de cámaras hacia la propiedad privada de vecinos con la finalidad de intimidarlos o afectar a su ámbito privado sin causa justificada. En ningún caso se admitirá el uso de prácticas de vigilancia más allá del entorno objeto de la instalación y en particular, no pudiendo afectar a los espacios públicos circundantes, edificios contiguos y vehículos distintos de los que accedan al espacio vigilado. No pueden captarse ni grabarse imágenes en espacios propiedad de terceros sin el consentimiento de sus titulares, o, en su caso, de las personas que en ellos se encuentren. Resulta desproporcionado captar imágenes en espacios privados, tales como vestuarios, taquillas o zonas de descanso de trabajadores. 5.- Las imágenes podrán conservarse por un plazo máximo de un mes, salvo en aquellos supuestos en que se deban conservar para acreditar la comisión de actos que atenten contra la integridad de personas, bienes o instalaciones. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/18 En este segundo supuesto, deberán ser puestas a disposición de la autoridad competente en un plazo máximo de 72 horas desde que se tuviera conocimiento de la existencia de la grabación. 6.- El responsable deberá llevar un registro de actividades de los tratamientos efectuados bajo su responsabilidad en el que se incluya la información a la que hace referencia el artículo 30.1 del RGPD. 7.- El responsable deberá realizar un análisis de riesgos o, en su caso, una evaluación de impacto en la protección de datos, para detectar los derivados de la implantación del sistema de videovigilancia, valorarlos y, en su caso, adoptar las medidas de seguridad apropiadas. 8.- Cuando se produzca una brecha de seguridad que afecte a los tratamientos de cámaras con fines de seguridad, siempre que exista riesgo para los derechos y libertades de las personas físicas, deberá notificarlo a la AEPD en un plazo máximo de 72 horas. Se entiende por brecha de seguridad la destrucción, pérdida o alteración accidental o ilícita de datos personales transmitidos, conservados o tratados de otra forma, o la comunicación o acceso no autorizado a dichos datos. 9.- Cuando el sistema esté conectado a una central de alarma, únicamente podrá ser instalado por una empresa de seguridad privada que reúna los requisitos contemplados en el artículo 5 de la Ley 5/2014 de Seguridad Privada, de 4 de abril. La Agencia Española de Protección de Datos ofrece a través de su página web [https://www.aepd.es] acceso a: . la legislación en materia de protección de datos personales, incluyendo el RGPD y la LOPDGDD (apartado “Informes y resoluciones” / “normativa”), . la Guía sobre el uso de videocámaras para seguridad y otras finalidades, . la Guía para el cumplimiento del deber de informar (ambas disponibles en el apartado “Guías y herramientas”). También resulta de interés, en caso de realizar tratamientos de datos de bajo riesgo, la herramienta gratuita Facilita (en el apartado “Guías y herramientas”), que, mediante unas preguntas concretas, permite valorar la situación del responsable respecto del tratamiento de datos personales que lleva a cabo, y en su caso, generar diversos documentos, cláusulas informativas y contractuales, así como un anexo con medidas de seguridad orientativas consideradas mínimas. v Infracción administrativa La reclamación se basa en la presunta ilicitud del sistema de videovigilancia instalado por la parte reclamada en el local donde desarrolla su actividad empresarial, en relación con la grabación de sonidos. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/18 No resulta controvertido en este caso el hecho de que la parte reclamada es la titular y responsable del sistema de videovigilancia denunciado y, por tanto, la responsable de los tratamientos de datos que conlleva la utilización de dicho sistema. Y tampoco el hecho de que entre los tratamientos de datos realizados se contempla la recogida y almacenamiento de datos personales relativos a la voz de empleados y clientes. Consta probado en las actuaciones, asimismo, que dicha instalación se realiza con fines de seguridad y control laboral. Por ese motivo, con fecha 20/08/2018, la parte reclamada comunicó a los trabajadores afectados, entre los que figura la parte reclamante, la instalación del sistema de videovigilancia, con captación y grabación de imágenes y sonido, “con la finalidad de dar cumplimiento al operativo de seguridad y para prevenir riesgos que afecten a la seguridad y protección de las personas, locales y bienes patrimoniales” y para el “control de la calidad y rendimiento laboral de los trabajadores así como verificación del cumplimiento… de sus obligaciones y deberes laborales”. La parte reclamada no aporta justificación suficiente sobre estos tratamientos de datos (grabación de sonidos). No tiene en cuenta la parte reclamada los limites previstos en el artículo 20.3 de la Ley del Estatuto de los Trabajadores (LET); lo establecido en el artículo 89.3 de la LOPDGDD, que admite la grabación de sonidos únicamente cuando resulten relevantes los riesgos y respetando los principios de proporcionalidad e intervención mínima; ni la doctrina del Tribunal Constitucional, ya expresada, según la cual la grabación de conversaciones entre trabajadores o entre éstos y clientes no se justifica por la verificación del cumplimiento por el trabajador de sus obligaciones o deberes. El citado artículo 89 de la LOPDGDD, más allá de la prohibición de utilizar estos sistemas de videovigilancia y grabación de sonidos en “lugares destinados al descanso o esparcimiento de los trabajadores o los empleados públicos, tales como vestuarios, aseos, comedores y análogos”, expresamente y con carácter general, establece el sometimiento de tales sistemas al marco legal y con los límites inherentes al mismo, ya señalados anteriormente. Ello implica que no puede entenderse como legítimo, sin más condición, cualquier sistema que no incluya aquellos espacios. En este caso, además, consta que uno de los micrófonos se instaló en el office utilizado por los trabajadores. Según ha quedado probado, el sistema incluyó la instalación de cuatro micrófonos “ocultos”: en el acceso al restaurante, en la sala donde están ubicadas las mesas y barra del establecimiento (más de 30 mesas de distintas dimensiones -entre y seis puestos- y 12 puestos de barra), en un office y en una estancia de pequeño tamaño cuyo uso no está especificado en el plano. Por tanto, resulta que alguno de estos dispositivos podría vulnerar la prohibición de instalar “sistemas de grabación de sonidos… en lugares destinados al descanso o esparcimiento de los trabajadores…, tales como vestuarios, aseos, comedores y análogos”, establecida en el citado artículo 89 de la LOPDGDD. Por otra parte, en la información facilitada a los trabajadores se hace referencia a la “facultada de vigilancia empresarial”. Sobre esta cuestión, relativa a las posibilidades en cuanto a la adopción de medidas de vigilancia que atribuye al empresario su poder C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/18 de dirección, interesa destacar algunos de los aspectos declarados en la Sentencia del Tribunal Constitucional de fecha 10/04/2000, reseñada en el Fundamento de Derecho III: “…esa facultad ha de producirse en todo caso, como es lógico, dentro del debido respeto a la dignidad del trabajador, como expresamente nos lo recuerda la normativa laboral (arts. 4.2.ey 20.3 LET)…”. “Debe por ello rechazarse… que las conversaciones que mantengan los trabajadores entre sí y con los clientes en el desempeño de su actividad laboral no están amparadas por el art. 18.1…”. “…su limitación [de los derechos fundamentales del trabajador] por parte de las facultades empresariales sólo puede derivar bien del hecho de que la propia naturaleza del trabajo contratado implique la restricción del derecho (SSTC 99/1994, FJ 7, y 106/1996, FJ 4), bien de una acreditada necesidad o interés empresarial, sin que sea suficiente su mera invocación para sacrificar el derecho fundamental del trabajador (SSTC 99/1994, FJ 7, 6/1995, FJ 3 y 136/1996, FJ 7)… Estas limitaciones o modulaciones tienen que ser las indispensables y estrictamente necesarias…”. “…la mera utilidad o conveniencia para la empresa no legitima sin más la instalación de los aparatos de audición y grabación, habida cuenta de que la empresa ya disponía de otros sistemas de seguridad que el sistema de audición pretende complementar…”. Tampoco explica qué puede aportar la grabación de conversaciones entre los trabajadores, entre sí, entre los trabajadores y los clientes, o de éstos últimos entre sí, en orden a acreditar aquellas circunstancias, que no aporte la sola grabación de imágenes. Asimismo, Interesa destacar nuevamente que la grabación de sonidos incluye la voz de clientes de la parte reclamada (dos dispositivos instalados en la zona de clientes, en el acceso al restaurante y en la sala donde están ubicadas las mesas y barra del establecimiento), los cuales no tienen conocimiento de la existencia de los micrófonos. En consecuencia, en este caso, se entiende desproporcionada la captación de la voz tanto de los trabajadores como de clientes de la parte reclamada para la función de videovigilancia pretendida, para el control del cumplimiento por los trabajadores de sus obligaciones y deberes laborales. Se tiene en cuenta que la grabación de voz supone una mayor intromisión en la intimidad. Se considera que la parte reclamada realizó tratamientos de datos sin disponer de base legítima, vulnerando lo establecido en el artículo 6 del RGPD, por lo que podrían suponer la comisión de una infracción tipificada en el artículo 83.5 del RGPD, que dispone lo siguiente: “Las infracciones de las disposiciones siguientes se sancionarán, de acuerdo con el apartado 2, con multas administrativas de 20 000 000 EUR como máximo o, tratándose de una empresa, de una cuantía equivalente al 4 % como máximo del volumen de negocio total anual global del ejercicio financiero anterior, optándose por la de mayor cuantía: a) los principios básicos para el tratamiento, incluidas las condiciones para el consentimiento a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/18 tenor de los artículos 5, 6, 7 y 9;”. A efectos del plazo de prescripción de las infracciones, la infracción señalada en el párrafo anterior se considera muy grave conforme al artículo 72.1.b) de la LOPDGDD, que establece que: “En función de lo que establece el artículo 83.5 del Reglamento (UE) 2016/679 se consideran muy graves y prescribirán a los tres años las infracciones que supongan una vulneración sustancial de los artículos mencionados en aquel y, en particular, las siguientes: b) El tratamiento de datos personales sin que concurra alguna de las condiciones de licitud del tratamiento establecidas en el artículo 6 del Reglamento (UE) 2016/.79” SAW Sanction El artículo 58.2 del RGPD establece: “Cada autoridad de control dispondrá de todos los siguientes poderes correctivos indicados a continuación: (...) d) ordenar al responsable o encargado de tratamiento que las operaciones de treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period; (...) i) imponer una multa administrativa con arreglo al artículo 83, además o en lugar de las medidas mencionadas en el presente apartado, según las circunstancias de cada caso particular”. Según lo dispuesto en el artículo 83.2 del RGPD, la medida prevista en el artículo 58.2.d) del citado Reglamento es compatible con la sanción consistente en multa administrativa. Con respecto a las infracciones del artículo 6 del RGPD, atendiendo a los hechos expuestos, se considera que la sanción que correspondería imponer es de multa administrativa. La multa que se imponga deberá ser, en cada caso individual, efectiva, proporcionada y disuasoria, conforme a lo establecido en el artículo 83.1 del RGPD. In order to determine the administrative fine to be imposed, the previsiones del artículo 83.2 del RGPD y del artículo 76 de la LOPDGDD, respecto al apartado k) del citado artículo 83.2 RGPD. En este caso, se consideran las siguientes circunstancias como agravantes: . Artículo 83.2.a) del RGPD: “a) la naturaleza, gravedad y duración de la infracción, teniendo en cuenta la naturaleza, alcance o propósito de la operación de tratamiento de que se trate así como el número de interesados afectados y el nivel de los daños y C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/18 perjuicios que hayan sufrido”. . La duración de la infracción, considerando que la instalación de los dispositivos de captación y grabación de voz tuvo lugar en agosto de 2018. . El número de interesados: la presunta infracción afecta a todos los trabajadores y clientes de la parte reclamada. Por otra parte, se estima que concurren como atenuantes las circunstancias siguientes: . Artículo 76.2.b) de la LOPDGDD: “b) La vinculación de la actividad del infractor con la realización de tratamientos de datos personales”. La escasa vinculación de la parte reclamada con la realización de tratamientos de datos personales, considerando la actividad que desarrolla. . Artículo 83.2.k) del RGPD: “k) cualquier otro factor agravante o atenuante aplicable a las circunstancias del caso, como los beneficios financieros obtenidos o las pérdidas evitadas, directa o indirectamente, a través de la infracción”. La condición de pequeña empresa de la parte reclamada y su volumen de negocio. (...). Considerando los factores expuestos, la valoración que alcanza la multa por la Infracción del artículo 6 del RGPD es de 20.000 euros (veinte mil euros). Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: PRIMERO: IMPONER A MUXERS CONCEPT, SL, con NIF B87345369, por una infracción del Artículo 6 del RGPD, tipificada en el Artículo 83.5.a) del RGPD, una multa de 20.000 euros (veinte mil euros). SEGUNDO: NOTIFICAR la presente resolución a MUXERS CONCEPT, SL THIRD: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) de la ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, de 17 de diciembre, mediante su ingreso, indicando el NIF del sancionado y el número of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Data Protection in the banking entity CAIXABANK, SA. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/18 voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly recurso contencioso administrativo ante la Sala de lo Contencioso-administrativo de la National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. También deberá trasladar a la Agencia la documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-050522 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es