AEPD (Spain) - PS/00384/2020
AEPD (Spain) - PS/00384/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 28.06.2021 |
Published: | 02.07.2021 |
Fine: | None |
Parties: | DIRECCIÓN GENERAL DE LA GUARDIA CIVIL |
National Case Number/Name: | PS/00384/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Paola L. |
The Spanish DPA issued a warning to a Directorate of the Spanish Police Force for infringing on the principle of confidentiality by sending an email containing sensitive personal data about the data subject to the generic email address of an unrelated police unit (which was accessible by third parties).
English Summary
Facts
The Spanish DPA (AEPD) received a complaint against a Directorate from the Spanish Police Force (Guardia Civil) indicating that an email containing an agreement to commence a procedure for the suspension of the data subject's firearm license was sent to a generic email address of a different unit which did not have any relation to the procedure, other than notifying the data subject, and that could be accessed by third parties.
The email was accessible by the whole police unit, while the purpose of the sending was only to notify the data subject about the commencement of the procedure.
Holding
The AEPD held that the facts constituted an infringement of Article 5(1)(f) GDPR for violating the principle of confidentiality and Article 32 GDPR for failing to implement appropriate technical and organisational measures according to the risk and sensitivity of the personal data processed, since third parties that was not in charge of the procedure and did not need to access the data had access to it.
The AEPD warned the directorate and provided them with one month to review its processes and bring them into compliance with GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12 Procedure No.: PS / 00384/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: D. A.A.A., in the name and on behalf of D. B.B.B. (hereinafter, the claimant) on 07/30/2019 filed a claim with the Spanish Agency for Data Protection. The claim is directed against the GENERAL DIRECTORATE OF THE CIVIL GUARD with NIF S2816003D (hereinafter, the claimed one). The reasons on which bases the claim are, in summary: the transfer without consent and the dissemination of personal information of the affected party contained in the agreement to initiate suspension of your weapons license, when this document is attached in an email sent on 09/17/2018 from the generic account, al-cmd-almeria-ia@guardiacivil.org, ownership of the Weapons Intervention Unit of the Civil Guard of Almería, to the generic account al-pto-canjayar@guardiacivil.es, owned by the Unit of the Canjayar, in order to notify the interested party. After the resolution of inadmissibility for processing, dated 09/06/2019, the claimant files an appeal for reversal alleging that the email was sent in the scope of work to generic recipients with sensitive personal data. That the Sender and recipient email accounts are not personal but accounts of certain departments of the Civil Guard being able to be consulted by indeterminate and numerous people who are part of them. On 10/16/2019 an estimate resolution was issued. SECOND: In view of the facts denounced in the claim and the documents provided by the claimant, the Subdirectorate General for Inspection of Data proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and of in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). On 12/04/2019, the complained party sent this Agency the following information: 1. That what is called in the complaint a generic email account it is not such. That the CIVIL GUARD has an isolated private communication network from abroad and which can only be accessed from official media within which there is a messaging system called GroupWise in which each Unit or Workstation may be assigned an address for exclusive use by the personnel of that Unit for internal communications and which is accessed after C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/12 Identify yourself with a smart card and an individual password. 2. That this system is used on a regular basis for communications between the different Units, as it is guaranteed that any communication or documentation that is sent through it is isolated from the outside and maintains its level of confidentiality. 3. Shows your disagreement in relation to the indiscriminate transfer of data personal. It indicates that the instruction of an administrative procedure requires that between the different bodies or departments involved in it is shared information in order to carry out the function assigned to the Administration (the control of the documentation that authorizes the possession of small arms to guarantee the proper use of the same and by derivation the security of third parties) and the right of the administered to know the facts on which such action is based and receive complete information in this regard. 4. That the complainant himself was one of those who accessed said system of courier service on the date of submission of the same together with the Sergeant Commander of post and four other civil guards. That the fact of having access to the messaging does not imply that such an act was carried out. 5. That if, after more than one year of said communication, the The complainant does not indicate that it has had significance and with it a damage For him, it is to be assumed that the person who agreed to it was he or those in charge of notify you of the initiation of the procedure. 6. That regarding the Sender's Weapons Intervention, access to said system of messaging was within the reach of the personnel assigned to that unit, a total of eleven people, which, as in the previous case, does not mean that they agreed to said document. THIRD: On 11/08/2020, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged infringement of articles 5.1.f) and 32.1 of the RGPD, sanctioned in accordance with provided in article 58.2.b) of the RGPD. FOURTH: Notified the start agreement, the claimed on 11/30/2020 presented a written of allegations, noting that the allegations made on the 05/30/2020 and that the complainant's complaint refers to a mere possibility that someone had accessed your personal data without being able to affirm it, so the alleged infractions have not materialized. FIFTH: On 12/14/2020 a test practice period began, remembering the following: - To consider reproduced for evidentiary purposes the claim filed by the claimant and its documentation, the documents obtained and generated by the Inspection services that are part of file E / 10062/2019. - To consider reproduced for evidentiary purposes, the allegations to the initiation agreement presented by the claimed C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/3 - Request the claimant a copy of the documentation in their possession related to the sanctioning procedure that for any reason had not been provided in the moment of the claim or, if deemed appropriate, any other manifestation in relation to the facts denounced. SIXTH: On 05/27/2021 a resolution proposal was formulated in the sense following: 1. That the Director of the Spanish Agency for Data Protection is addressed warning against the defendant, for the violation of articles 5.1.f) and 32 of the RGPD, typified, respectively, in articles 83.5.a) and 83.4.a) of the same Regulation. 2. That the defendant be required to, within the period to be determined, adopt the necessary measures to adapt the treatment operations carried out to the regulations for the protection of personal data, with the scope expressed in the Fundamentals of Rights of the proposed resolution. SEVENTH: Notified the claimed entity of the aforementioned resolution proposal, with On 06/07/2021, this Agency received a written statement of allegations in which states again that it has not been proven that a third party has had knowledge of personal data, nor the damage caused to the claimant. On the other hand, in relation to the transfer of information from one management body to another, Actions have been put in place to avoid future repetitions, such as the Circular prepared by the Data Protection Delegate (DPD), indicated with the number DPD 1-2020, of 12/01/2020, which has been disseminated to all Units and It is available on the DPD Intranet. Provide a copy of this Circular, which states the following: “Regarding the first question, guarantee confidentiality, provided that it is attached to a electronic communication documentation that includes personal data, especially when the They contain health data (medical, psychological or health documentation of any kind); related to criminal or administrative sanctions (sentences, notification of sanctions, disciplinary procedures); or referring to actions derived from the foregoing (withdrawal of weapons, summons to appear, etc.), must be sent in encrypted folders with password that will be provided after identifying the applicant as belonging to the Unit or recipient body as the one that must resolve the issue, not having to be facilitated to units or intermediary bodies that do not need to know the specific content of the documentation for processing, limiting as much as possible the number of people who access it and should be able if necessary to respond to a It denounces identifying those who have accessed it. In those cases in which it is documentation that must be delivered to the interested party, it will be ensured that said delivery is made guaranteeing the maximum possible reserve and that this is carried out by their direct command, avoiding that it is carried out by personnel who performs bureaucratic tasks, unless said delivery is materialized in a sealed envelope; on In these cases, it must be stated on the receipt that the recipient receives the documentation with such guarantees of confidentiality. When, in the case of documents that must be signed by the interested party and returned to the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/12 sending unit or body, the provisions of the previous paragraph will be observed for the delivery and firm; and the aforementioned measures will be adopted for their return through electronic communications. In those cases in which other means of communication are used, postal, etc., adopt analogous measures adapted to the environment always with the aim of guaranteeing the confidentiality of personal data. Improper practices such as printing and keeping copies of documentation should be avoided sent or delivered, which compromise and make it difficult to maintain the confidentiality of said information over time ”. Of the actions carried out in this proceeding, there have been accredited the following: PROVEN FACTS FIRST: Dated 09/17/2018, from the email address al-cmd- almeria-ia@guardiacivil.org, assigned to the Weapons Intervention Unit of the Civil Guard of Almería, an email was sent to the address al-pto- canjayar@guardiacivil.es, belonging to the Canjayar Post Unit, with the subject “Rdo. Agreement to start suspension of weapons license type ... (type license, name, surname and ID of the claimant) for notification to the interested party ”. The text of the message is as follows: "Notification is sent for delivery to the interested party, having to send a dated copy and signed upon receipt to this I.A., for submission to the Zone Headquarters, such as indicated in the c.e. attached". This email attached the document to which its subject refers, which corresponds to the agreement to initiate the procedure for suspending the weapons license initiated at the claimant by the General Directorate of the Civil Guard. This document includes the identifying data of the claimant, their administrative situation and destination, as well as all the factual circumstances that determined the initiation of said procedure (police and judicial actions taken against the claimant for gender violence). SECOND: The respondent has informed this Agency that it has a system of courier that assigns each unit or post an address for exclusive use by the staff of the unit in question. In the case of the email address corresponding to the Unit of the Canjayar Post, it is indicated that it could be accessed by the Sergeant Commander of the post, the claimant and four guards more civilians. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/12 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II Article 58 of the RGPD, Powers, states: "two. Each supervisory authority shall have all the following corrective powers indicated at continuation: (…) b) punish any person in charge or in charge of the treatment with warning when the treatment operations have infringed the provisions of this Regulation; (…) ”. First, article 5 of the RGPD establishes the principles that must govern the treatment of personal data and mentions among them that of "integrity and confidentiality ”: "1. The personal data will be: (…) f) treated in such a way as to guarantee adequate security of personal data, including protection against unauthorized or illegal processing and against its loss, accidental destruction or damage, through the application of technical or organizational measures appropriate ("integrity and confidentiality"). (…) ”. Article 5, Duty of confidentiality, of the LOPDGDD, states that: "1. Those responsible and in charge of data processing as well as all the people who intervene in any phase of this will be subject to the duty of confidentiality to which refers to article 5.1.f) of Regulation (EU) 2016/679. 2. The general obligation indicated in the previous section will be complementary to the duties of professional secrecy in accordance with its applicable regulations. 3. The obligations established in the previous sections will be maintained even when the relationship between the obliged party and the person in charge of the treatment would have ended ”. III The documentation in the file proves that the defendant violated the Article 5 of the RGPD, principles relating to treatment, in relation to Article 5 of the LOPGDD, duty of confidentiality, materialized in the dissemination of data from personal character relating to the claimant contained in the agreement to initiate suspension of his gun license, attached to an email that was C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/12 sent to the generic account al-pto-canjayar@guardiacivil.es, which is owned by the Unit of the Canjayar Post (Almería), which was within reach and could be accessed by the personnel assigned to said unit, a total of five people, in addition to the claimant. This duty of confidentiality, previously the duty of secrecy, is intended to prevent leakage of data not consented to by the owners of the themselves. Therefore, this duty of confidentiality is an obligation that is incumbent not only on the responsible and in charge of the treatment but to everyone who intervenes in any treatment phase and complementary to the duty of professional secrecy. The respondent has alleged that there is no indiscriminate transfer of data personal and that the instruction of an administrative procedure requires that different administrative units or departments share information. Without However, what happens in this case does not conform to this scheme, since the Information regarding the complainant is not forwarded to an intervening unit formally in the procedure followed against it. Likewise, the defendant has stated that the proceedings do not prove that a third party has accessed confidential information related to the claimant. However, does not take into account the factual circumstances that have given rise to the present process. In this case, it is established that the notification of the opening agreement of a gun license suspension procedure, followed against the claimant, was forwarded to a generic email account, owned by the Unit of the Canjayar Post, in order for it to be delivered to the interested party, that is, the claimant. This shipment, in itself considered, already constitutes an infringement to the personal data protection regulations, insofar as it enables the access to information related to the claimant by third parties. Besides, the formalization or completion of this procedure, with the delivery of the agreement to the claimant, implies that a third party or several accessed the information. To this In this regard, it is advisable to reproduce again the instructions contained in the mentioned email about the delivery of documentation: "Notification is sent for delivery to the interested party, having to send a dated copy and signed upon receipt to this I.A., for submission to the Zone Headquarters, such as indicated in the c.e. attached". IV Article 83.5 a) of the RGPD, considers that the infringement of "the basic principles for the treatment, including the conditions for consent under the Articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned Article 83 of the aforementioned RGPD, “with administrative fines of € 20,000,000 as maximum or, in the case of a company, of an amount equivalent to 4% as maximum total annual global business volume of the previous financial year, opting for the highest amount ”. On the other hand, the LOPDGDD, for prescription purposes, in its article 72 indicates: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/12 “Violations considered very serious: "1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in the Article 5 of Regulation (EU) 2016/679. (…) ”. V Second, article 32 of the RGPD "Security of treatment", establishes that: "1. Taking into account the state of the art, the costs of application, and the nature, the scope, context and purposes of the treatment, as well as risks of probability and severity variables for the rights and freedoms of individuals, the person in charge and the person in charge of the treatment will apply appropriate technical and organizational measures to guarantee a level security appropriate to the risk, which, where appropriate, includes, among others: a) pseudonymisation and encryption of personal data; b) the ability to ensure confidentiality, integrity, availability and resilience permanent treatment systems and services; c) the ability to restore the availability and access to personal data in a manner fast in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the measures technical and organizational to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular account shall be taken of the risks posed by data processing, in particular as a consequence of the accidental or illegal destruction, loss or alteration of transmitted personal data, stored or otherwise processed, or unauthorized communication or access to said data. 3. Adherence to a code of conduct approved in accordance with article 40 or to a mechanism of certification approved pursuant to article 42 may serve as an element to demonstrate the compliance with the requirements established in section 1 of this article. 4. The person in charge and the person in charge of the treatment will take measures to guarantee that any person acting under the authority of the controller or processor and has access personal data can only process said data following instructions from the person in charge, unless it is obliged to do so by virtue of the law of the Union or of the Member States ”. The violation of article 32 of the RGPD is classified in article 83.4.a) of the aforementioned RGPD in the following terms: "4. Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, of an amount equivalent to a maximum of 2% of the total annual business volume overall for the previous financial year, opting for the one with the highest amount: a) the obligations of the controller and the person in charge pursuant to articles 8, 11, 25 to 39, 42 and 43. (…) ”. 28001 - Madrid 6 sedeagpd.gob.es 8/12 For its part, the LOPDGDD in its article 71, Infractions, states that: “The acts and conducts referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic Law. And in its article 73, for the purposes of prescription, it qualifies as “Infractions considered serious ”: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, they are considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) g) The breach, as a consequence of the lack of due diligence, of the measures technical and organizational that have been implemented as required by article 32.1 of Regulation (EU) 2016/679. (…) ”. SAW The GDPR defines personal data security breaches as “all those security violations that cause destruction, loss or accidental or illegal alteration of personal data transmitted, stored or processed otherwise, or unauthorized communication or access to said data ”. From the documentation in the file, it is proven that the claimed person has Article 32.1 of the RGPD has been violated, when a security incident occurs consisting of transferring the claimant's data by means of a corporate email that it was accessible to all members of the target unit. It should be noted that the RGPD in the aforementioned precept does not establish a list of the security measures that are applicable according to the data that are the object of treatment, but establishes that the person in charge and the person in charge of the treatment apply technical and organizational measures that are appropriate to the risk involved the treatment, taking into account the state of the art, the application costs, the nature, scope, context and purposes of the treatment, the risks of probability and seriousness for the rights and freedoms of the interested persons. Likewise, the security measures must be adequate and proportionate to the risk detected, noting that the determination of the technical measures and organizational must be carried out taking into account: pseudonymisation and encryption, ability to guarantee confidentiality, integrity, availability and resilience, the ability to restore availability and access to data after an incident, process verification (not audit), evaluation and assessment of the effectiveness of measures. In any case, when evaluating the adequacy of the security level, the particularly take into account the risks presented by data processing, such as consequence of accidental or illegal destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data and that could cause damages physical, material or immaterial. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/12 In this same sense, recital 83 of the RGPD states that: “(83) In order to maintain security and prevent the treatment from violating the provisions of the this Regulation, the person in charge or the person in charge must assess the risks inherent treatment and apply measures to mitigate them, such as encryption. These measures should guarantee an adequate level of security, including confidentiality, taking into account the state of the technique and the cost of its application with respect to the risks and the nature of the data personnel to be protected. When assessing the risk in relation to the safety of the data, the risks arising from the processing of the data must be taken into account personal data, such as accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to said data, susceptible in particular to causing physical, material or immaterial ”. In the present case, as stated in the facts and in the framework of the case file investigation E / 10062/2019, the claim presented was transferred to the defendant for its analysis, requesting the contribution of information related to the incident claimed in which it shows its disagreement with the indiscriminate transfer of data, Although it states that access to the internal messaging system was within the reach of the personnel assigned to that unit. The responsibility of the claimed person is determined by the security bankruptcy revealed by the claimant. The respondent is responsible for taking decisions aimed at effectively implementing technical measures and appropriate organizational arrangements to ensure a level of security appropriate to the risk to ensure the confidentiality of the data and, among them, those aimed at restoring the availability and access to data quickly in the event of a physical incident or technical. However, from the documentation provided prior to processing of the procedure, it is not known whether any measure had been taken in order to end to incidents such as the one that gave rise to the claim. In accordance with the foregoing, it appears that the defendant is responsible for the infringement of the RGPD for the violation of article 32, infringement typified in the Article 83.4.a) of the same Regulation. VII However, also the LOPDGDD in its article 77, “Regime applicable to certain categories of controllers or those in charge of the treatment ”, establishes the following: "1. The regime established in this article will be applicable to the treatments of which are responsible or in charge: a) The constitutional bodies or those with constitutional relevance and the institutions of the autonomous communities analogous to them. b) The jurisdictional bodies. c) The General State Administration, the Administrations of the autonomous communities and the entities that make up the Local Administration. d) Public bodies and public law entities linked or dependent on the Public administrations. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/12 e) The independent administrative authorities. f) The Bank of Spain. g) Public law corporations when the purposes of the treatment are related with the exercise of powers of public law. h) Public sector foundations. i) Public Universities. j) Consortia. k) The parliamentary groups of the Cortes Generales and the Legislative Assemblies autonomic, as well as the political groups of the Local Corporations. 2. When the managers or managers listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this organic law, the authority of data protection that is competent shall issue a resolution sanctioning them with warning. The resolution will also establish the measures to be adopted so that the conduct ceases or the effects of the offense that had been committed are corrected. The resolution will be notified to the person in charge or in charge of the treatment, the body of which hierarchically depends, where appropriate, and those affected who had the status of interested, if applicable. 3. Without prejudice to the provisions of the previous section, the data protection authority will also propose the initiation of disciplinary actions when there are indications enough for it. In this case, the procedure and the sanctions to be applied will be the established in the legislation on disciplinary or sanctioning regime that results from app. Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for treatment that had not been duly attended to, the resolution imposing the sanction will include a reprimand with the name of the responsible position and the publication will be ordered in the Official Gazette of the State or autonomous region that corresponds. 4. The data protection authority must be notified of the resolutions that fall in relation to the measures and actions referred to in the previous sections. 5. They will be communicated to the Ombudsman or, where appropriate, to the analogous institutions of the autonomous communities the actions carried out and the resolutions issued under the this article. 6. When the competent authority is the Spanish Agency for Data Protection, this will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, expressly indicating the identity of the person responsible or person in charge of the treatment that had committed the infringement. When the competence corresponds to an autonomous data protection authority, it will be, in terms of the publicity of these resolutions, to what its regulations provide specific ”. It should be noted that the LOPDGDD contemplates in its article 77 the possibility of warn the person responsible for the infringement and require him to adapt the treatments of personal data that do not conform to their forecasts, when those responsible or those in charge of the treatment listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this Organic Law. For this reason, a resolution proposal was prepared to agree to require the 28001 - Madrid 6 sedeagpd.gob.es 11/12 responsible entity the adoption of the necessary measures to carry out that adaptation to the personal data protection regulations, preventing the administrative actions carried out can be accessed by people who do not they intervene directly in its formalization. Specifically, in the case of administrative notifications, it was advised that such notifications be delivered directly to the interested party, without the intermediation of other units outside the are entrusted with the action in question; or, to try that notification with the collaboration of some other unit, always avoiding that it can access the content of the act that is notified. Knowing this response by the claimed, on the occasion of the hearing process granted, provided a copy of a "Circular" issued by the DPD, regarding the sending of documentation through electronic communications. After analyzing this Circular, find some improvements in their forecasts, such as the encryption of folders to which It will be accessed using the password provided to the interested party. However, there are other instructions that do not meet the requirements mentioned above, such as are the delivery of documentation through the "direct command" of the interested party or the Sending documents "open" to be signed by the interested party and returned to the sending unit. The same Circular warns about “practices inadequate such as printing or keeping a copy ”of the documentation submitted, which is equivalent to recognizing that the possibility that a third party can access the documentation is maintained. Therefore, it is considered appropriate to require the defendant so that the notifications that must practice guarantee the confidentiality of the personal data that they contain. In this regard, it is noted that not meeting the requirements of this body can be considered as a serious administrative offense by “not cooperating with the Control Authority ”before the requirements made, being able to be valued as conduct at the time of the opening of an administrative sanctioning procedure. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DIRECT AN APPOINTMENT to the entity DIRECTORATE GENERAL OF LA GUARDIA CIVIL, with NIF S2816003D, for a violation of articles 5.1.f) and 32 of the RGPD, typified in articles 83.5.a) and 83.4.a) of the RGPD, respectively. SECOND: REQUEST the entity DIRECTORATE GENERAL OF THE CIVIL GUARD, so that, within a period of one month, counted from the notification of this resolution, adapt to the personal data protection regulations the operations processing of personal data carried out, with the scope expressed in the Basis of Law VII. Within the indicated period, the GENERAL DIRECTORATE OF THE GUARDIA CIVIL must justify before this Spanish Agency for Data Protection attention to this requirement. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/12 THIRD: NOTIFY this resolution to the GENERAL DIRECTORATE OF THE CIVIL GUARD. FOURTH: COMMUNICATE this resolution to the Ombudsman, of in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency is not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es