AEPD (Spain) - PS/00131/2020

From GDPRhub
Revision as of 15:34, 14 June 2021 by Cvl (talk | contribs)
AEPD (Spain) - PS/00131/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 12.05.2021
Published: 18.05.2021
Fine: None
Parties: TRABAJADORES DEL CENTRO INTEGRADO DE FORMACIÓN PROFESIONAL SOMESO
CONSELLERÍA DE EDUCACIÓN, UNIVERSIDAD Y FORMACIÓN PROFESIONAL DE LA XUNTA DE GALICIA
National Case Number/Name: PS/00131/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA warned a regional Education and Universities Department for not informing their workers adequately about a biometric identification system they were implementing.

English Summary

Facts

A group of workers of a educational centre filed a complaint with the Spanish DPA (AEPD) against their regional Education and Universities Department.

The Department was in the process of implementing a biometric identification system for their workers. Such system was meant to be a voluntary way of identification for the teachers of the centre.

Holding

The AEPD found that the controller had not properly informed the workers about the biometric system. When the workers asked about the information listed under Article 13 GDPR, they only received a generic answer saying that the personal data were being processed in accordance with the data protection law, and that the contracts made with the providers of the service were also compliant.

The AEPD noted that the processing was not illegal. The controller had a legal basis for the processing (the performance of a contract), and was also relying in one of the exceptions from Article 9(2) GDPR, required for the processing of special categories of data: the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment. Such obligations originate in the Spanish Workers' Statute; its Article 20(3) allows the employer to use different methods of control and surveillance to verify that the employee effectively complies with their duties and obligations.

However, the AEPD remarked that neither the information provided to the workers nor the answer to their latter request for such information were appropriate, specially in light of a processing of personal data of a sensitive nature, such as biometric data.

The AEPD therefore concluded that the controller had violated Article 13 GDPR, by not providing the information listed by the Article to their workers. The AEPD only issued a warning to the controller.

The authority took into account the actions that the controller took during the course of the proceeding to mitigate the infringement: the stopped the processing and the use of the system, they deleted all the collected data, and they compromised to involve the DPO in further similar projects, as well as to carry out a data protection impact assessment and to devise new data protection protocols.

Comments

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/14








                                                Procedure Nº: PS / 00131/2020



               RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                 BACKGROUND

FIRST: D. A.A.A., representing WORKERS OF THE CENTER
INTEGRATED PROFESSIONAL TRAINING SOMESO (hereinafter, the
claimant), dated 11/08/2019, filed a claim with the Spanish Agency

of Data Protection. The claim is directed against CONSELLERÍA DE
EDUCATION, UNIVERSITY AND VOCATIONAL TRAINING OF THE XUNTA DE
GALICIA with NIF S1511001H (hereinafter, the claimed one). The reasons on which the
claim are: the disagreement with the implementation of a control system of
access and schedule by fingerprint without informing the

workers in accordance with the provisions of the regulations on the protection of
Personal data.


SECOND: Upon receipt of the claim, the Subdirectorate General of Inspec-
Data management proceeded to carry out the following actions:

On 12/04/2019, the claim submitted for analysis was transferred to the defendant
and communication to the claimant of the decision adopted in this regard. Likewise, he is

required so that within one month it sent certain information to the Agency
tion:

       - Copy of the communications, of the adopted decision that has been sent to the
       claimant regarding the transfer of this claim, and accreditation that
       the claimant has received the communication of that decision.

       - Report on the causes that have motivated the incidence that has originated the
       claim.

       - Report on the measures adopted to prevent incidents from occurring
       similar companies.

       - Any other that you consider relevant.
On 01/09/2020, the Ministry in response to the claim presented by the workers
In summary, the authors state that a time control system has not been implemented

using fingerprint as a single management system, but rather the use of the fingerprint
fingerprint corresponds to an alternative and voluntary modality to the biometric signature for
workers, established in accordance with data protection regulations.

And it provides: Consent model for the processing of biometric data and Information
information on the attendance management system.


THIRD: On 03/30/2020, in accordance with article 65 of the LOPDGDD, the Di-

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/14








rector of the Spanish Agency for Data Protection agreed to admit to processing the re
claim filed by the claimant against the defendant.



FOURTH: On 09/30/2020, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged
fraction of article 13 of the RGPD, typified in article 83.5.b) of the aforementioned Regulations.
to and sanctioned in accordance with the provisions of article 77 of the LOPDGDD.



FIFTH: Notified the initiation agreement, the claimed, on 10/15/2020, presented
brief of allegations stating the following: that upon receipt of the initiation agreement,
carried out the investigation of the events requesting detailed information from the center
educational; that it is the directors of public educational centers in Galicia who
make concrete organizational and management decisions that may involve dealing with

data collection of personal data; that CIFP Someso has implemented a system
electronic attendance management system for the staff that provides services and due to the
in which said control was carried out was not effective for the adequate compliance
ment of the ends; that currently the electronic attendance management system
of the personnel who provide service in the CIFP Someso is done by signing in a

tablet or laptop and also an optional mode, more agile and comfortable,
that works with the fingerprint registration, whose use is suspended in the act-
tuality; that in relation to the impact evaluation carried out, the Department is
currently addressing a global project to adapt to the protection regulations
of data, in order to prepare a record of treatment activities much
more detailed and complete than the one currently published and which will culminate with the

conducting impact evaluations of those treatments in which it is
necessary; that the duty of information was fulfilled by making available to the entire
personal information regarding the treatment carried out; which was also required to
management of the center immediate cessation of the use of the access control system and time-
river by fingerprint, as well as the erasure of biometric data that were

collected for such purpose and any trace thereof; that to prevent
situations similar to the one that is the subject of this procedure recur, from the
Consellería is working on updating and expanding the Protocol of Pro-
Data protection in the educational field in order to achieve homogenization,
as far as possible, the requirements and measures to be adopted in terms of data protection, in

the hiring carried out directly by the educational centers.


SIXTH: On 10/21/2020 a test practice period began, according to the
taking the following

        - To consider reproduced for evidentiary purposes the claim filed by the
        claimant and its documentation, the documents obtained and generated by the
        Inspection services that are part of file E / 11349/2019.

        - To consider reproduced for evidentiary purposes, the allegations to the initial agreement
        cio presented by the claimed and the documentation that accompanies them.



SEVENTH: On 03/29/2021 a Proposal for Resolution was issued to the effect that
sanction the claimed person for infringement of article 13 of the RGPD, typified in article
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/14








83.5.b) of the RGPD, with warning in accordance with article 77 of the LO-
PDGDD.

Once the period legally indicated at the time of this Resolution has elapsed, the
claimed, he had not submitted a written statement.



EIGHTH: Of the actions carried out in the present procedure, there have been
accredited the following:

                                 PROVEN FACTS


FIRST: The claimant submitted a written entry dated 11/08/2019 in the
Spanish Agency for Data Protection, expressing its disagreement with the im-
plantation of the time and access control system by fingerprint by the

claimed without the workers having been adequately informed of the
compliance with the provisions of the regulations on personal data protection
sonal.


SECOND: Written document of 11/06/2019 from the claimant stating that

the workers of the vocational training center filed a claim with them
motivated by the following facts: that at the beginning of October he was informed
each the implementation of a time control system based on the use of the
fingerprint without being communicated the relevant information prescribed by the
GDPR; who requested such relevant information from the management of the center, such as the

concerning the identification of the person in charge and in charge of the treatment, the DPD, personal data
sonals made available in the elaboration of said control system, measures
technical and organizational, etc .; that the answer given by the center at two points was
generic indicating that personal data is protected in accordance with the
existing legislation.



THIRD: The answer given by the educational center, by means of a letter of
10/18/2019, informing that:

"1. The personal data of all workers of CIFP Someso are provided
Texts in accordance with or prescribed in the current legislation and are used solely and exclusively
mind to manage the internal activities of the center.

2. All contracts that CIFP Someso has signed with companies that have access to
two years files that contain personal data for two workers from the center
foron celebrated according to the specified requirements to the effect of the vixen-lexislation
tea".



FOURTH: The respondent, in writing dated 01/09/2020, stated that the CIFP Someso did not
had "implemented a fingerprint time control system" as a system
management system (as it seems to imply), but rather that the use of the fingerprint
lar corresponds to an alternative and voluntary registration modality for workers

res ”and that the necessary guarantees had been fulfilled for the start-up of the
said attendance management system and provided the external consent model
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/14








prisoner for the processing of biometric data and the information document to the
workers.



FIFTH: The respondent, in writing dated 10/15/2020, stated that: “As an initial measure,
In addition, the management of the CIPF SOMESO was required to immediately cease the use of the
access control system and time by fingerprint, as well as erasure
of the biometric data that were collected for this purpose and of any trace of
the same ... ”and that“ In order to avoid that situations may recur in future if-

to which is the object of this procedure, the Department is working on
by updating and expanding the Data Protection Protocol in the area
educational framework in order to achieve homogenization, as far as possible,
measures and measures to be adopted in the field of data protection, in the contracting carried out
carried out directly by the educational centers ... "



                             FOUNDATIONS OF LAW


                                              I



        The Director of the Es-
Data Protection box, in accordance with the provisions of art. 58.2 of
RGPD and in art. 47 and 48.1 of LOPDGDD.



                                             II


        The legitimacy for the treatment of the fingerprint for the control of the
workers by the employer we must look for it in article 9 and 6 of the RGPD.

        Article 9 of the RGPD establishes in its sections 1 and 2.b) the following:

        "1. The processing of personal data that reveal the origin is prohibited
ethnic or racial, political opinions, religious or philosophical convictions, or affinity
union membership, and the processing of genetic data, biometric data aimed at identifying
unequivocally identify a natural person, data related to health or data related to

you to the sexual life or sexual orientations of a natural person.
        2. Section 1 shall not apply when one of the circumstances occurs.

following:
        (…)

        b) the treatment is necessary for the fulfillment of obligations and the exercise
        cio of specific rights of the person responsible for the treatment or of the interested party
        in the field of labor law and social security and protection, in the

        to the extent authorized by the Union law of the Member States
        or a collective agreement under the law of the Member States that
        establish adequate guarantees of respect for fundamental rights and
        of the interests of the interested party. "

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/14








        Article 6.1.b) of the RGPD indicates:

        "1. The treatment will only be lawful if at least one of the following is met
terms:

        (…)
        b) the treatment is necessary for the performance of a contract in which the

        The person concerned is part of or for the application at his request of precon-
        tractual. "


        The defendant has legitimacy, based on the indicated regulations, to
carry out the labor control of its workers and as long as it complies with the

found in the fifth Law Foundation.


                                             III



        The facts that motivate the claim presented and that are the subject of the proceeding
This is specified in the disagreement with the implementation of a system of
access control and schedule by fingerprint without informing the
workers in accordance with the provisions of the regulations on the protection of
Personal data.

        These facts suppose the violation of what is indicated in article 13 of the
RGPD, by not properly informing about the planned treatment in relation to the control
of transfer by fingerprint, in accordance with the pronouncements established in

the aforementioned article.
        This article determines the information that must be provided to the interested party in the

moment of collecting your data, establishing the following:
        "Article 13. Information that must be provided when personal data is

obtained from the interested party.
        1. When personal data relating to him are obtained from an interested party, the res-
responsible for the treatment, at the time these are obtained, it will facilitate all the

information listed below:
        a) the identity and contact details of the person in charge and, where appropriate, his / her re

        presenter;
        b) the contact details of the data protection officer, if applicable;

        c) the purposes of the treatment to which the personal data are destined and the legal basis
        ridic of treatment;

        d) when the treatment is based on article 6, paragraph 1, letter f), the interests
        legitimacy of the person in charge or of a third party;

        e) the recipients or categories of recipients of personal data,
        in your case;

        f) where appropriate, the intention of the person responsible to transfer personal data to a
        third country or international organization and the existence or absence of a decision

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/14








        adequacy of the Commission, or, in the case of indicated transfers,
        given in articles 46 or 47 or article 49, paragraph 1, second subparagraph, references
        reference to adequate or appropriate guarantees and the means to obtain

        a copy of these or the fact that they have been loaned.
        2. In addition to the information mentioned in section 1, the person responsible for the
treatment will facilitate the interested party, at the time the personal data is obtained

sonal, the following information necessary to guarantee data processing
loyal and transparent:

        a) the period during which the personal data will be kept or, when not
        where possible, the criteria used to determine this deadline;
        b) the existence of the right to request access to the data controller

        to the personal data relating to the interested party, and its rectification or deletion, or
        the limitation of its treatment, or to oppose the treatment, as well as the right
        cho to data portability;

        c) when the treatment is based on article 6, paragraph 1, letter a), or the
        Article 9, paragraph 2, letter a), the existence of the right to withdraw consent
        at any time, without affecting the legality of the treatment based on
        sado in the consent prior to its withdrawal;

        d) the right to file a claim with a supervisory authority;

        e) if the communication of personal data is a legal or contractual requirement, or
        a necessary requirement to sign a contract, and if the interested party is obliged to
        do to provide personal data and is informed of the possible consequences
        cias that not provide such data;

        f) the existence of automated decisions, including profiling, to
        referred to in article 22, paragraphs 1 and 4, and, at least in such cases, infor-

        significant influence on applied logic, as well as the importance and consequences of
        planned sequences of said treatment for the interested party.
        3. When the person responsible for the treatment plans the subsequent treatment of data

personal coughs for a purpose other than that for which they were collected, will provide
to the interested party, prior to said further processing, information about that other
purpose and any additional relevant information pursuant to section 2.

        4. The provisions of sections 1, 2 and 3 shall not apply when and in
the extent to which the interested party already has the information ”.


                                             IV



        In the present case, the claimant states that at the beginning of October
They were informed of the use of a time control system by means of
fingerprint without being duly informed in accordance with the

regulations on the protection of personal data. It also contributes
the letter sent to the management of the training center stating its disagreement
dad and requesting information about it.

        Likewise, there is the response made to the claimant in which it is indicated in
two points, as it appears in the proven facts, that the personal data
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/14








nal of all workers are protected in accordance with current legislation and that
the companies that have access to the files containing the aforementioned data have
been celebrated with all the requirements indicated in the current legislation, and of the

It follows that neither the information transmitted nor the channel used was the most
adequate given the quality and specialty of the data that were in question,
having made a greater effort in the information and communication policy
cation about the intended treatment.

        In the first place, it should be noted that the implementation and integration of a
issue of time control based on fingerprint by the employer, must be
informed the employees in a complete, clear, concise manner and, in addition, the aforementioned information
training must be completed with reference to both the legal bases that give

openness to this type of access control, as well as to the basic information to which it
reference in article 13 of the RGPD.
        In the case examined, the response offered by the training center to the writer

submitted by the claimant, related to the aforementioned control by means of transfer
with fingerprint, it cannot be considered as the most suitable.

        Second, the installation of a control system based on the collection
and treatment of the fingerprint of the employees implies the treatment of their data
personal since personal data is all that information about a person
physical identified or identifiable in accordance with article 4.1 of the RGPD.

        As for the fingerprint, it is also data that must be qualified.
two as biometric data and in accordance with article 4.14 of the RGPD have this
consideration when they have been “obtained from a specific technical treatment
co, relating to the physical, physiological or behavioral characteristics of a physical person

that allow or confirm the unique identification of said person, such as images
facial features or fingerprint data ”.

        This means that, in accordance with article 9.1 of the RGPD, in the case of
Therefore, the specific regime envisaged for the special categories of
data provided for in article 9 of the RGPD.

        In this sense, recital 51 of the RGPD highlights the nature of
restrictive with which the processing of these data can be admitted:

        “(51) ... Such personal data should not be processed, unless it is allowed
its treatment in specific situations contemplated in this Regulation,
given that Member States may lay down specific provisions
ficas on data protection in order to adapt the application of the rules of the
this Regulation to the fulfillment of a legal obligation or to the fulfillment of

a mission carried out in the public interest or in the exercise of public powers conferring
two to the person responsible for the treatment. In addition to the specific requirements of that treatment,
regulation, the general principles and other rules of this Regulation must be applied.
ment, especially with regard to the conditions of lawfulness of the treatment. I know
must explicitly establish exceptions to the general prohibition of treatment

of these special categories of personal data, among other things when the in-
the person concerned gives their explicit consent or in the case of specific needs, in
particularly when the treatment is carried out within the framework of legitimate activities by
certain associations or foundations whose objective is to allow the exercise of
fundamental liberties.

        And recital 52 indicates that
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/14








        “(52) Likewise, exceptions to the prohibition to treat categories must be authorized
special categories of personal data when established by Union law or
Member States and provided that the appropriate guarantees are given, in order to promote

to collect personal data and other fundamental rights, when it is in the public interest
co, in particular the processing of personal data in the field of labor legislation.
ral, legislation on social protection, including pensions and for security purposes
quality, supervision and health alert, prevention or control of communicable diseases
and other serious threats to health ... "

        In accordance with these considerations, the processing of biometric data from
special categories will require, in addition to the concurrence of one of the legal bases
cases established in article 6 of the RGPD, some of the exceptions provided in the

Article 9.2 of the RGPD.
        The analysis of the legal basis of legitimacy to carry out this treatment comes
of article 6 of the RGPD, regarding the legality of the treatment, which in its section 1, letter

b) states: “The treatment will be lawful if at least one of the following con-
terms: (…) b) the treatment is necessary for the performance of a contract in which
the interested party is a party or for the application at his request of pre-contractual measures
tuals (…) ”.

        By virtue of this precept, the treatment would be lawful and would not require the consent of
ment, when the data processing is carried out for the fulfillment of relations
contractual of a labor nature.

        This precept would also cover the data processing of employees.
two publics, although their relationship is not strictly contractual. It should be noted
lar that, on occasions, for the fulfillment of its obligations in relation to the

public employees, the Administration has to process certain data
to which the RGPD refers, in its article 9, as “special categories of data
cough".

        On the other hand, and as highlighted in recital 51 of the same RGPD,
insofar as biometric data is of a special category in the cases
of biometric identification (art. 9.1 RGPD), it will be necessary for one of the
the exceptions provided in article 9.2 of the RGPD that would allow lifting the prohibition

General bition of the treatment of these types of data established in article 9.1.
        At this point, special mention must be made of letter b) of article 9.2 of the
RGPD, according to which the general prohibition of biometric data processing does not

it will be applied when “the treatment is necessary for the fulfillment of obligations
tions and the exercise of specific rights of the person responsible for the treatment or the
involved in the field of labor law and social security and protection, in the
to the extent authorized by Union law of the Member States or a
collective agreement in accordance with the law of the Member States that establishes

adequate guarantees of respect for fundamental rights and the interests of the
interested".

        In Spanish law, article 20 of the Consolidated Text of the Statute of
workers (TE), approved by Royal Legislative Decree 2/2015, of October 23,
bre, provides for the possibility for the employer to adopt surveillance and control measures
to verify compliance with the labor obligations of its workers:

        "3. The employer may adopt the measures he deems most appropriate to monitor
lance and control to verify compliance by the worker with their obligations and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/14








labor duties, keeping in their adoption and application the consideration due to
their dignity and taking into account, where appropriate, the actual capacity of the workers
with disabilities ”.

       And in the Basic Statute of the Public Employee, approved by Royal Decree Le-
Legislative 5/2015, of October 30, in its article 54 in relation to the principles of
conduct of public employees points out: “The unemployment of the corresponding tasks

teeth to your job will be enhanced diligently and fulfilling the day and
the established schedule "

       The possibility of using systems based on biomedical data is undeniable.
tricos to carry out access and time control, although it does not seem that
is or should be the only system that can be used: thus the use of personal cards
them, the use of personal codes, the direct visualization of the marking point,
etc., which may constitute, by themselves or in combination with any of the others
available systems, equally effective measures to carry out the control.

       In any case, prior to the decision on the start-up
control system of this type and taking into account its implications, treat-

processing of biometric data aimed at uniquely identifying a natural person
physics, it would be mandatory to carry out an Impact Assessment related to the protection
of personal data to evaluate both the legitimacy of the treatment and its
proportionality such as the determination of the existing risks and the measures to
mitigate them in accordance with the provisions of article 35 RGPD.



                                            V


       Biometric data is closely linked to a person, given

who can use a certain unique property of an individual for their identification
cation or authentication.
       According to Opinion 3/2012 on the evolution of biometric technologies,

“Biometric data irrevocably changes the relationship between the body and the identity.
tity, since they make the characteristics of the human body legible by means of
machines and are subject to further use. "

       In relation to them, the Opinion specifies that it is possible to distinguish different types of
treatments by stating that “Biometric data can be processed and stored in
different ways. Sometimes the biometric information captured from a person is stored
It is cooked and treated raw, which makes it possible to recognize the source from which it comes without

special knowledge; for example, a photograph of a face, a photograph of a
fingerprint or a voice recording. Other times, raw biometric information
captured is treated in such a way that only certain characteristics or traits are extracted and
they are saved as a biometric template. "

       The processing of these data is expressly permitted by the RGPD when
do the employer has a legal basis, which is usually the contract itself
of work. In this regard, the STS of July 2, 2007 (Rec. 5017/2003), which has
legitimate tenure the treatment of biometric data carried out by the Administration

for the time control of its public employees, without the need for consent.
prior training of workers.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/14








        However, the following should be noted:

        O The worker must be informed about these treatments.
        O The principles of limitation of the purpose, necessity, pro-

portionality and data minimization.
        In any case, the treatment must also be adequate, pertinent and not exclusive.

cession in relation to said purpose. Therefore, biometric data that are not necessary
necessary for this purpose should be eliminated and the creation of new data will not always be justified.
a biometric database (Opinion 3/2012 of the Art. 29 Working Group).

        O Use of biometric templates: Biometric data must be stored
as biometric templates whenever possible. The template should be taken from
a way that is specific to the biometric system in question and not used
by other data controllers of similar systems in order to ensure that
a person can only be identified in biometric systems that have

a legal basis for this operation.
        O The biometric system used and the security measures chosen must

ensure that reuse of the biometric data in question is not possible
for another purpose.
        O Mechanisms based on encryption technologies should be used, in order to

prevent unauthorized reading, copying, modification or deletion of biometric data.
        O Biometric systems should be designed so that they can be revoked

the identity bond.
        O You must choose to use data formats or specific technologies that

make it impossible to interconnect biometric databases and disclose data
not verified.
        O Biometric data should be deleted when they are not linked to the finalization

fact that motivated their treatment and, if possible, mechanisms should be implemented
automated data deletion.


                                            SAW



        Article 83.5. b) of the RGPD, considers that the infringement of “the rights of
the interested parties according to articles 12 to 22 ”, is punishable, in accordance with the
paragraph 5 of the aforementioned article 83 of the aforementioned Regulation, “with administrative fines
tives of € 20,000,000 maximum or, in the case of a company, of an amount

equivalent to a maximum of 4% of the total annual global business volume for the year
previous financial cio, opting for the one with the highest amount ”.

        The LOPDGDD in its article 71, Infractions, states that:
        “The acts and conducts to which the appar-
Articles 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those resulting

be contrary to this organic law ”.
        The LOPDGDD in its article 72 indicates for the purposes of prescription: "Infractions

considered very serious:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/14








        "1. Based on the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned therein and, in part,

ticular, the following:
        (…)

        h) The omission of the duty to inform the affected party about the treatment of their
        personal data in accordance with the provisions of articles 13 and 14 of the Regulation-
        ment (EU) 2016/679 and 12 of this organic law.

        (…) "

                                            VII


        However, the LOPDGDD in its article 77, Regime applicable to certain

two categories of data controllers or managers, establishes the following:
        "1. The regime established in this article will be applied to the treatments
of those who are responsible or in charge:

        a) The constitutional bodies or those with constitutional relevance and the institutions
        tions of the autonomous communities analogous to them.

        b) The jurisdictional bodies.

        c) The General State Administration, the Administrations of the communities
        autonomous communities and the entities that make up the Local Administration.

        d) Public bodies and public law entities linked to or
        pending of the Public Administrations.

        e) The independent administrative authorities.

        f) The Bank of Spain.
        g) Public law corporations when the purposes of the treatment
        are related to the exercise of powers of public law.

        h) Public sector foundations.

        i) Public Universities.

        j) Consortia.
        k) The parliamentary groups of the Cortes Generales and the Legislative Assemblies

        autonomous communities, as well as the political groups of the Local Corporations.
        2. When the managers or managers listed in section 1 commit-

have any of the infractions referred to in articles 72 to 74 of this law
organic, the competent data protection authority will issue a resolution
sanctioning them with warning. The resolution will also establish
the measures to be adopted to stop the conduct or correct the effects
cough of the offense that had been committed.

        The resolution will be notified to the person in charge of the treatment, to the
earning that depends hierarchically, where appropriate, and those affected who had the
condition of interested party, if applicable.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/14








        3. Without prejudice to the provisions of the previous section, the protection authority
tion of data will also propose the initiation of disciplinary actions when
there is sufficient evidence to do so. In this case, the procedure and the sanctions to

apply will be those established in the legislation on disciplinary or sanctioning
dor that is applicable.
        Likewise, when the infractions are attributable to authorities and managers,

and the existence of technical reports or recommendations for treatment is accredited
that had not been duly attended to, in the resolution imposing the
The sanction will include a reprimand with the name of the responsible position and
will order the publication in the Official Gazette of the State or regional
gives.

        4. The data protection authority must be informed of the resolutions
tions that fall in relation to the measures and actions referred to in the
previous sections.

        5. They will be communicated to the Ombudsman or, where appropriate, to the institutions
of the autonomous communities, the actions carried out and the resolutions

tions issued under the protection of this article.
        6. When the competent authority is the Spanish Agency for the Protection of

Data, it will publish on its website with due separation the resolutions related to
to the entities of section 1 of this article, with express indication of the
identity of the person in charge or in charge of the treatment that had committed the infringement
tion.

        When the competence corresponds to an autonomous protection authority
of data will be, in terms of the publicity of these resolutions, to what is available
its specific regulations ”.

        In the assumption that concerns us and as indicated previously, the present
sanctioning procedure evidences that the defendant has not adequately informed-
mind in relation to the control of access to the facilities of the training center

using a fingerprint system, as an alternative and voluntary system to that of the
firm.
        In accordance with the evidence available, such conscientious conduct

It constitutes an infringement of the provisions of article 13 of the RGPD.
        The RGPD, without prejudice to the provisions of its article 83, contemplates in its article

Article 77 the possibility of resorting to the sanction of warning to correct the treatment
of personal data that do not conform to their forecasts, when they respond to
sabers or managers listed in section 1 committed any of the infractions
regulations referred to in articles 72 to 74 of this organic law.

        However, the defendant has stated that the management of the
CIPF SOMESO the immediate cessation of the use of the access and time control system
by fingerprint, as well as the erasure of biometric data that were required
fitted to such an object and of any trace thereof and, furthermore, that the

center of the need to communicate to the data protection officer of the Conse-
The forecast of contracting any service or supply that could involve
ner an innovative treatment of personal data of students, their families,
lias or the staff of the center itself, so that the data protection officer
could advise in a timely manner on the legality of said treatment and supervise the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/14








GDPR compliance. Likewise, it has been pointed out that to prevent them from repeating
similar situations arise, the Department is working on updating
and expansion of the Data Protection Protocol in the educational field for homo-

Generate, as far as possible, the requirements and measures to be adopted regarding the protection of
data, in the hiring carried out directly by the educational centers.
        On the other hand, the defendant has also considered relevant to point out that:

        - He is fully aware of the special sensitivity of personal data.
treated by some of its services, as well as by dependent educational centers.

teeth of the same, and especially, those related to minors.
        - That, among said adaptation works, there are:

               - The review and analysis of each of the treatments carried out, according to
        its purposes and bases of the treatment, which suppose the corresponding act
        lization of the record of processing activities on the already published to the

        entry into force of the LOPDGDD, and which will be disseminated through the page
        corporate gina of the Xunta de Galicia

               - The review and update of informative clauses for people
        interested parties (adaptation of the legitimizing bases of the special treatment
        regarding the applicability of consent) and the necessary
        to regulate the relationship responsible-person in charge of the treatment or between
        ponsables in your case.

        - Carrying out the corresponding risk analyzes and evaluations of
        impact on data protection.

        - The provision of training sessions on personal data processing
        sonals addressed to the staff of the Consellería.

        - Once the adaptation work has been completed, the Delegate for the protection of
        data of this Department will send an informative circular in this regard addressed to
        users of the information system in which the status of di-
        chos works, the main documentation and regulations on the matter.



        Therefore, in light of the foregoing, it is considered that the response of the claim
has been reasonable and its action diligent, correcting the incidence not proce-
urging the adoption of additional measures, since the sus-

pension of the fingerprint access control system, as well as the erasure
of the biometric data that were collected, adopting other types of measures of quality
technical and organizational nature in accordance with the regulations on protection
tion of data indicated above and avoid reoccurring situations.
such as the one that gave rise to the present claim, which is the main purpose of
the procedures with respect to those entities listed in article 77 of the

LOPDGDD.


Therefore, in accordance with the applicable legislation and the graduation criteria assessed
tion of the sanctions whose existence has been proven,

The Director of the Spanish Data Protection Agency RESOLVES:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/14








FIRST: IMPOSE THE CONSELLERÍA DE EDUCACIÓN, UNIVERSIDAD Y TRAMA-
PROFESSIONAL TION OF THE XUNTA DE GALICIA, with NIF S1511001H, for an
fraction of article 13 of the RGPD, typified in article 83.5.b) of the RGPD, a san-

warning in accordance with the provisions of article 77 of the LO-
PDGDD.

SECOND: NOTIFY this resolution to the CONSELLERÍA DE EDUCACIÓN,
UNIVERSITY AND VOCATIONAL TRAINING OF THE XUNTA DE GALICIA, with NIF
S1511001H.


       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.

       Against this resolution, which ends the administrative procedure in accordance with art.

48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPA-
CAP, the interested parties may file, optionally, an appeal for reconsideration before
the Director of the Spanish Data Protection Agency within one month to
count from the day after the notification of this resolution or directly appeal
contentious administrative procedure before the Contentious-Administrative Chamber of the
National authority, in accordance with the provisions of article 25 and section 5 of the

Fourth additional provision of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-administrative diction, within two months from the day if-
following the notification of this act, as provided in article 46.1 of the aforementioned
Law.


       Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPA-
CAP, the final administrative resolution may be suspended provisionally if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through

of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the ci-
Tada Law 39/2015, of October 1. You must also forward to the Agency the documentation
tion that proves the effective filing of the contentious-administrative appeal. Yes
the Agency was not aware of the filing of the contentious-administrative appeal
nistrative within a period of two months from the day following the notification of the

This resolution would terminate the precautionary suspension.

                                                                      Mar Spain Martí
                              Director of the Spanish Agency for Data Protection













C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es