APDCAT (Catalonia) - PS 49/2019: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 64: | Line 64: | ||
The school asked for the explicit consent of the parents of the students. In case a parent would not consent, the attendance data would be gathered manually, instead of via this system. | The school asked for the explicit consent of the parents of the students. In case a parent would not consent, the attendance data would be gathered manually, instead of via this system. | ||
The system was provided by a third party, the processor, with which they had not subscribed a processing agreement. | The system was provided by a third party, the processor, with which they had not subscribed a processing agreement. Also, the school could not prove that they had properly fulfilled the parents' right to be informed. | ||
Additionally, the school stopped using this system when the APDCAT launched their investigation. | Additionally, the school stopped using this system when the APDCAT launched their investigation. | ||
| Line 72: | Line 72: | ||
===Holding=== | ===Holding=== | ||
The APDCAT held that | |||
==Comment== | ==Comment== | ||
Revision as of 10:18, 30 March 2021
| APDCAT - PS 49/2019 | |
|---|---|
 | |
| Authority: | APDCAT (Catalonia) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(a) GDPR Article 9 GDPR Article 13 GDPR Article 28 GDPR |
| Type: | Investigation |
| Outcome: | Violation found |
| Started: | |
| Decided: | |
| Published: | 02.03.2020 |
| Fine: | None |
| Parties: | Institut Enric Borràs de Badalona |
| National Case Number/Name: | PS 49/2019 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Catalan |
| Original Source: | APDCAT decision (in CA) |
| Initial Contributor: | n/a |
The Catalan DPA (APDCAT) warned a public school for using biometric data (fingerprint and facial recognition system) to control the attendance of the students.
English Summary
Facts
A public school in Badalona installed a system for controlling the students attendance that used biometric data, including collection of fingerprints and facial recognition.
This system gathered the facial vectors of the 1st year of secondary education (it was only used with this grade), with an addition of the fingerprint data for twins, given that they have identical faces but different fingerprints.
The school asked for the explicit consent of the parents of the students. In case a parent would not consent, the attendance data would be gathered manually, instead of via this system.
The system was provided by a third party, the processor, with which they had not subscribed a processing agreement. Also, the school could not prove that they had properly fulfilled the parents' right to be informed.
Additionally, the school stopped using this system when the APDCAT launched their investigation.
Dispute
Can a school use biometric data to control the attendance of the students? Are they allowed to contract with a processor to do this?
Holding
The APDCAT held that
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
File identification
Resolution of the sanctioning procedure no. PS 49/2019, referring to the Institut Enric Borràs de
Badalona, dependent on the Department of Education.
Background
1. On 02/10/2019 the Inspection Area of the Catalan Data Protection Authority had
knowledge that, on 19/09/2019, the media Business Insider had published
the following news regarding the Institut Enric Borràs in Badalona (hereinafter, the institute):
Catalan Institute is using facial recognition to control class attendance, something for
which has been fined 19,000 euros by a Swedish school. "
2. The Authority opened a prior information phase (IP No. 262/2019), in accordance with
provides for Article 7 of Decree 278/1993, of 9 November, on the sanctioning procedure
applicable to the areas of competence of the Generalitat, and article 55.2 of Law 39/2015, of 1
October, of the common administrative procedure of public administrations (henceforth
hereinafter, LPAC), to determine whether the facts were likely to motivate the initiation of a
sanctioning procedure, the identification of the person or persons who may be
responsible and the relevant circumstances that concurred.
3. In this information phase, on 08/10/2019, the Authority carried out an act
inspection at the institute’s premises to verify certain aspects related to the
student facial recognition system. In that face-to-face inspection, the
representatives of the institute and the Department of Education stated, among others, the
Next:
- That the facial recognition system was installed from the 2011-2012 academic year.
- That the purpose pursued was to reduce absenteeism, by controlling the attendance of
students, as well as informing families immediately in case of absence.
- That the facial recognition system was only applied to 1st year ESO students. In
in relation to students in other courses, the control of attendance was done manually by
of teachers.
- That the system was suspended until the Authority ruled. This course was not available
initiated the control of the assistance by means of facial recognition. In the application you manage
attendance control began to load data from various students (goes
suspended before loading the entire list of students), but were not captured
vectors of his face.
- That the system allowed the unambiguous identification of people. The only problem is
identified two twins, but that goes away
Page 1 of 12 PS 49/2019
08008 Barcelona, 214, esc. A, 1r 1a
resolve by verifying your identity through your fingerprint
(All other students did not have to identify themselves through the fingerprint).
- At the beginning of the course, the student stood in front of one of the terminals, which collected the
vectors of his face making various movements. In turn, these vectors were associated
to the student’s code (it was a random but unique code for each student) and the phone number
of legal representatives.
- That in order to control their attendance, the student had to approach the terminal through which
his identity was recognized.
- That when it was detected that a student had not attended high school, before generating the notice
(SMS), it was checked if his family had warned him that he would not attend. Otherwise, the
the person managing the attendance control application activated the option to send the SMS
to their guardians. In the event that the family later contacts the institute, indicating that
the student had gone there, it was checked if he had attended in person (he was going to
look for the student in the class).
- That to the students of 1st of ESO, besides the control of assistance by means of recognition
facial, his class attendance was also monitored by passing list.
- That the data necessary to allow facial recognition were only preserved
during the 1st ESO course. In June, at the end of the course, the data was deleted.
- That this treatment was based on the consent of the legal representatives of
the students.
- That in the event that the legal representative of a student does not give consent or the
later withdrawn, that student’s attendance would be verified manually. Cap
the person had refused to give consent, nor had he withdrawn it.
- That with regard to the rest of the students of the institute, whose presence was not controlled
by facial recognition, the family was notified by telephone if they did not attend high school.
The same would be true if the consent of the parties was not obtained
legal representatives of a 1st year ESO student. This warning was not immediate as in the case
of the SMS sent to students subject to facial recognition.
- That the right to information became effective in the letter of educational commitment of the institute. In
this letter did not enable the possibility of legal representatives of minors
could express their refusal to process biometric data for purposes of
control of their children’s attendance through facial recognition.
- That the company installing the facial recognition system carried out the maintenance
of this system and intervened at the beginning of the course to load the data of the students (associate
the student’s code with the name).
- That no contract had been signed with the said company in charge of the processing.
- That this system made it possible to achieve the goal of reducing absenteeism.
- That another system is being evaluated for the next academic year to control attendance without
facial recognition.
- That there is a predisposition to act in accordance with the provisions of the regulations on the protection of
data.
Page 2 of 12 PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
Also, on the same date, the inspection staff of the Authority verified, between
others:
- That in the lobby of the institute (ground floor) there were 2 terminals installed to allow the
control of attendance through facial recognition. In turn, it was found that in the
corridors on the 1st floor there were also 2 more terminals, one of which also allowed the
fingerprint recognition.
- That the application that allowed to manage the time control system was “School Access
Attendance Control ”, which was installed on a computer located in the secretariat
from the high school. It was verified that, in the system there was the data referring to the name and surnames of
several students, the group (class), the user ID and the mobile of their tutor. It was found that the
students were listed as absent and all are part of 1st ESO. On the other hand, it is
verified that in order to access said application it was necessary to authenticate using
password.
Finally, the inspection staff collected the following documentation, which was handed over by the
representatives of the inspected entity:
- Copy of the letter of commitment signed by 2 legal representatives of 1st ESO students
(1 for the 2018-2019 academic year and the other 1 for 2019-2020).
- Copy of the image rights authorization form signed by 2 legal representatives (1
corresponding to the 2018-2019 academic year and the other 1 corresponding to 2019-2020).
- Copy of the technical specifications of the access control by means of systems
biometrics for facial recognition and two budgets.
- Various documentation relating to facial recognition terminals.
4. On 11/29/2019, the director of the Catalan Data Protection Authority agreed
initiate disciplinary proceedings against the institute, in the first instance, for an alleged infringement
provided for in Article 83.5.a), in relation to Articles 5.1.a) and 9; second, by a presumption
infringement provided for in Article 83.5.b), in relation to Article 13; and, thirdly, by a presumption
infringement provided for in Article 83.4.a), in relation to Article 28; all of them of the Regulation (EU)
2016/679 of the European Parliament and of the Council, of 27/4, relative to the protection of the people
with regard to the processing of personal data and the free movement of such data (in
forward, RGPD). This initiation agreement was notified to the imputed entity on
12/12/2019.
5. On 12/20/2019, the institute made allegations in the initiation agreement.
6. On 06/02/2020, the person instructing this procedure made a proposal
resolution, which proposed that the director of the Catalan Protection Authority of
The Institut Enric Borràs in Badalona was warned of the data as responsible, in the first place, for a
infringement provided for in Article 83.5.a) in relation to Articles 5.1.a) and 9; secondly, of a
Page 3 of 12 PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
infringement provided for in Article 83.5.b) in relation to Article 13; and third, an infringement
provided for in Article 83.4.a) in relation to Article 28 all of them of the RGPD. This proposal of
resolution was notified on 06/02/2020 and a period of 10 days was granted to formulate
allegations.
7. The deadline has been exceeded and no allegations have been made.
Proven facts
Of all the actions carried out in this procedure, the following are considered accredited
facts detailed below.
1. The Enric Borràs Institute in Badalona processed biometric data to control attendance at
educational center for 1st year ESO students.
To this end, in the 2011-2012 academic year he installed a facial recognition system to control
attendance at the school of 1st ESO students. And, in relation to two student people
who were twins, also monitored their attendance by fingerprint, attended to
that the facial recognition system did not guarantee its unambiguous identification.
This system controls attendance by facial recognition or fingerprinting
fingerprint remained active until the end of the 2018-2019 academic year. On 08/10/2019, the staff
Authority inspector verified that this system was no longer used for monitoring
attendance by 1st year ESO students (who were listed as absent).
2. In relation to the control of the attendance of the students of 1st of ESO by means of his
facial recognition or fingerprinting, the institute has not proven that the right has been enforced
of information to the representatives of the students of 1st of ESO during the course 2018-2019.
3. In 2011, the institute commissioned the installation of this system for monitoring the attendance of
1st year ESO students at the company Xip Solucions, SL; as well as its maintenance. He
maintenance of this system meant that, at the beginning of each course, its staff
company would upload student data to the system.
This order was not formalized in a contract or other legal act written with the
content required by Article 28.3 of the RGPD, and this was admitted by the person representing
the institute in the act of face-to-face inspection carried out on 08/10/2019.
Fundamentals of law
1. The provisions of the LPAC and Article 15 of Decree
278/1993, in accordance with the provisions of DT 2a of Law 32/2010, of 1 October, of the
Page 4 of 12 PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
Catalan Data Protection. In accordance with articles 5 and 8 of Law 32/2010, the
resolution of the sanctioning procedure corresponds to the director of the Catalan Authority of
Data Protection.
2. The accused entity has not made any allegations in the motion for a resolution, but it does
to do in the initiation agreement. In this regard, it is considered appropriate to repeat the following below
relevant to the instructor's reasoned response to these allegations.
2.1. About the news.
In its written allegations against the initiation agreement, the accused entity stated
than the figures published in the media on the cost of installing the
facial recognition system were not accurate; that easy recognition system goes
contribute to the improvement of absenteeism; that there was “no intentional misuse of the data of the
students"; and that it had already been agreed to make an educational platform change to manage
assistance.
In advance, it should be made clear that the institute did not question in its writing
of allegations before the initiation agreement nor the facts imputed, nor its qualification
legal.
That said, in terms of the cost of implementation or maintenance, this was a circumstance
irrelevant for the purposes of determining the alleged facts and their legal classification.
In relation to the lack of intentionality invoked by the institute, as stated by the person
instructor in the motion for a resolution, it is necessary to point out that the infringing rates
imputed in the present sanctioning procedure, do not require that the element of the
intentionality.
Regarding the improvement of absenteeism, it is not discussed here whether the recognition system
facial (and fingerprint) could help achieve this goal, but this could be achieved in
through other less intrusive means for the rights of 1st year ESO students, than not
involve the processing of special categories of data (such as biometric data).
Proof of the above is that with respect to other students, their attendance was controlled by
from teachers in high school or the classroom; as well as the presence in the classroom of the students of 1st of ESO
it was also verified by the teacher passing list (the controversial system verified the presence
of students in high school, but not in the classroom).
It should be noted that the Authority has already ruled on CNS opinion 63/2018, in the sense of considering
that the “principle of minimization is not manifested only in opting for alternatives that are not
involve the processing of personal data, or to carry out the processing of data in a manner
that the minimum necessary data be used, but it must also entail that if possible
achieve a certain purpose without having to process data from special categories, this
Page 5 of 12 PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
option must prevail over other options that do involve the treatment of such types
of data. ”
Apart from the above, in the present case the treatment was not based on any of the
exceptions set out in Article 9.2 of the RGPD, which must apply when dealing with
special categories of data, as in the present case.
Lastly, the decision to change the educational platform to manage the attendance of
the students, would come to corroborate that in the present case the treatment of was not necessary
special categories of data to control the attendance of students in the 1st year of ESO.
2.2. About the actions taken.
The accused entity then reported in its written allegations before the agreement
of initiation that the implementation of the system in this course was immediately suspended root
of news published in the media; that the terminals had been dismantled and
the whole installation; as well as the secretarial computer equipment was also disabled.
In this sense, as stated by the instructor in the motion for a resolution, all
the measures that the institute reported having implemented as a result of the face-to-face inspection carried out
on 08/10/2019 by the inspection staff of the Authority, must lead to it happening
unnecessary to require any corrective action to correct the effects of the infringements
imputed, as will be set forth below.
Also noteworthy is the good disposition of the institute to comply with the regulations
on data protection, suspending the facial / fingerprint recognition system as soon as possible
a piece of news was made public that questioned its suitability for the data protection regime;
as well as when following the intervention of the Authority in the framework of the information phase, it has decided
dismantle said system.
On the other hand, in its written allegations before the initiation agreement, the institute also indicated
that no family has "formally commented on the use of the recognition." In
this point, suffice it to say that this circumstance would not allow to consider that the
treatment of special categories of data was lawful (Article 9 RGPD).
3. In relation to the facts described in point 1 of the section on proven facts, both relating to
facial recognition as well as fingerprint recognition, violate the
principles of lawfulness (articles 5.1.a and 9 RGPD).
Article 5.1.a) of the RGPD regulates the principle of lawfulness determining that the data will be “processed
in a lawful manner (...) ”.
Page 6 of 12 PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
For its part, Article 9.2 of the RGPD, concerning the treatment of special categories of
provides that the prohibition of its treatment does not apply if one of the
following circumstances:
“A) the interested party gave his explicit consent for the treatment of such
personal data for one or more of the purposes specified, except when the
Union or Member State law provides that the prohibition
referred to in paragraph 1 may not be raised by the person concerned;
b) the treatment is necessary for the fulfillment of obligations and the exercise
specific rights of the controller or the data subject
in the field of labor law and social security and protection, to the extent that
as authorized by the law of the Union of the Member States or a
collective agreement under the law of the Member States which
establish adequate guarantees of respect for fundamental rights and
the interests of the interested party;
(c) the treatment is necessary to protect the vital interests of the person concerned or
another natural person, in the event that the interested party is not trained, physical
or legally, to give their consent;
(d) the processing is carried out, within the scope of its lawful activities and with
the due guarantees, by a foundation, an association or any other
non - profit organization, whose purpose is political, philosophical, religious or
provided that the treatment relates exclusively to members
current or former members of such bodies or persons who maintain contacts
with them in relation to their purposes and provided that personal data
do not communicate outside them without the consent of the interested parties;
e) the processing refers to personal data that the interested party has made
manifestly public;
(f) treatment is necessary for the formulation, exercise or defense of
claims or when the courts act in the exercise of their judicial function;
(g) treatment is necessary for reasons of essential public interest, above
the basis of Union or Member State law, which must be
proportional to the objective pursued, to respect in essence the right to
data protection and establish appropriate and specific measures for
protect the interests and fundamental rights of the person concerned;
h) treatment is necessary for the purposes of preventive or occupational medicine,
assessment of the worker's work capacity, medical diagnosis,
provision of health or social care or treatment, or management of the
health and social care systems and services, on the basis of law
of the Union or of the Member States or under a contract with a
healthcare professional and without prejudice to the conditions and guarantees contemplated
in section 3;
(i) the treatment is necessary for reasons of public interest in the field of
public health, such as protection against serious cross-border threats
Page 7 of 12 PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
for health, or to ensure high levels of quality and safety of the
health care and medicines or health products, on the basis
of Union or Member State law laying down measures
appropriate and specific measures to protect the rights and freedoms of the person concerned,
in particular professional secrecy,
j) the processing is necessary for archival purposes in the public interest, purposes of
scientific or historical research or statistical purposes, in accordance with the
Article 89 (1) on the basis of Union or State law
members, which must be proportionate to the aim pursued, respect in what
the right to data protection and to establish appropriate measures and
to protect the fundamental interests and rights of the
interested. ”
As indicated by the instructor, during the processing of this procedure has been
duly accredited the conduct described in point 1 of the section on proven facts (referring to
facial recognition and fingerprint recognition), which is constitutive of a
infringement provided for in Article 83.5.a) in relation to Articles 5.1.a) and 9; both of the RGPD.
Article 83.5.a) of the RGPD, classifies as an infraction, the violation of the “basic principles of
including the conditions for consent under Articles 5, 6, 7 and 9 ”,
including the lawfulness of the processing of special categories of data (articles
5.1.a and 9 RGPD).
For its part, this conduct has also been listed as a very serious violation of the article
72.1.e) of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), as follows:
“E) The processing of personal data in the categories referred to in the article
9 of Regulation (EU) 2016/679, without any of the circumstances
which provide for the aforementioned precept and Article 9 of this Organic Law. ”
4. With regard to the fact described in point 2 of the section on proven facts, regarding the violation of the right
information, reference should be made to Article 13 of the RGPD, which provides that:
“1. When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time they are obtained, you
provide all the information below:
(a) the identity and contact details of the person responsible and, where applicable, of his / her manager;
representative;
(b) the contact details of the data protection officer, if any;
c) the purposes of the processing for which the personal data are intended and the basis
legal status of treatment;
Page 8 of 12 PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
(d) where the treatment is based on Article 6 (1) (f), the
legitimate interests of the controller or a third party;
(e) the recipients or categories of recipients of the personal data, in
your case;
f) where applicable, the intention of the controller to transfer personal data to a
third country or international organization and the existence or absence of a
Commission adjustment decision, or, in the case of transfers
referred to in Articles 46 or 47 or the second subparagraph of Article 49 (1),
reference to the appropriate or appropriate guarantees and the means to obtain them
a copy of these or the fact that they have been lent.
2.In addition to the information referred to in paragraph 1, the head of the
processing will facilitate the interested party, at the time the data are obtained
personal information, the following information necessary to ensure treatment of
Fair and transparent data:
a) the period during which the personal data will be kept or, if not
possible, the criteria used to determine this deadline;
b) the existence of the right to request access to the controller
personal data relating to the data subject, and its rectification or deletion, or the
limitation of their treatment, or to oppose the treatment, as well as the right to
data portability;
(c) where the treatment is based on Article 6 (1) (a), or
Article 9 (2) (a), the existence of the right to withdraw the
consent at any time, without affecting the lawfulness of the
treatment based on prior consent for withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the communication of personal data is a legal or contractual requirement, or
a necessary requirement to sign a contract, and whether the interested party is obliged
to provide personal data and is informed of the possible consequences
that it does not provide such data;
f) the existence of automated decisions, including profiling, a
referred to in Article 22 (1) and (4) and, at least in such cases,
significant information on the logic applied, as well as the importance and the
expected consequences of such treatment for the data subject. (...) ”
In accordance with what has been stated, as indicated by the instructor, the fact contained in
point 2 of the section on proven facts constitutes the infringement provided for in article 83.5.b) of the RGPD,
which classifies as such the violation of “the rights of the interested parties under the articles
12 to 22 ”, among which is the right of information of the interested person contemplated in
Article 13 of the RGPD.
In turn, this conduct has also been listed as a very serious infraction in Article 72.1.h) of
the LOPDGDD, as follows:
Page 9 of 12 PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
“H) The omission of the duty to inform the affected party about the treatment of theirs
personal data in accordance with the provisions of Articles 13 and 14 of the
Regulation (EU) 016/679 and 12 of this Organic Law. "
5. With regard to the fact described in point 3 of the section on proven facts, regarding the lack of
contract in charge of the treatment, it is necessary to go to article 28.3 of the RGPD, which provides the
Next:
“3. The treatment by the manager will be governed by a contract or other legal act
in accordance with Union or Member State law, which links to
in charge of the person in charge and establish the object, the duration, the
nature and purpose of the processing, the type of personal data and categories
of stakeholders, and the obligations and rights of the person responsible. Said contract o
legal act shall stipulate, in particular, that the person in charge:
a) will process personal data only following instructions
documented by the responsible party, including with regard to transfers of
personal data to a third country or an international organization, unless
is required to do so under Union or Member State law
to be applied to the manager; in such a case, the person in charge will inform the person in charge
of that legal requirement prior to treatment, unless such right prohibits it by
important reasons of public interest;
(b) ensure that persons authorized to process personal data are
have committed to or are subject to confidentiality
obligation of confidentiality of a statutory nature;
(c) take all necessary measures in accordance with Article 32;
(d) respect the conditions set out in paragraphs 2 and 4 for recourse to another
in charge of treatment;
e) assist the person in charge, taking into account the nature of the treatment, through
appropriate technical and organizational measures, whenever possible, for
that it can fulfill its obligation to respond to requests that
have as their object the exercise of the rights of interested parties established in
Chapter III;
f) help the person in charge to ensure compliance with the obligations
set out in Articles 32 to 36, taking into account the nature of the
treatment and information available to the manager;
g) at the choice of the person responsible, will delete or return all personal data
once the provision of treatment services is completed, and will eliminate them
existing copies unless data retention is required
under Union or Member State law;
h) make available to the person in charge all the information necessary for
demonstrate compliance with the obligations set forth herein
article, as well as to allow and contribute to the performance of audits,
Page 10 of 12 PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
including inspections, by the manager or another authorized auditor
by said person in charge.
In relation to the provisions of letter h) of the first paragraph, the manager
he shall immediately inform the person responsible if, in his opinion, an instruction
infringes this Regulation or other protection provisions
data of the Union or of the Member States. "
In accordance with what has been stated, as indicated by the instructor, the fact contained in
point 3 of the section on proven facts constitutes the infringement provided for in article 83.4.a) of the RGPD,
which typifies as such, the violation of “the obligations of the person in charge and the person in charge according to
of articles 8, 11, 25 to 39, 42 and 43 ”, among which is the one provided for in article 28 RGPD.
In turn, this conduct has also been listed as a serious violation of Article 73.k) of
the LOPDGDD, as follows:
“K) To entrust the processing of data to a third party without prior formalization
of a contract or other legal act written with the content required by the article
28.3 of Regulation (EU) 2016/679. ”
6. Article 77.2 LOPDGDD provides that, in the case of offenses committed by those responsible or
managers listed in art. 77.1 LOPDGDD, the competent data protection authority:
"(...) he must issue a resolution sanctioning them with a reprimand. The
resolution shall also set out the measures to be taken for it to cease
conduct or correct the effects of the offense that has been committed.
The decision must be notified to the controller or controller, a
the body on which it depends hierarchically, where applicable, and those affected who have the
interested party, if any. ”
In terms similar to the LOPDGDD, article 21.2 of Law 32/2010, determines the following:
“2. In the case of offenses committed in relation to publicly owned files, the
director of the Catalan Data Protection Authority must issue
a resolution declaring the infringement and setting out the measures to be taken for
correct its effects. In addition, it may propose, if necessary, the initiation of actions
disciplinary action in accordance with current legislation on the scheme
disciplinary action of staff in the service of public administrations. This one
resolution must be notified to the person responsible for the file or processing, a
the person in charge of the treatment, if applicable, to the body on which they depend and to the
affected people, if any ”.
In the present case, as stated by the instructor in the motion for a resolution, no
it is appropriate to propose no requirement for corrective action to correct the effects of the
Page 11 of 12 PS 49/2019
Carrer Rosselló, 214, esc. A, 1r 1a
08008 Barcelona
imputed infractions, since the institute has dismantled the facial recognition system and
fingerprint.
Resolution
For all this, I resolve:
1. To admonish the Enric Borràs Institute of Badalona as responsible for three infractions: one
infringement provided for in Article 83.5.a) in relation to Articles 5.1.a) and 9; another infraction
provided for in Article 83.5.b) in relation to Article 13; and a third violation under the article
83.4.a) in relation to Article 28, all of them of the RGPD.
No corrective action is required to correct the effects of the infringement, in accordance with
which has been set out in the 6th foundation of law.
2. Notify the institute of this resolution.
3. Communicate the resolution issued to the Catalan Ombudsman, in accordance with the provisions
Article 77.5 of the LOPDGDD.
4. Order that this resolution be published on the Authority’s website (apdcat.gencat.cat), of
in accordance with Article 17 of Law 32/2010, of 1 October.
Against this resolution, which terminates the administrative procedure in accordance with articles 26.2 of the
Law 32/2010, of 1 October, of the Catalan Data Protection Authority, and 14.3 of Decree
48/2003, of 20 February, approving the Statute of the Catalan Agency for the Protection of
In this case, the accused entity may, on an optional basis, lodge an appeal for reversal
the director of the Catalan Data Protection Authority, within one month from
the day after its notification, in accordance with the provisions of Article 123 et seq
the LPAC. You can also lodge an administrative appeal directly with the courts
administrative disputes, within two months from the day after its
notification, in accordance with articles 8, 14 and 46 of Law 29/1998, of 13 July, regulating
administrative contentious jurisdiction.
If the accused entity expresses to the Authority its intention to lodge a contentious appeal
administrative against the firm resolution in administrative way, the resolution will be suspended
precautionarily in the terms provided for in Article 90.3 of the LPAC.
Likewise, the defendant entity may file any other appeal it deems appropriate for
defend their interests.
The director,
Page 12 of 12
