AEPD (Spain) - PS/00044/2020: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 50: | Line 50: | ||
}} | }} | ||
The Spanish Data Protection Agency (AEPD) imposed a warning on a Spanish public notary for | The Spanish Data Protection Agency (AEPD) imposed a warning on a Spanish public notary for infringing Article 13 GDPR by not offering the claimant relevant information when obtaining a copy of his national ID card to issue a certified copy of a document. | ||
==English Summary== | ==English Summary== |
Revision as of 10:21, 4 November 2020
AEPD - PS/00044/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR Article 32(3) of the Spanish Law 10/2010 of April 28th on Money Laundering Prevention |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 23.10.2020 |
Published: | 29.10.2020 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | PS/00044/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | Miguel Garrido de Vega |
The Spanish Data Protection Agency (AEPD) imposed a warning on a Spanish public notary for infringing Article 13 GDPR by not offering the claimant relevant information when obtaining a copy of his national ID card to issue a certified copy of a document.
English Summary
Facts
The decision is the consequence of a complaint submitted by a Spanish citizen stating that, when he requested the defendant a copy of the deed corresponding to his house, the defendant required a copy of the national ID card of the claimant, but it did not offer him any information clauses regarding the circumstances of the data processing activity nor on the security measures used in order to keep the copy of the national ID card. The defendant promised that it would call the claimant to clarify such aspects, but this did not happen until two months later, when the defendant was newly required by the claimant. In that moment, the defendant sent the information clauses to the claimant, but it did not clarify any security measures; additionally, the defendant redirected the claimant to his data protection officer, who finally told the claimant that there was no need to inform him, with basis on Article 32 of the Spanish Law 10/2010 of April 28th on Money Laundering Prevention.
Dispute
The defendant answered to the first AEPD investigation requests (i) confirming that it did not offer the data protection information to the claimant until almost two months later, (ii) that it offered him the possibility of exercising his data rights, but that he only required a verification on the data protection information clause, that (iii) it considered that there was no need to inform the claimant on the basis of the money laundering legislation, and that (iv) the office of the defendant complied with the security measures specified at the ISO 27001, and it later added the following: (iv) a processing activities registry, the appointment of a DPO and the corresponding information clause at the invoices sent to its clients. The AEPD started the corresponding sanction procedure, and the defendant answered again insisting on the fact that public notaries are not obliged to offer data protection information based on the Spanish money laundering legislation.
Holding
Thus, the AEPD understood that the defendant has infringed Article 13 of the GDPR, as (i) it did not offer any data protection information to the claimant (not even the alleged exclusion concerning the money laundering legislation) until more than two months after the processing activity took place, and (ii) the money laundering legislation would not be really an exclusion, as it is only addressed to avoid information in cases in which the public notary is obliged to communicate the commission of a possible terrorism financing or money laundering offence to the SEPBLAC (the Spanish highest institution on money laundering issues), so Article 13 of the GDPR would be fully applicable to the processing activity. Consequently, the AEPD decided to impose a warning to the defendant and, additionally, required the defendant to include information clauses in any documents provided to its clients, within the period of one (1) month since this resolution.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12 Procedure No.: PS / 00044/2020 938-0419 RESOLUTION OF SANCTIONING PROCEDURE In the sanctioning procedure PS / 044/2020, instructed by the Spanish Agency for Data Protection, to A.A.A., with NIF: *** NIF.1 (hereinafter, “the person claimed ”), by virtue of the complaint presented by B.B.B., (hereinafter,“ the claimant ”), and based on the following, BACKGROUND FIRST: On 07/28/19, you had a written entry in this Agency, presented by B.B.B., (hereinafter, “the claimant”), in which it stated, among others, the following: "When I went to the notary to request a copy of the deed of my house, without informing Regarding, they scanned my ID. When asked about how they protected that document, They told me that they did not have the information but that they were taking my data and they would call. I wanted to know about the security measures that were applied because, if I had been informed, I would have given them a black and white photocopy. Two months and a half later, as they had not contacted me, I sent them an email, in the that they already show me the informative clauses, but they still do not inform me of how they keep my ID. For security, I don't like having copies of my ID scanned to good resolution and in color, so since they had not provided me with that information, I insisted on it. They sent me to their DPD, with whom I have exchanged emails, but ended up claiming that I did not need to be informed based on to article 32 of Law 10/2010, of April 28, on the prevention of money laundering capitals ”. SECOND: In view of the facts set forth in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (RGPD). Thus, dated 10/18/19, an informative request is addressed to the claimed person. THIRD: On 11/07/19, this Agency receives a letter from the Delegate of Data Protection of the claimed Notary, in which, among others, it indicates: “On August 7, 2018, the claimant went to the notarial office to request a copy of the protocol of the former notary of that city, *** NOTARY. 1. That on December 7, 2011 as a result of the retirement of the person was a notary of this city *** NOTARY.1, Mr. *** NOTARY.2 received the notarial protocol of the former for safekeeping. That the claimant's DNI not being scanned, it was considered appropriate to carry out your scan in accordance with money laundering legislation. For this it was taken into consideration of the fact that it was an economic operation of the protocol to position of Mr. *** NOTARY. 2 of which identification document was lacking. That the claimant expressed his discrepancy regarding the applied tariff by placing a claim for the invoice issued (Doc1) before the Consumer Service of the Board of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/12 Andalusia (Doc2). The professional services invoice contains the data basic information on data protection for the activity of the notarial office. That on October 31, 2018 this notarial office provided the claimant with additional information on data protection in relation to merited activity (doc3). That in subsequent communications he stated that he was against the scanning of his DNI or consider that they should be aware of the security measures applied: “… Must do a risk analysis or DPIA and determine it, according to its criticality. This gives me little confidence in the measures implemented, which is why you requested information", That subsequently, and after several calls from the claimant, the incident was reported to the Data Protection Delegate of this notarial office. That the DPD by email of December 18, 2018 (doc5) requested specify the request for rights exercised by the claimant. The claimant does not He answered, so the DPD reminded him on January 14, 2019 (doc6) that The term of the procedure was extended by two more months to be able to attend his petition. That same day, the claimant replies alleging that “what I am asking is the verification of that said information was provided to me ”(doc7). That with all of the above and having fulfilled the Notarial Office with the duty of information regarding customer activity it was considered necessary to focus the issue in the Money Laundering activity. Consequently, the DPD reported to the claimant dated February 7 (doc8) on the special circumstances that have these treatments and therefore the impossibility of meeting your request. Later, on February 11, he was informed again (doc9-10). Regarding the control measures applied in this Notarial Office: They accept the ISO 27001 standard. However, in relation to the Activity Register and its legitimation in the treatment, the following measures have been adopted: A.18 Compliance A.18.1 Compliance with legal and contractual requirements: RGPD: Control Measures 1. Activity Register 2. Data Protection Officer 3. DPD notification to the Data Protection Agency. 4. Legitimation of the treatment (yes, we inform or not) 5. Protocol to exercise the RGPD right Consequently, and in accordance with the request for information, we state that, dated On June 11, 2018, a Data Protection Audit was carried out. How As a result, the consequent recommendations were formalized for comply with the obligations indicated above. Consequently, the following measures were adopted: The Register of Activities that include, among others, a. Clients b. Money laundering C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/3 In consideration of the nature of the Public Authority of Notaries and based on article 37.1 a) of the European Data Protection Regulation 2016/679 was designated Dpd and reported to the Registry of the Spanish Agency for Data Protection (Doc1). It was agreed to implant legends in order to comply with the duty of information of article 13 of European Regulation 2016/679. 4. A procedure was established management of RGPD rights in the Notarial Office. The measures were reviewed on March 19, 2019. They were agreed recommendations to correct the deficiencies found and improve the proper implantation. A data protection legend is included on the invoices for reason of the "clients" activity. The claimant was sent a copy of the additional information dated October 31 2018, in relation to customer activity and was informed and explained the specific circumstances derived from the processing of data for the activity "laundering Capital ”and therefore the exclusion of the duty of information. FOURTH: In view of the denounced facts, of the documentation provided by the parties and in accordance with the evidence available, the Inspection of Data from this Spanish Agency for Data Protection considered that the action of the claimed entity did not meet the conditions imposed by the regulations in force, for which the opening of a sanctioning procedure proceeds. So dated 06/01/20, the Director of the AEPD, agreed to initiate a sanctioning procedure for the per- claimed, by virtue of the powers established, for failing to comply with the provisions of Article 13 of the RGPD, by NOT offering the necessary information to the claimant when The DNI was required for scanning, punishable in accordance with the provisions of art. 83 of the aforementioned RGPD, with an initial sanction of "APERCIBIMIENTO". FIFTH: Notified the initiation agreement, the claimed person, by writing of dated 06/15/20, made, in summary, the following allegations: On the lack of information in relation to the treatment derived from the scan of the DNI Of the interested. My client, in compliance with article 30, has a Record of Ac- Treatment activities. There are, among others, two different declared activities: 1. Clients: in order to proceed with the granting of the public document and proceed der to your billing 2. Money Laundering: for the management and registration of obligations tions derived in matter. These activities are different and coincide with the files declared at the time in accordance with Law 15/1999 on data protection and Ministerial orders of its creation to the extent that they were public files: OM de Justicia JUS / 484/2003 and Ministry of Economy Order EHA / 114/2008, of January 29. The Agreement that we are challenging says that the duty of information of Article 13 was omitted of Regulation 2016/679 when the claimant's DNI was scanned in order to give compliance with the Law on the Prevention of Money Laundering and subsequently when requested. It is true what the notified act says: the interested party was not informed C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/12 of the money laundering activity of the *** NOTARY. 2. However and how I know You will see, there is no legal obligation to inform about the data processing in case of money laundering. We note that the interested party was informed in relation to the activity of "clients" as stated in the file. The Agreement to Initiate the Penalty Procedure forgets some information that would have allowed the correct qualification of the facts of this procedure: 1. The notary is bound by the Money Laundering Prevention Law: ar- Title 2.1 n) Obliged subjects: “notaries”. 2. The notary as a subject bound by Regulation 2016/679 creates his Registry of Activities. Following the criteria of the AGPD, it makes use of the file created by the Or- den EHA / 114/2008, of January 29, regulating compliance with certain obligations of notaries in the field of prevention of money laundering and This is how the "Money Laundering" treatment activity has been declared. 3. Art 32.3 of Law 10/2010 of April 28 states that: “By virtue of the provisions of the Article 24.1, and in relation to the obligations referred to in the preceding paragraph rior, the obligation to provide information will not apply to data processing in article 5 of Organic Law 15/1999. Likewise, they will not apply to the les and treatments referred to in this precept the norms contained in the aforementioned Organic Law regarding the exercise of rights of access, rectification, cancellation and opposition. In case of exercise of the aforementioned rights by the interested party do, the obliged subjects shall limit themselves to making clear the provisions of this article ass". 4. On the obligation to make copies to the DNI: Art 28. 2. Laundering Regulation of Capitals “The obligated subjects will store the copies of the authentic documents formal identification clients on optical, magnetic or electronic media " 5. On the term of conservation of the DNI: Art 29.1 Regulation of Laundering of Capitals: “The obligated subjects will keep the documents and keep records of all business relationships and operations, national and international, final, for a period of ten years from the termination of the relationship… ”. Therefore, in compliance with the legal obligation of article 32 of Law 10/2010, no informed the interested party of the data processing. It has been proven that in the communication of October 31, 2018, the interested in the peculiarities of the processing of personal data at the headquarters of money laundering. Regarding the official status of the Notary Public and part of the Public Administration: It says the website of the Ministry of Justice: “The Notary, once he obtains the title and takes session of its Notary, will have in the district to which it corresponds the character of function- public authority and authority in everything that affects the service of the notarial function, with the rights granted for such purposes by the Law ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/12 https://www.mjusticia.gob.es/cs/ Satellite/Portal/es/servicios- citizen / public employment / access-calls-profiles / notaries-for-notaries The OM Justice JUS / 484/2003 says: “… Notaries, Notaries Associations and the Con- General Council of Notaries present specialties in relation to the exercise of other professions subject to membership, highlighting the character of public official co of its members and of the Public Administration dependent on the Administration General of the State, through the General Directorate of Registries and Notaries. " Moreover, the TCl says that notaries are part of the public function of the State. So, Sentence 120/1992, of September 21, says the High Court: “This competence Regulatory, on the other hand, also derives from the character of public officials of the all that Notaries have and their integration into a single national body ”. Likewise, in Sentence 4/2014, of January 16, 2014, the High Court says: “Appli- In view of the reiterated doctrine of this Court (SSTC 56/1987, of May 7; 67/1983, of July 22; 120/1992, of February 21, and 207/1999, of November 11), only at The State is responsible for directing mandatory orders or instructions to notaries or registrars, it being unquestionable that it is the State, through the DG of Registries and Notaries, the highest body of those, which are located in hierarchical dependency relationship and, consequently, in a position of forced acceptance issuance of binding orders or interpretations. On the application of article 77 of Law 3/2018 on the protection of personal data. The initiation Agreement is erred by not respecting the regime provided for in article 77 of the Law 2/2018 especially in its section 2 when it says: "When the managers or managers listed in section 1 commit any- one of the offenses referred to in articles 72 to 74 of this organic law. ca, the competent data protection authority shall issue a sanction resolution warning them with warning. The resolution will also establish the measures to be taken to stop the conduct or correct the effects of the offense that was committed. The resolution will be notified to the person responsible or charged with the treatment, to the body on which it depends hierarchically, where appropriate, and to those affected who have the status of interested party, where appropriate ”. The notary public official status and his integration into the the State Administration and, therefore, we cannot accept the allusion, as it intimidates toria, of the Commencement Agreement when it says that “This offense may be sanctioned with a maximum fine of € 20,000,000… ”. Fourth: That the Resolution of June 2, 2020, of the General Directorate of Seguri- Legal entity and Public Faith, the Ministry of Justice notifies in the Official Gazette of the date of June 8, 2020, the retirement of the notary (Doc No. 2). SIXTH: On 06/23/20, the person claimed presented in this Agency, new brief of allegations, in which, in summary, it indicated the following: “That having presented allegations last day fifteen of the current consi- We deem appropriate the presentation of the copy of Resolution R / 01712/2016 by C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/12 as it concludes in its Third Ground that notaries are public officials cos: In this sense, the Notaries, the Notary Associations and the General Council of Notaries They present specialties in relation to the exercise of other professions subject to members of the association, highlighting the public official nature of their members and of Public Administration dependent on the General State Administration, through through the General Directorate of Registries and Notaries ”. SEVENTH: On 06/08/20, the test practice period began, accord- dose: a) .- to consider reproduced for evidentiary purposes the complaint filed by the Advertiser and its documentation, the documents obtained and generated that form part of file E / 9681/2019 and b) .- consider reproduced for evidentiary purposes, the allegations to the agreement to initiate PS / 00044/2020, presented by the entity- announced. EIGHTH: On 07/22/20, the requested person is notified of the proposed reorganization solution in which it is proposed that, by the Director of the Spanish Protection Agency tion of Data is sanctioned with "APERCIBIMIENTO" for an infraction of article 13) of the RGPD, in accordance with the provisions of article 58.2) of the aforementioned RGPD. NINTH: After notification of the proposed resolution, dated 09/07/20, the complained person presents a brief of allegations, in which, among others, indicates: “The claimant initially filed a consumer claim with the Board of Andalusia, due to its discrepancy due to the applied tariff. It was in said procedure where he stated that he had not been informed of his rights when scanning the DNI. The file contains a copy of the notarial invoice where the basic information appears. physics of data processing the activity “clients” (Doc.1 of the report before the AEPD). That said consumption procedure is filed in October 2018 and that is when the Claimant requests data protection information that is given on October 31. There is no evidence in the record that the claimant requested on July 7, 2018 exercise your rights in data protection. In his mail of November 1, the re claimant ensures that the invoice does not include the rights and the way to exercise the themselves. However, this manifestation does not correspond to reality. That later, when the DPD intervenes, it was necessary to discern through various e-mail the specific request of the claimant about the scanning of the DNI. That before a month of silence from the complainant had elapsed, the DPD contacted contacted him and the procedure to meet his request was extended for two months (Doc. 6) of the Report requested by the AGPD. That finally the request of information on the claimant called “money laundering”. It should be noted that in relation to the “Money Laundering” activity, no tado informative legends, there is no obligation in this regard. For activity of clients, unrelated to this file, a legend was provided that is part of the file. tea. Here is attached the same: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/12 << A.A.A. residing at *** ADDRESS. 1 is responsible for the treatment in order to study your file, draft the public document and yield to its granting, incorporation to the protocol and billing. The legal basis of the treatment is the exercise of the notarial public faith by virtue of the Law of Notaries and the Law of Voluntary Jurisdiction 15/2015 in the terms of article 6.1 e) of the European Data Protection Regulation 2016/679 The legal basis based on a contractual relationship fits. The treatment data is necessary for the granting of the document. Likewise, the notary acts as the data controller in relation to to the protocol and notarial documentation whose Data Controller is the General Directorate of Legal Security and Public Faith with the purpose of archiving of the public documents of the notary and collaboration of the Administrations Public trades. The billing data will be kept until prescribed They ban tax obligations. In relation to the protocol and notarial documentation, the data will be kept as a public file indefinitely. This notarial office has designated a Data Protection Delegate: *** DPD.1. The data will be communicated to the Public Administrations, the Notarial Association or to the General Council of Notaries when there is a legal norm that protects it. You have the right of access, rectification, deletion and portabi- the quality of your data, limitation and opposition to its treatment, as well as not be the subject of decisions based solely on automated processing of your data, when applicable. You can exercise your rights before the Delegate data protection by providing a scanned copy of your ID addressed to *** DPD.1. We would like to point out that regarding the protocol and documentation Such rights have a series of limitations due to their specific purpose. archive feature. The right to file a claim with the Agency is also recognized. Spanish company for Data Protection as an interested party >>. For all the foregoing, WE PLEASE V.I. that has presented this writing in time in the manner and form and on the merit of its content, the file of the Sanctioning Procedure agrees. dor as there was no delay in providing the information to Mr. B.B.B. In view of all the actions, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts, PROVEN FACTS C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/8 1º.- On 08/07/18, the claimant went to the notarial office of A.A.A., to request a copy of your house deed. According to the record, "by not having the claimant's DNI scanned, it was considered appropriate to scan in accordance with current legislation on money laundering ”. As stated in the Claimant's announcement, “when asking the reason why the DNI was scanned, NO received no adequate reply, informing him only that they would be in contact with him to inform him conveniently ”. 2º.- According to the DPD's letter, the Notary Public contacted with the claimant on 10/31/18, informing him of the special circumstances that they have these treatments because they are subject to money laundering legislation. In addition, it was indicated that, in the invoice for professional services delivered to the clamoring, included the basic data of information on data protection by the activity of the notarial office. From this date there were several exchanges of co- electronic records between the claimant and the DPD of the Notary's Office, in relation to the chos. 3.- The claimant responded to the DPD's answer one day later (11/01/18), at the following terms: “Dear Sir, thank you very much for the information. Indicate that the invoice does not have that this information was provided, given that among other things, they must see nir the rights and the contact to exercise them. I spoke to three employees who did not they provided the information. The third, asked me for the telephone number to provide me with these data, but until my email today, I have not received the information, which leaves me wondering where my phone was saved. I will check if what you tell me about the invoice. I understand that you have a record of what you tell me. Also indicate that there are errors in the information you present to me, since the security measures do not They are in article 26. In fact, the GDPR does not say what to do, but must do a risk analysis or DPIA and determine it, according to criticality. This gives me little confidence in the measures implemented, which is why I initially requested training. I hope your DPO can answer me for security, I have two months and a half plating, as well as the legitimation given that I have not been able to see the need for the information required by law 15/2015, which was the reason vo from my query. For security, as I indicated, I do not like to be scanned directly my ID ". 4.- The information provided in the invoice issued by the notarial office (No. Invoice: U001155 dated: 08/07/2018, the following information appears regarding the Personal data protection: - Responsible: Notarial Office located at *** ADDRESS. 1 Contact information of the Data Protection Officer: *** DPD.1 Purpose: Granting documents public ment and billing. - Conservation: Until the prescription of the legal obligations derived from writing. - Legitimation: Compliance with public duties corresponding to the note- River - Recipients: No data will be transferred to third parties except in case of obligation to- gal. In general, the Public Administrations, the Notarial College and the General Council General of the Notary Public. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/12 - Rights: Access, rectify and delete the data, as well as other rights, as explained in the additional information. - More Information: You can request an expanded information sheet of Your rights". 5º.- In the allegations, presented in this Agency by the claimed person, the 11/07/19, indicated the following: “(…) Consequently and in accordance with the request for information, we state that, on June 11, 2018, an Audit was carried out to protect the Data. As a result, the consequent recommendations were formalized. mentions to comply with the obligations indicated above, were adopted the following measures: “(…) It was agreed to implant legends in order to fulfill the duty of information of article 13 of European Regulation 2016/679. A RGPD rights management procedure was established in the Office cho Notarial ”. The measures were reviewed on March 19, 2019. It was agreed- recommendations were made to correct the deficiencies found and improve the proper implementation. In the invoices a legend of protection of data by reason of the activity "clients". FOUNDATIONS OF LAW I The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in the art. 47 of LOPDGDD. II The joint assessment of the documentary evidence in the procedure brings to knowledge of the AEPD, a vision of the denounced action that has been reflected in the facts declared proven above related. However, the following observations should be made: The art. 32.3 of Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism, establishes that: “By virtue of the provisions of article Article 24.1, and in relation to the obligations referred to in the previous section, The information obligation provided for in Article 5 of Organic Law 15/1999. Likewise, they will not apply to the files and treatments referred to in this precept the norms contained in the citation of the Organic Law regarding the exercise of rights of access, rectification, cancellation lation and opposition. In case of exercise of the aforementioned rights by the interested party, the Obliged subjects will limit themselves to making the provisions of this article clear to you ”. Well, when the claimant went to the Notary, on 08/07/18, to request a copy of the deed of his apartment, and ask him for the ID for his scan, he asked the reasons for which this act was now required, receiving no satisfactory answer, nor C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/12 He was even told what was stipulated in the Money Laundering Prevention Act. them: ”(…) In case of exercise of the aforementioned rights by the interested party, the subjects obliged will limit themselves to making clear the provisions of this article ", limiting- was to indicate that, “they would already contact him to receive the appropriate information cuada ”, situation occurred two and a half months later, on 10/31/18, through the DPD. Therefore, although said article establishes that the duty to inform the interested party does not It is applicable in relation to “the obligations referred to in section above ”, that is, those related to the fulfillment of information obligations provided for in Chapter III (which basically refer to cases in which there is to communicate to SEPBLAC when there are indications of a possible case of money laundering of capital or financing of terrorism), the right to information of art. 13 of RGPD, it is completely applicable. Therefore, with that exception, you have the obligation to provide all the information regarding the processing of personal data in the moment to collect them from the interested parties. Regarding the rights of citizens when they process their personal data, it says recital 59) of the RGPD that: “(…) The data controller must be obliged to respond to the interested party's requests without undue delay and no later than give within a month, and explain your reasons if you do not attend. der them ”. While recital 60) and 61) of the same RGPD indicates, respectively- mind: “(60) The principles of fair and transparent treatment require that the interested party be informed the existence of the processing operation and its purposes. The person responsible for treatment must provide the interested party with any additional information necessary aria to ensure fair and transparent treatment, taking into account the circumstances tances and the specific context in which the personal data are processed (…) ”. “(61) Interested parties should be provided with information on the processing of their data personal coughs at the time they are obtained from them (…) ”. In the present case, the collection of the claimant's personal data, me- Through the scanner of your ID, it is endorsed by art. 6.1.c) of the RGPD: “the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the treatment ”, such as compliance with the legislation on money laundering. On the other hand, article 13.1.c) of the RGPD obliges the person responsible for the treatment of the data to give the necessary information so that the interested party knows the purposes of the treatment of the data and the legal basis for it: “c) the purposes of the treatment to which the personal data and the legal basis of the treatment are destined ”. But it is also that article 12 of the RGPD summons the person responsible for the treatment of data to take the necessary measures to provide the interested party with the information indicated each in article 13 indicated above: “1. The person responsible for the treatment takes- The appropriate measures will be taken to provide the interested party with all the information indicated in the Articles 13 and 14, as well as any communication in accordance with Articles 15 to 22 and 34 relating to the treatment, in a concise, transparent, intelligible and easily accessible way. so, in clear and simple language, particularly any targeted information specifically physically to a child. The information will be provided in writing or by other means, including C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/12 clusive, if applicable, by electronic means. When requested by the interested party, the information The statement may be provided verbally provided the identity of the affected by other means 2. The data controller will provide the interested party with the exercise of their rights under Articles 15 to 22. In the cases referred to in In accordance with article 11, paragraph 2, the controller shall not refuse to act at the request of the interested party in order to exercise their rights under articles 15 to 22, except that can demonstrate that it is not in a position to identify the interested party. 3.The res- Responsible for the treatment will provide the interested party with information regarding their actions on the basis of a request pursuant to Articles 15 to 22, and in any case within one month of receiving the request (…) ”. Well, the invoice delivered to the claimant contained the necessary information regarding the About data protection, as the data controller; the purpose: (-Gives- public document and billing); the conservation time; legitimation for the treatment: (- compliance with public duties that correspond to the notary); the recipients and the rights that could be exercised. It can be verified that, in the purposes for which the data processing will be used Notary public personnel include the, "Granting public document and billing", and in the legal basis for the treatment of the data it appears, “the fulfillment of the public services that correspond to the notary ”. Nothing is informed to the interested party about what stipulated in art. 32.3 of Law 10/2010 of April 28, when it is indicated that, in the event that personal data are processed in order to comply with the current legislation on money laundering, as is the case, if the interest sado wishes to exercise its rights recognized in the RGPD, “(…) the obligated subjects they will limit themselves to making clear to you the provisions of this article ”. Well, not even- You are informed of this circumstance, neither in writing nor verbally, when you ask. to, receiving only as an answer that, "they would already contact him", circumscribed It did happen, but not before a month as indicated by the RGPD, but with a de- two and a half months late. Finally, remember once again that the respondent undertook to take the necessary measures necessary to correct the deficiency detected and this was indicated to this Agency: "It was agreed to implant legends in order to comply with the duty of information of article 13 of European Regulation 2016/679. 4. A procedure was established management of RGPD rights in the Notarial Office (…) ”. Measures not yet they have been submitted for corroboration by this Agency. In view of the above, the following is issued: RESOLVES: APPEAR: A.A.A., with NIF: *** NIF. 1 for violation of article 13) of the RGPD. REQUIRE: A.A.A., so that, within one month from this act of notification of the resolution, proceed to include legends in the documents that are provided to clients, in order to comply with the information duty of article 13 of the RGPD. NOTIFY: this resolution to A.A.A. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/12 In accordance with the provisions of article 50 of the LOPDPGDD, this Re- solution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDPGDD, and in accordance with the provisions of article 123 of the LPACAP, the The parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from the day after notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the additional provision Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction- administrative, within two months from the day after the notification tion of this act, as provided in article 46.1 of the aforementioned Law. Mar España Martí Director of the Spanish Agency for Data Protection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es