AEPD (Spain) - PS/00131/2020
AEPD (Spain) - PS/00131/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 12.05.2021 |
Published: | 18.05.2021 |
Fine: | None |
Parties: | TRABAJADORES DEL CENTRO INTEGRADO DE FORMACIÓN PROFESIONAL SOMESO; CONSELLERÍA DE EDUCACIÓN, UNIVERSIDAD Y FORMACIÓN PROFESIONAL DE LA XUNTA DE GALICIA |
National Case Number/Name: | PS/00131/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA warned a regional Education and Universities Department for not informing their workers adequately about a biometric identification system they were implementing.
English Summary
Facts
A group of workers of an educational centre filed a complaint with the Spanish DPA (AEPD) against their regional Education and Universities Department.
The Department was in the process of implementing a biometric identification system for its workers. The system was meant to be a voluntary means of identification for the teachers of the centre.
Holding
The AEPD found that the controller had not properly informed the workers about the biometric system. When the workers asked about the information listed under Article 13 GDPR, they only received a generic answer saying that the personal data were being processed in accordance with the data protection law, and that the contracts made with the providers of the service were also compliant.
The AEPD noted that the processing was not illegal. The controller had a legal basis for the processing (the performance of a contract), and was also relying on one of the exceptions from Article 9(2) GDPR, required for the processing of special categories of data: the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment. Such obligations originate in the Spanish Workers' Statute; its Article 20(3) allows the employer to use different methods of control and surveillance to verify that the employee effectively complies with their duties and obligations.
However, the AEPD remarked that neither the information provided to the workers nor the answer to their later request for such information were appropriate, especially in light of a processing of personal data of a sensitive nature, such as biometric data.
The AEPD therefore concluded that the controller had violated Article 13 GDPR, by not providing the information listed by the Article to their workers. The AEPD only issued a warning to the controller.
The authority took into account the actions that the controller took during the course of the proceeding to mitigate the infringement: they stopped the processing and the use of the system, they deleted all the collected data, and they committed to involving the DPO in further similar projects, as well as to carrying out a data protection impact assessment and devising new data protection protocols.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure Nº: PS/00131/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: D. A.A.A., representing WORKERS OF THE CENTER INTEGRATED PROFESSIONAL TRAINING SOMESO (hereinafter, the claimant), on 11/08/2019 filed a claim with the Spanish Agency for Data Protection. The claim is directed against CONSELLERÍA DE EDUCATION, UNIVERSITY AND VOCATIONAL TRAINING OF THE XUNTA DE GALICIA with NIF S1511001H (hereinafter, the claimed one). The reasons on which the claim is based are: the disagreement with the implementation of an access and time control system by fingerprint without informing the workers in accordance with the provisions of the regulations on the protection of personal data.
SECOND: Upon receipt of the claim, the Subdirectorate General of Data Inspection proceeded to carry out the following actions:
On 12/04/2019, the claim submitted was transferred to the defendant for analysis and for communication to the claimant of the decision adopted in this regard. Likewise, the defendant was required to send certain information to the Agency within one month:
- Copy of the communications and of the adopted decision sent to the claimant regarding the transfer of this claim, and accreditation that the claimant has received the communication of that decision.
- Report on the causes that have motivated the incident that gave rise to the claim.
- Report on the measures adopted to prevent similar incidents from occurring.
- Any other information considered relevant.
On 01/09/2020, the Ministry, in response to the claim presented by the workers, stated in summary that a time control system using the fingerprint as a single management system has not been implemented, but rather that the use of the fingerprint corresponds to an alternative and voluntary modality to the biometric signature for workers, established in accordance with data protection regulations. And it provides: consent model for the processing of biometric data and information on the attendance management system.
THIRD: On 03/30/2020, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit for processing the claim filed by the claimant against the defendant.
C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
FOURTH: On 09/30/2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party for the alleged infringement of article 13 of the RGPD, typified in article 83.5.b) of the aforementioned Regulation and sanctioned in accordance with the provisions of article 77 of the LOPDGDD.
FIFTH: Having been notified of the initiation agreement, the claimed party, on 10/15/2020, presented a brief of allegations stating the following: that upon receipt of the initiation agreement, it carried out an investigation of the events, requesting detailed information from the educational center; that it is the directors of public educational centers in Galicia who make the concrete organizational and management decisions that may involve the processing of personal data; that CIFP Someso has implemented an electronic attendance management system for the staff that provide services there, because the way in which said control was carried out was not effective for the adequate fulfilment of its ends; that currently the electronic attendance management of the personnel who provide services in the CIFP Someso is done by signing on a tablet or laptop and also through an optional mode, more agile and comfortable, that works with fingerprint registration, whose use is currently suspended; that in relation to the impact evaluation carried out, the Department is currently addressing a global project to adapt to the data protection regulations, in order to prepare a record of treatment activities much more detailed and complete than the one currently published, which will culminate in the conducting of impact evaluations of those treatments for which it is necessary; that the duty of information was fulfilled by making available to the entire staff information regarding the treatment carried out; that the management of the center was also required to immediately cease the use of the access and time control system by fingerprint, and to erase the biometric data that were collected for such purpose and any trace thereof; that to prevent situations similar to the one that is the subject of this procedure from recurring, the Consellería is working on updating and expanding the Data Protection Protocol in the educational field in order to achieve homogenization, as far as possible, of the requirements and measures to be adopted in terms of data protection in the hiring carried out directly by the educational centers.
SIXTH: On 10/21/2020 a test practice period began, with the following being agreed:
- To consider reproduced for evidentiary purposes the claim filed by the claimant and its documentation, and the documents obtained and generated by the Inspection services that are part of file E/11349/2019.
- To consider reproduced for evidentiary purposes the allegations to the initiation agreement presented by the claimed party and the documentation that accompanies them.
SEVENTH: On 03/29/2021 a Proposal for Resolution was issued to the effect that the claimed party be sanctioned for infringement of article 13 of the RGPD, typified in article 83.5.b) of the RGPD, with a warning in accordance with article 77 of the LOPDGDD. Once the legally indicated period had elapsed, at the time of this Resolution the claimed party had not submitted a written statement.
EIGHTH: From the actions carried out in the present procedure, the following have been accredited:
PROVEN FACTS
FIRST: The claimant submitted a written entry dated 11/08/2019 to the Spanish Agency for Data Protection, expressing its disagreement with the implementation by the claimed party of the time and access control system by fingerprint without the workers having been adequately informed in accordance with the provisions of the regulations on personal data protection.
SECOND: Written document of 11/06/2019 from the claimant stating that the workers of the vocational training center filed a claim with them motivated by the following facts: that at the beginning of October they were informed of the implementation of a time control system based on the use of the fingerprint without being given the relevant information prescribed by the GDPR; that they requested such relevant information from the management of the center, such as that concerning the identification of the person responsible for and in charge of the treatment, the DPD, the personal data made available in the elaboration of said control system, technical and organizational measures, etc.; that the answer given by the center in two points was generic, indicating that personal data is protected in accordance with the existing legislation.
THIRD: The answer given by the educational center, by means of a letter of 10/18/2019, informing that:
"1. The personal data of all workers of CIFP Someso are protected in accordance with what is prescribed in the current legislation and are used solely and exclusively to manage the internal activities of the center.
2. All contracts that CIFP Someso has signed with companies that have access to the files that contain personal data of the workers of the center were concluded in accordance with the requirements specified for that purpose in the current legislation".
FOURTH: The respondent, in writing dated 01/09/2020, stated that the CIFP Someso had not "implemented a fingerprint time control system" as a single management system (as seems to be implied), but rather that the use of the fingerprint corresponds to an alternative and voluntary registration modality for workers, and that the necessary guarantees had been fulfilled for the start-up of the said attendance management system, and provided the express consent model for the processing of biometric data and the information document for the workers.
FIFTH: The respondent, in writing dated 10/15/2020, stated that: "As an initial measure, the management of the CIFP SOMESO was required to immediately cease the use of the access and time control system by fingerprint, as well as to erase the biometric data that were collected for this purpose and any trace of the same ..." and that "In order to avoid the recurrence in future of situations similar to the one that is the object of this procedure, the Department is working on updating and expanding the Data Protection Protocol in the educational field in order to achieve homogenization, as far as possible, of the requirements and measures to be adopted in the field of data protection, in the contracting carried out directly by the educational centers ..."
FOUNDATIONS OF LAW
I
The Director of the Spanish Agency for Data Protection, in accordance with the provisions of art. 58.2 of the RGPD and arts. 47 and 48.1 of the LOPDGDD.
II
The legitimacy for the treatment of the fingerprint for the control of the workers by the employer must be sought in articles 9 and 6 of the RGPD.
Article 9 of the RGPD establishes in its sections 1 and 2.b) the following:
"1.
The processing of personal data that reveal ethnic or racial origin, political opinions, religious or philosophical convictions, or trade union membership, and the processing of genetic data, biometric data aimed at uniquely identifying a natural person, data relating to health or data relating to the sex life or sexual orientation of a natural person is prohibited.
2. Section 1 shall not apply when one of the following circumstances occurs:
(…)
b) the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the person responsible for the treatment or of the interested party in the field of labor law and social security and protection, to the extent authorized by the law of the Union or of the Member States or a collective agreement under the law of the Member States that establishes adequate guarantees of respect for the fundamental rights and the interests of the interested party."
Article 6.1.b) of the RGPD indicates:
"1. The treatment will only be lawful if at least one of the following conditions is met:
(…)
b) the treatment is necessary for the performance of a contract to which the interested party is a party or for the application at his request of pre-contractual measures."
The defendant has legitimacy, based on the indicated regulations, to carry out the labor control of its workers, as long as it complies with what is set out in the fifth Foundation of Law.
III
The facts that motivate the claim presented and that are the subject of this proceeding consist of the disagreement with the implementation of an access and time control system by fingerprint without informing the workers in accordance with the provisions of the regulations on the protection of personal data.
These facts suppose the violation of what is indicated in article 13 of the RGPD, by not properly informing about the planned treatment in relation to the control of transfer by fingerprint, in accordance with the provisions established in the aforementioned article.
This article determines the information that must be provided to the interested party at the moment of collecting their data, establishing the following:
"Article 13. Information that must be provided when personal data is obtained from the interested party.
1. When personal data relating to him are obtained from an interested party, the person responsible for the treatment, at the time these are obtained, will provide all the information listed below:
a) the identity and contact details of the person in charge and, where appropriate, of his/her representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the treatment for which the personal data are intended and the legal basis of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where appropriate, the intention of the person responsible to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of the transfers indicated in articles 46 or 47 or article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate guarantees and the means to obtain a copy of these or the fact that they have been made available.
2.
In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party, at the time the personal data is obtained, the following information necessary to guarantee fair and transparent data processing:
a) the period during which the personal data will be kept or, when that is not possible, the criteria used to determine this period;
b) the existence of the right to request from the data controller access to the personal data relating to the interested party, and their rectification or deletion, or the limitation of their treatment, or to oppose the treatment, as well as the right to data portability;
c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and whether the interested party is obliged to provide the personal data and is informed of the possible consequences of not providing such data;
f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the logic applied, as well as the importance and the planned consequences of said treatment for the interested party.
3. When the person responsible for the treatment plans the subsequent treatment of personal data for a purpose other than that for which they were collected, they will provide the interested party, prior to said further processing, information about that other purpose and any additional relevant information pursuant to section 2.
4.
The provisions of sections 1, 2 and 3 shall not apply when and to the extent that the interested party already has the information".
IV
In the present case, the claimant states that at the beginning of October they were informed of the use of a time control system by means of fingerprint without being duly informed in accordance with the regulations on the protection of personal data.
It also provides the letter sent to the management of the training center stating its disagreement and requesting information about it.
Likewise, there is the response made to the claimant in which it is indicated in two points, as it appears in the proven facts, that the personal data of all workers are protected in accordance with current legislation and that the contracts with the companies that have access to the files containing the aforementioned data have been concluded with all the requirements indicated in the current legislation, and from this it follows that neither the information transmitted nor the channel used was the most adequate given the quality and specialty of the data in question, and that a greater effort should have been made in the information and communication policy about the intended treatment.
In the first place, it should be noted that the implementation and integration by the employer of a time control system based on the fingerprint must be communicated to the employees in a complete, clear and concise manner and, in addition, the aforementioned information must be completed with reference both to the legal bases that enable this type of access control and to the basic information referred to in article 13 of the RGPD.
In the case examined, the response offered by the training center to the letter submitted by the claimant, related to the aforementioned control by means of transfer with fingerprint, cannot be considered the most suitable.
Second, the installation of a control system based on the collection and treatment of the fingerprint of the employees implies the treatment of their personal data, since personal data is all information about an identified or identifiable natural person in accordance with article 4.1 of the RGPD.
As for the fingerprint, it is also data that must be qualified as biometric data and, in accordance with article 4.14 of the RGPD, has this consideration when it has been "obtained from a specific technical treatment, relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or fingerprint data".
This means that, in accordance with article 9.1 of the RGPD, the specific regime envisaged for the special categories of data provided for in article 9 of the RGPD applies in this case.
In this sense, recital 51 of the RGPD highlights the restrictive nature with which the processing of these data can be admitted:
"(51) ... Such personal data should not be processed, unless their treatment is allowed in specific situations contemplated in this Regulation, given that Member States may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation to the fulfillment of a legal obligation or to the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for the treatment. In addition to the specific requirements of that treatment, the general principles and other rules of this Regulation must be applied, especially with regard to the conditions of lawfulness of the treatment.
Exceptions to the general prohibition of treatment of these special categories of personal data must be explicitly established, among other things when the interested party gives their explicit consent or in the case of specific needs, in particular when the treatment is carried out within the framework of legitimate activities by certain associations or foundations whose objective is to allow the exercise of fundamental freedoms."
And recital 52 indicates that
"(52) Likewise, exceptions to the prohibition to treat special categories of personal data must be authorized when established by the law of the Union or of the Member States and provided that the appropriate guarantees are given, in order to protect personal data and other fundamental rights, when it is in the public interest, in particular the processing of personal data in the field of labor legislation, legislation on social protection, including pensions, and for purposes of health security, supervision and alert, the prevention or control of communicable diseases and other serious threats to health ..."
In accordance with these considerations, the processing of biometric data of special categories will require, in addition to the concurrence of one of the legal bases established in article 6 of the RGPD, one of the exceptions provided in article 9.2 of the RGPD.
The analysis of the legal basis of legitimacy to carry out this treatment starts from article 6 of the RGPD, regarding the legality of the treatment, which in its section 1, letter b) states: "The treatment will be lawful if at least one of the following conditions is met: (…) b) the treatment is necessary for the performance of a contract to which the interested party is a party or for the application at his request of pre-contractual measures (…)".
By virtue of this precept, the treatment would be lawful and would not require consent when the data processing is carried out for the fulfillment of contractual relations of a labor nature.
This precept would also cover the data processing of public employees, although their relationship is not strictly contractual. It should be noted that, on occasions, for the fulfillment of its obligations in relation to public employees, the Administration has to process certain data to which the RGPD refers, in its article 9, as "special categories of data".
On the other hand, and as highlighted in recital 51 of the same RGPD, insofar as biometric data is of a special category in the cases of biometric identification (art. 9.1 RGPD), it will be necessary for one of the exceptions provided in article 9.2 of the RGPD to apply, which would allow lifting the general prohibition of the treatment of these types of data established in article 9.1.
At this point, special mention must be made of letter b) of article 9.2 of the RGPD, according to which the general prohibition of biometric data processing will not be applied when "the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the person responsible for the treatment or the interested party in the field of labor law and social security and protection, to the extent authorized by the law of the Union or of the Member States or a collective agreement in accordance with the law of the Member States that establishes adequate guarantees of respect for the fundamental rights and the interests of the interested party".
In Spanish law, article 20 of the Consolidated Text of the Workers' Statute (TE), approved by Royal Legislative Decree 2/2015, of October 23, provides for the possibility for the employer to adopt surveillance and control measures to verify compliance with the labor obligations of its workers:
"3.
The employer may adopt the measures he deems most appropriate for surveillance and control to verify compliance by the worker with their labor obligations and duties, keeping in their adoption and application the consideration due to their dignity and taking into account, where appropriate, the actual capacity of workers with disabilities".
And the Basic Statute of the Public Employee, approved by Royal Legislative Decree 5/2015, of October 30, in its article 54 in relation to the principles of conduct of public employees, points out: "The performance of the tasks corresponding to their job will be carried out diligently and in compliance with the established working day and schedule".
The possibility of using systems based on biometric data to carry out access and time control is undeniable, although it does not seem that this is or should be the only system that can be used: thus the use of personal cards, the use of personal codes, the direct visualization of the marking point, etc., may constitute, by themselves or in combination with any of the other available systems, equally effective measures to carry out the control.
In any case, prior to the decision on the start-up of a control system of this type, and taking into account its implications, namely the processing of biometric data aimed at uniquely identifying a natural person, it would be mandatory to carry out an Impact Assessment related to the protection of personal data to evaluate both the legitimacy of the treatment and its proportionality, as well as the determination of the existing risks and the measures to mitigate them, in accordance with the provisions of article 35 RGPD.
V
Biometric data is closely linked to a person, given that it can use a certain unique property of an individual for their identification or authentication.
According to Opinion 3/2012 on the evolution of biometric technologies, "Biometric data irrevocably changes the relationship between the body and identity, since they make the characteristics of the human body legible by machines and subject to further use."
In relation to them, the Opinion specifies that it is possible to distinguish different types of treatments by stating that "Biometric data can be processed and stored in different ways. Sometimes the biometric information captured from a person is stored and treated raw, which makes it possible to recognize the source from which it comes without special knowledge; for example, a photograph of a face, a photograph of a fingerprint or a voice recording. Other times, the raw biometric information captured is treated in such a way that only certain characteristics or traits are extracted and saved as a biometric template."
The processing of these data is expressly permitted by the RGPD when the employer has a legal basis, which is usually the work contract itself. In this regard, the STS of July 2, 2007 (Rec. 5017/2003) has held legitimate the treatment of biometric data carried out by the Administration for the time control of its public employees, without the need for prior consent of the workers.
However, the following should be noted:
- The worker must be informed about these treatments.
- The principles of limitation of the purpose, necessity, proportionality and data minimization must be respected.
In any case, the treatment must also be adequate, pertinent and not excessive in relation to said purpose. Therefore, biometric data that are not necessary for this purpose should be eliminated, and the creation of a biometric database will not always be justified (Opinion 3/2012 of the Art. 29 Working Group).
- Use of biometric templates: Biometric data must be stored as biometric templates whenever possible. The template should be extracted in a way that is specific to the biometric system in question and not used by other data controllers of similar systems, in order to ensure that a person can only be identified in biometric systems that have a legal basis for this operation.
- The biometric system used and the security measures chosen must ensure that reuse of the biometric data in question for another purpose is not possible.
- Mechanisms based on encryption technologies should be used, in order to prevent unauthorized reading, copying, modification or deletion of biometric data.
- Biometric systems should be designed so that the identity link can be revoked.
- Data formats or specific technologies should be chosen that make it impossible to interconnect biometric databases and prevent the unchecked disclosure of data.
- Biometric data should be deleted when they are no longer linked to the purpose that motivated their treatment and, if possible, automated data deletion mechanisms should be implemented.
VI
Article 83.5.b) of the RGPD considers that the infringement of "the rights of the interested parties according to articles 12 to 22" is punishable, in accordance with paragraph 5 of the aforementioned article 83 of the aforementioned Regulation, "with administrative fines of € 20,000,000 maximum or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual global business volume for the previous financial year, opting for the one with the highest amount".
The LOPDGDD in its article 71, Infractions, states that: "The acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infractions".
The LOPDGDD in its article 72 indicates for the purposes of prescription: "Infractions considered very serious:
1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, the infractions that suppose a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following:
(…)
h) The omission of the duty to inform the affected party about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this organic law.
(…)"
VII
However, the LOPDGDD in its article 77, Regime applicable to certain categories of data controllers or managers, establishes the following:
"1. The regime established in this article will be applied to the treatments for which the following are responsible or in charge:
a) The constitutional bodies or those with constitutional relevance and the institutions of the autonomous communities analogous to them.
b) The jurisdictional bodies.
c) The General State Administration, the Administrations of the autonomous communities and the entities that make up the Local Administration.
d) Public bodies and public law entities linked to or dependent on the Public Administrations.
e) The independent administrative authorities.
f) The Bank of Spain.
g) Public law corporations when the purposes of the treatment are related to the exercise of powers of public law.
h) Public sector foundations.
i) Public Universities.
j) Consortia.
k) The parliamentary groups of the Cortes Generales and the autonomous Legislative Assemblies, as well as the political groups of the Local Corporations.
2.
When the controllers or processors listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organic law, the competent data protection authority will issue a resolution sanctioning them with a warning. The resolution will also establish the measures to be adopted to stop the conduct or correct the effects of the offense that had been committed.

The resolution will be notified to the controller or processor, to the body on which it depends hierarchically, where appropriate, and to those affected who had the status of interested party, if applicable.

3. Without prejudice to the provisions of the previous section, the data protection authority will also propose the initiation of disciplinary actions when there is sufficient evidence to do so. In this case, the procedure and the sanctions to apply will be those established in the applicable legislation on the disciplinary or sanctioning regime.

Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for the processing that had not been duly attended to is accredited, the resolution imposing the sanction will include a reprimand with the name of the responsible position and will order publication in the corresponding Official State or regional Gazette.

4. The data protection authority must be informed of the resolutions issued in relation to the measures and actions referred to in the previous sections.

5. The actions carried out and the resolutions issued under this article will be communicated to the Ombudsman or, where appropriate, to the institutions of the autonomous communities.

6.
When the competent authority is the Spanish Agency for the Protection of Data, it will publish on its website, with due separation, the resolutions relating to the entities of section 1 of this article, with express indication of the identity of the controller or processor that committed the infringement. When the competence corresponds to an autonomous data protection authority, the publicity of these resolutions will be governed by its specific regulations".

In the case at hand, and as indicated previously, the present sanctioning procedure shows that the defendant has not adequately informed in relation to the control of access to the facilities of the training center using a fingerprint system, as an alternative and voluntary system to that of the signature.

In accordance with the evidence available, such conduct constitutes an infringement of the provisions of article 13 of the RGPD.

The RGPD, without prejudice to the provisions of its article 83, contemplates in its article 77 the possibility of resorting to the sanction of warning to correct processing of personal data that does not conform to its provisions, when the controllers or processors listed in section 1 committed any of the infractions referred to in articles 72 to 74 of this organic law.
However, the defendant has stated that the management of the CIPF SOMESO the immediate cessation of the use of the access and time control system by fingerprint, as well as the erasure of the biometric data that were collected for that purpose and of any trace thereof and, furthermore, that the center of the need to communicate to the data protection officer of the Consellería any plan to contract a service or supply that could involve a novel processing of personal data of students, their families or the staff of the center itself, so that the data protection officer could advise in a timely manner on the legality of said processing and supervise GDPR compliance.

Likewise, it has been pointed out that, to prevent similar situations from recurring, the Department is working on updating and expanding the Data Protection Protocol in the educational field in order to standardize, as far as possible, the requirements and measures to be adopted regarding data protection in the contracts entered into directly by the educational centers.

On the other hand, the defendant has also considered it relevant to point out that:

- It is fully aware of the special sensitivity of the personal data processed by some of its services, as well as by the educational centers dependent on it, and especially those relating to minors.
- That, among said adaptation works, there are:
- The review and analysis of each of the processing operations carried out, according to their purposes and legal bases, which entail the corresponding update of the record of processing activities with respect to the one already published upon the entry into force of the LOPDGDD, and which will be disseminated through the corporate website of the Xunta de Galicia.
- The review and update of the informative clauses for interested parties (adaptation of the legitimizing bases of the processing, in particular regarding the applicability of consent) and of those necessary to regulate the controller-processor relationship or the relationship between controllers, where applicable.
- Carrying out the corresponding risk analyses and data protection impact assessments.
- The provision of training sessions on personal data processing addressed to the staff of the Consellería.
- Once the adaptation work has been completed, the data protection officer of this Department will send an informative circular in this regard addressed to users of the information system, setting out the status of said works and the main documentation and regulations on the matter.

Therefore, in light of the foregoing, it is considered that the response of the defendant has been reasonable and its action diligent, correcting the incident, and that it is not appropriate to urge the adoption of additional measures, given the suspension of the fingerprint access control system and the erasure of the biometric data that were collected, and the adoption of other measures of a technical and organizational nature in accordance with the data protection regulations indicated above in order to avoid the recurrence of situations such as the one that gave rise to the present claim, which is the main purpose of the procedures with respect to those entities listed in article 77 of the LOPDGDD.
Therefore, in accordance with the applicable legislation and having assessed the graduation criteria of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE ON THE CONSELLERÍA DE EDUCACIÓN, UNIVERSIDAD Y FORMACIÓN PROFESIONAL DE LA XUNTA DE GALICIA, with NIF S1511001H, for an infraction of article 13 of the RGPD, typified in article 83.5.b) of the RGPD, a sanction of warning in accordance with the provisions of article 77 of the LOPDGDD.

SECOND: NOTIFY this resolution to the CONSELLERÍA DE EDUCACIÓN, UNIVERSIDAD Y FORMACIÓN PROFESIONAL DE LA XUNTA DE GALICIA, with NIF S1511001H.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day after the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court (Audiencia Nacional), in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative resolution may be provisionally suspended if the interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also forward to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency were not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es