AEPD (Spain) - PS/00480/2020
AEPD (Spain) - PS/00480/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 13 GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 16.11.2021 |
Fine: | None |
Parties: | sacramental y penitencial cofradía de nuestro padre jesús sacramentado y maría santísima de la piedad, amparo de los leoneses |
National Case Number/Name: | PS/00480/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) issued a reprimand to a Spanish religious brotherhood (sacramental y penitencial cofradía de nuestro padre jesús sacramentado y maría santísima de la piedad, amparo de los leoneses) for unlawfully processing personal data of its members.
English Summary
Facts
The claimant, a member of the brotherhood, asserts that his/her consent has never been obtained for the processing of his/her data, nor has he/she been informed of the rights to which he/she is entitled. The claimant also points out that his/her e-mail address has been exposed in the communications made by the brotherhood to its members, by sending the e-mails without a blind copy.
Holding
The Spanish DPA found out a violation of Articles 13, 32, and 5(1)(f) GDPR.
Article 13 sets out the Information to be provided where personal data are collected from the data subject. From the evidence provided by the brotherhood, it has been established that, at the time of the claimant's registration, there was not adequate information on the reasons of collection and use of e-mail address data and the purpose of the processing.
Article 32 defines rules for ensuring the security of processing. This article has been violated in so far as a security incident occurred in their system allowing access to personal data, e-mail addresses, when forwarded without using the "blind copy" option, allowing other recipients to access personal data, e-mail addresses of the other recipients of the communication in breach of the established technical and security measures. This incident equally violated the general principle of “integrity and confidentiality” as set out in Article (5)(1)(f).
For these reasons, the AEPD issued a reprimand to the religious brotherhood and ordered to correct the information provided vie email to new members.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/14 Procedure No.: PS / 00480/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following BACKGROUND FIRST: D. A.A.A. (hereinafter, the claimant) dated 08/14/2020, filed claim before the Spanish Agency for Data Protection that is directed against SACRAMENTAL AND PENITENTIAL BROTHERHOOD OF OUR FATHER JESUS SACRAMENT AND MOST BLESSED MARY OF PIEDAD, AMPARO DE LOS LEONESES, with CIF G24294787 (hereinafter, the claimed one). The reasons on which you base the claim are that he is a member of the claimed Brotherhood and "his consent has never been obtained for the processing of your data ”,“ nor has you been informed of your rights ”. It also indicates that the data of your e-mail is exposed in the communications made by the claimed to its members, by forwarding the emails without hidden copying. Provides a copy of two emails in which you can see the emails of the recipients, 03/18, and 09/29/2019. In most of the emails its denomination is the name and surnames, including that of the claimant. In September, which has an attached pdf file called "statement" it is reported Among other aspects, of the matters agreed in the Governing Board held on 09/28/2019 and the changes of the Governing Board. An informative literal about personal data appears in both emails, indicating: "Personal data including your e-mail are treated in accordance with the provisions of the GDPR " "The purpose of this treatment will be the management of normal business activity through communication systems with all stakeholders. " "We inform you that the data has been obtained by consent of the interested party by derivation of a contractual obligation, by a legitimate assignment or from a source of public access " The possibility of exercising the rights is offered. SECOND: In view of the facts denounced and the documents provided by the claimant of which this Agency, the Subdirectorate General of Ins- Data inspection proceeded to carry out actions to clarify the facts. chos in question. On 09/28/2020, the claim submitted for analysis and communication and communicate the decision taken in this regard. Likewise, he was required C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/14 so that within a month it sent certain information to the Agency: - Copy of the communications, of the adopted decision that has been sent to the complainant maintain regarding the transfer of this claim, and accreditation that the claim- Mante has received the communication of that decision. - Report on the causes that have motivated the incident that has originated the claim. mation. - Report on the measures adopted to prevent incidents from occurring if- thousands. - Any other that you consider relevant. The defendant did not respond to the request made. THIRD: On 12/15/2020, in accordance with article 65 of Organic Law 3/2018, of 5/12, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency agreed to admit processing the claim presented by the claimant against the claimed. FOURTH: On 01/25/2021, the Director of the Spanish Agency for the Protection of Da- They agreed to initiate a sanctioning procedure to warn the complained party, due to the histas infractions of articles 5.1.f), 13 and 32.1 of the RGPD, sanctioned in accordance with provided in articles 83.5.a), 83.5.b) and 83.4.a) of the aforementioned RGPD. FIFTH: The commencement agreement was notified, the one claimed on 03/01/2021, presented a brief of allegations, stating: -In fact, the mistake was made of sending an email to members of the Brotherhood in which all recipients could see other people's email. The day 09/30/2019, the incident was communicated to all interested parties. Provide a copy of the document THREE with the wording of 09/30/2019 of communication of the error to the members. -It indicates that with the tool “*** TOOL.1” after 09/29/2019 they have been- Guido sent emails to the claimant without incident. Provide a copy of FOUR document, including your e-mail, "contact added on 01/12/2020" "last activity 02/14/2020", "twelve and mails delivered, eleven opened ”. Add the list of emails sent, dates, which go from 03/13/2020 to 09/07/2020, and if they have been opened, delivered, or “clicked”. -The members of the Brotherhood were informed that “to prepare the identification card of the Cofradía it is necessary to update the data and the data protection policy through a data update form-link to GOOGLE FORMS- “no copy of the form is provided- mulary. "In the aforementioned email it can be seen that any recipient can cancel at any- I would like to subscribe to this list of communications from the Brotherhood ”. "All the co- The communications include in their final part an extract of the treatment given to the data of the recipient of the communication, the rights they have and the way to exercise them, as required ge the GDPR ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/14 Provide document FIVE entitled "information of interest and form", dated 10/13/2020, in the that informs that an "identification card" is going to be elaborated, being obligatory "to fill in the following informative literal also accepting the update of the protection policy tion of data. *** URL.1 ”. The informative literal is the same as the March 2019 emails and 09/29/2019 reflected in the first event. The option “CLICK HERE TO CAN- CELEASE THE SUBSCRIPTION "" If you proceed to cancel the subscription, you will no longer receive notifications in relation to the Brotherhood, this being the only official means of information cial ”. -Provide a copy of other informative emails, reiterating the completion of the form, and containing the same informative literal with the same option to "cancel the subscription". -Adds that the claimant's personal data was collected in the registration request, not having since received communication from him that he would like to exercise none of the rights recognized in the previous legislation and in the current one. Provide a copy of the claimant's “Application for entry into the Brotherhood” with their data, including going to e-mail address, registration date 07/05/2011. The informative data collection literal indicates: -The purpose of the data processing is the "maintenance of the relationship as a person belonging to the Brotherhood, with the specific purposes established in the Statutes ”. -In addition, "these data may be used to send you information of your interest as well as on activities of the Brotherhood ”. -The explanation of the exercise of rights and the option of "if you have any questions you can send an email to ... " SIXTH: On 03/12/2021, a test practice period began, agreeing to the following Consider reproduced for evidentiary purposes: - The claim filed by the claimant and its documentation, the documents obtained two and generated by the Inspection Services that are part of the file E / 07622/2020. - The allegations to the initiation agreement PS / 00480/2020 presented by the complainant and the documentation that accompanies them. -The respondent is requested to report and, in any case, provide proof of the technical measures cases and / or organizational measures adopted in order to avoid incidents such as those have led to the opening of this proceeding. Within the term granted, no response was received. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/14 SEVENTH: On 04/23/2021, the change of Instructor was agreed, notifying the Claimed with the result of being returned due to surplus as the shipment was not withdrawn, crediting itself to The file. EIGHTH: On 05/04/2021, a letter from the complained party is received, which responds to the request. tion carried out in tests. - On 01/10/2020 a new email system was hired that offers services of "Web page" and "webmail e-mail system" with the system of "e-mail marke- ting ”, which is a system used for email marketing strategy, tailored to the needs of the respondent and its members. It involves the delivery of a immediate and personal contact by email to the group of people that make up the herself. Provide a copy of part of the contract in document 1. “The messages are sent directly to the inbox of the recipients received. blessing them in a particular and individual way ”. "Previously the contacts have to accept or consent to receive emails. " “Consent must be given in an ex- prey in the application for entry or registration in the Brotherhood. " -Provide in document 2, a copy of the “registration sheet” where, among others, the e-mail data, the purpose of the treatment is informed: “the management of the activity regular business life through communication systems with all stakeholders ”, and how to exercise rights. There is no information directly related to the e emails, nor the explanation of the purpose of said treatment with the option of not granting the consent in that specific aspect, and its consequences. -Details how the sending of emails is managed, starting from the creation of a series of contact lists with emails. When sending an email, it is prepared a template with the information to send to members, including a link to sign up come down. The template published in the system allows adding recipients with the name of the list, without having to access the data of each of the contacts. Attached in do- Document FIVE, the defined shipping steps. "Once the mail sent from the Brotherhood, no recipient has any access to the email addresses to which they have said information has also been sent ". In document SEIS, it states that do- document sent from the Brotherhood as we would see it by any of the senders established, but not contributed. NINTH: On 08/02/2021, a resolution proposal is issued with the literal: “That the Director of the Spanish Agency for Data Protection be sanctioned with an ap- cibimiento to SACRAMENTAL AND PENITENTIAL COFRADÍA DE NUESTRO FADRE JESÚS SACRAMENT AND MOST BLESSED MARY OF PIEDAD, AMPARO DE LOS LEONESES, with CIF G24294787, for violation of articles 13, 5.1.f) and 32.1 of the RGPD, in accordance with with the provisions of articles 83.5.b), 83.5.a) and 83.4.a) of the RGPD. “The execution tending to the correct informative adequacy is carried out by the defendant. it goes from the e-mail of the members for the use of the sending of e-mails " No allegations were received. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/14 PROVEN FACTS 1) The claimant has been a member of the claimed party since they submitted their “Application for entry into la Cofradía ”(discharge 07/05/2011) which included, among other information, his e-mail address. The literal informative data collection indicated that the purpose of data processing is the "Maintenance of the relationship as a person belonging to the Brotherhood, with the purposes specific established in the Statutes "" these data may be used to send you information training of your interest as well as on activities of the Brotherhood ”. 2) On 08/14/2020 the claimant's claim has entered the AEPD stating that it is member of the Confraternity claimed, and received two emails without hidden copy, being able to see all two recipients, everyone's addresses, including yours. The emails carried cha of 03/18 and 09/29/2019. The defendant acknowledges shipments without a hidden copy. The literal in- training associated with those two emails stated: "Personal data including your e-mail are treated in accordance with the provisions of the GDPR " "The purpose of this treatment will be the management of normal business activity through communication systems with all stakeholders. " "We inform you that the data has been obtained by consent of the interested party by derivation of a contractual obligation, by a legitimate assignment or from a source of public access ”. The emails sent did not contain the literal that makes it possible to stop receiving these emails. 3) It highlights a difference in information on the legitimizing base, when the data, which indicates the associative relationship as the purpose of the data, and WHAT MAY BE used to "send you information of your interest as well as activities of the Brotherhood" and the information contained in the e-mails, with the citation in the body of the en- email transmission from various legitimating bases. 4) The receipt of communications via e-mail from the complained party is not mandatory, existing in emails dated after the dates of the reported shipments, the option of "Cancel the subscription", there being no proven subscription properly by the Guilds. When the claimant registers in the Brotherhood, the use of the email to have information about the Brotherhood, nor is the option of not using it offered, or not consent to such use. 5) After 09/29/2019, emails have been sent to the claimant, providing copies, which They go from 03/13/2020 to 09/07/2020, without incidents. 6) As of 01/10/2020, the respondent hired a new email system in the one that "Previously, the contacts have to accept or consent to receive the emails." "The Consent must be expressly given in the application for entry or registration. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/14 tion in the Brotherhood. " It does not provide the informative literal to verify the form and content contained creto of the information implemented that could be related to the sending of email to informative effects of the Brotherhood. The respondent contributed, among others, emails sent after those who have been the subject of claims. tion, with this new system. In one of 10/13/2020, entitled: “information of interest and for- form ”, it is communicated that an“ identification card ”will be elaborated, being obligatory“ to fill in narrate the following informative literal thus also accepting the update of the Data Protection. *** URL.1 ”(the aforementioned form is not provided). However, the literal infor- Mative of the mail of 10/13/2020 is the same as the emails of March 2019 and 09/29/2019, with the addition of the option “CLICK HERE TO CANCEL THE SUBSCRIPTION” “if applicable. from the cancellation of the subscription, you will stop receiving notifications in relation to the Fradia, this being the only official means of information ”. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority trol, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Agency The Spanish Data Protection Company is competent to initiate and resolve this procedure. performance. II The respondent is charged with an infringement of article 13 of the RGPD, which determines the information information that must be provided to the interested party at the time of data collection, sta- stating the following: "1. When personal data relating to him are obtained from an interested party, the respondent The data controller, at the time these are obtained, will provide you with all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, their representative tante; b) the contact details of the data protection officer, if applicable; c) the purposes of the treatment to which the personal data are destined and the legal basis of the treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the interests gitimos of the person in charge or of a third party; e) the recipients or categories of recipients of personal data, in their case; f) where appropriate, the intention of the person responsible to transfer personal data to a third party country or international organization and the existence or absence of an appropriate decision qualification of the Commission, or, in the case of the transfers indicated in the articles 46 or 47 or article 49, paragraph 1, second subparagraph, reference to the appropriate guarantees appropriate and the means of obtaining a copy of these or the fact that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/14 that have been borrowed. 2. In addition to the information mentioned in section 1, the data controller ment will provide the interested party, at the time the personal data is obtained, the following information necessary to guarantee fair and transparent data processing: a) the period during which the personal data will be kept or, when not possible, sible, the criteria used to determine this term; b) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or article lo 9, section 2, letter a), the existence of the right to withdraw consent in any- at any time, without affecting the legality of the treatment based on the consent prior to withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a re- I want necessary to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not facilitating lite such data; f) the existence of automated decisions, including profiling, to which referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information nificant on the applied logic, as well as the importance and consequences views of said treatment for the interested party. 3. When the data controller plans the further processing of data personal data for a purpose other than that for which they were collected, will provide the interest given, prior to said further processing, information on that other purpose and any additional relevant information pursuant to section 2. 4. The provisions of paragraphs 1, 2 and 3 shall not apply when and on the given that the interested party already has the information ”. In general, the legitimizing basis for data processing would be related to the scheme provided for in article 6.1b), the treatment is necessary for the execution of a contract or agreement in which the interested party is a party or for the application at his request of pre-contractual measures. Now, in this case, what is involved is the use of e-mail and the setting in the data collection, its use and purpose. The denounced events initially materialize in the absence of information about of the processing of personal data, especially the e-mail, if it is mandatory to provide Provide the e-mail to receive the information, or if you can, I will not consent to it, giving the option tion if so, or detailing the consequences of not providing such data. In addition, the base legal treatment of sending emails by e-mail must specify a legal basis treatment. The data collection that occurs when entering the Brotherhood must be distinguished, and contains some data and information that were given, including the e-mail, indicating that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/14 will use "for the maintenance of the relationship", adding that: "In addition, these data may be used to send you information of interest, as well as about activities of the Brotherhood ”, which is what is done by sending e-mails. This option of being in- formed, which, it is deduced, as a voluntary one by containing the option to “cancel your subscription tion ”, it is not related to the maintenance of the relationship, it is not completed with the option at the time of data collection to opt out of receiving information of interest or of activities of the Brotherhood. Likewise, the information contained in the e-mails does not succeed in establishing the legal basis scammer of these shipments, mixing diverse, different and contradictory motives. By examining the information that is given in the registration of the members, it is reported in a general that the purpose of data processing is the "maintenance of the relationship as a person belonging to the Brotherhood, with the specific purposes established in the Statutes" The e-mails indicated: The purpose of this treatment will be the management of normal business activity through communication systems with all stakeholders. " The purpose of the collection must be clearly and specifically identified: it must be sufficiently detailed to determine what type of treatment is or is not included in the specified objective, and to allow compliance with the law to be assessed and data protection safeguards apply. Any purpose must be specified, that is, define enough to be explicit. The objective must be sufficiently unequivocal and clearly expressed. The requirement that the purposes be specified 'explicitly' contributes to transparency and predictability. It allows an unambiguous identification of the limits of the way in which the Controllers may use the personal data collected, in order to protect the data teresados. Each goal of treatment must be separate and specific. Maintenance o compliance with the associative relationship is one objective, the information would be another. The information of the treatment and the legitimizing basis for the use and purpose of the treatment of the e-mail offered is confusing in the wording: "We inform you that the data has been obtained by consent of the interested party by derivation of a contractual obligation, by a legitimate assignment or from a source of public access " In the discharge of the members, it is indicated that the data is for the maintenance of the relationship, not requiring consent. Even less, consent can be made derive from “a contractual obligation, by a legitimate assignment or from a source of public access ”as reported in e-mails. Originally, in the high as Cofrades, the option is not given to the affected, so that the purpose of maintaining the contractual relationship is differentiated from that of being informed C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/14 do, being different. For the maintenance of the relationship it is not necessary to send the e mails to associates, which is a voluntary addition, by offering the possibility of canceling the subscription. It is the responsibility of the respondent to prove compliance with the provisions of article 13 of the GDPR. Therefore, it has been proven that, at the time of the claimant's discharge, no produces adequate information in the collection and use of data from the e-mail address and purpose of information to members. Circumstance that remains and is credited with the sending the e-mails that are the subject of the claim, and which persists with the current configuration of the e-mails, which have not changed. The respondent should reevaluate the associative purposes of the activity of the respondent, of which the intrinsic acceptance of the Statutes would be part, which is the basis original legitimizer of the personal data of the members of the Brotherhood, and distinguish it from your use of emails to members. The complained party must take into account the processing of other data under another legitimizing basis. that does not obey the relationship, in this case statutory between its members and the claimed. To do this, you must take into account the elements that make up the consent informed: “for one or more specific purposes”, and the freedom to grant or withdraw it without suffer any damage, as well as the possibility of revoking it at any time with the same effects. In accordance with article 58.2 of the RGPD: "2. Each supervisory authority shall have all the following corrective powers indicated below: d) order the person in charge of the treatment that the processing operations comply with the provisions of this Regulation, when proceed, in a certain way and within a specified period; " The respondent must prove the inclusion of pertinent and adequate information to the treatment of data derived from email with informative use to its members, and inform of the modality and form by which it would be carried out. Article 83.5 b) of the RGPD, considers that the infringement of "the rights of the interested parties According to articles 12 to 22 "" is punishable, "with administrative fines of € 20,000,000 maximum or, in the case of a company, an amount equivalent to 4% as a maximum of the total annual global business volume of the previous financial year, opting for the highest amount ”. III Regarding the dissemination given to the e-mails that are the subject of a complaint, article 5 of the RGPD is- establishes the principles that must govern the processing of personal data and mentions between- among them that of "integrity and confidentiality". The aforementioned article points out that: "1. The personal data will be: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/14 (…) f) processed in such a way as to guarantee adequate security of personal data personal data, including protection against unauthorized or illegal processing and against its loss. accidental damage, destruction or damage, through the application of technical or organizational measures appropriate guidelines ('integrity and confidentiality') ”. (…) Article 5, duty of confidentiality, of Organic Law 3/2018, of 5/12, on Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), signal- which: "1. Those responsible and in charge of data processing as well as all the persons Those involved in any phase of this will be subject to the duty of confidentiality. referred to in article 5.1.f) of Regulation (EU) 2016/679. 2. The general obligation indicated in the previous section will be complementary to the duties of professional secrecy in accordance with its applicable regulations. 3. The obligations established in the previous sections will be maintained even when the relationship of the obliged with the person in charge or in charge of the treatment has ended. I lie". The documentation in the file offers clear indications that the respondent, violated article 5.1.f) of the RGPD, principle relating to treatment, in relation to article the 5 of the LOPGDD, duty of confidentiality, when sending emails without using the blind copy option. This duty of confidentiality, or duty of secrecy, must be understood as having the purpose of It is important to avoid data leaks not being consented to by the owners of the themselves, in this case, the email addresses of the brothers. Therefore, this duty of confidentiality is an obligation that falls not only on the respondent member and in charge of the treatment, but to anyone who intervenes in any phase of the treatment and complementary to the duty of professional secrecy. The same complainant has indicated that the incident that gave rise to the complaint was motivated by vada by incorrectly sending emails to members of the Brotherhood, since the person who managed it involuntarily and accidentally must have sent as "Bcc" (where each recipient cannot see the other recipients), in instead of "To" (where each recipient can see the other recipients). Article 83.5 a) of the RGPD, considers that the infringement of “the basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned article 83 of the aforementioned RGPD, “with administrative fines of a maximum of € 20,000,000 or, in the case of a company dam, of an amount equivalent to a maximum of 4% of the total annual turnover overall for the previous financial year, opting for the highest amount ”. On the other hand, the LOPDGDD, for prescription purposes, in its article 72 indicates: “Violations considered very serious: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/14 1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a violation substantial declaration of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established two in article 5 of Regulation (EU) 2016/679. (…) " IV Also the conduct of sending emails to third parties violates article 32 of the RGPD "Security of the treatment", which establishes: "1. Taking into account the state of the art, the costs of application, and the nature of lence, scope, context and purposes of the treatment, as well as risks of probability and variable severity for the rights and freedoms of natural persons, the person responsible and the person in charge of the treatment will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes, among others: a) pseudonymisation and encryption of personal data; b) the ability to guarantee confidentiality, integrity, availability and resilience permanent maintenance of treatment systems and services; c) the ability to restore the availability and access to personal data of quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular attention will be paid to take into account the risks that the data processing presents, in particular as a consequence of the destruction, loss or accidental or illegal alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to said data. 3. Adherence to a code of conduct approved in accordance with article 40 or to a certification authority approved pursuant to article 42 may serve as an element to determine show compliance with the requirements established in section 1 of this article. 4. The person in charge and the person in charge of the treatment will take measures to guarantee that any person acting under the authority of the controller or processor and has access to personal data can only process said data following instructions from the res- responsible, unless required to do so under Union or State law members". The RGPD defines personal data security violations as “all those security breaches resulting in accidental destruction, loss or alteration or illicit personal data transmitted, stored or otherwise processed, or the communication unauthorized access or access to said data ”. From the documentation provided to the file, evidence that the respondent has violated the ar- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/14 Article 32 of the RGPD, when a security incident occurs in your system allowing the access to personal data, email addresses, when sent without using the blind copy option allowing the rest of the recipients to access the addresses of the other recipients of the communication with breach of the established technical and security measures. The respondent, on 09/30/2019, upon observing the remission of the second email, immediately realized diata to all recipients so that they were aware of said incident. It points out that since then no emails have been sent in which they have been provided personal data to other recipients. It is proven that the defendant did not have adequate measures in place regarding the treatment of data in communications to associates of your entity, considering it accredited the commission of this offense. The violation of article 32 of the RGPD is referenced in article 83.4.a) of the cited GDPR in the following terms: "4. Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of of a company, of an amount equivalent to a maximum of 2% of the turnover Global annual total for the previous financial year, opting for the highest amount: a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43. (…) " For its part, the LOPDGDD, in its article 73, for the purposes of prescription, qualifies as “Infringement tions considered serious ”: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a vulnerability substantial tion of the articles mentioned therein and, in particular, the following: (…) g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with as required by article 32.1 of Regulation (EU) 2016/679 ”. (…) " V The RGPD, without prejudice to what is established in its article 83, contemplates in its article 58.2 b) the possibility of attending the warning to correct the processing of personal data that do not conform to your forecasts. On the other hand, the following elements have also been taken into account, in particular. • It is a small entity whose main activity is not related to the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/14 processing of personal data. • It is not a company and its activity is not related to making a profit. • There is no recidivism, as the commission, within a year, of more than one offense of the same nature. Therefore, in accordance with the applicable legislation, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DIRECT an APPEARANCE sanction to SACRAMENTAL AND PENITENTIAL BROTHERHOOD OF OUR FATHER JESUS SACRAMENTED AND MARY SANTÍSIMA DE LA PIEDAD, AMPARO DE LOS LEONESES, with CIF G24294787, by: - An infringement of article 32 of the RGPD, in accordance with article 83.4.a) of the RGPD. - An infringement of article 5.1.f) of the RGPD, in accordance with article 83.5.a) of the GDPR. - An infringement of article 13 of the RGPD, in accordance with article 83.5. b) of the RGPD. SECOND: By virtue of article 58.2.d) of the RGPD, the claimed party is required to correct the information and the purpose of the use of shipments through e-mails, informing to this Agency within two months of the measures adopted. It is noted that the Failure to comply with the requirement may imply the infraction provided for in article 83.6 of the RGPD. THIRD: NOTIFY this resolution to SACRAMENTAL Y PENITENCIAL BROTHERHOOD OF OUR FATHER JESUS SACRAMENTED AND MOST BLESSED MARY OF THE PIETY, PROTECTION OF THE LEONESES FOURTH: In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a month from the day following notification of this resolution or directly contentious appeal administrative law before the Contentious-Administrative Chamber of the National Court, with in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may provisionally suspend the final administrative resolution if the interested party manifests his intention to file a contentious-administrative appeal. If this is the case, the The interested party must formally communicate this fact by writing to the Agency Spanish Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/14 remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that proves the filing effective contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the date following the notification of this resolution, it would terminate the suspension precautionary. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es