AEPD (Spain) - PS/00326/2020

From GDPRhub
Revision as of 14:29, 13 December 2023 by Ar (talk | contribs) (Ar moved page AEPD - PS/00326/2020 to AEPD (Spain) - PS/00326/2020)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00326/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 37(1)(a) GDPR
Artcile 34(1) LOPDGDD
Artcile 34(3) LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided: 11.11.2020
Published: 25.11.2020
Fine: None
Parties: Ayuntamiento de Mejorada del Campo
National Case Number/Name: PS/00326/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) held that a municipal council (Ayuntamiento de Mejorada del Campo) was in violation of Article 37(1)(a) GDPR as it did not designate a data protection officer despite being a public authority which processes personal data.

English Summary

Facts

The complainant filed a complaint before the Spanish DPA because the municipal council in question, "Ayuntamineto de Mejorada del Campo" does not have a data protection officer.

Ayuntamiento de Mejorada del Campo did not contest the facts.

Dispute

Does the absence of a data protection officer in a municipal council implicate a violation of Article 37(1)(a) GDPR?

Holding

The Spanish DPA (AEPD) held that public authorities such as the municipal council in question often act as data controllers. They must therefore abide by the principle of accountability and have other obligations under the GDPR.

The Spanish DPA held that one of those obligations consists in naming a data protection officer (DPO) and to notify the Spanish DPA of his existence. This is an obligation imposed on public authorities under Article 37(1) GDPR. This obligation is also within Article 34(1) and (3) of the Spanish data protection law (LOPDGDD).

The Spanish DPA therefore imposed a warning sanction on Ayuntamiento de Mejorada del Campo for a violation of Article 37(1) GDPR and asked the council to designate a DPO within a month.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/5











     Procedure Nº: PS / 00326/2020

               RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on

to the following

                                  BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) dated May 4, 2020

filed a claim with the Spanish Agency for Data Protection. The
claim is directed against CITY COUNCIL OF IMPROVEMENT OF THE FIELD with NIF
P2808400B (hereinafter, the claimed one).

The reasons on which the claim is based are that the aforementioned city council lacks a

data protection officer.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), with reference number E / 04008/2020, a transfer of

said claim to the defendant, on June 7, 2020, to proceed with its
analysis and inform this Agency within a month, of the actions taken
carried out to comply with the requirements provided in the data protection regulations.

THIRD: On September 30, 2020, the Director of the Spanish Agency

of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged infringement of article 37 of the RGPD, typified in article 83.4 of the RGPD.

FOURTH: On October 8, 2020, the agreement to initiate this
procedure, becoming the same proposal for resolution of conformity

with articles 64.2.f) and 85 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations (LPACAP), by not carrying out
allegations within the indicated period.

       In view of all the actions, by the Spanish Protection Agency

of Data in this procedure the following are considered proven facts,

                                      ACTS

FIRST: The claimed City Council lacks a Delegate for the Protection of

Data.

SECOND: the defendant has not presented any allegation.







C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/5








                           FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
The Spanish Agency for Data Protection is competent to resolve this
process.


                                            II

The public administrations act as data controllers of
personal character and, on some occasions, they perform functions of managers
treatment, for what corresponds to them, following the principle of responsibility

proactively, meet the obligations that the RGPD details, among which is included, the
Obligation to appoint a data protection officer and communicate it to this
AEPD

The obligation is imposed by article 37 of the RGPD, which indicates:


"1. The person in charge and the person in charge of the treatment will designate a delegate of
data protection provided that:

a) the treatment is carried out by a public authority or body, except those
courts that act in the exercise of their judicial function; "


Article 37.3 and 4 of the RGPD indicates on the designation of the DPD “When the
responsible or the person in charge of the treatment is an authority or public body,
may designate a single data protection officer for several of these
authorities or bodies, taking into account their organizational structure and size.


4. In cases other than those contemplated in section 1, the controller or the
in charge of the treatment or the associations and other bodies that represent
categories of managers or managers may designate a protection delegate
data or must designate it if required by Union or State law
members. The data protection officer may act on their behalf

associations and other organizations that represent managers or managers. "

The LOPDGDD determines in its article 34.1 and 3: ”Appointment of a delegate of
Data Protection "


1. Those responsible and in charge of the treatment must designate a delegate
of data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:

3. Those responsible and in charge of the treatment will communicate within ten

days to the Spanish Data Protection Agency or, where appropriate, to the authorities
autonomic data protection, appointments, appointments and terminations of
the data protection delegates both in the cases in which they are
obligated to their appointment as in the case in which it is voluntary.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/5









The infringement is considered as such in article 83.4.a of the RGPD which states: ”4. The
Infractions of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount:

a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a

39, 42 and 43; "

Article 83.7 of the RGPD indicates:

“Without prejudice to the corrective powers of the control authorities by virtue of the

Article 58 (2), each Member State may lay down rules on whether
can, and to what extent, impose administrative fines on authorities and bodies
public establishments established in said Member State "

Article 58.2 of the RGPD indicates: "Each control authority will have all the
following corrective powers listed below:


b) sanction any person responsible or in charge of the treatment with warning
when the treatment operations have infringed the provisions of this
Regulation;


d) order the person in charge of the treatment that the operations of
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period ”.

In this sense, article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates:


1. The regime established in this article shall apply to the treatments of
those who are responsible or in charge:

c) The General Administration of the State, the Administrations of the Communities
autonomous entities and the entities that make up the Local Administration.


2 “When the managers or managers listed in section 1 commit
any of the infractions referred to in articles 72 to 74 of this law
organic, the competent data protection authority will dictate
resolution sanctioning them with warning. The resolution will establish

Likewise, the measures to be adopted to stop the conduct or to correct
the effects of the offense that had been committed.

The resolution will be notified to the person in charge of the treatment, the body of the
that depends hierarchically, where appropriate, and those affected who had the condition

interested party, if applicable. "




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/5








4.The resolutions that
fall in relation to the measures and actions referred to in the sections
previous.


5 will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued
under this article. "

                                           III


Article 73 of the LOPDDG indicates: "Violations considered serious

"Based on what is established in article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a

substantial violation of the articles mentioned therein and, in particular, the
following: "

v) Failure to comply with the obligation to appoint a data protection officer
when their appointment is required in accordance with article 37 of the Regulations
(EU) 2016/679 and article 34 of this organic law. "


Therefore, in accordance with the applicable legislation and the criteria of
graduation of sanctions whose existence has been proven,

the Director of the Spanish Agency for Data Protection RESOLVES:


FIRST: IMPOSE THE COUNCIL OF IMPROVEMENT OF THE FIELD with NIF
P2808400B, for a violation of article 37.1 of the RGPD, in accordance with article
83.4 of the RGPD, a warning sanction.


SECOND: REQUIRE the claimed party to accredit within one month
before this body the fulfillment of designating a Delegate for the Protection of
Data, in accordance with article 37.1 of the RGPD.

THIRD: COMMUNICATE this resolution to the Ombudsman, of
in accordance with the provisions of article 77.5 of the LOPDGDD.


FOURTH: NOTIFY the present resolution to the IMPROVEMENT CITY COUNCIL
FROM THE FIELD.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/5








the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-

administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.



Mar Spain Martí
Director of the Spanish Agency for Data Protection





































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es