AEPD (Spain) - EXP202104896
AEPD - EXP202104896 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 9(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 10.000 EUR |
Parties: | n/a |
National Case Number/Name: | EXP202104896 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Bernardo Armentano |
AEPD held that the requirement of a vaccine passport or a negative test for Covid-19 to access a table tennis test site violated Article 9(2) GDPR, The controller was fined 10.000 euros.
English Summary
Facts
Federación Nacional de Tenis de Mesa, the data controller, organized a test for certification of table tennis coaches. After registering for the test, the data subject received an email requiring the submission of a Covid-19 vaccine passport or a negative PCR test in order to be allowed to access the location where the test was going to take place. In response, the data subject argued that such a requirement needed a legitimate basis. Before the day of the test, the controller sent a list to the owner of the location informing the name and the identity number of those who have met the entry requirements. The data subject filed a complaint with the Spanish DPA claiming that they were forced to provide information about their health. The data controller alleged that the purpose of the data processing was preventing the spread of COVID-19. According to the controller, the processing was necessary to protect vital interests of the participants and was carried out in the public interest in collaboration with the Public Administration.
Holding
First, the AEPD emphasized that the approval of sanitary rules must be made in accordance with the general prevention and hygiene measures against COVID-19 indicated by public health authorities. In the case at hand, it observed that the sanitary regulations in force at the time of the test did not require vaccination certificates or any diagnostic infection tests, such as PCR. The AEPD also recalled that exam participants are not employees and, therefore, not subject to occupational risk prevention laws. With regard to the alleged legal basis for the processing of health data, the AEPD rejected the vital interest clause as participants were able to give their consent. Similarly, it considered that sports federation are not public entities and, for this reason, cannot rely on public interests nor on the exercise of public powers. In addition, the AEPD pointed out that there were other measures that were less intrusive to the privacy of the participants. For instance, it would be sufficient to request them to show said documents when entering the test site. For these reasons, the AEPD ruled that the data controller did not have a legal basis for the processing of health data and concluded that they violated Article 9(2) of the GDPR, imposing a fine of 10.000 euros on the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/33 File No.: EXP202104896 - RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) on 11/8/2021 filed claim before the Spanish Data Protection Agency. The claim is directed against ROYAL SPANISH FEDERATION OF TABLE TENNIS with NIF Q2878038E, (RFETM), and against the SUPERIOR SPORTS COUNCIL, (CSD). The reasons on which The claim is based on the following: On 11/20/2021, he had to appear to take the tennis coach exam table in the facilities of the ***RESIDENCIA.1, Madrid, dependent on the CSD. On 11/2/2021, he received an email of which he provides a copy, from RFETM (sports management) in which they explain based on a previous email, by indicating "I understand what we comment" and indicates that: "the Residence establishes as a mandatory requirement to be able to access its facilities be vaccinated. They ask us as a Federation, that Let's certify that all attendees have the full vaccine schedule. For For this we need attendees to certify that they have completed the vaccination through of a document that accredits it."" ... I propose that you send the document to the RFETM medical adviser, Doctor..., in order for your medical data to remain protected. The doctor's email is …@gmail.com. In case of not proving that you have with the vaccine we cannot certify that you have it. We just need you to help us be able to find a solution." You consider that you are required to deliver documents related to your health data and I don't know if there is an obligation. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5/12, of Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on 11/29/2021 the claim was transferred to the RFETM and the CSD so that they proceed to their analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. Although the notification was validly made for both entities, only the RFETM on 12/28/2021, indicating: 1) The coach exams are called by the RFETM for those who wish to obtain the title, in accordance with the powers regulated in Sports Law 10/1990 of 10/15. 2) As a consequence of the pandemic, in order to be able to take the exam in the Residence facilities, "it is necessary in accordance with the applicable regulations C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/33 in this regard, the monitoring of a health protocol, in order to preserve the health of all participants, members of the Residence and members of the RFETM (workers).” "The protocol was prepared jointly by the Federation and the Department of CSD facilities, by virtue of the obligations imposed on the Federation and the CSD as organizer of the activity and owner of the center where the tests were carried out, among other regulations, by law 2/2021, of 03/29, on urgent prevention measures containment and coordination to deal with the health crisis caused by the COVID-19, articles 5, 15 and 16 in order not to spread the virus and preserve health.” It does not provide a copy of the protocol. 3) By email, all applicants for the exam were informed, including the claimant, that for access to the examination room "they had to provide the certificate of vaccination well to an email address of the Director of Activities Sports or through their simple display at the entrance to the classroom.” 4) The claimant initially opposed submitting the certificate, requesting its withdrawal of said requirement, responding the Federation "on 2/11 and by the same means of send the document to the medical adviser of the Royal Federation, the doctor... in order to that your medical data is protected", without the defendant taking advantage of this alternative. However, those responsible for "Training, and the course, of the RFETM continued in its attempt to offer alternatives" and a solution to the claimant, "offering him the possibility of to provide at the time of the examination a PCR test carried out within the previous 72 hours, which would allow us to safeguard their own integrity and the integrity of the rest of the participants, informing to this effect by telephone to the interested in dates prior to the exam.“ Provide a copy of the letter of 11/11/2021, addressed to the claimant in which he gives the two alternatives. “However, and in response to the brief presented on his behalf by his lawyer, objecting to presenting the vaccination certificate, dated 11/18, he was answered in the same sense in which he had been informed by telephone, that is, offering him the alternative to presenting the negative certificate of the PCR test”. Provide a copy of writing the one offered by the two alternatives. "On the day appointed for the examination, the claimant appeared at the place and at the indicated time, and exhibited at the entrance of the same, negative certificate of the PCR Test, within 72 hours prior to the activity, allowing access to the facility and being able to perform the test." 5) “Once the activity was finished, all vaccination certificates were destroyed COVID-19 of the rest of the students sent to the email address of the responsible for the treatment, which were sent freely and with consent, and with knowledge of the purpose of the health data requirement”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/33 6) Considers that “in accordance with art. 6 of the GDPR, the processing of data, when at least one of the following conditions is met, the interested party gave your consent for one or more specific purposes, as the case may be; the treatment is necessary to protect vital interests of the data subject or of another natural person, objective end of the protocol adopted by the CSD and the RFETM”. “On the other hand, as it deals with data that could be considered special categories, the processing is justified (mere display) under art. 9 h) of the aforementioned GDPR in order to prevent the rights of the workers of the RFETM and the residence of athletes, and for the purposes of social utility, already mentioned, of prevention of spread of the virus, in sports facilities, the residence of athletes from Alto performance "JOAQUIN BLUME" In this sense, also refer to the regulations on occupational risk prevention, since there are labor personnel in the same, being a obligation of the companies, in accordance with the instructions of the Ministry of Health and the aforementioned regulations, to establish all the necessary measures to preserve the health and the spread of the virus 7) They have not proceeded to the data processing but have limited themselves to verifying that the necessary circumstances were present to be able to attend the sports center dependent on the CSD, in accordance with the protocol established for this purpose. It considers that the data has not been processed, has not been stored, limiting itself to the mere examination of the documentation that validated access to sports facilities. "No list of people excluded or included has been carried out, nor has proceeded to no storage of said data.” The interested party had two alternatives: medical certificate of vaccination or negative PCR, and exhibiting the latter, they consider that this measure was not established as mandatory, but as an alternative and always on a voluntary basis. “The claimant only showed the result of the test, without providing or collecting any data identification of the same, but an opposition to the requirements of access to a venue closed property of the CSD.” “The decision to request the COVID certificate, or failing that, the PCR test, was a measure agreed between facilities of the Higher Sports Council and the Royal Spanish Table Tennis Federation”. THIRD: On 01/24/2022, in accordance with article 65 of the LOPDGDD, the admitted for processing the claim presented by the claimant. ROOM; On 05/03/2022, the Director of the AEPD agreed: "START SANCTION PROCEDURE against ROYAL SPANISH FEDERATION OF TABLE TENNIS, with NIF Q2878038E, for the alleged violation of the articles: -6.1 of the GDPR, in accordance with article 83.5.a) of the GDPR and article 72.1.b) of the LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/33 -9.2 of the GDPR, in accordance with article 83.5.a) of the GDPR and article 72.1.e) of the LOPDGDD. “ "For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, on Procedure Common Administrative Law of Public Administrations, the sanctions that could correspond would be 6,000 euros and 10,000 euros, without prejudice to what results from The instruction." FIFTH: The defendant makes allegations on 05/17/2022, indicating: 1) The exam that was held on 11/20/2021, was the last test of the completion of the compulsory face-to-face part of a call for the level 1 sports technician course in table tennis, summoned through circular 43, season 2020/2021, dated 03/16/2021. It does not appear from the access requirements that at the time of the course You must have a federal license. 2) On 10/14/2021, an email was received from the CSD that addressed all the Federations in which it was notified "updating of access regulations to the Center for High Yield (CAR)", indicating that the "complete vaccination schedule" was necessary and "if could not be due to a medical prescription, it would be necessary to provide a proof of antigen or PCR no older than 24 hours”. It also required the submission of two lists "certifying complete vaccination", one with athletes (internal scholarship recipients, external and long-lasting concentrates, and another with those authorized to use facilities-attached file to provide the requested information-, having the Rules effective from 10/25/2021. Provide a copy of the email sent that so testifies in which it is appreciated that it is due to "the changes in the protocols of the Covid- 19 and given the evolution of the pandemic and the preventive measures that have been taken”, As recipients, the multiple Spanish Federations appear. 3) On 10/15/2021, the defendant informed the students that access to the exam in the CAR, required, at the request of the center, the "COVID passport". It does, however, provide... an email dated 05/15/2022, addressed from the formation of the defendant, to different emails, from informative type about the exam that will be in the Blume Residence, and "to access there it is the COVID passport is necessary” ”We would need you to send us your passport COVID to this email”. 4) Provide the claimant, a copy of the claimant's email dated 10/26/2021, of which the following stands out: – “I am replying to the email dated 10/15/2021 that you sent me, requesting that I send you the COVID passport as a condition of access to the Residence…”, he continues indicating that health data is being requested and that a legitimate basis would be required to request them with In order to access the exam site, whether public or private, "I ask you to confirm that I can access the > Blume Residence for the common block exam of the course from > Level 1 Trainer, without sending you the COVID passport.” -It is followed by another email from the claim of the same day, indicating that it is forwarded to the responsible. 5) On 11/8/2021, a claim was received on behalf of the claimant to be removed- meet the vaccination requirements. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/33 The defendant states that she "directed several official communications, reiterating the double possibility of presenting a vaccination certificate or exhibiting a negative test, adding the mail of the doctor of the entity to which it can be directed, with dates 1 1 and 11/18/2021. All students were able to take advantage of the double option of presenting the certificate or the negative test, accessing all of them and the training staff of the Federation to Residence (provides doc 6)”. In it, he addresses exclusively the claimant, explains that the need to provide the data comes from "regulations agreed", and that "The regulations for access to the examination site are clear and includes different options such as the presentation of a negative PCR test performed within 72 hours prior to taking the exam or submitting the vaccination schedule certificate. “…unfortunately from the Royal Federation Table Tennis Association we must indicate that D. must, if he wants to appear at the exam next Saturday, November 20, meet the requirements established by those responsible for the facility, in this case the Higher Sports Council, in the same conditions as the rest of the classmates who will be examined on this date, thereby protecting public health. 6) He considers that he has a legitimizing basis for the treatment of data, considering that he Article 8.2 of the LOPDGDD would be applicable, considering that the law from which derives the treatment that enables the exercise of public powers, acting as collaborating agent, which was carried out in this case, related to the training of its sports technicians, is Sports Law 10/1990, which gives the Federations said public powers. In addition, it reiterates the legitimacy of the treatment to protect vital interests of the interested party based on the report of the Legal Cabinet of the AEPD 17/2020 and recital 46 of the GDPR. He considers that his actions could only be subject to a warning, as indicated by the article 77 of the LOPDGDD, since he acted in the call and execution of the course of coaches, public function of an administrative nature, including the part of the organization and conduct and conditions of said examination in the CAR as well, as exercise of public functions of an administrative nature, acting in this case as collaborating agent of the Public Administration, in accordance with article 33.1.d) of the Sports Law, and under the control and supervision of the CSD. As a comparison, he gives the example of the disciplinary procedure file, in Resolution R/00985/2011, which filed and opened an infraction by Public Administration, according to the then current LOPD, 15/1999. 7) Alludes to the decision of the TS, fourth section contentious administrative chamber, 1112/2021 of 09/14/2021, to certify that the display of the COVID passport does not violates the right to equality, and that appreciates an objective and reasonable justification for allow or not access to the corresponding establishment, since it is about the protection the health and lives of people in a way that prevents or restricts the spread of the pandemic. "In the same way, the court rules out the violation of the fundamental right to Protection of Personal Data when what is established to enter the interior of a certain establishment is the mere exhibition, that is to say, to teach to show the Documentation in any of the three required modalities. Without, of course, can collect the data of those attending such premises, nor can a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/33 file, nor do a computer processing in this regard" In this case, "the students They voluntarily chose to send the documentation to the email of the Technical Director of the RFETM or display it at the entrance to the venue. The CSD was transferred a list with the names of the members who could access the Center and pass the security control that the CAR has established" 8) The imposition of the CSD and the good faith of the defendant means that the fact cannot be considered unlawful, acting in a "state of necessity". The non-request of the documentation would mean not being able to finish your task. 9) It must be considered that the CAR is a main center of reference in sport, where more than 250 elite athletes live, hence more regulations are imposed strict within its contingency plan. The CSD requirement applies to all people who access the premises of the CSD, and the protocols and contingency plans adopted by the CSD, come from Order 1362/2021 of 10/21, of the Ministry of Health of the CCAA of Madrid, by which Order 1244/2021, of 1/10, is modified by which establishes preventive measures to deal with the health crisis caused by COVID-19. Considers that in view of the special circumstances of the access center, the epidemiological situation, there is legitimacy for the treatment of data contemplated in article 9.2 of the GDPR based on section h) and i) of said article. In the first case, under the guarantee of a professional, the medical doctor of the Federation, B.B.B., citing article 9.3 of the GDPR. 10) Regarding economic sanctions, for the infringement of article 6.1 of the GDPR, contemplated in the provisions of section 83.2.a), indicates that the purpose of the treatment was to comply with the mandate of the CSD, none of the members of the course that had to attend the exam suffered any type of damage or harm, since they voluntarily communicated the requested data, understanding that they carried out a clear action affirmative. The circumstances of 83.2.b) of the GDPR would not apply, since the defendant does not have premises where to carry out public functions of an administrative nature-exams- must use the premises of the CSD, and abide by the rules on access and use that the same impose. Article 83.2.c) of the GDPR has not been taken into account, since the RFETM tried to accommodate the demands of the CSD to the manifestations against the claimant, understanding their position and trying to offer new alternatives. Regarding the amount for the infringement of article 9 of the GDPR, consider the category of health data would be implicit in the typification, so it cannot be aggravating, and on that of 83.2.d) of the GDPR, they only requested the strictly necessary data that were treated, only for the intended purpose, they were not stored, being limited to communicate to the CSD “that the people who were going to access the premises complied with the access requirements” imposed by the CSD. SIXTH: On 11/11/2021, a testing period begins, assuming they have been reproduced for evidentiary purposes, the claim filed by the claimant and its documentation, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/33 the documents obtained and generated during the phase of admission to processing of the claim, and previous actions that are part of procedure E/12548/2021. Likewise, the allegations to the agreement to start the procedure are reproduced referenced sanctioner, presented by the defendant and the documentation that they accompanies. In addition, it is decided to request: -To the claimed, report or contribution: a) Number of people who were examined and confirm if all the people who they took the table tennis sports technician course they had to have a license federative. On 11/28/2022, a response is received. Reproduces the general and specific requirements of circular 43 season 20/21 and in It is not found that they should be federated, although the defendant states that all of them were federated on the date of the exam, providing a certificate, adding A total of 20 students attended. a) How did you respond to the reasoned request that on behalf of the claimant Did they register on 11/8/2021 about the non-enforceability of the COVID passport? He moved to CSD? He was told that the conditions were imposed by the CSD, and that the RFETM did not had jurisdiction to modify said protocol. c) If the verification of entrance to the access to the exam was carried out by personnel of the claimed or from the CSD, of the residence?, and if they were given any list for verification of access of people. He states that access control was carried out by the CSD security service. The defendant sent to the CSD on 11/19/2021, a list of students who had presenting a vaccination certificate or negative test. Provide a copy of document number 1, which contains said certificate of students who had presented their "certificate of vaccination or a negative PCR test in the previous 72 hours”. format contains name and surnames, and NIF, of 29 people. "On 11/20, since there were two people not included in the list, a communication to the CSD and to the surveillance and security service of the same, together with the claimant who appeared with a negative PCR test on the same day 20 at the gates" and from which also had to certify. Provide document 2, e-mail in which this is communicated inclusion with names and surnames in the same terms as those in the list. The message It is sent with a copy to various addresses with csd domain, including Security and an address with domain gmail.com, in addition to various addresses of the RFETM. c) If the possibility of presenting a vaccination certificate or negative test was communicated and was offered only to the claimant or to other persons, accrediting the communication to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/33 all participants. If the final admission with antigen test or PCR that uses the claimant, was consulted by the defendant to the CSD, documents that prove it. He answers that this possibility “was offered and known by all the students”. One of the emails that were sent is provided where they are reminded that they can send vaccination certificate or negative test and this is how it is viewed in document 3, e-mail of 11/17/2021, adding that "for both cases to those who have not already sent it, it is necessary to send it urgently to ***EMAIL.1.” He adds that the CSD sent an email on 12/17, which contains new guidelines for access to the CAR in Madrid . "-If it is the first time that the Madrid CAR is accessed, the corresponding Federation will justify the presentation of a negative antigen test, subsequently it will not be requested test unless they present symptoms, in the case of being vaccinated. -In case of not being vaccinated, you must present a negative test before accessing the CAR, In addition, tests will be carried out every 3 days or 72 hours during the period that accesses the CAR. -In both cases, vaccinated or not vaccinated, if there is an absence of several days per competition, returns from the weekend or for another reason, they must submit proof of negative antigen 24 hours in advance maximum. The federations will be responsible for certifying the results of these tests” It does not provide a document that verifies that it is from the date indicated and the content. d) "Copy of the first communication where the literal and date are appreciated, sent to the claimant, that, in addition to vaccination, he can provide test certificates diagnoses, likewise the first communication to the rest of the people who were going to examine." "In addition, in allegations they stated:" "In compliance with this obligation, the RFETM, dated October 15, 2021, from the training department sends an email informing the students that the The exam will be at the Blume Residence Hall and that in order to access it, the center requires the COVID passport.” However, they provided an email dated 05/15/2022, therefore, it is requested: accreditation of the delivery and content of the text they indicate. In addition, clarification of why in the referred email it is read that they request "passport COVID", when the literal of the CSD indicated "complete vaccination schedule" and "if it is not could by any medical prescription, it would be necessary to provide an antigen test or PCR no older than 24 hours”. It indicates that on 10/15/2021, an email was sent from the training department where students are informed of the location of the exam and that in order to gain access, "the Center will require the COVID passport” ”The fact that in the arguments phase it was provided and The May date appears, it must have been due to some error or overlapping of emails forwarded” “Reference is made to this COVID passport, since the proof of antigens implied an economic cost for the students and the vaccination certificate C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/33 It was free. However, in other emails and conversations with the students, they were communicates the double option. This email is the one used during the course to communicate with the students and there is fluid communication between them and the coaches, federation staff teachers. The students understood the situation generated by COVID as logical. The only student who expressed his qualms in accrediting such extremes, they tried to give him different solutions.” e) The protocol requires "sending lists certifying complete vaccination" to the CSD. Mode and the way in which this communication was put into practice, if it was by sending a copy of the vaccines, photograph of the same, e-mail et., what information was transferred and how many were sent, since the instructions of the CSD were received. The Federation directs to the CSD a list with the students who have accredited the vaccination o Negative PCR dated 11/19/2021 and on the 20th, another email where the name is attached of another 3 students, including the claimant's, these lists have already been provided in document 1 and 2 that contains name and surname and ID of the people who have provided negative PCR or vaccination certificate without distinction between them, do not no further documentation or information is transmitted. The CSD is the one required to be able to access the exam site that the Federation provides List of students who have the complete vaccination schedule or negative test, being the obligation of the Federation to comply with the mandate of the CSD to prepare a list certifying that the students included in it meet these requirements. f) During the transfer they stated: "As a consequence of the current pandemic situation caused by COVID 19, to be able to take the level 1 coach exam, in the premises mentioned, it is necessary in accordance with the applicable regulations in this regard, the monitoring of a health protocol, in order to preserve the health of all participants, members of the residence and members of the Royal Spanish Federation of Table Tennis (workers) The protocol was prepared jointly by the RFETM and the facilities department of the CSD", details are requested in which the RFETM of that joint health protocol, and a copy of it if available. He replied that he did not participate in its preparation, but that his role in front of the It is limited to "the acceptance and fulfillment of the requisitions that communicating to the federations”. g) During the transfer, they stated: that the attendees “should provide a certificate of vaccination, either to the email address of the activities director sports, or by simply displaying it at the entrance to the classroom.", then they added: ”The claimant initially opposed submitting the vaccination certificate, requesting the withdrawal of said requirement from the call, to which was answered by this Federation, on the same date, that is, 11/2, and by the same means, that made us “Get the document to the RFETM medical adviser, Doctor B.B.B., so that he your medical data is protected. The doctor's email is ***EMAIL.2.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/33 In this regard, you are requested to report how many emails were received in both addresses and because two mailboxes were created, the difference between one person and the other, and the course that was given to the contents of those emails, dates and destruction of the documents, proof of destruction, if the person who sent it was verified with some receipt, and how they were used for access on 11/20/2021 of the conducting the face-to-face test. “The students used two email addresses, both official, from the RFETM to send the vaccination certificates or the negative test, ***EMAIL.3 and ***EMAIL.1. “ “The first was the normal channel of communication between students and those responsible for training, and the second was offered two days before the exam due to the need to obtain the necessary data to submit the list and have access to the exam. All students listed in the DOC. No. 1 sent the required documentation to one of those two emails. Only the name of the student was extracted from said documentation, to include it in the list that was transferred to the CSD. All documentation submitted by students was eliminated on November 22, 2021, as stated in DOC No. 5. The mail of doctor B.B.B., (RFETM classifier doctor) was only offered to the claimant, without it being used since he provided PCR just before the exam. In document 5 that it provides, it is indicated that on "11/22/2021 the destruction of the documents attached to emails received at the addresses ***EMAIL.1 and ***EMAIL.3 with the COVID passport concept”. h) Report the role played by your Data Protection Delegation in the claim. “The RFETM did not communicate this circumstance to the Data Protection Delegate, in how much it considered that it was a norm of obligatory compliance by the Federation, considering that there was no room for negotiation or any modification of it. The The Data Protection Delegation became aware of it once the AEPD communicated the claim filed against the RFETM.” -AL CSD, a) Regarding the rules of access given to the Federations (in this case to the Royal Spanish Table Tennis Federation, which was going to hold an examination test on 11/21/2021 at the ***RESIDENCE.1 for coach), informing by email to the different Spanish federations, on 10/14/2021, with the literal: "To access the CAR it will be necessary to be vaccinated with the complete schedule, if it is not could by any medical prescription it will be necessary to provide an antigen test or PCR not older than 24 hours, repeating this test every 72 hours” They are asked for the regulations under the protection of the one they demanded to be able to access said space to the Federations and their members the vaccination or test requirements diagnosis, prior medical accreditation that he could not be vaccinated, as well as the instruction or protocol in which said requirements are formalized. Likewise, if any health authority reported on the necessity or proportionality to require such diagnostic tests or vaccination certificate on Federated or people who As in this case, they agree to use their facilities to take an exam. report C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/33 also if the Data Protection Delegation intervened in the aforementioned requirements providing the report issued if it were the case. b) Protocol or contingency plan in the year 2021-October, to December 2021 on preventive measures to deal with the health crisis of COVID 19. c) Regarding the lists of people from the Federations that they had to communicate for access to the CAR, specifically in this case by the Royal Federation Table Tennis Association, to access the tests to be held at the *** RESIDENCE.1 on 11/21/2021, what procedure for processing this data that received had, and date until which they have been stored, or certification of deletion of the data if it had taken place. Also specifying how many lists the company sent them RFETM, and dates, with copies if they had them. d) If they received observations or complaints from the Federations for the requirement of this type of health data as an obligation for access to its facilities, what response is I hate them. Once the letter was received, the CSD did not respond. SEVENTH: On 12/9/2022, the literal proposal is issued: "That the Director of the Spanish Agency for Data Protection sanctions ROYAL SPANISH FEDERATION OF TABLE TENNIS, with NIF Q2878038E, by: -An infringement of article 6.1 of the GDPR, in accordance with article 83.5.a) of the GDPR, and for the purposes of prescription in article 72.1.b) of the LOPDGDD, with a fine Administrative of 6,000 euros. - An infringement of article 9.2 of the GDPR, in accordance with article 83.5.a) of the GDPR, and for the purposes of prescription in article 72.1.e) of the LOPDGDD, with a fine administrative fee of 10,000 euros.” EIGHTH: On 12/23/2022 the claimed -Dissatisfied with the expression of the fourth proven fact in which it is indicated that "the claimant opposed submitting the certificate requesting the withdrawal of said requirement.” inasmuch as they consider that the claimant opposed "presenting or exhibiting, both the vaccination certificate as well as the negative test carried out in the last 72 hours”. He The complainant, aware of the two alternatives, requested the withdrawal of both options, refusing the mere exhibition, urged that they be "eliminated within a period of 72 hours from the referred protocol any differentiation between vaccinated, people who do not provide their medical and non-vaccinated data”. -Reiterates its lack of guilt, by giving the claimed compliance with the demands of the obligations imposed by the CSD, and directed to all the Federations on 10/14 and the 12/17/2021. He adds that he acted under the conviction that there was a protocol of Sanitary measures approved by the CSD "that prohibits entry into the examination area C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/33 to those users who are not included in a list, who must carry out their own federations, certifying that they have provided a vaccination certificate or test negative made in the 72 hours prior to access”. The Federation did not transfer to the CSD the claim, considering that he was acting having received a mandate, "to certify that the attendees met the entry requirements..." and performs the necessary acts for its compliance, on the basis that it understands that the CSD has approved a protocol that bound them.” -The claimant exhibited the negative result of the test on the same day of the examination before the CSD security personnel, confirming that same day by email the claim to the CSD permission for access. Based on this, it estimates that there was no data processing of the claimant, "without any documentation being collected or transferred", determining access and inclusion in the list of attendees. -Reiterates that they have legitimacy for the treatment of the data of the attendees, and that In this case, there may be several. On obtaining consent due to the fact that there have been people who presented their certificate by sending it by email or showing it when accessing, attendees they had the option of not providing the certificate that did not carry as a sanction not being able to access to the place, but rather having to show it so that the defendant could certify before the CSD his mandate, existing option of one way or another. "So the students who sent the documentation, freely gave their consent for said act, given that they could opt for mere display.” The art. 8 of the LOPDGDD, establishes in relation to said article 6, that “2. He processing of personal data can only be considered based on compliance with a mission carried out in the public interest or in the exercise of public powers vested in the responsible, in the terms provided in article 6.1 e) of Regulation (EU) 2016/679, when it derives from a competence attributed by a norm with the force of law. In this sense, and as previously stated, it is Law 10/1990 itself, of October 15, of Sport, which confers on the federations the exercise of said public powers. Therefore, given that the treatment of the data object of the present file was carried out in the exercise of the public powers conferred on the RFETM as collaborating agent in the training of sports technicians, said action does not contravenes art. 6 LPD, insofar as it establishes that the treatment will be lawful if at least one of the listed conditions is met.” Therefore, it reiterates that, in addition to its own powers, it acts as a collaborating agent of the Public Administration in the training of table tennis sports technicians, exercising by delegation public functions of an administrative nature, under the tutelage of the CSD. It refers to the control and supervision of the rules by which the Federation is governed, from the Statutes that are published by resolution of the CSD, or the Regulation of the national coaching school or sports education. Add or link this acting as a collaborating agent, to the fact that he requested the use of the Residence "Joaquín Blume", dependent on the CSD, since the defendant lacks its own premises and "acts in this matter, under the tutelage and coordination of the CSD." Consider that the holding the exam is one more element in the promotion of sports technicians, "the body that coordinates, supervises and protects, and that ultimately is the one who imposes the rules C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/33 of use of said premises, to exercise the functions by the different Federations sports that by law can be entrusted to him" He believes that sports federations must be considered assimilated to entities referred to in article 77 of the LOPDGDD, and there would be no economic sanction. Furthermore, in In this case, it agrees that the requirement of possible data processing derives from direct requirement of the public body, CSD, which if expressly contemplated in the said precept. "Similarly, reference is made to opinion 6/2014 on the concept of legitimate interest of the data controller, to conclude that it is not admissible in the this file, the existence of protection of vital interests of the interested party or of another natural person, as there is no danger of life or death in case of not treating the data, or a qualified tangible hazard associated with it. However, the position maintained in the Covid Report N/REF: 0017/2020 of the Legal Office of the AEPD, in what it establishes on the same concept that "Said legal basis of the treatment (the vital interest) may be sufficient for the processing of personal data aimed at protect all those people susceptible to being infected in the spread of an epidemic, which would justify, from the point of view of data processing personal, in the widest possible way, the measures adopted for this purpose, including even if they are aimed at protecting unnamed or in principle unidentified persons or identifiable, since the vital interests of said natural persons must be safeguarded, and this is recognized by the data protection regulations personal”. - “Absence of economic benefits.” A fine is expected to be imposed on the federation for an action in compliance with a legally imposed obligation and from which it does not obtain any type of economic benefit. “The Federation economically depends on annual subsidies from the Ministry of Culture and Sports". -Absence of connection of the activity of the Federation with the realization of processing of personal data. In this sense, the LOPD recognizes that circumstance and thus only requires the Data Protection Delegate, to those federations sports, that process data of minors. It stands out a lot in the resolution that is not notified the Data Protection Officer and that this implies more guilty, when, on the contrary, the Law does not require having a data protection officer, when the data of minors is not processed, as was the case in this case when they were all of legal age. (art.34 of the LOPDGDD). - Lack of intentionality in the actions of the Federation. The pandemic situation, mass nature of vaccination, the legislative diversity between the different autonomous communities on requirements for access to the premises, which caused a total confusion when implementing them. -An aggravation of the sanction is requested due to the fact that on the part of the Federation the list requested by the CSD is drawn up and transferred to it. It should be noted that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/33 in said list it is not distinguished if they are vaccinated or not, the remission of the same is necessary for the purpose for which the data was requested and sent to the official CSD emails. All the participants were aware and for this purpose exhibited or contributed the documentation, to appear on the list that the CSD required. In this sense, “estimate that the transfer or communication of data between Public Administrations, while carried out, precisely and solely, to achieve the purpose or one of the purposes for which obeys the very creation of the file and the collection of those, and not, therefore, for the exercise of different powers or powers that deal with different matters, is already covered by the consent initially given by the owner of the data for its collection and treatment. That is, in such a case, the need for a new consent whose specific purpose is that assignment or communication." Supreme Court (Contentious-Administrative Chamber, Section 3) Judgment of April 15, 2002. RJ 2002\4689. -Indicates that the purpose of the treatment was none other than to comply with the mandate of the CSD, autonomous body of an administrative nature through which the action is exercised of the AGE in the field of sport, certifying the requirements established by the CSD, the ultimate purpose being that of students being able to take the technical exam table tennis. -There was no intention to violate any rule or harm the rights of the users. assistants - "There is no claim by any of the students who exhibited or contributed the documentation, given that none of the members of the course that had to attend the examination suffered any type of damage or loss, since they voluntarily communicated The requested data. Including the claimant, who agreed to the examination after showing negative test. All documentation was duly removed upon completion the final exam. “ - Point c) of the aforementioned article "any measure taken by the person in charge or in charge of the treatment to alleviate the damages and losses suffered by the interested parties", given that the RFETM tried to accommodate the demands of the Higher Sports Council to the demonstrations against the claimant, understanding their position and trying to obtain new alternatives without undermining their rights. Note that the claimant, the same day that he formally submitted his complaint to the RFETM, filed a claim with the AEPD. The Federation, oblivious to the interposition of said claim, he addressed the claimant on several occasions to try to reach a solution without the affected party suffering any impairment of their rights, offering the participation of the Federation's medical service, which in any case implies a mitigating and non-aggravating circumstance as described in the proposed resolution. -Provide a copy of the email from the CSD of 12/17/2021, “new access rules CAR Madrid COVID 19", addressed to various Federations, including the one claimed. In it writing indicates that "it will be mandatory to access", "the Federation will justify the negative antigen test presentation", or "if there is an absence of several days per competition”, being responsible for certifying the results of these tests. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/33 PROVEN FACTS 1) The claimant claims that he was going to take an exam on 11/20/2021 to "table tennis coach" who had summoned the defendant and was required to present the complete vaccination schedule against COVID 19. The place where the test is carried out was chosen by the defendant, in the facilities of the "Joaquín Blume" residence, High Performance Center (CAR), owned by the Higher Sports Council. The test of the exam, corresponded to the last of the mandatory face-to-face part, of a Announcement of the level 1 course of sports technician of table tennis. was summoned by circular 43, of 03/16/2021, 2020/2021 season and the date was already determined 11/20/2021 as the exam date. According to the lists provided by the defendant in tests, 32 students finally attended, including the claimant, all of them federated as certified, although it was not a requirement to take the exam. 2) On 10/14/2021, the defendant received an email from the CSD with a copy to all Sports federations in which an update of access regulations was notified to (CAR), Residence, indicating that the "complete vaccination schedule" was necessary and "If it is not possible due to a medical prescription, it would be necessary to provide a proof of antigen or PCR no older than 24 hours”. It also required the referral of lists "certifying complete vaccination", with those authorized to use the facilities-attached file to provide the requested information-, having the Rules effective from 10/25/2021. The email added that it was due to "the changes in the Covd-19 protocols and in view of the evolution of the pandemic and the measures preventive measures that have been taken. The defendant did not have or obtain a copy of the protocol and the CSD did not send a copy of it. 3) Upon request for evidence of the role of the Data Protection Delegation in the claim, the defendant indicated that she did not inform him, considering that "it was a standard of obligatory compliance by the Federation, considering that it was not possible negotiation or any modification of the same.", nor does it appear that it gave knowledge of the claimant's claims, indicating that if he gave notice "When the AEPD became aware of it, it communicated the claim filed against the RFETM” 4) The defendant - training department - communicated on 10/15/2021, to the students that they were going to be examined, that the examination center, Residence J. Blume, of the CSD, required to access to take the exam, the "COVID passport", and "We would need you to You will send us your COVID passport to this email" (for training, used to communicate with students). The claimant sent an email in response to it on 10/26/2021 noting that for this a legitimate basis is required, being health data. The Federation responded on 2/11 (sports management, with a copy to training) that the requirement was imposed by the head of the headquarters, CSD "giving the option of sending the document to the medical adviser of the Royal Federation, the doctor... so that your medical data are protected”, without the defendant taking advantage of this measure or alternative. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/33 On 11/8/2021, the claimant asked the respondent to eliminate the vaccination and was answered in writing dated 11/11/2021, that the conditions came imposed by the CSD, and that the RFETM had no jurisdiction to modify said protocol, existing "the possibility of an alternative such as the presentation of PCR refusal of the last 72 hours” “that they have already tried to expose”. There is another letter from the defendant to the claimant dated 11/18/2021, reiterating that the protocol belongs to the CSD to offer health guarantees to attendees, and protect the public health, reiterating the option of the PCR test to the certified vaccination schedule. 5) It is proven that on 11/17/2021, the defendant informed the students in an email "that they can send a vaccination certificate or negative test” indicating the email address: ***EMAIL.1. 6) The defendant sent a list to the CSD on 11/19/2021, of the students who had accredited to the claimed the presentation of "the vaccine or diagnostic test PCR negative in the previous 72 hours", in the form of a certificate, a total of 29, containing their names and surnames and the NIF. These students sent their vaccination certificates and evidence, without distinguishing the one claimed in the list if it is of one type or another. The claimed indicates that the students used two email addresses, both official, from the RFETM to send you the vaccination certificates or the negative test, ***EMAIL.3 and ***EMAIL.1, the first being the one used as normal between the person in charge of training and the students, the second, were offered two days before the exam due to the need to obtain the necessary data to submit the list and have access to the exam. The claimed indicates that the address ***EMAIL.2, as belonging according to the claimed to a medical advisor from the RFETM, offered himself exclusively to the claimant in an e Response email to the claimant on 2/11, but it was not used. The mode of sending and receiving the list of 11/18/2021 is unknown. The following day, the defendant also communicated to the CSD in an email, a total of three more students, including the claimant, also with name and surname and NIF, certifying that they can access. The e-mail is sent with a copy to various addresses, among others, to a Gmail address, several csd domains, including staff from security, and different sections of the claimed. 7) On the day of the exam, the access control was carried out by the staff of Security stationed at the Residence, and at the access, the claimant appeared and exhibited negative certificate of the PCR Test, confirming in email -proven fact previous - the one claimed that same day to the CSD the permission for access. 8) According to what was expressed by the defendant, access to the Residence is due to a CSD protocol that establishes obligations not to spread the virus and preserve the health, mentioning articles 5, 15 and 16 of Law 2/2021 of 03/29, on measures Urgent measures for prevention, containment and coordination to face the health crisis caused by COVID-19, which do not establish the power to establish enforceability contribution of vaccination certificate or PCR test. The defendant, as a Federation, does not show that it had a part or intervened in the decision of the imposition of the vaccination requirement ordered by the CSD in the mail of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/33 10/14/2021 for access to the Residence, although he has stated that it was a "measure consensual”, has also stated that it was only up to him to obey said requirement, if nor is there evidence that he transferred the various complaints of the claimant to the CSD before said imposition, (three writings) nor to the DPD, since the defendant has stated, that he did not give know the facts to this but when the first letter of the AEPD was entered with the claim. 9) The defendant, despite having stated that the requirement of certification of the vaccination or PCR tests are imposed by the CSD, owner of the facility, considers the treatment lawful based on: -The interested parties gave their consent for "one or more purposes". -The treatment is necessary to protect vital interests of the interested party or of another Physical person. -Carries out a mission of public interest as a collaborating agent of the Public Administration when exercising public functions of an administrative nature (art 30.2 and 33-1-d) of the Law 10/1990 of 10/15 of Sport). -For the treatment of special health data, he stated that it is carried out at the under article 9.h) of the GDPR, based on the prevention of employee health of the RFETM and of the residence, where the tests were held, in order to avoid the virus spread. FUNDAMENTALS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of the digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II The claimant, in the exercise of a right, to qualify as a coach of a modality of the RFETM, must undergo an exam on 11/20/2021 carried out by the RFETM and which is held in some facilities of the “Joaquín Blume” residence, which They depend on the CSD. At the time of submitting the application for the examination, it is not You need to be federated. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/33 The Federations perform various functions in relation to their own field, powers in which they act. Law 10/1990 of 10/15 on Sports states in its article 30: "1. The Spanish sports federations are private entities, with personality its own legal system, whose scope of action extends to the entire territory of the State, in the development of the competences that are its own, integrated by Federations regional sports, sports clubs, athletes, technicians, judges and referees, Professional Leagues, if any, and other interested groups that promote, practice or contribute to the development of sport. 2. The Spanish sports federations, in addition to their own powers, exercise, by delegation, public functions of an administrative nature, acting in this case as collaborating agents of the Public Administration.” Among other functions, which are exercised under the supervision and coordination of the CSD, would be the of “Collaborating with the State Administration and that of the Autonomous Communities in the training of sports technicians”. (art 33 1.d Sports Law) The approval of regulations for health protection and access to residence have to be carried out, in accordance with the provisions of the general measures of prevention and hygiene against COVID-19 indicated by the health authorities. In this case, the CSD rules are not intended exclusively for the staff who attend the exam, They are general access rules that are sent to all Federations by diffusion general. In the same, which are unknown, it was obliged to provide a certificate of vaccination in order to access it. Article 3 of the Organic Law 3/1986, of 14/04, on Special Measures in the field of Public Health, is a norm of coverage of the sanitary measures that involve some restriction of fundamental rights, specifically, when it provides that "with the In order to control communicable diseases, the health authority, in addition to carry out general preventive actions, may adopt the appropriate measures for the control of the sick, of the people who are or have been in contact with the themselves and the immediate environment, as well as those deemed necessary in case of risk of a communicable nature". Law 2/2021 that mentions the RFTM establishes protocols that contemplate ventilation, cleaning and disinfection measures appropriate to the characteristics of the workplaces, entities or holders of economic activities. This Law states that the adoption of necessary measures for its compliance will correspond to the General State Administration with the collaboration of the Autonomous Communities. Nothing is indicated about the vaccination certificates or the obligatory nature of tests of diagnosis of infection such as a PCR. Neither has the CCAA of Madrid issued any regulations that develop measures of specific prevention as a consequence of the evolution of the epidemiological situation derived from the Covid-19, nor therefore explicit and specific about the exhibition requirement documentation of vaccination or diagnostic test to access establishments such as the place where the exam is held, to which attendance is required, in order to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/33 realization. Order 1362/2021 of 10/21 of the Ministry of Health, by which modifies Order 1244/2021, of 10/1, which establishes preventive measures to deal with the health crisis caused by COVID-19, apart from measures preventive measures and the non-obligation to wear a mask when carrying out an activity outdoor sport, does not determine any aspect in terms of the requirement to provide vaccination certificate or diagnostic test. The RFETM indicates that it collected vaccination and test certificates that were sent to two e-mail addresses, one of them the training one, which was operational from the start, and another that was launched shortly after the exam was held. Besides upon receipt of such certificates, they were kept for a while. On the other hand, it they made lists with data to the CSD, and the claimant, in addition to being in a of those lists, he agreed by showing his PCR test. In principle, the claimant urged athletes to have to send by email your “COVID passport”, a term from Parliament Regulation 2021/953 European Union and of the Council of 06/14/2021, or EU digital COVID certificate, which is not specified that it included PCR tests. Taking into account that the option of the PCR tests, was limited, since they must be valid for 72 hours before the exam, it is estimated that vaccination certificates were collected from the notice, 10/15/2021 and only 72 hours before, the aforementioned PCR would have been received, estimating that the Most of them, also because they are free, would be certified. Being the general rule that vaccination is voluntary, moreover, the "performing of diagnostic tests for infection for the detection of COVID-19 are limited to those cases in which there is a prior prescription by a physician and comply with criteria established by the competent health authority.” (second section of Order SND/ 344/2020 of 04/13 establishing exceptional measures to reinforce the National Health System and containment of the health crisis caused by the COVID-19, BOE (04/14/2020). As indicated in the preamble of that standard, it is In this way, it tries to limit the performance of diagnostic tests for the detection of COVID-19 to those cases in which there is a prior prescription by a physician and conform to criteria established by the competent health authority, submitting In this way, the regime for carrying out this type of evidence is based on the prior existence of medical criteria that advise its performance. If this medical indication exists, the scope of the obligation for the assistants to the residence of the CSD. II Based on data collected from exam attendees through vaccination certificates sent to the email addresses recommended by the RFETM, two, there has been a data processing defined in article 4.2 of the GDPR as: “any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/33 extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, comparison or interconnection, limitation, deletion or destruction;" An email and a letter have also been sent, both with complete lists of people who went to examine the CSD on 11/20/2021 for the defendant. Therefore, there has been no mere exhibition of the document, or documents of the examination attendees, as they have been collected, sent, stored, verified and They have created lists and sent e-mails with these data, on which they have been certified, including the claimant, knowing that each one has provided the required data, which that enters into the concept of data processing, for which reason the GDPR. The less intrusive alternative option might have been the mere display on the day of the examination, without any annotation even on the access door on the day of the examination, of the certificates or evidence granting access. In this case, the defendant deals with health data defined in article 4.15 of the GDPR, which indicates: “Health-related data: personal data relating to the physical or mental health of a natural person, including the provision of health care services, revealing information about your state of health;” For its part, Considering (35) "Among the personal data related to health, must include all data relating to the state of health of the interested party that give information about your past, present or future physical or mental health status. (…) all number, symbol or data assigned to a natural person that identifies them in a unambiguous for sanitary purposes; information obtained from tests or examinations of a part of the body or a body substance, including from genetic data and biological samples, and any information relating, by way of example, to a disease, disability, risk of disease, medical history, the clinical treatment or the physiological or biomedical state of the person concerned, regardless of its source, for example a doctor or other healthcare professional, a hospital, a medical device, or an in vitro diagnostic test.” The GDPR establishes a very broad concept of health data, and grants it a regime specific menu, corresponding to the so-called "special categories of data" to referred to in article 9 of the normative text. They are named that way because their processing involves situations in which a serious data protection risk arises, from the consequences that its improper use may have for people, and it is considered so harmful that their treatment is prohibited unless it is applied an exception. Article 9 of the GDPR indicates: "1. The processing of personal data that reveals the ethnic origin or race, political opinions, religious or philosophical convictions, or affiliation union, and the processing of genetic data, biometric data aimed at identifying unequivocally to a natural person, data relating to health or data relating to life C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/33 sexuality or sexual orientation of a natural person. 2. Section 1 shall not apply when one of the circumstances occurs following: a) the interested party gave their explicit consent for the processing of said data personal data for one or more of the specified purposes, except when the Law of the Union or of the Member States establishes that the prohibition mentioned in the section 1 cannot be lifted by the interested party; b) the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the controller or the interested party in the field of Labor law and social security and protection, to the extent that it is authorized Union or Member State law or a collective agreement pursuant to Law of the Member States establishing adequate guarantees of respect for the fundamental rights and interests of the interested party; c) the processing is necessary to protect the vital interests of the data subject or of another natural person, in the event that the interested party is not capable, physically or legally, to give consent; d) the treatment is carried out, within the scope of its legitimate activities and with the due guarantees, by a foundation, an association or any other body without profit, whose purpose is political, philosophical, religious or trade union, provided that the Treatment refers exclusively to current or former members of such bodies or persons who maintain regular contact with them in relation to their purposes and as long as the personal data is not communicated outside of them without the consent of the interested parties; e) the treatment refers to personal data that the interested party has made manifestly public; f) the treatment is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function; g) the processing is necessary for reasons of essential public interest, on the basis of the law of the Union or of the Member States, which must be proportional to the objective pursued, essentially respecting the right to data protection and establish adequate and specific measures to protect the interests and rights fundamentals of the interested party; h) the treatment is necessary for the purposes of preventive or occupational medicine, evaluation of the worker's work capacity, medical diagnosis, provision of assistance or health or social treatment, or management of assistance systems and services health and social, on the basis of Union or Member State law or in under a contract with a healthcare professional and without prejudice to the conditions and guarantees referred to in section 3; i) the processing is necessary for reasons of public interest in the field of health such as protection against serious cross-border threats to health, or to guarantee high levels of quality and safety of health care and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/33 medicines or medical devices, on the basis of Union law or of the Member States to establish adequate and specific measures to protect the rights and freedoms of the interested party, in particular professional secrecy, j) the processing is necessary for purposes of archiving in the public interest, purposes of scientific or historical research or statistical purposes, in accordance with article 89, paragraph 1, on the basis of Union or Member State law, which must be proportional to the objective pursued, essentially respect the right to protection of data and establish adequate and specific measures to protect the interests and fundamental rights of the interested party. 3. The personal data referred to in section 1 may be processed for the aforementioned purposes in section 2, letter h), when your treatment is carried out by a professional subject to the obligation of professional secrecy, or under its responsibility, in accordance with the Law of the Union or of the Member States or with the rules established by the competent national bodies, or by any other person also subject to the secrecy obligation under Union or Member State law or the standards established by the competent national bodies. 4. Member States may maintain or introduce additional conditions, including limitations, regarding the treatment of genetic data, biometric data or data relating to health." These applications with exceptions can be considered requirements that only limit the scope of the prohibition, but which, in and of themselves, do not offer a reason of sufficient legitimacy for the treatment. In this sense, the applicability of the ex- Exceptions of article 9.2 a) to j) of the GDPR does not exclude the applicability of the requirements of article 6.1 of the GDPR, and both, when applicable, must be applied cumulatively. mind. This translates into practice in that even if it were proven that in the specific case If there were any circumstances that would lift the prohibition of data processing of health, is not enough for its legality, requiring a legal basis for the indicated in article 6.1 of the GDPR that establishes the assumptions that allow considering lawful processing of personal data: "1. Processing will only be lawful if at least one of the following is fulfilled conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is party or for the application at his request of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect the vital interests of the data subject or of another Physical person; e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the data controller; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/33 f) the treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not the interests or fundamental rights and freedoms of the data subject prevail require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions IV. It is appropriate to assess the causes alleged by the defendant that would lift the treatment of the health data, the defendant indicated as such: -art. 9 h) of the aforementioned GDPR, in order to prevent the rights of workers in the RFETM and the residence of athletes, and with the purposes of social utility, already said, of prevention of the spread of the virus, in sports facilities, the residence of high performance athletes "JOAQUIN BLUME". Also the existence of staff employee of the residence being an obligation of the companies the application of Occupational risk prevention measures to preserve health and avoid spreading the virus. The defendant argues that given the pandemic situation, in order to carry out the examination established "in accordance with the applicable regulations the monitoring of a health protocol" in order to preserve the health of the participants, members of the residence and members of the defendant (workers). The protocol was developed by the CSD, without having the claimed copy of any, or knowing its content, despite inform this AEPD that he had participated in it. Thus, the CSD sent an email to all the Federations, alluding to this situation. The CSD avoided responding both in the transfer and in the requested tests. For this purpose, The situation described is transferable and comparable to any other public entity in the that visits from the public are received or that first-class public services are also provided need, since the assistants are going to take an exam, they will not stay there any longer longer than the duration of the test, an element that seems to clearly differentiate those who reside over there. There is no doubt that in the health crisis situation caused by COVID-19, the employer is obliged to adopt extraordinary measures aimed at preventing new infections of COVID-19 and these measures must be applied taking into account the criteria defined by the health authorities. The action procedure for occupational risk prevention services against exposure to SARS COV-2, approved by the Ministry of Health, has already been indicated, which provides for the practice of diagnostic tests, prior prescription optional of the employees and if there is no obligation as a general rule for them to perform any test or provide a vaccination certificate in the performance of their positions, it is not understood why for a third party outside that circle it is required in based on said norm, or used for the protection of those. serve as an example that for the groups of ambulance transport technicians there was no standard any, including prevention of occupational hazards, which obliges the company to carry out company to perform the COVID 19 detection test (STS fourth room, social, judgment 562/2021 of 05/20). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/33 These occupational risk prevention or social protection regulations do not apply when the third party to be examined is not an employee and therefore is not subject to right to prevent occupational hazards that must be applied. Likewise, I don't know appreciates the note of necessity, when information about a possible immunity against the disease does not contribute significantly to the protection of the rest of personnel or the person himself, to the extent that the protocols for the prevention of risks adopted by the health and labor authorities apply equally to the entire personnel, orienting themselves as regards the presence of infection to the cases suspects. Regarding the alleged vital interest of article 9.2 c) "the treatment is necessary to protect vital interests of the data subject or of another natural person, in the event that the interested party is not able, physically or legally, to give his consent;", no It seems the case in which the assistants could give their consent. Therefore, it is estimated that there is no alleged cause that would lift the prohibition of the treatment of special data, considering that article 9.2 of the GDPR. V Now it is appropriate to assess the cumulative legitimating bases of data processing of health alleged by the defendant included in article 6.1 of the GDPR. Base applicable legitimizing entity must be determined before treatment begins and must be keep record. In the privacy notice or information on data processing to which subjects to whom they are collected, the legal basis for the treatment and the purpose thereof. The students who take the exam have a legal relationship with the defendant, Oriented towards taking the exams and obtaining the title. Each student formalized his request and paid the amount established, submitting to the face examination process to have the degree after the successive examination processes to which they have been submitted. The RFTM alludes to the legal basis that allows the processing of the data of the people to be examined, who meet “at least one of the following conditions: "the interested party gave his consent for one or more specific purposes, As is the case, the processing is necessary to protect vital interests of the interested party or another natural person, final objective of the protocol”. Recital 42 of the GDPR indicates: "...Consent should not be considered freely provided when the interested party does not enjoy true or free choice or not You can deny or withdraw your consent without suffering any prejudice.” Article 4.11 of the GDPR defines: "consent of the interested party": any expression of free, specific, informed and unequivocal by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns you” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/33 Regarding the consent that the RFETM expresses, it has obtained due to the fact that there have been people who presented their vaccination certificate, sending it by email to the enabled address, or display it when accessing, said consent would not be valid If your non-contribution will have negative consequences such as not having access to the exam, as is the case, so that it cannot be classified as free will in its provision being conditioned by those consequences. The defendant must certify in any case that there is an element, vaccination, or a negative PCR test has been performed in the 72 hours prior to the exam. Either way, data is required from health of the person to be examined, data that by the mere fact of being certified, will continue to be health data. For this reason, it is indifferent that they do not appear or are Differentiate those who provide a vaccination certificate or antigen test. Throughout case, and so the defendant warned the claimant, if either of the two was not provided, access was not possible, and therefore the performance of the test, as its access, becoming a norm of general access for any person that the CSD had established, which affected the athletes who resided there, but also the who agreed, for any reason, in this case, to carry out a test of exam. Thus, "Consent should not be considered freely given when the interested party does not enjoy true or free choice or cannot deny or withdraw his consent without suffering any prejudice" (recital 42). In general, consent can only be an adequate legal basis if it is offered to the stakeholder control and real choice as to whether to accept or reject the conditions offered or reject them without suffering any prejudice. here, besides there was the option of being able to send by e-mail to a training address and address certificates or tests, to which was added the sending of lists with the data name and surname and ID to another group of CSD employees. Those who delivered the certificate through e-mail were in that situation, being the truth that When requesting consent, the data controller has the obligation to assess whether said consent will meet all the requirements for obtaining a valid consent. The implementation of consent as a legal basis for treatment must be subject to strict requirements since it affects the rights of the interested party and the data controller wishes to carry out a treatment operation that would be unlawful without the consent of the interested party. It also considers that, having carried out the training of sports technicians, it has "Collaborated with the Administration" "under the tutelage and coordination of the CSD", Considering that it exercises public functions of an administrative nature by delegation, acting as a collaborating agent of the Public Administration, which would include the access to the headquarters that the CSD programs as necessary to provide the certificate of vaccination or PCR. Estimates the defendant that could be covered in the base of the Article 6.1.e) of the GDPR which states: "The processing is necessary for compliance of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller” Regarding the legal relationship leading to obtaining the title of coach, the parties develop a relationship, in the course of which, by going to take the exam to a specific headquarters, they are required by the owner of that headquarters, in this case an entity administrative guardian, the CSD, the contribution of health data. It seems clear that issues such as the system for contesting questions in the examination, qualification of exercises, and their challenge, or to some extent the issuance C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/33 of the titles if they have a clear direct relationship with the training and obtaining the title. But in this specific case, the access rules that do not call into question the claimed, would be common to any person, not for taking the exam but for the fact of accessing, which does not deduce its intrinsic legitimate and necessary relationship with the tests. Although it can be seen that the function is characterized by the note adduced by the defendant, access to the Residence is subject to the common norms for the rest of the people, so that this function does not reach influence the access regime established by the CSD to legitimize the treatment of data with such consideration. On the other hand, it is not possible to “accumulate legal bases with the same purpose”, nor to go from one legal basis to another or retrospectively use another basis when encountering problems to justify the validity problems of the previous base, and should be the application and selection of the base duly informed to those affected when it is collect the data. Controllers must decide which is the applicable legal basis before collecting the data. Regarding the legal basis for processing for vital interest, "necessary to protect vital interests of the interested party or of another natural person”, in this case, the personnel who attends to the performance of the tests, or the staff of the residence that can keep relation to tests. Recital (46) of the GDPR already recognizes that in exceptional situations, such as an epidemic, the legal basis of the treatments can be multiple, based both on the public interest, such as in the vital interest of the data subject or another natural person. (46) The processing of personal data should also be considered lawful when necessary to protect an interest essential to the life of the data subject or that of another physical person. In principle, personal data should only be processed on the basis of the vital interest of another natural person when the processing does not may manifestly be based on a different legal basis. certain types of processing may respond both to important reasons of public interest as well as the vital interests of the interested party, such as when the treatment is necessary for humanitarian purposes, including epidemic control and its spread, or in situations of humanitarian emergency, especially in case of natural or man-made disasters. Article 6.1.d) of the GDPR considers not only that vital interest is a sufficient basis legal treatment to protect the "interested party", in this case the person who submitted to the examination, but that such a legal basis can be used to protect the vital interests "of another natural person", which by extension means that they can be both unidentified or identifiable persons, as well as unnamed, in terms of holding an interest worth safeguarding. In addition, it does not emerge as indicated by the Article 6.3 of the GDPR that the need for the basis of the treatment for reasons of vital interest has to be established by the law of the Union or the law of the Member States applicable to the data controller. After analyzing this basis of legitimation, it is considered that it would cover the treatment originated C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/33 due to the pandemic situation in the specific framework of carrying out an official examination to obtain the qualification of trainer in a residence for athletes, for that the alleged infringement of article 6.1 of the GDPR must be archived. SAW The offense is typified in article 83.5.a) of the GDPR, which indicates: 5. Violations of the following provisions will be penalized, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of of a company, in an amount equivalent to a maximum of 4% of the volume of overall annual total business of the previous financial year, opting for the one with the highest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; For the purposes of prescription in the LOPDGDD, its article 72.1) states: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: "e) The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679, without any of the circumstances provided in said precept and in article 9 of this organic law.” VII Sections d) and i) of article 58.2 of the GDPR provide the following: "Each control authority will have all the following corrective powers indicated below: (…) "d) order the person in charge or person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in accordance with the a certain manner and within a specified period;” “i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;" C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/33 In this case, the sanctioning procedure of an administrative fine is resorted to, given the category of the data that is collected and the risks of the rights and freedoms that with they are compromised. VIII Law 10/1990 of 10/15, on Sports, states in its article 30.2: "The Spanish sports federations, in addition to their own powers, exercise, by delegation, public functions of an administrative nature, acting in this case as collaborating agents of the Public Administration.” Regarding the allegation that the defendant must be considered to be a collaborating agent, in the exercise of public powers in the work of the call for the formation of its technicians, which are provided for in Sports Law 10/1990 (art. 33.1.d), it must be indicated as already mentioned, that the place where the exam was held, which conditioned the contribution of vaccination is an accessory element of said competence, it is not imposed The celebration in that place is not a norm, but rather there were general rules for access, to any member, of any Federation, not linked in a specific way to the performance of any test related to the training courses. That way, that another could have been chosen that would not have imposed that requirement of limitation of rights, or having selected one of their own directly, and this does not make the claim Made in the subject of those mentioned in article 77 of the LOPDGDD, which indicates: "1. The regime established in this article will be applicable to the treatment of who are responsible or in charge: d) Public bodies and public law entities linked or dependent of the Public Administrations g) Public law corporations when the purposes of the processing are related to the exercise of public law powers. 2. When the managers or managers listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this organic law, the competent data protection authority will issue a resolution sanctioning them with warning. The resolution will also establish the measures that should be adopted to cease the conduct or to correct the effects of the infraction that had been committed." For the rest, a Sports Federation, even if it exercises the functions indicated by the claimed, it would not be classified as a public law corporation, according to already recognized the judgment of the Constitutional Court 67/1986 of 05/24/1985, appeal 364/1983, which makes the application of said regime doubly unfeasible. Regarding the allegation that the imposition of the request for the vaccination certificate It was imposed on him by the organizer, CSD, there is no record that he raised any issue that was accurately raised by the claimant on at least three occasions, assuming as own the request and requesting it, and establishing the proper means to carry out its treatment, collecting and storing the data, as well as preparing lists that were sent to the CSD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/33 IX The determination of the sanctions that should be imposed in the present case requires obtaining observe the provisions of articles 83.1) and .2) of the GDPR, precepts that, respectively, mind, provide the following: "1. Each control authority will guarantee that the imposition of administrative fines under this Article for the breaches of this Regulation indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. sorias.” "2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case shall be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to mitigate the damages and losses suffered by the interested parties; d) the degree of responsibility of the data controller or processor, given account of the technical or organizational measures that have been applied by virtue of the articles articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the in- fraction and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent; i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the manager in question in relation to the same As a matter, compliance with said measures; j) adherence to codes of conduct under article 40 or certification mechanisms. cation approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly. you, through the infraction.” Within this section, the LOPDGDD contemplates in its article 76, entitled: "Sanctions and corrective measures”: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/33 "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in the section 2 of said article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also may be taken into account: a) The continuing nature of the offence. b) Linking the offender's activity with data processing personal. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected party could have led to the commission of the infraction. e) The existence of a merger by absorption process subsequent to the commission of the violation, which cannot be attributed to the absorbing entity. f) The affectation of the rights of minors. g) Have, when it is not mandatory, a data protection delegate. h) Submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between those and any interested party. 3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679.” In accordance with the precepts transcribed, for the purpose of setting the amount of the sanction of fine to be imposed in the present case, typified in article 83.5.a) of the GDPR, of which the RFETM is held responsible for the infringement of article 9.2 of the GDPR, it is estimated concurrent as aggravating factors the following factors that reveal a greater illegality and/or culpability in the conduct of the defendant: - Article 83.2 g) “the categories of personal data affected by the infraction" health data have been collected for which it is necessary to carry out actively, either an action, vaccination, with which a certificate is obtained, or a infection detection test, in order to be able to perform the exams. These dates, In addition, they were communicated to an e-mail address for the formation of the defendant, and to another of the same entity, being saved and were also communicated by email to the CSD to different groups with a copy. - Article 83.2 d) “the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32”, considering the nature referred to the data of health that intrinsically suppose an exception to its treatment, object of restrictive interpretation, and that restriction has not been considered in the design of the treatment, as it shows that the complaints of the affected were neither transferred nor C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/33 valued by the DPD, answering that they were imposed norms. having a DPD, that the data affect minors so that they participate only in those cases, it is not adequate to establish said figure. Regarding the alleged lack of guilt of the defendant, article 28 of Law 40/2015, of 1/10 of the legal regime of the public sector, states: “1. They can only be penalized for acts constituting an administrative infraction, natural and legal persons, as well as such as, when a Law recognizes their capacity to act, the affected groups, the unions and entities without legal personality and the independent patrimonies or self-employed, who are responsible for them by way of fraud or negligence.” The jurisprudence of the Supreme Court, in line with that of the Constitutional Court, has established that the sanctioning power of the Administration, as manifestation of the ius puniendi of the State, is governed by the principles of criminal law, being the basic structural principle of guilt, incompatible with a regime of strict liability, no fault The Supreme Court (Sentences of 04/16 and 22/1991) considers that the element of the guilt it follows "that the action or omission, classified as a punishable offense administratively, it must be, in any case, attributable to its author, due to intent or recklessness. inexcusable inaccuracy, negligence or ignorance.” This requirement of guilt in the field of administrative offenses has been reiterated endlessly by the jurisprudence of the Supreme Court. Thus, the SSTS of 12 (dated. 388/1994) and 05/19/1998, Sixth Section, affirm that in the sanctioning field "it is ve- given any attempt to build strict liability" and that "in the field of administrative responsibility is not enough that the conduct is unlawful and typical, but it is also necessary that it be guilty, that is, the consequence of an action or omission attributable to its author due to malice or imprudence, negligence or inexcusable ignorance. saber (...) that is, as a requirement derived from article 25.1 of the Constitution, no one may be sentenced or punished except for acts that can be imputed to him under fraud or guilt (principle of guilt)". In view of the exposed jurisprudence, it is appropriate to conclude that when a action that could incur an administrative infraction, must be examined effects of not proceeding to initiate a disciplinary procedure automatically. Yeah well, intent or negligence is not necessary in the commission of an infraction, but rather the mere negligence to be able to demand responsibility from the offender, it is no less true that, As stated by the Constitutional Court "beyond simple negligence, the facts They cannot be penalized." In the present case, the defendant indicated to the students that she had passed a protocol together with the CSD, and up to three times the defendant answered the petitions of the claimant that questioned the legitimizing basis of the treatment of data of the COVID 19, without knowing the claimed the regulation that manifests was applicable, of the CSD, and ultimately preferring the sacrifice of their own rights, asking for the vaccination to be carried out or to pay for a PCR, rather than clarifying the basis of the aforementioned obligation as an imposition, and may have paralyzed the process before the invasion of the rights of those attending the tests, estimating the prevalence of themselves. It is therefore considered that there is guilt in the conduct of the defendant. Considering the circumstances, an amount of the fine of 10,000 euros is considered. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 32/33 Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE the ROYAL SPANISH TABLE TENNIS FEDERATION, with NIF Q2878038E, by: - An infringement of article 9.2 of the GDPR, in accordance with article 83.5.a) of the GDPR, and for the purposes of prescription in article 72.1.e) of the LOPDGDD, a fine Administrative of 10,000 euros. SECOND: NOTIFY this resolution to the ROYAL SPANISH FEDERATION OF TABLE TENNIS. THIRD: Warn the penalized person that they must make the imposed sanction effective Once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of 1/10, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment term established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 07/29, in relation to art. 62 of Law 58/2003, of 12/17, through its entry, indicating the NIF of the sanctioned party and the number of the procedure that appears in the heading of this document, in the restricted account IBAN number: ES00- 0000-0000-0000-0000-0000, opened in the name of the Spanish Agency for the Protection of Data in the banking entity CAIXABANK, S.A.. Otherwise, it will proceed to its collection in executive period. Once the notification has been received and once executed, if the execution date is between on the 1st and 15th of each month, both inclusive, the period for making the voluntary payment It will be until the 20th day of the following or immediately following business month, and if it is between on the 16th and last day of each month, both inclusive, the payment period will be until the 5th of second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for replacement before the Director of the Spanish Agency for Data Protection within a period of one month from the day following the notification of this resolution or directly contentious appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the additional provision fourth of Law 29/1998, of 07/13, regulating the Contentious Jurisdiction- administration, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the interested party C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/33 expresses its intention to file a contentious-administrative appeal. If this is the one case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, presenting it through the Registry Email from the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the aforementioned LPCAP. Also must transfer to the Agency the documentation that proves the effective filing of the Sponsored links. If the Agency were not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, would terminate the suspension precautionary 938-181022 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es