AEPD (Spain) - E/00647/2019 - CO/00198/2020
AEPD (Spain) - E/00647/2019 - CO/00198/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(16) GDPR Article 4(22) GDPR Article 4(23) GDPR Article 60(8) GDPR Article 80(2) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | 18.11.2021 |
Fine: | None |
Parties: | FACEBOOK IRELAND LIMITED FACUA - ASOCIACIÓN DE CONSUMIDORES Y USUARIOS EN ACCIÓN |
National Case Number/Name: | E/00647/2019 - CO/00198/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Carmen Villarroel |
The Spanish DPA referred a case to the Irish DPA regarding Facebook transfers of data to third parties. The Irish DPA rejected the case, since Ireland has not implemented Article 80(2) GDPR and the consumer organisation that brought the claim in Spain could therefore not act without an individual mandate.
English Summary
Facts
A consumers organisation lodged a complaint with the Spanish DPA (AEPD) against Facebook, since according to a series of news articles, Facebook had shared their users' personal data with over 150 third organisations without the users' consent.
Holding
The AEPD referred the complaint to the Irish Data Protection Commission (DPC) through the Internal Market Information system (IMI), since Facebook Ireland has their main establishment in Ireland, pursuant to the definition set by Article 4(16) GDPR. And, since the DPC is the lead authority with regard to Facebook Ireland, the DPC is in charge of cases regarding Facebook's international transfers of personal data, in accordance to Article 4(23) GDPR.
According to the AEPD, there are other concerned DPAs in this case, as defined in Article 4(22) GDPR: Spain, Belgium, Rhineland-Palatinate, Netherlands, Lower Saxony, Italy, Luxembourg, France, Sweden, Thuringia, Hesse, Norway, Berlin, Hungary, Finland, Saarland, Slovenia, North Rhine-Westphalia, Portugal, Slovakia, Greece, Austria and Poland.
The DPC rejected the case, alleging that it came from an organisation without an individual mandate. According to the DPC, Ireland has not implemented Article 80(2) GDPR and therefore the authority cannot handle a complaint lodged by an organisation mentioned in such Article (a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data).
Since the case had been rejected, the AEPD manifested that it was the competent authority to notify the complainant, in accordance with Article 60(8) GDPR. Therefore, the AEPD archived the proceedings, without prejudice of the consumers organisation lodging a new complaint following the mandate of an individual data subject.
Notwithstanding, according to the DPC, these facts are currently under investigation by the DPA within the competences attributed to it as lead authority.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6 N / Ref .: E / 00647/2019 - CO / 00198/2020 RESOLUTION OF ACTION FILE Of the actions followed on the occasion of the claim presented in the Agency Spanish Data Protection, for alleged violation of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons with regard to data processing personal data and the free circulation of these data (hereinafter, RGPD) and having as a basis the following FACTS FIRST: Dated December 26, 2018 and with entry registration number 212801/2018, a claim had entered this Agency, related to a Cross-border processing of personal data carried out by FACEBOOK IRELAND LIMITED, presented by FACUA - ASSOCIATION OF CONSUMERS AND USERS IN ACTION (hereinafter, the claimant) for an alleged violation of Article 6.1 of the RGPD. The grounds on which the claimant bases the claim are related to the fact that the social network Facebook could have shared the data of its users with more than 150 companies without the consent of the users, as collected in several newspaper articles. Along with the claim, the urls of several articles collected in the press are provided Spanish in which information is provided on the matter and a copy of said articles. *** URL.1 *** URL.2 *** URL.3 SECOND: FACEBOOK IRELAND LIMITED has its main establishment or unique in Ireland. THIRD: Taking into account the cross-border nature of the claim, with On February 22, 2019, the claim was forwarded to the authority control authority of Ireland as it is competent to act as a supervisory authority main, in accordance with the provisions of article 56.1 of the RGPD, agreeing to the file provisional procedure. FOURTH: This referral was made through the "Market Information System Interior ”(IMI). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/6 However, the Irish supervisory authority rejected the case, as it came from a association without an individual mandate. As explained by the Irish supervisory authority, the national law that completes the GDPR in Ireland (the “Irish Data Protection Act 2018”) has not implemented its art. 80.2, and, by Therefore, this authority cannot manage a claim filed by an entity, non-profit organization or association that has been properly constituted under the law of a Member State, the statutory objectives of which are to public interest and act in the field of protection of rights and freedoms of those interested in the protection of their personal data, with independence of the mandate of an interested party. FIFTH: Notwithstanding the foregoing, these events are being the subject of a research carried out by the DPC within the competences it has attributed as main authority. FOUNDATIONS OF LAW I: Competition In accordance with the provisions of article 60.8 of the RGPD, the Director of the Agency Spanish Data Protection is competent to adopt this resolution, according to the provisions of article 47 of Organic Law 3/2018, of December 5, of Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). II: Internal Market Information System (IMI) The Internal Market Information System is regulated by the Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of 25 October 2012 (IMI Regulation), and its objective is to promote cooperation administrative cross-border, mutual assistance between Member States and the information exchange. III: Determination of the territorial scope As specified in article 66 of the LOPDGDD: "1. Except in the cases referred to in article 64.3 of this organic law, the Spanish Agency for Data Protection must, prior to carrying out of any other action, including the admission for processing of a claim or the commencement of preliminary investigative actions, examine their competence and determine the national or cross-border character, in any of its modalities, of the procedure to follow. 2. If the Spanish Agency for Data Protection considers that you do not have the condition of the main supervisory authority for the processing of the procedure will send, without further ado procedure, the claim made to the main supervisory authority that considers competent, so that it is given the appropriate course. The agency C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/6 Española de Protección de Datos will notify this circumstance to who, if applicable, would have made the claim. The agreement by which the referral referred to in the previous paragraph is resolved will involve the provisional filing of the procedure, without prejudice to the fact that the Agency Spanish Data Protection Issue, if applicable, the resolution to the one referred to in section 8 of article 60 of Regulation (EU) 2016/679. " IV: Main establishment, cross-border treatment and supervisory authority principal Article 4.16 of the GDPR defines "main establishment": "A) in what refers to a person responsible for the treatment with establishments in more than one Member State, the place of its central administration in the Union, unless decisions about the purposes and means of treatment are take in another establishment of the person in charge in the Union and the latter establishment has the power to enforce such decisions, in which case the establishment that made such decisions shall be deemed main establishment; b) in what refers to a person in charge of the treatment with establishments in more than one Member State, the place of its central administration in the Union or, if it lacks this, the establishment of the person in charge in the Union where the carry out the main treatment activities in the context of the activities of a manager's establishment to the extent that the processor is subject to specific obligations under this Regulation" For its part, article 4.23 of the RGPD considers "cross-border treatment": "A) the processing of personal data carried out in the context of the activities of establishments in more than one Member State of a controller or a processor in the Union, if the controller or the the person in charge is established in more than one Member State, or b) the processing of personal data carried out in the context of activities of a single establishment of a manager or manager of the treatment in the Union, but which substantially affects or is likely to substantially affects interested parties in more than one Member State " The RGPD provides, in its article 56.1, for cases of cross-border processing, provided for in its article 4.23), in relation to the competence of the main control, that, without prejudice to the provisions of article 55, the authority of control of the main establishment or the sole establishment of the person in charge or The person in charge of the treatment will be competent to act as a control authority principal for the cross-border processing carried out by said controller or commissioned in accordance with the procedure established in article 60. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/6 In the case examined, as stated, FACEBOOK IRELAND LIMITED has its main or sole establishment in Ireland, so that the supervisory authority of Ireland is competent to act as the lead supervisory authority. V: interested control authority In accordance with the provisions of article 4.22) of the RGPD, it is the Authority of interested control, the control authority affected by the data processing personal because: a.- The person in charge or in charge of the treatment is established in the territory of the Member State of that supervisory authority; b.- The interested parties who reside in the Member State of that authority of control are substantially affected or are likely to be substantially affected by the treatment, or c.- A claim has been filed with that control authority. In these proceedings, they act as the "interested supervisory authority" the supervisory authorities of: Spain, Belgium, Rhineland-Palatinate, the Netherlands, Lower Saxony, Italy, Luxembourg, France, Sweden, Thuringia, Hesse, Norway, Berlin, Hungary, Finland, Saarland, Slovenia, North Rhine-Westphalia, Portugal, Slovakia, Greece, Austria and Poland. VI: Cooperation and coherence procedure Article 60 of the RGPD, which regulates the cooperation procedure between the main supervisory authority and the other interested supervisory authorities, has in its section 8, the following: 8. Notwithstanding the provisions of section 7, when a claim, the supervisory authority to which it has been submitted will adopt the decision, will notify the claimant and inform the data controller. " VII: Question claimed and legal reasoning. In this case, it has been submitted to the Spanish Data Protection Agency claim for an alleged violation of Article 6.1 of the RGPD, related to a cross-border processing of personal data, carried out by FACEBOOK IRELAND LIMITED. The grounds on which the claimant bases the claim are related to the fact that the social network Facebook could have shared the data of its users with more than 150 companies without the consent of the users, as collected in several newspaper articles. The aforementioned claim was transferred to the DPC as it was competent to act as main supervisory authority. However, the claim was rejected, as it came from of an association without an individual mandate. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/6 As explained by the Irish supervisory authority, the national law that completes the GDPR in Ireland (the “Irish Data Protection Act 2018”) has not implemented its art. 80.2, and, by Therefore, this authority cannot manage a claim filed by an entity, non-profit organization or association that has been properly constituted under the law of a Member State, the statutory objectives of which are to public interest and act in the field of protection of rights and freedoms of those interested in the protection of their personal data, with independence of the mandate of an interested party. However, the DPC has also reported that these events are being subjected to of an investigation that they are carrying out within the competences that it has attributed as main authority. So, taking into account that Ireland has not implemented the provision contained in art. 80.2 of the RGPD, but that the reported events are being object of an investigation by the DPC, the file of this claim proceeds without prejudice to the fact that FACUA may present another claim as a representative of an interested party as provided in article 80.1 of the RGPD, providing the mandatory power of attorney. Therefore, in accordance with the provisions, by the Director of the Spanish Agency for Data Protection, HE REMEMBERS: FIRST: PROCEED TO THE FILE of the claim presented, dated February 26, December 2018 and with entry registration number 212801/2018 SECOND: NOTIFY this resolution to the CLAIMANT In accordance with the provisions of article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, and in accordance with the provisions of the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may file, optionally, an appeal for reconsideration before the Director of the Agency Spanish Data Protection within a period of one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the provision Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction Contentious-Administrative, within two months from the next day upon notification of this act, as provided in article 46.1 of the aforementioned Law. 1103-160721 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/6 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es