AEPD (Spain) - EXP202202960: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 65: | Line 65: | ||
}} | }} | ||
The DPA fined a controller that was processing employees’ fingerprint data € 360,000 because it failed to disclose processing and storage information to data subjects, lacked security measures ensuring the data’s confidentiality | The DPA fined a controller that was processing employees’ fingerprint data € 360,000 because it failed to disclose processing and storage information to data subjects, lacked security measures ensuring the data’s confidentiality and failed to carry out a data protection impact assessment. | ||
== English Summary == | == English Summary == |
Revision as of 12:02, 3 April 2024
AEPD - EXP202202960 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR Article 32 GDPR Article 35 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 22.02.2024 |
Decided: | 12.02.2024 |
Published: | |
Fine: | 360,000 EUR |
Parties: | CTC Externalización, S.L. |
National Case Number/Name: | EXP202202960 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA fined a controller that was processing employees’ fingerprint data € 360,000 because it failed to disclose processing and storage information to data subjects, lacked security measures ensuring the data’s confidentiality and failed to carry out a data protection impact assessment.
English Summary
Facts
On 14 February 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against their employer, CTC Externalización, S.L. (the controller), which collected fingerprint data from employees to implement a sign-in system.
In its defense brief, the controller stated that the fingerprint scanner was an authentication system, not an identification system. As such, it claimed that fingerprints were not stored; instead, the fingerprint reader generated a numeric identifier that matched the fingerprint. The numeric identifier, not the fingerprint, was then stored in an encrypted system that compared the generated numeric identifiers. The fingerprint was allegedly erased immediately. As result, the controller claimed that it was impossible to reproduce the fingerprint from the numeric identifier. The controller also noted that it provided a disclosure in the employee portal concerning the data processing.
Holding
The AEPD concluded that the controller violated Articles 13, 32, and 35 GDPR and imposed a fine of € 360,000.
First, the AEPD noted that the processing disclosure made available in the employee portal violated Article 13(2)(d) and (e) GDPR because it was inaccurate, overly general and insufficiently informative. The clause concerning processing only mentioned that a fingerprint sign-in system was being implemented; it provided no information about the collection, processing or storage of fingerprint data. The clause referred generally to a number of processing activities and purposes and invoked contract as a legal basis for all of them. In assessing the disclosure's adequacy, the AEPD took note of the controller's amendments to the disclosure. The controller’s updates referred specifically to the fingerprint processing and cited legal obligations under national law as the legal basis for this processing. They also articulated a different data retention period, further indicating the inaccuracy of the original disclosure. Finally, at no point did the controller’s disclosure inform data subjects about their right to file a complaint with the AEPD, violating Article 13(2)(d) GDPR.
Second, the AEPD found that the controller violated Article 32 GDPR because it lacked sufficient security measures to ensure the erasure and integrity of the fingerprint data. In particular, the controller failed to demonstrate how fingerprint data could be erased after each scan and did not demonstrate the existence of any technical measures to protect processed personal data. Additionally, while the fingerprint data and numeric identifiers were kept in separate tables, the controller could not demonstrate measures to ensure the storage locations were kept sufficiently separate.
Finally, the AEPD concluded that the controller violated Article 35 GDPR because it failed to conduct data protection impact assessments for the fingerprint data, which is a special category of data under Article 9(1) GDPR. In addition to posing high risks for data subjects, the AEPD’s published list of processing requiring a data protection impact assessment expressly includes biometric data.
In sanctioning the controller € 360,000, the AEPD considered the high sensitivity of biometric data and took into account the duration of the infraction period of over two years.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/51 File No.: EXP202202960 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND................................................. .................................................. .......2 FIRST:................................................ .................................................. ...............2 SECOND:................................................ .................................................. ..............3 THIRD:................................................ .................................................. ...............6 ROOM:................................................ .................................................. .................6 BACKGROUND................................................. .................................................. 6 RESULT OF THE RESEARCH ACTIONS..............................................7 FIFTH:................................................ .................................................. ................fifteen SIXTH:................................................ .................................................. ..................fifteen SEVENTH:................................................ .................................................. ..............16 EIGHTH:................................................ .................................................. ................16 PROVEN FACTS................................................ ................................................18 FIRST................................................. .................................................. .............18 SECOND................................................. .................................................. ............18 THIRD................................................. .................................................. .............18 ROOM................................................. .................................................. .................18 FIFTH................................................. .................................................. ................19 SIXTH................................................. .................................................. ...................19 SEVENTH................................................. .................................................. ..............19 EIGHTH................................................. .................................................. ................19 NINETH................................................. .................................................. ...............twenty TENTH................................................. .................................................. ................twenty ELEVENTH................................................. .................................................twenty LEGAL FUNDAMENTALS................................................. ..................................twenty-one I Competition................................................ .................................................. ........twenty-one II Previous questions................................................ .................................................twenty-one C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/51 III Response to allegations regarding non-compliance with article 13 GDPR .................................................. .................................................. ............................22 IV Response to allegations regarding non-compliance with article 32 GDPR .................................................. .................................................. ............................25 V Response to allegations regarding non-compliance with article 35 GDPR27 VI Unfulfilled information obligation. Article 13 GDPR...................................29 VII Lack of information. Article 13 GDPR Typification and qualification of the infringement .................................................. .................................................. ............................32 VIII Lack of information. Article 13 GDPR. Sanction...............................................33 IX Lack of security measures. Article 32 GDPR. Unfulfilled obligation.........33 X Typification and qualification for the purposes of the prescription of the violation of the article 32 of the GDPR................................................ ...................................................36 XI Lack of security measures article 32 RGPD................................................. ......37 XII Impact assessment relating to data protection. Article 35 GDPR Unfulfilled obligation................................................ ................................................38 XIII Classification of the violation of article 35 RGPD................................................. .....46 XIV Lack of impact assessment article 35 RGPD................................................. ...47 XV Adoption of measures................................................ ............................................47 RESOLVES:................................................ .................................................. .................48 BACKGROUND FIRST: A.A.A. (hereinafter, the claiming party) on February 14, 2022 filed claim before the Spanish Data Protection Agency. The claim is directs against CTC EXTERNALIZACIÓN, S.L. with NIF B60924131 (hereinafter, the claimed party). The reasons on which the claim is based are the following: It is claimed that the entity CTC EXTERNALIZACIÓN, S.L. data has been requested biometrics, specifically the fingerprint, to employees for the purpose of implement a signing system based on that data. It is stated that at the time of taking the biometric data it was not communicated that the information was in the employee portal, located in the most hidden part of the application to which not all workers who work They use the new signing system. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/51 Along with the claim, a printout of emails exchanged is provided. between the complaining party and the defendant SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, of Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party so that proceed to its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on 03/14/2022 as stated in the acknowledgment of receipt that appears in the file. On 03/22/2022, this Agency received a written response indicating basically the following: 1. This is a verification/authentication system (one to one), not Identification (one to many). 2. Fingerprint is not stored. The reader generates an identifier numeric which is the one that matches the fingerprint. The identifiers and not the fingerprint. An encryption system is used for storage. It is impossible to reproduce the fingerprint from the numeric identifier. 3. The system does not compare fingerprints, it compares the code that is generated in the reading with the code that is stored. 4. The system matches a number with a numerical identifier that has been created through a hash. 5. No more data is requested or processed than is strictly necessary to the purpose of this treatment. 6. The data cannot be reused for other purposes and is deleted when they are no longer needed. 7. The data processed are name, surname, employee code and fingerprint initial fingerprint that is transformed into an identification code. The fingerprint as such is eliminated. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/51 8. They store only one biometric template that is registered in a repository central for distribution to the rest of the biometric devices. 9. The central repository is located on a non-accessible internal server publicly and with access restricted exclusively to the administrator of the system. 10. You have been informed about the processing of personal data, specifically: the identity of the Data Controller, the basis of legitimation, purposes of the treatment, contact of the delegate of data protection, rights and procedure to exercise them, which are not They carry out data transfers and the expected retention period. Besides, the Information is provided through the Employee Portal to which they have access to all Employees. The protection clauses are delivered company data with job registrations. and sent in October 2021 a email to employees informing them of the update of the data protection policies and their publication on the Portal of the Employee. The fingerprint access system was activated at the end of December 2021. 11. They have data protection by design: a supplier with software that offers all guarantees in compliance of data protection regulations, with which a contract as Data Processor. 12. There are no international data transfers. The location is in the EEA. 13. The impact evaluation carried out is provided, where among others questions: It is clear that the principle of data minimization is fulfilled because “The The purpose that is intended to be covered requires all the data to be collected and for all affected persons/stakeholders (principle of minimization of data).". There is no justification for how this principle is fulfilled. It is clear that the question that “The data collected will be used exclusively for the declared purpose and will not for any other not informed or incompatible with the legitimacy of its use (principle of limitation of purpose)”. There is no justification for How is this principle fulfilled? It appears in the Result section that “After analyzing the need and proportionality of this treatment, the risk analysis carried out and the Residual risk assessment after the application of the corresponding C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/51 security measures, the result of this Evaluation study of data protection impact EIPD is: ACCEPTABLE.” 14. An information sign has been installed next to the signing apparatus about the processing of data with the purpose that it is perfectly visible by all workers. The information has also been expanded data protection relating to the use of the fingerprint for control of the working day and has been communicated to employees, through the Portal of the employee. 15. Due to this claim, an email has been sent to all employees the information clause. 16. They have implemented the following measures to prevent the occurrence of Similar incidents: - Information poster next to the transfer apparatus about the data treatment. Provide a copy of the information poster containing information about the responsible, purpose, legitimacy, recipients, rights and place where to locate additional information (Employee Portal). A screenshot of the Employee Portal is provided where there is a link to the informative clause, but there is no date of publication, nor url of the Employee Portal. - Expansion of data protection information related to the use of the fingerprint to control the working day and communication to employees, through the Employee Portal. - Sending an email to employees with the updated data protection information regarding the use of the fingerprint to control the working day and as a channel for all the doubts or clarifications you need. - The receipt of new messages will be monitored clauses published by all employees. 1. The Record of fingerprint processing activities is provided in which states that the fingerprint is used as a security system verification/authentication, not identification. 2. They have ruled out other systems, e.g. card signing because after the experience with it, conflictive situations arose. It's about a service in which there is a high staff turnover. When used the card system for signing, sometimes it was transferred to others people who were not the owners of the same, present in the area C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/51 of personal work unrelated to it with all the risks that it entails job security. The use of the fingerprint is the system that allows you to avoid these criminal situations and guarantees the correct compliance with labor regulations and prevent unauthorized access. THIRD: On May 14, 2022, in accordance with article 65 of the LOPDGDD, admitted for processing the claim presented by the complaining party. ROOM: The General Subdirectorate of Data Inspection proceeded to carry out prior investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: BACKGROUND Along with the claim, the complaining party provides the following emails: - Copy of email sent by soliobrera.secciontourline@gmail.com to ***USUARIO.1@grupoctc.com and to ***USUARIO.2@grupoctc.com with date 01/31/2022 with the text: “Last Friday when I got ready to sign out of my work day (method implemented from the beginning for registration and entry-exit control of workers in the Madrid-Coslada workplace), they inform me that they are leaving start clocking in with fingerprint access control and They have to take my samples, to which I ask what else are they going to give me? information and some document in which you consent to the treatment of this type of data and they tell me (to my surprise) that there is no[…]” - Provide a copy of the email sent by ***USUARIO.1@grupoctc.com dated 02/02/2022 with the text: “First of all, you were not properly informed when you asked in the service if there was information about the processing of the data, then yes, We have this information. Specifically, it is found on the portal of the CTC employee, portal to which you have access since you joined the company. On the other hand, and taking into account article 9 on the Legality of the treatment, it is not Express consent is necessary because the treatment is necessary for the compliance with obligations on the part of the businessman, as well as for the compliance with the exercise of the rights of the data controller. It is true that article 13 establishes a duty of information, and this duty is complies perfectly as the information is posted on the portal of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/51 Employee (in the data protection policy). There you will see all the information regarding the person responsible for the treatment, purposes of data collection, recipients, conservation of data and the procedure for the exercise of rights. Secondly, you comment that article 64.5.f) authorizes you to issue a previous report. In this case, I regret to inform you that point 5 of the mentioned article, is related to work control (in a sense of content). In fact, the literal of the article stipulates the following: "the implementation and review of work organization and control systems, time studies, establishment of bonuses and incentives and valuation of jobs". In this case, it is a signing system through fingerprint, and the legality of this treatment is protected, not only by the article 6 GDPR 2016/679 EU, but also for compliance with a legal obligation such as time registration, regulated in article 34.9 of the Status of workers. For greater peace of mind, tell you that the fingerprint, in this case, does not acquires the category of special data because it is used only for authenticate that the person is who they say they are. Additionally, the fingerprint, but only a series of points that, via algorithm, provides a unique signature for that print. That is, by itself it does not represent the fingerprint, and is stored in a centralized system with restricted access. Regarding the reason for this signing system, it is the one that is being implementing in most CTC services, including central offices. Finally, and if after this explanation you still consider it necessary, We will send the results of the impact evaluation study (EIPD) that you asked us. […]” During the proceedings, the following entity was investigated: CTC EXTERNALIZACIÓN, S.L. with NIF B60924131 with address in PLAZA EUROPA, 30 32. - 08902 L'HOSPITALET DE LLOBREGAT (BARCELONA) (in forward CTC) RESULT OF THE RESEARCH ACTIONS General issues: 1. That in the event that the employee declines the use of his or her fingerprint for the registration process, marking or the print is insufficiently good, the marking can be carried out via RFID card. 2. That the fingerprint processing began on 12/29/2021 and ends when the employment relationship with the employee ends. In that case, the fingerprint hash is eliminated. 3. That there are 208 fingerprint readers installed in 117 work centers, all in Spain. Regarding the data protection information provided: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/51 4. They provide screenshots showing that the document with name “POL RGPD CTC EXTER_2021.pdf” was published on 10/28/2021 associated with a “cluster_id” = 66 which, according to them, refers to the employees to whom the document is published. 5. They provide a screenshot of their systems where “cluster_id” = 66 appears associated with the field “description”=”CTC company employees”. 6. Provide a copy of the email sent to ctc@grupoctc.com on 10/28/2021 with subject “Updating CTC data protection policies OUTSOURCING S.L.U.” where it consists: “[…] Through this communication we want to inform that CTC EXTERNALIZACIÓN S.L.U., in its obligation to comply with regulations, has proceeded to update its data protection policies regarding the processing of personal data. They can access through the Employee Portal, upon publication of the new policies: POL/RGPD CTC EXTER_2021: Employee data protection clause You must carefully read these clauses and click on your acceptance. in case If you have any questions, you can contact the Department of Protection of Data, via email: dpo@grupoctc.com […]” 7. The informative clause referred to above is provided where it appears as Date: 03/02/2018, Update date: 10/26/2021 and the code “POL/RGPD CTC EXTER_2021”. Likewise, there is information about: to. The legal framework b. The person responsible for the treatment c. Legitimation, this being the contractual employment relationship. d. Purposes of the treatment, these being to manage the employment relationship with employees, administrative accounting management, payroll preparation, prevention of occupational risks, training. It is reported that it is installed a fingerprint reader for office access. and. Recipients, which include: “The data will be communicated to public administrations (Social Security and Tax Agency) in compliance with labor regulations, labor mutual funds, to the labor consultancy company, to training companies and to entities banking for direct debit and payroll payment. Also between Group companies, to Client companies to which we lend our services, as well as to Suppliers who act as managers of the treatment and with whom treatment contracts have been duly signed. Data Protection. In the case of subcontracting, the worker authorizes the transfer of the data included in the TC's, to all those companies that are necessary to carry out subcontracting. If the Employee's task involves driving vehicles, the rights will be transferred. Employee data to the vehicle rental company, as well as to the Administration in the case of a fine for a traffic violation.” F. Employee's duty of confidentiality. g. Conservation of data, which includes: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/51 “The data provided will be kept for the duration of the relationship. contractual and during the years necessary to comply with the obligations legal. Please remember that the use of the email account provided by the company, is strictly and limited for professional purposes and not for personal topics. The Employee agrees to use email and the Internet only for professional issues of a labor nature, expressly recognizing that the email account is the company's domain. It is also reported that the company, in the case of termination of employment, will have access to corporate email and equipment used by the Former Employee.” h. Rights. This document “POL/RGPD CTC EXTER_2021” contains exclusively the following specific reference to fingerprint processing: “[…] A fingerprint reader is installed for office access. […]” 8. Screenshots of their systems are provided showing that the claimant has accessed (…)” on dates between 08/23/2021 and 12/16/2021. Consists Likewise, the claimant has executed the “sign” action with respect to the object “POL06 2018 DATA PROTECTION CLAUSE” on 08/23/2021 10:20. Consists Likewise, there is an “agreement_date” related to the claimant and the document “POL06_2018_CLAUSULA.pdf” on 08/23/2021 10:20:16. It is clear that The last “agreement_date” associated with the claimant was 08/23/2021. 9. A screenshot of the employee portal is provided where the “Informative clause on the use of fingerprints to control the working day” and “Clause Employee data protection”. Which consists of a button to the right of each document with the text “Received” that, by clicking on it, marks the document as “Received”. 10. That after receiving the transfer of the claim from the AEPD they published the most detailed clause “Informative clause on the use of fingerprints to control the working day”, which was sent by email. Provide email sent on 03/22/2022 with this information clause. This informative clause contains specific information on the treatment of fingerprint with the sections of person responsible, legitimation, purpose, recipients, conservation period, rights and security measures. What is included in this information provided “This is an authentication/verification system, not a ID." In relation to the technical characteristics of the system and the contracts: 11. Using a single Windows Server 2016 server as a virtual machine managed by CTC. (…). That the server is located in Spain. Provide a copy of the order contract signed and dated 01/27/2023 between CTC and ***COMPANY.1) this being the person in charge of the treatment. This contract includes C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/51 that CTC has contracted with ***EMPRESA.1 for the implementation and maintenance of the access control system and control of working hours through fingerprint. There is also another contract dated 09/29/2020 and signed between CTC and ***COMPANY.1 as a provider of control, access and presence software (...). Provide contract with the hosting provider ***COMPANY.2. where the date is 11/27/2019. The object of the contract is not stated nor is the complete contract provided. It appears in section “12 Personal data” in subsection “5) Data processing responsibility of the Client, ***COMPANY.2 as in charge of the treatment” that: “5) Data processing responsibility of the Client. ***COMPANY.2 as treatment manager Only in the event that ***COMPANY.2 had access to data from personal nature responsibility of the Client, and the provision of services contracted involves processing personal data on behalf of a responsible for the treatment, whether it is the Client or a third party that contracts the services of the Client directly or indirectly, ***COMPANY.2 will be considered, "in charge of the treatment" committing to comply with the obligations that correspond to it based on the nature and scope of the contracted services and by virtue of what is established in the regulations in force in matter of data protection, national or supranational. […]” 12. That fingerprint readers are (…). Provide a document of technical specifications of the reader where it states that supports (…). 13. That the fingerprint reader is a device that is located in an accessible area and passage in which employees record the different markings throughout the workday. To do this they can use their fingerprint and the system calculates the hash that will be compared with the one registered at the time of activation in the system (record of the initial hash of the fingerprint and association to the employee). 14. That the system is configured to perform a 1:N fingerprint comparison. That (…) calculates the template and compares it with the ones stored. Yes There is correspondence with some stored pattern, the reading is considered good. Provides a diagram showing that after detecting the finger on the sensor and calculating the pattern, there is the “Compare with stored patterns” process. 15. That the template is generated in the biometric module so the image of the fingerprint is not stored or propagated to other systems. That at no time saves the employee's fingerprint. That the response obtained by the module is the template. That the biometric template is according to (…). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/51 16. That the template is registered in the database. That a signal is sent to propagate the template only to the devices where the employee works labor. 17. That in relation to how it is guaranteed that the fingerprint captured is erased when finish the recruitment process, states the following: “In no case is the fingerprint image saved since it is not obtained, The response obtained by the module is the template. All these procedures and criteria are based on the specific standard (...).” The standard is not provided (...). 18. That in response to the requested information on the detailed description step by step of the complete process followed by an employee to access your center of work and clock the start of the work day using the reading devices of fingerprint and, where appropriate, without using them, CTC states: “The fingerprint reader is a device that is located in an accessible and safe area. step in which employees record the different markings throughout the working day, for this they can use their fingerprint and the system calculates the hash that will be compared with the one registered at the time of its activation in the system (record of the initial hash of the fingerprint and association to the employee). A Once the system recognizes the hash, the marking type option is presented, e.g.: entry, exit or pause, the markings are synchronized with the central server through a private network. No further information is collected. The employee may need other ways to use the device (e.g. reading insufficiently good fingerprint) or decline the use of your fingerprint for the marking process, in both cases you can do it using an RFID card.” Regarding the content of the database: 19. Provides extraction of its database where, for 100 records, the data (…). It is verified that the “code” is made up of numbers and letters. (…). In The extraction of this data shows that the hash of the fingerprint is in a table different from the table where the employee identification data is found. However, it has not been possible to verify the possible security measures that They could be implemented to separate access to both tables. 20. Provides a screenshot of your systems showing a total of ***QUANTITY.1 employee fingerprints stored. 21. Provide an extract from the database with all unsubscribed users of the system with ***QUANTITY.2 as well as another extract with the dates of deletion of each footprint with ***QUANTITY.3. It is verified that the employee discharge table has the ID field extracted from the user.id field and the fingerprint deletion table has the USER_ID field. HE checks that by searching for matches by the ID and USER_ID fields, to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/51 ***QUANTITY.4 employees, the leave date coincides exactly with the date of fingerprint erasure. It is also verified that there are fingerprint deletions prior to the date 12/29/2021. In total there are ***QUANTITY.5 fingerprint erasures prior to 12/29/2021: Finally, it is verified that the first deletion of the fingerprint occurs on the date 03/25/2020 22. That in relation to the erasure of fingerprints, it states that biometric templates are completely removed from the system in an automatic synchronization process of employees (4 times a day). Since it is an automatic process, it is guaranteed that the objective of data elimination is met. In relation to the impact evaluation: 23. That justify compliance with data minimization, as well as the analysis of necessity and proportionality and the process followed to ensure that the Data collected is not used for any other purpose, stating the following: “We justify the application of the principle of minimization, in the sense that in each of the operations that constitute the treatment, data and operations are the minimum and necessary to address the purposes of the treatment. To make signing queries, it is necessary to have the hash of the fingerprint associated with the code and in relation to the name and surname of the Employee, otherwise there is no way to know who the workday. On the other hand, and in relation to the purpose of access control associated with occupational risk prevention issues, in the case of a emergency (e.g. fire, ...) it is necessary to know which people are within the facility. Regarding the weighting of the proportionality of the treatment, taking into account the following criteria: Suitability judgment: to achieve the objective of access control and working day, the system, through the fingerprint hash, has result that is appropriate for the purpose pursued. The effectiveness threshold that should be achieved to fulfill the purposes of the treatment, it must be practically 100%, it is about compliance with a legal obligation and ensure safety in the workplace. The effectiveness of this system, We consider that it helps us reach this threshold. Judgment of necessity: The correct control of the working day, as well as the access control to the service, is relevant and to achieve the purpose pursued, this system offers us greater reliability compared to others. HE They had used other systems, e.g. card signing, but after the experience with it, did not provide us with sufficient effectiveness for the pursued objective. Using the card system for signing in, We experienced that, on certain occasions, the card was transferred to another person who was not the owner of the same, with all the risks that they entail for job security and the inaccuracy of working hours registration. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/51 We consider that there is no alternative treatment that is equally effective for achieving the intended purpose, aiming to facilitate as much as possible the use of the system by the employee, veracity of the records and job security Judgment of proportionality in the strict sense: When we carry out the assessment initial implementation of this system, we consider that the severity of the risk for the rights and freedoms of employees and interference with their Privacy was zero. Employee fingerprints are not stored They cannot be reproduced from the hashes either. On the other hand, considering the social benefit for the Employees, We appreciated that it was more positive and comfortable for them, avoiding situations e.g. when the card is lost, or forgotten in the vehicle..., producing delays in signings that hurt the most is the players themselves interested. Regarding Expiration: the treatment disappears at the moment it is suspends the employment relationship with the Employee. The hashes are removed. Regarding use for other purposes: The only function that the system allows with the use of the fingerprint is the registration of marking and/or access to the center, not enables no other access to employee data, nor is it used as part of identification for other systems or functionalities.” In relation to access to readers, application server and database server data and security in general: 24. That the readers cannot be accessed directly but through the application or accessing the web embedded in the device, with only one administration credentials. That the readers cannot be accessed from any another point on the network other than from the server, since they have implemented network restrictions. 25. That the application server is isolated from the domain. that only has 3 access users; “CLI.gruntc”, “CLI.***COMPANY.1”, “PRV.gruntc”. Provides access logs to said server showing successful authentication exclusively two of those users. 26. Provides access logs to the database server where they state that “Account Name” users for whom no data has been provided, such as “DWM- 12”, “SRVINTEMO$” or “-“. 27. Provides access logs to the application that controls the system as well as the users with access permissions to this application and deleted users. In these The lists contain access to the application of the users “CTT”, “CTT Valencia”, “Gestamp”, “...”, “Makro” which do not appear in the list of users with permission of access to the application nor do they appear in the list of deleted users. 28. Provides documents on Procedures for accessing servers and applications, as well as Procedure for registering and deleting system users. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/51 29. That in response to the request for justification of why it cannot dispense with the direct association between the fingerprint hash and the name and surnames, state: “The fingerprint hash is related to an employee code that could be sufficient to complete the day record, but clearly insufficient to be able to track markings in real time by those responsible for the center. Likewise, it would not allow control over the location of people (inside-outside) for risk prevention purposes labor. It should be noted that the device module, when comparing the hash in time Really, what is returned is the code. And it is from this, where all the functionalities, the hash does not intervene in any way in the process." 30. That in response to him proving how he prevents fingerprint data from being reused for other purposes or by other responsible parties, states: “Biometric devices are inventoried with their data corresponding to installation, location, as well as its status. Devices removed by closure are recovered, contents deleted and stored for later use. Biometric data have no meaning in the installation, they do not provide interpretable or relevant information. The use of biometric data also is totally ruled out in any other use, its use as identification It does not provide us with value beyond collecting the markings in an agile way, easy for the employee and that allows fraudulent marking to be avoided. The hardware It is dedicated and cannot be used for a different use than that intended by the manufacturer. design." CONCLUSIONS OF THE REPORT OF PREVIOUS ACTIONS OF INVESTIGATION 1. There are clear indications that the user accessed a URL that could be that of the employee portal, but there is no such evidence. It is clear that the claimant accepted the data protection information document, but did so at an earlier date to the last update of the information document. In this latest update of the document contains specific information regarding fingerprint treatment, although only making mention of said treatment with a phrase. 2. There is an email sent in October 2021 to the organization with the update of the data protection information document. 3. There is another email sent, although already in March 2022, with more information specific to fingerprint treatment. 4. In relation to the operation of the system, it works with a comparison of 1:N fingerprints, however in the data protection information provided It is clear that this is an authentication system, not an identification system. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/51 5. In relation to the deletion of fingerprints, there are hashes of deleted fingerprints with a date prior to the first sending of information on data protection with information from the treatment of fingerprints and also prior to the date on which they state that treatment began. 6. In relation to system security: to. The identifying data of the employee and his fingerprint hash. CTC has not been required to justification of the security measures implemented to prevent a eventual unwanted association of this data, although it has been required justification of why they need the direct association between the data identifications and the fingerprint hash whose answer seems insufficient. b. The information provided by CTC confirms the access of some users who do not appear in the lists of users with access privileges provided, both to the application and to the database server. c. CTC has not proven how the erasure of the fingerprint is guaranteed after his capture. FIFTH: On May 12, 2023, the Director of the Spanish Agency for the Protection of Data agreed to initiate sanctioning proceedings against the claimed party, for the alleged violation of Article 35 of the GDPR, Article 32 of the GDPR and Article 13 of the GDPR, typified in Articles 83.5 of the RGPD and Article 83.4 of the RGPD. SIXTH: Notified of the aforementioned initiation agreement in accordance with the rules established in the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), the claimed party presented a written of allegations in which, in summary, he states the following: In relation to the imputation of article 13 of the RGPD for the lack of information to the workers in relation to the implementation of a signing system through the processing of biometric data, the claimed party is limited to reaffirming arguments already exposed in the phase of previous investigation actions: (having corrected the informative clause; the complaining party would have accessed the information content of the clause; the adoption of additional and subsequent information measures; and the existence of alternative systems to fingerprints for signing in In relation to the violation of article 32, he alleges that the fingerprint is not stored na. What the system does is convert the fingerprint into a numerical identifier; and that already it would have been proven that users who should not access the data were contraban unsubscribed, without being able to access the application. Finally, nothing was alleged in relation to non-compliance with article 35 of the GDPR, regarding the absence of a true impact evaluation. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/51 SEVENTH: On November 2, 2023, a resolution proposal was formulated, proposing “FIRST That by the Director of the Spanish Data Protection Agency CTC EXTERNALIZACIÓN, S.L. is sanctioned, with NIF B60924131, - For a violation of Article 13 of the RGPD, typified in Article 83.5 of the RGPD, with a fine of €200,000 (TWO HUNDRED THOUSAND EUROS). - For a violation of article 32 of the RGPD, typified in Article 83.4 of the RGPD with a fine of €100,000 (ONE HUNDRED THOUSAND EUROS). - For a violation of article 35 of the RGPD, typified in Article 83.4 of the RGPD, with a fine of €100,000.00 (ONE HUNDRED THOUSAND EUROS) SECOND That by the Director of the Spanish Data Protection Agency is ordered to CTC EXTERNALIZACIÓN, S.L., with NIF B60924131, which by virtue of article 58.2.d) of the RGPD, within a period of 6 months, prove that you have proceeded to compliance with the following measures: - Inform all workers appropriately, including all the extremes that have not been included until now, as detailed in the legal foundations of this proposal - Establish the necessary security measures to prevent access by personnel not expressly authorized, as well as to guarantee the erasure of the trace after his capture. Also to separate access to the tables that They contain the hash of the fingerprints and the identification data of the workers. - Prepare a data protection impact assessment that contains all the extremes provided for in article 35 of the RGPD, in particular taking take into account the defects pointed out in this proposal. “ EIGHTH: Notified of the aforementioned proposed resolution in accordance with the rules established in the Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), the claimed party presented a written of allegations in which, in summary, he states the following: In relation to the imputation of article 13 GDPR: in this regard, the defendant limits itself to reiterating allegations already presented in the initial agreement: - Reiterates that CTC made corrections to the initial version of the clause data protection (date October 2021) for adequate information to users. workers. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/51 - If any damage has been caused, the right of possible affected would have been fully guaranteed by the application of the subsequent informative measures adopted by CTC - Information on the processing of personal data related to the fingerprint fingerprint of CTC employees would have been available in advance to the start-up, which occurred in December 2021. - CTC established an information sign next to the signing devices and He also sent an informative email. - In any case there would not have been a total lack of information, but rather aspects that would need clarification In relation to the imputation of article 32 GDPR: - It also reiterates what was already alleged in the investigation phase, about having identified ced to the companies involved in the establishment of the system and have provided documents on the technology used - Indicates that at the time a responsible declaration of the company was provided. sa INTEMO proving the fact that the fingerprint is not stored - As a novelty with respect to previous allegations, CTC provided a report bre user records in the system. - Access to the system, it states, would only be carried out by “technical users with purpose of controlling” the system In relation to the imputation of article 35 GDPR - CTC reproduces what it considers to be the reproach made against him in the file directs, that it would only be, in his opinion, that the evaluation document of impact provided by the claimant would not constitute an “impact assessment” under the terms of the RGPD, as it suffers from substantial defects such as not determining undermine the purpose of the treatment or do not contain a judgment about the need ity and proportionality of the system. - Invokes various precedents of resolutions of this AEPD: o E/00793/2016: the defendant interprets this resolution in the sense of that, if the workers have been informed about the implementation of the system issue, the AEPD would not evaluate its suitability. o E/10900/2019: according to this resolution, the biometric access system This process can be implemented if there is a legal basis, even without consent. your workers or E/03925/2020. The AEPD, in the opinion of the defendant, would be accepting not a “similar” case in which there would be no Impact Assessment. - In relation to the principle of proportionality, he alleges that in the file previous PS/00050/2021 a fine of €20,000 was imposed for the violation of lack of impact evaluation, while in this case it would be sanctioning €100,000. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/51 Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS FIRST. A.A.A. (hereinafter, the claiming party) on February 14, 2022 presented claim before the Spanish Data Protection Agency. The claim is directed ge against CTC EXTERNALIZACIÓN, S.L. with NIF B60924131. The reasons why basis of the claim are the following: It is claimed that the entity CTC EXTERNALIZACIÓN, S.L. data has been requested biometrics, the fingerprint, to employees with the purpose of implementing a system transfer based on that data. It is stated that at the time of taking the biometric data it was not communicated that the information was in the employee portal, located in the most hidden part of the application to which not all workers who work They use the new signing system. SECOND. An email was sent to ctc@grupoctc.com on 10/28/2021 with subject “Updating data protection policies CTC EXTERNALIZACIÓN S.L.U.” where it consists: “[…] Through this communication we want to inform that CTC EXTERNALIZACIÓN S.L.U., in its obligation to comply with regulations, has proceeded to update its data protection policies regarding the processing of personal data. They can access through the Employee Portal, upon publication of the new policies: POL/RGPD CTC EXTER_2021: Employee data protection clause You must carefully read these clauses and click on your acceptance. in case If you have any questions, you can contact the Department of Protection of Data, via email: dpo@grupoctc.com […]” THIRD. On behalf of CTC, an informative clause is provided where the Date appears: 03/02/2018, Update date: 10/26/2021 and the code “POL/RGPD CTC EXTER_2021”. This document contains exclusively the following specific reference: cific to fingerprint processing: “[…] A fingerprint reader is installed for office access. […]” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/51 ROOM. There are screenshots of the CTC systems showing that the claimant has accessed an application encoded as “com.ctc.portal[…]” on dates between 08/23/2021 and 12/16/2021. It is also clear that the claimant has carried out the action tion “sign” regarding the object “POL06 2018 DATA PROTECTION CLAUSE” in date 08/23/2021 10:20. It is also known that there is a related “agreement_date” with the claimant and the document “POL06_2018_CLAUSULA.pdf” on date 08/23/2021 10:20:16. It is known that the last “agreement_date” associated with the claimant It was on 08/23/2021. FIFTH. After receiving the transfer of the claim from the AEPD, CTC published a clause more detailed information clause “Information clause for fingerprint use to control the working day”, which was sent by email. Provide email sent on 03/22/2022 with this information clause. This informative clause contains specific information on the treatment of fingerprint with the sections of person responsible, legitimation, purpose, recipients, conservation period, rights and security measures. What is included in this information information provided “This is an identity authentication/verification system. tification.” SIXTH. The fingerprint reader is a device that is located in an accessible area and passes through. which employees record the different markings throughout the work day. To do this, they can use their fingerprint and the system calculates the hash that is compared. will be equal to the one registered at the time of its activation in the system (hash registration initial fingerprint and association to the employee). The system is configured to perform a 1:N fingerprint comparison. It has the CBM biometric module that calculates the template and compares it with the ones it has stored. dined. If there is a correspondence with a stored pattern, consider good reading. SEVENTH. The claimed party provides extraction of its database where, for 100 records, name data, surname, user ID, code, registration date, registration date low, fingerprint hash. It is verified that the “code” is composed of numbers groupers and letter. It is verified that the letter complies with the rule (...). In the extraction of es- The data shows that the hash of the fingerprint is in a table different from the table where the employee identification data is located. However, it is not has been able to verify the possible security measures that could be implemented. das to separate access to both tables. EIGHTH. In CTC systems there are a total of ***QUANTITY.1 fingerprints of stored jobs. CTC provides an extract from the database with all users. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/51 rios deregistered from the system with ***QUANTITY.2 as well as another extract with the dates erase cards for each fingerprint with ***QUANTITY.3. It is verified that the employee discharge table has the ID field extracted from the po user.id and the fingerprint erasure table has the USER_ID field. It is checked than searching for matches by the ID and USER_ID fields, for ***QUANTITY.4 em- employees exactly match the date of withdrawal with the date of deletion of the fingerprint. It is also verified that there are fingerprint deletions prior to the date 12/29/2021. In total there are ***QUANTITY.5 fingerprint erasures prior to 12/29/2021. Finally, it is verified that the first erasure of the fingerprint occurs in the fe- cha 03/25/2020 NINETH. The readers cannot be accessed directly but through the application or accessing the web embedded in the device, with a single ad credentials. ministration. The readers cannot be accessed from any other point on the network other than from the server, since they have network restrictions implemented. TENTH. The application server is isolated from the domain, and only has 3 users access; “CLI.gruntc”, “CLI.***COMPANY.1”, “PRV.gruntc”.v CTC provides access logs to said server where only two of those users. ELEVENTH. The impact evaluation document provided by CTC contains the following: “We justify the application of the principle of minimization, in the sense that in each of the operations that constitute the treatment, data and operations are the minimum and necessary to address the purposes of the treatment. To make signing queries, it is necessary to have the hash of the fingerprint associated with the code and in relation to the name and surname of the Employee, otherwise there is no way to know who the workday. On the other hand, and in relation to the purpose of access control associated with occupational risk prevention issues, in the case of a emergency (e.g. fire, ...) it is necessary to know which people are within the facility. Regarding the weighting of the proportionality of the treatment, taking into account the following criteria: Suitability judgment: to achieve the objective of access control and working day, the system, through the fingerprint hash, has result that is appropriate for the purpose pursued. The effectiveness threshold that should be achieved to fulfill the purposes of the treatment, it must be practically 100%, it is about compliance with a legal obligation and ensure safety in the workplace. The effectiveness of this system, We consider that it helps us reach this threshold. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/51 Judgment of necessity: The correct control of the working day, as well as the access control to the service, is relevant and to achieve the purpose pursued, this system offers us greater reliability compared to others. HE They had used other systems, e.g. card signing, but after the experience with it, did not provide us with sufficient effectiveness for the pursued objective. Using the card system for signing in, We experienced that, on certain occasions, the card was transferred to another person who was not the owner of the same, with all the risks that they entail for job security and the inaccuracy of working hours registration. We consider that there is no alternative treatment that is equally effective for achieving the intended purpose, aiming to facilitate as much as possible the use of the system by the employee, veracity of the records and job security Judgment of proportionality in the strict sense: When we carry out the assessment initial implementation of this system, we consider that the severity of the risk for the rights and freedoms of employees and interference with their Privacy was zero. Employee fingerprints are not stored They cannot be reproduced from the hashes either. On the other hand, considering the social benefit for the Employees, We appreciated that it was more positive and comfortable for them, avoiding situations e.g. when the card is lost, or forgotten in the vehicle..., producing delays in signings that hurt the most is the players themselves interested. Regarding Expiration: the treatment disappears at the moment it is suspends the employment relationship with the Employee. The hashes are removed. Regarding use for other purposes: The only function that the system allows with the use of the fingerprint is the registration of marking and/or access to the center, not enables no other access to employee data, nor is it used as part of identification for other systems or functionalities.” FOUNDATIONS OF LAW I Competition In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/51 II Previous questions In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is the processing of personal data, since CTC EXTERNALIZATION, S.L. carries out this activity in its capacity as responsible for the treatment, given that it is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the RGPD: "Controller" or "responsible": the person physical or legal entity, public authority, service or other body that, alone or together with others, determine the purposes and means of the treatment; If the law of the Union or of the Member States determines. According to the data obtained in AXESOR, the business volume of the part claimed for the 2020 financial year was (…). Additionally, article 4.2 of the Regulation defines the “processing” of data personal as “any operation or set of operations carried out on personal data or sets of personal data, whether by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction” In this regard, it is worth referring to the distinction made by the interested party in his claims about the difference between “identification” and “authentication” in relation with the processing of biometric data. He states that a system would not be being used of “identification” (that is, one that would determine the identity of the subject based on fingerprint), but rather “authentication” (that is, one that verifies that the fingerprint is corresponds to the one previously provided). Two things must be meant in this regard. First of all, it is more than It is doubtful that the system used in this case is an “authentication” system. The installed fingerprint readers do not compare the subject's fingerprint with any document or support that he uses at the time of signing, but what does is compare said fingerprint, read at the time of signing, with the total fingerprints previously registered by the workers. With this, the comparison is 1:N. But, the most important thing is that since Guidelines 05/2022, of the CEPD, on Facial Recognition Technologies, it is made clear that both systems (identification and authentication) constitute a treatment of special categories of personal information. In effect, section 12 of the Guidelines establishes the following: (12) While both functions – authentication and identification – are distinct, they both relate to the processing of biometric data related to an identified or identifiable natural person and therefore constitute a processing of personal data, and more specifically a processing of special categories of personal data. (12) While both functions – authentication and identification – are different, Both refer to the processing of biometric data related to a identified or identifiable person, and thus constitute a processing of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/51 personal data, and more specifically the processing of special categories of personal data. (the translation is ours) From the above it follows that the regime provided for in the RGPD for the categories special personal data is applicable to this case. III Response to allegations regarding non-compliance with article 13 GDPR In response to the allegations presented by the entity claimed in both the agreement At the outset and in the proposed resolution the following should be noted: In relation to the imputation of article 13 of the RGPD for the lack of information to the workers in relation to the implementation of a signing system through the processing of biometric data, the claimed party reiterates arguments already presented in the phase of prior investigation actions: - The fact of having corrected the information clause for workers. To this In this regard, CTC expressly acknowledges having made the correction on the date after having received the claim through this Agency. - The complaining party would have accessed the informative content of the clause - The adoption of additional and subsequent information measures. Also, there located information posters next to the signing devices. - The existence of alternative systems to the fingerprint for the signing of employees, particularly through the use of an RFID card. In the case at hand, it has been proven that the claimed party did not correctly inform carefully about the treatment. The informative clause to which it refers and which had been included in the company's “employee portal” in October 2021. ce of important defects. These are also corroborated by the correction that was made the version of the information clause, without date, but prepared after the request information of this Agency and, as stated in the report of actions previous, sent to workers in March 2022: - It does not include which treatments are the subject of said information clause. Of In fact, the only specific reference to the treatment of the fingerprint comes from a very brief mention in section 3 “A fingerprint reader is installed. lar for access to offices.” It does not indicate if it is activated or if it collects the fingerprint and, Of course, it does not include fingerprint data among those that are subject to treatment. By contrast, the later clause (March 2022) contains a reference specific to the treatment of the “fingerprint to control the working day” In this regard, it is important to note that the information clause seems refer to a plurality of treatments, which are included in a single document written in a very concise manner. They are not related C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/51 treatments carried out, and for all of them a legitimizing basis applies, which It would be the execution of the contract. Furthermore, it states that the data processing personal is carried out for multiple purposes: o Manage the employment relationship with the company's employees. o Administrative accounting management of employee data. o Preparation of payrolls. o Prevention of occupational risks. o Training - In the first informative clause, joint information was made to what is assumed to have been multiple processing of personal data that lised the company. Well, for all of them the original document informed as a basis of legitimation simply the expression “Labor contractual relationship” boral”. However, in the later version, this has been corrected and, referring to specifically to the processing of the fingerprint, it is stated that the legitimation would come from “fulfillment of a legal obligation (article 34.9 of the Workers' Statute), referring to the control of the working day.” As can be seen, a totally different legitimizing basis. In fact, after consulting the Registry of Treatment Activities provided by the claimed party, in the treatment “Access control and working day by fingerprint”, in the field “Legitimation of security operations”. treatment” includes “compliance with a legal obligation (article 34.9 of the Status of workers)". For all these reasons, the duty to inform the parties was not complied with in this regard. workers in the initial information that was provided. In this regard, you must Remember that the aforementioned article 13.2.e) of the RGPD establishes that find out about “whether the communication of personal data is a legal requirement or contractual, or a necessary requirement to enter into a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data.” - In relation to the data retention period, in the initial version of The information clause stated “The data provided will be kept while the contractual relationship lasts and during the years necessary to fulfill comply with legal obligations.” Furthermore, as indicated above, ba, in relation to the multiple treatments that were carried out. However, The later version clarifies the conservation and blocking periods. queo, also specifying the total period in years “The data will be kept while the employment relationship lasts. The data regarding the working day is will remain blocked and pseudonymized for as long as required for compliance. legal ment (4 years.)” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/51 - Neither in the initial version of the clause nor in the later version is information about the right right to file a claim with the Control Authority (art. 13.2.d) of the GDPR). In relation to the alleged voluntary nature of the use of the signing system with fingerprint, remember that it is not the object of this file to elucidate whether whether or not workers were forced to use that system. With independence of the legitimacy regarding the processing of personal data or the possible obligation regarding its supply, was the obligation of the person responsible for the treatment comply with its information duties established in article 13 of the GDPR. For all these reasons, it cannot be considered that the claimed party has complied with its information obligations of article 13 of the GDPR. It is also striking that the text of the email sent by the company makes only a reference to the “updating of its data protection policies”, without any reference to the implementation of a fingerprint signing system (which will surely would have encouraged consultation of the information clause which, from what has been seen, was totally defective). IV Response to allegations regarding non-compliance with article 32 GDPR In relation to this violation, relating to the lack of security measures in the processing of biometric data, CTC alleges the following: Firstly, regarding the processing of the fingerprint data, it is stated that the image The fingerprint is not stored. What the system does is convert the fingerprint into a numerical identifier. In this way, when the worker clocks in, that identifier with the one previously assigned to said fingerprint. With this, the fingerprint does not could be reproduced from that numerical identifier. In this regard, it provides a certificate from the company IDEMIA IDENTITY & SECURITY FRANCE SAS stating that “there is no way to recover the templates in case of theft, since it is impossible recreate an image of a footprint from the typical points.” In relation to this allegation, it should be noted that the imputation of the violation of the Article 32 is not based on the factor alleged by the defendant, but on what is reflected in the initiation agreement, that is: “b. The information provided by CTC confirms the access of some users who do not appear in the lists of users with access privileges provided, both to the application and to the database server. c. CTC has not proven how the erasure of the fingerprint is guaranteed after its capture. d. As detailed in the report of previous investigation actions, in The extraction of the data shows that the hash of the fingerprint is in a table different from the table where the identifying data of the employees. However, it has not been possible to verify the possible measures of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/51 security that could be implemented to separate access to both boards." In relation to access to the application that controls the system, of which this Agency has deduced that access could occur by users who did not have permits for this, it is stated in the allegations that in the documents that were provided during the inspection period, it would have already been proven that said Users were unsubscribed, without being able to access the application. In addition, they point out that the security and safety policies were also contributed by them. information. Regarding the issue of access by users who would not have permissions, The following can be noted, analyzing the documentation provided by the interested party in their allegations to the initiation agreement. - It is noted that, as CTC states, the “CTT” users are eliminated, “CTT Valencia”, “Gestamp”, “…” and “Makro”. With this, it cannot be stated that With respect to these users, improper access occurs. - In relation to the user “DWM-12”, there is a screenshot of the ted by the interested party, with the letterhead “Log File Viewer – SRVINTEMO” but It does NOT appear in the file called “21.a.3 AccessesSQLSERVER.log”. With this, it is possible that this user appears in the server log but NOT the database log. Therefore, the explanation provided could be considered valid. related to being an account that is automatically generated when a remote desktop session is started and therefore it can be deduced that it is not what to be an account that is actually accessing the database. - On the contrary, the Users “SRVINTEMO$” or “-“ do appear in the file named “21.a.3 AccessesSQLSERVER.log”, that is, where it is assumed that There are accesses to the database server and they also appear associated with two to the message “An account was successfully logged on”. These users do not had been identified in the response to the request for institutional licenses. pection. In any case, the allegations do not explain in sufficient detail ll and clarify the matter. They only include a somewhat ambiguous phrase about the character of the user (“In the case of users who have not been provided data, such as "SRVINTEMO$" or “-“ are not user or system accounts, It is simply information that appears in the log generated by the system itself. operational issue.”) No evidence is provided in this regard, such as the list of users who are registered with access to the database or confirmation that the file “21.a.3 AccesosSQLSERVER.log” refers to access logs to the database. Subsequently, in his arguments to the proposed resolution, the defendant has provided a technical report about accesses and users. From this we conclude following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/51 The defendant affirms that, in the response to the Inspection's request, what was attached would have been an extraction from the Windows event log that included all accesses. It is understood that what they contributed in response to the request They were not specific accesses to SQL Server, although they did identify it as such in Your day. Furthermore, it appears that the information provided in response to the request It was cut off since it was a screenshot and in this report it would be contributed more completely. Well, from all the documentation provided throughout the file (relative to the users “DWM-12”, “-“, “SRVINTEMO$” with respect to which no clearly determined who they were, it seems, according to the explanation given in allegations and associated with screenshots also provided now, which are linked to accesses from the user “CLI.gruntc”, if previously declared as legitimized for access. Likewise, some specific accesses to SQL Server are also attached and in these You can see accesses from the users “sa” and “SRVINTEMO$” and “SQLTELEMETRY”. The users are declared, according to the screenshot also provided now, except the “SRVINTEMO$” account. But regarding this account “SRVINTEMO$” It can be assumed that something similar to what has already been explained will happen with respect to the other log of the contributed server, and where you could see that that same account was actually linked to a user who was declared. Therefore, after analyzing all the information and documentation provided now, there is no the access of some users who do not appear can be determined with complete certainty. in the lists of users with facilitated access privileges, both to the application as well as the database server. As will be seen later, this factor is taken taken into account for the reduction of the amount of the penalty for violation of the article 32. Finally, it must be noted that nothing has been alleged in relation to the rest of imputed facts that were contained in the agreement that initiated this file. To this In this regard, we remember that the following was indicated: “c. CTC has not proven how the erasure of the fingerprint is guaranteed after his capture. d. As detailed in the report of previous actions of investigation, in the extraction of the data it is clear that the fingerprint hash was found in a different table than the table where the data is located employee identification. However, it has not been possible to verify the possible security measures that could be implemented to separate the access to both tables.” V Response to allegations regarding non-compliance with article 35 GDPR In relation to this non-compliance, CTC alleges the following: firstly, it invokes di- preceding verses of resolutions of this AEPD: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/51 - E/00793/2016: the defendant interprets this resolution in the sense that, if workers have been informed about the implementation of the system, the AEPD I would not go into evaluating its suitability. In relation to this case, it should be noted that it prosecutes a case that occurred before the entry into force of the current GDPR. And in this Regulation it is Two obligations are perfectly established and differentiated. By a part, the information to the owners of the personal data of the data that they are going to be treated and their conditions (art. 13). And on the other hand, the need to passing an impact assessment relating to data protection, in which includes “an evaluation of the necessity and proportionality of the processing operations with respect to their purpose” (art. 35.7.b). In any case, it cannot be said that mere information to workers can could be a legitimizing basis for the installation of the biometric system. And all this without prejudice to the fact that in the present file it is also sanctioned by the absence of information, thus not even that requirement, which indicates that would be enough, it would have been fulfilled. - E/10900/2019: according to this resolution, it is alleged that the biometric system access could be implemented if there is a legal basis, even without consent workers. In this regard, it is noted that article 6.1 of the RGPD establishes what are the different bases of legitimacy for the processing of personal data. Consent (letter a) of said article) is only one of them, and may effectively occur others such as the execution of a contract, compliance of a legal obligation or even the existence of a legitimate interest that must be considered.And that in addition, for the treatment of special categories of damage personal coughs, an exception to those in section 2 is required. of article 9 of the GDPR. However, the concurrence of an exception from article 9.2 of the RGPD together with a basis of legitimation of those of article 6 of the RGPD, in no way exempts from compliance with the rest of the obligations established by the RGPD. AND One of them consists of preparing and passing an evaluation of im- data protection agreement in the cases established in said Regulation- ment, among which is the treatment that is being subject to this file. With this, it cannot be affirmed that the mere existence of a legitimizing basis exempts from the necessary completion and passing of the impact evaluation of data protection in the legally provided cases. Furthermore, the resolution that puts an end to this file bases its motivation in the old differentiation, in order to determine the treatment of categories special categories of personal data, between “identification” and “authentication” to determining identity in fingerprint signing systems C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/51 As has been sufficiently explained in the second foundation of This resolution, based on CEPD Guidelines 05/2022, on recognition facial treatment, the distinction between both types of treatments has disappeared, considering in any case the existence of a treatment of specific categories. special personal data. - E/03925/2020. The AEPD, in the opinion of the defendant, would be accepting a “similar” assumption in which there would be no DPIA. Analyzing the procedure invoked, it is observed that it is a resolution tion of file of actions, in which the aforementioned file was due to that the data protection impact assessment had been prepared and surpassed Thus, the resolution states the following: “The complainant has attached a copy of the extensive Impact Assessment carried out. zada for the processing of the fingerprint. Therefore, it has been proven that the actions of the defendant, as an entity responsible for the treatment, has been in accordance with the regulations on protection of personal data analyzed in the previous paragraphs.” Consequently, this assumption has nothing to do with the fact that it was developed and su- The impact evaluation was carried out, with the defendant in the present file. In relation to the principle of proportionality, the defendant alleges that in the file of this Agency PS/00050/2021, a fine of €20,000 was imposed for the infringement of lack of impact assessment, while in this case it would be sanctioning €100,000. It is necessary to indicate in this regard that article 83.4 of the RGPD establishes that the The amount of the penalty will take into account the business volume of the defendant. To this In this regard, as reflected in this resolution, it has been found that the turnover of the claimed party is (…).l while the income of the sanctioned in PS/00050/2021 were considerably lower. For the rest, the The rest of the circumstances taken into account for the graduation of the sanction are different in both cases. Additionally, it should be noted that in accordance with the provisions of article 83.1 of the GDPR, the supervisory authorities will ensure that the imposition of fines administrative procedures under that Regulation must be in each individual case effective, proportionate and dissuasive. Its section 2 adds that “Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or substitute for the measures referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding the tax of an administrative fine and its amount in each individual case will be taken due account:" C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/51 VI Unfulfilled information obligation. Article 13 GDPR Article 13 of the GDPR states the following: Information that must be provided when personal data is obtained from the interested 1. When personal data relating to him or her are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below: a) the identity and contact details of the person responsible and, where applicable, their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the processing for which the personal data are intended and the basis legal treatment; e) the recipients or categories of recipients of the personal data, in Their case; f) where applicable, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of a adequacy decision of the Commission, or, in the case of transfers indicated in Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to adequate or appropriate guarantees and to the means of obtaining a copy of these or to the place where they have been made available. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party, at the time the data is obtained personal, the following information necessary to guarantee a treatment of loyal and transparent data: a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this period; b) the existence of the right to request from the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of your treatment, or to oppose the treatment, as well as the right to data portability; c) when the processing is based on Article 6, paragraph 1, letter a), or the Article 9, paragraph 2, letter a), the existence of the right to withdraw the consent at any time, without affecting the legality of the treatment based on consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/51 e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences not to provide such data; f) the existence of automated decisions, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the logic applied, as well as the importance and foreseen consequences of said processing for the interested party. 3. When the data controller plans the subsequent processing of personal data for a purpose other than that for which it was collected, will provide the interested party, prior to said further processing, information about that other purpose and any additional information relevant to tenor of section 2. 4. The provisions of paragraphs 1, 2 and 3 shall not apply when and in the to the extent that the interested party already has the information. In that sense, Recital 60 of the GDPR says that “The processing principles loyal and transparent require that the interested party be informed of the existence of the operation. tion of treatment and its purposes. The data controller must provide the interested party provided as much complementary information as is necessary to guarantee treatment fair and transparent, taking into account the specific circumstances and context in personal data are processed. The interested party must also be informed of the existence of profiling and the consequences of such profiling. If personal data is obtained from data subjects, they must also be informed whether they are obliged to provide them and the consequences if they do not do so. ran.” In the case at hand, it can be proven that the claimed party did not inform correctly about the treatment. The informative clause referred to and which would have been included in the company's “employee portal” in October 2021 suffers from important defects. These are also corroborated by the correction that The version of the informative clause was made, without date, but prepared after the information requirement of this Agency and as stated in the report of Previous actions sent to workers in March 2022: - It does not include which treatments are the subject of said information clause. Of In fact, the only specific reference to the treatment of the fingerprint comes from a very brief mention in section 3 “A fingerprint reader is installed “fingerprint for access to offices.” It does not indicate if it is activated or if it collects the fingerprint and, of course, it does not include the fingerprint data among those who are the object of treatment. By contrast, the later clause contains a specific reference to treatment of the “fingerprint to control the working day” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid Seeagpd.gob.es 32/51 In this regard, it is important to note that the information clause seems refer to a plurality of treatments, which are included in a single document written in a very concise manner. They are not related treatments carried out, and for all of them a legitimizing basis applies, which It would be the execution of the contract. Furthermore, it states that the data processing personal is carried out with multiple purposes: o Manage the employment relationship with the company's employees. o Administrative accounting management of employee data. o Preparation of payrolls. o Prevention of occupational risks. o Training - In the first informative clause, joint information was made to which were supposed to be multiple processing of personal data that the company carried out. Well, for all of them the original document reported as a basis of legitimation simply the expression “Relationship labor contract.” However, in the later version, this has been corrected and, referring to specifically to the processing of the fingerprint, it is stated that the legitimation would come from “compliance with a legal obligation (article 34.9 of the Workers' Statute), referring to the control of the working day.” As It is observed, a totally different legitimizing basis. In fact, after consulting the Registry of Treatment Activities provided by the claimed party, in the treatment “Access control and working day by fingerprint”, in the field “Legitimation of security operations”. treatment” includes “compliance with a legal obligation (article 34.9 of the Status of workers)". For all these reasons, the duty to inform the parties was not complied with in this regard. workers in the initial information that was provided. In this regard, you must Remember that the aforementioned article 13.2.e) of the RGPD establishes that find out about “whether the communication of personal data is a legal requirement or contractual, or a necessary requirement to enter into a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data” - In relation to the data retention period, in the initial version of The information clause stated “The data provided will be kept for the duration of the contractual relationship and for the years necessary to comply with legal obligations.” Furthermore, as has been indicated more above, in relation to the multiple treatments that were carried out. Without However, in the later version it is clarified what the periods of conservation and blocking, also specifying the total period in years “The data They will be kept for the duration of the employment relationship. The data regarding the working day will be kept blocked and pseudonymized for the duration. required for legal compliance (4 years.)” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/51 - Neither in the initial version of the clause nor in the later version is information about the right to file a claim with the Control Authority (art. 13.2.d) For all these reasons, it cannot be considered that the claimed party has complied with its information obligations of article 13 of the GDPR. It is also striking that the text of the email sent by the company makes only a reference to the “updating of the update of its data protection policies”, without no reference to the implementation of a fingerprint signing system (which would surely have encouraged consultation of the information clause that, for what has been seen, was totally defective) VII Lack of information. Article 13 GDPR Typification and qualification of the infringement In accordance with the evidence available at the present time of the sanctioning procedure, it is considered that the claimed party has omitted the information related to the data processing carried out, thereby violating the article 13 of the GDPR. The known facts constitute an infringement, attributable to the party claimed typified in article 83.5 of the RGPD which stipulates the following: "5. Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: b) the rights of the interested parties under articles 12 to 22;” For the purposes of the limitation period for infringements, the alleged infringement prescribes after three years, in accordance with article 72.h). of the LOPDGDD, which qualifies as The following behavior is very serious: “h) The omission of the duty to inform the affected party about the processing of their data personal in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this organic law.” VIII Lack of information. Article 13 GDPR. Sanction This violation can be punished with a fine of a maximum of €20 million or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the of larger amounts, in accordance with article 83.5 of the RGPD. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 34/51 - The duration of the violation. It would have lasted at least from October 2021 (date of submission of the original clause) until March 2022 (containing the revised version) (art. 83.2.a) of the GDPR). - The category of personal data affected by the infringement. It must be kept in Keep in mind that the fingerprint is biometric data and in accordance with article 9 of the GDPR are considered special categories of data “the processing of biometric data aimed at uniquely identifying a person physics,” (article 83.2.g) of the RGPD) According to these criteria, it is estimated that the corresponding sanction is a fine. TWO HUNDRED THOUSAND EUROS (€200,000) IX Lack of security measures. Article 32 GDPR. Unfulfilled obligation With regard to the application of data protection regulations to the case raised, it must be taken into account that the RGPD, in its article 32, requires responsible for the treatment, the adoption of the corresponding measures of necessary security to guarantee that the treatment complies with the regulations in force, as well as ensuring that any person acting under the authority of the responsible or the person in charge and has access to personal data, can only process it following instructions from the person in charge. Article 32 “Security of processing” of the GDPR establishes: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for people's rights and freedoms physical, the person responsible and the person in charge of the treatment will apply technical and appropriate organizational measures to guarantee a level of security appropriate to the risk, which, if applicable, includes, among others: a) pseudonymization and encryption of personal data; a) the ability to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services; a) the ability to restore availability and access to data personnel quickly in the event of a physical or technical incident; b) a process of regular verification, evaluation and assessment of effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to takes into account the risks presented by data processing, in particular as consequence of the accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid Seeagpd.gob.es 35/51 3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the person responsible or in charge and has access to personal data can only process said data following instructions of the person responsible, unless it is obliged to do so by virtue of the Law of the Union or the Member States.” Article 32 does not establish static security measures, but will correspond to the responsible for determining those security measures that are necessary to incorporate the ability to ensure confidentiality, integrity and availability of personal data, therefore, the same data processing may involve different security measures depending on the specificities specific conditions in which said data processing takes place. In line with these provisions, Recital 75 of the GDPR establishes: risks to the rights and freedoms of natural persons, serious and variable probability, may be due to data processing that could cause physical, material or immaterial damages, particularly in cases where that the treatment may give rise to problems of discrimination, usurpation of identity or fraud, financial loss, reputational damage, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of the pseudonymization or any other significant economic or social harm; in the cases in which the interested parties are deprived of their rights and freedoms or are prevents you from exercising control over your personal data; in cases where the data processed personal reveals ethnic or racial origin, political opinions, religion or philosophical beliefs, militancy in unions and the processing of genetic data, data relating to health or data on sexual life, or convictions and offenses criminal or related security measures; in cases in which they are evaluated personal aspects, in particular the analysis or prediction of aspects related to the performance at work, economic situation, health, preferences or interests personal, reliability or behavior, situation or movements, in order to create or use personal profiles; in cases in which personal data of vulnerable people, particularly children; or in cases where the treatment involves a large amount of personal data and affects a large number of interested. Likewise, Recital 83 of the GDPR establishes: In order to maintain the security and prevent the processing from infringing the provisions of this Regulation, the responsible or the person in charge must evaluate the risks inherent to the treatment and apply measures to mitigate them, such as encryption. These measures must guarantee a appropriate level of security, including confidentiality, taking into account the state of the art and the cost of its application with respect to the risks and nature of the personal data that must be protected. When assessing the risk in Regarding data security, the risks involved must be taken into account. arise from the processing of personal data, such as the destruction, loss or C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 36/51 accidental or illicit alteration of personal data transmitted, preserved or processed otherwise, or unauthorized communication or access to said data, susceptible in particular of causing physical, material or immaterial damages. (he emphasis is ours) In short, the first step to determine the security measures will be the Risk assessment. Once evaluated, it will be necessary to determine the measures of security aimed at reducing or eliminating risks for the treatment of data. The principle of data security requires the application of technical measures or appropriate organizational measures in the processing of personal data to protect said data against access, use, modification, dissemination, loss, destruction or damage accidental, unauthorized or unlawful. In this sense, security measures are keys when it comes to guaranteeing the fundamental right to data protection. It's not possible the existence of the fundamental right to data protection if it is not possible guarantee their confidentiality, integrity and availability. It should not be forgotten that, in accordance with article 32.1 of the aforementioned GDPR, the technical and organizational measures to apply to incorporate the capacity to guarantee a level of security appropriate to the risk must take into account the state of the technical, implementation costs, nature, scope, context and purposes of the treatment, as well as the risks of varying probability and severity for the rights and freedoms of natural persons. Therefore, the claimed party, when evaluating the risks and determining the appropriate technical and organizational measures to include the ability to ensure a level of security appropriate to the risk, is obliged to take into account the specific activity carried out and the type of data processed. Therefore, derived from the activity to which it is dedicated, the claimed party is obliged to carry out a highly specialized risk analysis and implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk of its activity for the rights and freedoms of people. In the present case, in the course of the investigation carried out by this Agency, it has been was able to verify the following in relation to the security of the system: to. The identifying data of the employee and his fingerprint hash. b. CTC has not proven how the erasure of the fingerprint is guaranteed after his capture. c. As detailed in the report of previous actions of investigation, in the extraction of the data it is clear that the fingerprint hash was found in a different table than the table where the data is located employee identification. However, it has not been possible to verify the possible security measures that could be implemented to separate the access to both tables. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid Seeagpd.gob.es 37/51 With this, the claimed party has not proven the existence of technical measures and organizational in relation to the security of the processing of personal data. X Typification and qualification for the purposes of the prescription of the violation of the article 32 of the GDPR The aforementioned violation of article 32 of the RGPD implies the commission of the violations typified in article 83.4 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: f) The lack of adoption of those technical and organizational measures that result appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of Regulation (EU) 2016/679.” XI Lack of security measures article 32 RGPD. This violation can be punished with a fine of a maximum of €10 million or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the of larger amounts, in accordance with article 83.4 of the RGPD. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 38/51 - Duration of the violation. It would have lasted at least since October 2021 (date of sending the original clause), without the inspector would have confirmed his termination at any time. (art. 83.2.a) of the RGPD). - The category of personal data affected by the infringement. It must be kept in Keep in mind that the fingerprint is biometric data and in accordance with article 9 of the GDPR are considered special categories of data “the processing of biometric data aimed at uniquely identifying a person physical,". In this regard, the risk situation created by the lack of measures security is superior with respect to data that is not considered (article 83.2.g) of the RGPD). Both in the initiation agreement and in the proposed resolution of this file included as one of the breaches within this infraction the fact that In the information provided by CTC, the access of some users who were not included in the lists of users with access privileges provided, both to the application as well as the database server. However, throughout this file, the defendant has provided information and documentation that have led to the conclusion that the access of some users who do not appear in the lists of privileged users facilitated access, both to the application and to the database server. Consequently, although the initial agreement of this resolution proposed a penalty of €100,000 for non-compliance with article 32, after assessment mentioned, the amount is set at SIXTY-FIVE THOUSAND EUROS (€65,000). XII Impact assessment relating to data protection. Article 35 GDPR Unfulfilled obligation Obligation to carry out and pass a data protection impact assessment. Article 35.1 of the GDPR states that “When it is likely that a type of processing, particularly if it uses new technologies, due to their nature, scope, context or purposes, entails a high risk for the rights and freedoms of people physical, the person responsible for the treatment will carry out, before the treatment, an evaluation of the impact of processing operations on the protection of personal data. A single evaluation may address a series of similar treatment operations that entail similar high risks.” Section 3 of said article 35 contains the cases in which the preparation of the impact evaluation: “a) systematic and exhaustive evaluation of personal aspects of natural persons that is based on automated processing, such as profiling, and on on the basis of which decisions are made that produce legal effects for people physically or that significantly affect them in a similar way; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 39/51 b) large-scale processing of the special categories of data referred to in the Article 9(1) or personal data relating to convictions and offenses criminal offenses referred to in article 10, or c) large-scale systematic observation of a publicly accessible area.” In this procedure, the need to prepare an impact evaluation of data protection is not questioned by the defendant, who has also sent the prepared in relation to this treatment. Article 35.7 GDPR includes the content minimum you must have: “a) a systematic description of the planned treatment operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the responsible for the treatment; b) an assessment of the necessity and proportionality of the operations of processing with respect to its purpose; c) an assessment of the risks to the rights and freedoms of the data subjects to referred to in section 1, and d) the measures planned to address the risks, including guarantees, security measures security and mechanisms that guarantee the protection of personal data, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of the interested parties and other affected persons.” Before implementing data processing based on this intrusive technology, it is It is also necessary to previously audit its operation, not in isolation but in the framework of the specific treatment in which it is going to be used. The personal data protection impact assessment, DPIA, then appears as the tool required by the GDPR to ensure compliance with this aspect of the treatment, as established in the aforementioned section 1 of the Article 35 of the GDPR. The processing of biometric data is a high-risk treatment, by virtue of the provided for in article 35.4 of the RGPD, so it must be assumed that the treatment carried out in this case by CTC should have been preceded by the carrying out and passing a valid impact evaluation, which included, as minimum the sections provided for in article 35.7 of the RGPD. This implies that it is not enough with carrying out a DPIA, but will have to be passed to comply with the RGPD. For these purposes, this Agency has published the document called “Lists of types of data processing that require impact assessment relating to the Data Protection". This list is based on the criteria established by the Group of Work of Article 29 in the guide WP248 “Guidelines on impact assessment regarding data protection (DPIA) and to determine whether the processing "involves “probably a high risk” for the purposes of the GDPR”, complements them and should be understood as a non-exhaustive list. Inside it is: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 40/51 "5. Treatments that involve the use of biometric data for the purpose of uniquely identify a natural person.” This evaluation will be done prior to the start of treatment, without prejudice to that should be understood as a continuous or periodic evaluation, in the sense established by article 35.11 of the GDPR, which provides: “If necessary, the responsible will examine whether the treatment complies with the impact assessment regarding data protection, at least when there is a change in the risk that represent the treatment operations.” A DPIA must comply with the requirements or minimum content related to the Article 35.7 of the GDPR, which provides: “The evaluation must include at least: a) a systematic description of the planned processing operations and of the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller; b) an assessment of the necessity and proportionality of the operations of processing with respect to its purpose; c) an assessment of the risks to the rights and freedoms of data subjects referred to in section 1, and d) the measures planned to address the risks, including guarantees, measures security and mechanisms that guarantee the protection of personal data, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of the interested parties and other persons affected.” In short, overcoming a DPIA requires that the person responsible for a treatment high risk document in writing that it passes the suitability assessment, necessity and proportionality of the treatment, and that manages from the design the specific risks of the treatment, with the practical application of measures aimed at them in a way that guarantees an acceptable risk threshold throughout the processing life cycle, as established in article 35 of the GDPR. Furthermore, it requires prior consultation with the supervisory authority in the event that the responsible has not taken measures to mitigate the risk in accordance with the article 36 of the GDPR. To analyze CTC's compliance with this obligation, we must start from the consideration made by the person responsible, and already refuted in previous sections of this resolution, that the person responsible was not processing data classified as special provisions in article 9 of the GDPR. As has been proven, the treatment of biometric data fits into that category of data, without distinction being applied anything, for these purposes, between identification and authentication Once this factor has been established, the validity of the document must be ruled out from the beginning. presented by the controller as an “impact assessment” relating to the data personal. And this is because at no time is this document based on the processing of special category personal data such as biometric data. And in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 41/51 Consequently, the evaluation has not been able to take into account crucial aspects that should be analyzed, among them: - If any of the causes for lifting the prohibition of processing of those categories of personal data among those provided for in the article 9.2 of the GDPR. - Correct identification and analysis of risks regarding treatment referenced also with respect to these categories of personal data, which must be taken into consideration along with the rest of the elements that involved in the processing of personal data, and how they can affect the rights and freedoms of data owners. - Technical and organizational measures of all kinds, with express mention of the specific security measures inherent to the processing of this data. The above necessarily leads to the conclusion that in no way can be considered a valid data protection impact assessment, when it starts from premises in which the person responsible for the treatment does not take into account consideration that is faced with the processing of special categories of data personal, with all that this entails in terms of compliance with the RGPD and the risk management. One of the obligations that correspond to every data controller personal is to ensure that the treatment respects the Principles provided for in the Article 5 of the GDPR. In the case of biometric data, because it is a special category and high risk, it is worth highlighting the essential importance of respecting the principle of minimization of processing/data, provided for in article 5.1.c) which indicates: "1. The personal data will be: a) adequate, relevant and limited to what is necessary in relation to the purposes for those that are processed (“data minimization”)”. Respect for this principle must be the starting point at the beginning of everything treatment, the person responsible must first of all consider whether this treatment It will be really necessary, suitable, and proportional before starting it. And if this treatment is high risk - in the case of biometrics - should reflect this evaluation prior of necessity and proportionality in a specific document called personal data protection impact assessment, in accordance with the provisions in article 35.7.b) of the RGPD, which provides that “a assessment of the necessity and proportionality of treatment operations regarding its purpose.” This is confirmed by recital 39 of the GDPR, which underlines the importance of processing is necessary, indicating that “Personal data should only be processed if the purpose of the processing could not reasonably be achieved by other means.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 42/51 Along the same lines, the Working Group of article 29, in its Opinion 3/2012 on the evolution of biometric technologies, indicates that “When analyzing the proportionality of a proposed biometric system, it is necessary to previously consider whether the system is necessary to respond to the identified need, that is, if it is essential to satisfy that need, and not just the most appropriate or profitable one. A second factor What must be taken into account is the probability that the system will be effective for respond to the need in question in light of the specific characteristics of the biometric technology to be used. A third aspect to consider is whether the The resulting loss of privacy is proportional to the expected benefits. If he benefit is relatively minor, such as greater comfort or slight savings, then the loss of privacy is not appropriate. The fourth aspect to evaluate the adequacy of a biometric system is to consider whether a less invasive means of intimacy would achieve the desired end.” Idea that is reiterated in section 72 of Guidelines 3/2019 on the treatment of personal data through video devices, dated 01/29/2020, from the CEPD, which indicates: “The use of biometric data and, in particular, facial recognition entails high risks for the rights of the interested parties. It is essential that the resource to such technologies takes place with due respect for the principles of legality, necessity, proportionality and data minimization as established by the GDPR. Although the use of these technologies may be perceived as particularly effective, those responsible for the treatment must first evaluate the impact on fundamental rights and freedoms and consider less intrusive means of achieve its legitimate purpose of processing. That is, we would have to answer the question of whether This biometric application is something that is really essential and necessary, or is it just “convenient”. Since the processing of biometric data implies restricting rights and freedoms of the interested parties, the obligation to process only “personal data that is appropriate, relevant and limited to what is necessary in relation to the purposes for which that are processed” provided for by the principle of data minimization/processing of the article 5.1.c) of the RGPD, must be interpreted in accordance with the provisions of the reiterated jurisprudence of our Constitutional Court regarding the need to verify that any restrictive measure of fundamental rights (treatment biometric in this case) overcomes what is called “the triple judgment of proportionality.” This implies that, first of all, it is necessary to verify whether it meets the following three requirements or conditions referred to by the Constitutional Court: "if such measure is likely to achieve the proposed objective (suitability judgment); yes, furthermore, it is necessary, in the sense that there is no other more moderate measure for the achievement of such purpose with equal effectiveness (judgment of necessity); and finally, if It is weighted or balanced, since more benefits or advantages are derived from it. for the general interest that damages other goods or values in conflict (judgment of proportionality in the strict sense). Document provided by the claimant. After analyzing the impact evaluation provided by the defendant, it can be seen which suffers from important defects: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 43/51 First of all, it must be made clear that a data protection impact assessment data is not a mere formal document that is included as a procedure prior to carrying out the treatment. On the contrary, it is the document that reflects an analysis that must begin with a criterion as basic as if for the carrying out the activity in question, it is necessary to carry out data processing personal. If this first analysis is not passed, it should not be performed or continue with treatment. Next, if it is essential to carry out data processing personal data, an analysis must be carried out regarding the typology of personal data treaties. And this, because together with other elements, they will determine the risks that such treatment implies and that must be evaluated by the person responsible for the treatment. AND In view of them, proceed to the analysis of the need, suitability and proportionality, so that a result is obtained according to which the if the risks involved in the treatment, and depending on the established measures, organizational and security, whether or not they advise its implementation. This brings us back to the concept of data protection impact assessment as a material as well as formal concept. Formal because the existence of a document that summarizes it, accompanied by of a set of documents that, for the sake of proactive responsibility, prove its realization. Among others, the documentation prior to the EIPD must be present in that the need for the decision to carry out the DPIA has been expressed; also specifies all the documentation prepared on the occasion of carrying out the DPIA and justification of the results obtained in the DPIA and the measures adopted to respect, including the documentation related to the participation of the Delegate of Data Protection, if applicable, in its preparation. And material because it must carry out the analyzes mentioned above and contain a verdict that allows the treatment to be carried out. That is, the impact evaluation is not not only a document that must be prepared, but a judgment that must be overcome. Only if produces said improvement, that is, if the conviction is reached that the risks existing ones are acceptable depending on the technical and organizational measures, of all type, established, the treatment may be carried out under the established conditions. And, in the event that the exceedance occurs, additional provisions must be made reactive measures, so that, in the event of risks materializing, they are avoided or minimize the impact on the rights and freedoms of data subjects personal. Well, in relation to the document provided by the claimed party, there is no describe the purposes of the treatment. For these purposes, the only reference contained in the document is to indicate that the treatment would be legitimized by compliance of a legal obligation (Workers' Statute) and an indication of “The purpose that is intended to be covered requires all the data to be collected and for all the affected persons/interested parties (principle of data minimization)”, followed by the expression “YES” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 44/51 Necessity and proportionality to. Need The impact assessment provided by the controller does not contain a true judgment on the necessity and proportionality in carrying out the treatment object of the proceedings. For these purposes, said document contains only the following explanation: "Other systems have been ruled out, e.g. card signing because after the experience With it, conflictive situations arose. This is a service in which There is a high staff turnover. When the card system was used for signing, sometimes it was transferred to other people who were not the owner of it, personnel not related to it being present in the work area with all the risks that involve job security. The use of the fingerprint is the system that allows you to avoid these criminal situations and guarantees correct compliance with the labor regulations and prevent unauthorized access” The need implies that a combined evaluation is required, based on facts, on the effectiveness of the measure for the objective pursued and on whether it is less intrusive compared to other options to achieve the same goal. Necessity should not be confused with utility of the system. It may be that the detection of fingerprint makes it easier to avoid having to carry a card, which takes a few seconds less in its access, which is automatic and instantaneous and not excessively expensive. Obviously, a fingerprint system can be useful, but it doesn't have to be objectively necessary (the latter being what really must be present). As established in opinion 3/2012 on the evolution of biometric technologies- of WG 29-, it must be examined “if it is essential to satisfy that need, and not only the most appropriate or profitable.” Options and alternatives must be analyzed before establish a new system that represents an exaggerated limitation of the right of each user, when there may be less invasive means of privacy, and not opting for what is practical or agile and comfortable, when the rights of its owners are at stake. That a system previously established to achieve a purpose is not effective, as the claimed party claims regarding its card signing-in system, it does not means that there are no other systems that are effective without the need to perform a biometric treatment. And all of them must be considered, taking into account a detailed description of them, and not only the one that they previously assert that It was not effective. The jurisprudence of the CJEU applies a strict necessity assessment to any limitation on the exercise of the rights to the protection of personal data personal and respect for private life in relation to the processing of personal data. personal nature: "the exceptions and limitations in relation to the protection of Personal data should be applied only to the extent that they are strictly necessary. The ECtHR applies a strict necessity assessment in depending on the context and all existing circumstances, as in the case of secret control measures. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 45/51 In this regard, none of that is done in the document provided. This is limited to affirm that the fingerprint signing system would be justified by alleged problems that could arise from the transfer of cards between workers. In Regarding this aspect, nothing explains why some other is not feasible. supervision system that would avoid this problem and why, ultimately, the Fingerprint processing is essential and other systems cannot be used less intrusive than the processing of biometric data. Consequently, if there are alternatives available so that at a given time all fans opt for non-biometric access, and consent is articulated free, express and specific that allows you to choose between these other less intrusive methods and biometrics, this implies that the processing of biometric data is not necessary for the purpose of controlling the identity of those who access the cheering stands. In no case is the judgment of necessity overcome because the biometric treatment there's no need. b. Suitability. The principle of suitability implies the need to evaluate that there is a logical and direct between the treatment and the objective pursued. In this sense, the only explanation provided in this regard by the claimed party is the following: “Suitability judgment: to achieve the objective of access control and the day work, the system through the fingerprint hash has been the appropriate one for us for the purpose pursued. The effectiveness threshold that should be reached for comply with the purposes of the treatment, it must be practically 100%, it is the compliance with a legal obligation and guaranteeing safety in the workplace. “We consider the effectiveness of this system to help us reach this threshold.” The claimed party adds nothing more in this regard, limiting itself to affirming the effectiveness of a system like the one established for signing. It does not detail why this is the system suitable, particularly based on the risks involved, nor does it explain why What do you consider the effectiveness of the system to be total? In fact, he does not affirm that said effectiveness is complete but rather that “The threshold of effectiveness that should be achieved to comply with the purposes of the treatment, it must be practically 100”. That is, no proves its effectiveness, but is limited to declaring an objective to be achieved). c. Proportionality Once a legislative measure is considered necessary, it must be analyzed in detail. depending on its proportionality. An assessment of proportionality implies, therefore, Generally, assess what “safeguards” should accompany a measure (e.g. on surveillance) to reduce the risks posed by the planned measure for fundamental rights and freedoms of the affected persons, at a level «acceptable» /proportional. Another factor that must be taken into account when evaluating the proportionality of a proposed measure is the effectiveness of existing measures above the proposed one. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 46/51 If measures already exist for a similar or identical purpose, their effectiveness must be evaluated systematically as part of the proportionality assessment. Without that evaluation of the effectiveness of existing measures that pursue a similar objective or the same, it cannot be considered that the evaluation of the proportionality of a new measure. There must be a logical link between the measure and the legitimate objective pursued. For that the principle of proportionality is respected, the advantages resulting from the measure should not be overcome by the disadvantages that the measure causes with respect to the exercise of fundamental rights. And one of the factors that play in the Proportionality is the effectiveness of the measures of existing measures, above of the proposal, if in the same context measures already existed for a purpose similar or identical, must be considered, otherwise the assessment of proportionality will not has been duly carried out. As can easily be seen, the impact evaluation provided does not deduces any judgment on proportionality. In this regard, the Protection Guide of data in labor relations, of this AEPD (May 2021), clarifies the following in its “Biometric data” section: "4. Storage will preferably be done on a personal device, before than going to centralized storage. A password must be used Specific encryption for reading devices to effectively protect these data against all unauthorized access.” In the case in question, we are faced with a centralized system. And by Otherwise, nothing about the proportionality judgment appears in the evaluation of impact contributed by the person responsible. Risk analysis Article 35.7.d) of the RGPD establishes as part of the minimum content of the data protection impact assessment the following: “d) the measures planned to address the risks, including guarantees, security measures security and mechanisms that guarantee the protection of personal data, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of the interested parties and other affected persons.” Observing the corresponding section of the impact assessment document provided, it is concluded that a very partial view of the risks has been included, including (apart from the generic risk of “not carrying out a risk assessment” impact”, those related to the security of information systems (possible cyberattacks, breaches, etc.). On the contrary, nothing is included about guarantees and mechanisms that guarantee the Protection of personal data. Nothing related to the possible treatment of the information stored in relation to biometric data or any other aspect other than the security of the information. Much less an analysis of the risks from the perspective of the rights and interests of those interested and affected. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 47/51 Based on the above, it cannot be considered that the person responsible has fulfilled its obligation to carry out and pass an impact assessment relating to data protection in relation to fingerprint processing. XIII Classification of the violation of article 35 RGPD The aforementioned violation of article 35 of the RGPD implies the commission of the violations typified in article 83.4 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the largest amount: b) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: t) The processing of personal data without having carried out the evaluation of the impact of processing operations on the protection of personal data in the “cases in which it is required” XIV Lack of impact assessment article 35 RGPD. This violation can be punished with a fine of a maximum of €10 million or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the of larger amounts, in accordance with article 83.4 of the RGPD. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 48/51 - Duration of the violation. It would have lasted at least since October 2021 (date of sending the original clause), without the inspector would have confirmed his termination at any time. (art. 83.2.a) - The category of personal data affected by the infringement. It must be kept in Keep in mind that the fingerprint is biometric data and in accordance with article 9 of the GDPR are considered special categories of data “the processing of genetic data, biometric data aimed at uniquely identifying a natural person." In this regard, the risk situation created by the lack of security measures is aggravated with respect to data that does not have the consideration of specials (article 83.2.g) According to these criteria, it is estimated that the corresponding sanction is a fine. ONE HUNDRED THOUSAND EUROS (€100,000) XV Adoption of measures Once the violation is confirmed, it is agreed to impose measures on the person responsible. appropriate to adjust their actions to the regulations mentioned in this act, in order in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each control authority may “order the person responsible or in charge of the treatment to processing operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a period specified…". The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in art. 83.2 of the GDPR. Specifically, based on the violations observed, the following are established: measures, establishing the deadline for compliance within SIX MONTHS: - Inform all workers appropriately, including all extremes that have not been included until now, as detailed in the legal foundations of this resolution - Establish the necessary security measures to prevent access by personnel not expressly authorized, as well as to guarantee the deletion of the footprint after his capture. Also to separate access to the tables that They contain the hash of the fingerprints and the identification data of the workers. - Prepare a data protection impact assessment that contains all the extremes provided for in article 35 of the RGPD, in particular taking take into account the defects pointed out in this resolution. Additionally, and in accordance with articles 90.3 of the LPCAP, and 58. 2.f), of the RGPD, in This resolution agrees that within a period of ten days from its notification, the claimed temporary limit or definitively the treatment of the control system time using the fingerprint, as long as it does not adequately inform the workers, until you complete and pass a health protection impact assessment. valid processing data, which takes into account the risks to the rights and freedoms of employees and the appropriate measures and guarantees for their treatment, or even if it were carried out, it would be necessary to carry out the consultation forecast established C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 49/51 in article 36 of the RGPD and ultimately, until it complies with the regulations of Data Protection. In this sense, the Agency has recently published a guide on presence control through biometric treatment systems that are It is available on its website where the necessary requirements are indicated to establish a system of these characteristics. It is warned that failure to comply with the order to adopt measures imposed by this body in the sanctioning resolution may be considered as an infraction administrative in accordance with the provisions of the RGPD, classified as an infringement in its article 83.5 and 83.6, such conduct may motivate the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE on CTC EXTERNALIZACIÓN, S.L., with NIF B60924131, the following fines: - For a violation of Article 13 of the RGPD, typified in Article 83.5 of the RGPD a fine of 200,000 euros (TWO HUNDRED THOUSAND euros). - For a violation of Article 32 of the RGPD, typified in Article 83.4 of the RGPD, a fine of 65,000 euros (SIXTY-FIVE THOUSAND euros) - For a violation of Article 35 of the RGPD, typified in Article 83.4 of the GDPR, a fine of 100,000 euros (ONE HUNDRED THOUSAND euros). This makes a total of €365,000 (THREE HUNDRED AND SIXTY-FIVE THOUSAND euros). SECOND: ORDER to CTC EXTERNALIZACIÓN, S.L., with NIF B60924131, which pursuant to article 58.2.d) of the RGPD, within 6 months, prove that proceeded to comply with the following measures: - Inform all workers appropriately, including all extremes that have not been included until now, as detailed in the legal foundations of this resolution - Establish the necessary security measures to prevent access by personnel not expressly authorized, as well as to guarantee the deletion of the footprint after his capture. Also to separate access to the tables that They contain the hash of the fingerprints and the identification data of the workers. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 50/51 - Prepare a data protection impact assessment that contains all the extremes provided for in article 35 of the RGPD, in particular taking take into account the defects pointed out in this resolution, and overcome it. - Comply with data protection regulations. THIRD. ORDER, in accordance with articles 90.3 of the LPCAP, and 58. 2.f), of the RGPD, to CTC EXTERNALIZACIÓN, S.L., with NIF B60924131 which, within the period of ten days from the notification of this resolution, temporary or definitive limit treatment of the time control system using the fingerprint, as long as it is not adequately inform workers, until they carry out and pass an evaluation of valid data protection impact of the processing, which takes into account the risks to the rights and freedoms of employees and the measures and guarantees suitable for its treatment, or even if it were carried out, it would be necessary to make the forecast consultation established in article 36 of the RGPD and ultimately, until it is in accordance with data protection regulations FOURTH: NOTIFY this resolution to CTC EXTERNALIZACIÓN, S.L.. FIFTH: This resolution will be enforceable once the deadline to file the optional resource for replacement (one month counting from the day following the notification of this resolution) without the interested party having made use of this power. The sanctioned person is warned that he must make effective the sanction imposed once This resolution is executive, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Real Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, through your entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collection in executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 51/51 contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-21112023 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es