AEPD (Spain) - PS/00247/2019: Difference between revisions

From GDPRhub
Revision as of 09:45, 16 July 2020

AEPD - PS/00247/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32(2) GDPR
Article 32(4) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 5000 EUR
Parties: n/a
National Case Number/Name: PS/00247/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: aepd.es (in ES)
Initial Contributor: Pablo Rossi

The AEPD fined a travel company EUR 5,000 for an infringement of Article 32(2) and (4) GDPR. The medical test results of one employee were scanned and e-mailed by one manager of the company to another. The company invoked mitigating factors provided for in national administrative law, which reduced the fine to EUR 3,000.

English Summary

Facts

On 13/02/2019 the AEPD received a complaint from the claimant against GLOBAL BUSINESS TRAVEL SPAIN, S.L.U. The complaint stated that an employee of the company (the Head of Occupational Risk Prevention) had opened, scanned and e-mailed to the claimant's immediate superior the results of the claimant's medical tests. To clarify the facts, the AEPD transferred the complaint to the company so that it could analyse it and respond within one month to the information requested. The company did not respond to the AEPD's request for information. Subsequently, due to an error in the notifications, both the claimant and the respondent were notified of the admission of the claim for processing. This led the respondent to believe, mistakenly, that it was entitled to appeal against the admission agreement.

In this (erroneous) appeal against the admission agreement, the company stated that the persons involved had been questioned and that the leaked information had been deleted immediately. The appeal was not admitted, as the company had no standing to appeal, but the measures taken by the company were taken into account.

Dispute

Does opening, scanning and forwarding an employee's medical test results constitute a violation of Article 32 GDPR?

Holding

The AEPD considered that the conduct of one of the respondent's employees (opening the envelope with the results of the claimant's medical tests, scanning the document and sending it by e-mail to at least one other employee of the entity) infringes Article 32(2) and 32(4) GDPR, an infringement punishable under Article 83(4)(a) GDPR.

Assessing the aggravating and mitigating circumstances set out in Article 83(2) GDPR, the AEPD set the administrative fine at EUR 5,000. However, two mitigating circumstances under Article 85 of the Spanish Law on Common Administrative Procedure of Public Administrations (Law 39/2015) could be applied, each reducing the fine by 20%: first, acknowledging responsibility within the period allowed for submitting pleadings; second, making voluntary payment of the proposed penalty at any time before the proceedings are resolved.

On 6 June 2020 the respondent paid the fine in the amount of EUR 3,000, applying the two reductions mentioned above. This entailed acknowledging its responsibility and waiving any action or appeal through administrative channels against the sanction. The AEPD then terminated the procedure.


Comment

This case is interesting because of an error in the notification of the start of the procedure: both the claimant and the respondent were notified. This error created the false impression that the respondent could appeal against the initiation of the proceedings. The appeal was not admitted, but certain information provided by the company was taken into account (the investigation carried out on the company's own initiative and the fact that it ensured that the disclosed information was deleted). These two aspects were treated as mitigating factors, reducing the amount of the fine.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

DECISION R/00296/2020 ON TERMINATION OF PROCEEDINGS FOR VOLUNTARY PAYMENT

In sanctioning procedure PS/00247/2019, conducted by the Spanish Data Protection Agency against GLOBAL BUSINESS TRAVEL S.L.U., having regard to the complaint submitted by A.A.A., and on the basis of the following

BACKGROUND

FIRST: On March 30, 2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against GLOBAL BUSINESS TRAVEL SPAIN S.L.U. (hereinafter, the Respondent), by means of the Agreement transcribed below:

<<
File No.: PS/00247/2019
935-240719

AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: On 13/02/2019 a claim from Ms. A.A.A. (hereinafter, the claimant) against GLOBAL BUSINESS TRAVEL SPAIN, S.L.U., with NIF B85376630 (hereinafter, the respondent), was received by the Spanish Data Protection Agency (AEPD).

The claimant states as the basis of her claim that an employee of the respondent company accessed her health data and communicated it to at least two other employees of that entity.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
2/16
She says that the head of Occupational Risk Prevention opened, scanned and e-mailed to her immediate superior, with a copy to her, the results of the medical tests performed on her at a company-sponsored examination, and not, as would have been correct, only the report issued by the Mutual with the conclusion of fit or unfit for work. She adds that the Mutual had sent the respondent company the results of her medical tests in a sealed envelope addressed to her attention, and that her health data were also communicated to other persons in the company, such as Ms. B.B.B.

The claimant explains that she provided her services to the entity in question as a corporate travel agent until 02/01/2019 and that on 15/10/2018 she underwent a medical examination at the Mutua Valora Prevención, which was necessary in order to work at the facilities of a client company that required a "medical fitness" certificate for outside workers to access the building. That, once the examination had been carried out and pending the results of the analysis, the Mutual provided a provisional fitness certificate, and the final one was to be delivered to the work centre once received. She states that, 15 days after the medical examination, she asked the Mutual to upload the result of the examination to the web, to which the Mutual replied that, because she had been on leave for a long time, they could not send it to her online and would send it in print to the company's registered office at ***DIRECTION.1, indicating that it had been sent by mail on 29/10/2018 and so would soon be received.

She explained that after the conversation with the Mutual she sent an e-mail to her superior, Mr. C.C.C., to inform him that her medical examination was to be received at the headquarters and to ask him, since he planned to visit the client company's premises where she was working as a posted worker, to bring it to her in person. In case the mail had not arrived before that visit, she asked him to keep an eye out for it, and she would stop by the respondent's office to pick it up personally. She adds that Mr. C.C.C. replied that he would forward her e-mail to Mr. D.D.D., who was responsible for occupational risk prevention at the company, so that he could help her.

The claimant states that on 05/11/2018, on the occasion of the visit that Mr. C.C.C. made to the premises where she worked, he informed her that the written medical report had not arrived, "but that another boss, B.B.B., already had the fitness report, had already uploaded it to the client's platform, and not to worry about it."

On 08/11/2018 she read an e-mail received the day before, sent by Mr. D.D.D., responsible for occupational risk prevention, to the claimant's superior, Mr. C.C.C., with a copy to her, attaching, in addition to the fitness report, the full result of the medical examination photocopied and scanned in black and white.

The claimant states that the medical information arrived in a sealed envelope in her name marked confidential, and that Mr. D.D.D., after scanning the results received, destroyed the document in which they were contained.

Attached to her claim are, among others, copies of the following documents:

- E-mail dated 05/11/2018 sent by Mr. D.D.D. "To" occupational risk prevention, with a copy to the claimant, with the "Subject" "VR: values informational prevention - Medical examination A.A.A.". The text is as follows: "E.E.E., please, can you make the arrangements for A.A.A. to continue to enter Iberdrola. Many thanks."

- E-mail sent on 07/11/2018 by Mr. D.D.D. "To" C.C.C. with a copy to the claimant. A PDF document is attached. The text of the message is: "Hi, I just got the A.A.A. report, I'm passing it on to you scanned."

- E-mail that the claimant sent on 16/11/2018 to the Human Resources (HR) department, for the attention of F.F.F., explaining that she is writing to record a very serious incident.

- E-mail sent to the claimant by "Human Resources" on 04/12/2019 with the "Subject" "Medical Examination Incident A.A.A.". In its text they regret what happened; they confirm that Mr. D.D.D. has spoken with the claimant and apologized, and inform her that the company has made the necessary arrangements so that all the documentation sent is deleted and that means have been put in place to ensure that this does not happen again.

SECOND: A. In accordance with the mechanism prior to the admission for processing of claims made to the AEPD, provided for in Article 65.4 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), in the framework of E/4046/2019 the claim was transferred to the respondent so that it could proceed with its analysis and respond within one month to the information requested.

The letter was notified to the respondent electronically, with the date of posting on the website on 12/04/2019 and the date of acceptance of the notification on 15/04/2019, as attested by the FNMT certificate in the file.
Once the one-month period granted had elapsed, the respondent had not responded to the AEPD's request for information.

B. On 18 June 2019, having analysed the documentation in the file, the Director of the AEPD issued a resolution in the framework of E/7551/2019 in which she agreed to admit the claim for processing.

The claimant was notified of the resolution and, as a result of an incident in the electronic management of notifications, so was GLOBAL BUSINESS TRAVEL SPAIN S.L.U., the respondent.

Article 65.4 of the LOPDGDD provides that "The decision on the admission or inadmissibility, (...), must be notified to the claimant within three months" (underlining by the AEPD). This Agency, in compliance with that provision, does not communicate admission agreements to respondents.

The fact that the respondent entity was improperly notified of the admission agreement, together with the fact that the agreement did not specify who the addressee of the notification was (unnecessary, since only the claimant is notified) and at the same time offered the "interested parties" the possibility of filing an optional appeal for reconsideration, led the respondent to consider that it was entitled to appeal the admission agreement.

The circumstances described above led the respondent to bring an appeal for reconsideration before this Agency against the admission agreement, and also to request that the aforementioned agreement be set aside (RR/120/2020).

The Agency, as stated in resolution RR/120/2020, chose to reject the appeal on the grounds that the appellant had no standing to bring it (ex Article 112.1 of Law 39/2015 on Common Administrative Procedure, hereinafter LPACAP). This Agency, having regard to the fact that the admission agreement had been notified to the respondent and given that the text of that agreement led to the erroneous interpretation that it was entitled to appeal, responded to the appeal filed. The decision rejecting RR/120/2020 was notified to the respondent and appellant on 11/05/2020 (date of acceptance of the electronic notification).

The appellant, now the respondent, stated that the claimant underwent the medical examination before the Mutual on 15/09/2019 and informed her immediate superior, C.C.C., that, since the report would arrive at the company, "as soon as I received it, I sent it to Iberdrola (not to bring it to her, as the complaint says). Note that it was not specified in A.A.A.'s instructions how the sending should be done, i.e. whether by mail, e-mail or other means, only that it be sent to Iberdrola".

It added that the report from Mutua Valora arrived at the respondent's headquarters on 07/11/2019, by mail, "in an envelope in the name of the entity", "so given the emergency situation, as explained, the risk prevention manager D.D.D. scanned it and sent it immediately, by e-mail, in the chain of e-mails where the subject was being discussed and where, in addition to A.A.A. ..., her immediate boss C.C.C. was included."

The respondent stated that after learning of the events it adopted several measures: it asked the persons involved who might have had contact with the file for an explanation and for the immediate deletion of the information. The entity's HR management requested information from the occupational risk prevention technician, who responded by e-mail on 19/11/2018, a copy of which is provided. It adds that this person, Mr. D.D.D., left the company on 26/03/2019 without specifying the reasons. It also states that it requested information about the incident from the employees Mr. C.C.C. and Ms. B.B.B., and that the Technology Department proceeded to delete the transmitted report from the terminals of Mr. D.D.D. and Mr. C.C.C.

The respondent annexed to its appeal for reconsideration, among other documents, the following e-mails:

- Sent by the claimant to Mr. C.C.C. on 05/11/2018: "(...) I have contacted Valora Prevención because I received the e-mail asking me to set a date for the medical examination when I already did it last October 15 (...). I am informed by Valora that ... the medical report is not put on the web so that it can be downloaded, but is printed out and sent to ***DIRECTION.1 for my attention. I have been told that it was printed last October 29th, so if it hasn't arrived yet it is about to arrive at the office. I'll let you know in case it's delivered and whether you can bring it to me at Iberdrola."

- Sent by Mr. D.D.D. on 09/11/2018: "(...) I received the full report on her in the office on Monday and, after scanning it and sending it to you, I destroyed it. Could you please ask them to send her the full report again??"

- Sent by "Prevention" to "G.G.G., H.H.H., Human Resources..." on 19/11/2018: "As A.A.A. says in her e-mail, it is true, Valora sent the report on her examination to my attention at the Barcelona office and I accidentally scanned it and sent it to her without realizing that I was replying to an e-mail from C.C.C. instead of to her alone..."

- Sent by Mr. C.C.C. to Mr. D.D.D. on 28/11/2018: "I confirm that this document was deleted that same day because I only opened the page that said she was fit to work at the premises. The rest I didn't get to look at."
LEGAL FOUNDATIONS

I

By virtue of the powers conferred on each supervisory authority by Article 58(2) of the GDPR, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure.

II

Article 58 of the GDPR, "Powers", states:

"2. Each supervisory authority shall have all of the following corrective powers:
(...)
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
(...)"

III

Article 5 of the GDPR sets out the principles governing the processing of personal data and lists among them "integrity and confidentiality":

"1. Personal data shall be:
(...)
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."
Article 5.2 GDPR adds:

"2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')."

Within Chapter IV, "Controller and processor", the GDPR devotes Article 32 to "Security of processing", which provides:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law." (Underlining by the AEPD)
The infringement of Article 32 GDPR is typified in Article 83.4 in the following terms:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;"

For the purposes of the statute of limitations, Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) qualifies as an infringement in Article 73(f): "Failure to adopt the appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, as required by Article 32(1) of Regulation (EU) 2016/679".

The conduct that is the subject of this complaint consists in the opening, by an employee of the respondent entity (the head of Occupational Risk Prevention), of the envelope containing the results of the medical tests carried out on the claimant by the Mutual, which was allegedly addressed to the attention of the claimant; in scanning it; and in communicating it by e-mail to other employees of the company.

The documentation in the file provided by the claimant corroborates that the claimant's medical report received from Mutua Valora was opened by Mr. D.D.D., scanned and e-mailed as an attachment both to Mr. C.C.C., the claimant's superior, and to the claimant herself. We refer to the e-mail of 19/11/2018 sent from "Prevención", we understand by Mr. D.D.D., to Human Resources.

On the other hand, the documents provided by the claimant and by the respondent do not show that the head of Occupational Risk Prevention had knowledge of the information contained in the document.
In addition, Mr. C.C.C., the claimant's superior, who as shown received an e-mail from Mr. D.D.D. containing as an attachment the document with the results of the medical tests of the affected person, stated in the e-mail sent on 28/11/2018 that he only opened the page that said the claimant was fit to work at the inplant and that he did not look at the rest of the document.

The Contentious-Administrative Chamber of the National High Court has repeatedly held in its rulings, during the validity of Organic Law 15/1999 on the protection of personal data (LOPD), that infringement of the principle of confidentiality, insofar as it is an infringement of result, presupposes that there has been an actual disclosure of data to a third party not entitled to know them. Thus, even if the conduct deployed could lead to a disclosure of data to third parties, if this has not actually taken place and been proven (mere presumption not being admissible), it is not possible to charge an infringement of this nature, that is, infringement of the duty established by Article 10 of the repealed LOPD, now covered by Article 5(1)(f) of the GDPR.

Therefore, at this stage of the proceedings, and without prejudice to the outcome of the investigation, there is no evidence to attribute to the respondent, as alleged by the claimant, an infringement of the principle of confidentiality.

The documentation in the file shows that the company had not implemented criteria for action among its staff with respect to private documents containing employees' health data. Furthermore, with the exception of the e-mail sent by Mr. C.C.C. at the end of November 2018, it seems that the company's personnel gave the same treatment to the report issued by the Mutual on fitness or unfitness for work as to the results of the medical tests the claimant underwent.

Article 32 GDPR obliges the controller to take steps to ensure that any person acting under its authority and having access to personal data processes them only on the controller's instructions. These instructions must be based on a prior assessment of the risk involved in each of the processing operations carried out, in order to ensure the security of the data. This is particularly so in this case, since the respondent company, in compliance with the health policy implemented by its client companies (in this case Iberdrola), was fully aware that those of its employees who worked at the inplant had to undergo a medical examination and that the "fit-for-work report" had to be communicated to the client company, and that this report could be received together with the results of the medical tests performed, results that contained health data for the processing of which the respondent company lacked legitimacy.
the person responsible should be obliged to implement timely and effective measures and should
be able to demonstrate the conformity of the processing activities with the present
Regulation, including the effectiveness of the measures. Those measures should have in
The nature, scope, context and purposes of the processing, as well as the
risk to the rights and freedoms of natural persons." (The underlining is from the
AEPD) 
According to the evidence available at this stage of the procedure, and without prejudice to the outcome of the investigation, it is considered that the conduct of the respondent which is the subject of assessment in these sanctioning proceedings, consisting of the opening of the envelope containing the results of the tests the claimant underwent at Mutua Valore, the scanning of the document and its transmission by e-mail to at least one employee of the entity, violates Article 32(2) and 32(4) of the GDPR, an infringement sanctioned under Article 83(4)(a) of the GDPR.
V
In order to determine the amount of the administrative fine that would correspond, the provisions of Articles 83(1) and 83(2) of the GDPR must be observed, which state:

"Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive."

"Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."
With regard to Article 83(2)(k) of the GDPR, Article 76 of the LOPDGDD, "Sanctions and corrective measures", provides:

"2. In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account:
(a) The continuing nature of the infringement.
(b) The link between the offender's activity and the carrying out of processing of personal data.
(c) The profits obtained as a result of committing the infringement.
(d) The possibility that the conduct of the data subject may have induced the commission of the infringement.
(e) The existence of a merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
(f) The effect on the rights of minors.
(g) Having a data protection officer where this is not compulsory.
(h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested party."
The following aggravating circumstances are taken into account:

- Article 83(2)(f) of the GDPR, which refers to the "degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement". It should be recalled that the respondent did not reply to this Agency's request for information, prior to the admission of the claim for processing, despite it being established that the request for information was duly served.
- Article 83(2)(g) of the GDPR, on the categories of personal data affected by the infringement, since the data concerned were the claimant's health data.
- The obvious link between the business activity of the respondent and the processing of personal data, not only of its employees but also of the persons whose travel it manages, as this is the company's business (Article 83(2)(k) of the GDPR in relation to Article 76(2)(b) of the LOPDGDD).
The following circumstances apply as mitigating factors:

- That provided for in Article 83(2)(a) of the GDPR, which refers to the gravity of the infringement taking into account, among other variables, the purpose of the processing concerned and the level of damage suffered by the person affected. The purpose of the processing was lawful: to pass on to the claimant the confidential results of his medical tests; what was not lawful was the manner in which this was done. That is, the conduct consisted in a breach of the entity's obligation to take measures to ensure data security and the effectiveness of those measures. Furthermore, the documentation in the file does not show that the claimant suffered significant damage.
- That provided for in Article 83(2)(k) of the GDPR, which mentions "any other ... mitigating factor applicable to the circumstances of the case". In this regard, it should be noted that before the complaint was filed with this Agency (on 13/02/2019) the entity had activated internal mechanisms to ascertain the events that had taken place, had questioned the persons involved in them and had issued instructions regarding all information relating to the claimant's medical results.
Thus, in accordance with the foregoing, it is considered that the respondent committed an infringement of Article 32(2) and (4) of the GDPR, sanctioned under Article 83(4)(a) of the aforementioned Regulation (EU) 2016/679, and that, having assessed the circumstances modifying liability, both aggravating and mitigating, in accordance with Article 83(2) of the GDPR, the amount of the fine to be imposed is EUR 5,000.
Therefore, on the basis of the above, the Director of the Spanish Data Protection Agency
AGREES:
FIRST: To initiate sanctioning proceedings against GLOBAL BUSINESS TRAVEL SPAIN S.L.U., with NIF B85376630, for the alleged infringement of Article 32(2) and (4) of the GDPR, classified in Article 83(4)(a) of the GDPR.
SECOND: To appoint R.R.R. as instructor and S.S.S. as secretary, indicating that either of them may be challenged, where appropriate, in accordance with Articles 23 and 24 of Law 40/2015 of 1 October on the Legal Regime of the Public Sector (LRJSP).
THIRD: To incorporate into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its accompanying documentation, as well as the documents obtained and generated by the Subdirección General de Inspección de Datos.
FOURTH: That, for the purposes of Article 64(2)(b) of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (LPACAP), the sanction that may apply would be an administrative fine of EUR 5,000 (five thousand euros), without prejudice to the outcome of the investigation.
FIFTH: To notify this agreement to GLOBAL BUSINESS TRAVEL SPAIN S.L.U., with NIF B85376630, granting it a hearing period of ten working days to make the allegations and submit the evidence it deems appropriate.

In its pleading, it must indicate its NIF and the procedure number that appears in the header of this document.
If no allegations are made within the stipulated period, this agreement to initiate may be considered as a proposal for a resolution, in accordance with Article 64(2)(f) of the LPACAP.
In accordance with Article 85 of the LPACAP, the respondent may acknowledge its responsibility within the period granted for submitting allegations to this agreement to initiate, which will entail a 20% reduction in the penalty to be imposed in these proceedings. With the application of this reduction, the sanction would be set at EUR 4,000, and the procedure would be resolved with the imposition of this sanction.
Similarly, it may, at any time prior to the resolution of these proceedings, make voluntary payment of the proposed penalty, which will entail a 20% reduction in its amount. With the application of this reduction, the penalty would be set at EUR 4,000 and its payment would bring the procedure to an end.
The reduction for voluntary payment of the penalty is cumulative with that applicable for the acknowledgement of responsibility, provided that such acknowledgement is made within the time limit granted for submitting allegations to the opening of the proceedings. Payment of the amount referred to in the preceding paragraph may be made at any time before the resolution. In this case, if both reductions apply, the amount of the penalty would be set at EUR 3,000.
In any case, the effectiveness of either of the two above-mentioned reductions shall be conditional upon the waiver or abandonment of any action or appeal through administrative channels against the sanction.
If it chooses to proceed with the voluntary payment of either of the amounts indicated above, EUR 4,000 or EUR 3,000, it must pay it by depositing it in account no. ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A., indicating in the payment reference the procedure number appearing in the header of this document and the reason for the reduction of the amount applied.

Likewise, it must send proof of payment to the Subdirección General de Inspección de Datos in order to continue the procedure in accordance with the amount paid.
The procedure will have a maximum duration of nine months from the date of the agreement to initiate or, where appropriate, of the draft agreement to initiate. After this period, the procedure will lapse and, consequently, the proceedings will be archived, in accordance with Article 64 of the LOPDGDD.

Finally, it is noted that, in accordance with Article 112(1) of the LPACAP, no administrative appeal lies against this act.
Mar España Martí
Director of the Spanish Data Protection Agency
SECOND: On 6 June 2020, the respondent paid EUR 3,000, making use of the two reductions provided for in the agreement to initiate transcribed above, which implies acknowledgement of responsibility.

THIRD: The payment made, within the period granted to submit allegations to the opening of the procedure, entails the waiver of any action or appeal through administrative channels against the sanction and the acknowledgement of responsibility in relation to the facts referred to in the agreement to initiate.
LEGAL GROUNDS
I
By virtue of the powers conferred on each supervisory authority by Article 58(2) of the GDPR, and in accordance with Article 47 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction infringements committed against said Regulation; infringements of Article 48 of Law 9/2014 of 9 May, General Telecommunications Law (hereinafter LGT), in accordance with Article 84(3) of the LGT; and the infringements defined in Articles 38(3)(c), (d) and (i) and 38(4)(d), (g) and (h) of Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (hereinafter LSSI), as provided for in Article 43(1) of said Law.
II
Article 85 of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination of sanctioning proceedings", provides as follows:

"1. Once sanctioning proceedings have been initiated, if the offender acknowledges his responsibility, the proceedings may be terminated with the imposition of the appropriate penalty.
2. Where the penalty is solely pecuniary in nature, or where a pecuniary and a non-pecuniary penalty could be imposed but the inappropriateness of the latter has been justified, voluntary payment by the alleged offender at any time before the resolution shall entail termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for the damage caused by the commission of the infringement.
3. In both cases, where the penalty is solely pecuniary in nature, the body competent to decide the procedure shall apply reductions of at least 20% of the amount of the proposed penalty, which may be cumulated with each other. These reductions must be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal through administrative channels against the sanction. The percentage reduction provided for in this paragraph may be increased by regulation."
In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: To declare the termination of procedure PS/00247/2019, in accordance with Article 85 of the LPACAP.

SECOND: To notify this resolution to GLOBAL BUSINESS TRAVEL SPAIN S.L.U.
In accordance with Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114(1)(c) of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations, the interested parties may lodge a contentious-administrative appeal before the Contentious-Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of said Law.
Mar España Martí
Director of the Spanish Data Protection Agency