AEPD (Spain) - EXP202105680: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00265/2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00265-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod...")
 
 
(One intermediate revision by one other user not shown)
Line 67: Line 67:
}}
}}


The Spanish DPA fined 17,000 EUR a local Handball Federation for requesting and processing health data of its participants in its competitions to discriminate on the basis of such data, violating Article 9 and [[Article 13 GDPR|Article 13 GDPR]].
The Spanish DPA fined €17,000 a local Handball Federation for requesting and processing health data of its participants in its competitions to discriminate on the basis of such data, violating [[Article 9 GDPR|Article 9]] and [[Article 13 GDPR|Article 13 GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On November 2021, in order to participate in the handball competition, the data subject was required to upload, on the Federación de Balonmano de Castilla y La Mancha website, a certificate of the complete vaccination against COVID or a certificate of having recovered from the disease or an antigen test with a negative result 48 hours prior to the sporting event.
On November 2021, in order to participate in a handball competition, the data subject was required to upload, on the Federación de Balonmano de Castilla y La Mancha website, a certificate of the complete vaccination against COVID or a certificate of having recovered from the disease or an antigen test with a negative result 48 hours prior to the sporting event.


Allegedly, the controller discriminated competitors based on health data they collected, given that only competitors with the presentation of the corresponding certificate of vaccination against COVID-19 or the presentation of antigen tests could play indoors without a mask.
Allegedly, the controller discriminated competitors based on health data they collected, given that only competitors with the presentation of the corresponding certificate of vaccination against COVID-19 or the presentation of antigen tests could play indoors without a mask.
Line 81: Line 81:


=== Holding ===
=== Holding ===
In its conclusion, the Spanish DPA considered that the EU Regulation 2021/953, which created and established the COVID certificate, does not justify health data requirements for federated athletes to participate in the competition without a mask. Also, there is no exception of Article 9.2 applicable to the present case.
In its conclusion, the Spanish DPA considered that the requirement of submitting health data  in order to participate in the competition without a mask by federated athletes does not fall under the requirements of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021R0953 EU Regulation 2021/953], which created and established the COVID certificate. Also, there is no other legal justification or basis for the processing, violating [[Article 9 GDPR|Article 9 GDPR.]] 


AEPD highlighted that Recital 46 GDPR already recognizes that, in exceptional situations, such as an epidemic, the legal basis for processing may be multiple, based on both the public interest and the vital interest of the data subject or another natural person.
AEPD highlighted that Recital 46 GDPR already recognizes that, in exceptional situations, such as an epidemic, the legal basis for processing may be multiple, based on both the public interest and the vital interest of the data subject or another natural person.

Latest revision as of 13:14, 13 December 2023

AEPD - PS/00265/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 9 GDPR
Article 13 GDPR
Article 83(5)(a) GDPR
Article 83(5)(b) GDPR
Type: Complaint
Outcome: Upheld
Started: 24.11.2021
Decided: 11.09.2023
Published: 11.09.2023
Fine: 17,000 EUR
Parties: Federación de Balonmano de Castilla y La Mancha
National Case Number/Name: PS/00265/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA fined €17,000 a local Handball Federation for requesting and processing health data of its participants in its competitions to discriminate on the basis of such data, violating Article 9 and Article 13 GDPR.

English Summary

Facts

On November 2021, in order to participate in a handball competition, the data subject was required to upload, on the Federación de Balonmano de Castilla y La Mancha website, a certificate of the complete vaccination against COVID or a certificate of having recovered from the disease or an antigen test with a negative result 48 hours prior to the sporting event.

Allegedly, the controller discriminated competitors based on health data they collected, given that only competitors with the presentation of the corresponding certificate of vaccination against COVID-19 or the presentation of antigen tests could play indoors without a mask.

Also, the controller also did not provide information on the data retention period and other aspects provided for in Article 13 GDPR.

In January 2022, the controller replied and in its response highlighted that due to the evolution of the epidemiological situation and the appearance of variants or the effectiveness, it has stopped processing the data related to COVID in order to participate in the competitions.

Holding

In its conclusion, the Spanish DPA considered that the requirement of submitting health data in order to participate in the competition without a mask by federated athletes does not fall under the requirements of EU Regulation 2021/953, which created and established the COVID certificate. Also, there is no other legal justification or basis for the processing, violating Article 9 GDPR.

AEPD highlighted that Recital 46 GDPR already recognizes that, in exceptional situations, such as an epidemic, the legal basis for processing may be multiple, based on both the public interest and the vital interest of the data subject or another natural person.

In this case, the data was collected in the private area of the website managed by the Federation as part of the "safe play without mask protocol-season 21/22". Despite the fact that the website could have provided information on the collection of data, there is no explanation or legal justification about such collection and there is no explanation about the establishment of the way and procedure for reporting the data, thus proving the non-compliance with Article 13 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/21










     File No.: EXP202105680



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based on the
following


                                   BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) on 11/24/2021 filed
claim before the Spanish Data Protection Agency. The claim is directed against

HANDBALL FEDERATION OF CASTILLA LA MANCHA with NIF G45046455 (in
forward, the claimed part).

It is claimed that the defendant requests and processes health data of the participants in their
competitions, discriminating based on said data, given that they link the use of
masks in the development of their competitions with the presentation of the corresponding

certificate of vaccination against COVID-19, or the presentation of antigen tests.
It also points out that they do not inform about the data retention period and other aspects.
provided for in article 13 of the RGPD and lack a Data Protection Officer.

Provides:


-screen print with the logo of the claimed, no date is visible, which informs that
“The Assembly has voted on the new regulations on the use of masks in competitions,”
“You can say goodbye to it as long as the players present their certificate of
vaccination with the complete schedule in all categories - in the school category it will not be

It is necessary to present the vaccination schedule for the moment.

Those who have not yet received the double vaccination schedule will be able to compete without
mask as long as an antigen test is performed 48 hours before the game and present the
test result. For any questions about the regulations you can contact via email with
the Federation.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5/12, of
Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD),
Said claim was transferred to the claimed party on 12/23/2021, so that it could proceed to
its analysis and inform this Agency within a period of one month, of the actions carried out

to adapt to the requirements provided for in data protection regulations. was requested
specific:


    “1.- The legal basis of the treatment and, if applicable, the circumstance that lifts the prohibition
    to process special categories of data, according to article 9 of the GDPR.
    2.- The purpose of the treatment.

     3.- The adequate guarantees implemented for the protection of rights and
    people's freedoms.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/21








      4.- The categories of interested parties (workers, clients, users, etc.) and the information
     provided to them about the processing of the data.
      5.- The Impact Assessment carried out or reasons why it has not been carried out (for

     know the list of personal data processing that requires an evaluation of
     impact, as well as any other information related to impact evaluations,
     You can consult the “Manage EIPD” tool at https://www.aepd.es/es/guias-y-
     tools/tools/manage-eipd)
      6.- The decision adopted regarding this claim.
       7.- Report on the causes that have motivated the incident that has caused the

     claim.
      8.- Report on the measures adopted to prevent incidents from occurring
     similar, dates of implementation and controls carried out to verify their effectiveness.
      9.- Any other that you consider relevant.”


 The transfer, which was carried out in accordance with the rules established in Law 39/2015, of 1/10, of the
 Common Administrative Procedure of Public Administrations (hereinafter, LPACAP),
 was collected on 12/23/2021 as stated in the acknowledgment of receipt that is in the
 proceedings.

 On 01/27/2022, this Agency received a response letter, indicating:


a) As the legal basis of the processing: “The processing of personal data referred to in the
claim is regulated by Regulation 2021/953 of the European Parliament and of the Council
relating to a framework for the issuance, verification and acceptance of COVID-19 certificates
interoperable vaccination, diagnostic test and recovery-digital COVID certificate

of the EU -, in order to facilitate free movement during the COVID-19 pandemic", with "the
information that the certificate must contain about vaccination, test result
diagnosis or recovery from the illness of the interested party.” Agrees that it is data from
health included in article 9.1 of the RGPD. Reproduces recital 46 of the RGPD that alludes
to various circumstances that may enable the legality of the treatment, highlighting: “when the

the same is necessary to protect an essential public interest on the basis of the Law of the
European Union or the Member States, which must be proportional to the objective
persecuted”, and the “Protection of vital interests of the interested party or of another natural person”, “is
justified, insofar as the situation experienced during these last two years has been
exceptional, involving a high number of deaths, as well as multiple side effects
less visible in the figures, caused by SARS-COV-2.” “This legitimizing basis is

regulated by European Union Law, because the person responsible has simply
processed data that is already regulated by Regulation (EU) 2021/953, instrument
normative that has direct effect of application in Spain.”

b) Regarding the purpose of the treatment: it is “to implement the measures that this person responsible

is at your disposal, in accordance with current regulations” “limited to compliance with the
health and prevention measures required, both by European and national regulations.
autonomous. Said vaccination certificate regulated by the regulations, and the data contained in
the same, will only be used to guarantee the safe practice of the sport, in accordance
with the health and scientific tools that are displayed until now”


You understand that said processing of personal data complies with the principles of effectiveness,
necessity and proportionality.


 C/ Jorge Juan, 6 www.aepd.es
 28001 – Madrid sedeagpd.gob.es 3/21








c) As guarantees implemented for the protection of the rights and freedoms of
people, states that on 10/26/2021, he created the registry of treatment activities-RAT- that
provided in document 2. The reference of the DPD does not appear in it, stating the treatment

“FEDERATE” and “COVID 19 HEALTH CERTIFICATE” which highlights:

“Description of the purpose and classification of the purpose: Protection of vital interests of the
interested party or another natural person. In accordance with the legitimation basis that protects said
processing of personal data, the purpose will be limited to compliance with the measures
health and prevention measures required, both by European and national regulations.

autonomous. Said vaccination certificate regulated by the regulations, and the data contained in
the same, they will only be used to guarantee the safe practice of the sport in accordance
with the health and scientific tools that are displayed until now.

“Retention period: The data will be kept for the time necessary to comply with

the purpose for which they were collected and to determine the possible responsibilities that may arise.
may arise from said purpose and from the processing of the data. However, in this sense,
in accordance with the provisions of Regulation (EU) 2021/953 itself, in its art. 17, I don't know
will retain said data beyond the date of June 30, 2022, due to lack of application
from that date."


“Legal basis of legality or legitimacy: Art. 6.1 d) Protection of vital interests of the interested party or
of another natural person. In this treatment, the vital interests to be protected are those of the
people who practice the sport of Handball, under the scope of action of the Federation,
whose scope is limited to the Autonomous Community of Castilla La Mancha and only in
reference to the practice of said sport by all federated people.”


“Typology or category of personal data: Specially protected data: Personal data
health,

d) Regarding the information provided to interested parties about the treatment, it does not indicate anything.


e) Regarding the DPIA, it is estimated that “it is not mandatory at this time to carry out an evaluation
of impact, without prejudice to the need to adopt other security measures.”

f) Regarding the decision adopted regarding the claim, it states that “they have finalized
said treatment activity”, due to the change in the epidemiological situation, as well as the

appearance of variants, which “is leading the authorities to reconsider that said passport
COVID has less efficacy, which implies that the principle of efficacy, necessity and
proportionality that such treatment requires is not exceeded.”

It states that an external DPO has been appointed to the entity on 01/26/2022.


He states that “it must be appreciated that the HANDBALL FEDERATION OF CASTILLA LA
MANCHA, provided several options to be able to practice this sport safely
complying with the protocols required at that time, the only option being to share
the COVID CERTIFICATE, but as evidenced in the different attached documents,

“There were different ways such as performing a PCR or antigen 48 test before.”

g) About the causes that motivated the incident that gave rise to the claim.


 C/ Jorge Juan, 6 www.aepd.es
 28001 – Madrid sedeagpd.gob.es 4/21








It states that “the claim notified to this party has its origin in the decision reached
dated 10/25/2021, by the Assembly of the HANDBALL FEDERATION OF CASTILLA
LA MANCHA, recorded in the Minutes”, which is attached in DOCUMENT nº4. “It was agreed on point no.

1, the decision to demand the following requirements for the practice of said sport by the
federated members of 14 years of age and older: “…it is determined that as of the date the matter of the
mask will be as follows: “Boys and girls who or
either present the COVID certificate (two complete guidelines or one guideline if the
disease) or present a negative antigen test 48 hours before the match.
In the event that there is any member of the team (including the coaching staff) who does not present the

previously requested, said team will have to wear a mask.” “(Those under 12 years of age
that depend directly on the JCCM do not have to comply with this rule)” “Regarding this
Last statement, the HANDBALL FEDERATION OF CASTILLA LA MANCHA, clarifies that
The age mentioned was an error recorded in the minutes, since the Responsible Party does not have
competitions over those under 14 years of age” “the school categories (up to 14 years of age), are

“They are governed by the direct instructions of the Community Board of Castilla La Mancha.” "To the
Clubs belonging to the Federation, it was communicated on the 29th of the same month, with an explanatory note.
from 4/11/2021, “the ways to be able to play” “without a mask, uploading the COVID certificate to the
Federation page”, or “without a mask, performing a PCR with a negative result within 48 hours
before the match - it will be certified in the manner explained above)”, and “with a mask if
“either of the two previous requirements is not met” provide doc 6, informative note of

11/4/2021 to the teams indicating that the process was carried out through email
the Federation, sending “a photograph of the test and a certificate that the test was negative”, to
He then points out that he can also play without a mask, “uploading the COVID certificate to the
Federation page


-Also provides “safe game protocol without mask – 21/22 season” insert certificate
“senior and youth category vaccination-completed schedule” in document 7, indicating:

       “Each youth or senior player/coach/delegate must enter the following link
***URL.1”” Club code you will have to give it to them. It is located on the intranet of each

team and all players who have a valid record with that club will be able to submit the certificate
without problem.”, continues with the DNI-NIE passport, date of birth, click
to access. Next, “select and save the vaccination certificate.”

         “the HANDBALL FEDERATION OF CASTILLA LA MANCHA, implemented these
options for the purposes of complying with the provisions of Royal Decree-Law 30/2021, of 12/23, by

which urgent prevention and containment measures are adopted to confront the crisis
health caused by COVID-19, specifically what is established in its art. 6.2, in which
establishes the obligation to use a mask in closed public spaces and venues. Spaces
and closed venues in which said sport is always celebrated.”


h) Regarding the measures adopted, and controls carried out to verify their effectiveness, indicate the
dates of the registration of treatment activity, the date of designation of the DPO, and completion of
EIPD analysis.

THIRD: On 02/24/2022, in accordance with article 65 of the LOPDGDD,

admitted for processing the claim presented by the complaining party.

FOURTH On 10/26/2022, the director of the AEPD agreed:


 C/ Jorge Juan, 6 www.aepd.es
 28001 – Madrid sedeagpd.gob.es 5/21








“Initiate a sanctioning procedure against the person complained of, for the alleged violation of the RGPD in the
following articles:


 -9, in accordance with article 83.5.a) of the RGPD and for the purposes of prescription in the article
 72.1.e) of the LOPDGDD.

 -13, in accordance with article 83.5.a) of the RGPD and for the purposes of prescription in the article
 72.1.h) of the LOPDGDD


 "For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, on Procedure
 Common Administrative Code of Public Administrations (hereinafter LPACP), the sanction
 that could correspond would be:

 -10,000 euros for a violation of article 9 of the RGPD.

 -7,000 euros for a violation of article 13 of the RGPD.”

FIFTH: The initiation Agreement was notified to the representative of the defendant, without
received allegations.

SIXTH: On 06/12/2023, a proposed resolution is issued with the literal:


“That the Director of the Spanish Data Protection Agency sanction
HANDBALL FEDERATION OF CASTILLA LA MANCHA, with NIF G45046455, for the
GDPR violation, articles:


- 9 of the RGPD, in accordance with article 83.5.a) of the RGPD, and for the purposes of prescription
classified as very serious in article 72.1. e) of the LOPDGDD, with an administrative fine
of 10,000 euros.

- 13 of the GDPR, in accordance with article 83.5 b) of the GDPR, and for the purposes of prescription

classified as very serious in article 72.1.h) of the LOPDGDD, with an administrative fine
of 7,000 euros. “

Notified on 06/12/2023, figure accepted on the same day.

On 06/26/2023, the defendant makes allegations, indicating that the file would be

expired as indicated in article 21 of the LPACAP, when mentioning the obligation of the
Administration in issuing the resolution and informing regardless of its form of initiation, admitting
that the initiation of the sanctioning procedure occurred on 10/27/2022 “although the proposal
resolution took place on 06/12/2023”


Subsequently, it requests that sanctions not be imposed on the basis that the infractions would be statute-barred.


SIXTH: The following are declared accredited


                                     PROVEN FACTS

1) The claimant complains against the defendant on 11/24/2021 because for the practice of sport
in the Castilla La Mancha competition, you are required to upload to the website of the

 C/ Jorge Juan, 6 www.aepd.es
 28001 – Madrid sedeagpd.gob.es 6/21








claimed the COVID vaccination certificate with the complete schedule, or a
certificate of having recovered from the disease or an antigen test with a result
negative 48 hours before the sporting event.



2) On 12/23/2021, the claim is transferred to the claimed party, which collects the notification on
same day, responding to the AEPD on 01/27/2022. In his response, among others
manifestations, indicates that due to the evolution of the epidemiological situation and the appearance
of variants or efficacy, has stopped processing COVID-related data in order to

participate in competitions.


3) The Assembly of the HANDBALL FEDERATION OF CASTILLA LA MANCHA, dated
of 10/25/2021, decided to require federated members aged 14 and over and coaches and

delegates (all members of the team) to practice said sport in the competition,
the possibility of playing without a mask (it is always in closed spaces, not outside) although
only to those who present the COVID certificate (two complete guidelines or one guideline if it has been
after the disease) or present a negative antigen test 48 hours before the
meeting.


This information was transferred to the Clubs belonging to the Federation, on 10/29/2021, with a note
clarification dated 11/4/2021, indicating that the process was carried out through email
of the Federation, sending “a photograph of the test and a certificate that the test was negative”, to
He then points out that he can also play without a mask, “uploading the COVID certificate to the
Federation page


4) The defendant provided “safe game protocol without mask – 21/22 season””insert
vaccination certificate senior and youth category-completed schedule” in document 7,
indicating that by entering their page ***URL.2 in which each athlete identifies and
authenticate your data, access the personal area and select and upload the vaccination certificate or

the antigen test in this case before each match as a limit, on Friday before 7 p.m.
hours.




5) As the legal basis for the treatment, the defendant indicated Regulation 2021/953 of the
European Parliament and of the Council on a framework for the issuance, verification and
acceptance of interoperable COVID-19 certificates for vaccination, diagnostic testing and

recovery - EU digital COVID certificate -, in order to facilitate free movement during the
COVID-19 pandemic, commonly known as “COVID passport”, or “COVID certificate”
EU digital. Adds article 9.2.g) of the RGPD: “the treatment is necessary for reasons
of an essential public interest, on the basis of Union or State law
members, which must be proportional to the objective pursued, essentially respect the right
to data protection and establish appropriate and specific measures to protect the

interests and fundamental rights of the interested party”; and article 9.2.c): “the treatment is
necessary to protect vital interests of the interested party or another natural person, in the event
that the interested party is not physically or legally capable of giving consent."


6) The defendant, on 10/26/2021, created the registry of treatment activities-RAT.
“COVID 19 HEALTH CERTIFICATE” which highlights:
 C/ Jorge Juan, 6 www.aepd.es
 28001 – Madrid sedeagpd.gob.es 7/21









“Description of the purpose and classification of the purpose: Protection of vital interests of the
interested party or another natural person. In accordance with the legitimation basis that protects said

processing of personal data, the purpose will be limited to compliance with the measures
health and prevention measures required, both by European and national regulations.
autonomous. Said vaccination certificate regulated by the regulations, and the data contained in
the same, they will only be used to guarantee the safe practice of the sport in accordance
with the health and scientific tools that are displayed until now.


“Retention period: The data will be kept for the time necessary to comply with
the purpose for which they were collected and to determine the possible responsibilities that may arise.
could arise from said purpose and from the processing of the data. However, in this sense,
in accordance with the provisions of Regulation (EU) 2021/953 itself, in its art. 17, I don't know
will retain said data beyond the date of June 30, 2022, due to lack of application

from that date."

“Legal basis of legality or legitimacy: Art. 6.1 d) Protection of vital interests of the interested party or
of another natural person. In this treatment, the vital interests to be protected are those of the
people who practice the sport of Handball, under the scope of action of the Federation,
whose scope is limited to the Autonomous Community of Castilla La Mancha and only in

reference to the practice of said sport by all federated people.”

“Typology or category of personal data: Specially protected data: Personal data
health,


7) The defendant was asked for the information provided to the federated athletes of her
Federation in the collection of data related to COVID 19, without providing a response
related to that aspect.



                             FOUNDATIONS OF LAW

                                             Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (Regulation
General Data Protection, hereinafter RGPD), grants each control authority and according to
the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5/12

Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD),
The Director of the Spanish Agency for Human Rights is competent to initiate and resolve this procedure.
Data Protection.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by

The Spanish Data Protection Agency will be governed by the provisions of the Regulation (EU)
2016/679, in this organic law, by the regulatory provisions issued in its
development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules
on administrative procedures."

                                            II



Article 4 of the GDPR defines:
 C/ Jorge Juan, 6 www.aepd.es
 28001 – Madrid sedeagpd.gob.es 8/21










  “For the purposes of this Regulation it will be understood as:

  1) personal data: any information about an identified or identifiable natural person
("the interested"); An identifiable natural person will be considered any person whose identity

can be determined, directly or indirectly, in particular by means of an identifier, such as
example a name, an identification number, location data, an online identifier
or one or more elements specific to the physical, physiological, genetic, psychological,
economic, cultural or social of said person;

  2) processing: any operation or set of operations performed on data

personal data or sets of personal data, whether by automated procedures or not,
such as the collection, registration, organization, structuring, conservation, adaptation or
modification, extraction, consultation, use, communication by transmission, dissemination or
any other form of enabling access, collating or interconnecting, limiting, deleting or
destruction;


  15) data relating to health: personal data relating to the physical or mental health of a
natural person, including the provision of health care services, who discloses information
about his state of health;”


The processing of personal data in health emergency situations continues to be
The personal data protection regulations (RGPD and LOPDGDD) are applicable, so
All its principles, contained in article 5 of the RGPD, are applied, including the treatment
ment of personal data with legality, loyalty and transparency, limitation of purpose,

principle of limitation of the conservation period, and of course, and we must pay special attention
I fell into it, the principle of data minimization.

Furthermore, it must be taken into account that the specific purpose related to the competition and
health to preserve the health of athletes other than what may be the activity of
treatment for the purpose of obtaining a federal license, from which categories of
data, different risks for the rights and freedoms of those affected, and emerge

some powers derived from the exercise of specific rights that deal with the transpar-
rence and information contained in articles 12 and 13 of the GDPR.

In the situation of health crisis caused by COVID19, the defendant adopts the measures
aimed at preventing new infections of COVID-19, under your instructions.


Athletes who belong to the claimed Federation have varied options to climb
the data to the website of the claimed party for the purposes decided by it. The collection, storage
ment and use of these data means that the claimant carries out processing of personal data
of athletes, health data on which in principle there should be legal cause for tra-
treatment and one of the causes that enables the specific processing of these health data.


                                                III

The GDPR establishes a very broad concept of health data, and gives it a specific regime.
specific, that corresponding to the so-called “special categories of data” referred to.
re article 9 of the regulatory text.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/21








This article 9 GDPR states:

"1. The processing of personal data that reveals ethnic or racial origin is prohibited,
political opinions, religious or philosophical convictions, or union membership, and the

processing of genetic data, biometric data aimed at uniquely identifying
a natural person, data relating to health or data relating to sexual life or orientation
“sexuality of a natural person.”


Article 9.2 of the GDPR however means that: “Section 1 will not apply
when one of the following circumstances occurs:” which cover article 9.2.a) to 9.2 j)
and which will be examined in the following foundation

Thus, such processing requires both a legal basis under Article 6 of the
GDPR, such as compliance with one of the conditions of article 9.2 of the GDPR. The
Data controllers must be aware of the need to comply with both

requirements for processing these special categories of personal data.
Article 6.1 of the RGPD establishes the assumptions that allow the treatment to be considered lawful.
of personal data.


1. Treatment will only be legal if at least one of the following conditions is met:

a) the interested party gave his or her consent to the processing of his or her personal data for one or
several specific purposes;


b) the processing is necessary for the execution of a contract to which the interested party is a party
or for the application at his request of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the
treatment saber;


d) the processing is necessary to protect the vital interests of the interested party or another person
physical;

e) the processing is necessary for the fulfillment of a mission carried out in the public interest

or in the exercise of public powers conferred on the data controller;

f) the processing is necessary for the satisfaction of legitimate interests pursued by the res-
responsible for the treatment or by a third party, provided that said interests do not prevail
the interests or fundamental rights and freedoms of the interested party that require protection.
tion of personal data, particularly when the interested party is a child.

 The provisions of letter f) of the first paragraph will not apply to the treatment carried out by
public authorities in the exercise of their functions

The membership of people in the claimed Federation presupposes in its normal regime, that
Your data may be processed for the purpose of your associative relationship, for the purpose of

promotion and extension of ordinary sports activity, a purpose that marks the origin of the
processing of that data.

Additionally, for the case presented of making competitive sports practice compatible
with health in times of pandemic, and try to contain the spread of the infection among

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/21








participants, the claimed adds the legal basis for the treatment due to the vital interest of the
article 6.1.d) of the GDPR, “the processing is necessary to protect the vital interests of the
interested party or another natural person.”


Recital (46) of the GDPR already recognizes that, in exceptional situations, such as an epi-
demia, the legal basis of the treatments can be multiple, based both on the public interest
co, as in the vital interest of the interested party or another natural person.

(46) The processing of personal data should also be considered lawful when necessary

to protect an interest essential to the life of the interested party or that of another natural person. In
In principle, personal data should only be processed on the basis of the vital interest of another
natural person when the processing cannot manifestly be based on a legal basis
different. Certain types of treatment may respond to both important reasons of interest
public and the vital interests of the interested party, such as when the treatment is

necessary for humanitarian purposes, including the control of epidemics and their spread, or in
humanitarian emergency situations, especially in the event of natural disasters or
human origin.

Article 6.1.d) of the GDPR considers not only that vital interest is a sufficient legal basis for
treatment to protect the “interested party”, in this case the athletes who face each other

yes, but that said legal basis can be used to protect the vital interests “of another
natural person”, which by extension means that they can be either unidentified persons or
identifiable, as unnamed, in terms of holding an interest worthy of being safeguarded.
Furthermore, it does not follow, as stated in article 6.3 of the RGPD, that the need to
that the basis of treatment for reasons of vital interest must be established by the right of

Union or Member State law applicable to the controller, such as
If it would be the case if the basis of legitimation were the fulfillment of a mission in the interest
public.


Having analyzed this basis of legitimation, it is considered that it would cover the treatment caused by the
pandemic situation in the specific framework of the competition


As an element to consider in the treatment carried out, it must also be assessed whether the
claimed exceeds the following threshold that entails the prohibition of the processing of personal data.
health of these federated athletes. That is, unless there are any of the circumstances

halves and enumerated as established in point 2, the processing of health data will not be lawful


                                                IV

Of the following articles included in article 9.2 of the RGPD, which are cited and which
can prove the eventual legality of the processing of the data of the certificates required in
competitions to athletes, those that according to the claim would be applicable will be analyzed

to the specific case:

“a) the interested party gave explicit consent for the processing of said personal data

for one or more of the specified purposes, except where Union or State law
Member States establish that the prohibition referred to in paragraph 1 cannot be levied
raised by the interested party;
[…]”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/21








c) the processing is necessary to protect the vital interests of the interested party or another person
physical, in the event that the interested party is not capable, physically or legally, to give
Your consent;


[…]”

g) the processing is necessary for reasons of essential public interest, on the basis of the De-
right of the Union or of the Member States, which must be proportional to the objective pursued.
essential, respect the right to data protection and establish appropriate measures.
given and specific to protect the interests and fundamental rights of the interested party;


[…]”

i) the treatment is necessary for reasons of public interest in the field of public health,
such as protection against serious cross-border health threats, or to ensure
high levels of quality and safety of healthcare and medicines or
medical devices, on the basis of Union or Member State law

establish appropriate and specific measures to protect the rights and freedoms of the interest
sado, in particular professional secrecy”

The claimant states that the following would be applicable:


a) In the RAT it only mentions “Art. 6.1 d) Protection of vital interests of the interested party or of
another natural person. In this treatment, the vital interests to be protected are those of the people
who practice the sport of Handball, and only in reference to the practice of said sport by
all federated people.” However, the alleged provision is not one that allows
this type of data processing.



b) In its statements it includes it within the framework of Regulation 2021/953 (certificate

EU digital COVID) and adds g) of article 9.2 of the GDPR “the treatment is necessary
for reasons of essential public interest, on the basis of Union law or the
Member States, which must be proportional to the objective pursued, essentially respect the
right to data protection and establish appropriate and specific measures to protect
the interests and fundamental rights of the interested party;”



As for the first, the documentation known as a COVID passport, or COVID certificate
digital of the EU, (derived from Regulation 2021/1953 that the defendant alleges) implies the
possession of a document that certifies having the complete vaccine schedule, proof

diagnosis of active infection -PDIA- or antigen test, and recovery from infection by
The SARS-Cov.2 diagnosed, with respect to a temporal period, has as its original purpose
the free movement of people within the territory of the EU. It is about the public service of
health issues a certificate in cases of vaccination or recovery from the disease, and,
In other cases, through the tests carried out, giving the Regulation validity to those
certificates in the form stated and for the specific purposes for which said certificate was created.

Regulation.

Although the COVID certificate was initially approved with the purpose of guaranteeing the right
fundamental to the free movement of citizens in the European Union, has been the subject of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/21








subsequent use for other purposes in the generality of the Member States and, in particular
in Spain, as one of the measures adopted by the health authorities in order to
prevent the spread of infections in various establishments, through their display.


Given the adoption by various Member States of unilateral initiatives to issue certificates
COVID-19 cases that could imply restrictions on the right to free movement and make it difficult
consequently the functioning of the internal market, the European Council took the initiative
is about developing a common approach, as well as moving forward with urgency in the work
on interoperable and non-discriminatory digital certificates in relation to COVID-19

19. As a result of this initiative, a proposal for a regulation relating to a framework
for the issuance of verification and acceptance of interoperable COVID-19 vaccination certificates.
nation of diagnostic testing and recovery in order to facilitate free movement during the
pandemic.

The legal basis of the proposal was article 21 of the Treaty on the Functioning of the Union
European Union that recognizes and guarantees the right to free movement in the Union, the guarantees
for free movement for reasons of public health must meet the criteria of necessity

ity and proportionality. The entities that can access the certificate are limited to the
competent authorities of the Member State of destination and to cross-border operators of
passenger transportation services airlines and shipping companies that have the obligation to collaborate
with said authorities.

Regulation 2021/953 is related to the possibility of Member States to limit the
fundamental right to free movement for reasons of public health, and culminates the approach

coordinated restriction of the free movement of people in response to the pandemic
within the EU. Its recital 48 indicates:

“Regulation (EU) 2016/679 of the European Parliament and of the Council applies to the processing
of personal data made when applying this Regulation. This Regulation
establishes the legal basis for the processing of personal data within the meaning of the article

6(1)(c) and Article 9(2)(g) of Regulation (EU) 2016/679,
necessary for the issuance and verification of the interoperable certificates established in
this Regulation. It does not regulate the processing of personal data related to the
documentation of a vaccination, diagnostic test or recovery for other purposes,
such as pharmacovigilance or maintenance of personal medical records. The states

Members may process personal data for other purposes if the legal basis for their processing
for other purposes, including the corresponding retention periods, is established in the
National law, which must comply with Union law on the protection of
data and the principles of effectiveness, necessity and proportionality, and must include provisions
that clearly determine the scope and scope of the treatment, the

specific purpose in question, the categories of entities that can verify the
certificate, as well as relevant safeguards to prevent discrimination and abuse,
taking into account the risks to the rights and freedoms of the data subjects. When the
certificate is used for non-medical purposes, personal data accessed during the
verification process must not be kept, as provided in this Regulation.”


Thus, the main objective of the Regulation is that identified in its article 1: “to establish a
framework for the issuance, verification and acceptance of COVID-19 certificates to facilitate the

free movement of its holders during the pandemic and contribute to the gradual elimination of
restrictions established by the Member States. This purpose is not exhausted in
facilitate freedom of movement in the strict sense, since these documents can be
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/21








required for related purposes, as happened, especially in some sectoral standards
dictated by Health Departments of Autonomous Communities that regulated based on
the situation of various establishments, or sectors as specific prevention measures,

the necessary exhibition of this document to be able to access said establishments in
depending on the epidemiological situation. The sentences that analyze its justification have
considered according to its justification, that the request for this digital certificate or COVID passport
It was motivated, and in other cases it was not, but in any case it comes from a rule of an authority
health and its ratification approved by the judicial authority until the powers in which
supported were declared unconstitutional, which does not happen in that case in which it is

a federative entity, which, by organizing a competition, establishes certain requirements
relying on a rule such as the Regulation that has its own purposes and is not
can be transferred to the scope of the competition in which their federated members participate without
any intervention by the health authority or regulation that supports it.

In this case, the alleged Regulation EU 2021/953 does not justify the implementation of the
health data requirement system for federated athletes to participate in the
competition without mask. The defendant implements it motu proprio, without there being a standard.
ad hoc applicable to the federated sports sector in the development of competitions.



Regarding the added article 9.2.g) of the RGPD, there is no mention of the law of the Union or of the
Member States that foresee the need for those reasons of essential public interest, and
which should, on the other hand, essentially respect the right to data protection and
establish measures.


In addition, Order SND/344/2020, of 04/13, which establishes exceptional measures

for the reinforcement of the National Health System and the containment of the health crisis caused
due to COVID-19, agrees to both make available to the health authority of each Community
Autonomous Authority of all diagnostic health centres, services and establishments.
privately owned clinical co located in them, such as the submission of the performance of
diagnostic tests for the detection of COVID-19 to the guidelines, instructions and criteria

agreed for this purpose by the regional health authority,

The Second basis of the aforementioned Order determines: “Requirements for carrying out tests
diagnostic bases for the detection of COVID-19.”: The indication for performing tests
diagnostic methods for the detection of COVID-19 must be prescribed by a medical doctor.
in accordance with the guidelines, instructions and criteria agreed for this purpose by the health authority.

“competent person.”

“As indicated in the preamble of that standard, this is about limiting the realization
of diagnostic tests for the detection of COVID-19 to those cases in which there is
a prior prescription by a physician and conform to criteria established by the authority

competent health service, thus subjecting the regime for carrying out this type of
evidence of the prior existence of medical criteria that recommend its implementation.”
Thus, it is considered that the defendant does not meet the requirement that it alleges as an exception to the

processing of health data, considering that it violates article 9 of the RGPD.

                                                V



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/21








On the other hand, it follows that the claim considered in this case a purpose
specifically related to COVID 19, has not proven that it reports the extremes that
must contain the collection of data in this case, which would violate article 13 of the RGPD,

which indicates:
   "1. When personal data relating to him or her is obtained from an interested party, the person responsible for the
   treatment, at the time these are obtained, it will provide you with all the information

   indicated below:
   a) the identity and contact details of the person responsible and, where applicable, their representative;

   b) the contact details of the data protection officer, if applicable;

   c) the purposes of the processing for which the personal data are intended and the legal basis of the
   treatment;

   d) where the processing is based on Article 6(1)(f), legitimate interests
   of the person responsible or a third party;

   e) the recipients or categories of recipients of the personal data, where applicable;
   f) where applicable, the intention of the controller to transfer personal data to a third country or

   international organization and the existence or absence of a decision on the adequacy of the
   Commission, or, in the case of transfers indicated in articles 46 or 47 or article
   49, paragraph 1, second subparagraph, reference to adequate or appropriate guarantees and the
   means to obtain a copy of these or the fact that they have been provided.

   2.In addition to the information mentioned in section 1, the data controller
   will provide the interested party, at the time the personal data is obtained, the following
   information necessary to guarantee fair and transparent data processing:

   a) the period for which the personal data will be kept or, when this is not possible,
   the criteria used to determine this period;

   b) the existence of the right to request access to the data from the data controller
   personal data relating to the interested party, and its rectification or deletion, or the limitation of its
   processing, or to oppose processing, as well as the right to data portability;

   c) when the processing is based on Article 6(1)(a) or Article 9,
   section 2, letter a), the existence of the right to withdraw consent at any time

   moment, without affecting the legality of the treatment based on prior consent
   upon his withdrawal;
   d) the right to file a claim with a supervisory authority;

   e) whether the communication of personal data is a legal or contractual requirement, or a requirement
   necessary to sign a contract, and if the interested party is obliged to provide the data

   personal and is informed of the possible consequences of not providing such data;
   f) the existence of automated decisions, including profiling, to which

   refers to article 22, paragraphs 1 and 4, and, at least in such cases, significant information
   about the logic applied, as well as the importance and intended consequences of said
   treatment for the interested party.

   3.When the data controller plans the subsequent processing of personal data
   for a purpose other than that for which they were collected, will provide the interested party, with
   prior to such further processing, information about that other purpose and any
   additional information relevant under paragraph 2.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/21









 4.The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent
 "that the interested party already has the information"


Information on data collection is part of the content of the principle of
transparency that enables stakeholders to hold those responsible accountable for
exercise control over your personal data.

The data collected is different from that which could have been processed

previously as those referred to the federative license, due to its different purpose, and category and is
imposes the need for explicit information that allows you to exercise your rights.
Recital 39 of the GDPR is informative as to the meaning and effect of the principle
of transparency in the context of data processing:


“For natural persons it must be completely clear that they are collecting, using,
consulting or otherwise processing personal data that concerns them, as well as the
extent to which said data are or will be processed. The principle of transparency requires that all
information and communication related to the processing of said data is easily accessible and
easy to understand, and that simple and clear language is used. This principle refers to
particular to the information of the interested parties on the identity of the person responsible for the treatment

and the purposes thereof and the information added to guarantee fair and
transparent with respect to the affected natural persons and their right to obtain
confirmation and communication of personal data concerning them that are subject to
treatment [...]".


In this case, the data was collected in the private area of the application that manages the
Federation as part of the “safe game protocol without a mask-season 21/22”” whose
decision approved by the Assembly. Although this tool could have informed
Regarding said collection, there is no explanation of the claim regarding the establishment of the
mode and procedure for reporting the data implemented in the aforementioned measure,

proving non-compliance with the aforementioned article 13 of the RGPD.

                                                SAW


Regarding the allegation of the expiration of the procedure based on article 21 of the LPCAP, which

points out


1“The Administration is obliged to issue an express resolution and notify it in all procedures.
mentations whatever their form of initiation.”
…
2“The maximum period in which the express resolution must be notified will be that established by the norm
regulating the corresponding procedure.

This period may not exceed six months unless a norm with the rank of Law establishes
one greater or so is provided for in the Law of the European Union”

Article 64 of the LOPDGDD, paragraph two, final, on the form of initiation and duration of the process
yield prescribes:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/21








“The procedure will have a maximum duration of nine months from the date of the
initiation agreement or, where applicable, the draft initiation agreement. After that period,
will produce its expiration and, consequently, the archiving of actions.”


Circumstance that is recorded in the initiation agreement notified to the defendant.

Considering that the initiation agreement is issued on 10/26/2022, the
maximum period provided for by the specific applicable rule cited, so it is not appropriate to accept
said expiration.


                                               VII

In accordance with the evidence available, it is considered that the facts

exposed could violate the provisions of articles: 9 and 13 of the RGPD, with the scope
expressed in the previous Fundamentals of Law, which means the commission of the
infringements classified in article 83 section 5.a) and b) of the RGPD that under the rubric
“General conditions for the imposition of administrative fines” provides that:


“Infringements of the following provisions will be sanctioned, in accordance with section
2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company,
of an amount equivalent to a maximum of 4% of the total global annual turnover of the

previous financial year, opting for the highest amount:
a) the basic principles for processing, including the conditions for consent to

 wording of articles 5, 6, 7 and 9;
b) the rights of the interested parties under articles 12 to 22.”


In this regard, the LOPDGDD, in its article 71, establishes that “Infractions constitute
acts and conduct referred to in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679, as well as those that are contrary to this organic law.”

For the purposes of the limitation period, article 72 of the LOPDGDD, indicates:


“Infringements considered very serious.

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve a

substantial violation of the articles mentioned therein and, in particular, the following:

[…]


e) The processing of personal data of the categories referred to in article 9 of the
Regulation (EU) 2016/679, without any of the circumstances provided for in said

precept and in article 9 of this organic law.
[…]





C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/21








d) The omission of the duty to inform the affected party about the processing of their personal data
in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this
organic Law. (…)”


Regarding the prescription of the infraction, considering that of article 9 as very serious, it corresponds to
would consider a period for these purposes, as provided in article 72.1.e) of the RGPD of three

years.

The collection of data for the intended purpose begins in the 21/22 season, with a “game” protocol.
go insurance” which is for that season and the claim is from 11/24/21. The Assembly decided
the measure on 10/25/2021, which is transferred to the clubs within a few days for their information.

In the respondent's response to the transfer, on 01/27/2022 she states that she ceased this type of
treatment. Having signed the initiation agreement on 10/26/2022 and with the acceptance of the notice-
fication on the same day, the infraction is not considered to be prescribed by the course of the
established period.

Regarding the prescription of the violation of article 13, failure to inform when carrying out the

treatments for the purpose of the protocol developed in “safe play”, which involved the treatment
ment of health data, the violation of omission of such duty also entails a period
calculation of three years, so from the communication to the clubs to the date of reception
tion of the initiation agreement is not considered to be time-barred.


                                               VIII

Sections d) and i) of article 58.2 of the RGPD provide the following:

“Each supervisory authority will have all the following corrective powers indicated below:

continuation: (…)

“d) order the person responsible or in charge of the treatment that the treatment operations are
comply with the provisions of this Regulation, where applicable, of a particular
manner and within a specified period;”


“i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;"

In this case, given the category of data that is collected and the risks of rights and

freedoms that are compromised with them, and the broad group that it affects, proceeds
administrative fine sanctioning procedure.

                                                IX


 The determination of the sanctions that should be imposed in the present case requires observing
the provisions of articles 83.1) and 2) of the RGPD, provisions that, respectively, provide
the next:

 "1. Each supervisory authority will ensure that the imposition of administrative fines with
under this Article for violations of this Regulation indicated in the

paragraphs 4, 5 and 6 are effective, proportionate and dissuasive in each individual case.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/21









2. Administrative fines will be imposed, depending on the circumstances of each case
individually, as an additional or substitute for the measures contemplated in article 58,

section 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount
In each individual case due account will be taken of:

a) the nature, severity and duration of the infringement, taking into account the nature,
scope or purpose of the processing operation in question, as well as the number of
interested parties affected and the level of damages they have suffered;


b) intentionality or negligence in the infringement;

c) any measure taken by the person responsible or in charge of the treatment to alleviate the
damages and losses suffered by the interested parties;


d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account
of the technical or organizational measures that have been applied under articles 25 and 32;

e) any previous infringement committed by the controller or processor; f) the
degree of cooperation with the supervisory authority in order to remedy the infringement and

mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular if the

responsible or the person in charge notified the infringement and, if so, to what extent;
i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the same
matter, compliance with said measures;


j) adherence to codes of conduct under Article 40 or certification mechanisms
approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as
financial benefits obtained or losses avoided, directly or indirectly, through
the infringement.”


 Within this section, the LOPDGDD contemplates in its article 76, entitled: “Sanctions and
corrective measures":

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU)

2016/679 will be applied taking into account the graduation criteria established in the
section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also
may be taken into account:


a) The continuous nature of the infringement.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/21








b) The linking of the offender's activity with the performance of data processing
personal.


c) The benefits obtained as a consequence of the commission of the infraction.

 d) The possibility that the conduct of the affected person could have induced the commission of the
infringement.

e) The existence of a merger by absorption process after the commission of the infraction,

which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Have, when not mandatory, a data protection delegate.


h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which there are
disputes between them and any interested party.

 3. It will be possible, complementary or alternatively, to adopt, when appropriate, the

remaining corrective measures referred to in article 83.2 of the Regulation (EU)
2016/679.”

In accordance with the transcribed precepts, for the purposes of setting the amounts of the sanctions of
fine to be imposed in the present case typified in article 83.5.a) of the RGPD, of which

holds the defendant responsible for the violation of article 9 of the RGPD, it is estimated
concurrent as aggravating factors the following factors that reveal a greater
illegality and/or culpability in the conduct of the defendant:

-Article 83.2.a) RGPD “nature, severity and duration of the infringement, taking into account the

nature, scope or purpose of the processing operation in question, as well as the
number of interested parties affected and the level of damages they have suffered;”. The
Data was collected over a period, approximately since November 2021, also
for minors, and with the addition of the instruction that, if any member of the team
does not present what was requested, certificate or evidence, the team will have to wear a mask, which
It is a way to encourage testing and processing of that data in each

occasion, or get the vaccine.

With this factor, a penalty of 10,000 euros is imposed.

For the violation of article 13 of the RGPD, concurrent factors are considered as aggravating factors.

the following factors that reveal greater illegality and/or culpability in the conduct of
the claimed:

- Article 76.2.b) of the LOPDGDD, “The linking of the offender's activity with the
carrying out personal data processing”, being an associative type entity

composed of 4,895 federative licenses in 2021, according to the Ministry's publication
of Culture and Sports, State, “Federated Sports Statistics 2021”, which groups 57 Clubs
federated.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 20/21








For violation of article 13 of the GDPR, a fine of 7,000 euros is imposed.


Therefore, in accordance with the applicable legislation and assessed the graduation criteria of
the sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE on the HANDBALL FEDERATION OF CASTILLA LA MANCHA,
with NIF G45046455, two administrative fines, for the following violations of the RGPD:

-article 9 of the RGPD, in accordance with article 83.5.a) of the RGPD, and for the purposes of
prescription classified as very serious in article 72.1. e) from the LOPDGDD, with 10,000

euros.

-article 13 of the GDPR, in accordance with article 83.5 b) of the GDPR, and for the purposes of
prescription classified as very serious in article 72.1.h) of the LOPDGDD, with 7,000
euros.


SECOND: NOTIFY this resolution to the HANDBALL FEDERATION OF
CASTILLA LA MANCHA, through its representative, D. B.B.B.

THIRD: Warn the sanctioned person that he must make the sanction imposed effective once
This resolution is executive, in accordance with the provisions of art. 98.1.b) of the

LPACAP, within the voluntary payment period established in art. 68 of the General Regulations of
Collection, approved by Royal Decree 939/2005, of 07/29, in relation to art. 62 of the
Law 58/2003, of 17/12, by entering it, indicating the NIF of the sanctioned person and the number of
procedure that appears in the heading of this document, in the restricted account no.
IBAN: ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for

Data Protection in the banking entity CAIXABANK, S.A.. Otherwise, we will proceed
to its collection in the executive period.

Once the notification is received and once enforceable, if the date of execution is between the
days 1 and 15 of each month, both inclusive, the term to make the voluntary payment will be until
on the 20th day of the following or immediately following business month, and if it is between the 16th and

last of each month, both inclusive, the payment period will be until the 5th of the second month
following or immediate subsequent business.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution is
will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties
may optionally file an appeal for reconsideration before the Director of the Agency
Spanish Data Protection Agency within a period of one month from the day following the

notification of this resolution or directly administrative contentious appeal before the Chamber
of the Contentious-administrative of the National Court, in accordance with the provisions of the
article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 07/13,
regulatory authority of the Contentious-Administrative Jurisdiction, within a period of two months from
from the day following notification of this act, as provided for in article 46.1 of the
referred Law.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/21










Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, it may be
provisionally suspend the final resolution through administrative channels if the interested party expresses his/her
intention to file a contentious-administrative appeal. If this is the case, the interested party

must formally communicate this fact in writing addressed to the Spanish Agency of
Data Protection, presenting it through the Agency's Electronic Registry
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries
provided for in art. 16.4 of the aforementioned LPCAP. You must also transfer to the Agency the

documentation that proves the effective filing of the contentious-administrative appeal. Yeah
the Agency was not aware of the filing of the contentious-administrative appeal
within two months from the day following notification of this resolution,
would end the precautionary suspension.



                                                                                      938-010623
Sea Spain Martí

Director of the Spanish Data Protection Agency










































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es