AEPD (Spain) - EXP202208091
Latest revision as of 13:24, 13 December 2023
| AEPD - PS-00480-2022 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR; Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 20.06.2022 |
| Decided: | |
| Published: | 21.02.2023 |
| Fine: | n/a |
| Parties: | General Directorate of Police |
| National Case Number/Name: | PS-00480-2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Michelle Ayora |
The Spanish DPA reprimanded the Spanish Police for reusing, as notepads, documents that contained personal data of citizens and police officers after their official use. These notepads were placed on the main counter of a police station, resulting in a violation of Articles 5(1)(f) and 32 GDPR.
English Summary
Facts
During a visit to a police station, the data subject saw notepads on the main counter. These contained personal data of both citizens who had gone to the police station and police officers who worked there. The personal data in these notepads included, among other categories, name, surname, ID number and dates. Some of the pages also bore the logo of the Ministry of Home Affairs. It later turned out that these notepads were made from recycled sheets of paper.
On 22 June 2022, the data subject submitted a complaint against the General Directorate of Police (DGP, by its Spanish acronym), the controller. The data subject provided photos of these notepads to the Spanish DPA, which opened an investigation. Once the controller was notified, its DPO provided a report in which it claimed (among other things) that the pages had only been recycled after their official use, since they only contained notes on one side. In this specific case, there was no evidence that the disclosed data had been leaked from any of the Police databases.
According to the DPO, there was also no record of any similar incident. Additional measures were put in place after this incident, such as issuing instructions and internal communications to employees about the standard procedure for the destruction of documents. Finally, the DPO stated that the situation was an isolated event resulting from an intention to recycle paper.
Holding
The Spanish DPA considered that these facts constituted a data breach. However, the DPA also reiterated that such a breach did not mean that the DPA would automatically impose a sanction. The DPA determined that it was necessary to analyse both the controller's diligence and the measures that were supposed to prevent the breach from occurring.
First, with regard to Article 5(1)(f) GDPR, it was proven that the personal data in the recycled notepads had been illegitimately disclosed to third parties, since the notepads were visible to both employees and police officers at that police station.
Second, with regard to Article 32 GDPR, the DPA considered that the controller did not have adequate measures in place when the breach occurred. Although the controller had several measures in place, such as four paper shredders and internal procedures for the destruction of police documents, these were evidently not sufficient, since the documents containing personal data were not destroyed but were instead used as recycled notepads.
Finally, the DPA found violations of Articles 5(1)(f) and 32 GDPR. Even though the DPA considered these violations serious, it also recalled that national law provides that public entities cannot be sanctioned with fines. Therefore, the DPA merely reprimanded the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202208091

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the claiming party) filed a claim with the Spanish Data Protection Agency dated June 20, 2022. The claim is directed against the GENERAL DIRECTORATE OF THE POLICE with NIF S2816015H (hereinafter, DGP). The reasons on which the claim is based are the following:

The complaining party states that in XXXXXXXXX, located in a building belonging to the NATIONAL POLICE at ***ADDRESS.1, some pages stapled as a notebook are being used to write down XXXXXXXXX, and on the back of these pages there are personal data of citizens who visit the facilities of the NATIONAL POLICE of said enclave, as well as of the Police officers who work there, thus exposing third-party data. Together with the notification, it provides various photographs showing these notebooks placed on the counter of XXXXXXXXX, in which personal data such as name, surname, ID number, etc. can be read and in which, in some cases, the coat of arms of the Ministry of the Interior is shown.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), said claim was forwarded to the DGP so that it could analyse it and inform this Agency within one month of the actions carried out to comply with the requirements established in the data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on 07/21/2022, as stated in the acknowledgement of receipt in the file.

On 08/11/2022, a letter from the Data Protection Officer was received at this Agency, indicating:

On the part of this Data Protection Officer, the Deputy Operations Directorate (DAO) was requested, by official letter of July 22, 2022, to prepare a report in order to respond to the request for information from that AEPD.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

As a result of said request, and in order to verify the veracity of the statements contained in the claim and clarify the circumstances in which these events could have occurred, the DAO made the appropriate enquiry to the XXXXXXXXXXXX, which answered it in the terms detailed below.

Allegations contained in the requested report. Answer of the XXXXXXXXX in its report dated August 2, 2022:

"- The photographs provided by Mr. A.A.A. seem to correspond to the (…).

- The documents related to the complaint are two quarter-sheets of paper: on one of them appear the names and surnames of Police officers assigned to (...), all of whom belong or have belonged to the (...), one of them being deceased, an event that occurred on April 22 of the current year. The list corresponds to (...) on an undetermined day, since no date appears; on the other quarter-sheet the name of a citizen appears, and it corresponds to the official form to report the loss or theft of a document, (…). In this case the date ***DATE.1 appears.

- The source of the pages is, in both cases, the office of (...) of the Provincial Police Station of ***LOCATION.1; they are sheets written on one side only and discarded after official use.

- To establish how these documents arrived at XXXXXXXXX, interviews were held with, on the one hand, (...) and, on the other, the Inspector, Head of the Technical Section responsible for (...). Ms. (...) stated that, in order to take advantage of "recycled paper, since these are sheets that are only printed on one side", she once asked the offices (...), as well as (...), whether, when there was paper to recycle, they could provide it, and they gave her some wads of paper (sheets cut into 4 parts), which she used to make notes, but she does not remember the papers having been in view of the public that comes to XXXXXXXXX. Currently, she no longer uses these papers because in XXXXXXXXX notes are taken on loose unwritten papers, and (…) has also been acquired. The Inspector (...), asked why these documents appear in some photographs taken at the XXXXXXXXX counter, agrees with what the person in charge of XXXXXXXXX states, and also says that (...), or (...), labour personnel of this XXXXXXXXX) were in charge of recycling some papers and making something like small notepads, and that they provided them to XXXXXXXXX.

- On the part of this Headquarters, there was no knowledge of the fact reported by Mr. A.A.A., nor had the existence of those sheets in XXXXXXXXX been observed.

- The sheets are produced at source to establish the work shifts of the different members of the Unit and do not come from any database. In the case of the communication by (...), it is a form provided by the General Police Station in which the data provided by the appearing party is recorded, which is subsequently verified (...).

- Since learning of the complaint, the non-existence of similar events has been verified, direct instructions have been issued to those responsible for the different services, and a circular has been drawn up to remind all officials of the way to proceed with documents that are discarded, all this while awaiting the development of the AEPD file in case there should be disciplinary action.

- In short, this is an incident that, without wishing to minimise the facts, has been solely due to a wish to recycle paper, and all this within police facilities which the public does not access except in cases of some direct friendship with the officials and duly accompanied."

Analysis report of the claim submitted by the AEPD. After analysing the documentation sent by the AEPD and the DAO, this Data Protection Officer makes the following assessments:

First. The elimination of documents within the General Directorate of the Police (DGP) is regulated by the following rules:

- Law 16/1985, of June 25, on Spanish Historical Heritage, which establishes that the elimination of documentary heritage must be authorised by the competent Administration.

- Royal Decree 1164/2002, of November 8, which regulates the conservation of documentary heritage with historical value, the control of the elimination of other documents of the General State Administration and its public bodies, and the preservation of administrative documents on a medium other than the original; it develops the previous Law and determines the corresponding procedure for the deletion of documents, requiring the prior agreement of the department's Administrative Document Qualifying Commission and the mandatory opinion of the Superior Qualifying Commission for Administrative Documents.

- Order INT/2528/2002, of October 2, which regulates the Archive System of the Ministry of the Interior and refers to the elimination of documents.

- The Instruction of the General Technical Secretariat, of July 10, 2007, on the elimination of documents in the Ministry of the Interior, which supplements the above Order.

- The Resolution of the General Technical Secretariat, of October 20, 2014, issuing instructions on the elimination of documents in the Ministry of the Interior, which, with respect to the previous one, updates the normative and organic references, improves the wording and corrects certain inaccuracies, all with the aim of favouring the clarity of the text and reinforcing legal certainty.

It can be observed that the DGP has a wide regulatory framework and track record in terms of the destruction of documentation in its files and premises.

Second. The Resolution of the General Technical Secretariat, of October 20, 2014, issuing instructions on the deletion of documents in the Ministry of the Interior, defines the deletion of documents as "the physical destruction of units or fractions of documentary series on any medium in accordance with what was determined in the previous process of documentary evaluation". Likewise, it establishes a general prohibition of unauthorised deletions, certain conditions for eliminating documents, a removal procedure, as well as a register of elimination records.

Third. The documents that appear in the photographs incorporated into the claim correspond to internal documentation of the operational unit (the list corresponding to officials (...) on an undetermined day) and an official form to communicate (...). In both cases, their origin is in (...) ***LOCATION.1, and they are sheets written on one side only, cut into four parts and discarded after official use. Likewise, there is no evidence that the personal data collected in said documents originate from one of the databases belonging to the DGP.

Fourth. Said documentation was reused in XXXXXXXXX with the intention of recycling paper, given that these are sheets that were only printed on one side, used to make notes, and they were not, in principle, in view of the people who come to XXXXXXXXX, in accordance with what was stated in the report of the Superior Headquarters of the Basque Country.

Fifth. It is noteworthy that, after verifying the non-existence of similar facts, direct instructions have been given to those responsible for the different services so that they are not repeated, and a circular has been drawn up to remind all officials of the procedure for the removal of documents held at police stations.

Conclusion. In the opinion of this Data Protection Officer, the custody, confidentiality and proper destruction of police documents (especially those that contain personal data) are priority objectives for the DGP. This commitment can be seen in the drafting of regulations, their distribution and the reiteration of the need to know them, the training of officials and the determination of disciplinary and criminal responsibilities in the most serious cases through the procedures established for this purpose. In relation to the case at hand, it is an isolated event that has already been remedied and for which the appropriate measures, stated previously, have already been taken.

On 08/30/2022, a response letter was received indicating:

This Technical Office has received a notification from the Spanish Data Protection Agency (AEPD), dated August 18, 2022, requiring further information on the following aspects of EXP202208091:

- Description of the application of the document elimination protocol, as applied to documents with personal data in the premises where the events that are the subject of the claim occurred.
- Current contract, if applicable, with a company specialised in document destruction.
- Instructions sent to those responsible for the services, according to the letter received by this Agency.
- Circular reminding of the protocol for the elimination of documents used in police units, sent to all officials, according to the letter received by this Agency.
- Any other information that could be relevant.

Actions of the Data Protection Officer. This Management Centre transferred, by means of an official letter of August 26, 2022, to the Provincial Police Station of (***LOCATION.2) of the National Police the requirement to prepare the report, in order to be able to respond to the request for information from that AEPD.

Allegations contained in the requested report. On August 29, 2022, a report of allegations was received from the Provincial Police Station of ***LOCALIDAD.1 reporting the following:

- There is no contract with any document destruction company. The Police Station of (***LOCATION.2) has a total of four paper shredders, one of them specifically for the use of XXXXX, with the ability to destroy media (...). In turn, the XXXX Police Station has three shredders, one of them of the same specific model as that of XXXXX. As for the (...), it also has a shredder for paper, plastic, CDs and passports, provided by the Town Hall of the locality, in whose premises the Unit is physically located.
- Following the complaint received by the AEPD, in the daily meeting with the heads of the units of the police stations, verbal instructions were given to be especially attentive to the destruction of any medium that could contain protected data. These reminders are made regularly.
- All the officials of the Provincial Police Station, in its (...), were also reminded in writing of the need for custody and destruction of media containing protected data, by email to all units dated August 17, attached.

Attached hereto is the report of the Provincial Police Station of ***LOCALIDAD.1 and the note inside it, which was sent by email, recalling the need for custody and destruction of media containing protected data. The content of that note is reproduced below:

"It is hereby reported that the personnel assigned to the different units of the National Police of this Province will be responsible for the destruction of the documents they generate, as well as for their conservation or archiving. For the destruction of these documents, the paper shredders installed in the police premises will be used. Likewise, the shredder authorised for this purpose (Fellowes 485Ci) will be used to render unusable DNIs, TIEs, passports and other identification documents where appropriate, drawing up the corresponding record of destruction."

Conclusion of the request for further information. As indicated in the report of August 11, 2022, the situation that gave rise to the claim of Mr. A.A.A. refers to an isolated fact that has already been corrected. For the rectification, the pertinent internal verifications have been carried out, giving rise to verbal instructions to the Heads of the Units of the Police Stations, with regular reminders, and to the dissemination of a reminder, in the form of an internal note, to all the Units, whose recipients are the National Police officers stationed in that region.

THIRD: On September 5, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: On October 28, 2022, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the claimed party for the alleged violation of Article 5.1.f) of the GDPR and Article 32 of the GDPR, typified in Article 83.5 of the GDPR.

FIFTH: The aforementioned initiation agreement having been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), and after the period granted for the formulation of allegations, it has been verified that no allegation has been received from the DGP.

Article 64.2.f) of the LPACAP, a provision of which the claimed party was informed in the agreement to open the procedure, establishes that if no arguments are made within the established term on the content of the initiation agreement, when it contains a precise pronouncement about the imputed responsibility, it may be considered a resolution proposal. In the present case, the agreement to begin the disciplinary file determined the facts on which the imputation is based, the infringement of the GDPR attributed to the defendant and the sanction that could be imposed. Therefore, taking into consideration that the claimed party has not made allegations to the agreement to start the file, and in accordance with article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case the resolution proposal.

In view of all the proceedings, the Spanish Data Protection Agency considers the following facts proven in this proceeding:

PROVEN FACTS

FIRST: It is proven that on the main counter of XXXXXXXXXXX (...) ***LOCATION.1, at its facilities in (...), the claimant was able to observe some notebooks made with stapled pages, on the back of which appear personal data of citizens who go to the facilities of the NATIONAL POLICE of said enclave, as well as of the Police officers who work there.

SECOND: It is accredited that the origin of the pages is the office of (...) of the Provincial Police Station of ***LOCALIDAD.1, these being sheets written on one side only and discarded after official use.

FUNDAMENTALS OF LAW

I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II

In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is processing of personal data, since the DGP carries out, among other processing operations, the collection, recording, organisation, etc. of personal data of natural persons, such as name, identification number, etc. The DGP carries out this activity in its capacity as data controller, given that it is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR.

Article 4, paragraph 12 of the GDPR defines, in a broad way, "personal data breaches" (hereinafter security breach) as "all those security breaches that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised communication of or access to said data."

In the present case, there is a personal data security breach in the circumstances indicated above, categorised as a breach of confidentiality, because sheets containing personal data both of police officers assigned to said unit and of people who have attended it to request a (…) were provided to XXXXXXXXX (...).

It should be noted that the identification of a security breach does not directly imply the imposition of a sanction by this Agency, since it is necessary to analyse the diligence of controllers and processors and the security measures applied.

Within the principles of processing provided for in article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR. For its part, the security of personal data is regulated in articles 32, 33 and 34 of the GDPR, which regulate the security of processing, the notification of a personal data breach to the supervisory authority, and the communication to the data subject, respectively.

III

Article 5.1.f) "Principles relating to processing" of the GDPR establishes:

"1. Personal data shall be: (…) f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."

In the present case, it is clear that the personal data of those affected, held in the database of the DGP, were unduly exposed to third parties, since the notebooks made with the sheets provided, in which the data of both police officers and citizens appear, were in full view both of the staff of XXXXXXXXX and of the officials who attended it.

IV

Article 83.5 of the GDPR, under the heading "General conditions for imposing administrative fines", provides:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (…)"

In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that: "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements."

For the purposes of the limitation period, article 72 "Infringements considered very serious" of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)"

V

Without prejudice to the provisions of article 83.5 of the GDPR, the aforementioned article provides in its section 7 the following:

"7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State."

For its part, article 77 "Regime applicable to certain categories of controllers or processors" of the LOPDGDD provides the following:

"1. The regime established in this article will be applicable to processing for which the following are controllers or processors: (…) c) The General State Administration, the Administrations of the autonomous communities and the entities that make up the Local Administration. (…)

2. When the controllers or processors listed in section 1 commit any of the infringements referred to in articles 72 to 74 of this organic law, the competent data protection authority will issue a resolution sanctioning them with a warning. The resolution will likewise establish the measures that should be adopted to cease the conduct or to correct the effects of the infringement committed. (…)

3. Without prejudice to what is established in the previous section, the data protection authority will also propose the initiation of disciplinary actions when there is sufficient evidence for it. In this case, the procedure and the sanctions to be applied will be those established in the applicable legislation on the disciplinary or sanctioning regime.

Likewise, when the infringements are attributable to authorities and executives, and the existence of technical reports or recommendations for the processing that had not been duly heeded is accredited, the resolution imposing the sanction will include a reprimand with the name of the responsible position and will order its publication in the Official State Gazette or the corresponding regional gazette.

4. The data protection authority must be informed of the resolutions issued in relation to the measures and actions referred to in the previous sections.

5. The actions carried out and the resolutions issued under this article will be communicated to the Ombudsman or, where appropriate, to the similar institutions of the autonomous communities. (…)"

VI

Article 32 "Security of processing" of the GDPR establishes:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."

In the present case, at the time of the breach, it cannot be affirmed that the DGP had the appropriate measures in place, since, although in its response it indicated that the Police Station has 4 paper shredding machines, and the Data Protection Officer in his letter adds that the custody, confidentiality and correct destruction of police documents (especially those that contain personal data) are priority objectives for the DGP, and that this commitment can be seen in the development of regulations, their distribution and the reiteration of the need to know them, the training of officials and the determination of disciplinary and criminal responsibilities in the most serious cases through the procedures established for this purpose, the truth is that some of the documents containing personal data were not destroyed, being delivered to XXXXXXXXX for its use.
VII Article 83.4 of the GDPR, under the heading "General conditions for the taxation of administrative fines” provides: Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of maximum EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the obligations of the person in charge and the person in charge according to articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law”. For the purposes of the limitation period, article 73 "Infractions considered serious" of the LOPDGDD indicates: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. (…) VIII Without prejudice to the provisions of article 83.5 of the GDPR, the aforementioned article provides in its section 7 the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/13 “7. Without prejudice to the corrective powers of the control authorities under the Article 58(2), each Member State may lay down rules on whether can, and to what extent, impose administrative fines on authorities and bodies public establishments established in that Member State. 
For its part, article 77 “Regime applicable to certain categories of responsible or in charge of the treatment" of the LOPDGDD provides the following: "1. The regime established in this article will be applicable to the treatment of who are responsible or in charge: c) The General State Administration, the Administrations of the autonomous communities and the entities that make up the Local Administration. 2. When the managers or managers listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this law organic, the data protection authority that is competent will dictate resolution sanctioning them with a warning. The resolution will establish likewise, the measures that should be adopted to cease the conduct or to correct it. the effects of the offense committed. (…) 3. Without prejudice to what is established in the previous section, the data protection authority data will also propose the initiation of disciplinary actions when there are enough evidence for it. In this case, the procedure and the sanctions to be applied will be those established in the legislation on the disciplinary or sanctioning regime that be applicable. Likewise, when the infractions are attributable to authorities and executives, and accredit the existence of technical reports or recommendations for the treatment that had not been duly attended to, in the resolution in which the sanction will include a reprimand with the name of the responsible position and will order the publication in the Official State or regional Gazette that corresponds. 4. The data protection authority must be informed of the resolutions that fall in relation to the measures and actions referred to in the sections previous. 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. 
(…)” Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE the GENERAL DIRECTORATE OF THE POLICE, with NIF S2816015H, for a violation of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR, a warning sanction. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/13 IMPOSE the GENERAL DIRECTORATE OF THE POLICE, with NIF S2816015H, for a infringement of Article 32 of the GDPR, typified in Article 83.4 of the GDPR, a penalty of warning SECOND: NOTIFY this resolution to the GENERAL DIRECTORATE OF THE POLICE. THIRD: COMMUNICATE this resolution to the Ombudsman, in in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 
90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative proceedings within a period of two months from the day following the Notification of this resolution would terminate the precautionary suspension. 938-181022 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es