AEPD (Spain) - EXP202201681
AEPD - EXP202201681 (PS/00345/2022) | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR; Article 38(6) GDPR; Article 22(2) LSSI |
Type: | Complaint |
Outcome: | Upheld |
Started: | 21.12.2021 |
Decided: | |
Published: | |
Fine: | 14,000 EUR |
Parties: | COLEGIO OFICIAL DE ARQUITECTOS DE GRANADA |
National Case Number/Name: | EXP202201681 (PS/00345/2022) |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Sainey Belle |
The Spanish DPA fined a controller €5,000 for a conflict of interest in the exercise of its DPO's tasks. In addition, it issued a fine of €8,000 for lack of information on its website and another of €1,000 for the use of third-party analytical cookies without consent.
English Summary
Facts
On 21 December 2021, a data subject filed a complaint with the Spanish DPA alleging a number of data protection violations by the Official College of Architects of Granada, the controller.
In particular, the data subject argued that: a) the controller failed to inform the supervisory authority about the appointment of its DPO, pursuant to Article 34(1)(a) LOPDGDD; b) there was a conflict of interest between the functions performed by the person appointed to the position of DPO; c) there was a lack of adequate information in the controller's privacy policy; d) the controller was using non-essential cookies on its website without obtaining consent.
The DPA opened an investigation into the controller and notified it to present its defense. In response, the controller recognized that it was necessary to adapt its privacy and cookies policy, but claimed to be already conducting audits and implementing corrective measures. Regarding the alleged conflict of interest, the controller maintained that it was a mere presumption, not concretely demonstrated. However, it reported that it had appointed a new person for the position.
The DPA proceeded with the investigations and visited the controller's website to collect evidence.
Holding
The DPA highlighted the relevance of the DPO for ensuring compliance with data protection regulations. It recalled that this position is regulated in Articles 37 to 39 GDPR, provisions that were interpreted by the Article 29 Working Party in the Guidelines on Data Protection Officers. In addition to advice, the DPO fulfills other important functions such as carrying out DPIAs and internal inspections and being the point of contact with the supervisory authority. To adequately perform these tasks, independence is essential. In this sense, Article 38(3) GDPR provides that the DPO shall not receive instructions, be dismissed or punished by the controller/processor for exercising its functions.
As a general rule, conflicting positions within an organisation may include senior management positions (such as chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of human resources or head of the IT department), but also other positions lower down in the organisational structure if such positions lead to the determination of the means and purposes of the processing of personal data. For instance, a conflict of interest may arise if a DPO is asked to represent the controller or processor in court in data protection cases.
In the case at hand, the DPA found that the position held by the person appointed as the DPO was incompatible with the performance of these tasks as it could lead to the determination of the purposes and means of data processing. Therefore, it found a violation of Article 38(6) GDPR.
Furthermore, the DPA confirmed that the complaints sheet available on the controller's website did not provide all the necessary information required by Article 13 GDPR.
Finally, the DPA emphasized that, in its Opinion 4/2012 on cookie consent exemption, the Article 29 WP considered that cookies such as “user input cookies” (those used to fill in forms or to manage a shopping basket); “authentication” or “user identification cookies” (session); “user security cookies (those used to detect erroneous and repeated attempts to connect to a website)”; “media player session cookies”; “load balancing session cookies”; “user interface customization cookies”; and some plugins to exchange social content do not require consent to be used. However, after browsing the website, the DPA concluded that the controller installed analytical third-party cookies that were not described in its policy, which are not covered by the consent exemption. For this reason, the DPA found a violation of Article 22(2) LSSI.
In light of the above violations, the DPA imposed the following fines:
- €5,000 for the violation of Article 38(6) GDPR;
- €8,000 for the violation of Article 13 GDPR;
- €1,000 for the violation of Article 22(2) LSSI.
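The cookie check the decision describes (cookies present before any consent and again after pressing Reject, compared against the consent-exempt ones), as an added Python example that is not part of the decision or of the DPA's tooling. The capture, the phase names and the `analytics.example` / `visitor_id` placeholders are constructed; only `PHPSESSID` and `_GRECAPTCHA` come from the decision.

```python
"""Flag cookies set without consent that are not on an exemption allowlist."""
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlsplit

SITE = "coagranada.es"  # controller's site, as named in the decision

# The two cookies the decision treats as consent-exempt. The category
# labels are this example's wording for the Opinion 4/2012 groups.
EXEMPT = {
    "PHPSESSID": "session identification",
    "_GRECAPTCHA": "user security",
}

# Browsing phases in which no consent exists (phase names are assumptions).
NO_CONSENT_PHASES = {"first_load", "after_reject", "after_save_all_off"}

# Constructed capture: (phase, URL of the response, Set-Cookie value).
# analytics.example and visitor_id are placeholders, not from the decision.
CAPTURE = [
    ("first_load", "https://coagranada.es/", "PHPSESSID=k1; Path=/; HttpOnly"),
    ("first_load", "https://www.google.com/recaptcha/api.js",
     "_GRECAPTCHA=x9; Path=/recaptcha; Max-Age=15552000; Secure"),
    ("first_load", "https://analytics.example/map.js",
     "visitor_id=abc; Domain=analytics.example; Path=/; Max-Age=63072000"),
    ("after_reject", "https://analytics.example/map.js",
     "visitor_id=abc; Domain=analytics.example; Path=/; Max-Age=63072000"),
    ("after_accept", "https://analytics.example/map.js",
     "visitor_id=abc; Domain=analytics.example; Path=/; Max-Age=63072000"),
]


def is_third_party(url, site=SITE):
    """True when the responding host is neither the site nor a subdomain."""
    host = (urlsplit(url).hostname or "").lower()
    return not (host == site or host.endswith("." + site))


def parse_set_cookie(header):
    """Return (name, max_age_seconds or None); (None, None) if unparsable."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return None, None
    for name, morsel in jar.items():
        raw = morsel["max-age"]  # empty string when the attribute is absent
        return name, int(raw) if raw.isdigit() else None
    return None, None


def audit(capture, exempt=EXEMPT, site=SITE):
    """List non-exempt cookies that were set while no consent existed."""
    findings = []
    for phase, url, header in capture:
        if phase not in NO_CONSENT_PHASES:
            continue  # consent was given, so this check does not apply
        name, max_age = parse_set_cookie(header)
        if name is None or name in exempt:
            continue  # exemption is decided by purpose, not by who set it
        findings.append({
            "phase": phase,
            "cookie": name,
            "set_by": urlsplit(url).hostname,
            "third_party": is_third_party(url, site),
            "max_age": max_age,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```

`_GRECAPTCHA` is served from a third-party host yet is not flagged, while the placeholder analytics cookie is flagged both on first load and after Reject, which mirrors the distinction the DPA draws.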
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: EXP202201681 (PS/00345/2022)
RESOLUTION OF THE SANCTION PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency before the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA, with CIF.: Q1875003D, owner of the website, www.coagranada.es/ (hereinafter "the claimed party"), in by virtue of the claim filed by A.A.A., (hereinafter, "the claiming party"), for the alleged violation of data protection regulations: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI) and attending to the following:
BACKGROUND
FIRST: On 12/21/21, he entered this Agency, through the Council of Transparency and Data Protection of the Junta de Andalucía, document presented by the claimant, in which he indicated, among other things, the following: "It has been observed how the College repeatedly fails to comply with the current regulations on the protection of personal data, thus endangering the privacy of the data of the members and therefore Your rights. The first of the facts on which the present claim is formulated, refers to the absence of communication from the Data Protection Officer of the Official College of Architects of Granada to the Council of Transparency and Data Protection of Andalusia. Remember that according to the law current (Art. 34.1.A. of the LOPDGDD) the Professional Associations are obliged to designate a Data Protection Officer and therefore notification to the competent body, in this case the Council of Transparency and Data Protection of Andalusia. 
Likewise, and in relation to the appointment of Delegate for the Protection of Data, according to the accompanying document (Document nº1), the Governing Board of the College, in a session held on April 11, 2019 adopted the following agreement: "Appoint *** POSITION 1 of the College Architects Officer as Data Protection Delegate for the College of Architects” Regardless of whether the appointment could violate the requirements fixed by art. 37.5 of the GDPR, related to the qualities and knowledge of the DPD, what does seem evident is that said appointment could contravene the postulates of the Working Group of Art. 29 when in its document "Guidelines on Data Protection Delegates" indicate that the organization must guarantee the absence of conflict of interest in the figure of the DPD whenever it provides other functions, noting that "the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/60 DPD cannot hold a position in the organization that leads him to determine the purposes and means of processing. At the web address https://coagranada.es/quejas-y-reclamaciones/ corresponding to the website of the Official College of Architects of Granada, There are two links for downloading the respective forms for the formulation of complaints and claims, being able to observe in said printed (Documents No. 2 and 3) the existence of a privacy policy that does not meets all the requirements of the arts. 12 and 13 of the GDPR and what is more serious, it is indicated as Responsible for the Treatment to the *** POSITION 1 of the College, an issue that generates clear misinformation in interested parties, since as you know the body to which I am addressing the Responsible for the Treatment is not ***POSITION.1 but the College itself Official Architects of Granada, which can generate an obvious confusion and misinformation to stakeholders. It is even more serious, when the position of DPD and the GDPR falls on the same person, the ***POINT.1 of the School. 
The web page https://coagranada.es/ presents an informative notice about cookies that violates the latest guidelines of the AEPD since according to indicates in said informative notice that the mere use of the website implies the Acceptance for the installation of cookies. The privacy policy of the website of the Official College of Architects of Granada, which is available at the following web address (https://coagranada.es/politica-de-privacidad-y-tratamiento-de-datos/ (Document No. 4) has the following deficiencies: 1.- The data is not indicated Contact information for the Data Protection Officer. 2.- Incorrect application of the legitimizing basis of consent in section 5 of the policy, by choose this basis as the one that legitimizes the processing of personal data derived from the sending of emails, without stating a mechanism of expression of consent that meets the established requirements by current legislation. 3.- There is no clear and unequivocal identification of the legitimizing bases of data processing, since in section 3 of said policy literally states "Consent will always be required for the processing of your personal data that may be for one or more specific purposes about which prior information will be given with absolute transparency". However, later in section no. 6 of the web, other legitimizing bases other than consent are detailed, producing confusion about the true legitimizing bases applied by the entity. Likewise, it was possible to appreciate the existence of privacy policies not adapted to current regulations (eg visa application form that is attached as Document No. 5). Finally, it is wished to state that, as stated in the letter addressed to the Official College of Architects of Granada on 03-23- 2021 (Document No. 
6), there are well-founded reasons to believe that the disciplinary proceedings conducted by the College do not enjoy the corresponding technical and organizational measures that guarantee the confidentiality and integrity of the personal data contained in the themselves, since there is no record of incorporation of documents or proceedings to the file.
The claim document is accompanied by the following relevant documentation for the present procedure:
- Copy of the document that A.A.A., collegiate ***COLEGIADO.1, sends to the claimant, on 08/30/21, where, among others, you can read: or "(...) The Governing Board of the College in its session held on April 2019 adopted, among others, the following agreement: "(AIG) 04.11.19/08.- DESIGNATE THE *** POSITION. 1 OF THE OFFICIAL ASSOCIATION OF ARCHITECTS AS DELEGATE OF PROTECTION OF DATA FOR THE SCHOOL OF ARCHITECTS.” therefore i can inform you that, currently, the Data Protection Officer of the Official College of Architects of Granada is his *** POSITION. 1 D. B.B.B. (…)”.
- Copy of the "Complaint Sheet" of the Official College of Architects of Granada where you can read, among others, the following information with Regarding the data protection policy: o Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001 Granada. General Secretary . Area of Attention to the Collegiate and to user. The data collected will form part of the File of the COAGRANADA, being Responsible for ***POINT.1 of the same, to who will have to address in writing in the case of exercising the rights of access, opposition, rectification and cancellation, in accordance with the L.O.P.D. 
- Copy of the "Visa Application" addressed to the Dean of the Official College of Architects of Granada, where you can read, among others, the following Information regarding the data protection policy: o In accordance with the provisions of LO 15/1999 on Data Protection of Personal character, the existence of a file is reported automated whose purpose is the provision of the requested service. The Applicants expressly consent to the treatment and transfer of existing data in the automated file to the various Spanish Official Colleges of Architects and to other administrative bodies, for the purposes related to the function of visa. Signatories may exercise the right of access, rectification, opposition and cancellation in writing before the C.O.A. of Granada, with address at Plaza de San Agustín Nº 3, 18001 Granada, email coagranada@coagranada.org
SECOND: On 03/03/22, in accordance with the provisions of article 65.4 of the LOPDGDD Law, by this Agency, said claim was transferred to the claimed party, to proceed with its analysis and report, within a period of month, about what was stated in the claim document.
THIRD: On 04/01/22, the claimed party filed a response brief to the request made by this Agency, in which, among others, it stated: "Specifically, the claimant refers to the text of the Legal Notice of First Layer in relation to the Cookies Policy, which, as of the date of the claim, 12/21/21, showed: https://coagranada.sedelectronica.es/ “We use cookies to ensure that we give the best user experience on our website. If you continue to use this site we will assume that you agree agreement I accept.” This First Layer Legal Notice was located at the bottom of the screen, and the formula to obtain consent was exclusively by pressing the "I accept" button, that is, by means of an unequivocal action carried out by the user. 
However, when you continue browsing, the Initial Notice of First Layer kept appearing in case the user wanted to consult the Cookies Policy, which was found in the link located in the expression highlighted in orange we will assume that you agree. In its moment, it was interpreted that, by continuing to browse, the user was showing according to the notice provided. On March 29, 2022, this College contacted the company specialized in data protection adaptation services, the entity "PSN Sercon S.L.U.", which has analyzed and made a preliminary report on potential irregularities on the COA website, report attached to this document as annex I (INITIAL ANALYSIS OF THE OFFICIAL SCHOOL WEB OF ARCHITECTS OF GRANADA) in which the main non-compliances detected in a first approximation to the process of regularization and adaptation to the current regulatory framework on data protection and other legislation applicable to the COA Granada website. The work to adapt the Privacy Policy has already begun of the COA Granada website and its Cookies Policy, as can be check on the links: https://coagranada.es/politica-de-privacidad-y-tratamiento-de-datos/ https://coagranada.es/politica-sobre-recogida-y-tratamiento-de-cookies/ They indicate that work is being done to update and adapt them to current legislation. Efficacy controls referred to the Privacy Policy Privacy, the COA Granada, with the assistance of the entity PSN Sercon SLU, Currently they are the following: A redesign of the Privacy Policy and its Registry is being carried out of Treatment Activities following the criteria of the Document "Informe on Internet Privacy Policies, Adaptation to the GDPR”, 2018- AEPD. An annual audit program has been established, in line with the principle of proactive responsibility of art. 
24.1 of the GDPR In relation to the measures adopted for the adequacy of the use of cookies to the applicable regulations on data protection, since The First Layer of Cookies Notice has been modified, following the guidelines of the Document "Guide on the use of Cookies", published by the AEPD 2020. An audit of existing cookies on the website of the COA Granada, with the use of the tools recommended by the National Institute of Cybersecurity, INCIBE, https://www.incibe.es/protege-tu- company/blog/are-cookies-and-show-them-website for, later, carry out an analysis of its usefulness, necessity and validity. The result of this analysis is in the process of elaboration. Likewise, the mechanism to collect the consent, replacing it with a banner with the indications established by the applicable regulations: ownership of the website, purpose of cookies, existence of third-party cookies and the possibility of configuring cookies, rejection and acceptance of them. The Official College of Architects of Granada, through its Governing Board chaired by the Dean who signs this document, recognizes the need to adapt the cookie policy and its privacy policy. Is by For this reason, on March 30 of this year, it was decided to start immediately of the work of adequacy and adaptation of the aspects required by that AEPD in order to comply with the provisions both in the LOPDGDD, as well as in the RGDP and the LSSI. Consequently, by virtue of all of the foregoing, and given that the COAGranada, is in the process of implementing the measures corrective measures on its own initiative, respectfully requests that the FILE of the Claim that has given rise to File 202201681 This has been the criteria maintained by the Spanish Agency for the Protection of Data in its Resolution R/00461/2019 -Procedure No.: A/00013/2019. “Well, in view of the aforementioned circumstances, it is considered necessary emphasize that the National Court, in its Judgment of November 29, 2013, (Rec. 
455/2011), Sixth Legal Basis warns, regarding the legal nature of this figure, which despite referring to the warning regulated in article 45.6 of Organic Law 15/1999, of December 13, Protection of Personal Data (LOPD) has full application to the warning regulated by the LSSI, which "does not constitute a sanction" and which is It deals with "corrective measures for the cessation of the constitutive activity of the infraction" that replace the sanction. The Judgment understands that the article 45.6 of the LOPD (these considerations must be understood as done, so here it concerns article 39 bis, 2 of the LSSI) confers on the Spanish Agency of Data Protection a "power" different from the sanctioner whose exercise is conditioned to the concurrence of special circumstances described in the precept In congruence with the nature attributed to awareness -as a alternative to the sanction when, given the circumstances of the case, the subject of the infringement is not deserving of that- whose object is the imposition of corrective measures, the aforementioned SAN concludes that when the measures pertinent corrective measures had already been adopted, what is appropriate in Law It will be to agree on the File of the proceedings. In the present case, taking into account that the corrective measures that would proceed to impose were already adopted on its own initiative, and that it has been verified that cookies are not currently installed on the analyzed website, in harmony with the pronouncement of the National Court included in the SAN of 11/29/2013 (Rec. 455/2011) must agree to file the proceedings of this proceeding”. 
It is also worth mentioning Resolution R/03132/2016, of December 19, of that Spanish Data Protection Agency-Procedure No.: A/00411/2016-: “In congruence with the nature attributed to awareness as a alternative to the sanction when, given the circumstances of the case, the subject of the infringement is not deserving of it, the Judgment of the Hearing The cited National concludes that when the corrective measures object of the warning had already been adopted by the offender, what is appropriate in The right is to agree to file the proceedings. In view of the pronouncement contained in the Judgment of the Hearing National of 11/29/2013 (Rec. 455/2011), subsequently reinforced in its Judgment dated 06/10/2014 (RJCA 2014, 571) (Rec. 166/2013), references to the cases in which the subject responsible for the infringement has adopted the appropriate corrective measures to remedy the situation created, and in harmony with what has been indicated, the proceedings must be filed practiced.”. And, likewise, the Resolutions of that AEPD R/02863/2016 of December 14 - Procedure No.: A/00242/2016-, R/02906/2015 of December 17 November- Procedure No.: A/00172/2015- or R/00001/2015 of 145 of January- Procedure No.: A/00289/2014. The Judgment of the National Court (Chamber of Administrative Litigation, Section 1) of November 29, 2013 - JUR 2014\14399-established the following: "However, given that it was proven that the denounced by initiative itself had already adopted a series of corrective measures , which it communicated to the Spanish Data Protection Agency, and that it had verified that the data of the complainant were no longer locatable on the website of the accused, the Spanish Data Protection Agency did not consider it appropriate to impose on the denounced the obligation to carry out other corrective measures, therefore that it did not agree to any requirement in this regard to it. 
Remember that at having knowledge of the complaint, the denounced entity, proceeded by own initiative to go to Google to remove the URL where reproduced the Magazine and the article, to ask their collaborators to remove any names from their articles or any other information likely to appear personal data and that they review the appointments in the private area of the web to delete any other sensitive data, and, finally, to review the configuration of the accesses so that the search engines did not have access to the Journals. Consequently, if the AEPD considered that the corrective measures had already been pertinent in the case, how it happened, as expressed in the resolution appealed, the appropriate administrative action in law was the file of the proceedings, without making any warning or request to the denounced entity, as this is deduced from the correct interpretation of the Article 45.6 of the LOPD, taking into account its systematic and teleological interpretation." Judgment no. 447/2016 of 23 September and no. 363/2016 of July 8, issued by the National Court (Contentious-Administrative Chamber, Section 1)-RJCA 2016\1072 and JUR 2016\166417- "Consequently, when, as occurs in the case that we occupies, given the circumstances of the case and, in particular, the nature of the facts and the significant concurrence of the criteria established in the fifth paragraph of article 45 of the LOPD, it is estimated that the subject responsible for the infringement is not deserving of the sanction provided for the itself, and that in its place the obligation to carry out certain corrective measures, proceeding therefore the application of the article 45.6 of the LOPD, there is no room for the imposition of any "warning" as a sanctioning measure. 
On the contrary, what proceeds in such a case is to "warn" or require the responsible subject in order to comply in the term indicated with such obligation, as is clear from the interpretation of the legal precept examined>> . In the same sense, it Pronounce S October 17, 2014 (JUR 2014, 267483) -appeal No. 150/2013 -, May 8, 15 (JUR 2015, 154993) -appeal No. 122/2014 -, and July 8 of 2016 (JUR 2016, 166417) -appeal No. 242/2014 - Therefore, based on the foregoing, it is not applicable, as claimed by the plaintiff, the warning, instead of the financial sanction imposed, since As has been reflected, the warning included in the LOPD does not have punitive nature”.
FOURTH: On 07/27/22, this Agency accessed the document "Collective Complaints and Claims Sheet": https://coagranada.es/wp-content/uploads/2021/02/Hoja_queja_reclamaciones_colegiados_V02.pdf , where you can read, at the bottom of it, below the form, the following legend: “Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001 Granada. General Secretary . Area of Attention to the Collegiate and to the User. The data collected will form part of the COAGRANADA File, being the Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing in the case of exercising the rights of access, opposition, rectification and cancellation, in accordance with the L.O.P.D.”
FIFTH: On 07/27/22, this Agency accessed the website https://www.coagranada.es/ verifying in it, the following characteristics regarding the processing of personal data, about its "Privacy Policy" and about its “Cookie Policy”:
a).- Regarding the obtaining of the personal data of the users of the page Web: 1º.- Through the link <<contact>>, located at the top of the page main page, the web displays a form where you can enter personal data of users such as name, email and subject. 
In order to send the form, the user must necessarily click on the option: _ I have read and accept the <<Privacy Policy>> <<send>>
b).- About the "Privacy Policy" on the website If you wish to access the "Privacy Policy" through the existing link in the contact form or through the existing link at the bottom of the page main, the web redirects the user to a new page https://coagranada.es/politica-de-privacidad-y-tratamiento-de-datos/, where information is provided, regarding the protection of personal data of: the identity of the owner of the website and the Delegate Data Protection; the purpose of the personal data obtained from the collegiate; training/events; web users; citizen services; Within conservation of personal data obtained; the legitimacy of the treatment of personal information; the recipients; on the rights that assist users and where and how to request them, as well as the possibility of filing a claim with the competent authority.
c).- About the Cookies Policy on the web: The inspection is carried out with the developer tools that provided by the Mozilla Firefox browser, in which the cache and cookies have been removed. The tool has also been used EDPS (Web Evidence Collector) for analysis Observing the cookie installation panel, it can be verified that a session cookie PHPSESSID and another from Google, _GRECAPTCHA. According to Opinion 4/2012 of WP 194 on the exemption of the requirement of cookie consent, the exemption applied to authentication cookies could apply to others introduced specifically to strengthen the security of the service requested, for example, those cookies whose purpose is to detect attempts erroneous and repeated connection to a website or for protection of the information system connection against abuses such as _GRECAPTCHA. 
However, after browsing the website, it is observed that cookies are installed from third parties of a non-excepted nature, which are not reported in the policies, to despite not having given consent through the banner. the circumstance is given that these analytical cookies are installed through the insertion of a map interactive program of the Institute for Geoenvironmental Health of the Vivo Sano Foundation in the page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/ .
2.- There is an information banner about cookies on the main page with the following message: “We use our own and third-party cookies for analytical, functional, performance to offer services appropriate to your profile, as well as own advertising and from third parties. The basis of treatment is consent, except in the case of Essential cookies for the proper functioning of the website. can accept all cookies by clicking the <<ACCEPT>> button or configuring them or rejecting their use pressing the <<CONFIGURE>> button. You can get more information in our <<Cookie Policy>>, <<Accept>> <<Reject>> <<Settings>> If you wish to reject all cookies that are not technical or necessary, clicking in the <<reject>> option, it is checked how the web continues to use the same third-party cookies (from Google) indicated above.
3.- If the cookies control panel is accessed through the link <<Configure>>, the web displays a page or control panel verifying that the groups of cookies They are pre-marked in the “deactivated” option:
- Strictly Necessary Cookies: Off On.
- Analytical and Advertising Cookies: Off On.
- Functional Cookies: Off On.
- Analytical Cookies: Off On.
<<Save Changes>> <<Activate All>> If you choose "Save changes" without having accepted any group of cookies, you will Check how the web continues to use the same cookies indicated above. 
4.- If you want to access the "Cookies Policy" through the existing link in the information banner of the first layer, through the existing link in the panel control or through the existing link at the bottom of the main page, the web redirects the user to a new page https://coagranada.es/politica-sobre-recogida-y-tratamiento-de-cookies/ where information is provided on: what are cookies, definition and generic function of cookies; types of cookies; what type of cookies are used in the web and what is its purpose; how to disable cookies; cookies identify used and information is provided on how to accept, deny, revoke the consent or eliminate cookies, through the tools installed in the web or through browsers installed on the terminal equipment.
SIXTH: On 09/06/22, the Director of the Spanish Agency for the Protection of Data agreed to initiate disciplinary proceedings against the claimed party, in accordance with the provided in articles 63 and 64 of the LPACAP, when appreciating reasonable indications of violation of the provisions of the articles:
- Article 38.6 of the GDPR, due to the conflict of interest detected in the appointment of *** POSITION 1 of the Association as Delegate of Protection of data, with an initial sanction of 5,000 euros (five thousand euros). Also, it warned that the alleged offence, if confirmed, may lead to the imposition of measures, according to article 58.2 d) of the GDPR. Along with it and In accordance with article 58.2 of the GDPR, it was also indicated that the measure corrective action that could be imposed would be to order him to name a Data Protection Officer in which he was not involved in a conflict of interest, as stipulated in article 38 of the GDPR.
- Article 13 of the GDPR, due to the lack of information provided in the data sheets claims, about the processing of personal data obtained, with an initial penalty of 8,000 euros (eight thousand euros). 
Along with it and In accordance with article 58.2 of the GDPR, it was indicated that the measure corrective action that could be imposed would be to order him to include, in the forms used in the School, where personal data is obtained, all the information referred to in article 13 of the GDPR, referring to the treatment of Personal information.
- Article 22.2 of the LSSI, regarding the use of third-party cookies from non-excepted character, without the consent of the user, with a penalty initial amount of 1,000 euros (one thousand euros).
SEVENTH: On 09/29/22, the claimant entity submits a written statement of allegations to the initiation of the file in which the procedure is requested to be archived based on the following considerations:
1.- Regarding the conflict of interest regarding the data protection officer of This College.- It points out that such a “conflict of interest” cannot be presumed, as has been said, taking only as a basis the Statutes of COAGranada, in relation to the composition and functions of the Governing Board, of the Permanent Commission and of the functions of ***POINT.1 of COAGranada, since, of the statutory precepts that are invoked by that AEPD (14.1, 13.2, 15 and 17) no existence of any “conflict of interest” on the part of ***POINT.1 of COAGranada regarding the protection of the interests of the Collegiate and third parties, in terms of protection of data. Regarding the violation of art. 38.6 of the GDPR, referring to the eventual "conflict of interests”, the enumeration of functions of the Board is inappropriate and insufficient of Government, as well as of the Permanent Commission and of ***PUESTO.1, all of them established in the Particular Statutes of the Official College of Architects of Granada, to reach the conclusion that "the existence of a conflict is evident of interest by ***POSITION.1 of the Official College of Architects of Granada to act as DPD of said Body. 
COAGranada proceeded to appoint its ***POSITION.1 as DPO, thus guaranteeing the participation of the Data Protection Officer in all issues relating to the protection of personal data and, for support and advice, provided him with the assistance of the external Legal Department.
Reference is also made to the fact that COAGranada's designation of its ***POSITION.1 as Data Protection Officer was the subject of a complaint before this Agency dated July 8, 2021 by the same claimant, which was archived by Resolution of this AEPD on 11/11/21. Therefore, there are two contradictory resolutions: in the first, no infringing conduct is imputed regarding the appointment of ***POSITION.1 of the College as Data Protection Officer and, in the second, COAGranada is accused of a violation of art. 38.6 of the GDPR on account of that same appointment.
Finally, it states that the Official College of Architects of Granada adopted the decision to appoint a new Data Protection Officer on April 26, 2022, anticipating the proposed corrective action, and requests that this decision be taken into account under art. 83.2.c) of the GDPR.
2.- On the lack of information in the forms on "complaints and claims". Regarding the sanction for the violation of art. 13 GDPR, it states that it has incorporated all the information referred to in art. 13 of the GDPR into the forms available to both College members and the general public, and requests that this measure be taken into account under art. 83.2.c) of the GDPR.
3.- On the cookie policy. It states that the breach is due to the use of a third-party cookie by an interactive map and requests that, in setting the amount of the sanction, account be taken of the absolute absence of guilt or illegality of the act as a consequence of the significant concurrence of several of the criteria set out in article 40, based on the following:
- Intentionality: COAGranada made the interactive map available to its members to facilitate compliance with the provisions of Royal Decree 732/2019, of December 20, which modified the Technical Building Code approved by RD 314/2006, of March 17, providing information on the basic concepts related to the regulatory modification, without collecting any information.
- Period of time during which the possible infringement was committed: the map has already been removed from the website and was available to the public between February 10, 2022 and September 20, 2022, the day on which it was withdrawn.
- Recidivism due to the commission of offences of the same nature: this College has not previously been convicted of any similar offence.
4.- Regarding the improper or erroneous interpretation of article 77.2 of the LOPDGDD. At this point, the application of article 77.2 of the LOPDGDD is reiterated in the same terms already stated in its letter dated 04/1/22.
Regarding the aforementioned article 77 of the LOPDGDD, it alleges that the AEPD distinguishes between the public and "private" functions exercised or held by Professional Associations, but states that these associations of professionals are Public Law Corporations and considers that it is not appropriate to classify as "private functions" only those that are the object of the alleged infringing conduct and to "disconnect" them, without any reason or justification, from public functions, within which they can also be fully included.
It then reproduces the statutory precepts invoked, which imply the exercise of public functions that extend fully to the conduct alleged, and which can perfectly overlap with such public functions, such as article 13.2, "It will correspond to the Governing Board, specifically"; article 15, the Permanent Commission; and article 17, ***POSITION.1, "It corresponds to ***POSITION.1:".
It is also stated that the Spanish Data Protection Agency, in its Resolutions of May 24, 2021, Procedure No.: PS/00416/2020, and of May 11, 2021, Procedure No.: PS/00347/2020, adopted a different criterion towards Public Law Corporations from that followed in this sanctioning proceeding.
EIGHTH: On 04/10/23, this Agency once again accessed the web page https://www.coagranada.es/ and observed the following characteristics regarding its "Cookies Policy":
When entering the website for the first time, once the terminal equipment has been cleared of browsing history and cookies, without accepting new cookies or taking any action on the web page, it was verified that a single cookie, "_GRECAPTCHA", is used, whose purpose is to provide its risk analysis, such as detecting erroneous and repeated connection attempts.
NINTH: On 04/10/23, this Agency accessed the complaints and claims form of the College of Architects of Granada, accessible through the link https://coagranada.es/quejas-y-reclamaciones/, and verified that the following message can be read on it:
Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001 Granada. General Secretary. Area of Attention to the Collegiate and the User.
In compliance with the provisions of EU Regulation 2016/679, of 27 April 2016, hereinafter GDPR, the Official College of Architects of Granada, with address at PLAZA DE SAN AGUSTÍN 3, 18001 GRANADA and NIF nº Q1875003D, informs you that the purpose of the collection and processing of your data through this form is the administrative, fiscal and accounting one provided for in the legislation on professional associations and our statutes. Your data may be communicated to the General Council of Official Colleges of Architects, related organizations and the Public Administration, without prejudice to other transfers provided for by law. Your data will be kept for the time necessary to comply with legal obligations. You can consult additional information on this processing at any time or exercise the rights of access, rectification, deletion and opposition, portability and limitation of processing by directing your request to the address indicated above or by email to protecciondedatos@coagranada.org. Also, if you consider your right to the protection of personal data violated, you may file a claim with the Spanish Data Protection Agency (www.agpd.es).
TENTH: On 04/10/23, a resolution proposal was formulated to the effect that the claimed party be sanctioned: for the infringement of article 38.6 of the GDPR, for the conflict of interest detected in the appointment of ***POSITION.1 of the College as Data Protection Officer, with a penalty of 5,000 euros (five thousand euros); for the infringement of article 13 of the GDPR, for the lack of information provided in the claims forms on the processing of the personal data obtained, with a penalty of 8,000 euros (eight thousand euros); and for the violation of article 22.2 of the LSSI, regarding the use of non-exempt third-party cookies without the consent of the user, with a sanction of 1,000 euros (one thousand euros).
Likewise, it was proposed that the claimed party be required to adopt, within the term determined, the necessary measures to adapt its conduct to the personal data protection regulations.
ELEVENTH: On 04/28/23, this Agency received a written statement of allegations to the proposed resolution, in which the claimed party reiterates and confirms its previous allegations and once again requests that the procedure be archived. In this letter, the defendant states the following:
FIRST.- REGARDING THE "CONFLICT OF INTERESTS" OF THE ***POSITION.1 OF THIS COLLEGE AS DATA PROTECTION OFFICER, THE PROPOSED RESOLUTION IS INCONSISTENT AND CONTINUES IF DISTORTING THE PRINCIPLES OF CLASSIFICATION AND LEGALITY, PERSONAL TO THE SANCTION PROCEDURE, WHICH OPERATE IN FAVOR OF COAGRANADA AND AGAINST THAT AGENCY.-
The Draft Resolution does not actually refute the allegations made by this College, especially regarding the violation of the principles of typicality and legality. Moreover, without addressing and dealing with these principles invoked in our pleadings brief, it considers, without foundation or any piece of evidence - Cfr.
Last paragraph of FD II a) that "the existence of a conflict of interest on the part of ***POSITION.1 of the Official College of Architects of Granada to act as DPO of said body is evident".
At this point it is necessary to remember that this Agency continues to rely on some "Guidelines" or "best practices" of the Working Group on Data Protection. It is clear that any administrative offence must have as its inexcusable foundation a normative element (a law or regulation) which, in the present case, does not exist, since it is entirely inappropriate to take as the basis of imputation some guidelines or recommendations, given that this implies a violation of the principles of typicality and legality.
Even in article 29 of the "Guidelines on data protection officers (DPO)" of said Working Group, what is set out is an "example" (that "a DPO be asked to represent the controller or the processor before the courts in cases related to data protection"). The mere fact of mentioning an example in a sanctioning procedure already implies per se dispensing with the essential factual element that must distort the principle of presumption of innocence and, likewise, even applying it as an implausible example, there are no similar circumstances in the present sanctioning procedure.
On the other hand, the considerations of the aforementioned "Working Group" regarding the "conflict of interest" of the DPO are extremely generic and can in no way serve as a basis to overcome the aforementioned presumption of innocence. Moreover, even applying such "Criteria" -which is not rejected either would result in the existence of a "conflict of interest" to appoint the ***POSITION.1 of the College, with the assistance and support of the Legal Department of COAGranada, as DPO.
The "Criteria" themselves establish that the determination or consideration of the existence of a "conflict of interest" in the figure of the DPO must be "considered on a case-by-case basis", which that AEPD has not done.
In this sense, it is worth mentioning the Judgment of the Court of Justice of the European Union (Sixth Chamber) of February 9, 2023, Case C-453/21:
"Fourth question referred for a preliminary ruling
43 Third, as regards the context of article 38, section 6, of the GDPR, it should be noted that, according to article 39, paragraph 1, letter b) of the GDPR, the data protection officer has the function, in particular, of supervising compliance with the provisions of the GDPR, other data protection provisions of the Union or of the Member States and the policies of the controller or the processor regarding the protection of personal data, including the assignment of responsibilities, awareness raising and training of staff involved in processing operations, and the corresponding audits.
From this it can be deduced that a data protection officer cannot be entrusted with functions or tasks that would lead him to determine the purposes and means of the processing of personal data of the controller or its processor. Indeed, in accordance with Union law or the law of the Member States on data protection, the control of these purposes and means must be carried out independently by said officer.
The determination of the existence of a conflict of interest, within the meaning of article 38, paragraph 6, of the GDPR, must be carried out on a case-by-case basis, on the basis of an assessment of all the relevant circumstances, in particular the organizational structure of the controller or its processor, and in the light of all applicable regulations, including any policies of the latter.
In view of all the above considerations, the reply to the fourth question referred is that Article 38(6) of the GDPR must be interpreted as meaning that there may be a "conflict of interest", within the meaning of this provision, when a data protection officer is entrusted with other functions or tasks that would lead him to determine the purposes and means of the processing of personal data within the controller or its processor, which is for the national court to determine in each case on the basis of all the relevant circumstances, in particular the organizational structure of the controller or its processor, and in the light of all applicable regulations, including any policies of the latter.
By virtue of all of the above, the Court of Justice (Sixth Chamber) declares:
(...) 2) Article 38, paragraph 6, of Regulation 2016/679 must be interpreted as meaning that there may be a "conflict of interest", within the meaning of this provision, when a data protection officer is entrusted with other functions or tasks that would lead him to determine the purposes and means of the processing of personal data within the controller or its processor, which is for the national court to determine in each case on the basis of all the relevant circumstances, in particular the organizational structure of the controller or its processor, and in the light of all applicable regulations, including any policies of the latter."
On this point, that Agency confuses the very concept of "conflict of interest" when it seems to equate the position of ***POSITION.1 of the College with "management positions", given that, as a result of the application of article 17 of the Particular Statutes of COAGranada, it is evident that ***POSITION.1 does not in any way hold such senior management functions. This concept is also applicable to other types of entities, not to COAGranada. To these considerations, as could not be otherwise, that AEPD offers no response or factual or legal foundation that distorts them.
And this is especially relevant, given that the expression "conflict of interest" implies the application of an indeterminate legal concept that, in a disciplinary procedure, as one that restricts rights, must be applied with extreme caution and with strong factual, evidentiary and legal-regulatory support, none of which has happened in the present case. The "conflict of interest" has to be proven by that Agency and not presumed, which is what has happened in this sanctioning procedure.
It is not possible to presume, as has been said, such a "conflict of interest" taking as a basis only the Statutes of COAGranada, regarding the composition and functions of the Governing Board, the Permanent Commission and the functions of ***POSITION.1 of COAGranada, since the statutory precepts invoked by that AEPD (14.1, 13.2, 15 and 17) do not show the existence of any "conflict of interest" on the part of ***POSITION.1 of COAGranada regarding the protection of the interests of College members and third parties in terms of data protection.
That is to say, from the statutory precepts that regulate the functions of the Governing Board (Art.
13.2), its composition (Article 14.1), the Permanent Commission of the Governing Board (article 15) and, especially, the powers of ***POSITION.1 (article 17), the performance of functions that imply a "conflict of interest" with the figure of the DPO can in no way be inferred.
COAGranada proceeded to appoint its ***POSITION.1 as DPO, thus guaranteeing the participation of the DPO in all issues relating to the protection of personal data and, for support and advice, provided him with the help and assistance of the Legal Department of COAGranada.
2.- As has been said, the sanctioning power of the Public Administration is directly linked to the principles that inspire criminal law, given that both powers are an expression of the legal system of the State, as expressed in the Constitutional Text itself (art. 25) and recognized by the jurisprudence of the Constitutional Court since STC 18/1981, of June 8, and a much reiterated jurisprudential doctrine of the TS (STS September 29, 1980, STS November 4, 1980 and STS November 10, 1980, among others).
The sanctioning power of the Administration has its constitutional basis in article 25 of the CE. It is reiterated doctrine of the Constitutional Court (STC 77/83, of October 3; STS 42/87, of April 7; STC 29/1989, of February 6) that the administrative sanctioning order includes a double guarantee: the first, of a material nature, supposes the need for normative predetermination of the illegal conduct and the corresponding sanctions, through legal precepts that allow predicting, with a sufficient degree of certainty, the conduct that constitutes an infraction and the applicable penalties or sanctions.
It appears derived from the binding mandate or "lex certa" and is specified in the requirement of normative predetermination of illegal conduct and of the corresponding sanctions, which places on the legislator the duty to configure them in the sanctioning laws with the greatest possible precision (principle of typicality) so that citizens can know in advance the scope of what is proscribed and thus foresee the consequences of their actions (STC 242/2005, of October 10 and STC 162/2008, of December 15).
The second, of a formal nature, refers to the rank of the norms that typify the infractions and regulate the sanctions, insofar as the term "current legislation" contained in art. 25.1 CE expresses a reservation of law. Therefore, the formal guarantee implies that the law must contain the determination of the essentials.
The material guarantee thus constitutes the aforementioned principle of typicality, which "supposes the imperative need for normative predetermination of the infringing conduct and the corresponding sanctions, that is, the existence of legal precepts (lex previa) that allow predicting with a sufficient degree of certainty (lex certa) such conduct and knowing what to expect in terms of responsibility and eventual sanction" (Cf. STC 61/1990, of March 29 and STC 24/1996 of February 13; STS April 20, 2006; STS November 18, 2000; STS December 20, 1999; SAN of December 2, 2011; STS No. 74/2017, Contentious-Administrative Chamber, of January 23).
For its part, article 27 of Law 40/2015, of October 1 -LRJSP-, includes the so-called principle of typicality, according to which only violations of the legal system that a Law provides for as such constitute administrative infractions.
The principle of classification, related to that of legality, requires that the act alleged to be unlawful be expressly provided for as an infraction in some precept of the administrative legal system. For conduct to be classified as typical, and therefore unlawful and punishable, there must be a coincidence between the action carried out by the actor and the conduct set out in the applicable legal precept.
Through the application of the principle of typicality, the aim is to verify whether an event that occurred in reality meets all the characteristics described in the law as prerequisites for the infringement of a rule of a punitive nature. For this, the action must be subsumed in a sanctioning precept, understood as that part of the offence that describes all the subjective and objective elements that, as a whole, give rise to the infringement of the rule.
According to Judgment no. 4672/2022, of December 23, of the Superior Court of Justice of Catalonia (Contentious-Administrative Chamber, Section 4) -JUR 2023\48531-: "Requirements of the principle of classification in administrative sanctioning matters that, as is well known, despite the notable conciseness and taking into account the implicit content of the aforementioned article 25 of the Constitution (judgment of the Constitutional Court 34/1996, of March 11 (RTC 1996, 34)), have been highlighted since early times by constitutional jurisprudence in relation to what has been called the material guarantee of the principle of legality (among many others, from the judgment of the Constitutional Court 42/1987, of April 7 (RTC 1987, 42), to the judgments of the Constitutional Court 3, 11, 12, 100 and 101/1988, of June 8 (RTC 1988, 101), 161, 200 and 219/1989, of December 21 (RTC 1989, 219), 61/1990, of March 29 (RTC 1990, 61), 207/1990, of December 17 (RTC 1990, 207), 120 and 212/1996, 133/1999, of July 14, 142/1999, of July 22 (RTC 1999, 142),
and 60 and 276/2000, of November 16 (RTC 2000, 276)), which comes to be identified with the traditional principle of typicality of administrative offences and sanctions (judgments of the Supreme Court, Third Chamber, of January 16 and June 8, 1992, February 5 and October 2, 2002) and which always requires the necessary and certain normative predetermination of the specific conduct that, by action or omission, is deemed to constitute an administrative offence, with the prohibition of analogical or extensive interpretations in malam partem (ruling of the Constitutional Court 125/2001, of June 4 (RTC 2001, 125), citing its previous judgments 81/1995, of June 5 (RTC 1995, 81), 34/1996, of March 11 (RTC 1996, 34), 64/2001, of March 17 (RTC 2001, 64), and orders of the Constitutional Court 3/1993, of January 14, and 72/1993, of March 1; as well as judgments of the Supreme Court, Third Chamber, of May 30, 1981, of June 4, 1983, of December 29, 1987, of October 20, 1998, of February 22, 2000 and March 3, 2003). Or, to put it in the words of the Constitutional Court itself, among many other previous and subsequent ones, in its judgment 113/2002, of May 9 (RTC 2002, 113), in the following terms:
"(...) Specifically, in relation to the material guarantee to which the sanctioning power of the Administration is subject, we have specified that normative predetermination supposes the existence of legal precepts (lex previa) that allow predicting with a sufficient degree of certainty (lex certa) the infringing conduct and knowing in advance what to expect in terms of the attached responsibility and the eventual sanction that the offender may deserve (STC 219/1989, of December 21, FJ 4; 61/1990, of March 29, FJ 7; and 133/1999, of July 15, FJ 2)".
It is also well-consolidated jurisprudential doctrine that, in the exercise of its sanctioning power, the sanctioning administration does not properly exercise an administrative power of a discretionary nature but rather a predominantly regulated one, for the application to each specific case of the sanctioning normative framework pre-established with a general nature in the applicable legal system, which entails, from the outset, the requirement of the necessary adequacy and rigor in the classification of the imputed facts and in their precise placement and adequate subsumption in the infringing type legally defined for their correction, in such a way that the contrary would certainly determine a violation of the subjective fundamental right recognized by the current constitutional text ex article 25.1 of the Constitution (sentences of the Constitutional Court 77/1983, of 3 of October (RTC 1983, 77) ,199 7 and 3/1988, of January 21 (RTC 1988, 3)), which, because it is subject to constitutional protection, would cause a sanctioning administrative action infringing it to incur the defect of full nullity today provided for in article 47.1.a) of Law 39/2015".
3.- Finally, in relation to the non-compliance related to the appointment of the DPO, it must be recorded that, prior to the receipt of Resolution PS/00345/2022, as is known to that Agency, COAGranada adopted the decision to appoint a new Data Protection Officer on April 26, 2022, with electronic receipt no. REGAGE22e00014921519, meeting the requirements of art. 38 of the GDPR. This College has anticipated the proposed corrective measure and we request that this decision be taken into account under art.
83.2.c) of the GDPR, which establishes the following: "[…] When deciding to impose an administrative fine and its amount in each individual case, due account shall be taken of: c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties." On this point we also invoke the application of proportionality under art. 29.3 LRJSP.
SECOND.- ON THE LACK OF INFORMATION IN THE FORMS ABOUT "COMPLAINTS AND CLAIMS".
Regarding the sanction for the violation of art. 13 GDPR, what is stated in the First Allegation is reiterated, in the sense that no response is given and what is alleged by COAGranada in its pleadings is addressed. Thus, and as stated therein, the proposed corrective action was applied as soon as this fact became known, all the information referred to in article 13 of the GDPR having been incorporated into the forms available to both College members and the general public, for which reason we request that this measure be taken into account under art. 83.2.c) of the GDPR.
On this point, related to what is stated in the First Allegation, the lack of an essential element implies that the active subject has not committed the conduct described in the type allegedly violated by its action, which is therefore perfectly lawful. That is, atypicality determines the absence of responsibility of the subject and, hence, the impossibility of deploying the effects of the ius puniendi on the subject.
Furthermore, for the action to be considered typical, and therefore to produce legal effects, the so-called subjective elements of typicality must concur together with the objective elements. The principle of subjective typicality requires that, in order to impute and sanction an action, the voluntary nature of the active subject's conduct be confirmed.
In this sense, jurisprudence has repeatedly required the existence of guilt in order to impose an administrative sanction, to the point that today it is configured as one of the pillars on which sanctioning administrative law is built, ruling out any sanction outside of intentional or negligent conduct and, therefore, ruling out what has traditionally been called strict liability.
Specifically, regarding guilt, the Constitutional Court has declared that the Spanish Constitution undoubtedly enshrines the principle of guilt as a basic structural principle of criminal law, and has added that, nevertheless, the constitutional consecration of this principle does not in any way imply that the Constitution has adopted a particular way of understanding it (Cf. STC 150/1991).
This principle of culpability governs in matters of administrative infractions because, to the extent that the sanction of such an infraction is one of the manifestations of the ius puniendi of the State, a regime of strict or no-fault liability is inadmissible in our system (Cf. STC 76/1990).
This same judgment requires guilt in the case of administrative infractions committed by legal entities, affirming that "...Even this TC has described as "correct" the principle of personal responsibility for one's own acts -the principle of the personal nature of the penalty or sanction- (STC 219/1988). All this, however, does not prevent our Administrative Law from admitting the direct liability of legal persons, thereby recognizing their capacity to infringe. This does not mean at all that, in the case of administrative offences committed by legal entities, the subjective element of guilt has been suppressed."
Law 40/2015 itself, on the Legal Regime of the Public Sector, provides in its Article 28 that "only natural and legal persons, as well as, when a Law recognizes their capacity to act, affected groups, unions and entities without legal personality and independent or autonomous estates, who are responsible for them by way of fraud or negligence, may be penalized for acts constituting an administrative infraction".
The majority jurisprudence of our Supreme Court (since its judgments of January 24 and 25 and May 9, 1983) and the doctrine of the Constitutional Court (since its STC 76/1990) emphasize that the principle of guilt, even without explicit recognition in the Constitution, is inferred from the principles of legality and prohibition of excess (art. 25.1 CE), or from the requirements inherent to the rule of law, and require the existence of fraud or fault.
The requirement of guilt in sanctioning administrative law has permeated the jurisprudence of the Supreme Court in the different material areas in which it has had the opportunity to rule, with strict liability, that is, liability regardless of any wrongdoing, ruled out by legal and constitutional requirement. In this way, the principle of guilt constitutes an essential element of the administrative offence.
THIRD.- ABOUT THE COOKIES POLICY
In relation to the sanction proposal "About the Cookies Policy", as the Resolution Proposal itself acknowledges, when entering the website for the first time, without accepting cookies or performing any action on the page, it can be verified that cookies that are not technical or necessary are not used. The breach detected is due to the use of a third-party cookie by an interactive map. Based on art.
39 bis a) of Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce, we request that, in setting the amount of the sanction, account be taken of the absolute absence of guilt of the defendant or illegality of the act as a consequence of the significant concurrence of several of the criteria set forth in article 40, based on the following:
- Intentionality: COAGranada made the interactive map available to its members to facilitate compliance with the provisions of Royal Decree 732/2019, of December 20, which modified the Technical Building Code approved by Royal Decree 314/2006, of March 17, providing information on the basic concepts related to the regulatory modification, without the intention of collecting any information.
- Period of time during which the possible infringement was committed: the map has already been removed from the website and was available to the public from February 10, 2022 until it was withdrawn on September 20, 2022.
- Recidivism by commission of infractions of the same nature: this College has not previously been convicted of any similar offence.
At this point, as in the Allegation above, the principle of guilt is invoked and, in addition, that of proportionality.
FOURTH.- WE UNDERSTAND THAT THE PROPOSED RESOLUTION REITERATES THE IMPROPER OR WRONG INTERPRETATION OF ARTICLE 77.2 OF ORGANIC LAW 3/2018, OF DECEMBER 5, ON THE PROTECTION OF PERSONAL DATA AND GUARANTEE OF DIGITAL RIGHTS -LOPDGDD-.
We invoke the application of article 77.2 of the LOPDGDD in the same terms that we already set out in our letter dated April 1, 2022.
And it is that, here it is also necessary to remember that we are in the heart of a disciplinary procedure, in which they are applied, as inspiring principles of the criminal order, that of presumption of innocence and that of in dubio pro reo. Regarding the aforementioned article 77 of the LOPDGDD, that Agency distinguishes the public and "private" functions exercised or held by the Colleges Professionals. But it is that, in addition to being associative entities of professional, privately-based, the fundamental thing for the purposes that we here occupy, is that they are Public Law Corporations. And, at this point, We consider that it is not appropriate to impute only as "private functions" those who are the object of the presumed infringing conducts that are imputed and “disconnect” them without any reason or justification from public functions, in which can also be totally incardinated. What is inappropriate at all points is to try to justify spuriously the exercise of "private functions" overlapping it with a norm that is not in application mode, such as Law 7/2006, of May 31, on the exercise of titled professions and professional associations of the Community Autonomous of Catalonia. Said Law is not applicable neither by reason of the matter, nor of the territory and, even less within a disciplinary procedure, which leads us again to the violation of the principles of classification and legality, without can be "presumed", without any evidence or factual foundation and legal, the exercise of private functions erring in the normative framework of application and assuming that the alleged infringements have been in the exercise of such functions. 
If we take into account the statutory precepts that the AEPD invokes regarding the alleged “conflict of interest” of ***POINT.1 of the COAGranada, the statutory precepts invoked by that AEPD involve the exercise of public functions, which are perfectly extensible to the imputed conducts; and these can be perfectly imbricated as public functions

-Article 13. 2. It will correspond to the Governing Board, specifically:
"a) Prepare draft standards of a general nature and the promotion of the procedure of approval and reform of the statutes.
b) Propose to the General Assembly the matters that concern it, provide advice and technical support and arbitrate the means leading to the exact compliance with what is agreed by it.
c) Resolve the applications for the incorporation of new collegiate, of collegiate withdrawals and on the suspension of collegiate services and of college status.
d) Authorize the registration of Professional Companies in the corresponding Association Registry, upon request, which may be processed electronically through the single window established in this School.
e) Collect, distribute and manage the funds of the School, in accordance with the provisions of the Title on the Economic and Patrimonial Regime of the present Particular Statutes.
h) Promote actions of all kinds in favor of the profession.
i) Know the actions carried out due to urgency by the Dean or by the Permanent Commission, assuming them or censoring them when they were not within their own competence.
j) Resolve as many proposals as the Permanent Commission may put forward.
k) Exercise the disciplinary function and adopt precautionary measures, initiating, ex officio or by virtue of denunciation, the disciplinary files, in which it will dictate the corresponding Resolution. The exercise of such functions may be delegated in the Dean, in a group of members of the Governing Board or in a Commission.
l) Send to the Investigating Commission the Files initiated in disciplinary matter, for the purposes of its processing and formulation of the corresponding proposed resolution.
m) Initially approve the Regulations for the operation of attendance and telematic voting in the General Assembly, in order to be definitively approved by the General Assembly of the Collegiates.”

-Article 15. The Permanent Commission. The Governing Board will be constituted in Permanent Commission, made up of the Dean, the ***POSITION.1 and the Treasurer as ex officio members, for the fulfillment of the functions assigned to them in these Statutes. Corresponds to the Permanent Commission of the Board of Governance of the School:
1. Put into practice the guidelines issued by the Governing Board.
2. Propose to the Governing Board as many acts as are consequence of the powers that it has assumed.
3. The adoption of the necessary measures to comply with the agreements of the Board of Government.
5. Adopt decisions on matters of an urgent nature that, being the competence of the Governing Board, cannot suffer postponement until the meeting of the latter, having to account for these acts, for its ratification, in the first session held by the Governing Board.
6. Those functions expressly delegated by the Governing Board.

-Article 17. The *** POSITION.1. “Corresponds to *** POSITION.1:
1. Organize, with the approval of the Dean and according to the criteria of the Governing Board, the school secretary.
2. Provisionally resolve on admission of the new members in accordance with the provisions of these Particular Statutes.
3. Receive and process all requests and communications that are directed to the College and its different Bodies, reporting them to whoever corresponds.
4. Issue the certifications that are requested and must be issued and keep the registration book of collegiate.
6. Make notifications of college ups and downs.
7. Keep the minute books of the meetings of the General Assembly of members, Governing Board and the Permanent Commission and transfer the agreements, monitoring compliance thereof.
10. Direct the services of the College offices.”

And, as a complement to the previous statutory precepts, in article 6 the functions of COAGranada are listed, fully governed by Public Law

-Article 6. Functions. "Without prejudice to those reserved to the Superior Council of the Colleges of Architects of Spain and the Andalusian Council of Official Colleges of Architects, are functions of the Official College of Architects of Granada, in its territorial scope, those expressly determined, for the achievement of its purposes, in the legislation on Professional Associations and, specifically, the following:

1. Registration:
e) Facilitate to the courts and Public Administrations, in accordance with the laws, the list of members who may be required to intervene as experts or designate them directly, as appropriate.
f) Equip itself with the appropriate electronic communications systems and computer programs that allow citizens, Collegiates and other practicing Architects in its territory, the Public Administrations and the organizations declared authorities to resolve their administrative relations with it in a single window system, without prejudice to the fact that it can also be done by other ways.
g) Establish and maintain a telematic and in-person customer service to consumers and users and to Collegiates and other architects with the functions that the Law establishes and those that regulate the Superior Council of Schools of Architects, the Andalusian Council of Official Colleges of Architects and this School, according to the Law.

2. Representation and relations with Public Administrations:
a) Represent the profession, in the territorial area that corresponds to it, before the public powers of the Andalusian Autonomous Community and other Public Administrations, defending the general interests of the profession, lending its collaboration in the matters of its competence, for which it may enter into agreements to carry out activities of common interest, as well as for the promotion of actions aimed at defending the public interest and, especially, of the users of the professional services of the collegiate, with the different Public Administrations and with public or private organizations. When the representation must take place before bodies with jurisdiction outside the scope of the College and refers to matters that go beyond its territorial scope, the actions will be carried out with the prior knowledge or through mediation of the Superior Council or Andalusian Council, as appropriate.
b) Prior agreement of the Governing Council of the Junta de Andalucía, which must be published in the Official Gazette of the Junta de Andalucía, exercise administrative functions related to the profession, all this prior to the report of the Andalusian Council of Official Colleges of Architects and the express acceptance of the College.
c) Act before the Judges and Courts, inside and outside its territorial scope, both in its own name and in defense of the goals and interests of the profession and professionals members of the Association or practitioners in its territorial scope, as in name, on their behalf and in their procedural substitution, in the defense that they themselves voluntarily entrust to it.
d) Report in legal proceedings or administrative proceedings in which fees or other professional issues are discussed, when required to do so.
e) Inform, in accordance with the Laws, the draft provisions at the local level that regulate or directly affect the professional attributions or the conditions of activity of the Architects, as well as those of regional scope when it does not correspond to the Andalusian Council.
f) Cooperate in the improvement of teaching and research of architecture, urbanism and the environment.
g) Participate and represent the profession in congresses, juries and advisory bodies at the request of the Administration or individuals.
i) Exercise the right of petition in accordance with the Law.
j) Attend, in its capacity as competent body, the requests for information that are requested, in accordance with the provisions in Spanish or European Union legislation, both by individuals and by the Collegiate and other practicing architects or by the national or international organisms authorized by law.

3. Ordination:
a) Ensure the ethics and dignity of the profession, both in the reciprocal relations of the Architects and in those of these with their clients or with the organizations in which they carry out their professional work.
b) Watch over the optional independence of the Architect in any of the modalities of professional practice.
c) Avoid and prosecute before the Courts professional intrusion.
d) Establish, within the scope of its competence, criteria on the minimum required levels of professional diligence, in particular, regarding the presentation of works and the quality control and monitoring of the works.
e) Visa in accordance with what is established in the regulatory or legal application standards the professional works of the Architects. The visa will in no case include the fees, nor the other contractual conditions for the provision of professional services agreed by the Architects with their clients.
f) Prevent unfair competition between the Architects in the terms established in the legislation in force on unfair competition.
g) Exercise disciplinary power over the Architects and Professional Societies that fail to comply with their collegiate or professional duties, both legal and deontological, approving for this purpose a Code of Ethics, in accordance with the provisions of the Law and by the Superior Council of the Colleges of Architects of Spain and the Andalusian Council of Official Colleges of Architects. Said Code will be accessible to Collegiate and other practicing architects and consumers and users of their professional services.
i) Advise members and other practicing architects as well as consumers and users of their professional services on the contracting conditions of the professional services of the Architects, seeking the best definition and guarantee of the respective obligations and rights.
j) Establish, within the scope of its competence, regulations on professional activity in the exercise of these management functions, subject to the Statutes and other general provisions of application.

4. Service:
e) Resolve by award, in accordance with the legislation on arbitration and with the collegiate Rules of Procedure itself, conflicts between Collegiate and citizens, or raised by the latter, that are submitted in matters related to the professional competence of the Architects.
f) Establish fee scales that are merely indicative, for the sole purpose of cost appraisals in conflicts or jurisdictional proceedings.
i) Provide the collaboration that is required in the organization and dissemination of competitions that affect Architects and ensure the adequacy of their calls to the regulatory standards of the professional exercise.
m) Exercise as many administrative powers as may be legally attributed, collaborate with the Administration by carrying out studies or issuing reports and exercise the powers that are attributed by other norms of legal or regulatory rank, or are delegated by the Public Administrations or derived from agreements of collaboration.
n) Prepare the letter of services to the citizen, offer information on the content of the profession and the members registered in the College, respecting the provisions of the regulations on the protection of personal data.
o) Guarantee collaboration with the Administration of the Junta de Andalucía and its dependent bodies, as well as with the other Public Administrations and public entities in the control of situations of members who, due to their status as public employees at their service, could be affected due to incompatibility for the exercise of professional activities.
p) Exercise arbitration and mediation functions in the conflicts that, for professional reasons, arise between the Collegiate, between members and citizens, and between them when they decide freely, all in accordance with the applicable legislation on arbitration and mediation.

5. Organization:
a) Approve the Particular Statutes and their modifications prior report from the Higher Council of Colleges about its compatibility with the General Statutes of the Colleges of Architects and their Superior Council, submitting them to a report from the Andalusian Council of Official Colleges of Architects for its subsequent qualification of legality and registration in the Registry of Professional Associations of Andalusia by the competent Ministry.
b) Prepare and approve the annual income and expense budgets, as well as their accounts and settlements.
d) Issue regulations of organization and internal functioning for the development and of those present Statutes."
And the Spanish Data Protection Agency itself, in its Resolutions of May 24, 2021, Procedure No.: PS/00416/2020 and May 11, 2021, Procedure No.: PS/00347/2020 has adopted a different criterion from that followed in this Sanctioning File before Public Law Corporations. Thus, the first of the aforementioned Resolutions establishes the following:

"The denounced facts are specified in that through the web page http//www.albuixech.es/wp-content/uploads/, owned by the defendant, it was possible to access personal data of neighbors such as ID, telephone, disability, economic situation, and that despite the fact that it had stated that it had solved the incident, the corresponding measures had not been taken since he could still access the data of the neighbors.

Article 83.5 a) of the GDPR (LCEur 2016, 605) considers that the infringement of "the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9" is punishable, in accordance with section 5 of the aforementioned article 83 of the aforementioned GDPR, "with administrative fines of €20,000,000 maximum or, in the case of a company, of an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the one with the highest amount".

On the other hand, the LOPDGDD (RCL 2018, 1629), for the purposes of prescription, in its article 72 indicates: "Infringements considered very serious: 1. Based on what is established in article 83.5 of the Regulation (EU) 2016/679, the offenses involving a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following: a) The treatment of personal data violating the principles and guarantees established in Article 5 of Regulation (EU) 2016/679.
(...)"

V

The violation of article 32 of the GDPR (LCEur 2016, 605) is typified in article 83.4.a) of the cited GDPR in the following terms: "4. Violations of the following provisions will be penalized, in accordance with paragraph 2, with administrative fines of EUR 10,000,000 as maximum or, in the case of a company, an amount equivalent to 2% maximum of the overall annual total turnover of the previous financial year, opting for the one with the highest amount: a) the obligations of the controller and of the processor in accordance with articles 8, 11, 25 to 39, 42 and 43. (...)"

For its part, the LOPDGDD (RCL 2018, 1629) in its article 71, Violations, states that: "Infractions are the acts and conducts referred to in paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law". And in its article 73, for prescription purposes, it qualifies as "Offences considered serious": "Based on what is established in article 83.4 of the Regulation (EU) 2016/679, the infractions that suppose a substantial infringement of the articles mentioned therein are considered serious and will prescribe after two years and, in particular, the following: (...) g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with what is required by article 32.1 of Regulation (EU) 2016/679". (...)"

VI

The proven facts show access through the website http//www.albuixech.es/wp-content/uploads owned by the defendant to the personal data of residents of the town (ID, telephone, disability, economic situation, etc.), despite having stated to this AEPD that it had provided a solution to the incident, breaking and violating technical and organizational measures and the duty of data confidentiality.
As stated in the background and accredited based on the proven facts of the procedure, it has been proven that, after the resolution to file the initial claim, the claimant filed an optional appeal for reversal against that resolution, showing its disagreement and stating that the defendant had not taken adequate measures since, despite what was alleged, the data of the municipal website continued to be accessed, contributing relevant documentation together with the new appeal document. After the analysis and checks carried out, it was found that there were published documents containing information with personal data that had not been eliminated or anonymized, estimating the appeal and agreeing to the admission of the claim presented. Therefore, the entity's actions constitute a violation of the principles of confidentiality and data security, regulated in articles 5.1.f) and 32.1 of the GDPR (LCEur 2016, 605), and typified in articles 83.5.a) and 83.4.a) of the GDPR.

However, in order to clarify the terms of the incident produced and that led to the opening of this sanctioning proceeding, the defendant by letter of 02/18/2021 indicated that although at first it installed a WP Content Copy Protection Pro plugin to block access to existing documents on the website of the City Council and carried out the elimination of the files that contained personal data published on the aforementioned page, after receiving the agreement to open the procedure the computer service tried at first to solve the incident, reaching the conclusion that the measure adopted (installing a plugin to block access to the web) seemed insufficient since, although it prevented access to the contents, it was still possible to access them if the URL address of the published files was known.
Therefore, the migration of the entity's website to another server was carried out, which determined that the content that could have been accessed prior to the aforementioned date was deleted, and it was not possible to access the same from the moment the migration was performed. For the purpose of avoiding incidents such as the one that occurred, the new website adopted a series of technical measures: remove access to the wp-content folder and its content through .htaccess; check WP permissions, using the is_user_logged_in function, before serving a file from a wp-content subfolder, etc.

In addition, the defendant has indicated that it assumes its responsibility as a consequence of the infractions committed, although it considers that the efforts made to improve security measures in order to ensure the safety and security of confidentiality of personal data for which it is responsible and that the violation is not due to inaction or lack of proactivity in the compliance with data protection regulations. On the other hand, it should be noted that the defendant provides a screen print of the web page where the personal data content that caused the claim should be and which is currently deleted, it not being possible to access it.

VII

The LOPDGDD (RCL 2018, 1629) in its article 77, Regime applicable to certain categories of controllers or processors, establishes the following: In the case at hand, in accordance with the evidence available and without prejudice to what results from the instruction, said conduct could constitute, on the part of the defendant, a possible violation of the provisions of articles 5.1.f) and 32.1 of the GDPR (LCEur 2016, 605).
It should be noted that the GDPR, without prejudice to the provisions of its article 83, contemplates in its article 77 the possibility of resorting to the sanction of warning to correct the processing of personal data that does not conform to its provisions, when the controllers or processors listed in section 1 committed any of the offenses referred to in articles 72 to 74 of this organic law. Also, it is contemplated that the resolution issued will establish the measures to be adopted so that the conduct ceases, the effects of the infraction committed are corrected and its adequacy to the requirements contemplated in Articles 5.1.f) and 32.1 of the GDPR, as well as the contribution of means certifying compliance.

However, it is considered that the response formulated by the defendant in letter dated 02/18/2021 has been reasonable, correcting the incident produced, not proceeding to urge the adoption of additional measures to those already taken by the defendant, which is one of the main purposes of the procedures with respect to those entities listed in article 77 LOPDGDD, the suspension of the website of the entity containing the personal data of neighbors having been accredited, it having been migrated to another server and measures adopted to prevent the occurrence of events such as those that gave rise to the claim.

Therefore, in accordance with the applicable legislation and having assessed the criteria of graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on ALBUIXECH CITY COUNCIL, with NIF P4601400G, for a violation of article 5.1.f) of the GDPR (LCEur 2016, 605), typified in article 83.5.a) of the GDPR, a penalty of warning, in accordance with article 77 of the LOPDGDD (RCL 2018, 1629).
SECOND: TO IMPOSE on the CITY COUNCIL OF ALBUIXECH, with NIF P4601400G, for an infringement of article 32.1 of the GDPR (LCEur 2016, 605), typified in Article 83.4.a) of the GDPR, a warning sanction, in accordance with article 77 of the LOPDGDD (RCL 2018, 1629)”.

About these resolutions dictated by the AEPD itself, the Resolution Proposal is not pronounced.

FIFTH.- ABSENCE OF DETERMINATION OF THE TYPE CORRESPONDING TO THE PROPOSED SANCTIONS AND LACK OF REASONS FOR THE DETERMINATION OF THE AMOUNT THEREOF. ALTERNATIVELY AND SUBSIDIARILY, INVOCATION OF THE PRINCIPLE OF PROPORTIONALITY.

The Resolution Proposal does not establish which are the specific types of the sanctions that are proposed and the determination and graduation of the quantum of the same, which entails an absence of motivation contrary to article 35.1 a) of Law 39/2015 of October 1, on the Common Administrative Procedure of Public Administrations. The type of infraction committed is not specified (we understand that it is slight), nor is it motivated why the respective sanctions of 5,000, 8,000 and 1,000 euros are imposed. With this it can be considered that defenselessness has been generated for COAGranada.

Alternatively and subsidiarily, in the event that it is estimated that one or more of the infractions contained in the Resolution Proposal, we request the application of the principle of proportionality established in the aforementioned article 29.3 of the LRJSP as well as the also invoked article 83.2.c) of the GDPR.
The principle of proportionality in its application aspect, has served in the jurisprudence as an important mechanism of jurisdictional control of the exercise of the sanctioning power of the Administration when the norm establishes for an infraction several possible sanctions or indicates a margin quantitative for the fixing of the pecuniary sanction; and, thus, it has been insisting in which the aforementioned principle of proportionality or the individualization of the sanction to adapt it to the seriousness of the fact, make the determination of the sanction a regulated activity and, of course, it is possible in the jurisdiction not only the confirmation or elimination of the sanction imposed but also its modification or reduction (Cf. Judgment of the National Court of December 11, March 2008, Rec. 501/2006). In this sense, it is worth mentioning the Judgment of the Supreme Court of September 25, 2003 (Rec. 527/1998): "The power disciplinary measure is not discretionary and this implies that, when for a certain infraction has legally provided for a list of sanctions, the imposition of a more serious or higher than that established with the character of minimum must be clearly motivated by consigning the specific reasons and circumstances on which the superior malice or negligence that are taken into account to choose that greater punishment. This is how the interdiction of arbitrariness of article 9.3 of the Constitution and also the principle of proportionality included in the guarantees of article 25 of the same constitutional text. Therefore, the principle of proportionality implies that, since the activity is sanctioning of the Administration an activity typically of application of the rules, the factors that have to preside over its application are based on what is available in each sector of the Legal System and, especially, in the concurrent circumstances. 
As established in the Judgment of the Superior Court of Justice of Castilla y León de Burgos, nº 3/2017 of 13 January (Rec. 80/2016): "It is precisely in this area that the motivation of the concrete sanctioning administrative act plays an extraordinarily clarifying role, to the extent that it will define not only the circumstances modifying the responsibility appreciated and proven but, in addition, the specific reason that the Administration understands that concurs to, within the margins granted by law, impose a specific sanction".

It is for this reason that, by virtue of what is stated in these Claims, in the event that it is deemed that there are infringing conducts and consequent sanctions to be applied, be it by reducing as much as possible their economic amount, since given the concurrent circumstances, the total amount of 14,000 euros seems disproportionate and excessive (said with due respect and in strict terms of defense).

I ASK THE SPANISH DATA PROTECTION AGENCY: That, having presented this brief, please admit it and consider the allegations which are formulated therein. Granada for Madrid, on the date of the electronic signature.

PROVEN FACTS:

Of the actions carried out in this procedure and of the information and documentation presented by the parties, the following facts have been accredited:

First: The following documentation relevant to this proceeding was attached to the claim document presented to this Agency on 12/21/21:

- Copy of the document that A.A.A., collegiate ***COLEGIADO.1, sends to the claimant, on 08/30/21, where, among others, you can read:

o "(...) The Governing Board of the College in its session held on April 2019 adopted, among others, the following agreement: "(AIG) 04.11.19/08.- DESIGNATE THE *** POSITION.1 OF THE OFFICIAL ASSOCIATION OF ARCHITECTS AS DATA PROTECTION DELEGATE FOR THE SCHOOL OF ARCHITECTS.” Therefore I can inform you that, currently, the Data Protection Officer of the Official College of Architects of Granada is its *** POSITION.1 D. B.B.B. (…)”.

- Copy of the "Complaint Sheet" of the Official College of Architects of Granada where you can read, among others, the following information regarding the data protection policy:

o Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001 Granada. General Secretary. Area of Attention to the Collegiate and to the user. The data collected will form part of the File of the COAGRANADA, being Responsible for ***POINT.1 of the same, to whom it will be necessary to address in writing in the case of exercising the rights of access, opposition, rectification and cancellation, in accordance with the L.O.P.D.

- Copy of the "Visa Application" addressed to the Dean of the Official College of Architects of Granada, where you can read, among others, the following information regarding the data protection policy:

o In accordance with the provisions of LO 15/1999 on the Protection of Personal Data, the existence of an automated file is reported whose purpose is the provision of the requested service. The Applicants expressly consent to the treatment and transfer of existing data in the automated file to the various Spanish Official Colleges of Architects and to other administrative bodies, for the purposes related to the function of visa. Signatories may exercise the right of access, rectification, opposition and cancellation in writing before the C.O.A. of Granada, with address at Plaza de San Agustín Nº 3, 18001 Granada, email coagranada@coagranada.org

Second: On 07/27/22, this Agency verified that in the document "Member Complaints and Claims Sheet", accessible on the web page, https://coagranada.es/wp-content/uploads/2021/02/ Sheet_complaint_reclamations_collegiate_V02.pdf, there was only the following legend referring to the protection of personal data:

“Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001 Granada. General Secretary. Area of Attention to the Collegiate and the User. The data collected will form part of the COAGRANADA File, being the Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing in the case of exercising the rights of access, opposition, rectification and cancellation, in accordance with the L.O.P.D.”

It was also found that in the document "Complaints and Claims Sheet of Consumers and Users”, accessible on the website, https://coagranada.es/wp-content/uploads/2021/02/ Sheet_complaint_claims_consumers_V02.pdf only the following information related to the protection of personal data existed:

“Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001 Granada. General Secretary. Area of Attention to the Collegiate and the User. The data collected will form part of the COAGRANADA File, being the Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing in the case of exercising the rights of access, opposition, rectification and cancellation, in accordance with the L.O.P.D.”

On 04/10/23, this Agency accessed the complaints and claims form of the College of Architects of Granada, accessible through the link https://coagranada.es/quejas-y-reclamaciones/ verifying that you can read the following message:

Official College of Architects of Granada.
Plaza de San Agustín Nº3, 18001 Granada. General Secretary. Area of Attention to the Collegiate and the User. In compliance with the provisions of EU Regulation 2016/679, of 27 April 2016, hereinafter GDPR, the Official College of Architects of Granada, with address at PLAZA DE SAN AGUSTÍN 3, 18001 GRANADA and NIF nº Q1875003D, informs you that the collection and processing of your data through this form has the administrative, fiscal and accounting purpose provided for in the legislation on professional associations and in our statutes. Your data may be communicated to the General Council of Official Colleges of Architects, related organizations and the Public Administration, without prejudice to other transfers provided for by law. Your data will be kept for the time necessary to comply with legal obligations. At any time you can consult additional information on this processing or exercise the rights of access, rectification, deletion, opposition, portability and limitation of processing by directing your request to the address indicated above or by email to protecciondedatos@coagranada.org. Also, if you consider that your right to the protection of personal data has been violated, you may file a claim with the Spanish Data Protection Agency (www.agpd.es).
Third: Regarding the "Cookies Policy" of the website https://www.coagranada.es/, it was initially found that a third-party cookie of a non-excepted nature was being used without the prior consent of the web user. This analytical cookie was installed through the insertion of an interactive map of the Institute for Geoenvironmental Health of the "Vivo Sano" Foundation on the page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/ .
On 04/10/23, this Agency accessed the website https://www.coagranada.es/ again and found the following regarding its “Cookies Policy”: when entering the website for the first time, once the terminal equipment has been cleared of browsing history and cookies, and without accepting new cookies or taking any action on the web page, it was verified that a single cookie, "_GRECAPTCHA", is used, whose purpose is to provide its risk analysis, such as detecting erroneous and repeated connection attempts.
FUNDAMENTALS OF LAW
I.- Competence:
- Regarding the processing of personal data and the "Privacy Policy": The Director of the Spanish Data Protection Agency is competent to resolve this procedure, by virtue of the powers that article 58.2 of the GDPR grants to each supervisory authority and as established in arts. 47, 64.2 and 68.1 of the LOPDGDD.
- Regarding the "Cookies Policy": The Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of art. 43.1, second paragraph, of the LSSI.
II.- Reply to the allegations presented to the resolution proposal
a).- Regarding the alleged conflicts of interest of the Data Protection Officer (DPD) in the person of ***POSITION.1 of the Official College of Architects of Granada.
There is evidence that, in the session held by the Governing Board of the College of Architects of Granada on 04/11/19, the agreement was adopted to designate ***POSITION.1 of said Association as Data Protection Delegate (DPD), as expressly specified in the meeting minutes: "(...) Therefore, I can inform you that, currently, the Data Protection Delegate of the Official College of Architects of Granada is its ***POST.1 D. B.B.B. (…)”.
According to the claimed party, the decision to appoint a new Data Protection Delegate was made on 04/26/22 and was notified to the Agency in response to the requirements of art. 38 of the GDPR.
In the allegations presented by the defendant entity, both to the initiation of the file and to the motion for a resolution, it essentially maintains that there has never been any conflict of interest in the appointment of ***POSITION.1 as Data Protection Delegate (DPD) of the College of Architects of Granada.
We must begin this section by noting that, as this Agency has repeatedly indicated, the greatest novelty presented by the GDPR is the evolution from a model based, fundamentally, on the control of compliance with current legislation to another that rests on the principle of active responsibility, which requires a prior assessment by the controller or by the processor of the risk that the processing of personal data could generate, in order to adopt the appropriate measures on the basis of said assessment.
The DPD will play a fundamental role within the new model of active responsibility. Following on this point the Statement of Reasons for the LOPDGDD, "the figure of the DPD acquires outstanding importance in the GDPR, and the Organic Law reflects this, starting from the principle that it can be obligatory or voluntary, be integrated or not in the organization of the controller or processor, and be either a natural person or a legal person".
Section 4 of CHAPTER IV of the GDPR -articles 37 to 39- regulates the figure of the DPD in detail. In connection with the interpretation and application of these precepts, one can refer to the guidelines contained in the document of the Article 29 Group "Guidelines on Data Protection Delegates" -WP243-, last revised and adopted on April 5, 2017.
This regulation is complemented by the provisions of CHAPTER III of TITLE V of the LOPDGDD, whose articles 34 to 37 contain some specialties directly applicable to our domestic law. Specifically, the appointment of the data protection officer is covered in article 37 of the GDPR, with article 34 of the LOPDGDD expanding the range of subjects bound to make such an appointment.
From the foregoing it can be deduced that the requirement to appoint a DPD should not be interpreted, without further ado, as a mere formality; the requirements established in the applicable legal regulations must be complied with. Consequently, it is necessary to carry out a brief analysis of the functions and resources available to the DPD.
Thus, the starting point must be the important functions that article 39.1 of the GDPR assigns:
"1. The data protection officer will have at least the following functions:
a) inform and advise the controller or the processor and the employees who carry out processing of the obligations incumbent on them under this Regulation and other data protection provisions of the Union or of the Member States;
b) supervise compliance with the provisions of this Regulation, of other data protection provisions of the Union or of the Member States and of the policies of the controller or the processor regarding the protection of personal data, including the assignment of responsibilities, the awareness and training of personnel involved in processing operations, and the corresponding audits;
c) offer the advice requested about the data protection impact assessment and supervise its application in accordance with article 35;
d) cooperate with the supervisory authority;
e) act as a point of contact for the supervisory authority for issues relating to processing, including the prior consultation
referred to in article 36, and consult, where appropriate, on any other matter."
These are, therefore, functions of advice and supervision aimed at guaranteeing adequate compliance with the regulations on the protection of personal data, with article 39.2 pointing out that "The data protection officer will carry out his functions paying due attention to the risks associated with processing operations, taking into account the nature, scope, context and purposes of the processing".
Likewise, article 38.1 clearly establishes that: "The controller and the processor will guarantee that the data protection officer participates adequately and in a timely manner in all matters relating to the protection of personal data".
In addition to the important advisory functions assigned to the DPD, including in cases where it is necessary to carry out an impact assessment because the processing is high-risk, and specifying the supervisory functions, Article 36 of the LOPDGDD provides that: "The delegate may inspect the procedures related to the purpose of this organic law and issue recommendations within the scope of its powers", that "In the exercise of its functions the data protection officer will have access to personal data and processing processes, and the controller or the processor may not oppose this access on the grounds of any duty of confidentiality or secrecy, including that provided for in article 5 of this organic law", and that "When the data protection delegate appreciates the existence of a relevant violation in data protection matters, he will document it and notify it immediately to the administrative and management bodies of the controller or the processor”.
On the other hand, article 39.1.e) of the GDPR also establishes as a function of the DPO “Act as the contact point of the supervisory authority for questions related to processing, including the prior consultation referred to in article 36, and carry out consultations, where appropriate, on any other matter”.
For the proper fulfillment of these tasks, the GDPR imposes certain training requirements on the DPD and requires that it be endowed with the necessary resources.
Article 37.5 GDPR refers to the training requirements, providing that "The data protection officer will be appointed based on their professional qualities and, in particular, their specialized knowledge of data protection law and practice and their ability to perform the functions indicated in article 39”.
For its part, article 35 of the LOPDGDD adds that "Fulfillment of the requirements established in article 37.5 of Regulation (EU) 2016/679 for the appointment of the data protection officer, whether a natural or legal person, may be demonstrated, among other means, through voluntary certification mechanisms that will take particular account of the obtaining of a university degree certifying specialized knowledge in data protection law and practice".
For the best interpretation and application of these precepts, one can refer to the guidelines contained in the document of the Article 29 Group “Guidelines on Data Protection Delegates" -WP243-, last revised and adopted on April 5, 2017, which, in relation to the knowledge and skills of the DPD, note the following points:
- Level of knowledge: The level of knowledge required is not strictly defined, but must be commensurate with the sensitivity, complexity and quantity of the data that an organization processes.
For example, when the data processing activity is especially complex or when it involves a large amount of sensitive data, the DPO may need a higher level of knowledge and support. There is also a difference depending on whether the organization systematically transfers personal data outside the European Union or whether said transfers are occasional. Thus, the DPO must be chosen carefully, taking due account of the data protection issues that arise in the organization.
- Professional qualities: although article 37, section 5, does not specify the professional qualities that must be taken into account when appointing the DPO, an important factor is that he has knowledge of national and European data protection legislation and practices and a deep understanding of the GDPR.
- Ability to perform their duties: The DPO's ability to perform their functions must be interpreted with reference both to their personal qualities and knowledge and to their position within the organization.
Personal qualities should include, for example, integrity and a high level of professional ethics; the primary concern of the DPD should be to enable compliance with the GDPR. The DPD plays a key role in promoting a culture of data protection within the organization and contributes to the application of essential elements of the GDPR, such as the principles relating to data processing, the rights of data subjects, data protection by design and by default, the recording of processing activities, the security of processing, and the notification and communication of data security breaches.
On the other hand, the need to provide the DPO with the resources necessary for the performance of their duties is included as an obligation of the controller in article 38.2 of the GDPR: "The controller and the processor will support the data protection officer in the performance of the functions mentioned in article 39, providing the resources necessary for the performance of said functions and access to personal data and processing operations, and for the maintenance of their specialized knowledge”.
In particular, the following aspects should be taken into account:
· Active support for the work of the DPD by senior management (at the level of the board of directors).
· Sufficient time for the DPO to fulfil its functions, which is particularly important when an internal DPO is appointed part-time or when the external DPO carries out data protection in addition to other obligations. Otherwise, conflicting priorities could lead to neglect of the DPO's obligations. It is essential to have enough time to dedicate to DPD tasks. It is good practice to establish a percentage of time for the DPD's own work when it is not carried out full time. It is also good practice to determine the time necessary to perform the work and the appropriate level of priority for the functions of the DPO, and for the DPO (or the organization) to draw up a work plan.
· Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and personnel, as required.
Therefore, what is essential is that DPDs meet the training and independence requirements that allow them to adequately carry out the functions that the GDPR assigns them; as Recital 97 of the GDPR recalls, "The level of necessary specialized knowledge must be determined, in particular, according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor”.
In this way, and provided that its independence is adequately guaranteed, what is relevant is that the functions assigned to the DPD can be carried out effectively, taking into account, equally, the criterion of availability, which is fundamental to ensuring that data subjects can easily contact the DPO (according to article 38.4 of the GDPR, "data subjects may contact the data protection officer for all matters relating to the processing of their personal data and the exercise of their rights under this Regulation").
In conclusion, these functions can be carried out effectively if the training requirements are met when the DPO is appointed and the DPO is endowed with the necessary resources, including, as noted by the Article 29 Group, a DPO team (a DPD and his staff), which must be proportional to the size and structure of the organization, as well as to the sensitivity, complexity and amount of data that the organization deals with; and the availability of the DPO must be guaranteed so that data subjects can contact him and so that he can communicate with the data protection authorities.
Focusing now on the questions related to the independence and the possible conflicts of interest of the delegate, one must comply with the legal norms that regulate the position of the delegate in his relations with the controller and/or the processor. Thus, article 36 of the LOPDGDD provides the following:
"Position of the data protection officer
1. The data protection officer will act as interlocutor of the controller or processor before the Spanish Data Protection Agency and the regional data protection authorities. The delegate may inspect the procedures related to the purpose of this organic law and issue recommendations within the scope of their competences.
2.
When the data protection officer is a natural person integrated into the organization of the controller or processor, he may not be removed or sanctioned by the controller or processor for carrying out his duties unless he incurred willful intent or gross negligence in their exercise. The independence of the data protection officer will be guaranteed within the organization, avoiding any conflict of interest.”
For its part, Article 38.3 of the GDPR, when regulating the position of the data protection delegate, underlines their independence by pointing out that the controller and the processor will guarantee that the data protection officer does not receive any instruction regarding the performance of said functions, that he cannot be dismissed or sanctioned by the controller or processor for carrying out his functions, and that he reports directly to the highest hierarchical level of the controller or processor.
In addition, according to the Article 29 Group document “Guidelines on Data Protection Delegates”, last revised and adopted on April 5, 2017 -WP243-, their appointment must take into account the element of the independence of the DPO. Thus, article 38.3 of the GDPR establishes some basic guarantees for delegates to act independently within the organization in which they provide their services, including that "they do not receive any instruction relating to the exercise of their tasks”.
It is important to note that those bound to comply with the GDPR are the controller or the processor, so that, if they adopt decisions contrary to the rule and to the advice provided by the delegate, he must be given the possibility to clearly express his dissenting opinion regarding said decisions.
The aforementioned article 38.3 also refers to the fact that data protection delegates "should not be dismissed or penalized by the controller or the processor for carrying out their functions", which reinforces their autonomy and independence. They could, however, be dismissed or sanctioned in accordance with the applicable contractual, labor or criminal legislation of each country for reasons other than the performance of their duties.
In relation to the possible conflict of interest of the delegate, the guidelines on data protection delegates adopted by the Article 29 Data Protection Working Group -WP243- state the following:
“3.5. Conflict of interest
Article 38(6) allows DPOs to “perform other functions and duties”. However, it requires the organization to ensure that "such functions and duties do not give rise to a conflict of interest".
The absence of conflict of interest is closely linked to the requirement to act independently. This means, in particular, that the DPO cannot occupy a position in the organization that leads him to determine the purposes and means of the processing of personal data. On the other hand, although DPOs may have other functions, they can only be entrusted with other tasks and duties if these do not give rise to conflicts of interest. Due to the specific organizational structure of each organization, this should be considered on a case-by-case basis.
As a general rule, conflicting positions within an organization can include senior management positions (such as CEO, director of operations, financial director, medical director, head of the marketing department, head of human resources or director of the IT department), but also other lower positions in the organizational structure if such positions lead to the determination of the purposes and means of processing.
In addition, a conflict of interest may also arise, for example, if a DPO represents the controller or processor in court in cases related to data protection.”
From the foregoing it can be deduced that, regardless of the formula adopted for the appointment, the appointment of the data protection officer must meet the requirements derived from the principle of independence in the conduct of his activity, and it must be ensured that the performance of his functions and duties does not give rise to a conflict of interest.
The provision of a data protection officer in public or private organizations requires that the selection conform to the legal requirements established and, in particular, to the specialized knowledge of data protection law and practice indicated by the GDPR. For the rest, the formula adopted for the appointment of the DPD will depend on the decision adopted by the entity in which he performs his duties, as a consequence of its organizational autonomy.
However, questions regarding the autonomy of the organizations to which the delegates belong, clearly derived from the regulations analyzed in this report, cannot be an obstacle to the necessary guarantee of the independence of the data protection officer -ex article 38 GDPR- within the framework of the internal and external legal relations that he maintains in the performance of his functions.
Thus, in any case, it will be required, as provided for in article 36 of the LOPDGDD, that (i) in the case of a natural person integrated into the organization of the controller or processor, the data protection officer may not be removed or penalized by the controller or processor for carrying out his functions unless he was guilty of intent or gross negligence in their exercise; that (ii) the independence of the data protection officer is guaranteed within the organization, avoiding any conflict of interest; and that (iii) when the data protection delegate appreciates the existence of a relevant violation in data protection matters, he documents it and immediately notifies the administrative and management bodies of the controller or processor.
In short, although Section 4 of CHAPTER IV of the GDPR -articles 37 to 39- gives wide possibilities regarding the appointment of DPOs and their place in the organization of the entities to which their designation refers, it is no less true that said autonomy must be reconciled with the demands derived from the principle of independence of the delegate, and it must be guaranteed that the exercise of their duties does not give rise to situations of incompatibility or conflict of interest. The legal norms that regulate the figure of the data protection delegate configure the requirement of independence as inherent to the performance of their functions.
In the case at hand, the Governing Board of the College of Architects of Granada, in a session held on 04/11/19, adopted the agreement to designate the *** POSITION 1 of said College as Data Protection Delegate (DPD), and this is certified in the letter sent by the Association to the claimant on 08/30/21: "(...) Therefore, I can inform you that, currently, the Data Protection Delegate of the Official College of Architects of Granada is its *** POSITION. 1 D. B.B.B. (…)”.
The Order of February 20, 2018, which approves the modification of the Statutes of the Official College of Architects of Granada, establishes in its articles 13 and 14 the functions and composition of its Governing Board; in its article 15, the functions of the Permanent Commission; and in its article 17, the functions of the *** POSITION 1 of the College.
As we have previously indicated, Section 4 of CHAPTER IV of the GDPR -articles 37 to 39- regulates in detail the figure of the DPD, and in relation to the interpretation and application of these precepts one can refer to the guidelines contained in the document of the Article 29 Group “Guidelines on Data Protection Delegates" -WP243-, last revised and adopted on April 5, 2017: (https://ec.europa.eu/newsroom/article29/itemdetail.cfm?item_id=612048).
This regulation is complemented by the provisions of CHAPTER III of TITLE V of the LOPDGDD, whose articles 34 to 37 contain some specialties directly applicable to our domestic law. Thus, article 36 LOPDGDD guarantees the independence of the DPO within the organization, which must avoid any conflict of interest. For its part, article 38.3 of the GDPR, when regulating the position of the DPD, underlines its independence by stating that the controller and the processor will ensure that the data protection officer does not receive any instructions regarding the performance of said functions, that he cannot be dismissed or sanctioned by the controller or the processor for carrying out his functions, and that he reports directly to the highest hierarchical level of the controller or processor.
In the specific case at hand, the functions of *** POSITION 1 of the College of Architects of Granada that give rise to a conflict of interest are all those in which he carries out activities or advises, as ***POSITION.1, on issues that may be affected by the data protection of the members, of the personnel at the service of the College or of its users, while also having to perform the functions of a DPD.
If we look at the functions of *** POSITION 1 of the Official College of Architects (article 17) that can be affected by data protection, we find that it has powers to:
2. Provisionally resolve on the admission of new members in accordance with the provisions of these Particular Statutes.
3. Receive and process all requests and communications addressed to the College and its different Bodies, reporting them to whoever corresponds.
4. Issue the certifications that are requested and must be issued, and keep the register of members.
5. Annually draw up the lists of members in their different versions. These lists must be prepared annually within the deadlines provided in these Particular Statutes for the purposes of elections.
6. Make notifications of members joining and leaving the College.
7. Keep the minute books of the meetings of the General Assembly of members, the Governing Board and the Permanent Commission, and communicate the agreements, monitoring compliance with them.
Likewise, ***POSITION.1 is an ex officio member of the Governing Board, whose functions (article 13.2) that may be affected by data protection are the following:
c) Resolve applications for the admission of new members, for the withdrawal of members, and on the suspension of collegiate services and membership status.
e) Collect, distribute and manage the College's funds, in accordance with the provisions of the Title on Economic and Patrimonial Regime of these Particular Statutes.
k) Exercise the disciplinary function and adopt precautionary measures, initiating, ex officio or by virtue of a complaint, the disciplinary proceedings, in which the corresponding Resolution.
He is also a member of the Permanent Commission of the Official College (article 15), whose functions that may be affected by data protection are the following:
1. Put into practice the guidelines issued by the Governing Board.
2. Propose to the Governing Board whatever acts are a consequence of the competences that it has assumed.
3. The adoption of the necessary measures for the fulfillment of the agreements of the Governing Board.
4. Organize the College office services.
Furthermore, it should be noted that *** POSITION 1 of this official College forms part of these two collegiate management and administration bodies, which determine the purposes and means of processing, with voice and vote, in such a way that, in addition to his advice, his will forms part of that of the collegiate body.
Therefore, taking into account the functions that, according to the GDPR, correspond to the DPD and the functions that, according to the Order of February 20, 2018, which approves the modification of the Statutes of the Official College of Architects of Granada, correspond to the Governing Board and the Permanent Commission of the Official College of Architects of Granada, in addition to those of the position of ***POSITION.1, there is a conflict of interest on the part of ***POSITION.1 of the Official College of Architects of Granada in acting as DPO of said body, from his appointment as DPD on 04/11/19 until 04/26/22, when the decision to replace him was adopted.
b).- Regarding the alleged lack of information in the forms on “complaints and claims”, referring to the processing of the personal data obtained in them.
As this Agency was able to verify on 07/27/22, when accessing the document "Member Complaints and Claims Sheet" through the link https://coagranada.es/wp-content/uploads/2021/02/Hoja_queja_reclamaciones_colegiados_V02.pdf, one could read, in its lower part, below the form, the following legend:
“Official College of Architects of Granada. Plaza de San Agustín No. 3, 18001 Granada. General Secretary. Area of Attention to the Collegiate and the User. The data collected will form part of the COAGRANADA File, the person Responsible being the *** POSITION 1 of the same, to whom one must write in order to exercise the rights of access, opposition, rectification and cancellation, in accordance with the L.O.P.D.”
It was also possible to verify that same day, 07/27/22, that the document "Complaints and Claims Sheet of Consumers and Users", accessible at the link https://coagranada.es/wp-content/uploads/2021/02/Hoja_queja_reclamaciones_consumidores_V02.pdf, contained the following legend:
“Official College of Architects of Granada. Plaza de San Agustín No. 3, 18001 Granada. General Secretary. Area of Attention to the Collegiate and the User. The data collected will form part of the COAGRANADA File, the person Responsible being the *** POSITION 1 of the same, to whom one must write in order to exercise the rights of access, opposition, rectification and cancellation, in accordance with the L.O.P.D.”
In the brief of allegations to the initiation of the file, presented by the claimed entity before this Agency on 09/29/22, it was indicated, among others, that: "(...) Regarding the sanction referred to for the violation of art. 13 GDPR, we must place on record the application of the proposed corrective measure and the incorporation of all the information referred to in art.
13 of the GDPR to the forms available to both members and the general public, for which reason we request that this measure be taken into account under art. 83.2.c) of the GDPR (…)”.
In the verification carried out by this Agency, after the brief of allegations, of the complaints and claims sheets of the College of Architects of Granada, accessed via the link https://coagranada.es/quejas-y-reclamaciones/, the following message could be read:
Official College of Architects of Granada. Plaza de San Agustín Nº3, 18001 Granada. General Secretary. Area of Attention to the Collegiate and the User. In compliance with the provisions of EU Regulation 2016/679, of 27 April 2016, hereinafter GDPR, the Official College of Architects of Granada, with address at PLAZA DE SAN AGUSTÍN 3, 18001 GRANADA and NIF nº Q1875003D, informs you that the collection and processing of your data through this form has the administrative, fiscal and accounting purpose provided for in the legislation on professional associations and in our statutes. Your data may be communicated to the General Council of Official Colleges of Architects, related organizations and the Public Administration, without prejudice to other transfers provided for by law. Your data will be kept for the time necessary to comply with legal obligations. At any time you can consult the additional information on this processing or exercise the rights of access, rectification, deletion, opposition, portability and limitation of processing by directing your request to the address indicated above or by email to protecciondedatos@coagranada.org. Also, if you consider that your right to the protection of personal data has been violated, you may file a claim before the Spanish Data Protection Agency (www.agpd.es).
Article 12.1 of the GDPR establishes, regarding the requirements that must be met by the information that the controller must make available to data subjects, the following: "1.
The controller shall take appropriate measures to provide the data subject with all the information indicated in articles 13 and 14, as well as any communication pursuant to articles 15 to 22 and 34 relating to the processing, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular any information addressed specifically to a child. The information shall be provided in writing or by other means, including, if applicable, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means (…)”.
For its part, article 13 of the GDPR details the information that must be provided to the data subject when the data is collected directly from him or her, establishing the following:
"1. When personal data relating to a data subject is obtained from that data subject, the controller, at the time the data is obtained, shall provide him or her with:
a) the identity and contact details of the controller and, where appropriate, of the controller's representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data is intended and the legal basis of the processing;
d) when the processing is based on article 6, paragraph 1, letter f), the legitimate interests of the controller or of a third party;
e) the recipients or categories of recipients of the personal data, where applicable;
f) where appropriate, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or, in the case of the transfers indicated in articles 46 or 47 or article 49, paragraph 1, second subparagraph, reference to the appropriate or suitable
safeguards and to the means to obtain a copy of them or the fact that they have been made available.
2. In addition to the information mentioned in section 1, the controller shall provide the data subject, at the time the personal data is obtained, with the following information necessary to guarantee fair and transparent data processing:
a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period;
b) the existence of the right to request from the controller access to the personal data relating to the data subject, and its rectification or deletion, or the limitation of its processing, or to object to the processing, as well as the right to data portability;
c) when the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without this affecting the lawfulness of the processing based on consent prior to its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the communication of personal data is a legal or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is obliged to provide the personal data and is informed of the possible consequences of not providing such data;
f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, meaningful information about the logic applied, as well as the significance and intended consequences of that processing for the data subject.”
Therefore, it is evident that, at least from the date on which the claimant filed the complaint, 12/21/21, until 09/29/22, the date on which the respondent filed its allegations to the initiation of the file indicating that it had remedied the deficiencies observed by this Agency, there was a violation of the provisions of the GDPR regarding the information that must be provided to users when their personal data is obtained from them, such as the identity and contact details of the controller; the purposes of the processing for which the personal data is intended and the legal basis of the processing; the possible recipients or categories of recipients of the personal data, if applicable; the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period; or the right to file a claim with a supervisory authority, and therefore the provisions of current data protection regulations were not complied with.
c).- About the Cookies Policy of the website https://www.coagranada.es/.
On 07/27/22, it was found that, on entering the website of the Official College of Architects of Granada, https://www.coagranada.es/, two cookies were used: "PHPSESSID" and another from Google, "_GRECAPTCHA".
According to Opinion 4/2012 (WP 194) on the exemption from the cookie consent requirement, the exemption applied to authentication cookies could extend to other cookies introduced specifically to strengthen the security of the service requested, for example, cookies whose purpose is to detect erroneous and repeated attempts to connect to a website or to protect the connection system against abuse, as in the case of “_GRECAPTCHA”.
However, after browsing the website, it was observed that third-party cookies of a non-excepted nature were installed, which were not reported in the policies.
It so happens that these analytical cookies are installed through the insertion of an interactive map of the Institute for Geoenvironmental Health of the Fundación Vivo Sano on the page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/.
In the subsequent checks carried out by this Agency on the "Cookies Policy" of the website https://www.coagranada.es/, on 04/10/23 and most recently on 05/03/23, it was observed that the website only uses the cookie “_GRECAPTCHA”, set in order to provide its risk analysis against erroneous and repeated attempts to connect to the website.
In this regard, the Article 29 Working Party (GT29), in its Opinion 4/2012, interpreted that the excepted cookies would include user input cookies (those used to fill in forms or to manage a shopping cart); authentication or user identification cookies (session); user security cookies (those used to detect erroneous and repeated attempts to connect to a website); media player session cookies; load-balancing session cookies; user interface customization cookies; and some plug-in cookies for exchanging social content. These cookies would be excluded from the scope of application of article 22.2 of the LSSI and, therefore, it would not be necessary to inform about their use or obtain consent for it. By contrast, it is necessary to inform the user and obtain prior consent before using any other type of cookie, whether first-party or third-party, session or persistent.
Therefore, the use of third-party cookies of a non-excepted nature during the time they were active, at least from 07/27/22, the date on which this Agency detected those cookies, until 04/10/23, constitutes, on the part of the respondent, the commission of the infringement of article 22.2 of the LSSI.
Regarding the application of the principle of proportionality alleged by the respondent entity, it must be indicated that it is not applicable because, in the present case, for the infringement of article 22.2 of the LSSI sanctioned in this file, the only aggravating factor considered was the existence of intentionality, an expression interpreted as equivalent to degree of guilt in accordance with the Judgment of the National Court of 11/12/07 handed down in Appeal no. 351/2006.
d).- On the possible application of article 77.2 of the LOPDGDD in the present case.
Art. 83.7 of the GDPR establishes that: "Without prejudice to the corrective powers of the supervisory authorities (…) each Member State may establish rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State".
In application of the aforementioned article, article 77 LOPDGDD, on the regime applicable to certain categories of controllers or processors, establishes the following regarding the regime applicable to the entities that make up the Public Administration: "1. The regime established in this article will be applied to the processing for which the following are controllers or processors: (...) g) Public law corporations when the purposes of the processing are related to the exercise of public law powers."
Before entering into its analysis, it must first be taken into account that Professional Associations are public law corporations, protected by the Law and recognized by the State, with their own legal personality and full capacity for the fulfillment of their purposes.
Despite the qualification as a public law corporation, it must be borne in mind that a College can also exercise functions of a private-law nature, depending on whether it is acting in the exercise of public functions or, on the contrary, in the exercise of private functions.
Before continuing, it should be clarified that it was an error to refer to Law 7/2006, of May 31, as the lead legislation applicable to professional associations, when the reference should actually have been to Law 2/1974, of February 13, on Professional Associations, although that Law was already referenced and included under the wording "(...) or other regulations”.
Even though Professional Associations are public law corporations, protected by law and recognized by the State, with their own legal personality and full capacity for the fulfillment of their purposes (art. 1.1 of Law 2/1974, of 13 February, on Professional Associations), they have a mixed nature, which implies that the Colleges do indeed carry out public functions, but they also carry out activities and provide services to their members under private law.
It is true that the legal regime of these organizations is necessarily complex, since it lacks uniformity and has to adapt to the nature (public or private) of the activity carried out by the College at any given time. The public functions exercised by the Professional Associations are, essentially, the regulation of professional practice, which includes the exercise of sanctioning power and the control of compliance with ethical standards. In the absence of such public functions, it is not possible to speak properly of Colleges but of private associations dedicated to the achievement of goals oriented to the exclusive benefit of their members.
As we have already indicated in section a).- “Regarding the alleged conflicts of interest of the Data Protection Officer (DPO) in the person of ***POSITION.1 of the Official College of Architects of Granada”, among the functions of the ***POSITION.1 of the Official College of Architects (article 17) that may be affected by data protection, we find that it has powers to: 2.
Resolve provisionally on the admission of new members in accordance with the provisions of these Particular Statutes.
3. Receive and process all requests and communications addressed to the College and its different Bodies, giving an account of them to whom it may concern.
4. Issue the certifications that are requested and must be issued, and keep the register of members.
5. Draw up annually the lists of members in their different versions. These lists must be made available annually within the terms set forth in these Particular Statutes for the purposes of elections.
6. Give notice of member registrations and withdrawals.
7. Keep the minute books of the meetings of the General Assembly of members, the Governing Board and the Permanent Commission, and communicate the agreements, keeping track of compliance with them.
Likewise, ***POSITION.1 is an ex officio member of the Governing Board, whose functions (article 13.2) that may be affected by data protection are the following:
c) Resolve applications for the admission of new members and for membership withdrawals, and decide on the suspension of member services and of member status.
e) Collect, distribute and manage the College's funds, in accordance with the provisions of the Title on the Economic and Patrimonial Regime of these Particular Statutes.
k) Exercise the disciplinary function and adopt precautionary measures, initiating, ex officio or by virtue of a complaint, the disciplinary proceedings, in which it will issue the corresponding Resolution.
Furthermore, it should be noted that, in this specific case, the claim is confined to "the privacy of the data of the members and therefore their rights", and therefore goes beyond public functions.
Therefore, in the present case, the conflict of interest detected in the appointment of the ***POSITION.1 of the College as Data Protection Officer, as we have already set forth in section a).- “Regarding the alleged conflicts of interest of the Data Protection Officer (DPO) in the person of ***POSITION.1 of the Official College of Architects of Granada", and the lack of information provided in the College's claims sheets on the processing of the personal data of private users, have no place in any of the public functions attributed to it by the regulations, so it would not be possible to apply in this case what is established in Article 77 of the LOPDGDD. As for the "Cookies Policy", it should be indicated that it is governed by the LSSI, therefore art. 77 of the LOPDGDD.
e).- On the allegations presented regarding the Resolutions of this Agency of May 24, 2021, Procedure No.: PS/00416/2020, and of May 11, 2021, Procedure No.: PS/00347/2020.
In the resolution of PS/00416/2020, the following can be read verbatim: "(...) It should be noted that the GDPR, without prejudice to what is established in its article 83, contemplates in its article 77 the possibility of resorting to the sanction of a warning to correct processing of personal data that does not conform to its provisions, when the controllers or processors listed in section 1 have committed any of the offenses to which Articles 72 to 74 of this organic law refer (...)”.
However, as we have previously indicated, the conflict of interest detected in the appointment of ***POSITION.1 of the College as Data Protection Officer, and the lack of information provided in the College's claims forms on the processing of the personal data of private users, have no place in any of the public functions attributed to it by the regulations, so that it would not be possible either to apply in this case what is established in article 77 of the LOPDGDD.
d).- On the absence of determination of the type corresponding to the proposed sanctions and the lack of reasoning in determining their amount; alternatively and secondarily, invocation of the principle of proportionality.
Infringements in the field of data protection are defined in sections 4, 5 and 6 of article 83 of the GDPR. This is a definition by reference, fully accepted by our Constitutional Court. In this sense, article 71 of the LOPDGDD also refers to them by stating that "The acts and behaviors referred to in sections 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law, constitute infringements”.
In this sense, the Opinion of the Council of State of October 26, 2017 on the Draft Organic Law on Protection of Personal Data provides that "The European Regulation does define, even though it does so in a generic sense, the conduct constituting an infringement: in effect, sections 4, 5 and 6 of its article 83 contain a catalog of infringements for violation of the precepts of the European standard indicated in such sections.
The infringements established in articles 72, 73 and 74 of the LOPDGDD exist only for the purposes of prescription, as stated at the beginning of each and every one of these precepts. This need arose in our State because the GDPR contains no reference to the limitation period for infringements, given that this legal institution is not common to all EU Member States.
We must start from the fact that the GDPR is a directly applicable legal norm, which has been developed by the LOPDGDD only to the extent that the former allows. The explanatory statement of the LOPDGDD is clear on this point as regards prescription when it states that "The categorization of infringements is introduced for the sole purpose of determining the limitation periods, the description of the typical behaviors having as its only object the enumeration, by way of example, of some of the punishable acts that should be understood as included within the general types established in the European standard. The organic law regulates the cases of interruption of the limitation period on the basis of the constitutional requirement that the person have knowledge of the facts imputed to him or her”.
It is the application and interpretation of the GDPR, and not of the LOPDGDD, that determines the seriousness of an infringement, based on a series of conditions provided for therein.
As we can see, the GDPR does not present a classification into very serious, serious or minor infringements typical of the Spanish legal system, nor can it be deduced from its wording that the violation of the precepts of article 83.4 of the GDPR corresponds to minor infringements and that of the precepts of article 83.5 or article 83.6 of the GDPR corresponds to serious infringements.
Thus, recital 148 speaks of serious infringements as opposed to minor ones when it determines that, “In case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden on a natural person, a warning may be imposed instead of a sanction by means of a fine.
However, special attention should be paid to the nature, severity and duration of the infringement, to its intentional nature, to the measures taken to mitigate the damage suffered, to the degree of responsibility or any relevant previous infringement, to the way in which the supervisory authority has learned of the infringement, to compliance with measures ordered against the controller or processor, to adherence to codes of conduct and to any other aggravating or mitigating circumstance.".
For all these reasons, the seriousness of an infringement is determined for the purposes of the GDPR and with the elements it provides.
Once again, we bring up the aforementioned Opinion of the Council of State, which explains at length: "On the other hand, the European Regulation does not distinguish, when setting the amount of the sanctions, between very serious, serious and minor infringements, as stated in the preamble to the Draft. Actually, the European standard is limited to distinguishing, depending on the maximum quantitative limit of the fine to be imposed, between some infringements that can be sanctioned "with administrative fines of a maximum of 10,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global turnover of the previous financial year" (section 4 of article 83), and other infringements that can be sanctioned "with administrative fines of a maximum of 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global turnover of the previous financial year" (paragraphs 5 and 6 of article 83).
From this distinction it can be deduced that, for the Law of the European Union, the infringements defined in sections 5 and 6 of article 83 can come to have the same and greater seriousness than those contemplated in section 4 of the same article 83 of the European Regulation.
The European standard is thus limited to establishing two categories of infringements based on their seriousness.
The limitation periods for infringements are not provided for in the European Regulation and, therefore, there is a tacit but undisputed understanding that Member States have the power to establish such periods. The determination of such periods must be based, as is well known, on the seriousness of the infringement.
The infringements provided for in section 4 of article 83, on the one hand, and in paragraphs 5 and 6 of article 83 of the European Regulation, on the other, have a different maximum limit (10,000,000 euros or 2% of turnover in the first case, 20,000,000 euros or 4% of turnover in the second) but the same minimum limit, which in both cases is 1 euro. The existence of such wide quantitative margins indicates that the violations of article 83, whether those of section 4 or those of sections 5 and 6, can be of very different magnitude and that, for this reason, infringements which, due to their seriousness, are close to the upper quantitative limit cannot have the same limitation period as those which, due to their minor nature, are closer to the lower quantitative limit. In such circumstances, the setting of the limitation periods would not be satisfactorily resolved by applying to infringements of the precepts mentioned in sections 5 and 6 of article 83 a longer period than to infringements of the precepts mentioned in section 4 of article 83, given that the infringements contemplated in both precepts, if minor, would require a shorter limitation period.
From this point of view, and with the sole purpose of establishing their limitation period, a distinction has been made between "merely formal infringements" and "substantial violations" of such precepts, the former being considered "minor infringements" with a limitation period of one year and the latter "serious" and "very serious infringements" with limitation periods of two and three years respectively. In the opinion of the Council of State, this classification of infringements, to the extent that it is made for the sole purpose of determining limitation periods for infringements that are not provided for in the European Regulation, cannot be understood as contrary to the provisions of the European standard.
This classification is not, however, relevant as regards the amount of the fines. Under the European standard, the determination of the amount of the fines to be imposed for the violation of the precepts mentioned in sections 4, 5 and 6 of article 83 of the Regulation is the responsibility of the supervisory authorities, in accordance with the graduation criteria established in section 2 of this same provision, among which is the "nature" or "seriousness" of the infringement. Within the quantitative limits established by the European Regulation, the supervisory authorities must fix the amount of the fines according to the greater or lesser seriousness of the infringement. Certainly, the margins available to the supervisory authorities are very wide (from 1 euro to 10,000,000 euros for violation of the precepts mentioned in section 4 of article 83 and from 1 euro to 20,000,000 euros for violation of the precepts mentioned in sections 5 and 6), which confers on such authorities a high degree of discretion, far greater than is usual in countries of our legal tradition.
It is, in any case, the model desired by the European Regulation, hence the distinction between minor, serious and very serious infringements contemplated in the Draft may not have a consequence in determining the maximum amount of minor infringements, and in any case the determination of their amount is made by the supervisory authorities, according to the circumstances of the specific case, within the limits established in that regulation”.
Thus, the classification of infringements for the purposes of prescription in the LOPDGDD has no bearing on the determination of the seriousness of the infringement for the purposes of the GDPR or on the imposition of the corresponding fines.
In the proposed resolution of this file, notified to the interested party on 04/10/23, the facts considered proven and their exact legal classification were set out in the section "PROVEN FACTS", and Legal Ground II (FD II), in response to the allegations, indicated the following:
In point a).- On the alleged conflicts of interest of the Data Protection Officer (DPO) in the person of ***POSITION.1 of the Official College of Architects of Granada.
The infringement was determined:
Therefore, taking into account the functions that, according to the GDPR, correspond to the DPO and the functions that, according to the Order of February 20, 2018, approving the modification of the Statutes of the Official College of Architects of Granada, correspond to the Governing Board and the Permanent Commission of the Official College of Architects of Granada, in addition to those of the position of ***POSITION.1, the existence of a conflict of interest on the part of the ***POSITION.1 of the Official College of Architects of Granada in acting as DPO of that body is evident, and we are therefore faced with a violation of article 38.6 of the GDPR.
The party responsible and the proposed sanction were identified:
“FIRST: That the Director of the Spanish Data Protection Agency sanction the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA, owner of the website https://www.coagranada.es/, for: Violation of article 38.6 of the GDPR, due to the conflict of interest detected in the appointment of the ***POSITION.1 of the College as Data Protection Officer, with a penalty of 5,000 euros (five thousand euros) (...)”
In accordance with the provisions of the GDPR, the amount of the fine was set at 5,000 euros, that is, in the lower range of the possible sanctions, thus complying with the provisions of article 83.1 of the GDPR: "Each supervisory authority shall ensure that the imposition of administrative fines under this article for the infringements of this Regulation indicated in sections 4, 5 and 6 is, in each individual case, effective, proportionate and dissuasive.”
On the other hand, article 83.2 of the GDPR states that "administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in article 58, paragraph 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:” (emphasis added).
That is, it provides for the assessment of the penalty as a whole, taking into account each and every one of the circumstances present in the specific case that are provided for in the aforementioned precept.
The case law takes the same line when it refers to the principle of proportionality, a "fundamental principle that underlies and presides over the process of graduating sanctions and implies, in legal terms, "its adequacy to the seriousness of the fact constituting the infringement", as provided in article 29.3 of Law 40/2015, on the Legal Regime of the Public Sector, given that any sanction must be determined consistently with the magnitude of the infringement committed and according to a criterion of proportionality in relation to the circumstances of the fact.” (Judgments of the Supreme Court of December 3, 2008 (rec. 6602/2004) and April 12, 2012 (rec. 5149/2009) and Judgment of the National Court of May 5, 2021 (rec. 1437/2020), among others).
Thus, the Judgment of the Third Chamber of the Supreme Court, dated May 27, 2003 (rec. 3725/1999), indicates that "Proportionality, pertaining specifically to the scope of the sanction, constitutes one of the principles that govern administrative sanctioning law, and represents an instrument of control over the exercise of the disciplinary power by the Administration, even within the margins that, in principle, the applicable rule sets for such exercise. It is certainly a concept that is difficult to determine a priori, but one which tends to adjust the sanction, by establishing its specific graduation within the possible margins indicated, to the seriousness of the fact constituting the infringement, both in its aspect of unlawfulness and of guilt, weighing as a whole the objective and subjective circumstances that make up the factual basis of the punishable act (...)"
We can also cite for this purpose the Supreme Court Judgment 713/2019, of 29 May (rec.
1857/2018): "We will begin by pointing out that the proportionality of sanctions implies that they are tempered to the particular seriousness of the fact in conjunction with the circumstances of a subjective nature (which refer to the offender) and of an objective nature (which refer to the typical fact), it being the case that in the field of administrative sanctioning law in general, and in the field of the stock market in particular, there are no dosimetry criteria similar to those included in article 66 of the CP, and that the modifying circumstances differ from those of the criminal sphere. Let us remember that there is no room for the automatic application, without any qualification, of the guiding principles of criminal law to the administrative sanctioning procedure (S.TS 6-10-2003 Rec.772/1998).”
For this reason, Guidelines 04/2022 of the European Data Protection Board on the calculation of administrative fines under the GDPR, in their version of 12 May 2022, submitted to public consultation, indicate that "As regards the evaluation of these elements, increases or decreases in a fine cannot be determined in advance through tables or percentages. It is reiterated that the actual quantification of the fine will depend on all the elements collected during the investigation and on other considerations also related to the previous experience of the supervisory authority regarding fines.”
In point b).- Regarding the alleged lack of information in the “complaints and claims” forms concerning the processing of the personal data obtained through them.
The infringement was determined:
“From which it is evident that the forms lacked the necessary information established in article 13 GDPR, such as, for example, the identity and contact details of the controller; the purposes of the processing for which the personal data is intended and the legal basis of the processing; the possible recipients or categories of recipients of the personal data, if applicable; the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period; or the right to file a claim with a supervisory authority, and therefore they failed to comply with the provisions of current data protection regulations”
The party responsible and the proposed sanction were identified:
“FIRST: That the Director of the Spanish Data Protection Agency sanction the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA, owner of the website https://www.coagranada.es/, for: (...) Violation of article 13 of the GDPR, due to the lack of information provided in the claims forms on the processing of the data obtained, (with a penalty of 8,000 euros) (...)”
In accordance with the provisions of the GDPR, the amount of the fine was set at 5,000 euros, that is, in the lower range of the possible sanctions, thus complying with the provisions of article 83.1 of the GDPR: "Each supervisory authority shall ensure that the imposition of administrative fines under this article for the infringements of this Regulation indicated in sections 4, 5 and 6 is, in each individual case, effective, proportionate and dissuasive.”
We reiterate the considerations set forth in the previous section in relation to the determination of the amount of the fine.
In point c).- On the processing of personal data and the “Privacy Policy” of the website https://www.coagranada.es/, whose owner is the Official College of Architects of Granada:

The lack of infringement was determined:

“Therefore, in the present case, according to the evidence available at this time, it is considered that the management of personal data carried out by the web page https://www.coagranada.es/ does not contradict what is stipulated in the GDPR regarding consent to the processing of personal data and the information that must be provided to the data subject when personal data is obtained from them.”

In point d).- About the Cookies Policy of the website https://www.coagranada.es/.

The offense is determined:

“Therefore, the use of third-party cookies of a non-excepted nature, which are not reported in the policies, and despite consent not having been given through the banner, could constitute, on the part of the claimed party, the commission of the infringement of article 22.2 of the LSSI.”

The person responsible and the proposed sanction were identified:

“FIRST: That the Director of the Spanish Data Protection Agency sanction the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA, owner of the website https://www.coagranada.es/, for: (...) Violation of article 22.2 of the LSSI, regarding the use of third-party cookies of a non-excepted nature, without the consent of the user, with a penalty of 1,000 euros (one thousand euros).”

The fine to be imposed has been determined in application of the provisions of the LSSI.

e).- On the allegations presented as a consequence of the archiving of file exp202101340 and the change of criteria in this file.

According to the claimed party, on 07/08/21 the claimant submitted a written document to this Agency, in the same sense as the present claim, indicating, among other things, that: “(...)
Such is the lack of knowledge regarding data protection on the part of this College that, as accredited by its own statements, the *** POSITION.1 holds the title of DPD and Responsible for the processing of personal data at the same time. As evidenced by the text that accompanies the claims sheet of this College, (...)”

This claim was archived by Resolution of the AEPD dated 11/11/21 in file E/08892/2021, which indicated that: “(...) In view of the reasons presented by the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA, which are on file, the lack of rational indications of the existence of an infringement within the field of competence of the Spanish Data Protection Agency has been verified and, consequently, the opening of a disciplinary procedure does not proceed.”

On 11/23/21, the claimant filed an appeal for reversal (RR/0731/21) against the resolution issued by the Director of the Spanish Data Protection Agency, in which, among other things, it indicated that “the AEPD should clarify whether the DPD and the ***POINT.1 of COAG can be the same person”.

On 04/04/22, this Agency issued a resolution on the appeal for reversal RR/0731/21, indicating in it, regarding the issue raised by the claimant in relation to the duplication of positions, DPD and ***POSITION 1 of the COAG, the following:

“Regarding the appointment as data protection delegate of the same person who holds the position of ***POSITION.1 general, it should be noted that the appellant party cannot seek to recount, in the appeal phase, facts that it did not state in a previous procedural phase. The LPACAP provides in its article 118: “Facts, documents or allegations of the appellant will not be taken into account in the resolution of appeals when, having been able to provide them in the allegations procedure, they have not done so.
Nor may the taking of evidence be requested when the failure to carry it out in the procedure in which the appealed decision was issued was attributable to the interested party.” This norm contains a rule that is nothing more than the positive concretion, for the common administrative sphere, of the general principle that the law does not protect the abuse of rights (article 7.2 of the Civil Code), in this case the abuse of procedural law. There is no doubt that this principle is intended to prevent that the processing of allegations and evidence of the procedures of application, as it would be if the interested parties could choose, at their discretion, the moment in which to present evidence and allegations, since this would be contrary to an elementary procedural order. The claimed party has informed that the person designated as data protection delegate possesses the competencies and has the knowledge required for the performance of said position, adding that they have the collaboration of external professionals who are experts in the matter”.

Therefore, there has not been a change in the criteria of the administration; rather, in the cases described, the reason why they were archived was that there was not sufficient proof for the imputation of an infraction. In fact, this is how it is stated in the resolution of inadmissibility: the principle of presumption of innocence is applied and, there not being sufficient evidence of non-compliance, the claim is archived.

In the same sense, what the resolution of the appeal for reversal says, particularly in relation to that breach, is that facts other than those assessed throughout the procedure cannot be taken into account in the appeal phase. This does not prevent a new claim from being filed in which the claimant can accredit aspects that reveal the existence of a violation.
f).- About the Cookies Policy of the website https://www.coagranada.es/.

On 07/27/22, it was found that when entering the website of the Colegio Oficial de Arquitectos de Granada, https://www.coagranada.es/, a session ID cookie, PHPSESSID, and another from Google, _GRECAPTCHA, were installed. The first is a technical cookie and the second is used by websites developed with WordPress, such as the one under analysis, to protect web forms from spam and external attacks.

According to Opinion 4/2012 (WP 194) on the exemption from the cookie consent requirement, the exemption applied to authentication cookies could apply to others introduced specifically to strengthen the security of the service requested, for example, cookies whose purpose is to detect erroneous and repeated attempts to connect to a website, or to protect the connection to the information system against abuses, such as _GRECAPTCHA.

However, after browsing the website, it is observed that third-party cookies of a non-excepted nature are installed, which are not reported in the policies, despite consent not having been given through the banner. It so happens that these analytical cookies are installed through the insertion of an interactive map of the Institute for Geoenvironmental Health of the Vivo Sano Foundation in the page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/

Therefore, there was a clear violation of current regulations (LSSI) by not informing the users of the website of the installation of third-party cookies of a non-excepted nature.

III.- Violation committed and Sanction to be imposed

Regarding the alleged conflicts of interest of the Data Protection Officer (DPD) in the person of ***POSITION.1 of the Official College of Architects of Granada.
In accordance with the available evidence, set forth in section a) of DF II, it is considered that there is a violation of article 38.6 of the GDPR.

This infraction can be sanctioned with a fine of a maximum of €10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global turnover of the previous financial year, whichever is greater, in accordance with article 83.4.a) GDPR.

For its part, article 73.w) LOPDGDD considers serious, for the purposes of prescription: “Not enabling the effective participation of the data protection officer in all matters relating to the protection of personal data, not supporting him or interfering in the performance of his duties”.

In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to be imposed in the present case, it is considered appropriate to graduate the sanction according to the following aggravating criteria established in article 83.2 of the GDPR:

- The number of data subjects affected by the processing of their personal data (section a), bearing in mind the relationship that the College of Architects of Granada has with the registered members, the contracted personnel and the users in general.

It is also considered appropriate to graduate the sanction to be imposed in accordance with the following aggravating criteria, established in article 76.2 of the LOPDGDD:

- The linking of the activity of the offender with the processing of personal data (section b), considering the level of implementation of the College in the community, in which the personal data of hundreds of people who access its services are involved.
The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 LOPDGDD, with respect to the offense committed by violating the provisions of article 38.6 GDPR, allows a final penalty of 5,000 euros (five thousand euros) to be set.

On the other hand, it is not appropriate to require a corrective measure, since the position of DPD of the Official College of Architects of Granada now falls to a person other than the *** POSITION.1 thereof.

IV.- Violation committed and Sanction to be imposed

Regarding the alleged lack of information in the forms on “complaints and claims”, referring to the processing of the personal data obtained in them.

In accordance with the available evidence, set forth in section b) of DF II, it is considered that there is a violation of article 13 of the GDPR.

This infraction can be penalized as established in article 83.5.b) of the GDPR, where it is established that:

“Violations of the following provisions will be penalized, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, whichever is greater: a) the rights of the data subjects pursuant to articles 12 to 22”.
In this sense, article 74.a) of the LOPDGDD considers minor, for the purposes of prescription: “Breach of the principle of transparency of information or of the right to information of the affected party by not providing all the information required by articles 13 and 14 of Regulation (EU) 2016/679.”

In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to be imposed in the present case, it is considered appropriate to graduate the sanction according to the following aggravating criteria established in article 83.2 of the GDPR:

- The number of data subjects affected by the processing of their personal data (section a), bearing in mind the relationship that the College of Architects of Granada has with the registered members, the contracted personnel and the users in general.

It is also considered appropriate to graduate the sanction to be imposed in accordance with the following aggravating criteria, established in article 76.2 of the LOPDGDD:

- The linking of the activity of the offender with the processing of personal data (section b), considering the level of implementation of the College in the community, in which the personal data of hundreds of people who access its services are involved.

The balance of the circumstances contemplated in article 83.5.b) of the GDPR, with regard to the offense committed by violating the provisions of article 13 of the GDPR, allows a final penalty of 8,000 euros (eight thousand euros) to be set.

On the other hand, it is not appropriate to require a corrective measure, given the substitution of the information provided in the “complaints and claims” forms, adjusting it to the provisions of article 13 of the GDPR.

V.- Violation committed and Sanction to be imposed

About the Cookies Policy of the website https://www.coagranada.es/.
Article 22.2 of the LSSI establishes that users must be provided with clear and complete information on the use of data storage and recovery devices and, in particular, on the purposes of the data processing. This information must be provided in accordance with the provisions of the GDPR. Therefore, when the use of a cookie entails processing that enables the identification of the user, the controllers must ensure compliance with the requirements established by the regulations on data protection.

However, it is necessary to point out that cookies necessary for the intercommunication of terminals and the network, and those that provide a service expressly requested by the user, are exempted from compliance with the obligations established in article 22.2 of the LSSI.

In this sense, the Article 29 Working Party (GT29), in its Opinion 4/2012, interpreted that the excepted cookies would include “user input” cookies (those used to fill in forms, or to manage a shopping cart); authentication or user identification cookies (session); user security cookies (those used to detect erroneous and repeated attempts to connect to a website); media player session cookies; load-balancing session cookies; user interface customization cookies; and some plug-in cookies for exchanging social content. These cookies would be excluded from the scope of application of article 22.2 of the LSSI and, therefore, it would not be necessary to inform about or obtain consent for their use.

On the contrary, it will be necessary to inform and obtain the prior consent of the user before the use of any other type of cookies, both first-party and third-party, session or persistent.

In this case, when entering the website for the first time, without accepting cookies or taking any action on the page, it has been verified that no cookies are used that are not technical or necessary.
However, after browsing the website, it is observed that third-party cookies of a non-excepted nature are used, which are not reported in the policies, despite consent not having been given through the banner. It so happens that these analytical cookies are installed through the insertion of an interactive map of the Institute for Geoenvironmental Health of the Vivo Sano Foundation on the page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/

Therefore, the use of third-party cookies of a non-excepted nature, which are not reported in the policies, and despite consent not having been given through the banner, could constitute, on the part of the defendant, the commission of the infringement of article 22.2 of the LSSI, since it establishes that:

“Service providers may use data storage and recovery devices in the terminal equipment of recipients, provided that the recipients have given their consent after having been provided with clear and complete information on their use, in particular on the purposes of the data processing, in accordance with the provisions of Organic Law 15/1999, of December 13, on the protection of personal data.

When technically possible and effective, the recipient's consent to accept the processing of the data may be facilitated through the use of the appropriate parameters of the browser or other applications.

The foregoing will not prevent possible storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient.”
This infraction is typified as “minor” in article 38.4 g) of the aforementioned Law, which considers as such: “Using data storage and recovery devices when the information has not been provided or the consent of the recipient of the service has not been obtained in the terms required by article 22.2.”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI.

In accordance with said criteria, it is deemed appropriate to impose a penalty of 1,000 euros (one thousand euros) for the violation of article 22.2 of the LSSI, for the time during which the use of non-excepted cookies was maintained without the prior consent of the user.

Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA, with CIF.: Q1875003D, owner of the website https://www.coagranada.es/, the following sanctions:

- For violation of article 38.6 of the GDPR, due to the conflict of interest detected in the appointment of ***POSITION.1 of the College as Data Protection Delegate, a sanction of 5,000 euros (five thousand euros).
- For the infringement of article 13 of the GDPR, due to the lack of information provided in the claims forms on the processing of the data obtained, a penalty of 8,000 euros (eight thousand euros).
- For the violation of article 22.2 of the LSSI, regarding the use of third-party cookies of a non-excepted nature without the consent of the user, a penalty of 1,000 euros (one thousand euros).

The total sanction being 14,000 euros (fourteen thousand euros).

SECOND: NOTIFY this resolution to the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA.
THIRD: Warn the penalized party that it must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, within the voluntary payment period indicated in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it in the restricted account No. ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency in the Banco CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once the notification has been received and once the resolution is enforceable, if the date of enforceability is between the 1st and 15th of the month, both inclusive, the period for making voluntary payment will run until the 20th of the following month or the immediately following business day, and if it is between the 16th and the last day of the month, both inclusive, the payment period will run until the 5th of the second following month or the immediately following business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative procedure (article 48.6 of the LOPDGDD), and in accordance with the provisions of articles 112 and 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may optionally file an appeal for reversal before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and of section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned legal text.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the final resolution may be provisionally suspended in administrative proceedings if the interested party declares the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal.
If the Agency is not made aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it will terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Data Protection Agency.