AN - 1861/2021: Difference between revisions
No edit summary |
|||
Line 63: | Line 63: | ||
According to the general principles of the procedural law for sanctioning proceedings, any defendant has the right to a trial period, a draft resolution, and a period for allegations, that the AEPD did not grant to the controller, as they did not respond to the initial notification. | According to the general principles of the procedural law for sanctioning proceedings, any defendant has the right to a trial period, a draft resolution, and a period for allegations, that the AEPD did not grant to the controller, as they did not respond to the initial notification. | ||
Additionally, the AEPD, in their initial assessment, only contemplated the violation of Article 9 (security of the data) of the [https://www.boe.es/buscar/act.php?id=BOE-A-1999-23750 former Spanish Data Protection Act], while in their resolution they also found a violation of Article 4 (quality of the data), but did not inform the controller about the allegations against them pursuant to | Additionally, the AEPD, in their initial assessment, only contemplated the violation of Article 9 (security of the data) of the [https://www.boe.es/buscar/act.php?id=BOE-A-1999-23750 former Spanish Data Protection Act], while in their resolution they also found a violation of Article 4 (quality of the data), but did not inform the controller about the allegations against them pursuant to the latter Article. | ||
Furthermore, the DPA conducted an on-site investigation on different premises than where the problem | Furthermore, the DPA conducted an on-site investigation on different premises than where the problem had originated - in order to assess and verify the security protocol of the controller - but did not inform the controller that they could assess other infringements in those other premises. | ||
According to Article 24 of the Spanish Constitution, defendants shall have the right to legal defence, to be informed about the allegations made against them, an to have the opportunity to prove themselves innocent, with whatever means of evidence. | According to Article 24 of the Spanish Constitution, defendants shall have the right to legal defence, to be informed about the allegations made against them, an to have the opportunity to prove themselves innocent, with whatever means of evidence. | ||
Also, according to Article 122(1) [https://www.boe.es/buscar/act.php?id=BOE-A-2008-979 Spanish DPA Bylaw], the DPA should carry out investigation activities that allow them to adequately determine the facts, identify the infringers, and identify all the relevant circumstances for the case, what the DPA failed to properly perform in this case, as they did not carry out all the necessary activities in a first place, and had to broaden their scope in a latter moment, without properly informing the defendant. | |||
The AN considered that there had been a serious restriction of the defendant's rights to defence, which rendered the decision, as well as the fine imposed, null and void. | The AN considered that there had been a serious restriction of the defendant's rights to defence, which rendered the decision, as well as the fine imposed, null and void. |
Revision as of 12:51, 9 June 2021
AN - 1861/2021 | |
---|---|
Court: | AN (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 122(1) Spanish DPA Bylaw Article 24 Spanish Constitution Article 24 Spanish Constitution |
Decided: | 16.02.2021 |
Published: | 03.06.2021 |
Parties: | CECOSA Hipermercados SL Agencia Española de Protección de Datos |
National Case Number/Name: | 1861/2021 |
European Case Law Identifier: | ECLI:ES:AN:2021:1861 |
Appeal from: | AEPD R/00423/2019 |
Appeal to: | |
Original Language(s): | Spanish |
Original Source: | CENDOJ (in Spanish) |
Initial Contributor: | n/a |
The Spanish National High Court annulled a fine issued by the Spanish DPA for violating both the Spanish procedural law for administrative sanctions, and the principle of the right to effective judicial protection enshrined in the Spanish Constitution.
English Summary
Facts
On 2019, the Spanish DPA (AEPD) fined a supermarket chain €100,000 for not implementing adequate measures to prevent the leakage of one of their security videos, that involved images from a well-known politician.
This AEPD decision was appealed before the Spanish National High Court (AN).
Holding
The AN concluded that the sanctioning proceeding carried out by the AEPD had not respected the procedural law for sanctioning proceedings nor the ethos of the right to effective judicial protection enshrined in the Spanish Constitution.
According to the general principles of the procedural law for sanctioning proceedings, any defendant has the right to a trial period, a draft resolution, and a period for allegations, that the AEPD did not grant to the controller, as they did not respond to the initial notification.
Additionally, the AEPD, in their initial assessment, only contemplated the violation of Article 9 (security of the data) of the former Spanish Data Protection Act, while in their resolution they also found a violation of Article 4 (quality of the data), but did not inform the controller about the allegations against them pursuant to the latter Article.
Furthermore, the DPA conducted an on-site investigation on different premises than where the problem had originated - in order to assess and verify the security protocol of the controller - but did not inform the controller that they could assess other infringements in those other premises.
According to Article 24 of the Spanish Constitution, defendants shall have the right to legal defence, to be informed about the allegations made against them, an to have the opportunity to prove themselves innocent, with whatever means of evidence.
Also, according to Article 122(1) Spanish DPA Bylaw, the DPA should carry out investigation activities that allow them to adequately determine the facts, identify the infringers, and identify all the relevant circumstances for the case, what the DPA failed to properly perform in this case, as they did not carry out all the necessary activities in a first place, and had to broaden their scope in a latter moment, without properly informing the defendant.
The AN considered that there had been a serious restriction of the defendant's rights to defence, which rendered the decision, as well as the fine imposed, null and void.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 JURISPRUDENCE Roj: SAN 1861/2021 - ECLI: ES: AN: 2021: 1861 Cendoj Id: 28079230012021100195 Organ: National Court. Contentious Chamber Headquarters: Madrid Section: 1 Date: 02/16/2021 Resource Number: 2031/2019 Resolution No.: Procedure: Ordinary procedure Speaker: EDUARDO MENENDEZ REXACH Type of Resolution: Sentence NATIONAL AUDIENCE Contentious-Administrative Chamber SECTION ONE No. Resource. 0,002,031 / 2019 Resource Type: ORDINARY PROCEDURE General Registration No.: 14814/2019 Applicant: CECOSA HIPERMERCADOS, SL Attorney: Mr. JOSÉ LUIS PINTO-MARABOTTO RUIZ Lawyer: D. JUAN PABLO RODRÍGUEZ-CURIEL ESPINOSA Defendant: DATA PROTECTION AGENCY State Attorney Speaker IImo. Sr .: D. EDUARDO MENÉNDEZ REXACH JUDGMENT No.: IImo. Mr. President: D. EDUARDO MENÉNDEZ REXACH Ilmos. Messrs. Magistrates: Mrs. FELISA ATIENZA RODRIGUEZ D. FERNANDO DE MATEO MENÉNDEZ Madrid, February 16, two thousand twenty-one. Considering the contentious-administrative appeal that before this Administrative Litigation Chamber of the National Court has promoted CECOSA Hipermercados SL, represented by the Attorney D. José Luis Pinto-Marabotto Ruiz, against the General State Administration, represented by the State Attorney, on sanction for serious infringement of the Data Protection Law. The President of this Section Iltmo. Mr. Eduardo Menéndez Rexach. I. FACTUAL BACKGROUND FIRST.- The contested act comes from the Director of the Spanish Agency for Data Protection and is the Resolution of December 2, 2018. 1 Page 2 JURISPRUDENCE SECOND.- Administrative contentious appeal filed before the Administrative Litigation Chamber of this National High Court, after the administrative file was admitted for processing and requested, transfer to the appellant to formalize the claim, requesting in the petition the estimate of the resource. THIRD.- Once the claim was presented, it was transferred to the State Attorney, with delivery of the administrative file for him to answer it and, once said answer was formalized, he requested in the petition that the appellant's claims be dismissed and the contested act confirmed as being in accordance with Right. FOUR.- Once the demand was answered, the trial was received, the proposal was practiced and admitted to instance of the plaintiff; After the presentation of conclusions by the parties and once the processing is completed, The proceedings were concluded for sentencing, signaling for voting and ruling on February 2, 2021 in which, indeed, it was voted and failed. II. FOUNDATIONS OF LAW FIRST. - The purpose of this appeal is the Resolution of December 2, 2018 (PS / 00336/2018), of the Director of the Spanish Data Protection Agency (AEPD), by which the applicant was imposed: - a fine of 100,000 euros as responsible for an infringement of art. 9 of Organic Law 15/1999, of 13 December, Protection of Personal Data (LOPD), classified as serious in article 44.3 h), in accordance with article 45.2, 4. b), c) and d) and 45.4 j) of the same Law. - a fine of 50,000 euros for an infraction of article 4.1, classified as serious in article 44.3 c), of in accordance with the provisions of article 45.2) and 45.4 f) and j) of the LOPD. SECOND.- The appellant requests that: A.- In relation to the sanction of 100,000 euros for an alleged violation of article 9 of the Organic Law 15/1999, Protection of Personal Data: 1.- Revoke the sanction in its entirety for not having infringed the aforementioned article 9; 2.- Subsidiarly to the foregoing, with partial estimation of the resource, in the event that the aforementioned has been infringed. Article 9, quantify the sanction within the range established for minor infractions, in application of the provided in article 45.5 LOPD, establishing a penalty of FIVE THOUSAND EUROS (5,000.- €), 3.- Subsidiarly to the foregoing, with partial estimation of the resource, in case of quantifying the sanction within of the range established for serious offenses, reduce the sanction to its minimum degree, that is, FORTY THOUSAND EUROS (€ 40,000), due to the lack of concurrence of any of the aggravating criteria contained in the article 45.4 LOPD; B.- Regarding the penalty of 50,000 euros for an alleged violation of article 4.1 of Organic Law 15/1999: 1.- Revoke the sanction in its entirety for not having infringed the aforementioned article 4; 2.- Subsidiarly to the foregoing, with partial estimation of the resource, in the event that the aforementioned has been infringed. Article 4, quantify the sanction within the range established for minor infractions, in application of the provided in article 45.5 LOPD, establishing a penalty of FIVE THOUSAND EUROS (5,000.- €), 3.- Subsidiarly to the foregoing, with partial estimation of the resource, in case of quantifying the sanction within of the range established for serious offenses, reduce the sanction to its minimum degree, that is, FORTY THOUSAND EUROS (€ 40,000), due to the lack of concurrence of any of the aggravating criteria contained in the Article 45.4 LOPD. In defense of his claim, he alleges that the resolution contains a series of facts that have nothing to do with it. with the inspection carried out in the Eroski hypermarket of the "Luz del Tajo" shopping center, in Toledo, on the 23rd of May 2018, but refers to the publication of some images recorded at the time in which a person of notorious public relevance allegedly stole certain objects from said center commercial, on May 4, 2011, whose publication had an important media relevance, on which no action was taken by the Agency. Regarding the violation of article 9 LOPD, it indicates that it did have legitimate documentary support for allow the contractor (OMBUDS) access to the organized set of data surrounding the treatment of the video surveillance file and article 12 of the Law does not require that it must be a contract independent of the rest of documents that regulate the relationship with a provider that accesses data; on the other hand, it has been proven that technical conditions of the service were agreed, details of the services to be provided by OMBUDS, two Page 3 JURISPRUDENCE general rules, cover letter, prevention activities and Operational Manuals with details of the level of service, and effective control of OMBUDS employees was not the responsibility of the claimant, but from his employer, with whom he hired the professional services, and with respect to his own employees, Eroski Luz del Tajo has different means, procedures and protocols that inform them on the treatment of data in the matter of video surveillance, adapted to the norms of the LOPD. He adds that Security measures applicable to the treatment are the basic ones, in the sense of article 81.1 of the Regulation LOPD, as it also results from the criteria of the "Video surveillance guide" published by the AEPD in 2009 and that the plaintiff had a security document that protocolizes and deals with video tasks surveillance; The Resolution, for its part, is limited to transcribing articles 89, 91 and 93 of the LOPD Regulation, without relate it to the facts derived from the inspection or formulate specific allegations; the fact that the establishment manager acknowledged that he was not aware of the existence of any protocol security and that on one of the monitors he had pasted a post-it containing the user code administrator and password, do not imply lack of access control measures or absence of functions or staff obligations, but rather unintended human errors, which do not represent the policy of the plaintiff in terms of data protection embodied, in this regard, in the terms and conditions of job. Regarding the physical access control referred to in article 99 of the LOPD Regulation, it would not apply as it corresponds to the basic level and, in any case, the inspection report reflects that "It is verified that In the establishment there is an area with restricted access only to staff in which the center is located security control, the intervention room, access to the central cashier area and customer service desk. client. Access to this area is through a door that is permanently closed and only The key is available to the team leader of the company that provides security services. door opening by means of a button located on the central box ", which shows that it is in an area of private access and not open to the general public that, in addition, is reinforced by the work of the security guards who control the access of visitors, so that the treatment or viewing of the Video surveillance cannot be done by just anyone, as stated in the Resolution that is not in accordance with the Law, for How much it has not been proven that there is an absence of security conditions in the premises and equipment. Even if the offense is considered to have been committed, the sanction imposed is disproportionate and does not None of the aggravating circumstances applied concur, but it is applicable, in the alternative, the provided in article 45.5 and apply the corresponding sanction to minor infractions specified in a a fine of 5,000 euros or, if the foregoing is not considered, impose the minimum serious fine. Regarding the violation of article 4.1 LOPD, consisting of having photographs of people suspected of theft, alleges that what was exposed on the walls (not visible to the general public but only in the Video Surveillance and Security Room of the Control Center) were images of people who in they had repeatedly committed thefts in hypermarkets operated by the applicant, generated by it, as well as photographs sent by different State Security Forces and Bodies, whose purpose was the security of goods and people and had their origin in the surveillance systems of CECOSA Hypermarkets SL, as the inspectors were able to verify; everyone who enters hypermarkets is duly informed of the capture of images by video surveillance, and that being a purpose such as that of security of goods and people, no express or explicit consent is required, which excludes infringement of article 4.1; Regarding the images sent by the State Security Forces and Corps, these are legitimized for the treatment and, where appropriate, to require the collaboration of commercial companies that operate establishments open to the public, so the only thing that must be assessed is whether the maintenance of these images is provided or not, so the article would be equally applicable 45.5 LOPD and impose, alternatively, a fine of 5,000 euros or, if it is not estimated, the corresponding minimum to serious infractions, according to the criteria of the Chamber expressed in the sentences that it cites. THIRD.- The representation of the defendant Administration, for its part, opposes that the appealed resolution it is in accordance with the law; Regarding the violation of article 9 LOPD, it has been proven that no there are protocols for action and handling of data resulting from access to the video surveillance system celebrated between the parties, the owner of the supermarket and OMBUDS, neither the employees are knowledgeable nor have they been informed of their obligations in this regard. In relation to the infringement of article 4.1, the images the author of a theft, obtained in the same or in another supermarket, cannot be collected or storage to avoid that in the future they can access the public establishment, but there is the Obligation to eliminate the images from video surveillance without the appellant having the authorization for the collection of these data. Regarding the principle of proportionality, it has been respected, in attention to the concurrent circumstances, for all of which he requests the dismissal of the appeal. FOURTH.- The contested resolution makes a list of the investigation actions carried out with reason for the publication in different media on April 25, 2018 "... of images 3 Page 4 JURISPRUDENCE from the recordings recorded by the video surveillance system installed in an establishment commercial of the EROSKI supermarket chain corresponding to events that occurred on 05/04/2011 " . report on said actions concludes that: "The lack of implementation of security controls adequate measures and the supervision of their effectiveness and compliance led, in May 2011, to the unauthorized exit of the recordings of the cameras of the video surveillance system that have been published in different communication media " (Report of previous inspection actions E / 02335/2018, Annex I 8., folios 1,123-1140 of the File); within the framework of this specific investigation and "in order to verify how realizes in practice the management of video surveillance systems, an inspection visit is carried out in a EROSKI hypermarket managed by CECOSA located within the "Luz del Tajo Shopping Center", in the municipality of Toledo " , as reflected in the Resolution of initiation of the sanctioning procedure (Sixth fact). Following this Resolution, notified to CECOSA by electronic means on March 5, 2019 and automatically rejected on the 16th of the same month and year, there is no record of the practice of other proceedings, the opening of the trial period or the proposed resolution and allegations of the company against the one that directs the procedure, until the contested resolution, notified and received on September 3, 2019. Under these conditions, it is clear that the rules established for the procedure have not been followed. sanctioner, whose essential principles and guarantees have been violated, which determines the nullity of the resolution, as will be discussed below. In the first place, the actions carried out in the investigation, initiated ex officio, of some facts in which, in principle, indications of infringement of article 9 LOPD could be appreciated, to sanction other different ones using the elements collected in the previous investigation, referred to a moment and in relationship with an establishment of the same organization that no longer existed; in the information request carried out at CECOSA, the open investigation actions are mentioned " In the framework of the actions practiced by the General Subdirectorate for Data Inspection initiated ex officio in order to clarify the circumstances that have led to the publication in various media on April 25, 2018, of information that reproduces images captured by video cameras intended for the security of one of the establishments of the EROSKI trademark, as shown in the press reports that attached ... " The reason why the inspection is carried out does not respond to the existence of indications of infringement of the data protection rules in the specific establishment where the inspection takes place, but " to the object to check in an EROSKI establishment that is operational how the management of video surveillance systems " (Report of previous inspection actions, cited); therefore, neither the those responsible for the center, nor those of CECOSA were informed of the possible existence of an infraction in the center of Toledo, since the reason for the initiation of the proceedings was not related to the operation of the surveillance system of this establishment, which the Agency recognizes in the response given to the person who appeared in the published images when he requested information, as interested, about said actions. FIFTH.- In accordance with the consolidated doctrine of the Constitutional Court (for all St. TC 82/2019, of 17 June), the constitutional guarantees established in article 24 of the Constitution are applicable, with certain nuances, to the administrative sanctioning procedures; among such guarantees is the right of defense, the right to be informed of the accusation and the right to use the evidence adequate in their defense. The correct exercise of this right requires due notification to the interested party of the initiation of the procedure, so that you can properly organize your defense, as well as the proper use of the previous investigation activities that, according to article 122.1 of the LOPD Regulation, have as object to determine if there are circumstances that justify the initiation of the sanctioning procedure and "will be aimed at determining, with the greatest possible precision, the facts that could justify the initiation of the procedure, identify the person or body that could be responsible and set the circumstances relevant that could concur in the case " . In this case, the investigative actions are initiated ex officio due to a breach of the principle of security of the data, related to the operation and custody of the video surveillance system of an establishment commercial located in the Vallecas neighborhood of this Capital, information requirements are persons and entities and an inspection is carried out in another establishment, of the same property, to determine how the management of video surveillance systems is carried out, without actually having any an indication that the system of that establishment, or of any other, except the one that occurred in May 2011 in the Vallecas disappeared already on the start date of the procedure, has given rise to a violation of the principle of security. 4 Page 5 JURISPRUDENCE Thus, the applicant, informed of the opening of the preliminary investigation into those recordings from 2011, published in 2018, provided the required information and facilitated the inspection visit to another establishment without being, in turn, informed of the possibility of being sanctioned for the infraction of said principle, let alone the commission of the second offense, to the principle of consent of the article 4.1 LOPD, which resulted from the inspection itself, which is not reflected until the resolution of initiation of the sanctioning procedure, several months after the inspection. In relation to the Initiation Agreement, it has already been said that it is the last action of the administrative procedure before the Resolution and that there is no record that it came to the knowledge of the interested party, although it is true that notified electronically in application of the provisions of article 43 of Law 39/2015, it also consists of the date of making available -March 5, 2019- but also the automatic rejection date -16 of March of the same year- and the referral data does not include the act in question but a generic "written", and no other attempts were made so that the content of the initiation reached the knowledge of the interested party; In addition, the provisions of article 89 of Law 39/2015 have been breached since the proposal was not notified resolution, eliminating the possibility of submitting allegations; This is so because, although article 64.2 f) of Law 39/2015 contemplates the possibility that, if allegations are not made within the term established on the content of the initiation agreement, it may be considered a resolution proposal when it contains a precise pronouncement about the imputed responsibility, this does not exempt the Administration from notifying the Agreement, this time as a proposed resolution, as indicated in the Agreement, with the aforementioned effects on your right of defense; On the other hand, all the acts of instruction are prior to the agreement of initiation, and the elements used in the Resolution to qualify the infractions already existed since the visit inspection of May 23, 2018, as is clearly deduced from the First and Second Fundamentals of the contested Resolution, and the sanctioning procedure does not formally begin until March 4 of 2019, which is contrary to the doctrine of the Supreme Court, expressed in the judgment of May 6, 2015 (R. 3438/2012) and the one cited in it, according to which: «[(] it is clear that a period of information prior, either it consisted in the simple development of some investigative or inspection proceedings, or in a period formally open as such, must necessarily be short and not conceal an artificial form of carry out acts of investigation and mask and reduce the duration of the subsequent file itself. This is so as soon as such preliminary investigative actions offer indications of the existence of an infraction, it is It is necessary to proceed with the opening of the corresponding file [...] '. In short, the circumstances set out allow us to consider that in this case there has been a serious restriction of the plaintiff's right to defense, which determines the nullity of the resolution, leaving without effect the sanctions imposed. SIXTH.- For all the above reasons, the appeal must be upheld and, in application of art. 139.1. of the law of this Jurisdiction, impose the costs of this appeal to the defendant Administration. WE FAILED FIRST.- To estimate the present appeal No. 2031/2019, filed by the Attorney Mr. Pinto-Marabotto Ruiz, in the representation it holds, against the Resolution of the Spanish Data Protection Agency described in the first Foundation of Law, which is annulled for being contrary to law, leaving the sanctions without effect imposed. SECOND.- Impose the defendant Administration the costs of the appeal. This judgment is subject to a cassation appeal that must be prepared before this Chamber within the term 30 days from the day following that of its non - fication; in the writing of preparation of the appeal, you must Proof of compliance with the requirements established in article 89.2. of the Jurisdiction Law justifying the objective appeal interest it presents. Thus, for this our judgment, testimony of which will be sent along with the administrative file to your office of origin for its execution, we pronounce it, send it and sign it. 5