AEPD (Spain) - EXP202201681: Difference between revisions
From GDPRhub
Saineybelle (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202201681 (PS/00345/2022) |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00345-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_So...") |
(I elaborated further on the legal reasoning and the facts.) |
||
| Line 67: | Line 67: | ||
}} | }} | ||
The Spanish DPA fined a controller | The Spanish DPA fined a controller €5,000 due to the conflicts of interest in the exercise its DPO's tasks. In addition, it issued a fine of €8,000 for lack of information on its website and €1,000 for the use of third-party analytical cookies without consent. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 21 December 2021, a data subject filed a complaint with the Spanish alleging a number of data protection violations by the Official College of Architects of Granada, the controller. | |||
In particular, the data subject argued that: a) the controller failed to inform the supervisory authority about the appointment of its DPO, pursuant to Article 34(1)(a) LOPDGDD; b) there was a conflict of interest between the functions performed by the person appointed to the position of DPO; c) there was a lack of adequate information in the controller's privacy policy; d) the controller was using non-essential cookies on its website without obtaing consent. | |||
The DPA opened an investigation on the controller and notified it to present its defense. In response, the controller recognized that it was necessary to adapt its privacy and cookies policy, but claimed to be already conducting audits and implementing corrective measures. Regarding the alleged conflict of interests, the controller maintained that it was a mere presumption, not concretely demonstrated. However, it reported that it appointed a new person for the position. | |||
The DPA proceeded with the investigations and visited the controller's website to collect evidence. | |||
=== Holding === | === Holding === | ||
The | The DPA highlighted the relevance of the DPO for ensuring compliance with data protection regulations. It recalled this position is regulated in [[Article 37 GDPR|Articles 37 to 39 GDPR]], provisions that were interpreted by Article 29 Working Party in the [https://ec.europa.eu/newsroom/article29/items/612048 Guidelines on Data Protection Officers]. In addition to advice, the DPO fulfills other important functions such as carrying out DPIAs and internal inspections and being the point of contact with the supervisory authority. To adequately perform these tasks, independence is essential. In this sense, [[Article 38 GDPR#3|Article 38(3) GDPR]] provides that the DPO shall not receive instructions, be dismissed or or punished by the controller/processor for exercising its functions. | ||
As a general rule, conflicting positions within an organisation may include senior management positions (such as chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of human resources or head of the IT department), but also other positions lower down in the organisational structure if such positions lead to the determination of the means and purposes of the processing of personal data. For instance, a conflict of interest may arise if a DPO is asked to represent the controller or processor in court in data protection cases. | |||
In the case at hand, the DPA found that the position held by the person appointed as the DPO was incompatible with the performance of these tasks as it could lead to the determination of the purposes and means of data processing. Therefore, it found a violation of [[Article 38 GDPR#6|Article 38(6) GDPR]]. | |||
Furthermore, the DPA confirmed that the complaints sheet available on the controller's website did not provide all the necessary information required by [[Article 13 GDPR|Article 13 GDPR.]] | |||
Finally, the DPA emphasized that, in its Opinion 4/2012 on cookie consent exemption, the Article 29 WP considered that cookies such as “user input cookies” (those used to fill in forms or to manage a shopping basket); “authentication” or “user identification cookies” (session); “user security cookies (those used to detect erroneous and repeated attempts to connect to a website)”; “media player session cookies”; “load balancing session cookies”; “user interface customization cookies”; and some plugins to exchange social content do not require consent to be used. However, after browsing the website, the DPA concluded that the controller installed analytical third-party cookies that were not described in its policy, which is not covered by the consent exemption. For this reason, the DPA found a violation of [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Article 22(2) LSSI]. | |||
In light of the above violations, DPA has imposed the following fines: | |||
- €5,000 for the violation of [[Article 38 GDPR#6|Article 38(6) GDPR]]; | |||
- €8,000 for the violation of [[Article 13 GDPR|Article 13 GDPR;]] | |||
- €1,000 for the violation of [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Article 22(2) LSSI.] | |||
== Comment == | == Comment == | ||
Revision as of 15:11, 8 August 2023
| AEPD - EXP202201681 (PS/00345/2022) | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 12 GDPR Article 13 GDPR Article 37(5) GDPR Article 34(1)(a) |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 21.12.2021 |
| Decided: | |
| Published: | |
| Fine: | 14000 EUR |
| Parties: | COLEGIO OFICIAL DE ARQUITECTOS DE GRANADA |
| National Case Number/Name: | EXP202201681 (PS/00345/2022) |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Sainey Belle |
The Spanish DPA fined a controller €5,000 due to the conflicts of interest in the exercise its DPO's tasks. In addition, it issued a fine of €8,000 for lack of information on its website and €1,000 for the use of third-party analytical cookies without consent.
English Summary
Facts
On 21 December 2021, a data subject filed a complaint with the Spanish alleging a number of data protection violations by the Official College of Architects of Granada, the controller.
In particular, the data subject argued that: a) the controller failed to inform the supervisory authority about the appointment of its DPO, pursuant to Article 34(1)(a) LOPDGDD; b) there was a conflict of interest between the functions performed by the person appointed to the position of DPO; c) there was a lack of adequate information in the controller's privacy policy; d) the controller was using non-essential cookies on its website without obtaing consent.
The DPA opened an investigation on the controller and notified it to present its defense. In response, the controller recognized that it was necessary to adapt its privacy and cookies policy, but claimed to be already conducting audits and implementing corrective measures. Regarding the alleged conflict of interests, the controller maintained that it was a mere presumption, not concretely demonstrated. However, it reported that it appointed a new person for the position.
The DPA proceeded with the investigations and visited the controller's website to collect evidence.
Holding
The DPA highlighted the relevance of the DPO for ensuring compliance with data protection regulations. It recalled this position is regulated in Articles 37 to 39 GDPR, provisions that were interpreted by Article 29 Working Party in the Guidelines on Data Protection Officers. In addition to advice, the DPO fulfills other important functions such as carrying out DPIAs and internal inspections and being the point of contact with the supervisory authority. To adequately perform these tasks, independence is essential. In this sense, Article 38(3) GDPR provides that the DPO shall not receive instructions, be dismissed or or punished by the controller/processor for exercising its functions.
As a general rule, conflicting positions within an organisation may include senior management positions (such as chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of human resources or head of the IT department), but also other positions lower down in the organisational structure if such positions lead to the determination of the means and purposes of the processing of personal data. For instance, a conflict of interest may arise if a DPO is asked to represent the controller or processor in court in data protection cases.
In the case at hand, the DPA found that the position held by the person appointed as the DPO was incompatible with the performance of these tasks as it could lead to the determination of the purposes and means of data processing. Therefore, it found a violation of Article 38(6) GDPR.
Furthermore, the DPA confirmed that the complaints sheet available on the controller's website did not provide all the necessary information required by Article 13 GDPR.
Finally, the DPA emphasized that, in its Opinion 4/2012 on cookie consent exemption, the Article 29 WP considered that cookies such as “user input cookies” (those used to fill in forms or to manage a shopping basket); “authentication” or “user identification cookies” (session); “user security cookies (those used to detect erroneous and repeated attempts to connect to a website)”; “media player session cookies”; “load balancing session cookies”; “user interface customization cookies”; and some plugins to exchange social content do not require consent to be used. However, after browsing the website, the DPA concluded that the controller installed analytical third-party cookies that were not described in its policy, which is not covered by the consent exemption. For this reason, the DPA found a violation of Article 22(2) LSSI.
In light of the above violations, DPA has imposed the following fines:
- €5,000 for the violation of Article 38(6) GDPR;
- €8,000 for the violation of Article 13 GDPR;
- €1,000 for the violation of Article 22(2) LSSI.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/60
Procedure No.: EXP202201681 (PS/00345/2022)
RESOLUTION OF THE SANCTION PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency before
the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA, with CIF.: Q1875003D,
owner of the website, www.coagranada.es/ (hereinafter "the claimed party"), in
by virtue of the claim filed by A.A.A., (hereinafter, "the claiming party"),
for the alleged violation of data protection regulations: Regulation (EU)
2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection
of Natural Persons with regard to the Processing of Personal Data and the
Free Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5,
Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD),
and Law 34/2002, of July 11, on Services of the Information Society and
Electronic Commerce (LSSI) and attending to the following:
BACKGROUND
FIRST: On 12/21/21, he entered this Agency, through the Council of
Transparency and Data Protection of the Junta de Andalucía, document presented by
the claimant, in which he indicated, among other things, the following:
"It has been observed how the College repeatedly fails to comply with the
current regulations on the protection of personal data,
thus endangering the privacy of the data of the members and therefore
Your rights.
The first of the facts on which the present claim is formulated,
refers to the absence of communication from the Data Protection Officer
of the Official College of Architects of Granada to the Council of Transparency and
Data Protection of Andalusia. Remember that according to the law
current (Art. 34.1.A. of the LOPDGDD) the Professional Associations are
obliged to designate a Data Protection Officer and therefore
notification to the competent body, in this case the Council of
Transparency and Data Protection of Andalusia.
Likewise, and in relation to the appointment of Delegate for the Protection of
Data, according to the accompanying document (Document
nº1), the Governing Board of the College, in a session held on April 11,
2019 adopted the following agreement: "Appoint *** POSITION 1 of the College
Architects Officer as Data Protection Delegate for the College
of Architects”
Regardless of whether the appointment could violate the requirements
fixed by art. 37.5 of the GDPR, related to the qualities and knowledge of the
DPD, what does seem evident is that said appointment could
contravene the postulates of the Working Group of Art. 29 when in its
document "Guidelines on Data Protection Delegates" indicate
that the organization must guarantee the absence of conflict of interest in the
figure of the DPD whenever it provides other functions, noting that "the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/60
DPD cannot hold a position in the organization that leads him to determine the
purposes and means of processing.
At the web address https://coagranada.es/quejas-y-reclamaciones/
corresponding to the website of the Official College of Architects of Granada,
There are two links for downloading the respective forms for the
formulation of complaints and claims, being able to observe in said
printed (Documents No. 2 and 3) the existence of a privacy policy that does not
meets all the requirements of the arts. 12 and 13 of the GDPR and what
is more serious, it is indicated as Responsible for the Treatment to the
*** POSITION 1 of the College, an issue that generates clear misinformation in
interested parties, since as you know the body to which I am addressing the
Responsible for the Treatment is not ***POSITION.1 but the College itself
Official Architects of Granada, which can generate an obvious
confusion and misinformation to stakeholders. It is even more serious, when the
position of DPD and the GDPR falls on the same person, the ***POINT.1 of the
School.
The web page https://coagranada.es/ presents an informative notice about
cookies that violates the latest guidelines of the AEPD since according to
indicates in said informative notice that the mere use of the website implies the
Acceptance for the installation of cookies.
The privacy policy of the website of the Official College of Architects of
Granada, which is available at the following web address
(https://coagranada.es/politica-de-privacidad-y-tratamiento-de-datos/
(Document No. 4) has the following deficiencies: 1.- The data is not indicated
Contact information for the Data Protection Officer. 2.- Incorrect application of
the legitimizing basis of consent in section 5 of the policy, by
choose this basis as the one that legitimizes the processing of personal data
derived from the sending of emails, without stating a mechanism of
expression of consent that meets the established requirements
by current legislation. 3.- There is no clear and unequivocal identification of the
legitimizing bases of data processing, since in section 3 of
said policy literally states "Consent will always be required
for the processing of your personal data that may be for one or more
specific purposes about which prior information will be given with absolute
transparency". However, later in section no. 6 of the web,
other legitimizing bases other than consent are detailed, producing
confusion about the true legitimizing bases applied by the entity.
Likewise, it was possible to appreciate the existence of privacy policies not
adapted to current regulations (eg visa application form that is
attached as Document No. 5).
Finally, it is wished to state that, as stated in the
letter addressed to the Official College of Architects of Granada on 03-23-
2021 (Document No. 6), there are well-founded reasons to believe that the
disciplinary proceedings conducted by the College do not enjoy the
corresponding technical and organizational measures that guarantee the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/60
confidentiality and integrity of the personal data contained in the
themselves, since there is no record of incorporation of documents or
proceedings to the file.
The claim document is accompanied by the following relevant documentation for the
present procedure:
- Copy of the document that A.A.A., collegiate ***COLEGIADO.1, sends to the
claimant, on 08/30/21, where, among others, you can read:
or "(...) The Governing Board of the College in its session held on
April 2019 adopted, among others, the following agreement: "(AIG)
04.11.19/08.- DESIGNATE THE *** POSITION. 1 OF THE OFFICIAL ASSOCIATION
OF ARCHITECTS AS DELEGATE OF PROTECTION OF
DATA FOR THE SCHOOL OF ARCHITECTS.” therefore i can
inform you that, currently, the Data Protection Officer of the
Official College of Architects of Granada is his *** POSITION. 1 D.
B.B.B. (…)”.
- Copy of the "Complaint Sheet" of the Official College of Architects of
Granada where you can read, among others, the following information with
Regarding the data protection policy:
o Official College of Architects of Granada. Plaza de San Agustin Nº3,
18001 Grenada. General Secretary . Area of Attention to the Collegiate and
to user. The data collected will form part of the File of the
COAGRANADA, being Responsible for ***POINT.1 of the same, to
who will have to address in writing in the case of exercising the rights
of access, opposition, rectification and cancellation, in accordance with the
L.O.P.D.
- Copy of the "Visa Application" addressed to the Dean of the Official College of
Architects of Granada, where you can read, among others, the following
Information regarding the data protection policy:
o In accordance with the provisions of LO 15/1999 on Data Protection of
Personal character, the existence of a file is reported
automated whose purpose is the provision of the requested service. The
Applicants expressly consent to the
treatment and transfer of existing data in the automated file
to the various Spanish Official Colleges of Architects and to other
administrative bodies, for the purposes related to the function of
visa. Signatories may exercise the right of access,
rectification, opposition and cancellation in writing before the C.O.A. of
Granada, with address at Plaza de San Agustín Nº 3, 18001 Granada,
email coagranada@coagranada.org
SECOND: On 03/03/22, in accordance with the provisions of article 65.4
of the LOPDGDD Law, by this Agency, said claim was transferred
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/60
to the claimed party, to proceed with its analysis and report, within a period of
month, about what was stated in the claim document.
THIRD: On 04/01/22, the claimed party filed a response brief
to the request made by this Agency, in which, among others, it stated:
"Specifically, the claimant refers to the text of the Legal Notice of
First Layer in relation to the Cookies Policy, which, as of the date of the
claim, 12/21/21, showed: https://coagranada.sedelectronica.es/
“We use cookies to ensure that we give the best user experience
on our website. If you continue to use this site we will assume that you agree
agreement I accept.”
This First Layer Legal Notice was located at the bottom of the screen,
and the formula to obtain consent was exclusively by pressing the
"I accept" button, that is, by means of an unequivocal action carried out by the
user. However, when you continue browsing, the Initial Notice of
First Layer kept appearing in case the user wanted to
consult the Cookies Policy, which was found in the link located in the
expression highlighted in orange we will assume that you agree. In its
moment, it was interpreted that, by continuing to browse, the user was showing
according to the notice provided.
On March 29, 2022, this College contacted the company
specialized in data protection adaptation services, the entity
"PSN Sercon S.L.U.", which has analyzed and made a preliminary report on
potential irregularities on the COA website, report attached
to this document as annex I (INITIAL ANALYSIS OF THE OFFICIAL SCHOOL WEB
OF ARCHITECTS OF GRANADA) in which the main
non-compliances detected in a first approximation to the process of
regularization and adaptation to the current regulatory framework on data protection
and other legislation applicable to the COA Granada website.
The work to adapt the Privacy Policy has already begun
of the COA Granada website and its Cookies Policy, as can be
check on the links:
https://coagranada.es/politica-de-privacidad-y-tratamiento-de-datos/
https://coagranada.es/politica-sobre-recogida-y-tratamiento-de-cookies/
They indicate that work is being done to update and adapt them to
current legislation. Efficacy controls referred to the Privacy Policy
Privacy, the COA Granada, with the assistance of the entity PSN Sercon SLU,
Currently they are the following:
A redesign of the Privacy Policy and its Registry is being carried out
of Treatment Activities following the criteria of the Document "Informe
on Internet Privacy Policies, Adaptation to the GDPR”, 2018- AEPD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/60
An annual audit program has been established, in line with the
principle of proactive responsibility of art. 24.1 of the GDPR
In relation to the measures adopted for the adequacy of the use of
cookies to the applicable regulations on data protection, since
The First Layer of Cookies Notice has been modified, following the
guidelines of the Document "Guide on the use of Cookies", published by the
AEPD 2020.
An audit of existing cookies on the website of the
COA Granada, with the use of the tools recommended by the
National Institute of Cybersecurity, INCIBE, https://www.incibe.es/protege-tu-
company/blog/are-cookies-and-show-them-website for, later,
carry out an analysis of its usefulness, necessity and validity. The result of
this analysis is in the process of elaboration.
Likewise, the mechanism to collect the
consent, replacing it with a banner with the indications established
by the applicable regulations: ownership of the website, purpose of cookies,
existence of third-party cookies and the possibility of configuring cookies,
rejection and acceptance of them.
The Official College of Architects of Granada, through its Governing Board
chaired by the Dean who signs this document, recognizes the
need to adapt the cookie policy and its privacy policy. Is by
For this reason, on March 30 of this year, it was decided to start
immediately of the work of adequacy and adaptation of the aspects
required by that AEPD in order to comply with the provisions
both in the LOPDGDD, as well as in the RGDP and the LSSI.
Consequently, by virtue of all of the foregoing, and given that the
COAGranada, is in the process of implementing the measures
corrective measures on its own initiative, respectfully requests that the
FILE of the Claim that has given rise to File 202201681
This has been the criteria maintained by the Spanish Agency for the Protection of
Data in its Resolution R/00461/2019 -Procedure No.: A/00013/2019.
“Well, in view of the aforementioned circumstances, it is considered necessary
emphasize that the National Court, in its Judgment of November 29,
2013, (Rec. 455/2011), Sixth Legal Basis warns, regarding
the legal nature of this figure, which despite referring to the warning
regulated in article 45.6 of Organic Law 15/1999, of December 13,
Protection of Personal Data (LOPD) has full application to the
warning regulated by the LSSI, which "does not constitute a sanction" and which is
It deals with "corrective measures for the cessation of the constitutive activity of the
infraction" that replace the sanction. The Judgment understands that the article
45.6 of the LOPD (these considerations must be understood as done, so
here it concerns article 39 bis, 2 of the LSSI) confers on the Spanish Agency
of Data Protection a "power" different from the sanctioner whose
exercise is conditioned to the concurrence of special circumstances
described in the precept
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/60
In congruence with the nature attributed to awareness -as a
alternative to the sanction when, given the circumstances of the case, the subject
of the infringement is not deserving of that- whose object is the imposition of
corrective measures, the aforementioned SAN concludes that when the measures
pertinent corrective measures had already been adopted, what is appropriate in Law
It will be to agree on the File of the proceedings.
In the present case, taking into account that the corrective measures that
would proceed to impose were already adopted on its own initiative, and that it has been
verified that cookies are not currently installed on the analyzed website,
in harmony with the pronouncement of the National Court included in the
SAN of 11/29/2013 (Rec. 455/2011) must agree to file the
proceedings of this proceeding”.
It is also worth mentioning Resolution R/03132/2016, of December 19, of that
Spanish Data Protection Agency-Procedure No.: A/00411/2016-:
“In congruence with the nature attributed to awareness as a
alternative to the sanction when, given the circumstances of the case, the subject
of the infringement is not deserving of it, the Judgment of the Hearing
The cited National concludes that when the corrective measures object of the
warning had already been adopted by the offender, what is appropriate in
The right is to agree to file the proceedings.
In view of the pronouncement contained in the Judgment of the Hearing
National of 11/29/2013 (Rec. 455/2011), subsequently reinforced in its
Judgment dated 06/10/2014 (RJCA 2014, 571) (Rec. 166/2013), references
to the cases in which the subject responsible for the infringement has adopted
the appropriate corrective measures to remedy the situation created, and in
harmony with what has been indicated, the proceedings must be filed
practiced.”. And, likewise, the Resolutions of that AEPD R/02863/2016 of
December 14 - Procedure No.: A/00242/2016-, R/02906/2015 of December 17
November- Procedure No.: A/00172/2015- or R/00001/2015 of 145 of
January- Procedure No.: A/00289/2014.
The Judgment of the National Court (Chamber of Administrative Litigation,
Section 1) of November 29, 2013 - JUR 2014\14399-established the following:
"However, given that it was proven that the denounced by initiative
itself had already adopted a series of corrective measures , which it communicated to
the Spanish Data Protection Agency, and that it had verified that
the data of the complainant were no longer locatable on the website of the accused, the
Spanish Data Protection Agency did not consider it appropriate to impose on the
denounced the obligation to carry out other corrective measures, therefore
that it did not agree to any requirement in this regard to it. Remember that at
having knowledge of the complaint, the denounced entity, proceeded by
own initiative to go to Google to remove the URL where
reproduced the Magazine and the article, to ask their collaborators to
remove any names from their articles or any other information
likely to appear personal data and that they review the appointments in the private area
of the web to delete any other sensitive data, and, finally, to review the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/60
configuration of the accesses so that the search engines did not have access to the
Journals.
Consequently, if the AEPD considered that the corrective measures had already been
pertinent in the case, how it happened, as expressed in the resolution
appealed, the appropriate administrative action in law was the file of
the proceedings, without making any warning or request to the
denounced entity, as this is deduced from the correct interpretation of the
Article 45.6 of the LOPD, taking into account its systematic and teleological interpretation."
Judgment no. 447/2016 of 23
September and no. 363/2016 of July 8, issued by the National Court
(Contentious-Administrative Chamber, Section 1)-RJCA 2016\1072 and JUR
2016\166417- "Consequently, when, as occurs in the case that we
occupies, given the circumstances of the case and, in particular, the nature of
the facts and the significant concurrence of the criteria established in the
fifth paragraph of article 45 of the LOPD, it is estimated that the subject
responsible for the infringement is not deserving of the sanction provided for the
itself, and that in its place the obligation to carry out
certain corrective measures, proceeding therefore the application of the
article 45.6 of the LOPD, there is no room for the imposition of any "warning"
as a sanctioning measure. On the contrary, what proceeds in
such a case is to "warn" or require the responsible subject in order to comply in the
term indicated with such obligation, as is clear from the
interpretation of the legal precept examined>> . In the same sense, it
Pronounce S October 17, 2014 (JUR 2014, 267483) -appeal No.
150/2013 -, May 8, 15 (JUR 2015, 154993) -appeal No. 122/2014 -, and July 8
of 2016 (JUR 2016, 166417) -appeal No. 242/2014 -
Therefore, based on the foregoing, it is not applicable, as claimed by the
plaintiff, the warning, instead of the financial sanction imposed, since
As has been reflected, the warning included in the LOPD does not have
punitive nature”.
FOURTH: On 07/27/22, this Agency accessed the document
"Collective Complaints and Claims Sheet": https://coagranada.es/wp-content/
uploads/2021/02/Hoja_queja_reclamaciones_colegiados_V02.pdf , where you can
read, at the bottom of it, below the form, the following legend:
“Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001
Grenade. General Secretary . Area of Attention to the Collegiate and to the User.
The data collected will form part of the COAGRANADA File, being the
Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing
in the case of exercising the rights of access, opposition, rectification and
cancellation, in accordance with the L.O.P.D.”
FIFTH: On 07/27/22, this Agency accessed the website
https://www.coagranada.es/ verifying in it, the following characteristics
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/60
regarding the processing of personal data, about its "Privacy Policy" and about
its “Cookie Policy”:
a).- Regarding the obtaining of the personal data of the users of the page
Web:
1º.- Through the link <<contact>>, located at the top of the page
main page, the web displays a form where you can enter personal data
of users such as name, email and subject.
In order to send the form, the user must necessarily click on the option:
_ I have read and accept the <<Privacy Policy>> <<send>>
b).- About the "Privacy Policy" on the website
If you wish to access the "Privacy Policy" through the existing link in the
contact form or through the existing link at the bottom of the page
main, the web redirects the user to a new page https://coagranada.es/politica-
de-privacidad-y-tratamiento-de-datos/, where information is provided, regarding
the protection of personal data of: the identity of the owner of the website and the Delegate
Data Protection; the purpose of the personal data obtained from the
collegiate; training/events; web users; citizen services; Within
conservation of personal data obtained; the legitimacy of the treatment of
personal information; the recipients; on the rights that assist users and
where and how to request them, as well as the possibility of filing a claim with the
competent authority.
c).- About the Cookies Policy on the web:
The inspection is carried out with the developer tools that
provided by the Mozilla Firefox browser, in which the
cache and cookies have been removed. The tool has also been used
EDPS (Web Evidence Collector) for analysis
Observing the cookie installation panel, it can be verified that a
session cookie PHPSESSID and another from Google, _GRECAPTCHA.
According to Opinion 4/2012 of WP 194 on the exemption of the requirement of
cookie consent, the exemption applied to authentication cookies could
apply to others introduced specifically to strengthen the security of the service
requested, for example, those cookies whose purpose is to detect attempts
erroneous and repeated connection to a website or for protection of the information system
connection against abuses such as _GRECAPTCHA.
However, after browsing the website, it is observed that cookies are installed
from third parties of a non-excepted nature, which are not reported in the policies, to
despite not having given consent through the banner. the circumstance is given
that these analytical cookies are installed through the insertion of a map
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/60
interactive program of the Institute for Geoenvironmental Health of the Vivo Sano Foundation in the
page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/ .
2.- There is an information banner about cookies on the main page with the
following message:
“We use our own and third-party cookies for analytical, functional,
performance to offer services appropriate to your profile, as well as own advertising
and from third parties. The basis of treatment is consent, except in the case of
Essential cookies for the proper functioning of the website. can accept
all cookies by clicking the <<ACCEPT>> button or configuring them or rejecting their use
pressing the <<CONFIGURE>> button. You can get more information in our
<<Cookie Policy>>,
<<Accept>> <<Reject>> <<Settings>>
If you wish to reject all cookies that are not technical or necessary, clicking
in the <<reject>> option, it is checked how the web continues to use the same
third-party cookies (from Google) indicated above.
3.- If the cookies control panel is accessed through the link <<Configure>>, the
web displays a page or control panel verifying that the groups of cookies
They are pre-marked in the “deactivated” option:
- Strictly Necessary Cookies: Off On.
- Analytical and Advertising Cookies: Off On.
- Functional Cookies: Off On.
- Analytical Cookies: Off On.
<<Save Changes>> <<Activate All>>
If you choose "Save changes" without having accepted any group of cookies, you will
Check how the web continues to use the same cookies indicated above.
4.- If you want to access the "Cookies Policy" through the existing link in the
information banner of the first layer, through the existing link in the panel
control or through the existing link at the bottom of the main page, the web
redirects the user to a new page https://coagranada.es/politica-sobre-recogida-y-
treatment-of-cookies/ where information is provided on: what are cookies, definition and
generic function of cookies; types of cookies; what type of cookies are used in the
web and what is its purpose; how to disable cookies; cookies identify
used and information is provided on how to accept, deny, revoke the
consent or eliminate cookies, through the tools installed in the
web or through browsers installed on the terminal equipment.
SIXTH: On 09/06/22, the Director of the Spanish Agency for the Protection of
Datos agreed to initiate disciplinary proceedings against the claimed party, in accordance with the
provided in articles 63 and 64 of the LPACAP, when appreciating reasonable indications of
violation of the provisions of the articles:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/60
- Article 38.6 of the GDPR, due to the conflict of interest detected in the
appointment of *** POSITION 1 of the Association as Delegate of Protection of
data, with an initial sanction of 5,000 euros (five thousand euros). Also, it
warned that the alleged offence, if confirmed, may lead to the
imposition of measures, according to article 58.2 d) of the GDPR. Along with it and
In accordance with article 58.2 of the GDPR, it was also indicated that the measure
corrective action that could be imposed would be to order him to name a
Data Protection Officer in which he was not involved in a conflict
of interest, as stipulated in article 38 of the GDPR.
- Article 13 of the GDPR, due to the lack of information provided in the data sheets
claims, about the processing of personal data obtained, with
an initial penalty of 8,000 euros (eight thousand euros). Along with it and
In accordance with article 58.2 of the GDPR, it was indicated that the measure
corrective action that could be imposed would be to order him to include, in the
forms used in the School, where personal data is obtained, all
the information referred to in article 13 of the GDPR, referring to the treatment of
Personal information.
- Article 22.2 of the LSSI, regarding the use of third-party cookies from
non-excepted character, without the consent of the user, with a penalty
initial amount of 1,000 euros (one thousand euros).
SEVENTH: On 09/29/22, the claimant entity submits a written statement of allegations to
the initiation of the file in which the procedure is requested to be archived based on
the following considerations:
1.- Regarding the conflict of interest regarding the data protection officer of
This College.-
It points out that such a “conflict of interest” cannot be presumed, as has been said, taking
only as a basis the Statutes of COAGranada, in relation to the composition
and functions of the Governing Board, of the Permanent Commission and of the functions
of ***POINT.1 of COAGranada, since, of the statutory precepts that are
invoked by that AEPD (14.1, 13.2, 15 and 17) no existence of any
“conflict of interest” on the part of ***POINT.1 of COAGranada regarding the
protection of the interests of the Collegiate and third parties, in terms of protection of
data.
Regarding the violation of art. 38.6 of the GDPR, referring to the eventual "conflict of
interests”, the enumeration of functions of the Board is inappropriate and insufficient
of Government, as well as of the Permanent Commission and of ***PUESTO.1, all of them
established in the Particular Statutes of the Official College of Architects of
Grenada, to reach the conclusion that "the existence of a conflict is evident
of interest by ***POSITION.1 of the Official College of Architects of Granada
to act as DPD of said Body.
The COAGranada proceeded to appoint the DPD in the figure of his *** POSITION.1
thus guaranteeing the participation of the Data Protection Officer in all
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/60
issues relating to the protection of personal data and, for your support and
advice provided him with the competition and assistance of the external Legal Department.
Reference is also made to the fact that COAGranada designated its
*** POSITION 1 as Data Protection Officer was the subject of a complaint before
this Agency dated July 8, 2021 by the same claimant and who was
archived by Resolution of this AEPD on 11/11/21, therefore, there are two
Contrary resolutions, so that, in the first, infringing conduct is not imputed
any regarding the appointment of the Data Protection Officer in the figure
*** POSITION 1 of the College and, however, in the second, with said appointment
COAGranada is accused of a violation of art. 38.6 of the GDPR.
Finally, it states that the Official College of Architects of Granada adopted the
decision to appoint a new Data Protection Officer on April 26
2022, anticipating the proposed corrective action and request that it be taken into account
account this decision under art. 83.2.c) of the GDPR.
2.- about the lack of information in the forms on "complaints and claims".
Regarding the sanction referred to for the violation of art. 13 GDPR, state that they
has incorporated all the information referred to in art. 13 of the GDPR to the forms to
disposition of both Collegiate and the general public, for which they request
that this measure be taken into account under art. 83.2.c) of the GDPR.
3.- about the cookie policy
It states that the breach is due to the use of a third-party cookie for the use
of an interactive map and request that for the establishment of the amount of the
sanction is taken into account the absolute absence of guilt or illegality
of the fact as a consequence of the significant concurrence of several of the criteria
set out in article 40, based on the following criteria:
-Intentionality: COAGranada made the map available to its Members
interactive to facilitate compliance with the provisions contained in the Royal
Decree 732/2019, of December 20, by which the Technical Code of the
Building approved by RD 314/2006, of March 17, providing information
on the basic concepts related to the regulatory modification, without
to collect any information.
- Period of time during which the eventual infringement was committed. The map has already
been removed from the web and was available to the public during the period
established between February 10, 2022 and September 20, 2022, the day on which it was
retired.
-Recidivism due to the commission of offenses of the same nature: This College does not
has previously been convicted of any similar offence.
4.- Regarding improper or erroneous interpretation of article 77.2 of the LOPDGDD
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/60
At this point, the application of article 77.2 of the LOPDGDD is reiterated in the same
terms that they already stated in their letter dated 04/1/22.
Regarding the aforementioned article 77 of the LOPDGDD, they allege that the AEPD distinguishes the
public and "private" functions exercised or held by the Professional Associations but
state that these associations of professionals are Corporations of
Public Law and it is considered that it is not appropriate to impute only as "functions
private" those that are the object of the presumed infringing conducts that are imputed and
"disconnect" them without any reason or justification from public functions, in which
they can also be completely incardinated.
The following is a reproduction of the statutory precepts invoked that imply the
exercise of public functions, which are perfectly extensible to behaviors
accused; and these can perfectly overlap with such pubic functions
such as article 13. 2. It will correspond to the Governing Board, specifically;
article 15. The Permanent Commission and article 17. The *** POSITION.1. "It corresponds to
***POINT.1:
It is also stated that the Spanish Data Protection Agency, in its
Resolutions of May 24, 2021, Procedure No.: PS/00416/2020 and of May 11
2021, Procedure No.: PS/00347/2020, has adopted a different criterion from that followed in
this Sanctioning File before Public Law Corporations.
EIGHTH: On 04/10/23, this Agency once again accessed the
web page https://www.coagranada.es/ being aware of the following
Characteristics regarding its "Cookies Policy":
When entering the web for the first time, once the terminal equipment has been cleaned of the history of
navigation and cookies, without accepting new cookies or taking any action on
the web page, it has been verified that a single cookie "_GRECAPTCHA" is used,
whose purpose is to provide your risk analysis, such as detecting
erroneous and repeated connection attempts.
NINTH: On 04/10/23, this Agency accessed the data sheet
complaints and claims of the College of Architects of Granada, accessible through
of the link https://coagranada.es/quejas-y-reclamaciones/ verifying that in the
You can read the following message:
Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001
Grenade. General Secretary. Area of Attention to the Collegiate and the User.
In compliance with the provisions of EU Regulation 2016/679, of 27
April 2016, hereinafter GDPR, the Official College of Architects of Granada
with address at PLAZA DE SAN AGUSTÍN 3, 18001 GRANADA and NIF nº
Q1875003D informs you that the collection and processing of your data through the
The purpose of this form is the administrative, fiscal and
accounting provided for in the legislation of professional associations and our
statutes. Your data may be communicated to the General Council of Colleges
Officials of Architects, related organizations and the Public Administration without
prejudice to other assignments provided by law. Your data will be kept
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/60
during the time necessary to comply with legal obligations. In
You can consult additional information on this treatment at any time.
or exercise the rights of access, rectification, deletion and opposition,
portability and limitation of treatment by directing your request to the address above
indicated or by email to protecciondedatos@coagranada.org. Also, in case
If you consider your right to the protection of personal data violated, you may
file a claim with the Spanish Data Protection Agency
(www.agpd.es).
TENTH: On 04/10/23, a resolution proposal was formulated in the sense that
the party claimed for the infringement of article 38.6 of the GDPR is sanctioned, for the
conflict of interest detected in the appointment of *** POSITION 1 of the College
as Data Protection Delegate, with a penalty of 5,000 euros (five thousand
euro); for the infringement of article 13 of the GDPR, for the lack of information
provided in the claims forms, on the treatment of the data
personal data obtained, with a penalty of 8,000 euros (eight thousand euros) and for the
violation of article 22.2 of the LSSI, regarding the use of third-party cookies
of a non-excepted nature, without the consent of the user, with a sanction of
1,000 euros (one thousand euros).
Likewise, it was proposed that the claimed party be required so that, within the term
determined, adopt the necessary measures to adapt its performance to the
personal data protection regulations.
ELEVENTH: On 04/28/23, this Agency received a written
allegations to the proposed resolution, in which the claimed party reiterates and
confirms its previous allegations and once again requests the file of the
procedure. In this letter, the defendant states the following:
FIRST.- REGARDING THE "CONFLICT OF INTERESTS" OF THE
*** POSITION 1 OF THIS SCHOOL AS DELEGATE OF PROTECTION OF
DATA, THE PROPOSED RESOLUTION IS INCONSISTENT AND
CONTINUES IF DISTORTING THE PRINCIPLES OF CLASSIFICATION AND LEGALITY,
PERSONAL TO THE SANCTION PROCEDURE, WHICH OPERATE IN
FAVOR OF COAGRANADA AND AGAINST THAT AGENCY.-
The Draft Resolution does not actually refute the allegations made
by this College, especially regarding the violation of the principles
of typicality and legality. Moreover, without addressing and dealing with these principles
invoked in our pleadings brief, considers, without foundation or
some piece of evidence- Cfr. Last paragraph of FD II a) that "it is evident the
existence of a conflict of interest on the part of ***POSITION.1 of the College
Official of Architects of Granada to act as DPD of said body”.
At this point it is necessary to remember that this Agency continues to be based on some
“Guidelines” or “best practices of the Working Group on
Data Protection". It is clear that any administrative offense
must take as an inexcusable foundation a normative element (legal, or
regulation) which, in the present case, does not exist, since it results in all
inappropriate point to take as a title of imputation some guidelines or
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/60
recommendations, given that this implies a violation of the principles of
typicity and legality. Even in article 29 of the “Guidelines on the
data protection delegates (DPD)" of said Working Group, it will be
to set an "example" (that "a DPO be asked to represent the person responsible or
to the data processor before the courts in cases related to the
Data Protection").
The mere fact of mentioning an example in a sanctioning procedure already
implies per se, dispensing with the essential factual element that must distort
the principle of presumption of innocence and, likewise, even applying as
implausible example, there are no similar circumstances in the present
Sanctioning procedure. On the other hand, the considerations of the aforementioned
"Working Group" regarding the "conflict of interest of the DPD are
extremely generic and, in no way, can they serve as a basis
to enervate the aforementioned presumption of innocence.
Moreover, even applying such "Criteria" -which is not rejected either
would result in the existence of a “conflict of interest” to appoint the
*** POSITION 1 of the College, with the assistance and support of the Legal Department of the
COAGranada, as DPD. The “Criteria” themselves establish that the
determination or consideration of the existence of a "conflict of interest" in
the figure of the DPD must be "considered on a case-by-case basis", which has not been done
for that AEPD.
In this sense, it is worth mentioning the Judgment of the Court of Justice of the Union
Commission (Sixth Chamber) of February 9, 2023, Case C-453/21: “Fourth
question referred for a preliminary ruling 43 Third, as regards the context in which
that article 38, section 6, of the GDPR is registered, it should be noted that,
according to article 39, paragraph 1, letter b) of the GDPR, the protection officer
of data has the function, in particular, of supervising compliance with the
provided in the GDPR, other data protection provisions of the
Union or of the Member States and of the policies of the person in charge or of the
person in charge of the treatment regarding the protection of personal data,
including assignment of responsibilities, awareness raising and training of
staff involved in processing operations, and audits
corresponding.
From this it can be deduced that they cannot be entrusted to a protection delegate
of data, its functions or tasks that lead it to determine the purposes and
means of processing personal data of the controller or
from his manager. Indeed, in accordance with Union Law or the Law of
Member States in the field of data protection, the control of these
purposes and means must be carried out independently by said
delegate.
The determination of the existence of a conflict of interest, in the sense of the
art 38 paragraph 6 of the GDPR, must be carried out on a case-by-case basis, on the basis of
an assessment of all the relevant circumstances, in particular, of
the organizational structure of the controller or his manager and in the light of all
applicable regulations, including any policies of the latter.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/60
In view of all the above considerations, it is appropriate to reply to the
fourth question referred that Article 38(6) of the GDPR must
interpreted as meaning that there may be a "conflict of interest", in
the meaning of this provision, when entrusted to a delegate of
data protection other functions or tasks that would lead it to
determine the purposes and means of processing personal data in the
within the person responsible for the treatment or his manager, which is the responsibility of
determine in each case the national judge on the basis of all the
relevant circumstances, in particular the organizational structure of the
responsible for the treatment or its manager and in light of all the regulations
applicable, including any policies of the latter.
By virtue of all of the above, the TJ (Sixth Chamber) declares: (...) 2) Article 38,
Paragraph 6 of Regulation 2016/679 must be interpreted in the sense that
there may be a "conflict of interest" within the meaning of this provision,
when other functions are entrusted to a data protection officer
or tasks that would lead him to determine the ends and means of the
processing of personal data within the controller or
of his person in charge, which is the responsibility of the national judge to determine in each case
on the basis of all the relevant circumstances, in particular the
organizational structure of the data controller or its manager and
light of all applicable regulations, including any policies of these
last.
On this point, that Agency confuses the very concept of "conflict of
interests” when he seems to equate the position of ***POSITION.1 of the College to
"management positions", given that, as a result of the application of article 17
of the Particular Statutes of COAGranada, it is evident that the
***POSITION.1 does not in any way hold such senior management functions,
This concept is also applicable to other types of entities, not to COAGranada.
To these considerations, as it cannot be otherwise, it is not offered by
that AEPD response or factual or legal foundation that distorts it.
And this is especially relevant, given that the expression "conflict of
interests” implies the application of an indeterminate legal concept that, in
a disciplinary procedure, while restrictive of rights, must
be applied with extreme caution and with a strong factual heritage, probative
and legal-regulatory that supports it, all of which has not happened in the
present case.
And it is that "the conflict of interest" has to be proven by that Agency and not
be presumed, which is what has happened in this Procedure
Sanctioner. It is not possible to presume, as has been said, such a "conflict of interest"
taking as a basis only the Statutes of COAGranada, regarding
to the composition and functions of the Governing Board, the Commission
Permanent and of the functions of ***POSITION.1 of COAGranada, position
that, of the statutory precepts that are invoked by that AEPD (14.1, 13.2,
15 and 17) does not infer any existence of "conflict of interest" on the part of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/60
*** POSITION 1 of COAGranada regarding the protection of the interests of the
Collegiate and third parties in terms of data protection.
That is to say, of the statutory precepts that regulate the functions of the Board of
Government (Art. 13.2), its composition (Article 14.1), the Permanent Commission
of the Governing Board (article 15) and, especially, the powers of the
*** POSITION.1 (article 17) in no way can the performance of
functions that imply a "conflict of interest" with the figure of the DPD.
The COAGranada proceeded to appoint the DPD in the figure of his
***POINT.1 thus guaranteeing the participation of the DPD in all
issues relating to the protection of personal data and, for your support and
advice endowed him with the help and assistance of the Legal Department of the
COAGranada.
2.- As has been said, the sanctioning power of the Public Administration
is directly linked to the principles that inspire criminal law, given that
Both powers are an expression of the Legal System of the State, as
as expressed in the Constitutional Text itself (art. 25) and recognizes the
jurisprudence of the Constitutional Court from the STC 18/1 981, of June 8 and
a very reiterated jurisprudential doctrine of the TS (STS September 29, 1980
and STS November 4, 1980 and STS November 10, 1980, among others).
The sanctioning power of the Administration is based
constitutional in article 25 of the CE. It is reiterated doctrine of the Court
Constitutional (STC 77/83, of October 3, STS 42/87, of April 7; STC
29/1989, of February 6) that the administrative sanctioning order
includes a double guarantee: the first, of a material nature, supposes the
need for normative predetermination of illegal conduct and sanctions
corresponding, through legal precepts that allow predicting, with
sufficient degree of certainty, the conducts that constitute an infraction and the
applicable penalties or sanctions.
It appears derived from the binding mandate or "lex certa" and is specified in
the requirement of normative predetermination of the illegal conducts and of the
corresponding sanctions, which places on the legislator the duty of
configure them in the penalizing laws with the greatest possible precision
(principle of typicality) so that citizens can know in advance
the scope of what is proscribed and thus foresee the consequences of their actions.
(STC 242/2005, of October 10 and STC 162/2008, of December 15). The
second, of a formal nature, refers to the range of norms
typifying the infractions and regulating the sanctions, insofar as they
the term "current legislation" contained in art. 25.1 CE is expressive of
a reserve of law.
Therefore, the formal guarantee implies that the law must contain the determination
of the essentials. Well then, the material guarantee comes to constitute
the aforementioned principle of typicality, which "supposes the imperative
need for normative predetermination of the infringing conducts and the
corresponding sanctions, that is, the existence of legal precepts (lex
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/60
previous) that allow predicting with a sufficient degree of certainty (lex certa)
those behaviors and know what to expect in terms of responsibility and
to eventual sanction" (Cf. STC 61/1990, of March 29 and STC 24/1996 of
February 13; STS April 20, 2006; STS November 18, 2000; STS December 20
1999; SAN of December 2, 2011; STS No. 74/2017, Litigation Chamber
Administrative, of January 23). For its part, article 27 of Law 40/2015
of October 1, of LRJSP-, includes the so-called principle of typicality, according to the
which only constitute administrative infractions the violations of the
legal system foreseen as such infractions by a Law.
The principle of classification, related to that of legality, requires that the fact
that allegedly has an illegal character is expressly found
foreseen as an infraction in some precept of the legal system
administrative. For a conduct to be classified as typical, and for
Therefore, unlawful and punishable, it is necessary that there is a coincidence between the action
carried out by the actor and the conduct exposed in the applicable legal precept.
Through the application of the principle of typicality, it is intended to verify if a
event that occurred in reality meets all the characteristics described in the
law as presuppositions of the infringement of a rule of a punitive nature.
For this, it is necessary that the action be subsumed in a sanctioning precept,
understanding as such that part of the offense that describes all the elements
subjective and objective that, as a whole, give rise to the infringement of the
rule. According to Judgment no. 4672/2022 of December 23, of the Court
Superior Court of Justice of Catalonia, (Contentious-Administrative Chamber,
Section 4)-JUR 2023\48531-: "Requirements of the principle of classification in matters
administrative penalty that, as is well known, despite the notable
conciseness and taking into account the implicit content of the aforementioned article 25 of the
Constitution (judgment of the Constitutional Court 34/1996, of March 11
(RTC 1996, 34) ), has been highlighted since ancient times by jurisprudence
constitutional in relation to what has been called the guarantee
material of the principle of legality (among many others, from the judgment of the
Constitutional Court 42/1987, of April 7 (RTC 1987, 42), for the
judgments of the Constitutional Court 3, 11, 12, 100 and 101/1988, of June 8
(RTC 1988, 101), 161, 200 and 219/1989, of December 21 (RTC 1989, 219),
61/1990, of March 29 (RTC 1990, 61), 207/1990, of December 17 (RTC
1990, 207), 120 and 212/1996, 133/1999, of July 14, 142/1999, of July 22
(RTC 1999, 142), and 60 and 276/2000, of November 16 (RTC 2000, 276) ),
that comes to be identified with the traditional principle of typicity of faults and
administrative sanctions (sentences of the Supreme Court, Third Chamber, of
dates January 16 and June 8, 1992, February 5 and October 2, 2002)
and that always requires the necessary certain normative predetermination of the
specific conducts that by action or omission are deemed to constitute a
illegal administrative, with prohibition of possible analogical interpretations
to the effect or extensive in malam partem (ruling of the Constitutional Court
125/2001, of June 4 (RTC 2001, 125), citing their previous judgments
81/1995, of June 5 (RTC 1995, 81), 34/1996, of March 11, (RTC 1996,
34) 64/2001, of March 17 (RTC 2001, 64), and order of the Court
Constitutional 3/1993, of January 14, and 72/1993, of March 1; as well as
Judgment of the Supreme Court, Third Chamber, of May 30, 1981, of 4
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/60
of June 1983, of December 29, 1987, of October 20, 1998, of
February 22, 2000 and March 3, 2003). Or put it in words
of the Constitutional Court itself, among many other previous and subsequent
in its judgment 113/2002, of May 9 (RTC 2002, 113), in the following
terms: "(...) Specifically, in relation to the material guarantee referred to
is subject to the sanctioning power of the Administration, we have
specified that normative predetermination supposes the existence of
legal precepts (lex prior) that allow predicting with a sufficient degree of accuracy
certainty (lex certa) the infringing behaviors and knowing in advance to which
abide in terms of the attached responsibility and the eventual sanction that
the offender can deserve (STC 219/1989, of December 21, FJ
4; 61/1990, of March 29, FJ 7; and 133/1999, of July 15, FJ 2) ".
Also being well-consolidated jurisprudential doctrine that teaches
that in the exercise of its sanctioning administrative power the
acting sanctioning administration does not properly respond to the exercise
of an administrative power of essence or discretionary tendency but rather
predominantly regulated for the application to each specific case of the framework
normative pre-established sanctions with a general nature in the legal system
applicable sanctioning law, which entails, from the outset, the requirement of
the necessary adequacy and rigor in the classification of the imputed facts and in
its punctual incardination and adequate subsumption in the legally infringing type
defined for its correction, in such a way that the contrary, certainly,
would be determinative of violation of the subjective fundamental right since
targeted and all recognized by the current constitutional text ex article
25.1 of the Constitution (sentences of the Constitutional Court 77/1983, of 3
of October (RTC 1983, 77) ,199 7 and 3/1988, of January 21 (RTC 1988, 3) ),
which, because it is subject to constitutional protection, would incur an eventual
sanctioning administrative action infringing the same in the vice of
full nullity today provided for in article 47.1. a) of Law 39/2015
".
3.- Finally, in relation to the non-compliance related to the appointment
of the DPD, it must be recorded that, prior to the receipt of
Resolution PS/00345/2022, as known and known to that Agency, the
COAGranada adopted the decision to appoint a new Delegate of
Data Protection on April 26, 2022, with electronic receipt no.
REGAGE22e00014921519, meeting the requirements of art. 38 of the GDPR.
This College has anticipated the proposed corrective measure and we request
that this decision be taken into account under art. 83.2.c) of the GDPR, which
establishes the following: “[…] When deciding to impose an administrative fine
and its amount in each individual case shall be duly taken into account: c)
any measure taken by the controller or processor to
alleviate the damages and losses suffered by the interested parties.” In this point
We also invoke the proportionality application of art 29.3 LRJSP.
SECOND.- ON THE LACK OF INFORMATION IN THE FORMS
ABOUT "COMPLAINTS AND CLAIMS".
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/60
Regarding the sanction referred to for the violation of art. 13 GDPR, it is reiterated
what is stated in the First Allegation, in the sense that no response is given and
what is alleged by COAGranada in its pleadings is addressed. So and
as stated in this, was applied as soon as this fact became known, the
proposed corrective action having incorporated all the information
referred to in article 13 of the GDPR to the forms available to both
Collegiate as well as the general public, for which we request that
Take this measure into account under art. 83.2.c) of the GDPR.
On this point, related to what is stated in the First Allegation, the lack of
concurrence of an essential element implies that the active subject has not
committed the conduct described in the type allegedly violated by its
action, therefore, it is perfectly lawful. That is, the atypicality
determines the absence of responsibility for the subject responsible and, therefore,
hence, the impossibility of displaying the effects of the ius puniendi on the subject.
Furthermore, for the action to be considered typical, and therefore,
display legal effects, it is necessary that together with the objective elements of
typicality the so-called subjective elements of typicality concur. based on
principle of subjective typicity requires that, in order to proceed to impute and
sanction for an action, the voluntary nature of the active subject is confirmed.
In this sense, jurisprudence has repeatedly required the
existence of guilt to be able to impose an administrative sanction,
to the point that today it is configured as one of the pillars on the
that the sanctioning administrative law is established, discarding all
sanction outside of negligent or negligent conduct and, therefore,
discarding what has traditionally been called responsibility
objective.
Specifically, regarding guilt, the Constitutional Court has declared that, in
Indeed, the Spanish Constitution undoubtedly enshrines the principle of guilt
as a basic structural principle of Criminal Law and has added that, without
However, the constitutional consecration of this principle does not imply in any way
that the Constitution has made a certain mode of
understand it (Cf. STC 150/1991).
This principle of culpability governs in matters of administrative infractions,
because to the extent that the sanction of said infraction is one of the
manifestations of the ius puniendi of the State is inadmissible in our
system a regime of strict liability or without fault (Cf. STC
76/1990). This same sentence requires guilt in the case of infractions
administrative acts committed by legal entities, affirming that "...Even
this TC has described the principle of personal responsibility as "correct"
by own facts principle of the personality of the penalty or sanction (STC
219/1988).
All this, however, does not prevent our Administrative Law from admitting
direct liability of legal persons, recognizing them, therefore,
infringing capacity. This does not mean, at all, that in the case of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/60
administrative offenses committed by legal entities
suppressed the subjective element of guilt.
Law 40/2015 itself, on the Legal Regime of the Public Sector, provides in its
Article 28 that "they may only be penalized for acts constituting
administrative infraction natural and legal persons, as well as, when a
Law recognizes the capacity to act, the affected groups, the unions and
entities without legal personality and independent estates or
self-employed, who are responsible for them by way of fraud or negligence".
The majority jurisprudence of our Supreme Court (from its
judgments of January 24 and 25 and May 9, 1983) and the doctrine of the Tribunal
Constitutional (after its STC 76/1990) emphasize that the principle of
Guilt, even without explicit recognition in the Constitution, is inferred from
the principles of legality and prohibition of excess (art. 25.1 CE), or of the
requirements inherent to a rule of law, and require the existence of
fraud or fault
The requirement of guilt in the penalizing administrative law has
impregnated the jurisprudence of the Supreme Court in the different areas
materials in which he has had the opportunity to speak, discarded by
legal and constitutional requirement, strict liability, that is, regardless of
from any wrongdoing. In this way, the principle of guilt
constitutes an essential element of the administrative offense.
THIRD.- ABOUT THE COOKIES POLICY
In relation to the sanction proposal "About the Cookies Policy", as
as the Resolution Proposal itself acknowledges, when entering the web by
first time, without accepting cookies or performing any action on the page,
You can check that non-technical cookies are not used or
necessary.
The breach detected is due to the use of a third-party cookie by the
use of an interactive map. Based on art. 39 bis a) of Law 34/2002, of 11
July, Information Society Services and Electronic Commerce,
We request that the establishment of for the establishment of the amount of
the sanction takes into account the absolute absence of guilt of the
defendant or the illegality of the act as a consequence of the
significant concurrence of several of the criteria set forth in article 40,
based on the following criteria: -Intentionality: The COAGranada
made the interactive map available to its members to facilitate the
compliance with the provisions contained in Royal Decree 732/2019, of
December 20, by which the Technical Building Code was modified
approved by Royal Decree 314/2006, of March 17, providing
information on the basics related to the modification
regulations, without the intention of collecting any information.
Period of time during which the eventual infringement was committed. The map
has already been removed from the web and was available to the public during the
period established between February 10, 2022 and withdrew on February 20, 2022.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/60
September 2022. -The recidivism by commission of infractions of the same
Nature: This College has not been previously condemned by any
similar offence. At this point it is invoked, as in the Allegation
above, the principle of guilt and, in addition, that of proportionality.
FOURTH.- WE UNDERSTAND THAT THE PROPOSED RESOLUTION
REITERATES THE IMPROPER OR WRONG INTERPRETATION OF THE ARTICLE
77.2 OF THE ORGANIC LAW 3/2018 OF DECEMBER 5, OF PROTECTION
OF PERSONAL DATA AND GUARANTEE OF RIGHTS
DIGITALESLOPDGDD-.
We invoke the application of article 77.2 of the LOPDGDD in the same terms
that we already exposed in our letter dated April 1, 2022. And it is that,
here it is also necessary to remember that we are in the heart of a
disciplinary procedure, in which they are applied, as inspiring principles
of the criminal order, that of presumption of innocence and that of in dubio pro reo.
Regarding the aforementioned article 77 of the LOPDGDD, that Agency distinguishes the
public and "private" functions exercised or held by the Colleges
Professionals. But it is that, in addition to being associative entities of
professional, privately-based, the fundamental thing for the purposes that we here
occupy, is that they are Public Law Corporations. And, at this point,
We consider that it is not appropriate to impute only as "private functions"
those who are the object of the presumed infringing conducts that are imputed and
“disconnect” them without any reason or justification from public functions, in
which can also be totally incardinated.
What is inappropriate at all points is to try to justify spuriously
the exercise of "private functions" overlapping it with a norm that is not
in application mode, such as Law 7/2006, of May 31, on the exercise of
titled professions and professional associations of the Community
Autonomous of Catalonia.
Said Law is not applicable neither by reason of the matter, nor of the territory and,
even less within a disciplinary procedure, which leads us
again to the violation of the principles of classification and legality, without
can be "presumed", without any evidence or factual foundation
and legal, the exercise of private functions erring in the normative framework of
application and assuming that the alleged infringements have been in the
exercise of such functions.
If we take into account the statutory precepts that the AEPD invokes
regarding the alleged “conflict of interest” of ***POINT.1 of the
COAGranada, the statutory precepts invoked by that AEPD
involve the exercise of public functions, which are perfectly extensible
to the imputed conducts; and these can be perfectly imbricated as
pubic functions
-Article 13. 2. It will correspond to the Governing Board, specifically: "a)
Prepare draft standards of a general nature and the promotion of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/60
procedure of approval and reform of the statutes. b) Propose to the
General Assembly the matters that concern it, provide advice and
technical support and arbitrate the means leading to the exact compliance of the
agreed by it. c) Resolve the applications for the incorporation of new
collegiate, of collegiate withdrawals and on the suspension of collegiate services and
of college status. d) Authorize the registration of Companies
Professionals in the corresponding Association Registry, upon request, who
may be processed electronically through the single window established in
this School e) Collect, distribute and manage the funds of the School,
in accordance with the provisions of the Title on the Economic and Patrimonial Regime of
the present Particular Statutes. h) Promote actions of all kinds through
favor of the profession. i) Know the actions carried out due to
urgency by the Dean or by the Permanent Commission, assuming them or
censoring them when they were not within their own competence. j)
Resolve as many proposals as the Permanent Commission may put forward k)
Exercise the disciplinary function and adopt precautionary measures, initiating, of
ex officio or by virtue of denunciation, the disciplinary files, in which it will dictate
the corresponding Resolution. The exercise of such functions may be delegated
in the Dean, in a group of members of the Governing Board or in a
Commission. l) Send to the Investigating Commission the Files initiated in
disciplinary matter, for the purposes of its processing and formulation of the
corresponding proposed resolution. m) Initially approve the
Regulations for the operation of attendance and telematic voting in the
General Assembly, in order to be definitively approved by the General Assembly
General of the Collegiates.”
-Article 15. The Permanent Commission. The Governing Board will be constituted in
Permanent Commission, made up of the Dean, the ***POSITION.1 and the Treasurer
as ex officio members, for the fulfillment of the functions assigned to them
in these Statutes. Corresponds to the Permanent Commission of the Board of
Governance of the School: 1. Put into practice the guidelines issued by the
Governing Board. 2. Propose to the Governing Board as many acts as are
consequence of the powers that it has assumed. 3. The adoption of
the necessary measures to comply with the agreements of the Board of
Government. 5. Adopt decisions on matters of an urgent nature
that, being the competence of the Governing Board, cannot suffer
postponement until the meeting of the latter, having to account for these acts,
for its ratification, in the first session held by the Governing Board. 6.
Those functions expressly delegated by the Governing Board.
-Article 17. The *** POSITION.1. “Corresponds to *** POSITION.1: 1. Organize, with
the approval of the Dean and according to the criteria of the Governing Board,
The school secretary. 2. Provisionally resolve on admission
of the new members in accordance with the provisions of these Statutes
individuals. 3. Receive and process all requests and communications that are
directed to the College and its different Bodies, reporting them to whoever
corresponds. 4. Issue the certifications that are requested and must be
issued and keep the registration book of collegiate. 6. Make notifications
college ups and downs. 7. Keep the minute books of the meetings of the
General Assembly of members, Governing Board and the Commission
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/60
Permanent and transfer the agreements, monitoring compliance
thereof.". 10. Direct the services of the College offices.”.
And, as a complement to the previous statutory precepts in article 6
the functions of COAGranada are listed, fully governed by Public Law -
Article 6. Functions. "Without prejudice to those reserved to the Superior Council of
the Colleges of Architects of Spain and the Andalusian Council of Colleges
Official Architects, are functions of the Official College of Architects of
Granada, in its territorial scope, those expressly determined, for the
achievement of its purposes, in the legislation on Professional Associations and,
specifically, the following: 1. Registration: e) Facilitate the bodies
courts and Public Administrations, in accordance with the laws, the
List of members who may be required to intervene as
experts or designate them directly, as appropriate. f) Equip yourself with the systems
appropriate electronic communications and computer programs that
allow citizens, Collegiates and other practicing Architects
in its territory, to the Public Administrations and to the organizations declared
authorities, resolve their administrative relations with them in
single window system, without prejudice to the fact that it can also be done by other
ways. g) Establish and maintain a telematic and in-person customer service
to consumers and users and to Collegiates and other architects with the functions
that the Law establishes and those that regulate the Superior Council of Schools of
Architects, the Andalusian Council of Official Colleges of Architects and this
School, according to the Law
2. Representation and relations with Public Administrations: a)
Represent the profession, in the territorial area that corresponds to it, before the
public powers of the Andalusian Autonomous Community and others
Public Administrations, defending the general interests of the
profession, lending their collaboration in the matters of their competence, to
which may enter into agreements to carry out activities of interest
common, as well as for the promotion of actions aimed at defending the
public interest and, especially, of the users of the professional services of
the collegiate, with the different Public Administrations and with organizations
public or private. When the representation must take place before bodies
with jurisdiction outside the scope of the College and refers to matters that
beyond its territorial scope, the actions will be carried out with the
prior knowledge or through mediation of the Superior Council or Andalusian Council,
as appropriate. b) Prior agreement of the Governing Council of the Junta de
Andalusia, which must be published in the Official Gazette of the Junta de
Andalusia, exercise administrative functions related to the profession,
all this prior to the report of the Andalusian Council of Official Colleges of
Architects and the express acceptance of the College. c) Act before the Judges and
Courts, inside and outside their territorial scope, both in their own name and in
defense of the goals and interests of the profession and professionals
members of the Association or practitioners in its territorial scope, as in name,
on their behalf and in their procedural substitution, in the defense that they themselves
voluntarily entrust him. d) Report in legal proceedings or
administrative proceedings in which fees or other professional issues are discussed,
when required to do so. e) Inform, in accordance with the Laws, the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/60
draft provisions at the local level that regulate or directly affect
to the professional attributions or the conditions of activity of the
Architects as well as those of regional scope when it does not correspond to the
Andalusian Council. f) Cooperate in the improvement of teaching and research
of architecture, urbanism and the environment. g) Participate and
represent the profession in congresses, juries and advisory bodies to
request of the Administration or individuals. i) Exercise the right of petition
in accordance with the Law. j) Attend, in its capacity as competent body, the
requests for information that are requested, in accordance with the provisions
in Spanish or European Union legislation, both by individuals
as by the Collegiate and other practicing architects or by the organisms
national or international authorized by law.
3. Ordination: a) Ensure the ethics and dignity of the profession, both in the
reciprocal relations of the Architects as in those of these with their clients
or with the organizations in which they carry out their professional work. b) Watch
by the optional independence of the Architect in any of the
modalities of professional practice. c) Avoid and prosecute before the Courts
professional intrusion. d) Establish, within the scope of its competence,
criteria on the minimum required levels of professional diligence, in
particular, regarding the presentation of works and the quality control and
monitoring of the works. e) Visa in accordance with what is established in the
regulatory or legal application standards the professional works of the
Architects. The visa will in no case include the fees, nor the
Other contractual conditions for the provision of professional services
agreed by the Architects with their clients. f) Prevent competition
unfair between the Architects in the terms established in the legislation
in force on unfair competition. g) Exercise disciplinary power over the
Architects and Professional Societies that fail to comply with their collegiate duties
or professionals, both legal and deontological, approving for this purpose a
Code of Ethics, in accordance with the provisions of the Law and by the Council
Superior of the Colleges of Architects of Spain and the Andalusian Council of
Official Colleges of Architects. Said Code will be accessible to
Collegiate and other practicing architects and consumers and users of
their professional services. i) Advise members and others
practicing architects as well as consumers and users of their
professional services on the contracting conditions of the services
professionals of the Architects, seeking the best definition and guarantee of
the respective obligations and rights. j) Establish, within the scope of its
competence, regulations on professional activity in the exercise of these
management functions, subject to the Statutes and other
general provisions of application.
4. Service: e) Resolve by award, in accordance with the legislation on arbitration
and to the collegiate Rules of Procedure itself, conflicts between
Collegiate and citizens, or raised by the latter, that are
submitted in matters related to the professional competence of the
Architects. f) Establish fee scales merely for
indicative for the sole purpose of cost appraisals in conflicts or
jurisdictional proceedings. i) Provide the collaboration that is required in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/60
the organization and dissemination of competitions that affect Architects and
ensure the adequacy of their calls to the regulatory standards of the
professional exercise. m) Exercise as many administrative powers as may be
legally attributed, collaborate with the Administration by carrying out
of studies or issuance of reports and exercise the powers that are
attributed by other norms of legal or regulatory rank, or are
delegated by the Public Administrations or derived from agreements of
collaboration. n) Prepare the letter of services to the citizen, offer
information on the content of the profession and the members registered in the
College, respecting the provisions of the regulations on data protection
of a personal nature. o) Guarantee collaboration with the Administration of the
Junta de Andalucía and its dependent bodies, as well as with the other
Public Administrations and public entities in the control of situations of
members who, due to their status as public employees at their service,
could be affected due to incompatibility for the exercise of
professional activities. p) Exercise arbitration and mediation functions in the
Conflicts that, for professional reasons, arise between the Collegiate,
between members and citizens, and between them when they decide
freely, all in accordance with the applicable legislation on
arbitration and mediation.
5. Organization: a) Approve the Particular Statutes and their modifications
prior report from the Higher Council of Colleges about its compatibility
with the General Statutes of the Colleges of Architects and their Council
Superior, submitting them to a report from the Andalusian Council of Official Colleges
of Architects for its subsequent qualification of legality and registration in the
Registration of Professional Associations of Andalusia by the Ministry
competent. b) Prepare and approve the annual income budgets and
expenses, as well as their accounts and settlements. d) Issue regulations of
organization and internal functioning for the development and of those present
Statutes.".
And the Spanish Data Protection Agency itself, in its Resolutions of
May 24, 2021, Procedure No.: PS/00416/2020 and May 11, 2021,
Procedure No.: PS/00347/2020 has adopted a different criterion from that followed in
this Sanctioning File before Public Law Corporations.
Thus, the first of the aforementioned Resolutions establishes the following:
"The denounced facts are specified that through the web page
http//www.albuixech.es/wp-content/uploads/ ownership of the claimed could be
access personal data of neighbors such as ID, telephone, disability,
economic situation and that despite the fact that he had stated that he had solved the
incidence, the corresponding measures had not been taken since
he could still access the data of the neighbors.
Article 83.5 a) of the GDPR (LCEur 2016, 605), considers that the infringement of
"the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9" is punishable, according to
with section 5 of the aforementioned article 83 of the aforementioned GDPR, "with fines
administrative costs of €20,000,000 maximum or, in the case of a company,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/60
of an amount equivalent to a maximum of 4% of the total turnover
global annual report of the previous financial year, opting for the one with the highest
amount". On the other hand, the LOPDGDD (RCL 2018, 1629), for the purposes of
prescription, in its article 72 indicates: "Infringements considered very serious:
1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the
offenses involving a substantial violation of the articles
mentioned therein and, in particular, the following: a) The treatment of
personal data violating the principles and guarantees established in the
Article 5 of Regulation (EU) 2016/679. (...)" V The violation of article 32
of the GDPR (LCEur 2016, 605) is typified in article 83.4.a) of the
cited GDPR in the following terms:
4. Violations of the following provisions will be penalized, according to
with paragraph 2, with administrative fines of EUR 10,000,000 as
maximum or, in the case of a company, an amount equivalent to 2%
maximum of the overall annual total turnover of the financial year
above, opting for the one with the highest amount: a) the obligations of the
responsible and of the manager in accordance with articles 8, 11, 25 to 39, 42 and 43.
(...)" For its part, the LOPDGDD (RCL 2018, 1629) in its article 71,
Violations, states that: "Infractions are the acts and conducts to the
referred to in paragraphs 4, 5 and 6 of article 83 of Regulation (EU)
2016/679, as well as those that are contrary to this organic law". And
in its article 73, for prescription purposes, it qualifies as "Offences
considered serious": "Based on what is established in article 83.4 of the
Regulation (EU) 2016/679 are considered serious and will prescribe after two years
the infractions that suppose a substantial infringement of the articles
mentioned therein and, in particular, the following: (...) g) The
breach, as a consequence of the lack of due diligence, of the
technical and organizational measures that have been implemented in accordance with the
required by article 32.1 of Regulation (EU) 2016/679". (...)"
VI The proven facts show access through the website
http//www.albuixech.es/wp-content/uploads owned by the defendant to the
personal data of residents of the town (ID, telephone,
disability, economic situation, etc.), despite having stated to
this AEPD that had provided a solution to the incident, breaking and
violating technical and organizational measures and the duty to
data confidentiality. As stated in the background and accredited
based on the proven facts of the procedure, it has been proven that the
file resolution of the initial claim, the claimant filed an appeal
optional replacement against the relapsed resolution showing its
disagreement and stating that the defendant had not taken the measures
adequate since, despite what was alleged, the data continued to be accessed
of the municipal website, contributing together with the new appeal document
relevant documentation.
After the analysis and checks carried out, it was found that there
published documents containing information with character data
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/60
personnel who had not been eliminated or anonymized, estimating the
appeal and agreeing to the admission of the claim presented.
Therefore, the entity's actions constitute a violation of the principles of
confidentiality and data security, regulated in articles 5.1.f) and
32.1 of the GDPR (LCEur 2016, 605), and typified in articles 83.5.a) and
83.4.a) of the GDPR. However, in order to clarify the terms of the
incident produced and that led to the opening of this proceeding
sanctioning party, the defendant by letter of 02/18/2021 indicated that if
Well at first I installed a WP Content Copy Protection Pro plugin for
block access to existing documents on the website of the
City Council and carry out the elimination of the files that contained
personal data published on the aforementioned page, after receiving the
agreement to open the procedure the computer service treated in a
first moment of solving the incident, reaching the conclusion that the
measure adopted (install a plugin to block access to the web),
seemed insufficient since although it prevented access to the contents
it was still possible to access them if the URL address was known
of the published files.
Therefore, the migration of the entity's website to another server was carried out
which determined that the content that could have been accessed with
Prior to the aforementioned date, it was deleted, and it was not possible to access the
same from the moment the migration was performed. For the purpose of
avoid incidents such as the one that occurred, the new website adopted a
series of technical measures: remove access to the wp-content folder and its
content through. htaccess ; check before serving WP permissions
using the is-luger-logged-in function, to retrieve a file for a
wp-content subfolder etc. In addition, the defendant has indicated that he assumes
its responsibility as a consequence of the infractions committed, although
considers that the efforts made to improve
security measures in order to ensure the safety and security of
confidentiality of personal data for which it is responsible
and that the violation is not due to inaction or lack of proactivity in the
compliance with data protection regulations.
On the other hand, it should be noted that the defendant provides a screen print
of the web page where the content of the character data should be
staff that caused the claim and who are currently
deleted, not being possible to access them VII The LOPDGDD
(RCL 2018, 1629) in its article 77, Regime applicable to certain
categories of controllers or processors, establishes what
following: In the case at hand, in accordance with the evidence of
those that are available and without prejudice to what results from the instruction, said
conduct could constitute, on the part of the defendant, a possible violation of the
provided in article 5.1.f) and 32.1 of the GDPR (LCEur 2016, 605).
It should be noted that the GDPR, without prejudice to the provisions of its article 83,
contemplates in its article 77 the possibility of resorting to the sanction of
warning to correct the processing of personal data that is not
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/60
conform to their forecasts, when those responsible or in charge
listed in section 1 committed any of the offenses to which
refer to articles 72 to 74 of this organic law. Also, it is contemplated
that the resolution issued will establish the measures to be adopted
so that the conduct ceases, the effects of the infraction are corrected
committed and its adequacy to the requirements contemplated in the
Articles 5.1.f) and 32.1 of the GDPR, as well as the contribution of means
certifying compliance.
However, it is considered that the response formulated by the defendant in
letter dated 02/18/2021 has been reasonable, correcting the incident
produced, not proceeding to urge the adoption of additional measures to those already
taken by the defendant, which is one of the main purposes of the
procedures with respect to those entities listed in article 77
LOPDGDD, having been accredited the suspension of the website of the
entity where the information contained the character data
neighbors staff having migrated it to another server and adopting
measures to prevent the occurrence of events such as those that gave rise to the
claim.
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited, The
Director of the Spanish Data Protection Agency RESOLVES:
FIRST IMPOSE ALBUIXECH CITY COUNCIL, with NIF
P4601400G, for a violation of article 5.1.f) of the GDPR (LCEur 2016, 605)
, typified in article 83.5.a) of the GDPR, a penalty of warning, of
in accordance with article 77 of the LOPDGDD (RCL 2018, 1629). SECOND
TO IMPOSE the CITY COUNCIL OF ALBUIXECH, with NIF P4601400G, for
an infringement of article 32.1 of the GDPR (LCEur 2016, 605), typified in the
Article 83.4.a) of the GDPR, a warning sanction, in accordance with
article 77 of the LOPDGDD (RCL 2018, 1629)”. About these resolutions
dictated by the AEPD itself, the Resolution Proposal is not pronounced.
FIFTH.- ABSENCE OF DETERMINATION OF THE CORRESPONDING TYPE
TO THE PROPOSED SANCTIONS AND LACK OF REASONS FOR THE
DETERMINATION OF THE AMOUNT THEREOF. ALTERNATIVE AND
SUBSIDIARILY, INVOCATION OF THE PRINCIPLE OF
PROPORTIONALITY.
The Resolution Proposal does not establish which are the specific types
of the sanctions that are proposed and the determination and graduation of the
quantum of the same, which entails an absence of contrary motivation
to article 35.1 a) of Law 39/2015 of October 1, on Procedure
Common Administrative of Public Administrations. The type is not specified
of infraction committed (we understand that, slight) nor is it motivated why they are imposed
the respective sanctions of 5,000, 8,000 and 1,000 euros. With this you can
consider that it has generated defenselessness for COAGranada.
Alternatively and subsidiarily, in the event that it is estimated that
one or more of the infractions contained in the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/60
Resolution Proposal, we request the application of the principle of
proportionality established in the aforementioned article 29.3 of the LRJSP as well as
also invoked article 83.2.c) of the GDPR.
The principle of proportionality in its application aspect, has served in the
jurisprudence as an important mechanism of jurisdictional control of the
exercise of the sanctioning power of the Administration when the norm
establishes for an infraction several possible sanctions or indicates a margin
quantitative for the fixing of the pecuniary sanction; and, thus, it has been insisting
in which the aforementioned principle of proportionality or the individualization of
the sanction to adapt it to the seriousness of the fact, make the determination
of the sanction a regulated activity and, of course, it is possible in the
jurisdiction not only the confirmation or elimination of the sanction imposed but also
its modification or reduction (Cf. Judgment of the National Court of December 11,
March 2008, Rec. 501/2006). In this sense, it is worth mentioning the Judgment of the
Supreme Court of September 25, 2003 (Rec. 527/1998): "The power
disciplinary measure is not discretionary and this implies that, when for
a certain infraction has legally provided for a list of sanctions,
the imposition of a more serious or higher than that established with the character of
minimum must be clearly motivated by consigning the
specific reasons and circumstances on which the superior malice or
negligence that are taken into account to choose that greater punishment. This is how the
interdiction of arbitrariness of article 9.3 of the Constitution and also the
principle of proportionality included in the guarantees of article 25 of the
same constitutional text.
Therefore, the principle of proportionality implies that, since the activity is
sanctioning of the Administration an activity typically of application of
the rules, the factors that have to preside over its application are based on
what is available in each sector of the Legal System and, especially,
in the concurrent circumstances. As established in the Judgment of the
Superior Court of Justice of Castilla y León de Burgos, nº 3/2017 of 13
January (Rec. 80/2016): "It is precisely in this area that a
extraordinarily clarifying role the motivation of the concrete act
administrative sanction and to the extent that it will define not
only the circumstances modifying the responsibility appreciated and
proven but, in addition, the specific reason that the Administration understands that
concurs to, within the margins granted by law, impose a specific
sanction".
It is for this reason that, by virtue of what is stated in these Claims,
in the event that it is deemed that there are infringing conducts and consequent
sanctions to be applied, be it by reducing as much as possible their
economic amount, since given the concurrent circumstances, the
total amount of 14,000 euros seems disproportionate and excessive (said
be with due respect and in strict terms of defense. I ASK THE
SPANISH DATA PROTECTION AGENCY: That, having
presented this brief, please admit it and consider the allegations
which are formulated therein. Granada for Madrid, on the date of signing
electronics.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/60
PROVEN FACTS:
Of the actions carried out in this procedure and of the information and
documentation presented by the parties, the following have been accredited
facts:
First: To the claim document presented in this Agency on 12/21/21,
attached the following documentation relevant to this proceeding:
- Copy of the document that A.A.A., collegiate ***COLEGIADO.1, sends to the
claimant, on 08/30/21, where, among others, you can read:
or "(...) The Governing Board of the College in its session held on
April 2019 adopted, among others, the following agreement: "(AIG)
04.11.19/08.- DESIGNATE THE *** POSITION. 1 OF THE OFFICIAL ASSOCIATION
OF ARCHITECTS AS DELEGATE OF PROTECTION OF
DATA FOR THE SCHOOL OF ARCHITECTS.” therefore i can
inform you that, currently, the Data Protection Officer of the
Official College of Architects of Granada is his *** POSITION. 1 D.
B.B.B. (…)”.
- Copy of the "Complaint Sheet" of the Official College of Architects of
Granada where you can read, among others, the following information with
Regarding the data protection policy:
o Official College of Architects of Granada. Plaza de San Agustin No. 3,
18001 Grenada. General Secretary . Area of Attention to the Collegiate and
to user. The data collected will form part of the File of the
COAGRANADA, being Responsible for ***POINT.1 of the same, to
who will have to address in writing in the case of exercising the rights
of access, opposition, rectification and cancellation, in accordance with the
L.O.P.D.
- Copy of the "Visa Application" addressed to the Dean of the Official College of
Architects of Granada, where you can read, among others, the following
Information regarding the data protection policy:
o In accordance with the provisions of LO 15/1999 on Data Protection of
Personal character, the existence of a file is reported
automated whose purpose is the provision of the requested service. The
Applicants expressly consent to the
treatment and transfer of existing data in the automated file
to the various Spanish Official Colleges of Architects and to other
administrative bodies, for the purposes related to the function of
visa. Signatories may exercise the right of access,
rectification, opposition and cancellation in writing before the C.O.A. of
Granada, with address at Plaza de San Agustín Nº 3, 18001 Granada,
email coagranada@coagranada.org
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/60
Second: On 07/27/22, this Agency verified that in the
document "Member Complaints and Claims Sheet", accessible on the page
Web,
https://coagranada.es/wp-content/uploads/2021/02/
Sheet_complaint_reclamations_collegiate_V02.pdf,
that there was only the following legend referring to the data protection of
personal character:
“Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001
Grenade. General Secretary. Area of Attention to the Collegiate and the User.
The data collected will form part of the COAGRANADA File, being the
Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing
in the case of exercising the rights of access, opposition, rectification and
cancellation, in accordance with the L.O.P.D.”
It was also found that in the document "Complaints and Claims Sheet of
Consumers and Users”, accessible on the website,
https://coagranada.es/wp-content/uploads/2021/02/
Sheet_complaint_claims_consumers_V02.pdf
that only the following information related to data protection existed
of a personal nature:
“Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001
Grenade. General Secretary. Area of Attention to the Collegiate and the User.
The data collected will form part of the COAGRANADA File, being the
Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing
in the case of exercising the rights of access, opposition, rectification and
cancellation, in accordance with the L.O.P.D.”
On 04/10/23, this Agency accessed the complaint form and
complaints from the College of Architects of Granada, accessible through the link
https://coagranada.es/quejas-y-reclamaciones/ verifying that it
you can read the following message:
Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001
Grenade. General Secretary. Area of Attention to the Collegiate and the User.
In compliance with the provisions of EU Regulation 2016/679, of 27
April 2016, hereinafter GDPR, the Official College of Architects of Granada
with address at PLAZA DE SAN AGUSTÍN 3, 18001 GRANADA and NIF nº
Q1875003D informs you that the collection and processing of your data through the
The purpose of this form is the administrative, fiscal and
accounting provided for in the legislation of professional associations and our
statutes. Your data may be communicated to the General Council of Colleges
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/60
Officials of Architects, related organizations and the Public Administration without
prejudice to other assignments provided by law. Your data will be kept
during the time necessary to comply with legal obligations. In
You can consult additional information on this treatment at any time.
or exercise the rights of access, rectification, deletion and opposition,
portability and limitation of treatment by directing your request to the address above
indicated or by email to protecciondedatos@coagranada.org. Also, in case
If you consider your right to the protection of personal data violated, you may
file a claim with the Spanish Data Protection Agency
(www.agpd.es).
Third: About the "Cookies Policy" of the website https://www.coagranada.es/
It was initially found that a third-party cookie of an unauthorized nature was used.
excepted, without the prior consent of the web user. the circumstance is given
that this analytical cookie was installed through the insertion of a map
interactive of the Institute for Geoenvironmental Health of the "Vivo Sano" Foundation in the
page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/ .
On 04/10/23, this Agency accessed the website again
https://www.coagranada.es/ having knowledge of the following characteristics
regarding its “Cookies Policy”:
When entering the web for the first time, once the terminal equipment has been cleaned of the history of
navigation and cookies, without accepting new cookies or taking any action on
the web page, it has been verified that a single cookie "_GRECAPTCHA" is used,
whose purpose is to provide your risk analysis, such as detecting
erroneous and repeated connection attempts.
FUNDAMENTALS OF LAW
YO.-
Competence:
- Regarding the processing of personal data and the "Privacy Policy":
The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, by virtue of the powers that article 58.2 of the GDPR recognizes
each Control Authority and, as established in arts. 47, 64.2 and 68.1 of the Law
LOPDGDD.
- About the "Cookies Policy":
The Director of the Spanish Agency is competent to resolve this procedure
Data Protection, in accordance with the provisions of art. 43.1, paragraph
second, that of the LSSI Law.
II
Reply to the allegations presented to the resolution proposal
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/60
a).- Regarding the alleged conflicts of interest of the Data Protection Officer
(DPD) in the person of ***POSITION.1 of the Official College of Architects of Granada.
There is evidence that, in the session held by the Governing Board of the College of
Architects of Granada, on 04/11/19 the agreement was adopted to designate ***POSITION.1
of said Association as Delegate of Data Protection (PDP) and thus specified
expressly in the meeting minutes: "(...) Therefore, I can inform you that,
currently the Data Protection Delegate of the Official College of Architects of
Granada is his ***POST.1 D. B.B.B. (…)”.
According to the claimed party, the decision was made to appoint a new
Data Protection Delegate dated 04/26/22, and that was notified to the
Agency in response to the requirements of art. 38 of the GDPR.
In the allegations presented by the defendant entity, both in the initiation of the
file as in the motion for a resolution essentially defends that
There has never been any conflict of interest for the appointment of ***POSITION.1
as Delegate of Data Protection (DPD), in the College of Architects of
Grenade.
Well then, we must begin this section by indicating that, as indicated in
repeatedly this Agency, the greatest novelty presented by the GDPR is the
evolution of a model based, fundamentally, on the control of compliance with
current legislation to another that rests on the principle of active responsibility, which
that requires a prior assessment by the person in charge or by the person in charge of the treatment
of the risk that the processing of personal data could generate in order to
Based on said assessment, adopt the appropriate measures.
A fundamental role within the new model of active responsibility is
will perform the DPD. Also following on this point the Statement of Reasons for the
LPDGDD, "the figure of the DPD acquires outstanding importance in the GDPR and so
includes the Organic Law, which starts from the principle that it can have a
obligatory or voluntary, being or not integrated in the organization of the person in charge or
manager and be both a natural person and a legal person.
Section 4 of CHAPTER IV, of the GDPR -articles 37 to 39-, regulates
detailed figure of the DPD. In connection with the interpretation and application of these
precepts can refer to the guidelines contained in the document of the Group of the
Article 29 "Guidelines on Data Protection Delegates" -WP243-,
last revised and adopted on April 5, 2017.
This regulation is complemented by the provisions of CHAPTER III of the
TITLE V of the LOPDGDD-, whose articles 34 to 37 contain some
specialties directly applicable to our domestic law. Specifically, the
The appointment of the data protection officer is included in article 37 of the
GDPR, expanding in article 34 of the LOPDGDD the spectrum of subjects
bound to their appointment.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 34/60
From the foregoing it can be deduced that the requirement for the appointment of a DPD should not
interpreted, without further ado, as a mere formality, having to comply with the
requirements established in the applicable legal regulations. Consequently, it turns out
necessary to carry out a brief analysis of the functions and resources of which
dispose of the DPD. Thus, it must be based on the important functions that article 39.1 of the
GDPR assigns:
"1. The data protection officer will have at least the following
Functions: a) inform and advise the person in charge or the person in charge of the treatment
and to the employees who deal with the treatment of the obligations that
are incumbent under this Regulation and other provisions of
data protection of the Union or of the Member States; b) supervise the
compliance with the provisions of this Regulation, of other
data protection provisions of the Union or of the Member States and
of the policies of the person in charge or of the person in charge of the treatment regarding
protection of personal data, including the assignment of responsibilities, the
awareness and training of personnel involved in security operations
treatment, and the corresponding audits; c) offer advice that
asked about the impact assessment relating to the protection of
data and supervise its application in accordance with article 35; d) cooperate
with the control authority; e) act as a point of contact for the authority
control for issues relating to treatment, including consultation prior to
referred to in article 36, and consult, where appropriate, on any
another matter." It is, therefore, functions of advice and
supervision aimed at guaranteeing adequate compliance with regulations
on protection of personal data, pointing out article 39.2 that "The
data protection officer will carry out his functions providing the
due attention to the risks associated with processing operations,
taking into account the nature, scope, context and purposes of the
treatment".
Likewise, article 38.1 clearly establishes that: "The person in charge and the person in charge of
of the treatment will guarantee that the data protection officer participates in an
adequately and in a timely manner in all matters relating to the protection of
personal information".
In addition to the important advisory functions assigned to the DPD,
including the cases in which it is necessary to carry out an impact assessment
because they are high-risk treatments, and specifying the functions of supervision,
Article 36 of the LOPDGDD provides that: "The delegate may inspect the
procedures related to the purpose of this organic law and issue
recommendations within the scope of its powers", that "In the exercise of its
functions the data protection officer will have access to personal data and
treatment processes, not being able to oppose to this access the person in charge or the
person in charge of the treatment the existence of any duty of confidentiality or
secrecy, including that provided for in article 5 of this organic law", and that, "When the
data protection delegate appreciates the existence of a relevant violation in
data protection matter will document it and notify it immediately to the
administrative and management bodies of the person in charge or the person in charge of the treatment”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 35/60
On the other hand, article 39.1.e) of the GDPR also establishes as functions of the DPO
“Act as the contact point of the control authority for questions related to the
treatment, including the prior consultation referred to in article 36, and carry out
consultations, where appropriate, on any other matter.
For the proper fulfillment of these tasks, the GDPR requires certain requirements
of training of the DPD, and that it is endowed with the necessary resources. To the
training requirements, refers to article 37.5 GDPR, providing that "The
data protection officer will be appointed based on their qualities
professionals and, in particular, their specialized knowledge of Law and
data protection practice and its ability to perform the
functions indicated in article 39”. For its part, article 35 of the LOPDGDD
adds that "Fulfillment of the requirements established in article 37.5 of the
Regulation (EU) 2016/679 for the appointment of the data protection officer,
whether a natural or legal person, may be demonstrated, among other means, through
voluntary certification mechanisms that will take particular account of the
Obtaining a university degree certifying specialized knowledge in
data protection law and practice.
In order to the best interpretation and application of these precepts, you can go to
the guidelines contained in the document of the Group of Article 29 “Guidelines on the
Data Protection Delegates" -WP243-, last revised and adopted on
April 5, 2017, that, in relation to the knowledge and skills of the DPD,
note the following points:
- Level of knowledge: The level of knowledge required is not defined
strictly, but must be commensurate with the sensitivity, complexity, and quantity
of the data that an organization processes. For example, when the activity of
data processing is especially complex or when it involves a large
amount of sensitive data, the DPO may need a higher level of
knowledge and support. There is also a difference depending on whether the
organization systematically transfers personal data outside the Union
Union or if said 9 Legal Cabinet transfers are occasional.
Thus, the DPO must be chosen carefully, taking due account of
issues relating to data protection that arise in the organization.
- Professional qualities: Indicate that, although article 37, section 5, does not
specifies the professional qualities that must be taken into account when
appointment of the DPO, an important factor is that he has knowledge
on national and European protection legislation and practices
of data and a deep understanding of the GDPR.
- Ability to perform their duties: The DPO's ability to
perform their functions must be interpreted both in reference to their
personal qualities and knowledge as to his position within the
organization.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 36/60
Personal qualities should include, for example, integrity and a level
high professional ethics; the primary concern of the DPD should be
enable compliance with the GDPR.
The DPD plays a key role in promoting a culture of
data protection within the organization and contributes to the application of
essential elements of the GDPR, such as the principles related to the treatment of
data, the rights of the interested parties, the protection of the data from the
design and by default, recording of processing activities, security
of the treatment and the notification and communication of the violations of the
data security.
On the other hand, the need to provide the DPO with the necessary resources for the
performance of their duties is included as an obligation of the person in charge
in article 38.2 of the RGPD: "The person in charge and the person in charge of the treatment
will support the data protection officer in the performance of the
functions mentioned in article 39, providing the necessary resources
for the performance of said functions and access to personal data and
processing operations, and for the maintenance of their knowledge
specialized”.
In particular, the following aspects should be taken into account: · Active support
to the work of the DPD by senior management (at the level of the board of
administration). Sufficient time for the DPO to comply with its
functions, which is particularly important when appointing a DPO
internal part-time or when the external DPO carries out the protection of
data in a complementary way to other obligations.
Otherwise, conflicting priorities could lead to neglect of the
DPO obligations. It is essential to have enough time to
dedicate it to DPD tasks. It is good practice to establish a
percentage of time for the DPD's own work when it is not carried out
full time. It is also good practice to determine the time
necessary to perform the work, the appropriate level of priority for the
functions of the DPO and for the DPO (or organization) to write a plan of
job. Adequate support in terms of financial resources, infrastructure
(premises, facilities, equipment) and personnel, as required. ·
Therefore, what is essential is that DPDs meet the training and
independence that allow them to adequately develop the functions that the
GDPR assigns them, as Recital 97 of the GDPR recalls, "The level of
necessary specialized knowledge must be determined, in particular, according to
of the data processing operations carried out and the protection
required for personal data processed by the person in charge or in charge”.
In this way, and provided that its independence is adequately guaranteed, it
relevant is that the functions assigned to the DPD can be carried out effectively,
taking into account, equally, the criterion of availability, fundamental
to ensure that data subjects can easily contact the DPO (according to
to article 38.4 of the GDPR, "interested parties may contact the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 37/60
data protection officer for all matters relating to the
processing of your personal data and the exercise of your rights under the
this Regulation").
In conclusion, these functions can be carried out effectively if the following are met:
training requirements when proceeding with the appointment of the DPO and is endowed with the
necessary resources, including, as noted by the Article 29 Group, a DPO team
(a DPD and his staff), a team that must be proportional to the size and structure of the
organization, as well as the sensitivity, complexity and amount of data that
an organization deals with, and the availability of the DPO must be guaranteed so that
interested parties can contact him, as well as communicate with the authorities of
Data Protection.
Focusing now on the questions related to independence and the possible
conflicts of interest of the delegate, must comply with the legal norms that the
regulates the position of the delegate in his relations with the person in charge and/or with the
treatment manager. Thus, article 36 of the LOPDDD provides the following:
"Position of the data protection officer" 1. The data protection officer
data will act as interlocutor of the person in charge or in charge of the treatment
before the Spanish Data Protection Agency and the authorities
data protection regulations. The delegate may inspect the
procedures related to the purpose of this organic law and issue
recommendations within the scope of their competences. 2. When it comes to
a natural person integrated into the organization of the person in charge or in charge
of the treatment, the data protection officer may not be removed or
sanctioned by the person in charge or in charge for carrying out their duties
unless he incurred in willful intent or gross negligence in his exercise.
The independence of the data protection officer will be guaranteed within the
organization, avoiding any conflict of interest.” For his part, he
Article 38.3 of the GDPR, when regulating the position of the Data Protection delegate,
underlines their independence by pointing out that the person in charge and the person in charge of the
treatment will guarantee that the data protection officer does not receive any
instruction regarding the performance of said functions, and cannot be
dismissed or sanctioned by the person in charge or in charge of carrying out their
functions, and reporting directly to the highest hierarchical level of the
responsible or in charge.
In addition, according to the Article 29 Group document “Guidelines on the
Data Protection Delegates”, last revised and adopted on April 5
of 2017 -WP243-, their appointment must take into account the element
regarding the independence of the DPO. Thus, article 38.3 of the GDPR establishes some
basic guarantees for delegates to act independently within the
organization in which they provide their services, including that "they do not receive any
instruction relative to the exercise of their tasks”.
It is important to note that those bound to comply with the GDPR are responsible
or the person in charge of the treatment, so that, if they adopt decisions contrary to the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 38/60
rule and advice provided by the delegate, he must be given the possibility
to clearly express their dissatisfied opinion regarding said decisions.
The aforementioned article 38.3 also refers to the fact that the delegates of
data protection "should not be dismissed or penalized by the person in charge or the
entrusted with carrying out its functions", which supposes a reinforcement of its
autonomy and independence. Yes, you could be fired or sanctioned accordingly
with the applicable contractual, labor or criminal legislation of each country, for reasons
other than the performance of their duties.
In relation to the possible conflict of interest of the delegate, the guidelines on the
data protection delegates adopted by the Protection Working Group
Data of Article 29, -WP243-, state the following: “3.5. Conflict of interest The
Article 38(6) allows DPOs to “perform other functions and duties”.
However, it requires the organization to ensure that "such functions and
tasks do not give rise to a conflict of interest.
The absence of conflict of interest is closely linked to the requirement to act
independently. This assumes, in particular, that the DPO cannot occupy a
position in the organization that leads him to determine the purposes and means of the treatment of
personal information. On the other hand, although DPOs may have other functions,
They can only be entrusted with other tasks and tasks if these do not give rise to
conflicts of interest. Due to the specific organizational structure of each
organization, this should be considered on a case-by-case basis.
As a general rule, conflicting positions within an organization can
include senior management positions (such as CEO, Director of
operations, financial director, medical director, head of the department of
marketing, head of human resources or director of the IT department) but
also other lower positions in the organizational structure if such positions or positions
lead to the determination of the purposes and means of processing.
In addition, a conflict of interest may also arise, for example, if a
DPO representing the controller or processor in court
in cases related to data protection.
From the foregoing it can be deduced that, regardless of the formula adopted for their appointment,
the appointment of the data protection officer must meet the requirements
derived from the principle of independence in the development of its activity, and must
ensure that the performance of their functions and duties do not give rise to conflict
of interests. The provision of a data protection officer in organizations
public or private requires that the selection conform to the legal requirements
established and, in particular, that specialized knowledge in
law and practice of data protection indicated by the GDPR.
For the rest, the formula adopted for the appointment of DPD will depend on the
decision adopted by the entity in which he performs his duties, such as
consequence of its organizational autonomy. However, questions regarding the
autonomy of the organizations in which the delegates belong, clearly
derived from the regulations analyzed in this report, cannot be an obstacle to the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 39/60
necessary guarantee of the independence of the data protection officer - ex
article 38 GDPR- within the framework of internal and external legal relations that
maintain in the development of its functions.
Thus, in any case, it will be enforceable, as provided for in article 36 of the LOPDGDD,
that (i) in the case of a natural person integrated into the organization of the
responsible or in charge of the treatment, the data protection officer does not
may be removed or penalized by the person in charge or in charge of carrying out
their functions unless they were guilty of intent or gross negligence in their exercise, that (ii)
the independence of the data protection officer is guaranteed within the
organization, avoiding any conflict of interest, and that (iii) when the
data protection delegate appreciates the existence of a relevant violation in
data protection matters, document it and immediately notify the
administrative and management bodies of the person in charge or in charge of the treatment.
In short, although Section 4 of CHAPTER IV of the GDPR -articles 37 to 39-,
contemplates for DPOs wide possibilities regarding their appointment and
frame in the organization of the entities to which its designation refers, not
it is less true that said autonomy must be reconciled with the demands derived
of the principle of independence of the delegate, and it must be guaranteed that the exercise of
their duties do not give rise to situations of incompatibility or conflict of interest.
In the legal norms that regulate the figure of the data protection delegate, it is
configure the requirement of their independence as inherent to the performance of their
functions.
In the case at hand, the Governing Board of the College of Architects of
Grenada, in a session held on 04/11/19, adopted the agreement to designate the
*** POSITION 1 of said College as Data Protection Delegate (DPD), and thus
it is certified in the letter sent by the Association to the claimant on 08/30/21: "(...) Therefore,
Therefore, I can inform you that, currently, the Data Protection Delegate of the
Official College of Architects of Granada is his *** POSITION. 1 D. B.B.B. (…)”.
In the Order of February 20, 2018, which approves the modification of the
Statutes of the Official College of Architects of Granada establishes, in its article 13
and 14, the functions and composition of its Governing Board; in its article 15, the
functions of the Permanent Commission and in its article 17, the functions of the
*** POSITION 1 of the College.
As we have previously indicated, Section 4 of CHAPTER IV, of the GDPR -
articles 37 to 39-, regulates in detail the figure of the DPD and in relation to the
interpretation and application of these precepts, you can refer to the guidelines contained
in the document of the Group of Article 29 “Guidelines on the Delegates of
Data Protection" -WP243-, last revised and adopted on April 5,
2017: (https://ec.europa.eu/newsroom/article29/itemdetail.cfm?item_id=612048).
This regulation is complemented by the provisions of CHAPTER III of the
TITLE V of the LOPDGDD-, whose articles 34 to 37 contain some
specialties directly applicable to our domestic law. Thus, article 36
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 40/60
LOPDGDD guarantees the independence of the DPO within the organization, having to
avoid any conflict of interest.
For its part, article 38.3 of the GDPR, when regulating the position of the DPD, underlines its
independence by stating that the person in charge and the person in charge of the treatment
will ensure that the data protection officer does not receive any instructions in
regarding the performance of said functions, and cannot be dismissed or
sanctioned by the person in charge or the person in charge for carrying out their functions, and
reporting directly to the highest hierarchical level of the person in charge or
in charge.
In the specific case that he does not occupy, the functions as *** POSITION 1 of the College of
Architects of Granada that incur in a conflict of interest, are all those in
the one that carries out activities or advises as ***POSITION.1 on issues that may
be affected by the data protection of the members, personnel at the service of the
School or users of the same and also have to develop the functions of
a DPD.
If we look at the functions of *** POSITION 1 of the Official College of
Architects (article 17) that can be influenced by data protection, we
we find that it has powers to: 2. Provisionally resolve on the
admission of new members in accordance with the provisions of these
Particular Statutes. 3. Receive and process all requests and communications that
addressed to the College and its different Bodies, reporting them to whoever
corresponds. 4. Issue the certifications that are requested and must be issued and
keep the registration book of collegiate. 5. Annually formulate the lists of collegiate
in its different versions. These lists must be arranged annually in the
deadlines provided in these Particular Statutes for the purposes of elections. 6.
Make notifications of high and low college. 7. Keep the minute books of the
meetings of the General Assembly of collegiate, Governing Board and the Commission
Permanent and transfer the agreements, monitoring compliance with the
themselves.
Likewise, ***POSITION.1 is an ex officio member of the Governing Board, whose
functions (article 13.2), which may be affected by data protection, the
following: c) Resolve the applications for the incorporation of new members, of dismissals
collegiate and on the suspension of collegiate services and collegiate status.
e) Collect, distribute and manage the School's funds, in accordance with the provisions of
the Title on Economic and Patrimonial Regime of the present Statutes
individuals. k) Exercise the disciplinary function and adopt precautionary measures, initiating,
ex officio or by virtue of a complaint, the disciplinary proceedings, in which the
corresponding Resolution.
Also, as a member of the Permanent Commission of the Official College (article 15),
that it has as functions, which may be affected by data protection, the
following: 1. Put into practice the guidelines issued by the Governing Board. 2.
Propose to the Governing Board as many acts as a consequence of the
competences that it has assumed. 3. The adoption of the necessary measures
for the fulfillment of the agreements of the Governing Board. 4. Organize the
College office services.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 41/60
In greater abundance, it means that *** POSITION 1 of this official school forms
part of these two collegiate management and administration bodies, which determine
purposes and means of treatment, with voice and vote, in such a way that, in addition to their
advice, their will conforms to that of the collegiate body.
Therefore, taking into account the functions that, according to the GDPR, correspond to the DPD and the
functions that, according to the Order of February 20, 2018, which approves the
Modification of the Statutes of the Official College of Architects of Granada,
correspond to the Governing Board and the Permanent Commission of the Official College
of Architects of Granada, in addition to those of the position of ***POSITION.1, it is
the existence of a conflict of interest on the part of ***POSITION.1 of the
Official College of Architects of Granada to act as DPO of said Organism,
since it was appointed as DPD on 04/11/19 until 04/26/22 when it was adopted
the decision to replace him.
b).- Regarding the alleged lack of information in the forms on “complaints and
claims”, referring to the treatment of personal data obtained in the
themselves.
As could be verified by this Agency, on 07/27/22, when accessing the document
Refer to the "Member Complaints and Claims Sheet" through the link:
https://coagranada.es/wp-content/uploads/2021/02/Hoja_queja_reclamaciones_cole-
giados_V02.pdf
You can read, in the lower part of it, below the form, the following le-
yenda:
“Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001
Grenade. General Secretary. Area of Attention to the Collegiate and the User.
The data collected will form part of the COAGRANADA File, being the
Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing
in the case of exercising the rights of access, opposition, rectification and cancellation
celación, in accordance with the L.O.P.D.”
It was also possible to verify that same day, 07/27/22, that in the document "Hoja de
Complaints and Claims from Consumers and Users" accessible at the link:
https://coagranada.es/wp-content/uploads/2021/02/Hoja_queja_reclamaciones_consu-
midores_V02.pdf
there was the following legend:
“Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001
Grenade. General Secretary. Area of Attention to the Collegiate and the User.
The data collected will form part of the COAGRANADA File, being the
Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 42/60
in the case of exercising the rights of access, opposition, rectification and cancellation
celación, in accordance with the L.O.P.D.”
In the brief of allegations to the initiation of the file, presented by the entity
claimed before this Agency on 09/29/22, it was indicated, among others, that: "(...) Regarding
to the sanction referred to for the violation of art. 13 GDPR, we must record
of the application of the proposed corrective measure and that all the information has been incorporated.
information referred to in art. 13 of the GDPR to the forms available to both
Collegiate as well as the general public, for which we request that you take into
account this measure under art. 83.2.c) of the GDPR (…)”.
In the verification carried out by this Agency after writing allegations of
the sheets of complaints and claims of the College of Architects of Granada, accessed
via the link https://coagranada.es/quejas-y-reclamaciones/, it was requested to read
The next message:
Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001
Grenade. General Secretary. Area of Attention to the Collegiate and the User.
In compliance with the provisions of EU Regulation 2016/679, of 27
April 2016, hereinafter GDPR, the Official College of Architects of Granada
with address at PLAZA DE SAN AGUSTÍN 3, 18001 GRANADA and NIF nº
Q1875003D informs you that the collection and processing of your data through the
The purpose of this form is the administrative, fiscal and con-
table provided for in the legislation of professional associations and our statutes.
Your data may be communicated to the General Council of Official Colleges
of Architects, related organizations and the Public Administration without prejudice to
other assignments provided by law. Your data will be kept during the
time necessary to comply with legal obligations. At any mo-
moment you can consult the additional information of this treatment or exercise
the rights of access, rectification, deletion and opposition, portability and limitation
treatment by directing your request to the address indicated above or by
email to protecciondedatos@coagranada.org. Also, if you consider
violated your right to the protection of personal data, you may file
a claim before the Spanish Data Protection Agency (www.a-
gpd.es).
Well, article 12.1 of the GDPR establishes, regarding the requirements that must be met
the information that the data controller must make available to the interested parties
resados, the following:
"1. The person in charge of the treatment will take the appropriate measures to facilitate
to the interested party all the information indicated in articles 13 and 14, as well as any
any communication pursuant to articles 15 to 22 and 34 relating to the treatment
information, in a concise, transparent, intelligible and easily accessible form, with a slow
clear and simple language, in particular any information directed specifically-
mind a child The information will be provided in writing or by other means,
including, if applicable, by electronic means. When requested by the interested party,
The information may be provided orally provided that identity is proven.
of the interested party by other means (…)”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 43/60
And for its part, article 13 of the GDPR, details the information that must be provided to the
interested when the data is collected directly from him, establishing the following:
next:
"1. When personal data relating to him or her is obtained from an interested party, the
responsible for the treatment, at the time they are obtained, will provide you with
tare:
a) the identity and contact details of the person in charge and, where appropriate, their re-
presenter; b) the contact details of the data protection officer, in
Their case; c) the purposes of the processing for which the personal data is intended and the
legal basis of the treatment; d) when the treatment is based on article 6,
paragraph 1, letter f), the legitimate interests of the controller or a third party; and)
recipients or categories of recipients of personal data, in
Their case; f) where appropriate, the intention of the person responsible for transferring personal data
to a third country or international organization and the existence or absence of
an adequacy decision by the Commission, or, in the case of transfers
indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph,
reference to the adequate or appropriate guarantees and to the means to obtain
a copy of these or the fact that they have been provided.
2. In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party, at the time the data is obtained,
personal data, the following information necessary to guarantee treatment
fair and transparent data management: a) the period during which the data will be kept;
personal data or, when this is not possible, the criteria used to determine
nar this term; b) the existence of the right to request the data controller
access to personal data relating to the interested party, and its rectification
tion or deletion, or the limitation of its treatment, or to oppose the treatment,
as well as the right to data portability; c) when the treatment is-
tea based on Article 6(1)(a) or Article 9(2)(2)
a), the existence of the right to withdraw consent at any time,
without this affecting the legality of the processing based on prior consent.
he saw his withdrawal; d) the right to lodge a complaint with an authority
of control; e) if the communication of personal data is a legal requirement or
contractual, or a necessary requirement to sign a contract, and if the interested party
is obliged to provide personal data and is informed of the possi-
possible consequences of not providing such data; f) the existence of decisions
automated, including profiling, referred to in article 22,
paragraphs 1 and 4, and, at least in such cases, significant information about the
applied logic, as well as the significance and intended consequences of that
treatment for the interested party.
Therefore, it is evident that, at least since the claimant submits the brief
claim on 12/21/21 to 09/29/22, date on which the claimed party filed
the allegations to the initiation indicating having solved the observed deficiencies
given by this Agency, there is a violation of the provisions of the GDPR res-
regarding the information that must be provided to users when obtaining
of them your personal data, such as the identity and contact details of the person responsible.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 44/60
ble, the purposes of the processing for which the personal data is intended and the legal basis
of the treatment; the possible recipients or categories of recipients of the data
personal cough, if applicable; the period during which the personal data will be kept
or, when this is not possible, the criteria used to determine this term or the
right to file a claim with a control authority, for which
comply with the provisions of current regulations on data protection.
c).- About the Cookies Policy of the website https://www.coagranada.es/.
On 07/27/22, it was found that when entering the website of the College
Oficial de Arquitectos de Granada https://www.coagranada.es/ two were used
cookies "PHPSESSID" and another from Google, "_GRECAPTCHA".
According to Opinion 4/2012 of WP 194 on the exemption of the requirement of
cookie consent, the exemption applied to authentication cookies could
apply to others introduced specifically to strengthen the security of the service
requested, for example, those cookies whose purpose is to detect attempts
erroneous and repeated connection to a website or for protection of the information system
connection against abuses as in the case of “_GRECAPTCHA”.
However, after browsing the website, it was observed that cookies were installed
from third parties of a non-excepted nature, which were not reported in the policies. HE
It so happens that these analytical cookies are installed through the insertion
of an interactive map of the Institute for Geoenvironmental Health of the Vivo Foundation
Healthy on the page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/
.
In the subsequent checks carried out by this Agency, regarding the
"Cookies Policy" of the website https://www.coagranada.es/, on 04/10/23 the
last one on 05/03/23, it is observed that the web only uses the cookie
“_GRECAPTCHA”, established in order to provide its risk analysis against
the erroneous and repeated attempts to connect to the web.
In this sense, the GT29, in its Opinion 4/2012, interpreted that among the cookies
excepted would be the user input Cookies" (those used to
fill in forms, or as management of a shopping cart); cookies from
authentication or user identification (session); user security cookies
(those used to detect erroneous and repeated attempts to connect to a site
Web); media player session cookies; session cookies to balance
load; user interface customization cookies and some of
complement (plug-in) to exchange social content.
These cookies would be excluded from the scope of application of article 22.2 of the
LSSI, and, therefore, it would not be necessary to inform or obtain consent about your
use. On the contrary, it will be necessary to inform and obtain the prior consent of the
user before the use of any other type of cookies, both first and second
third party, session or persistent.
Therefore, the use of third-party cookies of a non-excepted nature,
during the time they were active, at least since 07/27/22, date of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 45/60
detection by this Agency of said cookies until 04/10/23, suppose for
part of the defendant, the commission of the infringement of article 22.2 of the LSSI.
Regarding the application of the principle of proportionality alleged by the entity
claimed, it must be indicated that it is not applicable because in the present case, the file
penalized for infraction of article 22.2 of the LSSI, it was only considered as
aggravating, the existence of intentionality, an expression interpreted as equivalent to
degree of guilt in accordance with the Judgment of the National Court of
11/12/07 relapse in Appeal no. 351/2006.
d).- On the possible application of article 77.2 of the LOPDGDD in the present case.
The art. 83.7 of the GDPR establishes that: "Without prejudice to the corrective powers of the
control authorities (…) each Member State may establish rules on whether
can, and to what extent, impose administrative fines on authorities and bodies
public establishments established in that Member State".
In application of the aforementioned article, article 77 LOPDGDD, on the regime applicable to
certain categories of controllers or processors, establishes,
on the regime applicable to the Entities that make up the Public Administration, which
following:
"1. The regime established in this article will be applied to the treatments
of those who are responsible or in charge: (...)
g) Public law corporations when the purposes of the treatment
related to the exercise of public law powers.
Before entering into its analysis, previously, it must be taken into account that the
Professional Associations, are corporations of Public Law, protected by the Law
and recognized by the State, with its own legal personality and full capacity to
the fulfillment of its purposes.
Despite qualifying as a Public Law corporation, it is necessary to have
present that it can also exercise functions of a legal-private nature,
depending on whether the College is acting in the exercise of public functions or, for the
contrary, in the exercise of private functions.
Before continuing, clarify the error by referring to Law 7/2006, of May 31,
when it should actually have been referred to as the head of the applicable regulations
to professional associations, to Law 2/1974, of February 13, on Associations
Professionals, although this Law was already referenced and included in the tag "(...) or
other regulations”.
Well, even though the Professional Associations are legal corporations
Public, protected by law and recognized by the State, with legal personality
own and full capacity for the fulfillment of its purposes (art. 1.1 Law 2/1974, of 13
February, of Professional Associations) have a mixed nature that implies that,
Indeed, the Colleges carry out public functions, but they also carry out
activities and provide services to their members under private law.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 46/60
It is true that the legal regime of these organizations is necessarily complex.
since it lacks uniformity and has to adapt to nature (public or
private) of the activity carried out by the College at all times. The functions
practices to be exercised by the Professional Associations are, essentially, the management of the
professional practice, which includes the exercise of sanctioning power and control
compliance with ethical standards. In the absence of such functions
public, it is not possible to speak properly of Colleges but of private associations
dedicated to the achievement of goals oriented to the exclusive benefit of their
members.
As we have already indicated in section a).- “Regarding the alleged conflicts of
interests of the Data Protection Officer (DPO) in the person of ***POSITION.1
of the Official College of Architects of Granada”, the functions of the *** POSITION.1
of the Official College of Architects (article 17) that can be affected by the
data protection, we find that it has powers to: 2. Resolve
provisionally about the admission of new members in accordance with
the provisions of these Particular Statutes. 3. Receive and process all requests and
communications addressed to the College and its different Bodies, giving an account of
them to whom it may concern. 4. Issue the certifications that are requested and must be
issued and keep the registration book of collegiate. 5. Formulate annually the lists of
collegiate in its different versions. These lists must be annually
arranged within the terms set forth in these Particular Statutes for the purposes of
elections. 6. Make notifications of college registrations and withdrawals. 7. Carry the books
of minutes of the meetings of the General Assembly of collegiate, Governing Board and
of the Permanent Commission and transfer the agreements, keeping track of the
compliance thereof.
Likewise, ***POSITION.1 is an ex officio member of the Governing Board, whose
functions (article 13.2), which may be affected by data protection, the
following: c) Resolve the applications for the incorporation of new members, of dismissals
collegiate and on the suspension of collegiate services and collegiate status.
e) Collect, distribute and manage the School's funds, in accordance with the provisions of
the Title on Economic and Patrimonial Regime of the present Statutes
individuals. k) Exercise the disciplinary function and adopt precautionary measures, initiating,
ex officio or by virtue of a complaint, the disciplinary proceedings, in which the
corresponding Resolution.
In greater abundance, it means that, in this specific case, the claim is
constrains "the privacy of the data of the members and therefore their rights", for
which goes beyond public functions.
Therefore, in the present case, the conflict of interest detected in the appointment
*** POSITION 1 of the College as Data Protection Delegate as we have already
set forth in section a).- “Regarding the alleged conflicts of interest of the Delegate
of Data Protection (DPD) in the person of *** POSITION 1 of the Official College of
Arquitectos de Granada", and the lack of information provided in the sheets of
claims of the College, on the treatment of personal data of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 47/60
private users, have no place in any of the public functions that
attributed by the regulations, so it would not be possible to apply in this case what is established in the
Article 77 of the LOPDGDD and on the "Cookies Policy", indicate that they are governed by the
LSSI, therefore art. 77 of the LOPDGDD.
e).- On the allegations presented regarding the Resolutions of this Agency
of May 24, 2021, Procedure No.: PS/00416/2020 and of May 11, 2021,
Procedure No.: PS/00347/2020
In the resolution of PS/00416/2020, the following can be read verbatim:
"(...) It should be noted that the GDPR, without prejudice to what is established in its
article 83, contemplates in its article 77 the possibility of resorting to the sanction of
warning to correct the processing of personal data that is not
conform to their forecasts, when those responsible or in charge
listed in section 1 committed any of the offenses to which
Articles 72 to 74 of this organic law refer (...).
However, as we have previously indicated, the conflict of interest detected
in the appointment of ***POSITION.1 of the Association as Delegate of Protection of
data, and the lack of information provided in the claims forms of the
Colegio, on the treatment of personal data of private users, not
have no place in any of the public functions attributed to them by the regulations, so
that it would not be possible to apply either, in this case what is established in article 77 of the
LOPDGDD.
d).- On the absence of determination of the type corresponding to the sanctions
proposals and lack of motivation to determine their amount,
alternatively and secondarily, invocation of the principle of proportionality.
Violations in the field of data protection are typified in the sections
4, 5 and 6 of article 83 of the GDPR. It is a classification by referral, admitted
fully by our Constitutional Court. In this sense, also article 71
of the LOPDGDD makes a reference to them by stating that "They constitute
offenses the acts and behaviors referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law”.
In this sense, the Opinion of the Council of State of October 26, 2017 regarding
to the Draft Organic Law on Protection of Personal Data
provides that "The European Regulation does typify, even though it does so in a sense
generic, conduct constituting an infringement: in effect, sections 4, 5 and 6 of
its article 83 contains a catalog of infractions for violation of the precepts
of the European standard indicated in such sections.
The offenses established in articles 72, 73 and 74 of the LOPDGDD are only for
effects of the prescription, as stated in the beginning of each and every one of these
precepts. This need arose in our State since it does not exist in the GDPR
any reference to the statute of limitations relating to offences, given that this institute
legal is not specific to all EU Member States.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 48/60
We must start from the fact that the GDPR is a directly applicable legal norm, which has
been developed by the LOPDGDD, only in what the first allows. So
is clear and as regards the prescription in the explanatory statement of the
LOPDGDD when it states that "The categorization of offenses is introduced to
the sole purpose of determining the prescription periods, having the description of
the typical behaviors as the only object the enumeration of exemplary way of
some of the punishable acts that should be understood as included within the types
general established in the European standard. The organic law regulates the assumptions of
interruption of the prescription based on the constitutional requirement of the
knowledge of the facts that are imputed to the person”.
It results from the application and interpretation of the RGPD, and not from the LOPDGDD, which
determines the seriousness of an infringement based on a series of conditions
provided therein.
As we can see, the RGPD does not present a typification in
very serious, serious or minor infractions typical of the Spanish legal system, nor
neither can it be deduced from his diction that the violation of the precepts of the
article 83.4 of the GDPR correspond to minor infractions and the precepts of article
83.5 or article 83.6 of the GDPR correspond to serious infringements.
Thus, recital 148 speaks of serious infringements as opposed to minor ones
when it determines that, “In case of minor infraction, or if the fine that is likely to
were imposed would constitute a disproportionate burden on a natural person, in
place of sanction by means of a fine, a warning may be imposed. must not
However, special attention should be paid to the nature, severity and duration of the
infraction, to its intentional nature, to the measures taken to alleviate the damages and
damages suffered, the degree of responsibility or any previous infringement
pertinent, to the way in which the supervisory authority has learned of the
infringement, compliance with measures ordered against the person responsible or in charge,
adherence to codes of conduct and any other aggravating or
extenuating.".
For all these reasons, the seriousness of an infringement is determined for the purposes of the GDPR and
with the elements endowed by it.
Once again, we bring up the aforementioned Opinion of the Council of State, which
explains in great profusion: "On the other hand, the European Regulation does not distinguish,
when setting the amount of the sanctions, between very serious, serious and minor infractions,
as stated in the preamble to the Draft. Actually, the European standard
is limited to distinguishing, depending on the maximum quantitative limit of the fine to be imposed,
among some infractions that can be sanctioned "with administrative fines of 10
EUR 000 000 maximum or, in the case of a company, an amount
equivalent to a maximum of 2% of the total annual global business volume of the financial year
previous financial" (section 4 of article 83), and other infractions that can be
sanctioned "with administrative fines of a maximum of 20,000,000 EUR or,
in the case of a company, an amount equivalent to a maximum of 2% of the
overall annual total turnover of the previous financial year" (paragraphs 5 and 6
of article 83). From this distinction it can be deduced that, for the Law of the European Union,
the offenses typified in sections 5 and 6 of article 83 can reach
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 49/60
have the same and greater seriousness than those contemplated in section 4 of the
same article 83 of the European Regulation. The European standard is thus limited to
establish two categories of offenses based on their seriousness.
The limitation periods for infringements are not provided for in the
European Regulation and, therefore, there is a tacit but peaceful understanding that
Member States have the power to establish such terms. The
determination of such deadlines must be based, as is well known, on the
severity of the offence.
Well, the offenses provided for in section 4 of article 83, on the one hand, and in the
paragraphs 5 and 6 of article 83 of the European Regulation, on the other, have a different
maximum limit -10,00,000 euros or 2% of the business volume in the first case,
20,000,000 euros or 4% of the business volume in the second- but the same limit
minimum, which in both cases is 1 euro. The existence of such wide margins
quantitative indicates that the violations of article 83, whether those of section 4 are
those of sections 5 and 6, can be of very different entity and that, for this reason, do not
may have the same limitation period those offenses that, due to their
severity, are close to the upper quantitative limit than those other
that, due to their lightness, are closer to the lower quantitative limit.
In such circumstances, the setting of the limitation periods would not be resolved.
satisfactorily, applying to the infractions of the precepts mentioned in
sections 5 and 6 of article 83 a term longer than the infringements of the
precepts mentioned in section 4 of article 83, given that infringements
contemplated both precepts, in case of being light, they would require a period of
lower prescription.
From this point of view and with the sole purpose of establishing its limitation period,
A distinction has been made between "merely formal infringements" and "violations
substantial" of such precepts, considering the former as "violations
minor" with a limitation period of one year and the latter as "violations
serious" and "very serious" with prescription periods of two and three years
respectively. In the opinion of the Council of State, this classification of offences,
to the extent that it is carried out for the sole purpose of determining certain terms of
statute of limitations for offenses not provided for in the European Regulation, cannot
be understood contrary to the provisions of the European standard.
This classification is not, however, important in terms of the amount of the
fines. The determination of the amount of the fines to be imposed for the violation of
the precepts mentioned in sections 4, 5 and 6 of article 83 of the Regulation
In accordance with the European standard, it is the responsibility of the control authorities, of
according to the graduation criteria established in section 2 of this same
provision, among which is the "nature" or "seriousness" of the offence".
Within the quantitative limits established by the European Regulation, the
control authorities, according to the greater or less seriousness of the infringement,
They must fix the amount of the fines. Certainly, the margins available to the
control authorities are very large - from 1 euro to 10,000,000 euros per violation of
the precepts mentioned in section 4 of article 83 and from 1 euro to 20,000,000
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 50/60
euros for violation of the precepts mentioned in sections 5 and 6-, which
confers on such authorities a high degree of discretion, far superior to those
which is usual in countries of our legal tradition.
It is, in any case, the model desired by the European Regulation, hence the
distinction between minor, serious and very serious infractions contemplated in the
Draft may not have a consequence in determining the maximum amount
of minor infractions, and in any case the determination of their
amount made by the control authorities, according to the circumstances of the case
concretely, within the limits established in that regulation”.
Thus, the classification of offenses for the purposes of the prescription of
LOPDGDD does not have virtuality in terms of determining the severity of the
infringement for the purposes of the GDPR or with respect to the imposition of fines
corresponding”.
Well then, in the proposed resolution of this file, notified to the
concerned on 04/10/23, the facts that are considered
proven and their exact legal classification in the section "PROVEN FACTS" and in
the FD II in response to the allegations indicated the following:
In point a).- On the alleged conflicts of interest of the Delegate of
Data Protection (DPD) in the person of *** POSITION 1 of the Official College of
Architects from Granada.
The offense was determined:
Therefore, taking into account the functions that, according to the GDPR, correspond to the
DPD and the functions that, according to the Order of February 20, 2018, by which
the modification of the Statutes of the Official College of Architects is approved
of Granada, correspond to the Governing Board and the Permanent Commission
of the Official College of Architects of Granada, in addition to those of the position
of ***POINT.1, it is evident the existence of a conflict of interest for
part of *** POSITION 1 of the Official College of Architects of Granada for
act as DPO of said Organism, finding ourselves before the violation of the
article 38.6) of the GDPR.
The person responsible and the proposed sanction were identified:
“FIRST: That by the Director of the Spanish Agency for the Protection of
Data is sanctioned to the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA,
owner of the website, https://www.coagranada.es/, by:
Violation of article 38.6 of the GDPR, due to the conflict of interest detected in
the appointment of *** POSITION 1 of the College as Protection Delegate
of data, with a penalty of 5,000 euros (five thousand euros) (...)
In accordance with the provisions of the GDPR, the amount of the fine was valued at 5,000 euros,
that is in the lower section of the possible sanctions, thus giving
compliance with the provisions of article 83.1 of the GDPR: "Each control authority
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 51/60
ensure that the imposition of administrative fines under this
article for the infringements of this Regulation indicated in sections 4, 5 and
6 are in each individual case, effective, proportionate and dissuasive.”
On the other hand, article 83.2 of the GDPR states that "administrative fines shall be
will impose, depending on the circumstances of each individual case, additionally
or substitute for the measures referred to in article 58, paragraph 2, letters a) to h) and
j). When deciding the imposition of an administrative fine and its amount in each case
will be duly taken into account:” (emphasis added).
That is, it provides for the assessment of the penalty as a whole, taking into account each and every
one of the concurrent circumstances in the specific case and that are
provided for in the aforementioned precept.
The jurisprudence pronounces itself along the same lines when it refers to the principle of
proportionality, "fundamental principle that beats and presides over the graduation process
of sanctions and implies, in legal terms, "its adequacy to the seriousness of the
fact constituting the infringement" as provided in article 29.3 of Law 40/2015,
of the Legal Regime of the Public Sector, given that any sanction must be determined in
consistency with the entity of the offense committed and according to a criterion of
proportionality in relation to the circumstances of the fact.” (Sentences of the
Supreme Court of December 3, 2008 (rec. 6602/2004) and April 12, 2012
(rec. 5149/2009) and Judgment of the National Court of May 5, 2021 (rec.
1437/2020), among others).
Thus, the Judgment of the Third Chamber of the Supreme Court, dated May 27,
2003 (rec. 3725/1999), indicates that "Proportionality, pertaining specifically to
to the scope of the sanction, constitutes one of the principles that govern the Law
Sanctioning administrative, and represents an instrument of control of the exercise of the
disciplinary power by the Administration within, even, the margins that, in
principle, indicates the applicable rule for such exercise. It is certainly a concept
difficult to determine a priori, but which tends to adjust the sanction, by establishing
its specific graduation within the indicated possible margins, to the severity of the
fact constituting the infringement, both in its aspect of unlawfulness and of
guilt, weighing as a whole the objective and subjective circumstances
that make up the budget of punishable fact (...)"
We can also cite for this purpose the Supreme Court Judgment 713/2019, of 29
of May (rec. 1857/2018): "We will begin by pointing out that the proportionality of the
sanctions implies that they come tempered to the particular gravity
of the fact in conjunction with the circumstances of a subjective nature (which refer to the
offender) and objective (which refer to the typical fact) being that in the field of law
administrative sanction in general and in the field of the stock market in
In particular, there are no dosimetry criteria similar to those included in the article
66 of the CP and that the modifying circumstances differ from those of the scope
penal. Let us remember that there is no room for automatic application, without any qualification of the
guiding principles of criminal law to the sanctioning administrative procedure
(S.TS 6-10-2003 Rec.772/1998).”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 52/60
For this reason, Directives 04/2022 of the European Committee for Data Protection on the
calculation of administrative fines in accordance with the RGPD, in its version of 12
May 2022, submitted to public consultation, indicate that "As regards the
evaluation of these elements, increases or decreases in a fine do not
They can be previously determined through tables or percentages. It is reiterated that the
The actual quantification of the fine will depend on all the elements collected during the
research and other considerations also related to the experiences
of the supervisory authority regarding fines.”
In point b).- Regarding the alleged lack of information in the forms on “complaints
and claims”, referring to the treatment of personal data obtained in the
themselves.
The offense was determined:
“From what is evident that the forms lacked the necessary information
ria established in article 13 GDPR, such as, for example, the identity and
contact details of the person in charge, the purposes of the treatment for which they are intended
the personal data and the legal basis of the treatment; the possible recipients
names or categories of recipients of personal data, if applicable; he
period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this term or the right to pre-
file a claim with a control authority, for which they failed to comply with the
stipulated in the current regulations on data protection
The person responsible and the proposed sanction were identified:
“FIRST: That by the Director of the Spanish Agency for the Protection of
Data is sanctioned to the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA,
owner of the website, https://www.coagranada.es/, by:
(...) Violation of article 13 of the GDPR, due to the lack of information
provided in the claims forms, on the treatment of the data
obtained, (with a penalty of 8,000 euros) (...)
In accordance with the provisions of the GDPR, the amount of the fine was valued at 5,000 euros,
that is in the lower section of the possible sanctions, thus giving
compliance with the provisions of article 83.1 of the GDPR: "Each control authority
ensure that the imposition of administrative fines under this
article for the infringements of this Regulation indicated in sections 4, 5 and
6 are in each individual case, effective, proportionate and dissuasive.”
We reiterate the considerations set forth in the previous section in relation to
with the determination of the amount of the fine.
In point c).- On the treatment of personal data and the "Policy of
Privacy” of the web: https://www.coagranada.es/ whose owner is the Official College of
Granada architects:
The lack of infringement was determined:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 53/60
"Therefore, in the present case, according to the evidence available
At this time, it is considered that the management of personal data that
makes the web page, https://www.coagranada.es/ does not contradict what
stipulated in the RGPD regarding the consent in the treatment of the
personal data and the information that must be provided to the interested party
when your personal data is obtained from it.
In point d).- About the Cookies Policy of the website
https://www.coagranada.es/.
The offense is determined:
"Therefore, the use of third-party cookies of a non-existent nature
excepted, which are not reported in the policies and despite not having
given the consent through the banner could suppose on the part of the
claimed, the commission of the infringement of article 22.2 of the LSSI
The person responsible and the proposed sanction were identified:
“FIRST: That by the Director of the Spanish Agency for the Protection of
Data is sanctioned to the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA,
owner of the website, https://www.coagranada.es/, by:
(...) Violation of article 22.2 of the LSSI, regarding the use of cookies
from third parties of a non-excepted nature, without the consent of the user, with
a penalty of 1,000 euros (one thousand euros).
The fine to be imposed has been determined in application of the provisions determined
in the LSSI.
e).- On the allegations presented as a consequence of the filing in the
exp202101340 and the change of criteria in this file.
According to the claimed party, on 07/08/21, the claimant submitted a written
before this Agency, in the same sense as the present claim, indicating, among
others, that:
"(...) Such is the lack of knowledge regarding PD on the part of this College,
that according to these accredited by their statements, the *** POSITION.1 holds the
title of DPD and Responsible for the processing of personal data at the same
time. As evidenced by the text that accompanies the sheet of
claims of this College, (...)"
Well then, this claim was filed by Resolution of the AEPD dated
of 11/11/21 in file E/08892/2021, indicating in it that:
"(...) Once the reasons presented by the OFFICIAL SCHOOL OF
ARCHITECTS OF GRANADA, who work in the file, it has been verified
the lack of rational indications of the existence of an infringement in the field
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 54/60
competence of the Spanish Data Protection Agency, not proceeding,
consequently, the opening of a disciplinary procedure.
On 11/23/21, the claimant filed an appeal for reversal (RR/0731/21),
against the resolution issued by the Director of the Spanish Agency for the Protection of
Data, in which, among others, it indicated that "the AEPD should clarify whether the DPD and
the ***POINT.1 of COAG can be the same person”.
On 04/04/22, this Agency issued a resolution on the appeal of
replacement RR/0731/21, indicating in it, regarding the issue expressed
by the claimant, in relation to the duplication of charges, DPD and ***POSITION 1 of the
COAG, the following:
"Regarding the appointment as data protection delegate in the same
person who holds the position of ***POSITION.1 general, it should be noted that the
appellant party cannot claim that in the appeal phase the
recounts facts that it did not state in a previous procedural phase.
The LPACAP provides in its article 118: "They will not be taken into account in the
resolution of the appeals, facts, documents or allegations of the appellant,
when having been able to provide them in the claims process, they have not
made. Nor may the practice of evidence be requested when their lack of
realization in the procedure in which the appealed decision was issued outside
attributable to the interested party."
This norm contains a rule that is nothing more than the positive concretion for
the common administrative scope of the general principle that the Law does not cover the
abuse of the right (article 7.2 of the Civil Code), in this case, the abuse of the
procedural law. There is no doubt that this principle is intended to prevent
that the processing of allegations and evidence of the procedures of
application, as it would be if the interested parties could choose, at their discretion,
the moment in which to present evidence and allegations, since this
it would be contrary to an elementary procedural order.
The claimed party has informed that the person designated as delegate of
data protection possesses the competencies and has the knowledge
required for the performance of said position, adding that they have the
collaboration of external professionals who are experts in the matter”.
Therefore, there has not been a change in criteria of the administration, but rather, in the
exposed cases, the reason why they were archived was because there was no proof
sufficient for the imputation of an infraction. In fact, this is how it is stated in the
resolution of inadmissibility, that the principle of presumption of innocence is applied and that,
not having sufficient evidence of non-compliance, we proceed to archive the
claim. In the same sense, the resolution of the appeal of
reinstatement, particularly in relation to that breach, what it says is that in phase
of appeal cannot be taken into account facts other than those valued throughout
of the procedure. This does not prevent a new claim from being filed.
in which aspects can be accredited by the claimant that reveal the
existence of a violation.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 55/60
f).- About the Cookies Policy of the website https://www.coagranada.es/.
On 07/27/22, it was found that when entering the website of the College
Oficial de Arquitectos de Granada https://www.coagranada.es/ a cookie was installed
session ID PHPSESSID and another from Google, _GRECAPTCHA. The first is a cookie
technique and the second is used by websites developed with WordPress as the
which is the object of analysis, to protect web forms from spam and attacks
external.
According to Opinion 4/2012 of WP 194 on the exemption of the requirement of
cookie consent, the exemption applied to authentication cookies could
apply to others introduced specifically to strengthen the security of the service
requested, for example, those cookies whose purpose is to detect attempts
erroneous and repeated connection to a website or for protection of the information system
connection against abuses such as _GRECAPTCHA.
However, after browsing the website, it is observed that cookies are installed
from third parties of a non-excepted nature, which are not reported in the policies, to
despite not having given consent through the banner. the circumstance is given
that these analytical cookies are installed through the insertion of a map
interactive program of the Institute for Geoenvironmental Health of the Vivo Sano Foundation in the
page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/
Therefore, there was a clear violation of current regulations (LSSI) by not informing
the users of the web of the installation of third-party cookies of a non-
excepted.
III.-
Violation committed and Sanction to be imposed
Regarding the alleged conflicts of interest of the Data Protection Officer
(DPD) in the person of ***POSITION.1 of the Official College of Architects of Granada.
In accordance with the available evidence, set forth in section a)
of DF II, it is considered that there is a violation of article 38.6) of the GDPR.
This infraction can be sanctioned with a fine of a maximum of €10,000,000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for the
of greater amount, in accordance with article 83.4.a) RGPD.
For its part, article 73.w) LOPDGDD, considers serious, for the purposes of prescription:
“Not enabling the effective participation of the data protection officer in
all matters relating to the protection of personal data, not
support him or interfere in the performance of his duties”.
In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to
imposed in the present case, it is considered appropriate to graduate the sanction according to
with the following aggravating criteria established in article 83.2 of the GDPR:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 56/60
- The number of interested parties affected by the processing of their personal data
(section a), bearing in mind the relationship that the College of Architects of
Granada has with the registered members, the contracted personnel and with the
users in general.
It is also considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following aggravating criteria, established in article 76.2 of the LOPDGDD:
- The linking of the activity of the offender with the performance of treatment of
personal data, (section b), considering the level of implementation of the
College in the community, in which personal data of
Hundreds of people who access their services.
The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2
LOPDGDD, with respect to the offense committed by violating the provisions of the
Article 38.6 GDPR, allows a final penalty of 5,000 euros (five thousand euros) to be set.
On the other hand, it is not appropriate to require a corrective measure since the DPD of the
Official College of Architects of Granada in another person that is not the *** POSITION.1
of the same.
IV.-
Violation committed and Sanction to be imposed
Regarding the alleged lack of information in the forms on "complaints and
claims”, referring to the treatment of personal data obtained in the
themselves.
In accordance with the available evidence, set forth in section b)
of DF II, it is considered that there is a violation of article 13) of the GDPR
This infraction can be penalized as established in article 83.5.b) of the
GDPR, where it is established that:
Violations of the following provisions will be penalized, according to
with paragraph 2, with administrative fines of EUR 20,000,000 as
maximum or, in the case of a company, an amount equivalent to 4%
maximum of the overall annual total turnover of the financial year
above, opting for the one with the highest amount: a) the rights of the interested parties
pursuant to articles 12 to 22”.
In this sense, article 74.a) of the LOPDGDD, considers light, for the purposes of
prescription:
"Breach of the principle of transparency of information or the right
of information of the affected party for not providing all the information required by the
articles 13 and 14 of Regulation (EU) 2016/679.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 57/60
In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to
imposed in the present case, it is considered appropriate to graduate the sanction according to
with the following aggravating criteria established in article 83.2 of the GDPR:
- The number of interested parties affected by the processing of their personal data
(section a), bearing in mind the relationship that the College of Architects of
Granada has with the registered members, the contracted personnel and with the
users in general.
It is also considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following aggravating criteria, established in article 76.2 of the LOPDGDD:
- The linking of the activity of the offender with the performance of treatment of
personal data, (section b), considering the level of implementation of the
College in the community, in which personal data of
Hundreds of people who access their services.
The balance of the circumstances contemplated in article 83.5.b) of the GDPR, with
regarding the offense committed by violating the provisions of article 13 of the GDPR,
allows a final penalty of 8,000 euros (eight thousand euros) to be set.
On the other hand, it is not appropriate to require a corrective measure as the
Substitution of the information provided in the “complaints and claims” models
adjusting to the provisions of article 13 of the GDPR.
V.-
Violation committed and Sanction to be imposed
About the Cookies Policy of the website https://www.coagranada.es/.
Article 22.2 of the LSSI establishes that users must be provided with information
clear and complete information on the use of storage devices and
data recovery and, in particular, on the purposes of data processing.
This information must be provided in accordance with the provisions of the GDPR.
Therefore, when the use of a cookie entails a treatment that enables the
identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by the regulations on the protection of
data.
However, it is necessary to point out that they are exempted from compliance with the
obligations established in article 22.2 of the LSSI those necessary cookies
for the intercommunication of terminals and the network and those that provide a service
expressly requested by the user.
In this sense, the GT29, in its Opinion 4/2012, interpreted that among the cookies
excepted would be the user input Cookies" (those used to
fill in forms, or as management of a shopping cart); cookies from
authentication or user identification (session); user security cookies
(those used to detect erroneous and repeated attempts to connect to a site
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 58/60
Web); media player session cookies; session cookies to balance
load; user interface customization cookies and some of
complement (plug-in) to exchange social content.
These cookies would be excluded from the scope of application of article 22.2 of the
LSSI, and, therefore, it would not be necessary to inform or obtain consent about your
use. On the contrary, it will be necessary to inform and obtain the prior consent of the
user before the use of any other type of cookies, both first and second
third party, session or persistent.
In this case, when entering the web for the first time, without accepting cookies or making
no action on the page, it has been verified that cookies are not used that
They are not technical or necessary.
However, after browsing the website, it is observed that cookies are used
third parties of a non-excepted nature, which are not reported in the policies, despite
of not having given consent through the banner. The circumstance occurs that
These analytical cookies are installed through the insertion of an interactive map of the
Institute for Geoenvironmental Health of the Vivo Sano Foundation on the page:
https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/
Therefore, the use of third-party cookies of a non-excepted nature,
which are not reported in the policies and despite not having given consent
through the banner could suppose on the part of the defendant, the commission of the
infringement of article 22.2 of the LSSI, since it establishes that:
“Service providers may use storage devices and
recovery of data in terminal equipment of recipients, provided
that they have given their consent after they have been
provided clear and complete information on its use, in particular on
the purposes of data processing, in accordance with the provisions of the Law
Organic 15/1999, of December 13, on the protection of personal data
staff.
When technically possible and effective, the recipient's consent
to accept the processing of the data may be facilitated through the use of the
appropriate parameters of the browser or other applications.
The foregoing will not prevent the possible storage or access of a technical nature
for the sole purpose of carrying out the transmission of a communication over a network of
electronic communications or, to the extent strictly
necessary, for the provision of a service of the information society
expressly requested by the addressee.
This infraction is typified as "mild" in article 38.4 g), of the aforementioned Law, which
considered as such: "Use data storage and recovery devices
when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2.", and may be
sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned
LSSI.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 59/60
In accordance with said criteria, it is deemed appropriate to impose a penalty of 1,000
euros, (thousand euros), for the violation of article 22.2 of the LSSI, for the time that
maintained the use of non-excepted cookies without the prior consent of the
user
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited, the Director of the
Spanish Data Protection Agency
RESOLVES:
FIRST: IMPOSE the OFFICIAL ASSOCIATION OF ARCHITECTS OF GRANADA, with
CIF.: Q1875003D, owner of the website, https://www.coagranada.es/, the following
sanctions:
- For violation of article 38.6 of the GDPR, due to the conflict of interest
detected in the appointment of ***POSITION.1 of the College as Delegate
of Data Protection a sanction of 5,000 euros (five thousand euros).
- For the infringement of article 13 of the GDPR, due to the lack of information
provided in the claims forms, on the treatment of the data
obtained, a penalty of 8,000 euros (eight thousand euros).
- For the violation of article 22.2 of the LSSI, regarding the use of
third-party cookies of a non-excepted nature, without the consent of the
user, a penalty of 1,000 euros (one thousand euros).
Being the total sanction of 14,000 euros (fourteen thousand euros).
SECOND: NOTIFY this resolution to the OFFICIAL ASSOCIATION OF
ARCHITECTS OF GRANADA.
THIRD: Warn the penalized party that the sanction imposed must make it effective
once this resolution is enforceable, in accordance with the provisions of Article
Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, within the voluntary payment period indicated in the
Article 68 of the General Collection Regulations, approved by Royal Decree
939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by depositing it in the restricted account No. ES00 0000 0000 0000
0000 0000, opened in the name of the Spanish Data Protection Agency in the
Banco CAIXABANK, S.A. or otherwise, it will proceed to its collection in
executive period.
Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 60/60
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative procedure (article 48.6 of the
LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations, interested parties may optionally file
appeal for reversal before the Director of the Spanish Agency for Data Protection
within a month from the day following notification of this
resolution or directly contentious-administrative appeal before the Chamber of
contentious-administrative of the National Court, in accordance with the provisions of the
article 25 and in section 5 of the fourth additional provision of Law 29/1998, of
July 13, regulating the Contentious-administrative Jurisdiction, within the period of
two months from the day following the notification of this act, according to what
provided for in article 46.1 of the aforementioned legal text.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015,
of October 1, of the Common Administrative Procedure of the Administrations
Public, the firm resolution may be temporarily suspended in administrative proceedings if
The interested party declares his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.
Mar Spain Marti
Director of the Spanish Data Protection Agency.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
