AEPD (Spain) - EXP202205850
AEPD - EXP202205850 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1) GDPR; Organic Law 3/2018 on Protection of Personal Data and Guarantee of Digital Rights |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | De La Guardia Civil |
National Case Number/Name: | EXP202205850 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
De La Guardia Civil was given a written warning for sharing an email containing excessive health data of an employee on medical leave, contrary to the data minimisation principle contained in Article 5.
English Summary
Facts
The data subject is a civil guard who was on medical leave following an incident at work. While on medical leave, he received a call from a colleague who had access to the corporate mail of the Civil Guard (the Controller), advising him that a file had been opened regarding the confiscation of his weaponry at the start of his leave. The email also alluded to the data subject needing to appear at the psychological office for assessment.
Holding
Within the body of the emails, there was no reference to his exact diagnosis or any other health data. The mere fact that he was on leave from his post was not a new or hidden fact: the hierarchical superior who received the email was already aware of it. The data subject would also have been required to communicate it to ensure that he was not appointed to service until he was discharged from leave (regardless of the type of leave), as in the case of any worker. Further, the matter would be known by the rest of his colleagues by simple observation of his absence from work, without the need to receive any formal communication.
The Controller sought to argue that it is common knowledge within the service for guards to go through a psychological assessment in order to determine their fitness for work per the applicable regulations. In addition, the email served as communication to the wider company in order to make them aware of the absence of the data subject. They also sought to rely on an Informed Consent Form (“ICF”) signed by the data subject authorising the processing of his medical data. The data subject argued that the ICF was inaccurate, not very transparent and did not comply with Article 13 GDPR. The AEPD stated the ICF alluded to the repealed Organic Law 15/1999 (pre GDPR).
The AEPD was of the opinion that the e-mail which specifies that the data subject "should report to the Psychology Office of the Command for the purpose of examination" contains excessive data for the intended purpose of processing as per Article 5(1) GDPR and Recital 39 GDPR.
Although it may be considered necessary, as stated by the Controller, to send the information on the data subject's medical leave to his superior officer, and it could even be admitted that it is also necessary to communicate that weapons must be removed, it is totally unnecessary to add specific medical data, such as the appointment at the psychology office. The only information necessary for the superior was that the data subject would not be available for service due to being in a situation of incapacity for work; it was not essential to explicitly mention the reason that gave rise to such medical leave or the tests that he must undergo. This means the data processed was not limited to what was necessary and exceeded the purpose for which it was processed.
The Controller was given a written warning.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202205850
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the claiming party) dated May 12, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against D.G. OF THE CIVIL GUARD with NIF S2816003D (in forward, DGGC). The reasons on which the claim is based are the following: The claimant is a civil guard. By decision of a superior, an Information is opened Reserved to clarify what happened in a performance carried out by him in the exercise of their functions. On 10/26/2021, within the aforementioned procedure, the claimant's statement is taken, he is informed of his right to listen to an audio provided by the complainant (Criminal proceedings for an alleged crime of abuse of authority, archived) and shows that recording to another component of the *** POSITION 1, (...), in case you recognize the voice of the complaining party. On 12/17/2021, it requests information on whether the aforementioned has been shown recording to (...) as a voice expert. Noting that, if not, understands that said treatment would not be legitimized and that said action is not would have been carried out in accordance with arts. 5.1.f) and 32 of the GDPR, a request that is denied through Resolution dated 12/24/2021, not having the condition of interested in Reserved Information, not being able to provide data or information about it. Presents an Appeal against said resolution and it is dismissed again through Resolution dated 03/14/2022 for the same reason.
On the other hand, he alleges that, being on sick leave due to work stress, he receives a call from a colleague of ***POINT.1, who has access to the corporate mail of the position, and informs him that a file has been opened for anomalous conduct to the withdrawal of weapons and is summoned for an act of delivery of weapons, as regulated in the Weapons Regulation and Law 4/2015 for the protection of Citizen Security. Provides Official Letter dated 03/11/20XX on the subject: "Report on Communication Withdrawn of Armament of a civil guard". It considers that this form of communication was already sanctioned by this Agency in the procedure PS/00384/2020, not having established customization measures of communications, revealing data related to your health to all staff of the Since they have general access to said corporate mail. It also states that the act of handing over the weapons took place in an office open to the public for the processing of weapons licenses in general in the town of ***LOCATION.1, exposing his personal image both to the three agents who serve the public, such as the agents who go there and civilian personnel who carry out their administrative procedures, which it considers to be in breach of legal precepts before cited. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/9 On 01/31/2022, the firm was presented with an Informed Consent that alludes to the repealed L.O. 15/1999, which, in the claimant's opinion, is inaccurate, little transparent and does not comply with the provisions of art. 13 of the GDPR. In addition, it alleges that on 02/09/2022, it requested access to data and information from interest for your defense regarding the Confidential Information opened against your person and to know if it complies with the data protection regulations and the National Scheme of security. Along with the notification is provided: -Office of summons for appearance by instruction of a reserved information. 
-Certificate of the events that occurred on ***DATE.1 at (...) hours -Complaint filed by B.B.B., a retired civil guard, against the claimant, in the one that says to provide a CD with a recording in relation to the events that occurred on the day ***DATE.1 at (...) hours, and a photograph showing the license plates of the official vehicles. He states that he received by WhatsApp, sent by a relative, the audio file. -Writ of provisional dismissal of the Court (...) of ***LOCATION.2. -Writ of refusal of information for not being an interested party in the information reserved. -Written informed consent to access and use clinical information that is in the file of the complaining party for the processing of a disability application. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), said claim was transferred to the DGGC, so that proceed to its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on 06/14/2022 as stated in the acknowledgment of receipt in the file. On 06/27/2022, this Agency received a written response indicating: "The General Directorate of the Civil Guard has protocolized as a measure, both for citizens as well as for the civil guards themselves, who, when there is a medical leave with a diagnosis of mental illness, the withdrawal of the weapons, both official and private, that in his capacity as a member of the Armed Forces and State Security Bodies of which they may be in possession. 
With the foregoing, an attempt is made to prevent the state of mental alteration that he presents causes both harmful actions against third parties and self-injurious behaviors of a nature suicidal, which redounds to the benefit not only of society, but also of the own member of the Body as a human being. In order to put the foregoing into effect in the case at hand, an email was sent email on October 13, 2021, from the Medical Service of the Command from ***LOCATION.1 to ***COMPANY.1 and ***POINT.2, with the following text: <<Today the assistance service has learned of this Unit, of the medical leave related to the Civil Guard D.A.A.A. (XX.XXX.XXX), bound for ***POINT.1. Likewise, it is agreed that said Civil Guard must appear at the Office of Psychology of the Command to the object of recognition on the day 11/18/XX at 09:00. Proceed to the withdrawal of official and private weapons possessed by said Civil Guard>> In the text of said email, as can be seen, no reference is made any diagnosis or other health data. The fact that it is mentioned that he is of low for the Service is nothing new, since the Hierarchical Superior who receives already knows this, since the Civil Guard itself has to communicate it to effects of not being named Service until registration occurs (regardless of the type of sick leave) as in the case of any worker, an issue that will be known by the rest of the classmates by the simple observation of his absence in the I work without the need for you to communicate anything. In this way, it cannot be accepted, as indicated by the claimant, that there has been indiscriminate communication of their situation in the absence of adoption of security measures. The only thing that has been communicated is the administrative fact of your Temporary Work Incapacity, which is necessary for the name of the person to know the daily service, not to count on it.
We understand that the necessary confidentiality measures have been kept in the as possible, knowing only those who had a “need to know” and insofar as they had it."
THIRD: On August 12, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing.
FOURTH: On October 25, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against the claimed party, for the alleged infringement of Article 5.1.c) of the GDPR, typified in Article 83.4 of the GDPR. Once the Initiation Agreement was notified, the DGGC submitted a written statement of allegations, in which synthesis stated: -That the reason for the communication made by email, sent by the Medical Service of the Command of ***LOCATION.1 and the ***COMPAÑÍA.1 and the ***POINT.2, it was not only to notify who appoints daily service the medical leave of the complaining party, in order that no service be indicated, as indicated in the response to the transfer of the claim that the AEPD made at the time, in the which textually specify: "In the text of said email, as can be seen, no reference is made any diagnosis or other health data. (...)
The only thing that has been communicated is the administrative fact of your Temporary Work Incapacity, which is necessary for know who appoints the daily service, so as not to count on him”, but also, the purpose of said email was to indicate that "the claimant must go to the psychology office on the mentioned date to be submitted to the mandatory recognition according to internal procedures", because they do not understand that "There is no other way to let you know but to send a communication to your destination at in order to be informed of it", given that "according to article 23 of the Organic Law 11/2007 of October 22, Regulating the Rights and Duties of the Members of the Civil Guard, nominated for psychophysical examinations, the Civil Guards have the obligation to submit to the necessary psychophysical examinations to determine their fitness for service. In this regard, this Agency observes that the purpose initial communication of an absence due to IT, for the purpose of not appointing service to the person who is on leave, with the addition in the letter of allegations, also communicate in the same email that must notify the civil guard on discharge of their obligation to undergo an examination, "since according to article 23 of the Law Organic 11/2007 of October 22, Regulating the Rights and Duties of the Members of the Civil Guard, nominated for psychophysical examinations, the Civil Guards have the obligation to submit to examinations psychophysical tests necessary to determine his fitness for service. This Agency does not share the criteria that said communication to the ***COMPANY.1 and the ***POINT.2, given that, the Law 29/2014, of November 28, of the Civil Guard Personnel Regime indicates in its article 103: (the underlining corresponds to the AEPD) 1. In the Health of the Civil Guard are included the medical services and the health inspection and will have the support of psychological care. 2. 
Corresponds to the Health of the Civil Guard, regardless of the health benefits to which Corps personnel are entitled for their belonging to the Special Regime of the Social Security of the Forces Armed:
a) Determine the existence of the precise psychophysical conditions for the admission to educational training centers and for the loss of status student, in accordance with the provisions of article 35.2 and article 48.1 b).
b) Carry out the follow-up and control of the temporary absences of the personnel of the Civil Guard Corps, and advise and report on this matter to the Chiefs unit, center or organism.
c) Assess and confirm, where appropriate, temporary leave that have been issued by physicians unrelated to Body Health whose recovery has not occurred before the tenth day after they were issued.
d) Arrange that those who are on temporary leave be subjected to the psychophysical examinations deemed appropriate.
e) Issue opinions directly or through medical-expert bodies, detailing in them the diagnosis of the disease or pathological process and the degree of disability that corresponds to determine the aptitude for the stakeholder service.
f) Issue the mandatory opinions determined by the class legislation liabilities of the State, for the purpose of determining, where appropriate, in accordance with the established in article 98, the limitation to occupy certain destinations or the retirement pass as a consequence of the fact that the affected person is disabled totally for the performance of the functions of the Civil Guard.
For the development of its powers, the Health of the Civil Guard may establish contracts or collaboration agreements with certain medical professionals or public or private entities.
3.
The services referred to in the first section of this article are authorized to access the reports and diagnoses related to the situations of temporary leave of the members of the Corps, in order to exercise the functions entrusted to them, with the limits established by the Current regulations regarding the treatment and protection of personal data staff.
In accordance with section 3 of article 103 of the aforementioned legal text, the reports and diagnoses related to situations of temporary leave does not have to be known neither by hierarchical superiors nor by people in charge of setting daily the services to be performed by the staff assigned to the corresponding unit. Therefore, this Agency confirms the criterion that the summons to the Cabinet of Psychology is a piece of information that is not pertinent, adequate or necessary in communication made of the situation of temporary leave of the complaining party. It is considered more appropriate to make such a summons to the affected person directly, and not across your entire target drive.
FIFTH: On November 14, 2022, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency impose on D.G. OF THE CIVIL GUARD, with NIF S2816003D, for an infraction of the Article 5.1.c) of the GDPR, typified in Article 83.4 of the GDPR a penalty of warning. Notified of the resolution proposal, no allegations have been presented to it. In view of all the proceedings, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts:
PROVEN FACTS
FIRST AND ONLY: It is proven that an email was sent on the 13th October 2021, from the Medical Service of the Command of ***LOCATION.1 to ***COMPANY.1 and ***POINT.2, with the following text: <<Today the assistance service has learned of this Unit, of the medical leave related to the Civil Guard D.A.A.A. (XX.XXX.XXX), bound for ***POINT.1.
Likewise, it is agreed that said Civil Guard must appear at the Office of Psychology of the Command to the object of recognition on the day 11/18/XX at 09:00. Proceed to the withdrawal of official and private weapons possessed by said Civil Guard>>
FUNDAMENTALS OF LAW
I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures."
II
Article 5, "Principles relating to processing" of the GDPR establishes: "1. Personal data will be: (…) c) adequate, pertinent and limited to what is necessary in relation to the purposes for which that are processed ("data minimization");" It must be clarified that this article does not limit the excess of data, but the need. Is In other words, the personal data will be "adequate, pertinent and limited to the need", for which they were collected, in such a way that, if the objective pursued can achieved without excessive data processing, this should be done at all case. Similarly, recital 39 of the GDPR indicates that: "Personal data only should be processed if the purpose of the processing cannot reasonably be achieved by other media." Therefore, only the data that is "adequate, relevant and not excessive in relation to the purpose for which they are obtained or processed”.
The categories of data selected for processing must be those strictly necessary to achieve the stated purpose and the controller must strictly limit data collection to information that is directly related to the specific goal that is intended to be achieved. In this case, the email sent by the Medical Service of the Command of ***LOCATION.1 to ***COMPANY.1 and ***POSITION.2, in which it is specified that the complaining party "should appear in the Cabinet of Psychology of the Command to the object of recognition" contains excessive data for the intended purpose. Although it may be considered necessary, as stated by the DGGC, to send the information of the claiming party's medical leave to his hierarchical superior, including the fact that it is necessary to communicate, likewise, that it should be proceed to the withdrawal of weapons, it is totally unnecessary to add medical data specific, such as the appointment in the Psychology cabinet, since, to know that the complaining party is not available for the service due to being in a situation of Work Incapacity, it is not essential to explicitly cite the reason given place to said medical leave or the tests that must be submitted. From the instruction carried out in this proceeding it is concluded that the DGGC has violated the provisions of article 5.1.c) of the GDPR, by sending an email email to the unit of destination of the complaining party, in which, in addition to communicate that you are on leave, which must be taken into account to not assign him service, it is indicated that he must report to the psychology office, This last fact is unnecessary to add.
II
Article 83.5 of the GDPR, under the heading "General conditions for the taxation of administrative fines”, provides: Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; (…)” In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that: "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law”. For the purposes of the limitation period, article 72 "Infractions considered very serious” of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)”
IV.
Article 83 paragraph 7 of the GDPR provides the following: Without prejudice to the corrective powers of the control authorities under of Article 58(2), each Member State may lay down rules on whether can, and to what extent, impose administrative fines on authorities and bodies public establishments established in that Member State.” Likewise, article 77 “Regime applicable to certain categories of responsible or in charge of the treatment" of the LOPDGDD provides the following: "1.
The regime established in this article will be applicable to the treatment of who are responsible or in charge: (…) c) The General State Administration, the Administrations of the communities autonomous entities and the entities that make up the Local Administration. (…) 2. When the managers or managers listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this law organic, the data protection authority that is competent will dictate resolution sanctioning them with a warning. The resolution will establish likewise, the measures that should be adopted to cease the conduct or to correct it. the effects of the offense committed. 3. Without prejudice to what is established in the previous section, the data protection authority data will also propose the initiation of disciplinary actions when there are enough evidence for it. In this case, the procedure and the sanctions to be applied will be those established in the legislation on the disciplinary or sanctioning regime that be applicable. Likewise, when the infringements are attributable to authorities and executives, and the existence of technical reports or recommendations for treatment that have not been adequately addressed, in The resolution in which the sanction is imposed will include a reprimand with name of the responsible position and the publication in the Official Gazette will be ordered of the State or autonomous community that corresponds. 4. The data protection authority must be informed of the resolutions that fall in relation to the measures and actions referred to in the sections previous. 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. 
V
Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE D.G. OF THE CIVIL GUARD, with NIF S2816003D, for a infringement of Article 5.1.c) of the GDPR, typified in Article 83.4 of the GDPR, a warning sanction.
SECOND: NOTIFY this resolution to D.G. OF THE CIVIL GUARD.
THIRD: COMMUNICATE this resolution to the Ombudsman, in in accordance with the provisions of article 77.5 of the LOPDGDD.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the appeal contentious-administrative proceedings within a period of two months from the day following the Notification of this resolution would terminate the precautionary suspension.
938-181022
Mar España Martí
Director of the Spanish Data Protection Agency