APDCAT (Catalonia) - PS 33/2024
Revision as of 08:22, 7 October 2024
APDCAT - PS 33/2024 | |
---|---|
Authority: | APDCAT (Catalonia) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(a) GDPR, Article 9(2)(b) GDPR, Article 35(1) GDPR, Article 35(3)(b) GDPR, Article 35(4) GDPR, Article 28(2) LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | 13.01.2024 |
Decided: | |
Published: | 10.09.2024 |
Fine: | n/a |
Parties: | Ajuntament de la Canonja |
National Case Number/Name: | PS 33/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Catalan, Valencian |
Original Source: | APDCAT (in CA) |
Initial Contributor: | fb |
The DPA found that a municipality violated Article 9 GDPR after it implemented a fingerprint timekeeping system for its employees.
English Summary
Facts
On 1 January 2021, the controller, a municipality, introduced a new timekeeping system for its employees. Under this system, employees had to use their fingerprint to record their working time.
On 13 January 2024, some data subjects filed a complaint with the DPA.
The controller argued that it could rely on Article 6(1)(c) GDPR as its legal basis.
Moreover, it pointed out that the system does not capture biometric data in full, but only some characteristic features needed to authenticate users, and that in no case is the biometric data available as a unique identifier reproducible in other systems.
Finally, it argued that a DPIA was not necessary since the processing at hand did not involve any kind of sensitive data.
Holding
First, the DPA noted that timekeeping systems that use fingerprints are systems that process biometric data.
Moreover, the DPA pointed out that, as the controller itself acknowledged, the system associates the characteristics of a data subject’s fingerprint with a code that identifies only one data subject. This means that the fingerprint serves as a “unique identifier”.
Therefore, according to the DPA, there is no doubt that fingerprints fall within the definition of biometric data in Article 4(14) GDPR.
Secondly, the DPA recalled that the processing of biometric data falls within the scope of Article 9 GDPR. Therefore, the controller cannot invoke the legal basis provided for by Article 6(1)(c) GDPR, but should prove that the processing falls under one of the exceptions listed in Article 9(2) GDPR.
Since the controller referred to the existence of a legal obligation, the DPA assessed whether the processing at hand could rely on Article 9(2)(b) GDPR. The DPA pointed out that the applicable national law and collective agreement do not state that the controller should use such a timekeeping system.
Therefore, the DPA concluded that the processing at hand did not rely on any valid legal basis. As a consequence, it found a violation of Article 5(1)(a) GDPR in combination with Article 9 GDPR.
Thirdly, the DPA did not agree with the controller’s argument regarding the DPIA. In contrast with the controller’s statement, the DPA found that the processing did involve Article 9 GDPR data.
In particular, it pointed out that Article 35(3)(b) GDPR requires a DPIA when large-scale processing of special categories of data is involved.
Moreover, the DPA recalled that Article 28(2)(c) of the Spanish Data Protection Act (Llei orgànica 3/2018, de 5 de desembre, de protecció de dades personals i garantia dels drets digitals - LOPDGDD) states that a DPIA should be carried out when the processing is not merely incidental or ancillary to the special categories of data referred to in Article 9 GDPR.
Finally, the DPA pointed out that, in accordance with Article 35(4) GDPR, on 6 May 2019 it had published a list of the kinds of processing operations that are subject to a DPIA. The listed operations include processing that involves special categories of data, including biometric data.
Therefore, the DPA held that the controller would have needed to carry out a DPIA and found a violation of Article 35(1) GDPR.
On these grounds, the DPA ordered the controller to adopt corrective measures consisting of implementing a timekeeping system that does not use fingerprints.
English Machine Translation of the Decision
The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.
File identification
Resolution of sanctioning procedure no. PS 33/2024, referring to the City Council of La Canonja
Background
1. On 13/01/2024, the Catalan Data Protection Authority received a letter of complaint against the City Council of La Canonja, on the grounds of a presumed non-compliance with the regulations on personal data protection. The reporting person stated that the City Council had implemented a registration system by means of the fingerprint, a fact that they consider could contravene personal data protection regulations.
2. The Authority opened a preliminary information phase (No. IP 26/2024), to determine whether the facts were capable of motivating the initiation of a sanctioning procedure, in accordance with what is foreseen in article 7 of Decree 278/1993, of November 9, on the sanctioning procedure applicable to the areas of competence of the Generalitat, and article 55.2 of Law 39/2015, of 1 October, on the common administrative procedure of public administrations (LPAC). In this information phase, on 31/01/2024 the reported entity was required to confirm the implementation of a fingerprint recognition system to record the working day of municipal workers; indicate the legitimizing legal basis of the aforementioned treatment; point out which workers have the obligation to register through this system; and provide a copy of the personal data protection impact assessment (AIPD) in relation to the reported data processing, in case of not done.
3. On 02/14/2024, La Canonja City Council responded to the request with a letter in which it stated the following:
- That "the City Council has a control system through the fingerprint of the workers, but it must be pointed out that this system does not register the fingerprint but, in accordance with some characteristic features, gives them a code, this code being the data that is processed by the system used, without fingerprints being stored, in accordance with the principle of data minimization (...)".
- That "this system has been operational since January 1, 2021 to carry out the control of the presence of civil servants, labor staff and casual staff; but not being a medium intended for personnel from external companies that can provide their services at the City Hall".
- That, by means of this tool, "biometric data is not captured in full, but some characteristic features in order to be able to authenticate the users and without in any case biometric data being available as a unique identifier, reproducible in other systems".
- That "the cause that legitimizes its treatment is that determined in article 6.1.c of RGPD: "The treatment is necessary to fulfill a legal obligation applicable to the person responsible for the treatment”; and for this reason, as detailed in the point above, it is only taken from official and labor personnel, without being taken from external persons with whom this link is not available as an employer by the City Council".
- That, "all workers are informed at the beginning of their employment relationship with the City Council of their obligations and functions as far as they are data users (...)".
- That "this system does not capture, store or reproduce the fingerprints of the workers, but the assignment of a worker code that cannot be reproduced in other systems and which therefore cannot be qualified as unique identifiers. This fact implies that these category data cannot be considered special and therefore, does not comply with any of the requirements established in article 37 of the RGPD where it is determined how the corresponding impact assessment on it was perceived data processing to be carried out by this City Council".
The reported entity concluded that the time control system it implemented "does not capture biometric data that involve a complete reproduction of these or grant one unique identifier for the worker that can be reproduced in other systems".
4. On 27/03/2024, the director of the Catalan Data Protection Authority agreed to start a disciplinary procedure against the City Council of La Canonja for two alleged infractions: an infraction provided for in article 83.5.a, in relation to articles 5 and 9, and another violation provided for in article 83.4.a, in relation to article 35, all of them of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, relating to the protection of natural persons with regard to the processing of personal data and the free circulation of this data (RGPD). This initiation agreement was notified to the entity charged on 04/03/2024.
5. In the initiation agreement, the imputed entity was granted a term of 10 working days to formulate allegations and propose the practice of tests that it considers convenient to defend its interests.
6. On 04/05/2024, La Canonja City Council made objections to the initiation agreement, which are addressed in section 2 of the fundamentals of law.
7. On 07/22/2024, the person instructing this procedure formulated a resolution proposal, by which it was proposed that the director of the Catalan Data Protection Authority state that the City Council of La Canonja had incurred, in the first place, in an infringement provided for in article 83.5.a in relation to article 5; and secondly, in an infringement provided for in article 83.4.a in relation to article 35, all of them of the RGPD. This resolution proposal was notified on 07/22/2024 and a period of 10 days was granted to formulate allegations.
8. The deadline has been exceeded and no objections have been submitted.
Proven facts
1. The City Council of La Canonja uses a time control system by means of the fingerprint, which involves the processing of the biometric data of its official, labor and occasional staff. This system went into operation on 01/01/2021.
2. La Canonja City Council did not carry out a data protection impact assessment (AIPD) for the implementation of a time control system by means of the fingerprint.
Fundamentals of law
1. The provisions of the LPAC and article 15 of Decree 278/1993 apply to this procedure, according to the provisions of DT 2a of Law 32/2010, of October 1, of the Catalan Data Protection Authority. In accordance with articles 5 and 8 of Law 32/2010, the resolution of the sanctioning procedure corresponds to the Director of the Catalan Data Protection Authority.
2. The imputed entity has not formulated allegations to the resolution proposal, but it did so to the initiation agreement. Regarding this, it is considered appropriate to reiterate below the most relevant part of the reasoned response of the instructing person to these allegations.
The letter that the entity presented before the agreement to initiate this procedure described the time control system implemented and pointed out that "it does not register the fingerprint but in accordance with some characteristic features gives them a code, this code being the data that is treated by the system used and without the fingerprints being stored, in accordance with the principle of minimization (...).
Then, La Canonja City Council pointed out that, although this system has been operative since 01/01/2021 to carry out the presence control of officials, labor and casual staff, it is not a medium aimed at people from external companies who provide their services to the City Council. In relation to this, it indicated that the legal basis that would legitimize its treatment is that provided for in article 6.1.c RGPD, “the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the treatment", reason why "it is only taken from official staff and employment, without hiring external people with whom this is not available binding as an employer by the City Council."
Likewise, the entity's allegations also pointed out that "biometric data is not captured in full form, but some characteristic features in order to be able to authenticate users and without biometric data being available in any case as a unique identifier, reproducible in other systems.”
The entity also argued that it is aware of the change in criteria of the Spanish Agency of Personal Data Protection (AEPD) regarding the use of fingerprints, in the month of November 2023, and pointed out that this new legal position, set out in a guide of the AEPD and reproduced by this Authority, "cannot be considered a consolidated criterion."
Faced with this scenario, the entity added that the Professional Association Espanyola de Privacitat has raised an open consultation with the AEPD about this matter.
In the second point of its allegations, presented before the initiation agreement, the City Council reiterated that the system "does not capture or store or reproduce the fingerprints of the workers but the assignment of a worker code that cannot be reproduced in other systems and therefore cannot be qualified as unique identifiers". For this reason, it argued that none of the requirements “established in article 37 of the RGPD where it is determined how the corresponding assessment was perceived of impact on the data processing to be carried out by this Council". In respect of this issue, the allegations expose the entity's disagreement with the consideration that “fingerprint data” are special categories “in that they do not provide a unique identifier of the interested party reproducible in other systems”, and it also does not share that it is a new technology, given that "this has been a popular technology and established throughout the Spanish territory in the last 15 years."
Well, the City Council's allegations will be answered immediately, starting from the analysis of its positioning with respect to the two imputations formulated.
2.1 On the use of the fingerprint for the purposes of time control and work attendance
Fingerprint registration systems constitute systems of processing of biometric data, which are configured from the collection of the fingerprint, and which allow the creation of biometric templates, intended for the identification of a specific individual.
Article 4.14 of the RGPD defines biometric data as “personal data obtained from a specific technical treatment, related to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or fingerprint data."
In these terms, there is no doubt that the collection of personal data referring to the fingerprint of a person constitutes the collection of biometric information. In the same way, the use of a biometric template, which allows a specific person to be identified, constitutes a processing of personal data. Well, as stated in article 4.1 of the RGPD, "any person whose identity can be determined, directly or indirectly, in particular through an identifier, such as a number, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of said person."
Faced with this scenario, the City Council has recognized that, based on distinctive features of a person's fingerprint, it obtains a code that allows them to be identified when accessing the municipal offices. This personal data processing operation allows authenticating a person, using a biometric analysis process. In this sense, a biometric template is an instrument that allows a specific characteristic of a natural person to be described, so that a machine can interpret it for the purposes of time control and presence, among others. In fact, this template acts as a unique identifier of a person that, even if it does not allow the fingerprint of an individual to be obtained or drawn, does allow them to be uniquely identified. For example, it acts in the same way as a national identification number. We cannot obtain a person's face from the ID number, but we can identify them.
Having said that, there is no doubt that the treatment carried out by the reported City Council, for purposes of time control and the presence of its workers, constitutes a treatment of special categories of data.
At this point, recital 51 of the RGPD refers to the treatment derived from the image of a person, and highlights the restrictive nature with which the processing of special categories of data can be admitted:
“[…] The treatment of photographs should not be systematically considered treatment of special categories of personal data, they are only found included in the definition of biometric data when it is to be processed with specific technical means allow unique identification or authentication of a natural person. Such personal data must not be processed, unless allow its treatment in specific situations contemplated in the present Regulation, given that the Member States can establish specific provisions on data protection in order to adapt the application of the rules of this Regulation to the fulfillment of an obligation legal or to the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller. In addition to the requirements specific to that treatment, the general and other principles must be applied rules of this Regulation, especially in what refers to the conditions of legality of the treatment. Exceptions to the must be explicitly established general prohibition of treatment of these special categories of data personal, among other things when the interested party gives his explicit consent or dealing with specific needs, in particular when the treatment is carried out in the framework of legitimate activities by certain associations or foundations whose objective is to allow the exercise of fundamental freedoms.”
Well, from the account of the allegations presented by the City Council, it can be inferred that the treatment of the biometric data of municipal staff would be legitimized by article 6.1.c GDPR.
However, the truth is that this Authority differs from this legal position and maintains that the processing of personal data, based on automated mechanisms, with the aim of authenticating a person, is not protected by the invoked legal basis, given that it is conditional on the concurrence of one of the exceptions in article 9.2 RGPD, and the City Council has not invoked any that could exempt this treatment.
In any case, given that the City Council invoked that it carries out this treatment of data given the need to comply with a legal obligation applicable to the person responsible for the treatment (art. 6.1.c RGPD), reference must be made to the case provided for in article 9.2.b RGPD (“the treatment is necessary for the fulfillment of obligations and exercise of specific rights of the person in charge of the treatment or of the interested party in the field of Labor law and security and social protection, to the extent that it is authorized by the Law of the Union or of the Member States or a collective agreement according to Member State law that establishes adequate guarantees of respect for the fundamental rights and interests of the interested party;").
In effect, article 9.2.b RGPD not only provides that the treatment must be necessary for the fulfillment of the obligations of the person in charge, but adds that it must be authorized by the law of the Union or of the member states, or by a collective agreement. And, on this point, it should be noted that the regulations in force in the field of labor law and civil service law do not determine any mechanism by which the employer or contracting administration can control the registration of the working day of its workers based on the processing of biometric data of its workers.
In this same sense, there is no provision either that authorizes these personal data operations to control the presence of the personnel, without it being noted that a specific collective agreement has been adopted that gave coverage for this action, in terms of time control.
Thus, given the lack of regulatory authorization, time control by means of the fingerprint cannot be protected in article 6.1.c, nor in article 9.2.b, both of the RGPD. Consequently, it must be concluded that the processing of personal data carried out by La Canonja Town Council is not covered by any of the legal bases of the RGPD.
In addition, it is necessary to respond to the City Council's allegation according to which, given the modification of the criteria of the AEPD, in its Guide on “control treatments of presence via biometric systems" dated 23/11/2023, this criterion would not be "consolidated". Well, this Authority is not subject to the criteria of the AEPD, given that both control authorities have independence, and are not related by means of a hierarchical relationship. Secondly, it must be noted that the criterion adopted by the AEPD in November 2023 is the consolidated criterion that this Authority has followed since the entry into force of the RGPD (vid. Opinion CNS 21/2020, CNS 2/2022, Resolution of sanctioning procedure no. 1/2022).
By way of example, in Opinion CNS 21/2020 this Authority already concluded that:
"Biometric data subjected to specific technical treatments aimed at biometric recognition, either in the form of biometric identification or biometric authentication, must be considered as a special category of data. It is considered, therefore, a special category data, the fingerprint to which a specific technical treatment is applied, when it is used for the purpose of authenticating the identity of a natural person."
In fact, the reiterated and consolidated position of this Authority coincides with what has been stated in Directives 05/2022 of the European Data Protection Committee (CEPD), on the use of facial recognition in the field of public order forces. These guidelines, in their section 12, establish that the concept of biometric data refers to the "authentication" and the "identification" of a person. This idea is reinforced by the fact that, even if they are different concepts, both have the purpose of identifying a person. Consequently, the general prohibition provided for in article 9.1 of the RGPD extends to cases of identification and authentication, and also affects the cases in which the processing of biometric data is carried out in order to compare the information with a previously established biometric pattern or template.
Therefore, the City Council's allegation, which maintains that the criterion adopted by the AEPD is not a consolidated criterion, cannot succeed for the purposes of exonerating it from responsibility given that, as has been seen, it is the reiterated doctrine of this Authority that the use of fingerprints to identify a person constitutes processing of biometric data. And, in this regard, it should be noted that the actions of the City Council fall within the scope of competence of this Authority, and not of the AEPD.
2.2 About the data protection impact assessment (AIPD)
As has been advanced, the City Council starts from the premise that the AIPD was not necessary because it did not deal with special categories of personal data, nor did it use a new technology.
Well, for the reasons set out in the previous point, these allegations, with regard to the treatment of "identifying" data, cannot succeed given that the reported treatment involves a personal data operation involving biometric data.
Having said that, article 35 of the RGPD provides that an AIPD must be carried out when "it is likely that a type of treatment, in particular if it uses new technologies, by its nature, scope, context or purposes, it entails a high risk for people's rights and freedoms physical, the person responsible for the treatment will carry out, before the treatment, an evaluation of the impact of processing operations on the protection of personal data. a unique one evaluation will be able to address a series of similar treatment operations that involve similar high risks.”
In accordance with the above, the second section of article 35 of the RGPD provides that the AIPD will be required in particular when the treatment involves:
"a) systematic and comprehensive evaluation of personal aspects of physical persons who it is based on an automated treatment, such as the elaboration of profiles, and about which basis decisions are taken that produce legal effects for natural persons or that significantly affect them in a similar way;
b) large-scale treatment of the special categories of data referred to article 9, section 1, or personal data relating to convictions and infractions criminal offenses referred to in article 10, or
c) large-scale systematic observation of a public access area.
4. The control authority will establish and publish a list of the types of operations of treatment that require an impact assessment related to data protection in accordance with section 1. (...)."
And, in turn, article 28.2 of Organic Law 3/2018, of December 5, on the protection of personal data and guarantee of digital rights (LOPDGDD) lists some cases in which the existence of a high risk for the rights and freedoms of people is considered likely, among which, and for the purposes that are of interest here, sections c and d of this article stand out:
"c) When the treatment is not merely incidental or accessory to the categories special data referred to in articles 9 and 10 of Regulation (EU) 2016/679 and 9 and 10 of this Organic Law or of the data related to the commission of infractions administrative
d) When the treatment involves an evaluation of personal aspects of those affected with the purpose of creating or using personal profiles of these, in particular through analysis or prediction of aspects related to your performance at work, your economic situation, the your health, your personal preferences or interests, your reliability or behavior, their financial solvency, their location or their movements.”
In accordance with the provisions of article 35 of the RGPD, the Authority published on 06/05/2019 the "list of types of data processing that require impact assessment relating to data protection" prior to its commencement. As indicated in the reference document, when the treatment complies with two or more criteria included in this list, it may become necessary to carry out an AIPD. The more criteria the treatment in question meets, the greater will be the associated risks and the greater will be the certainty of the need to perform the AIPD.
In this case, the following criteria should be highlighted: - Treatments that involve observation, monitoring, supervision, geolocation or control of the interested party in a systematic and exhaustive manner, including the collection of data i metadata through networks, applications or in public access areas, as well as the processing of unique identifiers that allow the identification of service users of the information society such as web services, interactive TV, mobile applications, etc. (criterion number 3). - Treatments that involve the use of special categories of data to which it refers article 9.1 of the RGPD, data relating to convictions or criminal offenses to which refers to article 10 of the RGPD or data that allow the financial situation to be determined - Treatments that involve the use of biometric data for the purpose of identifying unique way to a natural person (criterion number 5). - Treatments that involve the use of new technologies or an innovative use of consolidated technologies, including the use of technologies on a new scale, with a new goal or combined with others in a way that involves new forms of collection and use of data, with risk to the rights and freedoms of people (criterion number 10). At this point, the need to carry out the AIPD is due to the fact that the City Council of La Canonja deals with special categories of personal data of all municipal staff (art. 35.3 RGPD) for labor control purposes so that, based on the information that collects, can adopt decisions with legal relevance on the data holders. In this regard, already in Guidelines 3/2019, on the processing of personal data by of video devices, of the European Committee for the Protection of Personal Data, in relation with the treatment of special categories of personal data a high risk was recognized that made it necessary to carry out an AIPD: "73. 
The use of biometric data and, in particular, facial recognition entails high risks for the rights of those interested. It is fundamental that the recourse to said technologies, but duly respecting the principles of legality, necessity, proportionality and minimization of data as established by RGPD Although the use of these technologies can be perceived as particularly effective, those responsible for the treatment must first of all evaluate the impact on fundamental rights and freedoms and consider means less intrusive to achieve their legitimate purpose of treatment.” At this point, it cannot be ignored that the implementation of a system that records the working day from the fingerprint of the staff of a City Council requires that it is carry out a set of operations that involve the following actions: identification of the employee; collection of your fingerprint; creation of a biometric template or pattern; storage and conservation of this information; identification of the natural person in the 8/12 signing process; record of data related to their behavior (inputs and outputs of work); among others. In accordance with the above, this set of operations, linked to the processing of data from City Council staff justify the need to carry out an impact assessment (AIPD) prior to the start of the data processing, in order to be able to assess in a way anticipated the potential risks to which the data holders are exposed. As an example, there are obvious risks in the event that the technology used does not guarantee a way enough that the template obtained from the biometric data will not match the use in other similar systems, as well as other risks associated with eventual losses of data confidentiality. In this sense, also CNS opinions no. 2/2022 and no. 
19/2023 of this Authority, on the use of biometric data for the control of presence in the workplace, conclude that an AIPD must be carried out for biometric data processing whose purpose is to control the presence or working hours of workers. In literal terms, CNS 19/2023 establishes the following:

"On the basis of article 35 of the RGPD, and of the List of types of data treatment that require a data protection impact assessment published by this Authority, it is concluded that the treatment proposed by the City Council requires carrying out an AIPD in which, among other issues, the legitimacy of the treatment and the determination of existing risks and the measures to mitigate them."

And, finally, the need to carry out an AIPD is also evident given that, although the use of machines that can read the fingerprint has been normalized in recent years, it should be pointed out that the City Council of La Canonja has made innovative use of a technology, given that through it the City Council has obtained information about the habits of its workers (e.g. working hours) that allows it to adopt decisions with legal relevance that may affect the holders of the data.

In conclusion, despite the fact that the circumstances described required the completion of an AIPD prior to the reported processing of personal data, in order to know the impact on the protection of personal data that opting for the implementation of a fingerprint recognition system to record the working day of its workers could entail, the City Council has not provided any evidence to verify that it carried out the AIPD. On the contrary, it has denied the need for one. All this, bearing in mind that, in addition, the reported treatment is not covered by any legal basis of article 6 RGPD.

3.
Legal qualification of proven facts

3.1 Proven fact 1st

In relation to the facts described in point one of the proven facts section, relating to the implementation of a time control system through the processing of biometric data, it is necessary to refer to article 5.1.a of the RGPD, which provides that "personal data will be treated in a lawful, fair and transparent manner in relation to the interested party (lawfulness, loyalty and transparency)". Likewise, it is also necessary to refer to article 9.2 RGPD, which provides the exceptions that legitimize the treatment of special categories of personal data.

During the processing of this procedure, the fact described in point 1 of the proven facts section has been proven, which constitutes the offense provided for in article 83.5.a of the RGPD, which typifies the violation of "basic principles for treatment including the conditions for consent in accordance with articles 5, 6, 7 and 9", among which the principle of legality is included, in relation to the treatment of special categories of data (articles 5.1.a and 9 RGPD).

The conduct addressed here has been included as a very serious infraction in article 72.1.e of the LOPDGDD, in the following form:

"e) The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679, without any of the circumstances provided for in the aforementioned precept and article 9 of this Organic Law."

3.2 Proven fact 2nd

With regard to the fact described in point 2 of the proven facts section, referring to the failure to carry out an AIPD, it is necessary to refer to article 35 of the RGPD and article 28 LOPDGDD, previously transcribed.
In accordance with what has been explained, the failure to carry out an AIPD constitutes the violation provided for in article 83.4.a of the RGPD, which typifies the violation of "the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43", among which there is the one provided for in article 35 RGPD, relating to the AIPD.

In turn, this conduct has been included as a serious infraction in article 73.t of the LOPDGDD, in the following form:

"t) The processing of personal data without having carried out the impact assessment of the processing operations in the protection of personal data in the cases in which that is enforceable."

4. Article 77.2 LOPDGDD provides that, in the case of infractions committed by the controllers or processors listed in art. 77.1 LOPDGDD, the competent data protection authority:

"(...) must issue a resolution that declares the violation and establishes, if applicable, the measures that should be adopted so that the conduct ceases or the effects of the infraction that has been committed are corrected, with the exception of that provided for in article 58.2.i of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016. The resolution must be notified to the controller or processor, to the body on which it depends hierarchically, if applicable, and to those affected who have the status of interested party, if applicable."

And section 3 of art. 77 LOPDGDD establishes that:

"Without prejudice to what is established in the previous section, the data protection authority also has to propose the initiation of disciplinary actions when there are sufficient indications to do so. In this case, the procedure and the sanctions that must be applied are those established by the applicable legislation on the disciplinary or sanctioning regime.
(...)."

In terms similar to the LOPDGDD, article 21.2 of Law 32/2010 determines the following:

"2. In the case of infractions committed in relation to publicly owned files, the director of the Catalan Data Protection Authority must issue a resolution that declares the infringement and establishes the measures to be taken to correct its effects. (...)".

By virtue of this power, the Town Council of La Canonja must be requested to make available to the municipal staff, as soon as possible, a time and work attendance registration system that does not involve the processing of biometric data (e.g. registering the schedule or attendance through card reading). It is also required to confirm the implementation of this measure within a period of two months, counting from the day after the notification of this resolution, without prejudice to the inspection power of this Authority to carry out the corresponding checks.

Finally, it should be remembered that, in relation to the existence of a legitimizing basis for the treatment of biometric data, in the same way that a collective agreement could constitute a legitimizing legal basis for the processing of the biometric data of labor staff, the public administrations, in relation to their civil servants, have mechanisms for determining working conditions, which must be approved with the participation of workers' representative bodies and which could be configured as a legal basis that can legitimize the use of the fingerprint, in a similar way to the aforementioned collective agreements. In this sense, in the event that, in the future, a legal basis is available that legitimizes this processing of personal data, it will be necessary for the City Council of La Canonja to perform the relevant AIPD.

Resolution

For all this, I resolve:

1.
Declare that the Council of La Canonja has committed two offences: one offence provided for in article 83.5.a in relation to article 5; and another violation provided for in article 83.4.a in relation to article 35; all of them from the RGPD.

2. Request the City Council of La Canonja to adopt the corrective measures indicated in the 4th legal basis and to accredit before this Authority the actions carried out to fulfill them.

3. Notify this resolution to La Canonja Town Council.

4. Communicate the resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD.

5. Order that this resolution be published on the Authority's website (apdcat.gencat.cat), in accordance with article 17 of Law 32/2010, of October 1.

Against this resolution, which puts an end to the administrative process in accordance with articles 26.2 of Law 32/2010 and 14.3 of Decree 48/2003, of February 20, which approves the Statute of the Catalan Data Protection Agency, the imputed entity can, at its discretion, file an appeal before the director of the Catalan Data Protection Authority, within one month from the day after its notification, in accordance with what is provided for in article 123 et seq. of Law 39/2015. It can also directly file an administrative contentious appeal before the administrative contentious courts of Barcelona, within two months from the day after its notification, in accordance with articles 8, 14 and 46 of Law 29/1998, of July 13, regulating the administrative contentious jurisdiction.

If the imputed entity expresses to the Authority its intention to file an administrative contentious appeal against the administratively final resolution, the resolution will be suspended as a precaution under the terms provided for in article 90.3 of the LPAC.

Likewise, the accused entity can file any other appeal it deems appropriate to defend its interests.

The director