AEPD (Spain) - PS/00064/2021: Difference between revisions
From GDPRhub
m (Ar moved page AEPD - PS/00064/2021 to AEPD (Spain) - PS/00064/2021) |
(→English Machine Translation of the Decision: general overhaul of the case) |
||
| Line 50: | Line 50: | ||
}} | }} | ||
The Spanish | The Spanish Data Protection Agency sanctioned the Municipality of El Espinar with a warning for violating GDPR by publicly disclosing personal data in electoral board lists. | ||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
The Spanish city council of El | The Spanish city council of El Espinar accidentally published a complete electoral list that included names, ID numbers, and addresses of polling station members, instead of the redacted version. Upon receiving the complaint, the AEPD requested the municipality to provide relevant information and to communicate their decision to the complainant. The municipality responded that an error had occurred during the publication process due to the automatic download from the "ACCEDE" software, and corrective measures were taken to remove the incorrect document and issue the correct one. Further, a circular was issued to municipal staff regarding data protection measures. | ||
===Holding=== | ===Holding=== | ||
The AEPD held that the facts constituted a data breach and were therefore a violation of Article 32(1), and additionally Article 5(1)(f) for violating the confidentiality principle. | The AEPD held that the facts constituted a data breach and were therefore a violation of [[Article 32 GDPR|Article 32(1)]] of the GDPR, for failing to ensure data security, and additionally [[Article 5 GDPR|Article 5(1)(f)]] of the GDPR, for violating the confidentiality principle. The AEPD imposed a warning on the city council, as the Spanish Data Protection Law does not allow fining public institutions. | ||
The AEPD imposed a warning on the city council, as the Spanish Data Protection Law does not allow fining public institutions. | |||
==Comment== | ==Comment== | ||
| Line 73: | Line 69: | ||
<pre> | <pre> | ||
Procedure No.: PS/00064/2021 | |||
RESOLUTION OF SANCTIONING PROCEDURE | |||
From the procedure instructed by the Spanish Data Protection Agency and based on the following | |||
BACKGROUND | |||
FIRST: Ms. A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on 08/22/2019. The complaint is directed against the CITY COUNCIL OF EL ESPINAR with NIF P4008700I (hereinafter, the respondent). The grounds for the complaint are the publication, via an official notice, of the lists of the members of the electoral tables indicating their full names, complete addresses, and ID numbers. | |||
SECOND: After receiving the complaint, the General Data Inspection Subdirectorate proceeded to carry out the following actions: | |||
On 11/28/2019, reiterated on 11/08/2019, the complaint was forwarded to the respondent for analysis and communication to the complainant of the decision made in this regard. Additionally, the respondent was required to submit specific information to the Agency within a month: | |||
- Copies of the communications and the decision made, | |||
sent to the complainant regarding the transfer of this | |||
complaint, and proof that the complainant received the | |||
communication of that decision. | |||
- A report on the causes that motivated the incident | |||
that led to the complaint. | |||
- A report on the measures taken to prevent similar | |||
incidents. | |||
- Any other relevant information. | |||
THIRD: On 06/08/2020, in accordance with Article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the complaint filed by the complainant against the respondent. | |||
FOURTH: The respondent did not respond within the deadline to any of the requirements mentioned in the second fact by the AEPD. However, on 06/16/2020, a letter was received from the respondent addressing the issues raised, stating that at the extraordinary plenary session on 04/29/2019, for the draw of the composition of the electoral tables for the municipal elections of 05/26/2019, the data protection regulations were complied with, and only councilors had access to the confidential information of the residents. The draw was conducted using the "ACCEDE" software provided by the Diputación de Segovia, and these plenary sessions are not recorded, with only the names of those selected by the draw and their positions on the electoral table being recorded in the minutes. The respondent has the Bandomovil service to keep residents instantly informed of news and updates of interest, ensuring municipal information transparency. To facilitate the result of the draw for the composition of the electoral tables to residents, an extract of the main and alternate members was published, in addition to personal notification to the selected individuals. However, on this occasion, as the complainant indicated, the list automatically downloaded from the "ACCEDE" software was initially published. This error was justified by the fact that the Local Police was responsible for making personal notifications to the selected individuals, and there was a mistake with the lists. Once the error was noticed, the incorrect document was immediately deleted and replaced with the correct one. Additionally, the respondent issued a Circular on 11/16/2020 to inform staff of the measures to be taken regarding notifications in data protection matters, and a review and update of this matter is being conducted across the entire City Council to prevent future personal data security failures. | |||
FIFTH: On 02/18/2021, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the respondent for the alleged violation of Articles 5.1.f) and 32.1 of the GDPR, sanctioned in accordance with Articles 83.5.a) and 83.4.a) of the cited GDPR, considering that the corresponding sanction would be a WARNING. | |||
SIXTH: After being notified of the initiation agreement, the respondent has not submitted any written arguments to date, thus, as per Article 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, paragraph f) states that if no arguments are made within the stipulated period regarding the content of the initiation agreement, it may be considered a resolution proposal if it contains a precise statement about the responsibility attributed, therefore a Resolution is issued. | |||
SEVENTH: From the actions carried out in the present procedure, the following have been proven: | |||
PROVEN FACTS | |||
FIRST: On 22/08/2019, the AEPD received a written statement from the complainant stating that the respondent had published, via an official notice, the lists of members of the electoral tables including their full names, complete addresses, and ID numbers. | |||
SECOND: In a letter dated 16/06/2020, the respondent stated that "it has the Bandomovil service to keep the residents of the municipality instantly informed of news and updates of interest and to make effective the principle of transparency of municipal information. | |||
... to facilitate the result of the draw for the composition of the electoral tables to the residents, the City Council published an extract of the primary and alternate members, in addition to the subsequent personal notification to those designated. | |||
On this occasion, as the complainant indicated, the list that is automatically downloaded from the 'ACCEDE' software was initially published... This error is justified by the fact that the Local Police were responsible for making personal notifications to those designated and there was an error with the lists. | |||
(...) | |||
Once the error was corrected, the new document was published on the Bandomovil service in accordance with the provisions of Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights..." | |||
LEGAL GROUNDS | |||
I | |||
By virtue of the powers recognized to each supervisory authority by Article 58.2 of the GDPR, and as established in Article 47 of Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve this procedure. | |||
II | |||
Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, in its Article 64 "Initiation Agreement in sanctioning procedures," states: | |||
"1. The initiation agreement will be communicated to the instructor of the procedure, with the transfer of all actions taken in this regard, and will be notified to the interested parties, always considering the accused as such. The initiation will also be communicated to the complainant when the procedural rules so provide. | |||
The initiation agreement must contain at least: | |||
a) Identification of the person or persons presumably responsible. | |||
b) The facts that motivate the initiation of the procedure, their possible classification, and the sanctions that could correspond, without prejudice to the result of the investigation. | |||
c) Identification of the instructor and, if applicable, the Secretary of the procedure, with an explicit indication of their disqualification regime. | |||
d) The competent body to resolve the procedure and the rule that grants such competence, indicating the possibility that the presumed responsible party may voluntarily acknowledge their responsibility, with the effects provided in Article 85. | |||
e) Provisional measures that have been agreed upon by the competent body to initiate the sanctioning procedure, without prejudice to those that may be adopted during the procedure in accordance with Article 56. | |||
f) Indication of the right to make allegations and to be heard in the procedure, and the deadlines for exercising these rights, as well as an indication that, if no allegations are made within the stipulated period regarding the content of the initiation agreement, it may be considered a resolution proposal when it contains a precise statement about the responsibility attributed. | |||
Exceptionally, when at the time of issuing the initiation agreement there are not enough elements for the initial classification of the facts that motivate the initiation of the procedure, the mentioned classification may be made at a later stage through the preparation of a Statement of Charges, which must be notified to the interested parties." | |||
In application of the above provision and considering that no allegations have been made to the initiation agreement, it is appropriate to resolve the initiated procedure. | |||
III | |||
The reported facts are materialized in the publication, via an official notice, of the lists of the members of the electoral tables, thereby violating the duty of confidentiality. | |||
Article 5, Principles relating to processing, of the GDPR states: | |||
“1. Personal data shall be: | |||
(…) | |||
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’). | |||
(…)” | |||
Similarly, Article 5, Duty of confidentiality, of the new Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (hereinafter LOPDGDD), states: | |||
“1. Data controllers and processors, as well as all persons involved at any stage of processing, shall be subject to the duty of confidentiality referred to in Article 5.1.f) of Regulation (EU) 2016/679. | |||
2. The general obligation mentioned in the previous paragraph shall be complementary to the duties of professional secrecy in accordance with their applicable regulations. | |||
3. The obligations established in the previous paragraphs shall continue even when the relationship of the obligated party with the controller or processor has ended.” | |||
IV | |||
Furthermore, Article 83.5(a) of the GDPR considers that the infringement of "the basic principles for processing, including the conditions for consent according to Articles 5, 6, 7, and 9" is punishable, in accordance with paragraph 5 of the mentioned Article 83 of the GDPR, "with administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher." | |||
The LOPDGDD in its Article 72 states: “Infractions considered very serious: | |||
Based on what is established in Article 83.5 of Regulation (EU) 2016/679, the infractions that constitute a substantial breach of the articles mentioned therein and, in particular, the following, shall be considered very serious and shall expire after three years: | |||
a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679. | |||
(…)” | |||
V | |||
The documentation in the file shows that the respondent violated Article 5 of the GDPR, principles relating to processing, in connection with Article 5 of the LOPDGDD, duty of confidentiality, by publishing through an official notice the lists of the members of the electoral tables for the elections of 26/05/2019, indicating personal data, thus breaching the principle of data confidentiality. | |||
This duty of confidentiality, previously known as the duty of secrecy, is understood to aim at preventing unauthorized leaks of data by their holders. | |||
Therefore, this duty of confidentiality is an obligation that lies not only with the data controller and processor but also with anyone involved at any stage of the processing and complements the duty of professional secrecy. | |||
VI | |||
Secondly, Article 32 of the GDPR, "Security of processing," establishes that: | |||
“1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things: | |||
a) the pseudonymization and encryption of personal data; | |||
b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; | |||
c) the ability to restore the availability and access to personal data promptly in the event of a physical or technical incident; | |||
d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. | |||
When assessing the appropriate level of security, particular consideration shall be given to the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. | |||
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. | |||
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless required to do so by Union or Member State law.” | |||
VII | |||
The GDPR is defined in Article 83.4(a) of the cited GDPR as follows: | |||
"4. Infringements of the following provisions shall be subject to administrative fines of up to 10,000,000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: | |||
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42, and 43. | |||
(...)" | |||
In turn, the LOPDGDD in its Article 73, for prescription purposes, qualifies as "Serious infractions": | |||
"In accordance with what is established in Article 83.4 of Regulation (EU) 2016/679, the following infractions are considered serious and will prescribe after two years: | |||
(...) | |||
g) The breach, due to lack of due diligence, of the technical and organizational measures that have been implemented as required by Article 32.1 of Regulation (EU) 2016/679. | |||
(...)" | |||
VIII | |||
The facts presented in this complaint materialize in the publication, via an official notice, of the lists of the members of the electoral tables including full names, complete addresses, and ID numbers, breaching the technical and organizational measures. | |||
The GDPR defines personal data security breaches as "all breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed." | |||
The documentation in the file provides clear evidence that the respondent violated Article 32 of the GDPR, by allowing a security incident with the publication, via an official notice, of the lists of the members of the electoral tables, permitting access to personal data in breach of the technical measures. | |||
It should be noted that the GDPR in the aforementioned provision does not establish a list of security measures that apply according to the data being processed. Instead, it states that the controller and processor shall implement technical and organizational measures appropriate to the risk involved in the processing, taking into account the state of the art, implementation costs, nature, scope, context, and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of data subjects. | |||
Additionally, security measures must be adequate and proportionate to the identified risk, specifying that the determination of technical and organizational measures must consider: pseudonymization and encryption, the ability to ensure confidentiality, integrity, availability, and resilience, the ability to restore data availability and access promptly after an incident, and a process for regular testing, assessing, and evaluating the effectiveness of measures. | |||
In any case, when assessing the adequacy of the level of security, particular consideration should be given to the risks presented by data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed, and the potential physical, material, or non-material damage they could cause. | |||
In this same sense, Recital 83 of the GDPR states: | |||
“(83) In order to maintain security and prevent processing in violation of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. These measures should ensure a level of security appropriate to the risk, including confidentiality, taking into account the state of the art and the cost of implementation in relation to the risks and the nature of the personal data to be protected. When assessing data security risks, consideration should be given to the risks presented by data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed, which may in particular result in physical, material, or non-material damage.” | |||
In this case, as recorded in the facts and within the framework of investigation file E/09597/2019, the AEPD forwarded the complaint to the respondent on 28/11/2019, reiterated on 08/11/2019, for analysis, requesting information related to the incident without receiving a response within the deadline. However, after the deadlines passed, a response was received confirming the reported incident, although measures had been taken to prevent future personal data security breaches. | |||
The respondent's responsibility is determined by the security breach reported by the complainant, as it is responsible for making decisions to effectively implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk to ensure data confidentiality, restore availability, and prevent access to data in the event of a physical or technical incident. However, the documentation provided indicates that the entity not only failed to meet this obligation but also did not disclose the adoption of any measures in this regard, despite being informed of the submitted complaint. | |||
In accordance with the above, the respondent is deemed to be presumably responsible for the infringement of Article 32 of the GDPR, an infringement classified in Article 83.4(a). | |||
IX | |||
Article 77 of the LOPDGDD, Applicable Regime for Certain Categories of Data Controllers or Processors, states: | |||
"1. The regime established in this article shall apply to the processing for which the following are responsible or in charge: | |||
a) Constitutional or constitutionally significant bodies and analogous institutions of the autonomous communities. | |||
b) Judicial bodies. | |||
c) The General State Administration, the administrations of the autonomous communities, and entities forming part of the Local Administration. | |||
d) Public bodies and public law entities linked to or dependent on Public Administrations. | |||
e) Independent administrative authorities. | |||
f) The Bank of Spain. | |||
g) Public law corporations when the purposes of the processing relate to the exercise of public law powers. | |||
h) Public sector foundations. | |||
i) Public universities. | |||
j) Consortia. | |||
k) Parliamentary groups of the General Courts and the legislative assemblies of the autonomous communities, as well as the political groups of local corporations. | |||
2. When the controllers or processors listed in paragraph 1 commit any of the infringements referred to in Articles 72 to 74 of this Organic Law, the competent data protection authority shall issue a resolution sanctioning them with a warning. The resolution shall also establish the measures to be adopted to cease the conduct or correct the effects of the committed infringement. | |||
The resolution shall be notified to the controller or processor, to the hierarchical superior body if applicable, and to the affected parties who have the status of interested parties, if applicable. | |||
3. Without prejudice to the provisions of the previous paragraph, the data protection authority shall also propose the initiation of disciplinary actions when there are sufficient indications for this. In this case, the procedure and sanctions to be applied shall be those established in the applicable disciplinary or sanctioning regime legislation. | |||
Likewise, when the infringements are attributable to authorities and executives, and there is evidence of technical reports or recommendations for the processing that have not been duly attended to, the resolution imposing the sanction shall include a reprimand naming the responsible position and shall order its publication in the corresponding Official State or Regional Gazette. | |||
4. The resolutions relating to the measures and actions referred to in the previous paragraphs shall be communicated to the data protection authority. | |||
5. The actions taken and the resolutions issued under this article shall be communicated to the Ombudsman or, where applicable, to analogous institutions of the autonomous communities. | |||
6. When the competent authority is the Spanish Data Protection Agency, it shall publish the resolutions referred to in this article on its website, duly separated, with an explicit indication of the identity of the responsible or in-charge who committed the infringement. | |||
When the competence corresponds to a regional data protection authority, the publicity of these resolutions shall be governed by its specific regulations." | |||
The sanctioning procedure originates from the publication of the data of the electoral table members for the elections of 26/05/2019, via an official notice, infringing data protection regulations by violating both the principle of confidentiality and the implemented technical and organizational measures. | |||
This conduct by the respondent constitutes an infringement of the provisions of Articles 5.1(f) and 32.1 of the GDPR. | |||
It should be noted that the GDPR, without prejudice to Article 83, contemplates in Article 77 the possibility of applying a warning to correct personal data processing that does not comply with its provisions when the controllers or processors listed in paragraph 1 commit any of the infringements referred to in Articles 72 to 74 of this Organic Law. | |||
Furthermore, it is contemplated that the resolution may establish the measures to be adopted to cease the conduct, correct the effects of the committed infringement, ensure the personal data processing complies with the requirements of Articles 5.1(f) and 32.1 of the GDPR, and provide evidence of compliance. | |||
However, in its response dated 16/06/2020, the respondent confirmed the initial publication of the electoral table members' list for the elections of 26/05/2019, as indicated by the complainant, but as soon as this fact was known, the incorrect document was automatically deleted, and the correct document was subsequently uploaded, leaving no trace of the erroneous document. Once the error was corrected, the new document was published on the Bandomovil service in accordance with the LOPDGDD. Subsequently, on 16/12/2020, a Circular was issued to inform the City Council staff of the measures to be taken regarding data protection notifications, and a review and update of this matter is being carried out throughout the Corporation to prevent future security and confidentiality failures of personal data. | |||
In light of the above, it is not appropriate to call for additional measures, as it has been demonstrated that the respondent has taken reasonable and adequate measures to prevent the recurrence of incidents such as the one that led to the complaint, in accordance with data protection regulations, which is the main purpose of procedures for entities related to Article 77 of the LOPDGDD. | |||
Therefore, in accordance with the applicable legislation and considering the established criteria for grading the sanctions, | |||
The Director of the Spanish Data Protection Agency RESOLVES: | |||
FIRST: TO IMPOSE on the CITY COUNCIL OF EL ESPINAR, with NIF P4008700I, for an infringement of Article 32.1 of the GDPR, classified in Article 83.4(a) of the GDPR, a warning in accordance with Article 77 of the LOPDGDD. | |||
SECOND: TO IMPOSE on the CITY COUNCIL OF EL ESPINAR, with NIF P4008700I, for an infringement of Article 5.1(f) of the GDPR, classified in Article 83.5(a) of the GDPR, a warning in accordance with Article 77 of the LOPDGDD. | |||
THIRD: TO NOTIFY this resolution to the CITY COUNCIL OF EL ESPINAR. | |||
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution shall be made public once it has been notified to the interested parties. | |||
Against this resolution, which concludes the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly file an administrative contentious appeal before the Contentious-Administrative Chamber of the National Court, pursuant to the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided for in Article 46.1 of the aforementioned Law. | |||
Finally, it is noted that, as provided in Article 90.3(a) of the LPACAP, the firm resolution in the administrative procedure may be provisionally suspended if the interested party expresses their intention to file a contentious-administrative appeal. In this case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining registers provided for in Article 16.4 of Law 39/2015, of October 1. The interested party must also forward to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, the provisional suspension shall be deemed concluded. | |||
Mar España Martí | |||
Director of the Spanish Data Protection Agency | |||
</pre> | </pre> | ||
Latest revision as of 12:47, 10 July 2024
| AEPD - PS/00064/2021 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 15.04.2021 |
| Fine: | None |
| Parties: | AYUNTAMIENTO DE EL ESPINAR |
| National Case Number/Name: | PS/00064/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD decision (in ES) |
| Initial Contributor: | n/a |
The Spanish Data Protection Agency sanctioned the Municipality of El Espinar with a warning for violating GDPR by publicly disclosing personal data in electoral board lists.
English Summary
Facts
The Spanish city council of El Espinar accidentally published a complete electoral list that included names, ID numbers, and addresses of polling station members, instead of the redacted version. Upon receiving the complaint, the AEPD requested the municipality to provide relevant information and to communicate their decision to the complainant. The municipality responded that an error had occurred during the publication process due to the automatic download from the "ACCEDE" software, and corrective measures were taken to remove the incorrect document and issue the correct one. Further, a circular was issued to municipal staff regarding data protection measures.
Holding
The AEPD held that the facts constituted a data breach and were therefore a violation of Article 32(1) of the GDPR, for failing to ensure data security, and additionally Article 5(1)(f) of the GDPR, for violating the confidentiality principle. The AEPD imposed a warning on the city council, as the Spanish Data Protection Law does not allow fining public institutions.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00064/2021
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: Ms. A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on 08/22/2019. The complaint is directed against the CITY COUNCIL OF EL ESPINAR with NIF P4008700I (hereinafter, the respondent). The grounds for the complaint are the publication, via an official notice, of the lists of the members of the electoral tables indicating their full names, complete addresses, and ID numbers.
SECOND: After receiving the complaint, the General Data Inspection Subdirectorate proceeded to carry out the following actions:
On 11/28/2019, reiterated on 11/08/2019, the complaint was forwarded to the respondent for analysis and communication to the complainant of the decision made in this regard. Additionally, the respondent was required to submit specific information to the Agency within a month:
- Copies of the communications and the decision made,
sent to the complainant regarding the transfer of this
complaint, and proof that the complainant received the
communication of that decision.
- A report on the causes that motivated the incident
that led to the complaint.
- A report on the measures taken to prevent similar
incidents.
- Any other relevant information.
THIRD: On 06/08/2020, in accordance with Article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the complaint filed by the complainant against the respondent.
FOURTH: The respondent did not respond within the deadline to any of the requirements mentioned in the second fact by the AEPD. However, on 06/16/2020, a letter was received from the respondent addressing the issues raised, stating that at the extraordinary plenary session on 04/29/2019, for the draw of the composition of the electoral tables for the municipal elections of 05/26/2019, the data protection regulations were complied with, and only councilors had access to the confidential information of the residents. The draw was conducted using the "ACCEDE" software provided by the Diputación de Segovia, and these plenary sessions are not recorded, with only the names of those selected by the draw and their positions on the electoral table being recorded in the minutes. The respondent has the Bandomovil service to keep residents instantly informed of news and updates of interest, ensuring municipal information transparency. To facilitate the result of the draw for the composition of the electoral tables to residents, an extract of the main and alternate members was published, in addition to personal notification to the selected individuals. However, on this occasion, as the complainant indicated, the list automatically downloaded from the "ACCEDE" software was initially published. This error was justified by the fact that the Local Police was responsible for making personal notifications to the selected individuals, and there was a mistake with the lists. Once the error was noticed, the incorrect document was immediately deleted and replaced with the correct one. Additionally, the respondent issued a Circular on 11/16/2020 to inform staff of the measures to be taken regarding notifications in data protection matters, and a review and update of this matter is being conducted across the entire City Council to prevent future personal data security failures.
FIFTH: On 02/18/2021, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the respondent for the alleged violation of Articles 5.1.f) and 32.1 of the GDPR, sanctioned in accordance with Articles 83.5.a) and 83.4.a) of the cited GDPR, considering that the corresponding sanction would be a WARNING.
SIXTH: After being notified of the initiation agreement, the respondent has not submitted any written arguments to date, thus, as per Article 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, paragraph f) states that if no arguments are made within the stipulated period regarding the content of the initiation agreement, it may be considered a resolution proposal if it contains a precise statement about the responsibility attributed, therefore a Resolution is issued.
SEVENTH: From the actions carried out in the present procedure, the following have been proven:
PROVEN FACTS
FIRST: On 22/08/2019, the AEPD received a written statement from the complainant stating that the respondent had published, via an official notice, the lists of members of the electoral tables including their full names, complete addresses, and ID numbers.
SECOND: In a letter dated 16/06/2020, the respondent stated that "it has the Bandomovil service to keep the residents of the municipality instantly informed of news and updates of interest and to make effective the principle of transparency of municipal information.
... to facilitate the result of the draw for the composition of the electoral tables to the residents, the City Council published an extract of the primary and alternate members, in addition to the subsequent personal notification to those designated.
On this occasion, as the complainant indicated, the list that is automatically downloaded from the 'ACCEDE' software was initially published... This error is justified by the fact that the Local Police were responsible for making personal notifications to those designated and there was an error with the lists.
(...)
Once the error was corrected, the new document was published on the Bandomovil service in accordance with the provisions of Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights..."
LEGAL GROUNDS
I
By virtue of the powers recognized to each supervisory authority by Article 58.2 of the GDPR, and as established in Article 47 of Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve this procedure.
II
Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, in its Article 64 "Initiation Agreement in sanctioning procedures," states:
"1. The initiation agreement will be communicated to the instructor of the procedure, with the transfer of all actions taken in this regard, and will be notified to the interested parties, always considering the accused as such. The initiation will also be communicated to the complainant when the procedural rules so provide.
The initiation agreement must contain at least:
a) Identification of the person or persons presumably responsible.
b) The facts that motivate the initiation of the procedure, their possible classification, and the sanctions that could correspond, without prejudice to the result of the investigation.
c) Identification of the instructor and, if applicable, the Secretary of the procedure, with an explicit indication of their disqualification regime.
d) The competent body to resolve the procedure and the rule that grants such competence, indicating the possibility that the presumed responsible party may voluntarily acknowledge their responsibility, with the effects provided in Article 85.
e) Provisional measures that have been agreed upon by the competent body to initiate the sanctioning procedure, without prejudice to those that may be adopted during the procedure in accordance with Article 56.
f) Indication of the right to make allegations and to be heard in the procedure, and the deadlines for exercising these rights, as well as an indication that, if no allegations are made within the stipulated period regarding the content of the initiation agreement, it may be considered a resolution proposal when it contains a precise statement about the responsibility attributed.
Exceptionally, when at the time of issuing the initiation agreement there are not enough elements for the initial classification of the facts that motivate the initiation of the procedure, the mentioned classification may be made at a later stage through the preparation of a Statement of Charges, which must be notified to the interested parties."
In application of the above provision and considering that no allegations have been made to the initiation agreement, it is appropriate to resolve the initiated procedure.
III
The reported facts are materialized in the publication, via an official notice, of the lists of the members of the electoral tables, thereby violating the duty of confidentiality.
Article 5, Principles relating to processing, of the GDPR states:
“1. Personal data shall be:
(…)
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
(…)”
Similarly, Article 5, Duty of confidentiality, of the new Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (hereinafter LOPDGDD), states:
“1. Data controllers and processors, as well as all persons involved at any stage of processing, shall be subject to the duty of confidentiality referred to in Article 5.1.f) of Regulation (EU) 2016/679.
2. The general obligation mentioned in the previous paragraph shall be complementary to the duties of professional secrecy in accordance with their applicable regulations.
3. The obligations established in the previous paragraphs shall continue even when the relationship of the obligated party with the controller or processor has ended.”
IV
Furthermore, Article 83.5(a) of the GDPR considers that the infringement of "the basic principles for processing, including the conditions for consent according to Articles 5, 6, 7, and 9" is punishable, in accordance with paragraph 5 of the mentioned Article 83 of the GDPR, "with administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher."
The LOPDGDD in its Article 72 states: “Infractions considered very serious:
Based on what is established in Article 83.5 of Regulation (EU) 2016/679, the infractions that constitute a substantial breach of the articles mentioned therein and, in particular, the following, shall be considered very serious and shall expire after three years:
a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679.
(…)”
V
The documentation in the file shows that the respondent violated Article 5 of the GDPR, principles relating to processing, in connection with Article 5 of the LOPDGDD, duty of confidentiality, by publishing through an official notice the lists of the members of the electoral tables for the elections of 26/05/2019, indicating personal data, thus breaching the principle of data confidentiality.
This duty of confidentiality, previously known as the duty of secrecy, is understood to aim at preventing unauthorized leaks of data by their holders.
Therefore, this duty of confidentiality is an obligation that lies not only with the data controller and processor but also with anyone involved at any stage of the processing and complements the duty of professional secrecy.
VI
Secondly, Article 32 of the GDPR, "Security of processing," establishes that:
“1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things:
a) the pseudonymization and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data promptly in the event of a physical or technical incident;
d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
When assessing the appropriate level of security, particular consideration shall be given to the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless required to do so by Union or Member State law.”
VII
The GDPR is defined in Article 83.4(a) of the cited GDPR as follows:
"4. Infringements of the following provisions shall be subject to administrative fines of up to 10,000,000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42, and 43.
(...)"
In turn, the LOPDGDD in its Article 73, for prescription purposes, qualifies as "Serious infractions":
"In accordance with what is established in Article 83.4 of Regulation (EU) 2016/679, the following infractions are considered serious and will prescribe after two years:
(...)
g) The breach, due to lack of due diligence, of the technical and organizational measures that have been implemented as required by Article 32.1 of Regulation (EU) 2016/679.
(...)"
VIII
The facts presented in this complaint materialize in the publication, via an official notice, of the lists of the members of the electoral tables including full names, complete addresses, and ID numbers, breaching the technical and organizational measures.
The GDPR defines personal data security breaches as "all breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed."
The documentation in the file provides clear evidence that the respondent violated Article 32 of the GDPR, by allowing a security incident with the publication, via an official notice, of the lists of the members of the electoral tables, permitting access to personal data in breach of the technical measures.
It should be noted that the GDPR in the aforementioned provision does not establish a list of security measures that apply according to the data being processed. Instead, it states that the controller and processor shall implement technical and organizational measures appropriate to the risk involved in the processing, taking into account the state of the art, implementation costs, nature, scope, context, and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of data subjects.
Additionally, security measures must be adequate and proportionate to the identified risk, specifying that the determination of technical and organizational measures must consider: pseudonymization and encryption, the ability to ensure confidentiality, integrity, availability, and resilience, the ability to restore data availability and access promptly after an incident, and a process for regular testing, assessing, and evaluating the effectiveness of measures.
In any case, when assessing the adequacy of the level of security, particular consideration should be given to the risks presented by data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed, and the potential physical, material, or non-material damage they could cause.
In this same sense, Recital 83 of the GDPR states:
“(83) In order to maintain security and prevent processing in violation of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. These measures should ensure a level of security appropriate to the risk, including confidentiality, taking into account the state of the art and the cost of implementation in relation to the risks and the nature of the personal data to be protected. When assessing data security risks, consideration should be given to the risks presented by data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed, which may in particular result in physical, material, or non-material damage.”
In this case, as recorded in the facts and within the framework of investigation file E/09597/2019, the AEPD forwarded the complaint to the respondent on 28/11/2019, reiterated on 08/11/2019, for analysis, requesting information related to the incident without receiving a response within the deadline. However, after the deadlines passed, a response was received confirming the reported incident, although measures had been taken to prevent future personal data security breaches.
The respondent's responsibility is determined by the security breach reported by the complainant, as it is responsible for making decisions to effectively implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk to ensure data confidentiality, restore availability, and prevent access to data in the event of a physical or technical incident. However, the documentation provided indicates that the entity not only failed to meet this obligation but also did not disclose the adoption of any measures in this regard, despite being informed of the submitted complaint.
In accordance with the above, the respondent is deemed to be presumably responsible for the infringement of Article 32 of the GDPR, an infringement classified in Article 83.4(a).
IX
Article 77 of the LOPDGDD, Applicable Regime for Certain Categories of Data Controllers or Processors, states:
"1. The regime established in this article shall apply to the processing for which the following are responsible or in charge:
a) Constitutional or constitutionally significant bodies and analogous institutions of the autonomous communities.
b) Judicial bodies.
c) The General State Administration, the administrations of the autonomous communities, and entities forming part of the Local Administration.
d) Public bodies and public law entities linked to or dependent on Public Administrations.
e) Independent administrative authorities.
f) The Bank of Spain.
g) Public law corporations when the purposes of the processing relate to the exercise of public law powers.
h) Public sector foundations.
i) Public universities.
j) Consortia.
k) Parliamentary groups of the General Courts and the legislative assemblies of the autonomous communities, as well as the political groups of local corporations.
2. When the controllers or processors listed in paragraph 1 commit any of the infringements referred to in Articles 72 to 74 of this Organic Law, the competent data protection authority shall issue a resolution sanctioning them with a warning. The resolution shall also establish the measures to be adopted to cease the conduct or correct the effects of the committed infringement.
The resolution shall be notified to the controller or processor, to the hierarchical superior body if applicable, and to the affected parties who have the status of interested parties, if applicable.
3. Without prejudice to the provisions of the previous paragraph, the data protection authority shall also propose the initiation of disciplinary actions when there are sufficient indications for this. In this case, the procedure and sanctions to be applied shall be those established in the applicable disciplinary or sanctioning regime legislation.
Likewise, when the infringements are attributable to authorities and executives, and there is evidence of technical reports or recommendations for the processing that have not been duly attended to, the resolution imposing the sanction shall include a reprimand naming the responsible position and shall order its publication in the corresponding Official State or Regional Gazette.
4. The resolutions relating to the measures and actions referred to in the previous paragraphs shall be communicated to the data protection authority.
5. The actions taken and the resolutions issued under this article shall be communicated to the Ombudsman or, where applicable, to analogous institutions of the autonomous communities.
6. When the competent authority is the Spanish Data Protection Agency, it shall publish the resolutions referred to in this article on its website, duly separated, with an explicit indication of the identity of the responsible or in-charge who committed the infringement.
When the competence corresponds to a regional data protection authority, the publicity of these resolutions shall be governed by its specific regulations."
The sanctioning procedure originates from the publication of the data of the electoral table members for the elections of 26/05/2019, via an official notice, infringing data protection regulations by violating both the principle of confidentiality and the implemented technical and organizational measures.
This conduct by the respondent constitutes an infringement of the provisions of Articles 5.1(f) and 32.1 of the GDPR.
It should be noted that the GDPR, without prejudice to Article 83, contemplates in Article 77 the possibility of applying a warning to correct personal data processing that does not comply with its provisions when the controllers or processors listed in paragraph 1 commit any of the infringements referred to in Articles 72 to 74 of this Organic Law.
Furthermore, it is contemplated that the resolution may establish the measures to be adopted to cease the conduct, correct the effects of the committed infringement, ensure the personal data processing complies with the requirements of Articles 5.1(f) and 32.1 of the GDPR, and provide evidence of compliance.
However, in its response dated 16/06/2020, the respondent confirmed the initial publication of the electoral table members' list for the elections of 26/05/2019, as indicated by the complainant, but as soon as this fact was known, the incorrect document was automatically deleted, and the correct document was subsequently uploaded, leaving no trace of the erroneous document. Once the error was corrected, the new document was published on the Bandomovil service in accordance with the LOPDGDD. Subsequently, on 16/12/2020, a Circular was issued to inform the City Council staff of the measures to be taken regarding data protection notifications, and a review and update of this matter is being carried out throughout the Corporation to prevent future security and confidentiality failures of personal data.
In light of the above, it is not appropriate to call for additional measures, as it has been demonstrated that the respondent has taken reasonable and adequate measures to prevent the recurrence of incidents such as the one that led to the complaint, in accordance with data protection regulations, which is the main purpose of procedures for entities related to Article 77 of the LOPDGDD.
Therefore, in accordance with the applicable legislation and considering the established criteria for grading the sanctions,
The Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on the CITY COUNCIL OF EL ESPINAR, with NIF P4008700I, for an infringement of Article 32.1 of the GDPR, classified in Article 83.4(a) of the GDPR, a warning in accordance with Article 77 of the LOPDGDD.
SECOND: TO IMPOSE on the CITY COUNCIL OF EL ESPINAR, with NIF P4008700I, for an infringement of Article 5.1(f) of the GDPR, classified in Article 83.5(a) of the GDPR, a warning in accordance with Article 77 of the LOPDGDD.
THIRD: TO NOTIFY this resolution to the CITY COUNCIL OF EL ESPINAR.
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution shall be made public once it has been notified to the interested parties.
Against this resolution, which concludes the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly file an administrative contentious appeal before the Contentious-Administrative Chamber of the National Court, pursuant to the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided for in Article 46.1 of the aforementioned Law.
Finally, it is noted that, as provided in Article 90.3(a) of the LPACAP, the firm resolution in the administrative procedure may be provisionally suspended if the interested party expresses their intention to file a contentious-administrative appeal. In this case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining registers provided for in Article 16.4 of Law 39/2015, of October 1. The interested party must also forward to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, the provisional suspension shall be deemed concluded.
Mar España Martí
Director of the Spanish Data Protection Agency
