AEPD (Spain) - EXP202204501
| AEPD - EXP202204501 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR, Article 32 GDPR, Article 37 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 22.03.2022 |
| Decided: | 29.01.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Ayuntamiento de Llucmajor |
| National Case Number/Name: | EXP202204501 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
A public institution improperly stored a document with employees' personal data on its intranet. The DPA found violations of the principle of confidentiality, security measure requirements, and the obligation to designate a data protection officer.
English Summary
Facts
On 1 December 2021, a PDF was created by the resource management department of the local police of Llucmajor (the controller). The document contained the personal data of 47 police agents, including their first names, surnames, agent numbers, and sick leave information. On 12 January 2022, the document was posted on the intranet of the Llucmajor government in the ‘local police’ folder, within a subfolder labeled ‘photocopier.’
A complaint was filed with the DPA on 22 March 2022 and the DPA subsequently conducted an investigation. The controller reported that access to the document was meant to be restricted to the police headquarters and their staff, but due to an error, it was not deleted and remained in the ‘photocopier’ folder for several days. The controller also noted that the document was accessed by individuals who were not its intended recipients. The DPA found no evidence that the controller had designated a data protection officer.
Holding
The DPA held that the controller violated Articles 5(1)(f), 32 and 37 GDPR. Pursuant to Article 58(2)(d) GDPR, it ordered the controller to bring its processing operations into compliance within 6 months. No other corrective measures were issued.
First, the DPA found that the controller violated the principle of integrity and confidentiality guaranteed by Article 5(1)(f) GDPR: because the document containing personal data was kept in the ‘photocopier’ folder for a number of days instead of being deleted immediately, the personal data was exposed to unauthorised third parties.
Second, the DPA held that the controller lacked appropriate security measures to protect against data breaches pursuant to Article 32 GDPR. The DPA noted that there was no measure to ensure that documents placed in the ‘photocopier’ folder were properly deleted. In addition, the folder granted access to a number of users beyond the intended recipients.
Finally, the controller violated Article 37 GDPR because it had not designated a data protection officer or, if it had, had failed to communicate the officer's details to the DPA.
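As an added illustration that is not part of the decision and does not describe the City Council's actual systems, the following Python script performs a dry-run audit of a shared print folder and implements the two controls the DPA found missing: a retention check that flags files left in the temporary folder, and an access-scope check that flags files readable by groups outside an allow-list of intended recipients. The folder path, the 24-hour retention window, the allow-list and the sample files are constructed assumptions; the group names in the first sample file mirror the ones listed in Annex 2 of the decision.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SharedFile:
    """A file on the intranet share plus a summary of its ACL (constructed model)."""
    path: str
    modified: datetime
    readers: frozenset            # group names with read access
    contains_personal_data: bool = False


# Hypothetical policy values (assumptions, not taken from the decision):
RETENTION = timedelta(hours=24)   # a print-spool file should not outlive the day
ALLOWED_READERS = frozenset({"Local Police Staff", "Administrators"})


def audit(files, now, retention=RETENTION, allowed=ALLOWED_READERS):
    """Return (severity, path, reason) findings for the two missing controls.

    A stale file or an over-broad ACL is rated high when the file holds
    personal data, because that is the combination that produced the breach.
    """
    findings = []
    for f in files:
        age = now - f.modified
        if age > retention:
            sev = "high" if f.contains_personal_data else "low"
            findings.append((sev, f.path, f"left in temporary folder for {age.days} days"))
        extra = sorted(f.readers - allowed)
        if extra:
            sev = "high" if f.contains_personal_data else "medium"
            findings.append((sev, f.path, "readable by non-recipient groups: " + ", ".join(extra)))
    return findings


def purge_candidates(files, now, retention=RETENTION):
    """Paths a scheduled cleanup job would remove; returned, not deleted, so this is a dry run."""
    return [f.path for f in files if now - f.modified > retention]


# Constructed sample: the leaked PDF as described in the decision, plus two benign files.
NOW = datetime(2022, 1, 12, 10, 0)        # constructed audit time
SAMPLE_FILES = [
    SharedFile("intranet/Plocal/photocopier/baixes-fins-a-30-11-2021.pdf",
               datetime(2021, 12, 1, 9, 38),
               frozenset({"Computer science", "Local Police", "Local Police Staff",
                          "Administrator", "Administrators"}),   # groups listed in Annex 2
               contains_personal_data=True),
    SharedFile("intranet/Plocal/photocopier/duty-roster.pdf",
               NOW - timedelta(days=3), frozenset({"Local Police Staff"})),
    SharedFile("intranet/Plocal/photocopier/print-me-today.pdf",
               NOW - timedelta(hours=1), frozenset({"Local Police Staff"})),
]

if __name__ == "__main__":
    for sev, path, reason in audit(SAMPLE_FILES, NOW):
        print(f"[{sev:6}] {path}: {reason}")
    print("would purge:", purge_candidates(SAMPLE_FILES, NOW))
```

Run as a script it lists the findings and the purge list; in a real deployment the file list would come from a directory walk and the ACL summary from the file server, and `purge_candidates` would feed a scheduled deletion job rather than only a report.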
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202204501

RESOLUTION OF SANCTIONING PROCEDURE

In the procedure instructed by the Spanish Data Protection Agency, and based on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on March 22, 2022. The claim is directed against LLUCMAJOR CITY COUNCIL with NIF P0703100H (hereinafter, the claimed party or the City Council). The reasons on which the claim is based are the following:

The complaining party, a local police officer of the LLUCMAJOR CITY COUNCIL, states that in December 2021 a PDF document was published on the intranet under the name "Sick leave until 11/30/21", available to all users, which contains the names and surnames of 47 agents, their agent number, position, the sick leave days of each one and the percentage of annual work absenteeism this represents. The complaining party considers that these are data that should only be accessed by STAFF members, the Local Police Chief and human resources members.

It indicates that on January 12, 2022 the Local Police Chief published a circular, with the title "Sick leave and illnesses", congratulating the agents who had not been on sick leave and recriminating and questioning the sick leave of the remaining agents.

The two documents referred to are provided, together with evidence of their publication.

The complaining party also states that, after consulting the Agency, it was invited to raise the issue with the Data Protection Officer (hereinafter, DPO) of the City Council, and confirms that the claimed party has not proceeded to appoint one despite the legal obligation in force since May 2018.

Lastly, it states that on the date the claim was filed the document was still published.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), said claim was transferred to the Llucmajor City Council so that it could proceed with its analysis and inform this Agency, within a period of one month, of the actions carried out to comply with the requirements provided for in data protection regulations.

The transfer, carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on April 21, 2022, as appears in the acknowledgment of receipt in the file.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

On June 24, 2022 the City Council requested an extension of the deadline to respond to the transfer letter, which was granted.

On July 6, 2022, this Agency received a response letter sent by the City Council, enclosing a report from the City Council dated July 1, 2022 which, among other aspects, highlights the following:

"3. It is not true that a PDF document was published on the Police intranet, within reach of all users, with personal data referring to the sick leave days of agents.

4. That it was verified that the controversial document was, at the time, saved in a temporary folder for printing, named “photocopier”, where documents are stored before being printed on the photocopier. Evidently the report had restricted access to the Headquarters and its Staff. The result was that after its editing, by mistake, it was not deleted, as is usually done with this type of file, being deleted days later, on checking that the document was still in the folder mentioned and that it had been consulted by people who were not its recipients.

5. That the document is not still published, nor was it published at any time on the Police intranet.

6. Indeed, the Headquarters published a circular in which, in a generic manner, the workforce was informed of the global absenteeism data. We understand that this information is relevant and that it should be known by all the workers of the department, since, as a public service, high levels of absenteeism make it difficult to provide a satisfactory response to the needs of citizens, while affecting the working conditions of the entire group by causing, in some cases, the denial of permits and licenses provided for in the legislation, due to the obligation to “prioritize service needs that would otherwise not be met.”"

THIRD: On June 22, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: On July 13, 2022, after analyzing the documentation in the file, the Director of the Spanish Data Protection Agency issued a resolution agreeing to file the claim. The resolution was notified to the claimant on July 27, 2022, as evidenced in the proceedings.

FIFTH: On August 9, 2022, the complaining party filed an optional appeal for reconsideration through the Electronic Registry of the AEPD against the resolution issued in the file, in which it expressed its disagreement with the contested resolution and requested that the processing of the claim initially presented continue.

SIXTH: On February 23, 2023, the appeal filed was sent to the claimed party within the framework of article 118.1 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), so that it could formulate the allegations and present the documents and supporting evidence it considered appropriate, which it did by written response dated May 3, 2023.

SEVENTH: On May 31, 2023, the Director of the Spanish Data Protection Agency issued a resolution upholding the appeal for reconsideration filed by the claimant. The second legal basis of said resolution states:

“II Response to the allegations presented

In the appeal for reconsideration, the claimant alleges that it is not true that the document was not published on the intranet, since the “photocopier” folder mentioned is precisely on the service's intranet, its use being unnecessary to send a file to print or photocopy. Likewise, it considers that, although the document has been withdrawn, the infringement has already occurred and sanctioning proceedings should be initiated. Finally, it highlights that the claimed party has still not appointed a DPO despite having a legal obligation to do so, which leaves citizens in a situation of helplessness.

In relation to these allegations, the claimed party has stated, in its response to the initial transfer, that the document was placed in a folder accessible to third parties prior to sending it to print, and remained there by mistake. No representations are made in relation to the lack of appointment of a DPO.

In accordance with article 5.1.f) of the RGPD, personal data shall be:

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

Likewise, article 32 provides:

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

On the other hand, with respect to the appointment of the Data Protection Officer, Article 37 of the GDPR provides:

1. The controller and the processor shall designate a data protection officer in any case where:

a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; […]

In response to the hearing process, the claimed party has stated the following:

“That it ratifies the entire content of the report signed on 07/01/2022. It is of interest to state a new point […] the content of the file referred to by the appellant as “Baixes fins el 30-11-2021”, like the generic information contained in the Headquarters circular, which does not contain personal data, could be obtained by reviewing the “Daily Service” data sheets mentioned.”

Without making any statement regarding the lack of appointment of a DPO.

Therefore, in the present case, the appeal filed is upheld.”

EIGHTH: On November 15, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party for:

- The alleged violation of Article 5.1.f) of the RGPD, typified in article 83.5.a), and classified as very serious for the purposes of prescription in article 72.1 a) of the LOPDGDD.

- The alleged violation of Article 32 of the RGPD, typified in article 83.4 a), and classified as serious for the purposes of prescription in article 73 f) of the LOPDGDD.

- The alleged violation of Article 37 of the RGPD, typified in article 83.4 a), and classified as serious for the purposes of prescription in article 73 v) of the LOPDGDD.

NINTH: The aforementioned initiation agreement was notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) and, after the period granted for the formulation of allegations, it was verified that no allegation had been received from the claimed party.

Article 64.2.f) of the LPACAP, a provision of which the claimed party was informed in the agreement to open the procedure, establishes that if no allegations are made within the stipulated period regarding the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, it may be considered a proposal for a resolution.

In the present case, the agreement initiating the sanctioning file determined the facts on which the imputation was based, the violation of the RGPD attributed to the claimed party and the sanction that could be imposed. Therefore, taking into consideration that the claimed party has not made allegations to the agreement initiating the file, and in accordance with article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case the proposed resolution.

In view of everything done by the Spanish Data Protection Agency in this procedure, the following are considered proven facts:

PROVEN FACTS

FIRST: On December 1, 2021, in the resource management department of the Local Police of the Llucmajor City Council, a PDF document called “baixes fins a 30-11-2021” (Sick leave until 30-11-2021) was created, which contained the names and surnames of 47 agents, as well as other personal data relating to said agents (agent number, position, sick leave days and percentage of work absenteeism), and which was published on the intranet of the Llucmajor City Council.

In several of the screenshots provided by the claimant along with the statement of claim, it appears that the document called “baixes fins a 30-11-2021” (Sick leave until 30-11-2021) was created on December 1, 2021 at 9:38. Likewise, these screenshots show that the document was located in the folder called “Plocal” (Local Police) on the intranet of the Llucmajor City Council; some of these screenshots show the access path to said folder.

SECOND: The document “baixes fins a 30-11-2021” (Sick leave until 30-11-2021) was at first housed in the folder called “photocopier”. The Llucmajor City Council recognizes that the document, by mistake, was not deleted and remained in the temporary folder called “photocopier” for several days. In the City Council report dated July 1, 2022 it is stated:

"4. That it was verified that the controversial document was, at the time, saved in a temporary folder for printing, named “photocopier”, where documents are stored before being printed on the photocopier. Evidently the report had restricted access to the Headquarters and its Staff. The result was that after its editing, by mistake, it was not deleted, as is usually done with this type of file, being deleted days later, on checking that the document was still in the mentioned folder and that it had been consulted by people who were not its recipients.” (the underlining is ours).

THIRD: The Llucmajor City Council recognizes that, when the document called “baixes fins a 30-11-2021” (Sick leave until 30-11-2021) was housed in the photocopier folder, people who were not recipients of said document had access to its content. This is recognized by the City Council in its report of July 1, 2022:

"4. That it was verified that the controversial document was, at the time, saved in a temporary folder for printing, named “photocopier”, where documents are stored before being printed on the photocopier. Evidently the report had restricted access to the Headquarters and its Staff. The result was that after its editing, by mistake, it was not deleted, as is usually done with this type of file, being deleted days later, on checking that the document was still in the mentioned folder and that it had been consulted by people who were not its recipients.” (the underlining is ours).

FOURTH: When the document called “baixes fins a 30-11-2021” (Sick leave until 30-11-2021) was hosted in the folder called “Plocal” of said intranet, the personnel of the Local Police of the City Council, among others, could possibly have had access to it. This is shown in the screenshot called Annex 2, sent to the AEPD along with the claim, showing the user groups that had access to said document:

Computer science
Local Police
Local Police Staff
Administrator
Administrators

FIFTH: There is no evidence that the Llucmajor City Council has appointed a Data Protection Officer and communicated it to the AEPD. The file contains a verification carried out by AEPD personnel on April 8, 2022 at 2:40 p.m. in the section of this Agency's Electronic Headquarters called “DPD Consultation”, in which it is verified that the Llucmajor City Council has not communicated to this Agency the contact details of its DPO.

FOUNDATIONS OF LAW

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and as established in articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Previous issues

The Llucmajor City Council, like any other public entity, is obliged to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (RGPD), and with Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), with respect to the processing of personal data it carries out, personal data being understood as “any information about an identified or identifiable natural person.” An identifiable natural person is one whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Likewise, processing should be understood as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Taking into account the above, the Llucmajor City Council processed the personal data of 47 local police officers in the document titled “baixes fins a 30-11-2021” (Sick leave until 30-11-2021) to which the claim giving rise to this sanctioning file relates. It carries out this activity in its capacity as data controller, given that it is the one who determines the purposes and means of such activity, pursuant to article 4.7 of the GDPR:

"controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Article 4 section 12 of the GDPR broadly defines “personal data breach” (hereinafter security breach or personal data breach) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

III Violation of article 5.1 f) of the GDPR

Article 5.1.f) of the GDPR, Principles relating to processing, states the following:

"1. Personal data shall be: (…) f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).”

In the case examined in this sanctioning file, the claimant affirms that in December a PDF document was published on the City Council's intranet with the title “Baixes fins a 30-11-2021” (Sick leave until 30-11-2021). Along with the claim, the claimant has provided the aforementioned document, consisting of two pages, which includes the sick leave of local police officers for the period between January 1 and November 30, 2021, as well as the following personal data relating to 47 police officers: the agent number, the position, the first name and both surnames, the days of sick leave and the percentage of work absenteeism.

Along with the claim, the claimant has also sent several screenshots, in which images can be seen of the City Council intranet, of the folder called “Plocal” (Local Police), which includes the PDF document called “baixes fins a 30-11-2021” (Sick leave until 30-11-2021), created on December 1, 2021.

In the report of the Llucmajor City Council dated July 1, 2022, prepared in response to the AEPD's transfer, it was stated:

"3. It is not true that a PDF document was published on the Police intranet, within reach of all users, with personal data referring to the sick leave days of agents.

4. That it was verified that the controversial document was, at the time, saved in a temporary folder for printing, named “photocopier”, where documents are stored before being printed on the photocopier. Evidently the report had restricted access to the Headquarters and its Staff. The result was that after its editing, by mistake, it was not deleted, as is usually done with this type of file, being deleted days later, on seeing that the document was still in the aforementioned folder and that it had been consulted by people who were not its recipients.

5. That the document is not still published, nor was it published at any time on the Police intranet.

6. Indeed, the Headquarters published a circular in which, in a generic manner, the staff was informed of the global absenteeism data. We understand that this information is relevant and that it should be known by all department workers, since, as a public service, high levels of absenteeism make it difficult to respond satisfactorily to the needs of citizens, while affecting the working conditions of the entire group by causing, in some cases, the denial of permits and licenses provided for in the legislation, due to the obligation to prioritize the service needs that would otherwise not be met.”

Therefore, in said report, the City Council recognizes that the document called “baixes fins a 30-11-2021” (Sick leave until 30-11-2021), by mistake, was not deleted and remained in the temporary folder called “photocopier” for several days, being consulted by people who were not its recipients.

From the information in the file, it appears that the aforementioned document, “baixes fins a 30-11-2021” (Sick leave until 30-11-2021), was at first housed in the folder called “photocopier”. Subsequently, at the time the claimant took the screenshots that accompany the statement of claim, it appeared in the folder called “Plocal” on the City Council intranet.

In the present case, the personal data breach must be classified as a confidentiality breach, given that as a consequence of it the data of 47 local police officers were unduly exposed to third parties, violating the principle of confidentiality. This circumstance constitutes a violation of the provisions of article 5.1.f) of the RGPD.

IV Typification and classification of the violation of article 5.1 f) of the RGPD

The aforementioned violation of article 5.1 f) of the RGPD implies the commission of one of the violations typified in article 83.5 of the RGPD, which under the heading “General conditions for imposing administrative fines” provides:

"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered very serious and will expire after three years, and in particular the following:

a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679.”

V Penalty for violation of article 5.1 f) of the GDPR

Article 83 “General conditions for imposing administrative fines” of the GDPR, section 7, states: “Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.”

Likewise, article 77 “Regime applicable to certain categories of controllers or processors” of the LOPDGDD provides the following:

"1. The regime established in this article will apply to the processing operations for which the following are controllers or processors: c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration (…)

2. When the controllers or processors listed in section 1 commit any of the infringements referred to in articles 72 to 74 of this organic law, the competent data protection authority will issue a resolution declaring the infringement and establishing, where appropriate, the measures to be adopted to stop the conduct or correct the effects of the infringement committed, with the exception of what is provided for in article 58.2.i of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016. The resolution will be notified to the controller or processor, to the body on which it depends hierarchically, if applicable, and to the affected persons who had the status of interested party, if applicable. (…)

4. The data protection authority must be informed of the resolutions issued in relation to the measures and actions referred to in the previous sections.

5. The actions carried out and the resolutions issued under this article will be communicated to the Ombudsman or, where appropriate, to the analogous institutions of the autonomous communities.

6. When the competent authority is the Spanish Data Protection Agency, it will publish on its website, with due separation, the resolutions referring to the entities of section 1 of this article, with express indication of the identity of the controller or processor who committed the infringement. (…)”

It is understood that a violation of article 5.1 f) of the RGPD has been committed, and it is necessary to declare the infringement by the Llucmajor City Council.

VI Violation of article 32 of the GDPR

Article 32 of the GDPR, Security of processing, establishes the following:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed (the emphasis is ours). (…)

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”

For its part, recital 74 of the GDPR provides the following: “The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.”

In this sense, recital 75 of the GDPR lists a series of factors or circumstances associated with risks to the rights and freedoms of data subjects (the emphasis is ours):

“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.” (emphasis is ours)

In the case analyzed in this file, the processing of the personal data of the 47 local police officers would not have been
accompanied by some appropriate security measures. The Llucmajor City Council has not provided documentation that proves the existence of appropriate security measures intended to prevent a breach of personal data such as the one analyzed in this file may occur. As has been highlighted in the foundation of law III, the City Council of Llucmajor, in its report of July 1, 2022, prepared in response to the transfer of the AEPD recognized that the document “baixes fins a 30-11-2021” (Baixes fins a 30-11-2021) 11-2021), by mistake, it was not deleted and remained in the temporary folder named “photocopier” for several days, being consulted by people who were not recipients thereof. On the other hand, when the document was located in the folder called “Plocal” (Local Police), one of the screenshots sent along with the claim shows the user groups that had access to said document: Computer science Local Police Local Police Staff Administrator C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/20 Administrators It is considered that the known facts constitute an infringement, attributable to the Llucmajor City Council, for violation of article 32 of the RGPD. 
VII Classification and classification of the violation of article 32 of the RGPD The aforementioned violation of article 32 of the RGPD implies the commission of one of the violations classified in article 83.4 of the RGPD that under the heading “Conditions general rules for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, according to with paragraph 2, with administrative fines of EUR 10 000 000 as maximum or, in the case of a company, an amount equivalent to 2% maximum of the overall total annual turnover of the financial year above, opting for the highest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679 are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679.(…)” VIII Penalty for violation of article 32 of the GDPR Article 83 “General conditions for the imposition of administrative fines” of the GDPR section 7 states: “Without prejudice to the corrective powers of the supervisory authorities under of Article 58(2), each Member State may establish rules whether it is possible, and to what extent, to impose administrative fines on authorities public 
entities and bodies established in said Member State.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/20 Likewise, article 77 “Regime applicable to certain categories of responsible or in charge of processing” of the LOPDGDD provides the following: "1. The regime established in this article will apply to the treatments of those who are responsible or in charge: c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration (…) 2. When the persons responsible or in charge listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organic law, the data protection authority that results competent authority will issue a resolution declaring the infraction and establishing, in its case, the measures that should be adopted to stop the conduct or correct it. the effects of the infraction that has been committed, with the exception of the provided for in article 58.2.i of Regulation (EU) 2016/679 of the Parliament European Parliament and of the Council, April 27, 2016. The resolution will be notified to the person responsible or in charge of the treatment, to the body on which it depends hierarchically, if applicable, and to those affected who had the status of interested party, if applicable. (…) 4. The data protection authority must be informed of the resolutions that fall in relation to the measures and actions to which refer to the previous sections. 5. They will be communicated to the Ombudsman or, where appropriate, to the institutions analogous of the autonomous communities the actions carried out and the resolutions issued under this article. 6. 
When the competent authority is the Spanish Agency for the Protection of Data, it will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, with expresses indication of the identity of the person responsible or in charge of the treatment who had committed the infraction. (…)” It is understood that a violation of article 32 of the RGPD has been committed, and the violation of the Llucmajor City Council. IX Violation of article 37 of the GDPR Public Administrations act as data controllers responsible for personal nature and, sometimes, they perform the functions of those in charge of the treatment for what corresponds to them, following the principle of proactive responsibility, meet the obligations that the RGPD details, which includes that of appointing C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/20 a data protection officer, make their contact details public and communicate it to the AEPD. Sections 1 and 7 of Article 37 of the GDPR refer to these obligations and establish, respectively: "1. The person responsible and the person in charge of the treatment will appoint a delegate of data protection provided that: a) the treatment is carried out by a public authority or body, except for courts acting in the exercise of their judicial function; (…) 7. The person responsible or the person in charge of processing will publish the data of contact the data protection officer and will communicate them to the authority of control." Regarding the appointment of the data protection officer, sections 3 and 5 article 37 of the GDPR point out that: "3. When the person responsible or in charge of the treatment is an authority or public body, a single delegate for the protection of data for several of these authorities or bodies, taking into account their organizational structure and size. (…) 5. 
The data protection officer will be appointed based on his or her professional qualities and, in particular, their specialized knowledge of the law and practice regarding data protection and its capacity to perform the functions indicated in article 39. 6. The data protection officer may be part of the staff of the responsible or the person in charge of the treatment or perform their functions in the framework of a service contract.” For its part, the LOPDGDD dedicates article 34 to the “Designation of a delegate of data protection”, provision that provides: "1. Those responsible and in charge of the treatment must designate a data protection delegate in the cases provided for in article 37.1 of Regulation (EU) 2016/679 (...) 3. Those responsible and in charge of the treatment will communicate within the period of ten days to the Spanish Data Protection Agency or, where appropriate, to the autonomous data protection authorities, designations, appointments and dismissals of data protection officers both in the cases in which they are obliged to be appointed, such as in the case in which it is voluntary.” The file contains a verification carried out by AEPD personnel on 8 April 2022 at 2:40 p.m. in the Electronic Headquarters section of this Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/20 called “DPD Consultation”. It verifies that the City Council of Llucmajor has not communicated the contact details of its DPO to this Agency. It is considered that the Llucmajor City Council does not have a DPD designated as there is no notification of your appointment or designation in this Agency, being mandatory do it. 
As indicated, the GDPR provides that the person responsible and in charge of treatment must designate a DPO in the event that “the treatment is carried out an authority or public body”, as well as “they will publish the contact details of the data protection delegate and will communicate them to the supervisory authority.” The known facts constitute an infraction, attributable to the City Council of Llucmajor for violation of article 37 of the RGPD, “Designation of the delegate of Data Protection". x Classification and classification of the offense The aforementioned violation of article 37 of the RGPD implies the commission of the violations typified in article 83.4 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, according to with paragraph 2, with administrative fines of EUR 10 000 000 as maximum or, in the case of a company, an amount equivalent to 2% maximum of the overall total annual turnover of the financial year above, opting for the highest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679 are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: v) Failure to comply with the obligation to designate a data protection delegate. 
data when their appointment is required in accordance with article 37 of the Regulation (EU) 2016/679 and article 34 of this organic law.” XI C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/20 Penalty for violation of article 37 of the GDPR Article 83 “General conditions for the imposition of administrative fines” of the GDPR section 7 states: “Without prejudice to the corrective powers of the supervisory authorities under of Article 58(2), each Member State may establish rules whether it is possible, and to what extent, to impose administrative fines on authorities public entities and bodies established in said Member State.” Likewise, article 77 “Regime applicable to certain categories of responsible or in charge of processing” of the LOPDGDD provides the following: "1. The regime established in this article will apply to the treatments of those who are responsible or in charge: c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration (…) 2. When the persons responsible or in charge listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organic law, the data protection authority that results The competent authority will issue a resolution declaring the infraction and establishing, in its case, the measures that should be adopted to stop the conduct or correct it. the effects of the infraction that has been committed, with the exception of the provided for in article 58.2.i of Regulation (EU) 2016/679 of the Parliament European Parliament and of the Council, April 27, 2016. The resolution will be notified to the person responsible or in charge of the treatment, to the body on which it depends hierarchically, if applicable, and to those affected who had the status of interested party, if applicable. (…) 4. 
The data protection authority must be informed of the resolutions that fall in relation to the measures and actions to which refer to the previous sections. 5. They will be communicated to the Ombudsman or, where appropriate, to the institutions analogous of the autonomous communities the actions carried out and the resolutions issued under this article. 6. When the competent authority is the Spanish Agency for the Protection of Data, it will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, with expresses indication of the identity of the person responsible or in charge of the treatment who had committed the infraction. (…)” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/20 It is understood that a violation of article 37 of the RGPD has been committed, and it is necessary to declare the violation of the Llucmajor City Council. XII Once the violations have been confirmed, it is appropriate to impose the adoption of the of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the which each control authority may “d) order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period.” It is warned that failure to comply with the order to adopt measures imposed by this body in the sanctioning resolution may be considered as an infraction administrative in accordance with the provisions of the RGPD, classified as an infringement in its article 83.5 and 83.6, such conduct may motivate the opening of a subsequent administrative sanctioning procedure. 
Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE that LLUCMAJOR CITY COUNCIL, with NIF P0703100H: -Has violated the provisions of Article 5.1.f) of the RGPD, an offense classified in the Article 83.5 of the GDPR. - Has violated the provisions of Article 32 of the RGPD, an offense classified in the Article 83.4 of the GDPR. - Has violated the provisions of Article 37 of the RGPD, an offense classified in the Article 83.4 of the GDPR. SECOND: ORDER to LLUCMAJOR CITY COUNCIL, with NIF P0703100H, that by virtue of article 58.2.d) of the RGPD, within a period of six months, proves that proceeded to comply with the following measures: 1. The appointment of a Data Protection Officer and communication of said appointment to the AEPD. 2. The adoption by the City Council of management measures for the information systems designed to prevent improper dissemination of data personal. THIRD: NOTIFY this resolution to the LLUCMAJOR CITY COUNCIL. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/20 FOURTH: COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-21112023 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es