AEPD (Spain) - EXP202201681

From GDPRhub
Revision as of 15:11, 8 August 2023 by Ba (talk | contribs) (I elaborated further on the legal reasoning and the facts.)
AEPD - EXP202201681 (PS/00345/2022)
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 13 GDPR
Article 37(5) GDPR
Article 34(1)(a)
Type: Complaint
Outcome: Upheld
Started: 21.12.2021
Decided:
Published:
Fine: 14000 EUR
Parties: COLEGIO OFICIAL DE ARQUITECTOS DE GRANADA
National Case Number/Name: EXP202201681 (PS/00345/2022)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Sainey Belle

The Spanish DPA fined a controller €5,000 due to the conflicts of interest in the exercise its DPO's tasks. In addition, it issued a fine of €8,000 for lack of information on its website and €1,000 for the use of third-party analytical cookies without consent.

English Summary

Facts

On 21 December 2021, a data subject filed a complaint with the Spanish alleging a number of data protection violations by the Official College of Architects of Granada, the controller.

In particular, the data subject argued that: a) the controller failed to inform the supervisory authority about the appointment of its DPO, pursuant to Article 34(1)(a) LOPDGDD; b) there was a conflict of interest between the functions performed by the person appointed to the position of DPO; c) there was a lack of adequate information in the controller's privacy policy; d) the controller was using non-essential cookies on its website without obtaing consent.

The DPA opened an investigation on the controller and notified it to present its defense. In response, the controller recognized that it was necessary to adapt its privacy and cookies policy, but claimed to be already conducting audits and implementing corrective measures. Regarding the alleged conflict of interests, the controller maintained that it was a mere presumption, not concretely demonstrated. However, it reported that it appointed a new person for the position.

The DPA proceeded with the investigations and visited the controller's website to collect evidence.

Holding

The DPA highlighted the relevance of the DPO for ensuring compliance with data protection regulations. It recalled this position is regulated in Articles 37 to 39 GDPR, provisions that were interpreted by Article 29 Working Party in the Guidelines on Data Protection Officers. In addition to advice, the DPO fulfills other important functions such as carrying out DPIAs and internal inspections and being the point of contact with the supervisory authority. To adequately perform these tasks, independence is essential. In this sense, Article 38(3) GDPR provides that the DPO shall not receive instructions, be dismissed or or punished by the controller/processor for exercising its functions.

As a general rule, conflicting positions within an organisation may include senior management positions (such as chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of human resources or head of the IT department), but also other positions lower down in the organisational structure if such positions lead to the determination of the means and purposes of the processing of personal data. For instance, a conflict of interest may arise if a DPO is asked to represent the controller or processor in court in data protection cases.

In the case at hand, the DPA found that the position held by the person appointed as the DPO was incompatible with the performance of these tasks as it could lead to the determination of the purposes and means of data processing. Therefore, it found a violation of Article 38(6) GDPR.

Furthermore, the DPA confirmed that the complaints sheet available on the controller's website did not provide all the necessary information required by Article 13 GDPR.

Finally, the DPA emphasized that, in its Opinion 4/2012 on cookie consent exemption, the Article 29 WP considered that cookies such as “user input cookies” (those used to fill in forms or to manage a shopping basket); “authentication” or “user identification cookies” (session); “user security cookies (those used to detect erroneous and repeated attempts to connect to a website)”; “media player session cookies”; “load balancing session cookies”; “user interface customization cookies”; and some plugins to exchange social content do not require consent to be used. However, after browsing the website, the DPA concluded that the controller installed analytical third-party cookies that were not described in its policy, which is not covered by the consent exemption. For this reason, the DPA found a violation of Article 22(2) LSSI.

In light of the above violations, DPA has imposed the following fines:

- €5,000 for the violation of Article 38(6) GDPR;

- €8,000 for the violation of Article 13 GDPR;

- €1,000 for the violation of Article 22(2) LSSI.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/60








     Procedure No.: EXP202201681 (PS/00345/2022)

               RESOLUTION OF THE SANCTION PROCEDURE


Of the actions carried out by the Spanish Data Protection Agency before
the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA, with CIF.: Q1875003D,
owner of the website, www.coagranada.es/ (hereinafter "the claimed party"), in
by virtue of the claim filed by A.A.A., (hereinafter, "the claiming party"),
for the alleged violation of data protection regulations: Regulation (EU)

2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection
of Natural Persons with regard to the Processing of Personal Data and the
Free Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5,
Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD),
and Law 34/2002, of July 11, on Services of the Information Society and

Electronic Commerce (LSSI) and attending to the following:

                                  BACKGROUND

FIRST: On 12/21/21, he entered this Agency, through the Council of
Transparency and Data Protection of the Junta de Andalucía, document presented by

the claimant, in which he indicated, among other things, the following:

       "It has been observed how the College repeatedly fails to comply with the
       current regulations on the protection of personal data,
       thus endangering the privacy of the data of the members and therefore

       Your rights.

       The first of the facts on which the present claim is formulated,
       refers to the absence of communication from the Data Protection Officer
       of the Official College of Architects of Granada to the Council of Transparency and

       Data Protection of Andalusia. Remember that according to the law
       current (Art. 34.1.A. of the LOPDGDD) the Professional Associations are
       obliged to designate a Data Protection Officer and therefore
       notification to the competent body, in this case the Council of
       Transparency and Data Protection of Andalusia.


       Likewise, and in relation to the appointment of Delegate for the Protection of
       Data, according to the accompanying document (Document
       nº1), the Governing Board of the College, in a session held on April 11,
       2019 adopted the following agreement: "Appoint *** POSITION 1 of the College
       Architects Officer as Data Protection Delegate for the College

       of Architects”

       Regardless of whether the appointment could violate the requirements
       fixed by art. 37.5 of the GDPR, related to the qualities and knowledge of the
       DPD, what does seem evident is that said appointment could

       contravene the postulates of the Working Group of Art. 29 when in its
       document "Guidelines on Data Protection Delegates" indicate
       that the organization must guarantee the absence of conflict of interest in the
       figure of the DPD whenever it provides other functions, noting that "the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/60








       DPD cannot hold a position in the organization that leads him to determine the
       purposes and means of processing.

       At the web address https://coagranada.es/quejas-y-reclamaciones/
       corresponding to the website of the Official College of Architects of Granada,

       There are two links for downloading the respective forms for the
       formulation of complaints and claims, being able to observe in said
       printed (Documents No. 2 and 3) the existence of a privacy policy that does not
       meets all the requirements of the arts. 12 and 13 of the GDPR and what
       is more serious, it is indicated as Responsible for the Treatment to the
       *** POSITION 1 of the College, an issue that generates clear misinformation in

       interested parties, since as you know the body to which I am addressing the
       Responsible for the Treatment is not ***POSITION.1 but the College itself
       Official Architects of Granada, which can generate an obvious
       confusion and misinformation to stakeholders. It is even more serious, when the
       position of DPD and the GDPR falls on the same person, the ***POINT.1 of the

       School.

       The web page https://coagranada.es/ presents an informative notice about
       cookies that violates the latest guidelines of the AEPD since according to
       indicates in said informative notice that the mere use of the website implies the
       Acceptance for the installation of cookies.


       The privacy policy of the website of the Official College of Architects of
       Granada, which is available at the following web address
       (https://coagranada.es/politica-de-privacidad-y-tratamiento-de-datos/
       (Document No. 4) has the following deficiencies: 1.- The data is not indicated
       Contact information for the Data Protection Officer. 2.- Incorrect application of

       the legitimizing basis of consent in section 5 of the policy, by
       choose this basis as the one that legitimizes the processing of personal data
       derived from the sending of emails, without stating a mechanism of
       expression of consent that meets the established requirements
       by current legislation. 3.- There is no clear and unequivocal identification of the
       legitimizing bases of data processing, since in section 3 of

       said policy literally states "Consent will always be required
       for the processing of your personal data that may be for one or more
       specific purposes about which prior information will be given with absolute
       transparency". However, later in section no. 6 of the web,
       other legitimizing bases other than consent are detailed, producing
       confusion about the true legitimizing bases applied by the entity.


       Likewise, it was possible to appreciate the existence of privacy policies not
       adapted to current regulations (eg visa application form that is
       attached as Document No. 5).


       Finally, it is wished to state that, as stated in the
       letter addressed to the Official College of Architects of Granada on 03-23-
       2021 (Document No. 6), there are well-founded reasons to believe that the
       disciplinary proceedings conducted by the College do not enjoy the
       corresponding technical and organizational measures that guarantee the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/60








       confidentiality and integrity of the personal data contained in the
       themselves, since there is no record of incorporation of documents or
       proceedings to the file.

The claim document is accompanied by the following relevant documentation for the

present procedure:

    - Copy of the document that A.A.A., collegiate ***COLEGIADO.1, sends to the
       claimant, on 08/30/21, where, among others, you can read:

           or "(...) The Governing Board of the College in its session held on

               April 2019 adopted, among others, the following agreement: "(AIG)
               04.11.19/08.- DESIGNATE THE *** POSITION. 1 OF THE OFFICIAL ASSOCIATION
               OF ARCHITECTS AS DELEGATE OF PROTECTION OF
               DATA FOR THE SCHOOL OF ARCHITECTS.” therefore i can
               inform you that, currently, the Data Protection Officer of the

               Official College of Architects of Granada is his *** POSITION. 1 D.
               B.B.B. (…)”.

    - Copy of the "Complaint Sheet" of the Official College of Architects of
       Granada where you can read, among others, the following information with
       Regarding the data protection policy:


           o Official College of Architects of Granada. Plaza de San Agustin Nº3,
               18001 Grenada. General Secretary . Area of Attention to the Collegiate and
               to user. The data collected will form part of the File of the
               COAGRANADA, being Responsible for ***POINT.1 of the same, to

               who will have to address in writing in the case of exercising the rights
               of access, opposition, rectification and cancellation, in accordance with the
               L.O.P.D.

    - Copy of the "Visa Application" addressed to the Dean of the Official College of
       Architects of Granada, where you can read, among others, the following

       Information regarding the data protection policy:

           o In accordance with the provisions of LO 15/1999 on Data Protection of
               Personal character, the existence of a file is reported
               automated whose purpose is the provision of the requested service. The

               Applicants expressly consent to the
               treatment and transfer of existing data in the automated file
               to the various Spanish Official Colleges of Architects and to other
               administrative bodies, for the purposes related to the function of
               visa. Signatories may exercise the right of access,
               rectification, opposition and cancellation in writing before the C.O.A. of

               Granada, with address at Plaza de San Agustín Nº 3, 18001 Granada,
               email coagranada@coagranada.org

SECOND: On 03/03/22, in accordance with the provisions of article 65.4
of the LOPDGDD Law, by this Agency, said claim was transferred


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/60








to the claimed party, to proceed with its analysis and report, within a period of
month, about what was stated in the claim document.


THIRD: On 04/01/22, the claimed party filed a response brief
to the request made by this Agency, in which, among others, it stated:

       "Specifically, the claimant refers to the text of the Legal Notice of
       First Layer in relation to the Cookies Policy, which, as of the date of the
       claim, 12/21/21, showed: https://coagranada.sedelectronica.es/

       “We use cookies to ensure that we give the best user experience
       on our website. If you continue to use this site we will assume that you agree
       agreement I accept.”

       This First Layer Legal Notice was located at the bottom of the screen,

       and the formula to obtain consent was exclusively by pressing the
       "I accept" button, that is, by means of an unequivocal action carried out by the
       user. However, when you continue browsing, the Initial Notice of
       First Layer kept appearing in case the user wanted to
       consult the Cookies Policy, which was found in the link located in the
       expression highlighted in orange we will assume that you agree. In its

       moment, it was interpreted that, by continuing to browse, the user was showing
       according to the notice provided.

       On March 29, 2022, this College contacted the company
       specialized in data protection adaptation services, the entity

       "PSN Sercon S.L.U.", which has analyzed and made a preliminary report on
       potential irregularities on the COA website, report attached
       to this document as annex I (INITIAL ANALYSIS OF THE OFFICIAL SCHOOL WEB
       OF ARCHITECTS OF GRANADA) in which the main
       non-compliances detected in a first approximation to the process of

       regularization and adaptation to the current regulatory framework on data protection
       and other legislation applicable to the COA Granada website.

       The work to adapt the Privacy Policy has already begun
       of the COA Granada website and its Cookies Policy, as can be
       check on the links:


        https://coagranada.es/politica-de-privacidad-y-tratamiento-de-datos/
        https://coagranada.es/politica-sobre-recogida-y-tratamiento-de-cookies/

       They indicate that work is being done to update and adapt them to

       current legislation. Efficacy controls referred to the Privacy Policy
       Privacy, the COA Granada, with the assistance of the entity PSN Sercon SLU,
       Currently they are the following:

        A redesign of the Privacy Policy and its Registry is being carried out

       of Treatment Activities following the criteria of the Document "Informe
       on Internet Privacy Policies, Adaptation to the GDPR”, 2018- AEPD.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/60








        An annual audit program has been established, in line with the
       principle of proactive responsibility of art. 24.1 of the GDPR


       In relation to the measures adopted for the adequacy of the use of
       cookies to the applicable regulations on data protection, since
       The First Layer of Cookies Notice has been modified, following the
       guidelines of the Document "Guide on the use of Cookies", published by the
       AEPD 2020.


       An audit of existing cookies on the website of the
       COA Granada, with the use of the tools recommended by the
       National Institute of Cybersecurity, INCIBE, https://www.incibe.es/protege-tu-
       company/blog/are-cookies-and-show-them-website for, later,
       carry out an analysis of its usefulness, necessity and validity. The result of

       this analysis is in the process of elaboration.

       Likewise, the mechanism to collect the
       consent, replacing it with a banner with the indications established
       by the applicable regulations: ownership of the website, purpose of cookies,
       existence of third-party cookies and the possibility of configuring cookies,

       rejection and acceptance of them.

       The Official College of Architects of Granada, through its Governing Board
       chaired by the Dean who signs this document, recognizes the
       need to adapt the cookie policy and its privacy policy. Is by

       For this reason, on March 30 of this year, it was decided to start
       immediately of the work of adequacy and adaptation of the aspects
       required by that AEPD in order to comply with the provisions
       both in the LOPDGDD, as well as in the RGDP and the LSSI.


       Consequently, by virtue of all of the foregoing, and given that the
       COAGranada, is in the process of implementing the measures
       corrective measures on its own initiative, respectfully requests that the
       FILE of the Claim that has given rise to File 202201681
       This has been the criteria maintained by the Spanish Agency for the Protection of
       Data in its Resolution R/00461/2019 -Procedure No.: A/00013/2019.

       “Well, in view of the aforementioned circumstances, it is considered necessary
       emphasize that the National Court, in its Judgment of November 29,
       2013, (Rec. 455/2011), Sixth Legal Basis warns, regarding
       the legal nature of this figure, which despite referring to the warning
       regulated in article 45.6 of Organic Law 15/1999, of December 13,

       Protection of Personal Data (LOPD) has full application to the
       warning regulated by the LSSI, which "does not constitute a sanction" and which is
       It deals with "corrective measures for the cessation of the constitutive activity of the
       infraction" that replace the sanction. The Judgment understands that the article
       45.6 of the LOPD (these considerations must be understood as done, so

       here it concerns article 39 bis, 2 of the LSSI) confers on the Spanish Agency
       of Data Protection a "power" different from the sanctioner whose
       exercise is conditioned to the concurrence of special circumstances
       described in the precept

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/60









       In congruence with the nature attributed to awareness -as a
       alternative to the sanction when, given the circumstances of the case, the subject

       of the infringement is not deserving of that- whose object is the imposition of
       corrective measures, the aforementioned SAN concludes that when the measures
       pertinent corrective measures had already been adopted, what is appropriate in Law
       It will be to agree on the File of the proceedings.

       In the present case, taking into account that the corrective measures that

       would proceed to impose were already adopted on its own initiative, and that it has been
       verified that cookies are not currently installed on the analyzed website,
       in harmony with the pronouncement of the National Court included in the
       SAN of 11/29/2013 (Rec. 455/2011) must agree to file the
       proceedings of this proceeding”.


       It is also worth mentioning Resolution R/03132/2016, of December 19, of that
       Spanish Data Protection Agency-Procedure No.: A/00411/2016-:
       “In congruence with the nature attributed to awareness as a
       alternative to the sanction when, given the circumstances of the case, the subject
       of the infringement is not deserving of it, the Judgment of the Hearing

       The cited National concludes that when the corrective measures object of the
       warning had already been adopted by the offender, what is appropriate in
       The right is to agree to file the proceedings.

       In view of the pronouncement contained in the Judgment of the Hearing

       National of 11/29/2013 (Rec. 455/2011), subsequently reinforced in its
       Judgment dated 06/10/2014 (RJCA 2014, 571) (Rec. 166/2013), references
       to the cases in which the subject responsible for the infringement has adopted
       the appropriate corrective measures to remedy the situation created, and in
       harmony with what has been indicated, the proceedings must be filed

       practiced.”. And, likewise, the Resolutions of that AEPD R/02863/2016 of
       December 14 - Procedure No.: A/00242/2016-, R/02906/2015 of December 17
       November- Procedure No.: A/00172/2015- or R/00001/2015 of 145 of
       January- Procedure No.: A/00289/2014.

       The Judgment of the National Court (Chamber of Administrative Litigation,

       Section 1) of November 29, 2013 - JUR 2014\14399-established the following:
       "However, given that it was proven that the denounced by initiative
       itself had already adopted a series of corrective measures , which it communicated to
       the Spanish Data Protection Agency, and that it had verified that
       the data of the complainant were no longer locatable on the website of the accused, the

       Spanish Data Protection Agency did not consider it appropriate to impose on the
       denounced the obligation to carry out other corrective measures, therefore
       that it did not agree to any requirement in this regard to it. Remember that at
       having knowledge of the complaint, the denounced entity, proceeded by
       own initiative to go to Google to remove the URL where

       reproduced the Magazine and the article, to ask their collaborators to
       remove any names from their articles or any other information
       likely to appear personal data and that they review the appointments in the private area
       of the web to delete any other sensitive data, and, finally, to review the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/60








       configuration of the accesses so that the search engines did not have access to the
       Journals.


       Consequently, if the AEPD considered that the corrective measures had already been
       pertinent in the case, how it happened, as expressed in the resolution
       appealed, the appropriate administrative action in law was the file of
       the proceedings, without making any warning or request to the
       denounced entity, as this is deduced from the correct interpretation of the
       Article 45.6 of the LOPD, taking into account its systematic and teleological interpretation."


       Judgment no. 447/2016 of 23
       September and no. 363/2016 of July 8, issued by the National Court
       (Contentious-Administrative Chamber, Section 1)-RJCA 2016\1072 and JUR
       2016\166417- "Consequently, when, as occurs in the case that we

       occupies, given the circumstances of the case and, in particular, the nature of
       the facts and the significant concurrence of the criteria established in the
       fifth paragraph of article 45 of the LOPD, it is estimated that the subject
       responsible for the infringement is not deserving of the sanction provided for the
       itself, and that in its place the obligation to carry out
       certain corrective measures, proceeding therefore the application of the

       article 45.6 of the LOPD, there is no room for the imposition of any "warning"
       as a sanctioning measure. On the contrary, what proceeds in
       such a case is to "warn" or require the responsible subject in order to comply in the
       term indicated with such obligation, as is clear from the
       interpretation of the legal precept examined>> . In the same sense, it

       Pronounce S October 17, 2014 (JUR 2014, 267483) -appeal No.
       150/2013 -, May 8, 15 (JUR 2015, 154993) -appeal No. 122/2014 -, and July 8
       of 2016 (JUR 2016, 166417) -appeal No. 242/2014 -

       Therefore, based on the foregoing, it is not applicable, as claimed by the

       plaintiff, the warning, instead of the financial sanction imposed, since
       As has been reflected, the warning included in the LOPD does not have
       punitive nature”.

FOURTH: On 07/27/22, this Agency accessed the document
"Collective Complaints and Claims Sheet": https://coagranada.es/wp-content/

uploads/2021/02/Hoja_queja_reclamaciones_colegiados_V02.pdf , where you can
read, at the bottom of it, below the form, the following legend:

       “Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001
       Grenade. General Secretary . Area of Attention to the Collegiate and to the User.


       The data collected will form part of the COAGRANADA File, being the
       Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing
       in the case of exercising the rights of access, opposition, rectification and
       cancellation, in accordance with the L.O.P.D.”


FIFTH: On 07/27/22, this Agency accessed the website
https://www.coagranada.es/ verifying in it, the following characteristics


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/60








regarding the processing of personal data, about its "Privacy Policy" and about
its “Cookie Policy”:


       a).- Regarding the obtaining of the personal data of the users of the page
       Web:

1º.- Through the link <<contact>>, located at the top of the page
main page, the web displays a form where you can enter personal data
of users such as name, email and subject.


In order to send the form, the user must necessarily click on the option:

       _ I have read and accept the <<Privacy Policy>> <<send>>


       b).- About the "Privacy Policy" on the website

If you wish to access the "Privacy Policy" through the existing link in the
contact form or through the existing link at the bottom of the page
main, the web redirects the user to a new page https://coagranada.es/politica-
de-privacidad-y-tratamiento-de-datos/, where information is provided, regarding

the protection of personal data of: the identity of the owner of the website and the Delegate
Data Protection; the purpose of the personal data obtained from the
collegiate; training/events; web users; citizen services; Within
conservation of personal data obtained; the legitimacy of the treatment of
personal information; the recipients; on the rights that assist users and

where and how to request them, as well as the possibility of filing a claim with the
competent authority.

       c).- About the Cookies Policy on the web:


The inspection is carried out with the developer tools that
provided by the Mozilla Firefox browser, in which the
cache and cookies have been removed. The tool has also been used
EDPS (Web Evidence Collector) for analysis

Observing the cookie installation panel, it can be verified that a

session cookie PHPSESSID and another from Google, _GRECAPTCHA.

According to Opinion 4/2012 of WP 194 on the exemption of the requirement of
cookie consent, the exemption applied to authentication cookies could
apply to others introduced specifically to strengthen the security of the service

requested, for example, those cookies whose purpose is to detect attempts
erroneous and repeated connection to a website or for protection of the information system
connection against abuses such as _GRECAPTCHA.

However, after browsing the website, it is observed that cookies are installed

from third parties of a non-excepted nature, which are not reported in the policies, to
despite not having given consent through the banner. the circumstance is given
that these analytical cookies are installed through the insertion of a map


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/60








interactive program of the Institute for Geoenvironmental Health of the Vivo Sano Foundation in the
page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/ .

2.- There is an information banner about cookies on the main page with the
following message:


    “We use our own and third-party cookies for analytical, functional,
 performance to offer services appropriate to your profile, as well as own advertising
  and from third parties. The basis of treatment is consent, except in the case of
 Essential cookies for the proper functioning of the website. can accept
all cookies by clicking the <<ACCEPT>> button or configuring them or rejecting their use

  pressing the <<CONFIGURE>> button. You can get more information in our
                               <<Cookie Policy>>,

               <<Accept>> <<Reject>> <<Settings>>


If you wish to reject all cookies that are not technical or necessary, clicking
in the <<reject>> option, it is checked how the web continues to use the same
third-party cookies (from Google) indicated above.

3.- If the cookies control panel is accessed through the link <<Configure>>, the
web displays a page or control panel verifying that the groups of cookies

They are pre-marked in the “deactivated” option:

    - Strictly Necessary Cookies: Off  On.
    - Analytical and Advertising Cookies: Off  On.
    - Functional Cookies: Off  On.
    - Analytical Cookies: Off  On.


                  <<Save Changes>> <<Activate All>>

If you choose "Save changes" without having accepted any group of cookies, you will
Check how the web continues to use the same cookies indicated above.


4.- If you want to access the "Cookies Policy" through the existing link in the
information banner of the first layer, through the existing link in the panel
control or through the existing link at the bottom of the main page, the web
redirects the user to a new page https://coagranada.es/politica-sobre-recogida-y-
treatment-of-cookies/ where information is provided on: what are cookies, definition and
generic function of cookies; types of cookies; what type of cookies are used in the

web and what is its purpose; how to disable cookies; cookies identify
used and information is provided on how to accept, deny, revoke the
consent or eliminate cookies, through the tools installed in the
web or through browsers installed on the terminal equipment.


SIXTH: On 09/06/22, the Director of the Spanish Agency for the Protection of
Datos agreed to initiate disciplinary proceedings against the claimed party, in accordance with the
provided in articles 63 and 64 of the LPACAP, when appreciating reasonable indications of
violation of the provisions of the articles:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/60








    - Article 38.6 of the GDPR, due to the conflict of interest detected in the
       appointment of *** POSITION 1 of the Association as Delegate of Protection of
       data, with an initial sanction of 5,000 euros (five thousand euros). Also, it

       warned that the alleged offence, if confirmed, may lead to the
       imposition of measures, according to article 58.2 d) of the GDPR. Along with it and
       In accordance with article 58.2 of the GDPR, it was also indicated that the measure
       corrective action that could be imposed would be to order him to name a
       Data Protection Officer in which he was not involved in a conflict
       of interest, as stipulated in article 38 of the GDPR.


    - Article 13 of the GDPR, due to the lack of information provided in the data sheets
       claims, about the processing of personal data obtained, with
       an initial penalty of 8,000 euros (eight thousand euros). Along with it and
       In accordance with article 58.2 of the GDPR, it was indicated that the measure

       corrective action that could be imposed would be to order him to include, in the
       forms used in the School, where personal data is obtained, all
       the information referred to in article 13 of the GDPR, referring to the treatment of
       Personal information.


    - Article 22.2 of the LSSI, regarding the use of third-party cookies from
       non-excepted character, without the consent of the user, with a penalty
       initial amount of 1,000 euros (one thousand euros).

SEVENTH: On 09/29/22, the claimant entity submits a written statement of allegations to

the initiation of the file in which the procedure is requested to be archived based on
the following considerations:

1.- Regarding the conflict of interest regarding the data protection officer of
This College.-


It points out that such a “conflict of interest” cannot be presumed, as has been said, taking
only as a basis the Statutes of COAGranada, in relation to the composition
and functions of the Governing Board, of the Permanent Commission and of the functions
of ***POINT.1 of COAGranada, since, of the statutory precepts that are
invoked by that AEPD (14.1, 13.2, 15 and 17) no existence of any

“conflict of interest” on the part of ***POINT.1 of COAGranada regarding the
protection of the interests of the Collegiate and third parties, in terms of protection of
data.

Regarding the violation of art. 38.6 of the GDPR, referring to the eventual "conflict of

interests”, the enumeration of functions of the Board is inappropriate and insufficient
of Government, as well as of the Permanent Commission and of ***PUESTO.1, all of them
established in the Particular Statutes of the Official College of Architects of
Grenada, to reach the conclusion that "the existence of a conflict is evident
of interest by ***POSITION.1 of the Official College of Architects of Granada

to act as DPD of said Body.

The COAGranada proceeded to appoint the DPD in the figure of his *** POSITION.1
thus guaranteeing the participation of the Data Protection Officer in all


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/60








issues relating to the protection of personal data and, for your support and
advice provided him with the competition and assistance of the external Legal Department.


Reference is also made to the fact that COAGranada designated its
*** POSITION 1 as Data Protection Officer was the subject of a complaint before
this Agency dated July 8, 2021 by the same claimant and who was
archived by Resolution of this AEPD on 11/11/21, therefore, there are two
Contrary resolutions, so that, in the first, infringing conduct is not imputed
any regarding the appointment of the Data Protection Officer in the figure

*** POSITION 1 of the College and, however, in the second, with said appointment
COAGranada is accused of a violation of art. 38.6 of the GDPR.

Finally, it states that the Official College of Architects of Granada adopted the
decision to appoint a new Data Protection Officer on April 26

2022, anticipating the proposed corrective action and request that it be taken into account
account this decision under art. 83.2.c) of the GDPR.


2.- about the lack of information in the forms on "complaints and claims".


Regarding the sanction referred to for the violation of art. 13 GDPR, state that they
has incorporated all the information referred to in art. 13 of the GDPR to the forms to
disposition of both Collegiate and the general public, for which they request
that this measure be taken into account under art. 83.2.c) of the GDPR.


3.- about the cookie policy

It states that the breach is due to the use of a third-party cookie for the use
of an interactive map and request that for the establishment of the amount of the
sanction is taken into account the absolute absence of guilt or illegality

of the fact as a consequence of the significant concurrence of several of the criteria
set out in article 40, based on the following criteria:

-Intentionality: COAGranada made the map available to its Members
interactive to facilitate compliance with the provisions contained in the Royal
Decree 732/2019, of December 20, by which the Technical Code of the

Building approved by RD 314/2006, of March 17, providing information
on the basic concepts related to the regulatory modification, without
to collect any information.

- Period of time during which the eventual infringement was committed. The map has already

been removed from the web and was available to the public during the period
established between February 10, 2022 and September 20, 2022, the day on which it was
retired.

-Recidivism due to the commission of offenses of the same nature: This College does not

has previously been convicted of any similar offence.

4.- Regarding improper or erroneous interpretation of article 77.2 of the LOPDGDD


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/60








At this point, the application of article 77.2 of the LOPDGDD is reiterated in the same
terms that they already stated in their letter dated 04/1/22.


Regarding the aforementioned article 77 of the LOPDGDD, they allege that the AEPD distinguishes the
public and "private" functions exercised or held by the Professional Associations but
state that these associations of professionals are Corporations of
Public Law and it is considered that it is not appropriate to impute only as "functions
private" those that are the object of the presumed infringing conducts that are imputed and
"disconnect" them without any reason or justification from public functions, in which

they can also be completely incardinated.

The following is a reproduction of the statutory precepts invoked that imply the
exercise of public functions, which are perfectly extensible to behaviors
accused; and these can perfectly overlap with such pubic functions

such as article 13. 2. It will correspond to the Governing Board, specifically;
article 15. The Permanent Commission and article 17. The *** POSITION.1. "It corresponds to
***POINT.1:

It is also stated that the Spanish Data Protection Agency, in its
Resolutions of May 24, 2021, Procedure No.: PS/00416/2020 and of May 11

2021, Procedure No.: PS/00347/2020, has adopted a different criterion from that followed in
this Sanctioning File before Public Law Corporations.

EIGHTH: On 04/10/23, this Agency once again accessed the
web page https://www.coagranada.es/ being aware of the following

Characteristics regarding its "Cookies Policy":

When entering the web for the first time, once the terminal equipment has been cleaned of the history of
navigation and cookies, without accepting new cookies or taking any action on
the web page, it has been verified that a single cookie "_GRECAPTCHA" is used,

whose purpose is to provide your risk analysis, such as detecting
erroneous and repeated connection attempts.

NINTH: On 04/10/23, this Agency accessed the data sheet
complaints and claims of the College of Architects of Granada, accessible through
of the link https://coagranada.es/quejas-y-reclamaciones/ verifying that in the

You can read the following message:

       Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001
       Grenade. General Secretary. Area of Attention to the Collegiate and the User.


       In compliance with the provisions of EU Regulation 2016/679, of 27
       April 2016, hereinafter GDPR, the Official College of Architects of Granada
       with address at PLAZA DE SAN AGUSTÍN 3, 18001 GRANADA and NIF nº
       Q1875003D informs you that the collection and processing of your data through the
       The purpose of this form is the administrative, fiscal and

       accounting provided for in the legislation of professional associations and our
       statutes. Your data may be communicated to the General Council of Colleges
       Officials of Architects, related organizations and the Public Administration without
       prejudice to other assignments provided by law. Your data will be kept

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/60








       during the time necessary to comply with legal obligations. In
       You can consult additional information on this treatment at any time.
       or exercise the rights of access, rectification, deletion and opposition,
       portability and limitation of treatment by directing your request to the address above
       indicated or by email to protecciondedatos@coagranada.org. Also, in case

       If you consider your right to the protection of personal data violated, you may
       file a claim with the Spanish Data Protection Agency
       (www.agpd.es).

TENTH: On 04/10/23, a resolution proposal was formulated in the sense that
the party claimed for the infringement of article 38.6 of the GDPR is sanctioned, for the

conflict of interest detected in the appointment of *** POSITION 1 of the College
as Data Protection Delegate, with a penalty of 5,000 euros (five thousand
euro); for the infringement of article 13 of the GDPR, for the lack of information
provided in the claims forms, on the treatment of the data
personal data obtained, with a penalty of 8,000 euros (eight thousand euros) and for the

violation of article 22.2 of the LSSI, regarding the use of third-party cookies
of a non-excepted nature, without the consent of the user, with a sanction of
1,000 euros (one thousand euros).

Likewise, it was proposed that the claimed party be required so that, within the term
determined, adopt the necessary measures to adapt its performance to the

personal data protection regulations.

ELEVENTH: On 04/28/23, this Agency received a written
allegations to the proposed resolution, in which the claimed party reiterates and
confirms its previous allegations and once again requests the file of the
procedure. In this letter, the defendant states the following:


       FIRST.- REGARDING THE "CONFLICT OF INTERESTS" OF THE
       *** POSITION 1 OF THIS SCHOOL AS DELEGATE OF PROTECTION OF
       DATA, THE PROPOSED RESOLUTION IS INCONSISTENT AND
       CONTINUES IF DISTORTING THE PRINCIPLES OF CLASSIFICATION AND LEGALITY,
       PERSONAL TO THE SANCTION PROCEDURE, WHICH OPERATE IN

       FAVOR OF COAGRANADA AND AGAINST THAT AGENCY.-

       The Draft Resolution does not actually refute the allegations made
       by this College, especially regarding the violation of the principles
       of typicality and legality. Moreover, without addressing and dealing with these principles
       invoked in our pleadings brief, considers, without foundation or

       some piece of evidence- Cfr. Last paragraph of FD II a) that "it is evident the
       existence of a conflict of interest on the part of ***POSITION.1 of the College
       Official of Architects of Granada to act as DPD of said body”.

       At this point it is necessary to remember that this Agency continues to be based on some

       “Guidelines” or “best practices of the Working Group on
       Data Protection". It is clear that any administrative offense
       must take as an inexcusable foundation a normative element (legal, or
       regulation) which, in the present case, does not exist, since it results in all
       inappropriate point to take as a title of imputation some guidelines or

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/60








       recommendations, given that this implies a violation of the principles of
       typicity and legality. Even in article 29 of the “Guidelines on the
       data protection delegates (DPD)" of said Working Group, it will be

       to set an "example" (that "a DPO be asked to represent the person responsible or
       to the data processor before the courts in cases related to the
       Data Protection").

       The mere fact of mentioning an example in a sanctioning procedure already
       implies per se, dispensing with the essential factual element that must distort

       the principle of presumption of innocence and, likewise, even applying as
       implausible example, there are no similar circumstances in the present
       Sanctioning procedure. On the other hand, the considerations of the aforementioned
       "Working Group" regarding the "conflict of interest of the DPD are
       extremely generic and, in no way, can they serve as a basis

       to enervate the aforementioned presumption of innocence.

       Moreover, even applying such "Criteria" -which is not rejected either
       would result in the existence of a “conflict of interest” to appoint the
       *** POSITION 1 of the College, with the assistance and support of the Legal Department of the
       COAGranada, as DPD. The “Criteria” themselves establish that the

       determination or consideration of the existence of a "conflict of interest" in
       the figure of the DPD must be "considered on a case-by-case basis", which has not been done
       for that AEPD.

       In this sense, it is worth mentioning the Judgment of the Court of Justice of the Union

       Commission (Sixth Chamber) of February 9, 2023, Case C-453/21: “Fourth
       question referred for a preliminary ruling 43 Third, as regards the context in which
       that article 38, section 6, of the GDPR is registered, it should be noted that,
       according to article 39, paragraph 1, letter b) of the GDPR, the protection officer
       of data has the function, in particular, of supervising compliance with the

       provided in the GDPR, other data protection provisions of the
       Union or of the Member States and of the policies of the person in charge or of the
       person in charge of the treatment regarding the protection of personal data,
       including assignment of responsibilities, awareness raising and training of
       staff involved in processing operations, and audits
       corresponding.


       From this it can be deduced that they cannot be entrusted to a protection delegate
       of data, its functions or tasks that lead it to determine the purposes and
       means of processing personal data of the controller or
       from his manager. Indeed, in accordance with Union Law or the Law of

       Member States in the field of data protection, the control of these
       purposes and means must be carried out independently by said
       delegate.

       The determination of the existence of a conflict of interest, in the sense of the

       art 38 paragraph 6 of the GDPR, must be carried out on a case-by-case basis, on the basis of
       an assessment of all the relevant circumstances, in particular, of
       the organizational structure of the controller or his manager and in the light of all
       applicable regulations, including any policies of the latter.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/60









       In view of all the above considerations, it is appropriate to reply to the
       fourth question referred that Article 38(6) of the GDPR must

       interpreted as meaning that there may be a "conflict of interest", in
       the meaning of this provision, when entrusted to a delegate of
       data protection other functions or tasks that would lead it to
       determine the purposes and means of processing personal data in the
       within the person responsible for the treatment or his manager, which is the responsibility of
       determine in each case the national judge on the basis of all the

       relevant circumstances, in particular the organizational structure of the
       responsible for the treatment or its manager and in light of all the regulations
       applicable, including any policies of the latter.

       By virtue of all of the above, the TJ (Sixth Chamber) declares: (...) 2) Article 38,

       Paragraph 6 of Regulation 2016/679 must be interpreted in the sense that
       there may be a "conflict of interest" within the meaning of this provision,
       when other functions are entrusted to a data protection officer
       or tasks that would lead him to determine the ends and means of the
       processing of personal data within the controller or
       of his person in charge, which is the responsibility of the national judge to determine in each case

       on the basis of all the relevant circumstances, in particular the
       organizational structure of the data controller or its manager and
       light of all applicable regulations, including any policies of these
       last.


       On this point, that Agency confuses the very concept of "conflict of
       interests” when he seems to equate the position of ***POSITION.1 of the College to
       "management positions", given that, as a result of the application of article 17
       of the Particular Statutes of COAGranada, it is evident that the
       ***POSITION.1 does not in any way hold such senior management functions,

       This concept is also applicable to other types of entities, not to COAGranada.
       To these considerations, as it cannot be otherwise, it is not offered by
       that AEPD response or factual or legal foundation that distorts it.

       And this is especially relevant, given that the expression "conflict of
       interests” implies the application of an indeterminate legal concept that, in

       a disciplinary procedure, while restrictive of rights, must
       be applied with extreme caution and with a strong factual heritage, probative
       and legal-regulatory that supports it, all of which has not happened in the
       present case.


       And it is that "the conflict of interest" has to be proven by that Agency and not
       be presumed, which is what has happened in this Procedure
       Sanctioner. It is not possible to presume, as has been said, such a "conflict of interest"
       taking as a basis only the Statutes of COAGranada, regarding
       to the composition and functions of the Governing Board, the Commission

       Permanent and of the functions of ***POSITION.1 of COAGranada, position
       that, of the statutory precepts that are invoked by that AEPD (14.1, 13.2,
       15 and 17) does not infer any existence of "conflict of interest" on the part of the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/60








       *** POSITION 1 of COAGranada regarding the protection of the interests of the
       Collegiate and third parties in terms of data protection.


       That is to say, of the statutory precepts that regulate the functions of the Board of
       Government (Art. 13.2), its composition (Article 14.1), the Permanent Commission
       of the Governing Board (article 15) and, especially, the powers of the
       *** POSITION.1 (article 17) in no way can the performance of
       functions that imply a "conflict of interest" with the figure of the DPD.


       The COAGranada proceeded to appoint the DPD in the figure of his
       ***POINT.1 thus guaranteeing the participation of the DPD in all
       issues relating to the protection of personal data and, for your support and
       advice endowed him with the help and assistance of the Legal Department of the
       COAGranada.


       2.- As has been said, the sanctioning power of the Public Administration
       is directly linked to the principles that inspire criminal law, given that
       Both powers are an expression of the Legal System of the State, as
       as expressed in the Constitutional Text itself (art. 25) and recognizes the
       jurisprudence of the Constitutional Court from the STC 18/1 981, of June 8 and

       a very reiterated jurisprudential doctrine of the TS (STS September 29, 1980
       and STS November 4, 1980 and STS November 10, 1980, among others).

       The sanctioning power of the Administration is based
       constitutional in article 25 of the CE. It is reiterated doctrine of the Court

       Constitutional (STC 77/83, of October 3, STS 42/87, of April 7; STC
       29/1989, of February 6) that the administrative sanctioning order
       includes a double guarantee: the first, of a material nature, supposes the
       need for normative predetermination of illegal conduct and sanctions
       corresponding, through legal precepts that allow predicting, with

       sufficient degree of certainty, the conducts that constitute an infraction and the
       applicable penalties or sanctions.

       It appears derived from the binding mandate or "lex certa" and is specified in
       the requirement of normative predetermination of the illegal conducts and of the
       corresponding sanctions, which places on the legislator the duty of

       configure them in the penalizing laws with the greatest possible precision
       (principle of typicality) so that citizens can know in advance
       the scope of what is proscribed and thus foresee the consequences of their actions.
       (STC 242/2005, of October 10 and STC 162/2008, of December 15). The
       second, of a formal nature, refers to the range of norms

       typifying the infractions and regulating the sanctions, insofar as they
       the term "current legislation" contained in art. 25.1 CE is expressive of
       a reserve of law.

       Therefore, the formal guarantee implies that the law must contain the determination

       of the essentials. Well then, the material guarantee comes to constitute
       the aforementioned principle of typicality, which "supposes the imperative
       need for normative predetermination of the infringing conducts and the
       corresponding sanctions, that is, the existence of legal precepts (lex

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/60








       previous) that allow predicting with a sufficient degree of certainty (lex certa)
       those behaviors and know what to expect in terms of responsibility and
       to eventual sanction" (Cf. STC 61/1990, of March 29 and STC 24/1996 of
       February 13; STS April 20, 2006; STS November 18, 2000; STS December 20
       1999; SAN of December 2, 2011; STS No. 74/2017, Litigation Chamber

       Administrative, of January 23). For its part, article 27 of Law 40/2015
       of October 1, of LRJSP-, includes the so-called principle of typicality, according to the
       which only constitute administrative infractions the violations of the
       legal system foreseen as such infractions by a Law.

       The principle of classification, related to that of legality, requires that the fact

       that allegedly has an illegal character is expressly found
       foreseen as an infraction in some precept of the legal system
       administrative. For a conduct to be classified as typical, and for
       Therefore, unlawful and punishable, it is necessary that there is a coincidence between the action
       carried out by the actor and the conduct exposed in the applicable legal precept.

       Through the application of the principle of typicality, it is intended to verify if a
       event that occurred in reality meets all the characteristics described in the
       law as presuppositions of the infringement of a rule of a punitive nature.

       For this, it is necessary that the action be subsumed in a sanctioning precept,
       understanding as such that part of the offense that describes all the elements

       subjective and objective that, as a whole, give rise to the infringement of the
       rule. According to Judgment no. 4672/2022 of December 23, of the Court
       Superior Court of Justice of Catalonia, (Contentious-Administrative Chamber,
       Section 4)-JUR 2023\48531-: "Requirements of the principle of classification in matters
       administrative penalty that, as is well known, despite the notable
       conciseness and taking into account the implicit content of the aforementioned article 25 of the

       Constitution (judgment of the Constitutional Court 34/1996, of March 11
       (RTC 1996, 34) ), has been highlighted since ancient times by jurisprudence
       constitutional in relation to what has been called the guarantee
       material of the principle of legality (among many others, from the judgment of the
       Constitutional Court 42/1987, of April 7 (RTC 1987, 42), for the
       judgments of the Constitutional Court 3, 11, 12, 100 and 101/1988, of June 8

       (RTC 1988, 101), 161, 200 and 219/1989, of December 21 (RTC 1989, 219),
       61/1990, of March 29 (RTC 1990, 61), 207/1990, of December 17 (RTC
       1990, 207), 120 and 212/1996, 133/1999, of July 14, 142/1999, of July 22
       (RTC 1999, 142), and 60 and 276/2000, of November 16 (RTC 2000, 276) ),
       that comes to be identified with the traditional principle of typicity of faults and
       administrative sanctions (sentences of the Supreme Court, Third Chamber, of

       dates January 16 and June 8, 1992, February 5 and October 2, 2002)
       and that always requires the necessary certain normative predetermination of the
       specific conducts that by action or omission are deemed to constitute a
       illegal administrative, with prohibition of possible analogical interpretations
       to the effect or extensive in malam partem (ruling of the Constitutional Court

       125/2001, of June 4 (RTC 2001, 125), citing their previous judgments
       81/1995, of June 5 (RTC 1995, 81), 34/1996, of March 11, (RTC 1996,
       34) 64/2001, of March 17 (RTC 2001, 64), and order of the Court
       Constitutional 3/1993, of January 14, and 72/1993, of March 1; as well as
       Judgment of the Supreme Court, Third Chamber, of May 30, 1981, of 4

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/60








       of June 1983, of December 29, 1987, of October 20, 1998, of
       February 22, 2000 and March 3, 2003). Or put it in words
       of the Constitutional Court itself, among many other previous and subsequent
       in its judgment 113/2002, of May 9 (RTC 2002, 113), in the following
       terms: "(...) Specifically, in relation to the material guarantee referred to

       is subject to the sanctioning power of the Administration, we have
       specified that normative predetermination supposes the existence of
       legal precepts (lex prior) that allow predicting with a sufficient degree of accuracy
       certainty (lex certa) the infringing behaviors and knowing in advance to which
       abide in terms of the attached responsibility and the eventual sanction that
       the offender can deserve (STC 219/1989, of December 21, FJ

       4; 61/1990, of March 29, FJ 7; and 133/1999, of July 15, FJ 2) ".

       Also being well-consolidated jurisprudential doctrine that teaches
       that in the exercise of its sanctioning administrative power the
       acting sanctioning administration does not properly respond to the exercise

       of an administrative power of essence or discretionary tendency but rather
       predominantly regulated for the application to each specific case of the framework
       normative pre-established sanctions with a general nature in the legal system
       applicable sanctioning law, which entails, from the outset, the requirement of
       the necessary adequacy and rigor in the classification of the imputed facts and in
       its punctual incardination and adequate subsumption in the legally infringing type

       defined for its correction, in such a way that the contrary, certainly,
       would be determinative of violation of the subjective fundamental right since
       targeted and all recognized by the current constitutional text ex article
       25.1 of the Constitution (sentences of the Constitutional Court 77/1983, of 3
       of October (RTC 1983, 77) ,199 7 and 3/1988, of January 21 (RTC 1988, 3) ),
       which, because it is subject to constitutional protection, would incur an eventual

       sanctioning administrative action infringing the same in the vice of
       full nullity today provided for in article 47.1. a) of Law 39/2015
       ".

       3.- Finally, in relation to the non-compliance related to the appointment
       of the DPD, it must be recorded that, prior to the receipt of

       Resolution PS/00345/2022, as known and known to that Agency, the
       COAGranada adopted the decision to appoint a new Delegate of
       Data Protection on April 26, 2022, with electronic receipt no.
       REGAGE22e00014921519, meeting the requirements of art. 38 of the GDPR.

       This College has anticipated the proposed corrective measure and we request

       that this decision be taken into account under art. 83.2.c) of the GDPR, which
       establishes the following: “[…] When deciding to impose an administrative fine
       and its amount in each individual case shall be duly taken into account: c)
       any measure taken by the controller or processor to
       alleviate the damages and losses suffered by the interested parties.” In this point

       We also invoke the proportionality application of art 29.3 LRJSP.

       SECOND.- ON THE LACK OF INFORMATION IN THE FORMS
       ABOUT "COMPLAINTS AND CLAIMS".


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/60








       Regarding the sanction referred to for the violation of art. 13 GDPR, it is reiterated
       what is stated in the First Allegation, in the sense that no response is given and
       what is alleged by COAGranada in its pleadings is addressed. So and

       as stated in this, was applied as soon as this fact became known, the
       proposed corrective action having incorporated all the information
       referred to in article 13 of the GDPR to the forms available to both
       Collegiate as well as the general public, for which we request that
       Take this measure into account under art. 83.2.c) of the GDPR.


       On this point, related to what is stated in the First Allegation, the lack of
       concurrence of an essential element implies that the active subject has not
       committed the conduct described in the type allegedly violated by its
       action, therefore, it is perfectly lawful. That is, the atypicality
       determines the absence of responsibility for the subject responsible and, therefore,

       hence, the impossibility of displaying the effects of the ius puniendi on the subject.

       Furthermore, for the action to be considered typical, and therefore,
       display legal effects, it is necessary that together with the objective elements of
       typicality the so-called subjective elements of typicality concur. based on
       principle of subjective typicity requires that, in order to proceed to impute and

       sanction for an action, the voluntary nature of the active subject is confirmed.

       In this sense, jurisprudence has repeatedly required the
       existence of guilt to be able to impose an administrative sanction,
       to the point that today it is configured as one of the pillars on the

       that the sanctioning administrative law is established, discarding all
       sanction outside of negligent or negligent conduct and, therefore,
       discarding what has traditionally been called responsibility
       objective.


       Specifically, regarding guilt, the Constitutional Court has declared that, in
       Indeed, the Spanish Constitution undoubtedly enshrines the principle of guilt
       as a basic structural principle of Criminal Law and has added that, without
       However, the constitutional consecration of this principle does not imply in any way
       that the Constitution has made a certain mode of
       understand it (Cf. STC 150/1991).


       This principle of culpability governs in matters of administrative infractions,
       because to the extent that the sanction of said infraction is one of the
       manifestations of the ius puniendi of the State is inadmissible in our
       system a regime of strict liability or without fault (Cf. STC

       76/1990). This same sentence requires guilt in the case of infractions
       administrative acts committed by legal entities, affirming that "...Even
       this TC has described the principle of personal responsibility as "correct"
       by own facts principle of the personality of the penalty or sanction (STC
       219/1988).


       All this, however, does not prevent our Administrative Law from admitting
       direct liability of legal persons, recognizing them, therefore,
       infringing capacity. This does not mean, at all, that in the case of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/60








       administrative offenses committed by legal entities
       suppressed the subjective element of guilt.


       Law 40/2015 itself, on the Legal Regime of the Public Sector, provides in its
       Article 28 that "they may only be penalized for acts constituting
       administrative infraction natural and legal persons, as well as, when a
       Law recognizes the capacity to act, the affected groups, the unions and
       entities without legal personality and independent estates or
       self-employed, who are responsible for them by way of fraud or negligence".

       The majority jurisprudence of our Supreme Court (from its
       judgments of January 24 and 25 and May 9, 1983) and the doctrine of the Tribunal
       Constitutional (after its STC 76/1990) emphasize that the principle of
       Guilt, even without explicit recognition in the Constitution, is inferred from
       the principles of legality and prohibition of excess (art. 25.1 CE), or of the

       requirements inherent to a rule of law, and require the existence of
       fraud or fault

       The requirement of guilt in the penalizing administrative law has
       impregnated the jurisprudence of the Supreme Court in the different areas
       materials in which he has had the opportunity to speak, discarded by

       legal and constitutional requirement, strict liability, that is, regardless of
       from any wrongdoing. In this way, the principle of guilt
       constitutes an essential element of the administrative offense.

       THIRD.- ABOUT THE COOKIES POLICY


       In relation to the sanction proposal "About the Cookies Policy", as
       as the Resolution Proposal itself acknowledges, when entering the web by
       first time, without accepting cookies or performing any action on the page,
       You can check that non-technical cookies are not used or

       necessary.

       The breach detected is due to the use of a third-party cookie by the
       use of an interactive map. Based on art. 39 bis a) of Law 34/2002, of 11
       July, Information Society Services and Electronic Commerce,
       We request that the establishment of for the establishment of the amount of

       the sanction takes into account the absolute absence of guilt of the
       defendant or the illegality of the act as a consequence of the
       significant concurrence of several of the criteria set forth in article 40,
       based on the following criteria: -Intentionality: The COAGranada
       made the interactive map available to its members to facilitate the

       compliance with the provisions contained in Royal Decree 732/2019, of
       December 20, by which the Technical Building Code was modified
       approved by Royal Decree 314/2006, of March 17, providing
       information on the basics related to the modification
       regulations, without the intention of collecting any information.


       Period of time during which the eventual infringement was committed. The map
       has already been removed from the web and was available to the public during the
       period established between February 10, 2022 and withdrew on February 20, 2022.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/60








       September 2022. -The recidivism by commission of infractions of the same
       Nature: This College has not been previously condemned by any
       similar offence. At this point it is invoked, as in the Allegation
       above, the principle of guilt and, in addition, that of proportionality.


       FOURTH.- WE UNDERSTAND THAT THE PROPOSED RESOLUTION
       REITERATES THE IMPROPER OR WRONG INTERPRETATION OF THE ARTICLE
       77.2 OF THE ORGANIC LAW 3/2018 OF DECEMBER 5, OF PROTECTION
       OF PERSONAL DATA AND GUARANTEE OF RIGHTS
       DIGITALESLOPDGDD-.


       We invoke the application of article 77.2 of the LOPDGDD in the same terms
       that we already exposed in our letter dated April 1, 2022. And it is that,
       here it is also necessary to remember that we are in the heart of a
       disciplinary procedure, in which they are applied, as inspiring principles
       of the criminal order, that of presumption of innocence and that of in dubio pro reo.


       Regarding the aforementioned article 77 of the LOPDGDD, that Agency distinguishes the
       public and "private" functions exercised or held by the Colleges
       Professionals. But it is that, in addition to being associative entities of
       professional, privately-based, the fundamental thing for the purposes that we here
       occupy, is that they are Public Law Corporations. And, at this point,

       We consider that it is not appropriate to impute only as "private functions"
       those who are the object of the presumed infringing conducts that are imputed and
       “disconnect” them without any reason or justification from public functions, in
       which can also be totally incardinated.

       What is inappropriate at all points is to try to justify spuriously

       the exercise of "private functions" overlapping it with a norm that is not
       in application mode, such as Law 7/2006, of May 31, on the exercise of
       titled professions and professional associations of the Community
       Autonomous of Catalonia.

       Said Law is not applicable neither by reason of the matter, nor of the territory and,

       even less within a disciplinary procedure, which leads us
       again to the violation of the principles of classification and legality, without
       can be "presumed", without any evidence or factual foundation
       and legal, the exercise of private functions erring in the normative framework of
       application and assuming that the alleged infringements have been in the
       exercise of such functions.


       If we take into account the statutory precepts that the AEPD invokes
       regarding the alleged “conflict of interest” of ***POINT.1 of the
       COAGranada, the statutory precepts invoked by that AEPD
       involve the exercise of public functions, which are perfectly extensible

       to the imputed conducts; and these can be perfectly imbricated as
       pubic functions

       -Article 13. 2. It will correspond to the Governing Board, specifically: "a)
       Prepare draft standards of a general nature and the promotion of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/60








       procedure of approval and reform of the statutes. b) Propose to the
       General Assembly the matters that concern it, provide advice and
       technical support and arbitrate the means leading to the exact compliance of the
       agreed by it. c) Resolve the applications for the incorporation of new
       collegiate, of collegiate withdrawals and on the suspension of collegiate services and

       of college status. d) Authorize the registration of Companies
       Professionals in the corresponding Association Registry, upon request, who
       may be processed electronically through the single window established in
       this School e) Collect, distribute and manage the funds of the School,
       in accordance with the provisions of the Title on the Economic and Patrimonial Regime of
       the present Particular Statutes. h) Promote actions of all kinds through

       favor of the profession. i) Know the actions carried out due to
       urgency by the Dean or by the Permanent Commission, assuming them or
       censoring them when they were not within their own competence. j)
       Resolve as many proposals as the Permanent Commission may put forward k)
       Exercise the disciplinary function and adopt precautionary measures, initiating, of

       ex officio or by virtue of denunciation, the disciplinary files, in which it will dictate
       the corresponding Resolution. The exercise of such functions may be delegated
       in the Dean, in a group of members of the Governing Board or in a
       Commission. l) Send to the Investigating Commission the Files initiated in
       disciplinary matter, for the purposes of its processing and formulation of the
       corresponding proposed resolution. m) Initially approve the

       Regulations for the operation of attendance and telematic voting in the
       General Assembly, in order to be definitively approved by the General Assembly
       General of the Collegiates.”

       -Article 15. The Permanent Commission. The Governing Board will be constituted in
       Permanent Commission, made up of the Dean, the ***POSITION.1 and the Treasurer

       as ex officio members, for the fulfillment of the functions assigned to them
       in these Statutes. Corresponds to the Permanent Commission of the Board of
       Governance of the School: 1. Put into practice the guidelines issued by the
       Governing Board. 2. Propose to the Governing Board as many acts as are
       consequence of the powers that it has assumed. 3. The adoption of
       the necessary measures to comply with the agreements of the Board of

       Government. 5. Adopt decisions on matters of an urgent nature
       that, being the competence of the Governing Board, cannot suffer
       postponement until the meeting of the latter, having to account for these acts,
       for its ratification, in the first session held by the Governing Board. 6.
       Those functions expressly delegated by the Governing Board.


       -Article 17. The *** POSITION.1. “Corresponds to *** POSITION.1: 1. Organize, with
       the approval of the Dean and according to the criteria of the Governing Board,
       The school secretary. 2. Provisionally resolve on admission
       of the new members in accordance with the provisions of these Statutes
       individuals. 3. Receive and process all requests and communications that are

       directed to the College and its different Bodies, reporting them to whoever
       corresponds. 4. Issue the certifications that are requested and must be
       issued and keep the registration book of collegiate. 6. Make notifications
       college ups and downs. 7. Keep the minute books of the meetings of the
       General Assembly of members, Governing Board and the Commission

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/60








       Permanent and transfer the agreements, monitoring compliance
       thereof.". 10. Direct the services of the College offices.”.

       And, as a complement to the previous statutory precepts in article 6
       the functions of COAGranada are listed, fully governed by Public Law -

       Article 6. Functions. "Without prejudice to those reserved to the Superior Council of
       the Colleges of Architects of Spain and the Andalusian Council of Colleges
       Official Architects, are functions of the Official College of Architects of
       Granada, in its territorial scope, those expressly determined, for the
       achievement of its purposes, in the legislation on Professional Associations and,
       specifically, the following: 1. Registration: e) Facilitate the bodies

       courts and Public Administrations, in accordance with the laws, the
       List of members who may be required to intervene as
       experts or designate them directly, as appropriate. f) Equip yourself with the systems
       appropriate electronic communications and computer programs that
       allow citizens, Collegiates and other practicing Architects

       in its territory, to the Public Administrations and to the organizations declared
       authorities, resolve their administrative relations with them in
       single window system, without prejudice to the fact that it can also be done by other
       ways. g) Establish and maintain a telematic and in-person customer service
       to consumers and users and to Collegiates and other architects with the functions
       that the Law establishes and those that regulate the Superior Council of Schools of

       Architects, the Andalusian Council of Official Colleges of Architects and this
       School, according to the Law

       2. Representation and relations with Public Administrations: a)
       Represent the profession, in the territorial area that corresponds to it, before the
       public powers of the Andalusian Autonomous Community and others

       Public Administrations, defending the general interests of the
       profession, lending their collaboration in the matters of their competence, to
       which may enter into agreements to carry out activities of interest
       common, as well as for the promotion of actions aimed at defending the
       public interest and, especially, of the users of the professional services of
       the collegiate, with the different Public Administrations and with organizations

       public or private. When the representation must take place before bodies
       with jurisdiction outside the scope of the College and refers to matters that
       beyond its territorial scope, the actions will be carried out with the
       prior knowledge or through mediation of the Superior Council or Andalusian Council,
       as appropriate. b) Prior agreement of the Governing Council of the Junta de
       Andalusia, which must be published in the Official Gazette of the Junta de

       Andalusia, exercise administrative functions related to the profession,
       all this prior to the report of the Andalusian Council of Official Colleges of
       Architects and the express acceptance of the College. c) Act before the Judges and
       Courts, inside and outside their territorial scope, both in their own name and in
       defense of the goals and interests of the profession and professionals

       members of the Association or practitioners in its territorial scope, as in name,
       on their behalf and in their procedural substitution, in the defense that they themselves
       voluntarily entrust him. d) Report in legal proceedings or
       administrative proceedings in which fees or other professional issues are discussed,
       when required to do so. e) Inform, in accordance with the Laws, the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/60








       draft provisions at the local level that regulate or directly affect
       to the professional attributions or the conditions of activity of the
       Architects as well as those of regional scope when it does not correspond to the
       Andalusian Council. f) Cooperate in the improvement of teaching and research
       of architecture, urbanism and the environment. g) Participate and

       represent the profession in congresses, juries and advisory bodies to
       request of the Administration or individuals. i) Exercise the right of petition
       in accordance with the Law. j) Attend, in its capacity as competent body, the
       requests for information that are requested, in accordance with the provisions
       in Spanish or European Union legislation, both by individuals
       as by the Collegiate and other practicing architects or by the organisms

       national or international authorized by law.

       3. Ordination: a) Ensure the ethics and dignity of the profession, both in the
       reciprocal relations of the Architects as in those of these with their clients
       or with the organizations in which they carry out their professional work. b) Watch

       by the optional independence of the Architect in any of the
       modalities of professional practice. c) Avoid and prosecute before the Courts
       professional intrusion. d) Establish, within the scope of its competence,
       criteria on the minimum required levels of professional diligence, in
       particular, regarding the presentation of works and the quality control and
       monitoring of the works. e) Visa in accordance with what is established in the

       regulatory or legal application standards the professional works of the
       Architects. The visa will in no case include the fees, nor the
       Other contractual conditions for the provision of professional services
       agreed by the Architects with their clients. f) Prevent competition
       unfair between the Architects in the terms established in the legislation
       in force on unfair competition. g) Exercise disciplinary power over the

       Architects and Professional Societies that fail to comply with their collegiate duties
       or professionals, both legal and deontological, approving for this purpose a
       Code of Ethics, in accordance with the provisions of the Law and by the Council
       Superior of the Colleges of Architects of Spain and the Andalusian Council of
       Official Colleges of Architects. Said Code will be accessible to
       Collegiate and other practicing architects and consumers and users of

       their professional services. i) Advise members and others
       practicing architects as well as consumers and users of their
       professional services on the contracting conditions of the services
       professionals of the Architects, seeking the best definition and guarantee of
       the respective obligations and rights. j) Establish, within the scope of its
       competence, regulations on professional activity in the exercise of these

       management functions, subject to the Statutes and other
       general provisions of application.

       4. Service: e) Resolve by award, in accordance with the legislation on arbitration
       and to the collegiate Rules of Procedure itself, conflicts between

       Collegiate and citizens, or raised by the latter, that are
       submitted in matters related to the professional competence of the
       Architects. f) Establish fee scales merely for
       indicative for the sole purpose of cost appraisals in conflicts or
       jurisdictional proceedings. i) Provide the collaboration that is required in

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/60








       the organization and dissemination of competitions that affect Architects and
       ensure the adequacy of their calls to the regulatory standards of the
       professional exercise. m) Exercise as many administrative powers as may be

       legally attributed, collaborate with the Administration by carrying out
       of studies or issuance of reports and exercise the powers that are
       attributed by other norms of legal or regulatory rank, or are
       delegated by the Public Administrations or derived from agreements of
       collaboration. n) Prepare the letter of services to the citizen, offer
       information on the content of the profession and the members registered in the

       College, respecting the provisions of the regulations on data protection
       of a personal nature. o) Guarantee collaboration with the Administration of the
       Junta de Andalucía and its dependent bodies, as well as with the other
       Public Administrations and public entities in the control of situations of
       members who, due to their status as public employees at their service,

       could be affected due to incompatibility for the exercise of
       professional activities. p) Exercise arbitration and mediation functions in the
       Conflicts that, for professional reasons, arise between the Collegiate,
       between members and citizens, and between them when they decide
       freely, all in accordance with the applicable legislation on
       arbitration and mediation.


       5. Organization: a) Approve the Particular Statutes and their modifications
       prior report from the Higher Council of Colleges about its compatibility
       with the General Statutes of the Colleges of Architects and their Council
       Superior, submitting them to a report from the Andalusian Council of Official Colleges

       of Architects for its subsequent qualification of legality and registration in the
       Registration of Professional Associations of Andalusia by the Ministry
       competent. b) Prepare and approve the annual income budgets and
       expenses, as well as their accounts and settlements. d) Issue regulations of
       organization and internal functioning for the development and of those present

       Statutes.".

       And the Spanish Data Protection Agency itself, in its Resolutions of
       May 24, 2021, Procedure No.: PS/00416/2020 and May 11, 2021,
       Procedure No.: PS/00347/2020 has adopted a different criterion from that followed in
       this Sanctioning File before Public Law Corporations.

       Thus, the first of the aforementioned Resolutions establishes the following:

       "The denounced facts are specified that through the web page
       http//www.albuixech.es/wp-content/uploads/ ownership of the claimed could be
       access personal data of neighbors such as ID, telephone, disability,

       economic situation and that despite the fact that he had stated that he had solved the
       incidence, the corresponding measures had not been taken since
       he could still access the data of the neighbors.

       Article 83.5 a) of the GDPR (LCEur 2016, 605), considers that the infringement of

       "the basic principles for the treatment, including the conditions for the
       consent under articles 5, 6, 7 and 9" is punishable, according to
       with section 5 of the aforementioned article 83 of the aforementioned GDPR, "with fines
       administrative costs of €20,000,000 maximum or, in the case of a company,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/60








       of an amount equivalent to a maximum of 4% of the total turnover
       global annual report of the previous financial year, opting for the one with the highest
       amount". On the other hand, the LOPDGDD (RCL 2018, 1629), for the purposes of
       prescription, in its article 72 indicates: "Infringements considered very serious:
       1. Based on what is established in article 83.5 of the Regulation (EU)

       2016/679 are considered very serious and will prescribe after three years the
       offenses involving a substantial violation of the articles
       mentioned therein and, in particular, the following: a) The treatment of
       personal data violating the principles and guarantees established in the
       Article 5 of Regulation (EU) 2016/679. (...)" V The violation of article 32
       of the GDPR (LCEur 2016, 605) is typified in article 83.4.a) of the

       cited GDPR in the following terms:

       4. Violations of the following provisions will be penalized, according to
       with paragraph 2, with administrative fines of EUR 10,000,000 as
       maximum or, in the case of a company, an amount equivalent to 2%

       maximum of the overall annual total turnover of the financial year
       above, opting for the one with the highest amount: a) the obligations of the
       responsible and of the manager in accordance with articles 8, 11, 25 to 39, 42 and 43.
       (...)" For its part, the LOPDGDD (RCL 2018, 1629) in its article 71,
       Violations, states that: "Infractions are the acts and conducts to the
       referred to in paragraphs 4, 5 and 6 of article 83 of Regulation (EU)

       2016/679, as well as those that are contrary to this organic law". And
       in its article 73, for prescription purposes, it qualifies as "Offences
       considered serious": "Based on what is established in article 83.4 of the
       Regulation (EU) 2016/679 are considered serious and will prescribe after two years
       the infractions that suppose a substantial infringement of the articles
       mentioned therein and, in particular, the following: (...) g) The

       breach, as a consequence of the lack of due diligence, of the
       technical and organizational measures that have been implemented in accordance with the
       required by article 32.1 of Regulation (EU) 2016/679". (...)"

       VI The proven facts show access through the website
       http//www.albuixech.es/wp-content/uploads owned by the defendant to the

       personal data of residents of the town (ID, telephone,
       disability, economic situation, etc.), despite having stated to
       this AEPD that had provided a solution to the incident, breaking and
       violating technical and organizational measures and the duty to
       data confidentiality. As stated in the background and accredited
       based on the proven facts of the procedure, it has been proven that the

       file resolution of the initial claim, the claimant filed an appeal
       optional replacement against the relapsed resolution showing its
       disagreement and stating that the defendant had not taken the measures
       adequate since, despite what was alleged, the data continued to be accessed
       of the municipal website, contributing together with the new appeal document

       relevant documentation.

       After the analysis and checks carried out, it was found that there
       published documents containing information with character data


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/60








       personnel who had not been eliminated or anonymized, estimating the
       appeal and agreeing to the admission of the claim presented.


       Therefore, the entity's actions constitute a violation of the principles of
       confidentiality and data security, regulated in articles 5.1.f) and
       32.1 of the GDPR (LCEur 2016, 605), and typified in articles 83.5.a) and
       83.4.a) of the GDPR. However, in order to clarify the terms of the
       incident produced and that led to the opening of this proceeding
       sanctioning party, the defendant by letter of 02/18/2021 indicated that if

       Well at first I installed a WP Content Copy Protection Pro plugin for
       block access to existing documents on the website of the
       City Council and carry out the elimination of the files that contained
       personal data published on the aforementioned page, after receiving the
       agreement to open the procedure the computer service treated in a

       first moment of solving the incident, reaching the conclusion that the
       measure adopted (install a plugin to block access to the web),
       seemed insufficient since although it prevented access to the contents
       it was still possible to access them if the URL address was known
       of the published files.


       Therefore, the migration of the entity's website to another server was carried out
       which determined that the content that could have been accessed with
       Prior to the aforementioned date, it was deleted, and it was not possible to access the
       same from the moment the migration was performed. For the purpose of
       avoid incidents such as the one that occurred, the new website adopted a

       series of technical measures: remove access to the wp-content folder and its
       content through. htaccess ; check before serving WP permissions
       using the is-luger-logged-in function, to retrieve a file for a
       wp-content subfolder etc. In addition, the defendant has indicated that he assumes
       its responsibility as a consequence of the infractions committed, although

       considers that the efforts made to improve
       security measures in order to ensure the safety and security of
       confidentiality of personal data for which it is responsible
       and that the violation is not due to inaction or lack of proactivity in the
       compliance with data protection regulations.


       On the other hand, it should be noted that the defendant provides a screen print
       of the web page where the content of the character data should be
       staff that caused the claim and who are currently
       deleted, not being possible to access them VII The LOPDGDD
       (RCL 2018, 1629) in its article 77, Regime applicable to certain

       categories of controllers or processors, establishes what
       following: In the case at hand, in accordance with the evidence of
       those that are available and without prejudice to what results from the instruction, said
       conduct could constitute, on the part of the defendant, a possible violation of the
       provided in article 5.1.f) and 32.1 of the GDPR (LCEur 2016, 605).


       It should be noted that the GDPR, without prejudice to the provisions of its article 83,
       contemplates in its article 77 the possibility of resorting to the sanction of
       warning to correct the processing of personal data that is not

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/60








       conform to their forecasts, when those responsible or in charge
       listed in section 1 committed any of the offenses to which
       refer to articles 72 to 74 of this organic law. Also, it is contemplated
       that the resolution issued will establish the measures to be adopted
       so that the conduct ceases, the effects of the infraction are corrected

       committed and its adequacy to the requirements contemplated in the
       Articles 5.1.f) and 32.1 of the GDPR, as well as the contribution of means
       certifying compliance.

       However, it is considered that the response formulated by the defendant in
       letter dated 02/18/2021 has been reasonable, correcting the incident

       produced, not proceeding to urge the adoption of additional measures to those already
       taken by the defendant, which is one of the main purposes of the
       procedures with respect to those entities listed in article 77
       LOPDGDD, having been accredited the suspension of the website of the
       entity where the information contained the character data

       neighbors staff having migrated it to another server and adopting
       measures to prevent the occurrence of events such as those that gave rise to the
       claim.

       Therefore, in accordance with the applicable legislation and assessed the criteria of
       graduation of sanctions whose existence has been accredited, The

       Director of the Spanish Data Protection Agency RESOLVES:
       FIRST IMPOSE ALBUIXECH CITY COUNCIL, with NIF
       P4601400G, for a violation of article 5.1.f) of the GDPR (LCEur 2016, 605)
       , typified in article 83.5.a) of the GDPR, a penalty of warning, of
       in accordance with article 77 of the LOPDGDD (RCL 2018, 1629). SECOND
       TO IMPOSE the CITY COUNCIL OF ALBUIXECH, with NIF P4601400G, for

       an infringement of article 32.1 of the GDPR (LCEur 2016, 605), typified in the
       Article 83.4.a) of the GDPR, a warning sanction, in accordance with
       article 77 of the LOPDGDD (RCL 2018, 1629)”. About these resolutions
       dictated by the AEPD itself, the Resolution Proposal is not pronounced.

       FIFTH.- ABSENCE OF DETERMINATION OF THE CORRESPONDING TYPE

       TO THE PROPOSED SANCTIONS AND LACK OF REASONS FOR THE
       DETERMINATION OF THE AMOUNT THEREOF. ALTERNATIVE AND
       SUBSIDIARILY, INVOCATION OF THE PRINCIPLE OF
       PROPORTIONALITY.

       The Resolution Proposal does not establish which are the specific types

       of the sanctions that are proposed and the determination and graduation of the
       quantum of the same, which entails an absence of contrary motivation
       to article 35.1 a) of Law 39/2015 of October 1, on Procedure
       Common Administrative of Public Administrations. The type is not specified
       of infraction committed (we understand that, slight) nor is it motivated why they are imposed

       the respective sanctions of 5,000, 8,000 and 1,000 euros. With this you can
       consider that it has generated defenselessness for COAGranada.

       Alternatively and subsidiarily, in the event that it is estimated that
       one or more of the infractions contained in the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/60








       Resolution Proposal, we request the application of the principle of
       proportionality established in the aforementioned article 29.3 of the LRJSP as well as
       also invoked article 83.2.c) of the GDPR.

       The principle of proportionality in its application aspect, has served in the

       jurisprudence as an important mechanism of jurisdictional control of the
       exercise of the sanctioning power of the Administration when the norm
       establishes for an infraction several possible sanctions or indicates a margin
       quantitative for the fixing of the pecuniary sanction; and, thus, it has been insisting
       in which the aforementioned principle of proportionality or the individualization of
       the sanction to adapt it to the seriousness of the fact, make the determination

       of the sanction a regulated activity and, of course, it is possible in the
       jurisdiction not only the confirmation or elimination of the sanction imposed but also
       its modification or reduction (Cf. Judgment of the National Court of December 11,
       March 2008, Rec. 501/2006). In this sense, it is worth mentioning the Judgment of the
       Supreme Court of September 25, 2003 (Rec. 527/1998): "The power

       disciplinary measure is not discretionary and this implies that, when for
       a certain infraction has legally provided for a list of sanctions,
       the imposition of a more serious or higher than that established with the character of
       minimum must be clearly motivated by consigning the
       specific reasons and circumstances on which the superior malice or
       negligence that are taken into account to choose that greater punishment. This is how the

       interdiction of arbitrariness of article 9.3 of the Constitution and also the
       principle of proportionality included in the guarantees of article 25 of the
       same constitutional text.

       Therefore, the principle of proportionality implies that, since the activity is
       sanctioning of the Administration an activity typically of application of

       the rules, the factors that have to preside over its application are based on
       what is available in each sector of the Legal System and, especially,
       in the concurrent circumstances. As established in the Judgment of the
       Superior Court of Justice of Castilla y León de Burgos, nº 3/2017 of 13
       January (Rec. 80/2016): "It is precisely in this area that a
       extraordinarily clarifying role the motivation of the concrete act

       administrative sanction and to the extent that it will define not
       only the circumstances modifying the responsibility appreciated and
       proven but, in addition, the specific reason that the Administration understands that
       concurs to, within the margins granted by law, impose a specific
       sanction".


       It is for this reason that, by virtue of what is stated in these Claims,
       in the event that it is deemed that there are infringing conducts and consequent
       sanctions to be applied, be it by reducing as much as possible their
       economic amount, since given the concurrent circumstances, the
       total amount of 14,000 euros seems disproportionate and excessive (said

       be with due respect and in strict terms of defense. I ASK THE
       SPANISH DATA PROTECTION AGENCY: That, having
       presented this brief, please admit it and consider the allegations
       which are formulated therein. Granada for Madrid, on the date of signing
       electronics.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/60









                               PROVEN FACTS:

Of the actions carried out in this procedure and of the information and
documentation presented by the parties, the following have been accredited

facts:

First: To the claim document presented in this Agency on 12/21/21,
attached the following documentation relevant to this proceeding:

    - Copy of the document that A.A.A., collegiate ***COLEGIADO.1, sends to the

       claimant, on 08/30/21, where, among others, you can read:

           or "(...) The Governing Board of the College in its session held on
              April 2019 adopted, among others, the following agreement: "(AIG)
              04.11.19/08.- DESIGNATE THE *** POSITION. 1 OF THE OFFICIAL ASSOCIATION

              OF ARCHITECTS AS DELEGATE OF PROTECTION OF
              DATA FOR THE SCHOOL OF ARCHITECTS.” therefore i can
              inform you that, currently, the Data Protection Officer of the
              Official College of Architects of Granada is his *** POSITION. 1 D.
              B.B.B. (…)”.


    - Copy of the "Complaint Sheet" of the Official College of Architects of
       Granada where you can read, among others, the following information with
       Regarding the data protection policy:

           o Official College of Architects of Granada. Plaza de San Agustin No. 3,

              18001 Grenada. General Secretary . Area of Attention to the Collegiate and
              to user. The data collected will form part of the File of the
              COAGRANADA, being Responsible for ***POINT.1 of the same, to
              who will have to address in writing in the case of exercising the rights
              of access, opposition, rectification and cancellation, in accordance with the
              L.O.P.D.


    - Copy of the "Visa Application" addressed to the Dean of the Official College of
       Architects of Granada, where you can read, among others, the following
       Information regarding the data protection policy:

           o In accordance with the provisions of LO 15/1999 on Data Protection of

              Personal character, the existence of a file is reported
              automated whose purpose is the provision of the requested service. The
              Applicants expressly consent to the
              treatment and transfer of existing data in the automated file
              to the various Spanish Official Colleges of Architects and to other

              administrative bodies, for the purposes related to the function of
              visa. Signatories may exercise the right of access,
              rectification, opposition and cancellation in writing before the C.O.A. of
              Granada, with address at Plaza de San Agustín Nº 3, 18001 Granada,
              email coagranada@coagranada.org


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/60








Second: On 07/27/22, this Agency verified that in the
document "Member Complaints and Claims Sheet", accessible on the page
Web,


https://coagranada.es/wp-content/uploads/2021/02/
Sheet_complaint_reclamations_collegiate_V02.pdf,

that there was only the following legend referring to the data protection of
personal character:


       “Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001
       Grenade. General Secretary. Area of Attention to the Collegiate and the User.

       The data collected will form part of the COAGRANADA File, being the

       Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing
       in the case of exercising the rights of access, opposition, rectification and
       cancellation, in accordance with the L.O.P.D.”

It was also found that in the document "Complaints and Claims Sheet of
Consumers and Users”, accessible on the website,


https://coagranada.es/wp-content/uploads/2021/02/
Sheet_complaint_claims_consumers_V02.pdf

that only the following information related to data protection existed

of a personal nature:

       “Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001
       Grenade. General Secretary. Area of Attention to the Collegiate and the User.


       The data collected will form part of the COAGRANADA File, being the
       Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing
       in the case of exercising the rights of access, opposition, rectification and
       cancellation, in accordance with the L.O.P.D.”

On 04/10/23, this Agency accessed the complaint form and

complaints from the College of Architects of Granada, accessible through the link
https://coagranada.es/quejas-y-reclamaciones/ verifying that it
you can read the following message:

       Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001

       Grenade. General Secretary. Area of Attention to the Collegiate and the User.

       In compliance with the provisions of EU Regulation 2016/679, of 27
       April 2016, hereinafter GDPR, the Official College of Architects of Granada
       with address at PLAZA DE SAN AGUSTÍN 3, 18001 GRANADA and NIF nº

       Q1875003D informs you that the collection and processing of your data through the
       The purpose of this form is the administrative, fiscal and
       accounting provided for in the legislation of professional associations and our
       statutes. Your data may be communicated to the General Council of Colleges

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/60








       Officials of Architects, related organizations and the Public Administration without
       prejudice to other assignments provided by law. Your data will be kept
       during the time necessary to comply with legal obligations. In

       You can consult additional information on this treatment at any time.
       or exercise the rights of access, rectification, deletion and opposition,
       portability and limitation of treatment by directing your request to the address above
       indicated or by email to protecciondedatos@coagranada.org. Also, in case
       If you consider your right to the protection of personal data violated, you may
       file a claim with the Spanish Data Protection Agency

       (www.agpd.es).

Third: About the "Cookies Policy" of the website https://www.coagranada.es/
It was initially found that a third-party cookie of an unauthorized nature was used.
excepted, without the prior consent of the web user. the circumstance is given

that this analytical cookie was installed through the insertion of a map
interactive of the Institute for Geoenvironmental Health of the "Vivo Sano" Foundation in the
page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/ .

On 04/10/23, this Agency accessed the website again
https://www.coagranada.es/ having knowledge of the following characteristics

regarding its “Cookies Policy”:

When entering the web for the first time, once the terminal equipment has been cleaned of the history of
navigation and cookies, without accepting new cookies or taking any action on
the web page, it has been verified that a single cookie "_GRECAPTCHA" is used,

whose purpose is to provide your risk analysis, such as detecting
erroneous and repeated connection attempts.

                           FUNDAMENTALS OF LAW


                                           YO.-
                                     Competence:

    - Regarding the processing of personal data and the "Privacy Policy":

The Director of the Spanish Agency is competent to resolve this procedure

of Data Protection, by virtue of the powers that article 58.2 of the GDPR recognizes
each Control Authority and, as established in arts. 47, 64.2 and 68.1 of the Law
LOPDGDD.

    - About the "Cookies Policy":


The Director of the Spanish Agency is competent to resolve this procedure
Data Protection, in accordance with the provisions of art. 43.1, paragraph
second, that of the LSSI Law.




                                           II
       Reply to the allegations presented to the resolution proposal

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/60









a).- Regarding the alleged conflicts of interest of the Data Protection Officer
(DPD) in the person of ***POSITION.1 of the Official College of Architects of Granada.


There is evidence that, in the session held by the Governing Board of the College of
Architects of Granada, on 04/11/19 the agreement was adopted to designate ***POSITION.1
of said Association as Delegate of Data Protection (PDP) and thus specified
expressly in the meeting minutes: "(...) Therefore, I can inform you that,
currently the Data Protection Delegate of the Official College of Architects of

Granada is his ***POST.1 D. B.B.B. (…)”.

According to the claimed party, the decision was made to appoint a new
Data Protection Delegate dated 04/26/22, and that was notified to the
Agency in response to the requirements of art. 38 of the GDPR.


In the allegations presented by the defendant entity, both in the initiation of the
file as in the motion for a resolution essentially defends that
There has never been any conflict of interest for the appointment of ***POSITION.1
as Delegate of Data Protection (DPD), in the College of Architects of
Grenade.


Well then, we must begin this section by indicating that, as indicated in
repeatedly this Agency, the greatest novelty presented by the GDPR is the
evolution of a model based, fundamentally, on the control of compliance with
current legislation to another that rests on the principle of active responsibility, which

that requires a prior assessment by the person in charge or by the person in charge of the treatment
of the risk that the processing of personal data could generate in order to
Based on said assessment, adopt the appropriate measures.

A fundamental role within the new model of active responsibility is

will perform the DPD. Also following on this point the Statement of Reasons for the
LPDGDD, "the figure of the DPD acquires outstanding importance in the GDPR and so
includes the Organic Law, which starts from the principle that it can have a
obligatory or voluntary, being or not integrated in the organization of the person in charge or
manager and be both a natural person and a legal person.


Section 4 of CHAPTER IV, of the GDPR -articles 37 to 39-, regulates
detailed figure of the DPD. In connection with the interpretation and application of these
precepts can refer to the guidelines contained in the document of the Group of the
Article 29 "Guidelines on Data Protection Delegates" -WP243-,
last revised and adopted on April 5, 2017.


This regulation is complemented by the provisions of CHAPTER III of the
TITLE V of the LOPDGDD-, whose articles 34 to 37 contain some
specialties directly applicable to our domestic law. Specifically, the
The appointment of the data protection officer is included in article 37 of the

GDPR, expanding in article 34 of the LOPDGDD the spectrum of subjects
bound to their appointment.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 34/60








From the foregoing it can be deduced that the requirement for the appointment of a DPD should not
interpreted, without further ado, as a mere formality, having to comply with the
requirements established in the applicable legal regulations. Consequently, it turns out

necessary to carry out a brief analysis of the functions and resources of which
dispose of the DPD. Thus, it must be based on the important functions that article 39.1 of the
GDPR assigns:

       "1. The data protection officer will have at least the following
       Functions: a) inform and advise the person in charge or the person in charge of the treatment

       and to the employees who deal with the treatment of the obligations that
       are incumbent under this Regulation and other provisions of
       data protection of the Union or of the Member States; b) supervise the
       compliance with the provisions of this Regulation, of other
       data protection provisions of the Union or of the Member States and

       of the policies of the person in charge or of the person in charge of the treatment regarding
       protection of personal data, including the assignment of responsibilities, the
       awareness and training of personnel involved in security operations
       treatment, and the corresponding audits; c) offer advice that
       asked about the impact assessment relating to the protection of
       data and supervise its application in accordance with article 35; d) cooperate

       with the control authority; e) act as a point of contact for the authority
       control for issues relating to treatment, including consultation prior to
       referred to in article 36, and consult, where appropriate, on any
       another matter." It is, therefore, functions of advice and
       supervision aimed at guaranteeing adequate compliance with regulations

       on protection of personal data, pointing out article 39.2 that "The
       data protection officer will carry out his functions providing the
       due attention to the risks associated with processing operations,
       taking into account the nature, scope, context and purposes of the
       treatment".


Likewise, article 38.1 clearly establishes that: "The person in charge and the person in charge of
of the treatment will guarantee that the data protection officer participates in an
adequately and in a timely manner in all matters relating to the protection of
personal information".


In addition to the important advisory functions assigned to the DPD,
including the cases in which it is necessary to carry out an impact assessment
because they are high-risk treatments, and specifying the functions of supervision,
Article 36 of the LOPDGDD provides that: "The delegate may inspect the
procedures related to the purpose of this organic law and issue

recommendations within the scope of its powers", that "In the exercise of its
functions the data protection officer will have access to personal data and
treatment processes, not being able to oppose to this access the person in charge or the
person in charge of the treatment the existence of any duty of confidentiality or
secrecy, including that provided for in article 5 of this organic law", and that, "When the

data protection delegate appreciates the existence of a relevant violation in
data protection matter will document it and notify it immediately to the
administrative and management bodies of the person in charge or the person in charge of the treatment”.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 35/60








On the other hand, article 39.1.e) of the GDPR also establishes as functions of the DPO
“Act as the contact point of the control authority for questions related to the
treatment, including the prior consultation referred to in article 36, and carry out

consultations, where appropriate, on any other matter.

For the proper fulfillment of these tasks, the GDPR requires certain requirements
of training of the DPD, and that it is endowed with the necessary resources. To the
training requirements, refers to article 37.5 GDPR, providing that "The
data protection officer will be appointed based on their qualities

professionals and, in particular, their specialized knowledge of Law and
data protection practice and its ability to perform the
functions indicated in article 39”. For its part, article 35 of the LOPDGDD
adds that "Fulfillment of the requirements established in article 37.5 of the
Regulation (EU) 2016/679 for the appointment of the data protection officer,

whether a natural or legal person, may be demonstrated, among other means, through
voluntary certification mechanisms that will take particular account of the
Obtaining a university degree certifying specialized knowledge in
data protection law and practice.

In order to the best interpretation and application of these precepts, you can go to

the guidelines contained in the document of the Group of Article 29 “Guidelines on the
Data Protection Delegates" -WP243-, last revised and adopted on
April 5, 2017, that, in relation to the knowledge and skills of the DPD,
note the following points:


    - Level of knowledge: The level of knowledge required is not defined
       strictly, but must be commensurate with the sensitivity, complexity, and quantity
       of the data that an organization processes. For example, when the activity of
       data processing is especially complex or when it involves a large
       amount of sensitive data, the DPO may need a higher level of

       knowledge and support. There is also a difference depending on whether the
       organization systematically transfers personal data outside the Union
       Union or if said 9 Legal Cabinet transfers are occasional.

       Thus, the DPO must be chosen carefully, taking due account of
       issues relating to data protection that arise in the organization.


    - Professional qualities: Indicate that, although article 37, section 5, does not
       specifies the professional qualities that must be taken into account when
       appointment of the DPO, an important factor is that he has knowledge
       on national and European protection legislation and practices

       of data and a deep understanding of the GDPR.

    - Ability to perform their duties: The DPO's ability to
       perform their functions must be interpreted both in reference to their
       personal qualities and knowledge as to his position within the

       organization.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 36/60








       Personal qualities should include, for example, integrity and a level
       high professional ethics; the primary concern of the DPD should be
       enable compliance with the GDPR.


       The DPD plays a key role in promoting a culture of
       data protection within the organization and contributes to the application of
       essential elements of the GDPR, such as the principles related to the treatment of
       data, the rights of the interested parties, the protection of the data from the
       design and by default, recording of processing activities, security

       of the treatment and the notification and communication of the violations of the
       data security.

       On the other hand, the need to provide the DPO with the necessary resources for the
       performance of their duties is included as an obligation of the person in charge

       in article 38.2 of the RGPD: "The person in charge and the person in charge of the treatment
       will support the data protection officer in the performance of the
       functions mentioned in article 39, providing the necessary resources
       for the performance of said functions and access to personal data and
       processing operations, and for the maintenance of their knowledge
       specialized”.


       In particular, the following aspects should be taken into account: · Active support
       to the work of the DPD by senior management (at the level of the board of
       administration). Sufficient time for the DPO to comply with its
       functions, which is particularly important when appointing a DPO

       internal part-time or when the external DPO carries out the protection of
       data in a complementary way to other obligations.

       Otherwise, conflicting priorities could lead to neglect of the
       DPO obligations. It is essential to have enough time to

       dedicate it to DPD tasks. It is good practice to establish a
       percentage of time for the DPD's own work when it is not carried out
       full time. It is also good practice to determine the time
       necessary to perform the work, the appropriate level of priority for the
       functions of the DPO and for the DPO (or organization) to write a plan of
       job. Adequate support in terms of financial resources, infrastructure

       (premises, facilities, equipment) and personnel, as required. ·

Therefore, what is essential is that DPDs meet the training and
independence that allow them to adequately develop the functions that the
GDPR assigns them, as Recital 97 of the GDPR recalls, "The level of

necessary specialized knowledge must be determined, in particular, according to
of the data processing operations carried out and the protection
required for personal data processed by the person in charge or in charge”.

In this way, and provided that its independence is adequately guaranteed, it

relevant is that the functions assigned to the DPD can be carried out effectively,
taking into account, equally, the criterion of availability, fundamental
to ensure that data subjects can easily contact the DPO (according to
to article 38.4 of the GDPR, "interested parties may contact the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 37/60








data protection officer for all matters relating to the
processing of your personal data and the exercise of your rights under the
this Regulation").


In conclusion, these functions can be carried out effectively if the following are met:
training requirements when proceeding with the appointment of the DPO and is endowed with the
necessary resources, including, as noted by the Article 29 Group, a DPO team
(a DPD and his staff), a team that must be proportional to the size and structure of the
organization, as well as the sensitivity, complexity and amount of data that

an organization deals with, and the availability of the DPO must be guaranteed so that
interested parties can contact him, as well as communicate with the authorities of
Data Protection.

Focusing now on the questions related to independence and the possible

conflicts of interest of the delegate, must comply with the legal norms that the
regulates the position of the delegate in his relations with the person in charge and/or with the
treatment manager. Thus, article 36 of the LOPDDD provides the following:

       "Position of the data protection officer" 1. The data protection officer
       data will act as interlocutor of the person in charge or in charge of the treatment

       before the Spanish Data Protection Agency and the authorities
       data protection regulations. The delegate may inspect the
       procedures related to the purpose of this organic law and issue
       recommendations within the scope of their competences. 2. When it comes to
       a natural person integrated into the organization of the person in charge or in charge

       of the treatment, the data protection officer may not be removed or
       sanctioned by the person in charge or in charge for carrying out their duties
       unless he incurred in willful intent or gross negligence in his exercise.

The independence of the data protection officer will be guaranteed within the

organization, avoiding any conflict of interest.” For his part, he
Article 38.3 of the GDPR, when regulating the position of the Data Protection delegate,
underlines their independence by pointing out that the person in charge and the person in charge of the
treatment will guarantee that the data protection officer does not receive any
instruction regarding the performance of said functions, and cannot be
dismissed or sanctioned by the person in charge or in charge of carrying out their

functions, and reporting directly to the highest hierarchical level of the
responsible or in charge.

In addition, according to the Article 29 Group document “Guidelines on the
Data Protection Delegates”, last revised and adopted on April 5

of 2017 -WP243-, their appointment must take into account the element
regarding the independence of the DPO. Thus, article 38.3 of the GDPR establishes some
basic guarantees for delegates to act independently within the
organization in which they provide their services, including that "they do not receive any
instruction relative to the exercise of their tasks”.


It is important to note that those bound to comply with the GDPR are responsible
or the person in charge of the treatment, so that, if they adopt decisions contrary to the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 38/60








rule and advice provided by the delegate, he must be given the possibility
to clearly express their dissatisfied opinion regarding said decisions.


The aforementioned article 38.3 also refers to the fact that the delegates of
data protection "should not be dismissed or penalized by the person in charge or the
entrusted with carrying out its functions", which supposes a reinforcement of its
autonomy and independence. Yes, you could be fired or sanctioned accordingly
with the applicable contractual, labor or criminal legislation of each country, for reasons
other than the performance of their duties.


In relation to the possible conflict of interest of the delegate, the guidelines on the
data protection delegates adopted by the Protection Working Group
Data of Article 29, -WP243-, state the following: “3.5. Conflict of interest The
Article 38(6) allows DPOs to “perform other functions and duties”.

However, it requires the organization to ensure that "such functions and
tasks do not give rise to a conflict of interest.

The absence of conflict of interest is closely linked to the requirement to act
independently. This assumes, in particular, that the DPO cannot occupy a
position in the organization that leads him to determine the purposes and means of the treatment of

personal information. On the other hand, although DPOs may have other functions,
They can only be entrusted with other tasks and tasks if these do not give rise to
conflicts of interest. Due to the specific organizational structure of each
organization, this should be considered on a case-by-case basis.


As a general rule, conflicting positions within an organization can
include senior management positions (such as CEO, Director of
operations, financial director, medical director, head of the department of
marketing, head of human resources or director of the IT department) but
also other lower positions in the organizational structure if such positions or positions

lead to the determination of the purposes and means of processing.

In addition, a conflict of interest may also arise, for example, if a
DPO representing the controller or processor in court
in cases related to data protection.


From the foregoing it can be deduced that, regardless of the formula adopted for their appointment,
the appointment of the data protection officer must meet the requirements
derived from the principle of independence in the development of its activity, and must
ensure that the performance of their functions and duties do not give rise to conflict
of interests. The provision of a data protection officer in organizations

public or private requires that the selection conform to the legal requirements
established and, in particular, that specialized knowledge in
law and practice of data protection indicated by the GDPR.

For the rest, the formula adopted for the appointment of DPD will depend on the

decision adopted by the entity in which he performs his duties, such as
consequence of its organizational autonomy. However, questions regarding the
autonomy of the organizations in which the delegates belong, clearly
derived from the regulations analyzed in this report, cannot be an obstacle to the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 39/60








necessary guarantee of the independence of the data protection officer - ex
article 38 GDPR- within the framework of internal and external legal relations that
maintain in the development of its functions.


Thus, in any case, it will be enforceable, as provided for in article 36 of the LOPDGDD,
that (i) in the case of a natural person integrated into the organization of the
responsible or in charge of the treatment, the data protection officer does not
may be removed or penalized by the person in charge or in charge of carrying out
their functions unless they were guilty of intent or gross negligence in their exercise, that (ii)

the independence of the data protection officer is guaranteed within the
organization, avoiding any conflict of interest, and that (iii) when the
data protection delegate appreciates the existence of a relevant violation in
data protection matters, document it and immediately notify the
administrative and management bodies of the person in charge or in charge of the treatment.


In short, although Section 4 of CHAPTER IV of the GDPR -articles 37 to 39-,
contemplates for DPOs wide possibilities regarding their appointment and
frame in the organization of the entities to which its designation refers, not
it is less true that said autonomy must be reconciled with the demands derived
of the principle of independence of the delegate, and it must be guaranteed that the exercise of

their duties do not give rise to situations of incompatibility or conflict of interest.

In the legal norms that regulate the figure of the data protection delegate, it is
configure the requirement of their independence as inherent to the performance of their
functions.


In the case at hand, the Governing Board of the College of Architects of
Grenada, in a session held on 04/11/19, adopted the agreement to designate the
*** POSITION 1 of said College as Data Protection Delegate (DPD), and thus
it is certified in the letter sent by the Association to the claimant on 08/30/21: "(...) Therefore,

Therefore, I can inform you that, currently, the Data Protection Delegate of the
Official College of Architects of Granada is his *** POSITION. 1 D. B.B.B. (…)”.

In the Order of February 20, 2018, which approves the modification of the
Statutes of the Official College of Architects of Granada establishes, in its article 13
and 14, the functions and composition of its Governing Board; in its article 15, the

functions of the Permanent Commission and in its article 17, the functions of the
*** POSITION 1 of the College.

As we have previously indicated, Section 4 of CHAPTER IV, of the GDPR -
articles 37 to 39-, regulates in detail the figure of the DPD and in relation to the

interpretation and application of these precepts, you can refer to the guidelines contained
in the document of the Group of Article 29 “Guidelines on the Delegates of
Data Protection" -WP243-, last revised and adopted on April 5,
2017: (https://ec.europa.eu/newsroom/article29/itemdetail.cfm?item_id=612048).


This regulation is complemented by the provisions of CHAPTER III of the
TITLE V of the LOPDGDD-, whose articles 34 to 37 contain some
specialties directly applicable to our domestic law. Thus, article 36


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 40/60








LOPDGDD guarantees the independence of the DPO within the organization, having to
avoid any conflict of interest.


For its part, article 38.3 of the GDPR, when regulating the position of the DPD, underlines its
independence by stating that the person in charge and the person in charge of the treatment
will ensure that the data protection officer does not receive any instructions in
regarding the performance of said functions, and cannot be dismissed or
sanctioned by the person in charge or the person in charge for carrying out their functions, and
reporting directly to the highest hierarchical level of the person in charge or

in charge.

In the specific case that he does not occupy, the functions as *** POSITION 1 of the College of
Architects of Granada that incur in a conflict of interest, are all those in
the one that carries out activities or advises as ***POSITION.1 on issues that may

be affected by the data protection of the members, personnel at the service of the
School or users of the same and also have to develop the functions of
a DPD.

If we look at the functions of *** POSITION 1 of the Official College of
Architects (article 17) that can be influenced by data protection, we

we find that it has powers to: 2. Provisionally resolve on the
admission of new members in accordance with the provisions of these
Particular Statutes. 3. Receive and process all requests and communications that
addressed to the College and its different Bodies, reporting them to whoever
corresponds. 4. Issue the certifications that are requested and must be issued and

keep the registration book of collegiate. 5. Annually formulate the lists of collegiate
in its different versions. These lists must be arranged annually in the
deadlines provided in these Particular Statutes for the purposes of elections. 6.
Make notifications of high and low college. 7. Keep the minute books of the
meetings of the General Assembly of collegiate, Governing Board and the Commission

Permanent and transfer the agreements, monitoring compliance with the
themselves.

Likewise, ***POSITION.1 is an ex officio member of the Governing Board, whose
functions (article 13.2), which may be affected by data protection, the
following: c) Resolve the applications for the incorporation of new members, of dismissals

collegiate and on the suspension of collegiate services and collegiate status.
e) Collect, distribute and manage the School's funds, in accordance with the provisions of
the Title on Economic and Patrimonial Regime of the present Statutes
individuals. k) Exercise the disciplinary function and adopt precautionary measures, initiating,
ex officio or by virtue of a complaint, the disciplinary proceedings, in which the

corresponding Resolution.

Also, as a member of the Permanent Commission of the Official College (article 15),
that it has as functions, which may be affected by data protection, the
following: 1. Put into practice the guidelines issued by the Governing Board. 2.

Propose to the Governing Board as many acts as a consequence of the
competences that it has assumed. 3. The adoption of the necessary measures
for the fulfillment of the agreements of the Governing Board. 4. Organize the
College office services.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 41/60









In greater abundance, it means that *** POSITION 1 of this official school forms
part of these two collegiate management and administration bodies, which determine

purposes and means of treatment, with voice and vote, in such a way that, in addition to their
advice, their will conforms to that of the collegiate body.

Therefore, taking into account the functions that, according to the GDPR, correspond to the DPD and the
functions that, according to the Order of February 20, 2018, which approves the
Modification of the Statutes of the Official College of Architects of Granada,

correspond to the Governing Board and the Permanent Commission of the Official College
of Architects of Granada, in addition to those of the position of ***POSITION.1, it is
the existence of a conflict of interest on the part of ***POSITION.1 of the
Official College of Architects of Granada to act as DPO of said Organism,
since it was appointed as DPD on 04/11/19 until 04/26/22 when it was adopted

the decision to replace him.

b).- Regarding the alleged lack of information in the forms on “complaints and
claims”, referring to the treatment of personal data obtained in the
themselves.


As could be verified by this Agency, on 07/27/22, when accessing the document
Refer to the "Member Complaints and Claims Sheet" through the link:

https://coagranada.es/wp-content/uploads/2021/02/Hoja_queja_reclamaciones_cole-
giados_V02.pdf


You can read, in the lower part of it, below the form, the following le-
yenda:

       “Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001

       Grenade. General Secretary. Area of Attention to the Collegiate and the User.

       The data collected will form part of the COAGRANADA File, being the
       Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing
       in the case of exercising the rights of access, opposition, rectification and cancellation
       celación, in accordance with the L.O.P.D.”


It was also possible to verify that same day, 07/27/22, that in the document "Hoja de
Complaints and Claims from Consumers and Users" accessible at the link:

https://coagranada.es/wp-content/uploads/2021/02/Hoja_queja_reclamaciones_consu-

midores_V02.pdf

there was the following legend:

       “Official College of Architects of Granada. Plaza de San Agustin No. 3, 18001

       Grenade. General Secretary. Area of Attention to the Collegiate and the User.

       The data collected will form part of the COAGRANADA File, being the
       Responsible for *** POSITION 1 of the same, to whom it will have to be addressed in writing

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 42/60








       in the case of exercising the rights of access, opposition, rectification and cancellation
       celación, in accordance with the L.O.P.D.”


In the brief of allegations to the initiation of the file, presented by the entity
claimed before this Agency on 09/29/22, it was indicated, among others, that: "(...) Regarding
to the sanction referred to for the violation of art. 13 GDPR, we must record
of the application of the proposed corrective measure and that all the information has been incorporated.
information referred to in art. 13 of the GDPR to the forms available to both
Collegiate as well as the general public, for which we request that you take into

account this measure under art. 83.2.c) of the GDPR (…)”.

In the verification carried out by this Agency after writing allegations of
the sheets of complaints and claims of the College of Architects of Granada, accessed
via the link https://coagranada.es/quejas-y-reclamaciones/, it was requested to read

The next message:

       Official College of Architects of Granada. Plaza de San Agustin Nº3, 18001
       Grenade. General Secretary. Area of Attention to the Collegiate and the User.

       In compliance with the provisions of EU Regulation 2016/679, of 27

       April 2016, hereinafter GDPR, the Official College of Architects of Granada
       with address at PLAZA DE SAN AGUSTÍN 3, 18001 GRANADA and NIF nº
       Q1875003D informs you that the collection and processing of your data through the
       The purpose of this form is the administrative, fiscal and con-
       table provided for in the legislation of professional associations and our statutes.

       Your data may be communicated to the General Council of Official Colleges
       of Architects, related organizations and the Public Administration without prejudice to
       other assignments provided by law. Your data will be kept during the
       time necessary to comply with legal obligations. At any mo-
       moment you can consult the additional information of this treatment or exercise

       the rights of access, rectification, deletion and opposition, portability and limitation
       treatment by directing your request to the address indicated above or by
       email to protecciondedatos@coagranada.org. Also, if you consider
       violated your right to the protection of personal data, you may file
       a claim before the Spanish Data Protection Agency (www.a-
       gpd.es).


Well, article 12.1 of the GDPR establishes, regarding the requirements that must be met
the information that the data controller must make available to the interested parties
resados, the following:


       "1. The person in charge of the treatment will take the appropriate measures to facilitate
       to the interested party all the information indicated in articles 13 and 14, as well as any
       any communication pursuant to articles 15 to 22 and 34 relating to the treatment
       information, in a concise, transparent, intelligible and easily accessible form, with a slow
       clear and simple language, in particular any information directed specifically-

       mind a child The information will be provided in writing or by other means,
       including, if applicable, by electronic means. When requested by the interested party,
       The information may be provided orally provided that identity is proven.
       of the interested party by other means (…)”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 43/60









And for its part, article 13 of the GDPR, details the information that must be provided to the
interested when the data is collected directly from him, establishing the following:

next:

        "1. When personal data relating to him or her is obtained from an interested party, the
        responsible for the treatment, at the time they are obtained, will provide you with
        tare:


        a) the identity and contact details of the person in charge and, where appropriate, their re-
        presenter; b) the contact details of the data protection officer, in
        Their case; c) the purposes of the processing for which the personal data is intended and the
        legal basis of the treatment; d) when the treatment is based on article 6,
        paragraph 1, letter f), the legitimate interests of the controller or a third party; and)

        recipients or categories of recipients of personal data, in
        Their case; f) where appropriate, the intention of the person responsible for transferring personal data
        to a third country or international organization and the existence or absence of
        an adequacy decision by the Commission, or, in the case of transfers
        indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph,
        reference to the adequate or appropriate guarantees and to the means to obtain

        a copy of these or the fact that they have been provided.

        2. In addition to the information mentioned in section 1, the person responsible for the
        treatment will provide the interested party, at the time the data is obtained,
        personal data, the following information necessary to guarantee treatment

        fair and transparent data management: a) the period during which the data will be kept;
        personal data or, when this is not possible, the criteria used to determine
        nar this term; b) the existence of the right to request the data controller
        access to personal data relating to the interested party, and its rectification
        tion or deletion, or the limitation of its treatment, or to oppose the treatment,

        as well as the right to data portability; c) when the treatment is-
        tea based on Article 6(1)(a) or Article 9(2)(2)
        a), the existence of the right to withdraw consent at any time,
        without this affecting the legality of the processing based on prior consent.
        he saw his withdrawal; d) the right to lodge a complaint with an authority
        of control; e) if the communication of personal data is a legal requirement or

        contractual, or a necessary requirement to sign a contract, and if the interested party
        is obliged to provide personal data and is informed of the possi-
        possible consequences of not providing such data; f) the existence of decisions
        automated, including profiling, referred to in article 22,
        paragraphs 1 and 4, and, at least in such cases, significant information about the

        applied logic, as well as the significance and intended consequences of that
        treatment for the interested party.

Therefore, it is evident that, at least since the claimant submits the brief
claim on 12/21/21 to 09/29/22, date on which the claimed party filed

the allegations to the initiation indicating having solved the observed deficiencies
given by this Agency, there is a violation of the provisions of the GDPR res-
regarding the information that must be provided to users when obtaining
of them your personal data, such as the identity and contact details of the person responsible.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 44/60








ble, the purposes of the processing for which the personal data is intended and the legal basis
of the treatment; the possible recipients or categories of recipients of the data
personal cough, if applicable; the period during which the personal data will be kept

or, when this is not possible, the criteria used to determine this term or the
right to file a claim with a control authority, for which
comply with the provisions of current regulations on data protection.

c).- About the Cookies Policy of the website https://www.coagranada.es/.


On 07/27/22, it was found that when entering the website of the College
Oficial de Arquitectos de Granada https://www.coagranada.es/ two were used
cookies "PHPSESSID" and another from Google, "_GRECAPTCHA".

According to Opinion 4/2012 of WP 194 on the exemption of the requirement of

cookie consent, the exemption applied to authentication cookies could
apply to others introduced specifically to strengthen the security of the service
requested, for example, those cookies whose purpose is to detect attempts
erroneous and repeated connection to a website or for protection of the information system
connection against abuses as in the case of “_GRECAPTCHA”.


However, after browsing the website, it was observed that cookies were installed
from third parties of a non-excepted nature, which were not reported in the policies. HE
It so happens that these analytical cookies are installed through the insertion
of an interactive map of the Institute for Geoenvironmental Health of the Vivo Foundation
Healthy on the page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/

.

In the subsequent checks carried out by this Agency, regarding the
"Cookies Policy" of the website https://www.coagranada.es/, on 04/10/23 the
last one on 05/03/23, it is observed that the web only uses the cookie

“_GRECAPTCHA”, established in order to provide its risk analysis against
the erroneous and repeated attempts to connect to the web.

In this sense, the GT29, in its Opinion 4/2012, interpreted that among the cookies
excepted would be the user input Cookies" (those used to
fill in forms, or as management of a shopping cart); cookies from

authentication or user identification (session); user security cookies
(those used to detect erroneous and repeated attempts to connect to a site
Web); media player session cookies; session cookies to balance
load; user interface customization cookies and some of
complement (plug-in) to exchange social content.


These cookies would be excluded from the scope of application of article 22.2 of the
LSSI, and, therefore, it would not be necessary to inform or obtain consent about your
use. On the contrary, it will be necessary to inform and obtain the prior consent of the
user before the use of any other type of cookies, both first and second

third party, session or persistent.

Therefore, the use of third-party cookies of a non-excepted nature,
during the time they were active, at least since 07/27/22, date of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 45/60








detection by this Agency of said cookies until 04/10/23, suppose for
part of the defendant, the commission of the infringement of article 22.2 of the LSSI.


Regarding the application of the principle of proportionality alleged by the entity
claimed, it must be indicated that it is not applicable because in the present case, the file
penalized for infraction of article 22.2 of the LSSI, it was only considered as
aggravating, the existence of intentionality, an expression interpreted as equivalent to
degree of guilt in accordance with the Judgment of the National Court of
11/12/07 relapse in Appeal no. 351/2006.


d).- On the possible application of article 77.2 of the LOPDGDD in the present case.

The art. 83.7 of the GDPR establishes that: "Without prejudice to the corrective powers of the
control authorities (…) each Member State may establish rules on whether

can, and to what extent, impose administrative fines on authorities and bodies
public establishments established in that Member State".

In application of the aforementioned article, article 77 LOPDGDD, on the regime applicable to
certain categories of controllers or processors, establishes,
on the regime applicable to the Entities that make up the Public Administration, which

following:

       "1. The regime established in this article will be applied to the treatments
       of those who are responsible or in charge: (...)


       g) Public law corporations when the purposes of the treatment
       related to the exercise of public law powers.

Before entering into its analysis, previously, it must be taken into account that the
Professional Associations, are corporations of Public Law, protected by the Law

and recognized by the State, with its own legal personality and full capacity to
the fulfillment of its purposes.

Despite qualifying as a Public Law corporation, it is necessary to have
present that it can also exercise functions of a legal-private nature,
depending on whether the College is acting in the exercise of public functions or, for the

contrary, in the exercise of private functions.

Before continuing, clarify the error by referring to Law 7/2006, of May 31,
when it should actually have been referred to as the head of the applicable regulations
to professional associations, to Law 2/1974, of February 13, on Associations

Professionals, although this Law was already referenced and included in the tag "(...) or
other regulations”.

Well, even though the Professional Associations are legal corporations
Public, protected by law and recognized by the State, with legal personality

own and full capacity for the fulfillment of its purposes (art. 1.1 Law 2/1974, of 13
February, of Professional Associations) have a mixed nature that implies that,
Indeed, the Colleges carry out public functions, but they also carry out
activities and provide services to their members under private law.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 46/60










It is true that the legal regime of these organizations is necessarily complex.

since it lacks uniformity and has to adapt to nature (public or
private) of the activity carried out by the College at all times. The functions
practices to be exercised by the Professional Associations are, essentially, the management of the
professional practice, which includes the exercise of sanctioning power and control
compliance with ethical standards. In the absence of such functions
public, it is not possible to speak properly of Colleges but of private associations

dedicated to the achievement of goals oriented to the exclusive benefit of their
members.


As we have already indicated in section a).- “Regarding the alleged conflicts of

interests of the Data Protection Officer (DPO) in the person of ***POSITION.1
of the Official College of Architects of Granada”, the functions of the *** POSITION.1
of the Official College of Architects (article 17) that can be affected by the
data protection, we find that it has powers to: 2. Resolve
provisionally about the admission of new members in accordance with
the provisions of these Particular Statutes. 3. Receive and process all requests and

communications addressed to the College and its different Bodies, giving an account of
them to whom it may concern. 4. Issue the certifications that are requested and must be
issued and keep the registration book of collegiate. 5. Formulate annually the lists of
collegiate in its different versions. These lists must be annually
arranged within the terms set forth in these Particular Statutes for the purposes of

elections. 6. Make notifications of college registrations and withdrawals. 7. Carry the books
of minutes of the meetings of the General Assembly of collegiate, Governing Board and
of the Permanent Commission and transfer the agreements, keeping track of the
compliance thereof.


Likewise, ***POSITION.1 is an ex officio member of the Governing Board, whose
functions (article 13.2), which may be affected by data protection, the
following: c) Resolve the applications for the incorporation of new members, of dismissals
collegiate and on the suspension of collegiate services and collegiate status.
e) Collect, distribute and manage the School's funds, in accordance with the provisions of
the Title on Economic and Patrimonial Regime of the present Statutes

individuals. k) Exercise the disciplinary function and adopt precautionary measures, initiating,
ex officio or by virtue of a complaint, the disciplinary proceedings, in which the
corresponding Resolution.

In greater abundance, it means that, in this specific case, the claim is

constrains "the privacy of the data of the members and therefore their rights", for
which goes beyond public functions.

Therefore, in the present case, the conflict of interest detected in the appointment
*** POSITION 1 of the College as Data Protection Delegate as we have already

set forth in section a).- “Regarding the alleged conflicts of interest of the Delegate
of Data Protection (DPD) in the person of *** POSITION 1 of the Official College of
Arquitectos de Granada", and the lack of information provided in the sheets of
claims of the College, on the treatment of personal data of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 47/60








private users, have no place in any of the public functions that
attributed by the regulations, so it would not be possible to apply in this case what is established in the
Article 77 of the LOPDGDD and on the "Cookies Policy", indicate that they are governed by the

LSSI, therefore art. 77 of the LOPDGDD.

e).- On the allegations presented regarding the Resolutions of this Agency
of May 24, 2021, Procedure No.: PS/00416/2020 and of May 11, 2021,
Procedure No.: PS/00347/2020


In the resolution of PS/00416/2020, the following can be read verbatim:

       "(...) It should be noted that the GDPR, without prejudice to what is established in its
       article 83, contemplates in its article 77 the possibility of resorting to the sanction of
       warning to correct the processing of personal data that is not

       conform to their forecasts, when those responsible or in charge
       listed in section 1 committed any of the offenses to which
       Articles 72 to 74 of this organic law refer (...).

However, as we have previously indicated, the conflict of interest detected
in the appointment of ***POSITION.1 of the Association as Delegate of Protection of

data, and the lack of information provided in the claims forms of the
Colegio, on the treatment of personal data of private users, not
have no place in any of the public functions attributed to them by the regulations, so
that it would not be possible to apply either, in this case what is established in article 77 of the
LOPDGDD.


d).- On the absence of determination of the type corresponding to the sanctions
proposals and lack of motivation to determine their amount,
alternatively and secondarily, invocation of the principle of proportionality.


Violations in the field of data protection are typified in the sections
4, 5 and 6 of article 83 of the GDPR. It is a classification by referral, admitted
fully by our Constitutional Court. In this sense, also article 71
of the LOPDGDD makes a reference to them by stating that "They constitute
offenses the acts and behaviors referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the

present organic law”.

In this sense, the Opinion of the Council of State of October 26, 2017 regarding
to the Draft Organic Law on Protection of Personal Data
provides that "The European Regulation does typify, even though it does so in a sense

generic, conduct constituting an infringement: in effect, sections 4, 5 and 6 of
its article 83 contains a catalog of infractions for violation of the precepts
of the European standard indicated in such sections.

The offenses established in articles 72, 73 and 74 of the LOPDGDD are only for

effects of the prescription, as stated in the beginning of each and every one of these
precepts. This need arose in our State since it does not exist in the GDPR
any reference to the statute of limitations relating to offences, given that this institute
legal is not specific to all EU Member States.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 48/60









We must start from the fact that the GDPR is a directly applicable legal norm, which has
been developed by the LOPDGDD, only in what the first allows. So

is clear and as regards the prescription in the explanatory statement of the
LOPDGDD when it states that "The categorization of offenses is introduced to
the sole purpose of determining the prescription periods, having the description of
the typical behaviors as the only object the enumeration of exemplary way of
some of the punishable acts that should be understood as included within the types
general established in the European standard. The organic law regulates the assumptions of

interruption of the prescription based on the constitutional requirement of the
knowledge of the facts that are imputed to the person”.
It results from the application and interpretation of the RGPD, and not from the LOPDGDD, which
determines the seriousness of an infringement based on a series of conditions
provided therein.


As we can see, the RGPD does not present a typification in
very serious, serious or minor infractions typical of the Spanish legal system, nor
neither can it be deduced from his diction that the violation of the precepts of the
article 83.4 of the GDPR correspond to minor infractions and the precepts of article
83.5 or article 83.6 of the GDPR correspond to serious infringements.


Thus, recital 148 speaks of serious infringements as opposed to minor ones
when it determines that, “In case of minor infraction, or if the fine that is likely to
were imposed would constitute a disproportionate burden on a natural person, in
place of sanction by means of a fine, a warning may be imposed. must not

However, special attention should be paid to the nature, severity and duration of the
infraction, to its intentional nature, to the measures taken to alleviate the damages and
damages suffered, the degree of responsibility or any previous infringement
pertinent, to the way in which the supervisory authority has learned of the
infringement, compliance with measures ordered against the person responsible or in charge,

adherence to codes of conduct and any other aggravating or
extenuating.".

For all these reasons, the seriousness of an infringement is determined for the purposes of the GDPR and
with the elements endowed by it.


Once again, we bring up the aforementioned Opinion of the Council of State, which
explains in great profusion: "On the other hand, the European Regulation does not distinguish,
when setting the amount of the sanctions, between very serious, serious and minor infractions,
as stated in the preamble to the Draft. Actually, the European standard
is limited to distinguishing, depending on the maximum quantitative limit of the fine to be imposed,

among some infractions that can be sanctioned "with administrative fines of 10
EUR 000 000 maximum or, in the case of a company, an amount
equivalent to a maximum of 2% of the total annual global business volume of the financial year
previous financial" (section 4 of article 83), and other infractions that can be
sanctioned "with administrative fines of a maximum of 20,000,000 EUR or,

in the case of a company, an amount equivalent to a maximum of 2% of the
overall annual total turnover of the previous financial year" (paragraphs 5 and 6
of article 83). From this distinction it can be deduced that, for the Law of the European Union,
the offenses typified in sections 5 and 6 of article 83 can reach

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 49/60








have the same and greater seriousness than those contemplated in section 4 of the
same article 83 of the European Regulation. The European standard is thus limited to
establish two categories of offenses based on their seriousness.


The limitation periods for infringements are not provided for in the
European Regulation and, therefore, there is a tacit but peaceful understanding that
Member States have the power to establish such terms. The
determination of such deadlines must be based, as is well known, on the
severity of the offence.


Well, the offenses provided for in section 4 of article 83, on the one hand, and in the
paragraphs 5 and 6 of article 83 of the European Regulation, on the other, have a different
maximum limit -10,00,000 euros or 2% of the business volume in the first case,
20,000,000 euros or 4% of the business volume in the second- but the same limit

minimum, which in both cases is 1 euro. The existence of such wide margins
quantitative indicates that the violations of article 83, whether those of section 4 are
those of sections 5 and 6, can be of very different entity and that, for this reason, do not
may have the same limitation period those offenses that, due to their
severity, are close to the upper quantitative limit than those other
that, due to their lightness, are closer to the lower quantitative limit.


In such circumstances, the setting of the limitation periods would not be resolved.
satisfactorily, applying to the infractions of the precepts mentioned in
sections 5 and 6 of article 83 a term longer than the infringements of the
precepts mentioned in section 4 of article 83, given that infringements

contemplated both precepts, in case of being light, they would require a period of
lower prescription.

From this point of view and with the sole purpose of establishing its limitation period,
A distinction has been made between "merely formal infringements" and "violations

substantial" of such precepts, considering the former as "violations
minor" with a limitation period of one year and the latter as "violations
serious" and "very serious" with prescription periods of two and three years
respectively. In the opinion of the Council of State, this classification of offences,
to the extent that it is carried out for the sole purpose of determining certain terms of
statute of limitations for offenses not provided for in the European Regulation, cannot

be understood contrary to the provisions of the European standard.

This classification is not, however, important in terms of the amount of the
fines. The determination of the amount of the fines to be imposed for the violation of
the precepts mentioned in sections 4, 5 and 6 of article 83 of the Regulation

In accordance with the European standard, it is the responsibility of the control authorities, of
according to the graduation criteria established in section 2 of this same
provision, among which is the "nature" or "seriousness" of the offence".

Within the quantitative limits established by the European Regulation, the

control authorities, according to the greater or less seriousness of the infringement,
They must fix the amount of the fines. Certainly, the margins available to the
control authorities are very large - from 1 euro to 10,000,000 euros per violation of
the precepts mentioned in section 4 of article 83 and from 1 euro to 20,000,000

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 50/60








euros for violation of the precepts mentioned in sections 5 and 6-, which
confers on such authorities a high degree of discretion, far superior to those
which is usual in countries of our legal tradition.


It is, in any case, the model desired by the European Regulation, hence the
distinction between minor, serious and very serious infractions contemplated in the
Draft may not have a consequence in determining the maximum amount
of minor infractions, and in any case the determination of their
amount made by the control authorities, according to the circumstances of the case

concretely, within the limits established in that regulation”.

Thus, the classification of offenses for the purposes of the prescription of
LOPDGDD does not have virtuality in terms of determining the severity of the
infringement for the purposes of the GDPR or with respect to the imposition of fines

corresponding”.

Well then, in the proposed resolution of this file, notified to the
concerned on 04/10/23, the facts that are considered
proven and their exact legal classification in the section "PROVEN FACTS" and in
the FD II in response to the allegations indicated the following:


In point a).- On the alleged conflicts of interest of the Delegate of
Data Protection (DPD) in the person of *** POSITION 1 of the Official College of
Architects from Granada.


The offense was determined:

       Therefore, taking into account the functions that, according to the GDPR, correspond to the
       DPD and the functions that, according to the Order of February 20, 2018, by which
       the modification of the Statutes of the Official College of Architects is approved

       of Granada, correspond to the Governing Board and the Permanent Commission
       of the Official College of Architects of Granada, in addition to those of the position
       of ***POINT.1, it is evident the existence of a conflict of interest for
       part of *** POSITION 1 of the Official College of Architects of Granada for
       act as DPO of said Organism, finding ourselves before the violation of the
       article 38.6) of the GDPR.


The person responsible and the proposed sanction were identified:

       “FIRST: That by the Director of the Spanish Agency for the Protection of
       Data is sanctioned to the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA,

       owner of the website, https://www.coagranada.es/, by:

       Violation of article 38.6 of the GDPR, due to the conflict of interest detected in
       the appointment of *** POSITION 1 of the College as Protection Delegate
       of data, with a penalty of 5,000 euros (five thousand euros) (...)


In accordance with the provisions of the GDPR, the amount of the fine was valued at 5,000 euros,
that is in the lower section of the possible sanctions, thus giving
compliance with the provisions of article 83.1 of the GDPR: "Each control authority

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 51/60








ensure that the imposition of administrative fines under this
article for the infringements of this Regulation indicated in sections 4, 5 and
6 are in each individual case, effective, proportionate and dissuasive.”


On the other hand, article 83.2 of the GDPR states that "administrative fines shall be
will impose, depending on the circumstances of each individual case, additionally
or substitute for the measures referred to in article 58, paragraph 2, letters a) to h) and
j). When deciding the imposition of an administrative fine and its amount in each case
will be duly taken into account:” (emphasis added).


That is, it provides for the assessment of the penalty as a whole, taking into account each and every
one of the concurrent circumstances in the specific case and that are
provided for in the aforementioned precept.


The jurisprudence pronounces itself along the same lines when it refers to the principle of
proportionality, "fundamental principle that beats and presides over the graduation process
of sanctions and implies, in legal terms, "its adequacy to the seriousness of the
fact constituting the infringement" as provided in article 29.3 of Law 40/2015,
of the Legal Regime of the Public Sector, given that any sanction must be determined in
consistency with the entity of the offense committed and according to a criterion of

proportionality in relation to the circumstances of the fact.” (Sentences of the
Supreme Court of December 3, 2008 (rec. 6602/2004) and April 12, 2012
(rec. 5149/2009) and Judgment of the National Court of May 5, 2021 (rec.
1437/2020), among others).


Thus, the Judgment of the Third Chamber of the Supreme Court, dated May 27,
2003 (rec. 3725/1999), indicates that "Proportionality, pertaining specifically to
to the scope of the sanction, constitutes one of the principles that govern the Law
Sanctioning administrative, and represents an instrument of control of the exercise of the
disciplinary power by the Administration within, even, the margins that, in

principle, indicates the applicable rule for such exercise. It is certainly a concept
difficult to determine a priori, but which tends to adjust the sanction, by establishing
its specific graduation within the indicated possible margins, to the severity of the
fact constituting the infringement, both in its aspect of unlawfulness and of
guilt, weighing as a whole the objective and subjective circumstances
that make up the budget of punishable fact (...)"


We can also cite for this purpose the Supreme Court Judgment 713/2019, of 29
of May (rec. 1857/2018): "We will begin by pointing out that the proportionality of the
sanctions implies that they come tempered to the particular gravity
of the fact in conjunction with the circumstances of a subjective nature (which refer to the

offender) and objective (which refer to the typical fact) being that in the field of law
administrative sanction in general and in the field of the stock market in
In particular, there are no dosimetry criteria similar to those included in the article
66 of the CP and that the modifying circumstances differ from those of the scope
penal. Let us remember that there is no room for automatic application, without any qualification of the

guiding principles of criminal law to the sanctioning administrative procedure
(S.TS 6-10-2003 Rec.772/1998).”



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 52/60








For this reason, Directives 04/2022 of the European Committee for Data Protection on the
calculation of administrative fines in accordance with the RGPD, in its version of 12
May 2022, submitted to public consultation, indicate that "As regards the

evaluation of these elements, increases or decreases in a fine do not
They can be previously determined through tables or percentages. It is reiterated that the
The actual quantification of the fine will depend on all the elements collected during the
research and other considerations also related to the experiences
of the supervisory authority regarding fines.”


In point b).- Regarding the alleged lack of information in the forms on “complaints
and claims”, referring to the treatment of personal data obtained in the
themselves.

The offense was determined:


       “From what is evident that the forms lacked the necessary information
       ria established in article 13 GDPR, such as, for example, the identity and
       contact details of the person in charge, the purposes of the treatment for which they are intended
       the personal data and the legal basis of the treatment; the possible recipients
       names or categories of recipients of personal data, if applicable; he

       period during which the personal data will be kept or, when it is not
       possible, the criteria used to determine this term or the right to pre-
       file a claim with a control authority, for which they failed to comply with the
       stipulated in the current regulations on data protection


The person responsible and the proposed sanction were identified:

       “FIRST: That by the Director of the Spanish Agency for the Protection of
       Data is sanctioned to the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA,
       owner of the website, https://www.coagranada.es/, by:


       (...) Violation of article 13 of the GDPR, due to the lack of information
       provided in the claims forms, on the treatment of the data
       obtained, (with a penalty of 8,000 euros) (...)

In accordance with the provisions of the GDPR, the amount of the fine was valued at 5,000 euros,

that is in the lower section of the possible sanctions, thus giving
compliance with the provisions of article 83.1 of the GDPR: "Each control authority
ensure that the imposition of administrative fines under this
article for the infringements of this Regulation indicated in sections 4, 5 and
6 are in each individual case, effective, proportionate and dissuasive.”


We reiterate the considerations set forth in the previous section in relation to
with the determination of the amount of the fine.

In point c).- On the treatment of personal data and the "Policy of

Privacy” of the web: https://www.coagranada.es/ whose owner is the Official College of
Granada architects:

The lack of infringement was determined:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 53/60









       "Therefore, in the present case, according to the evidence available
       At this time, it is considered that the management of personal data that
       makes the web page, https://www.coagranada.es/ does not contradict what
       stipulated in the RGPD regarding the consent in the treatment of the

       personal data and the information that must be provided to the interested party
       when your personal data is obtained from it.

In point d).- About the Cookies Policy of the website
https://www.coagranada.es/.


The offense is determined:

       "Therefore, the use of third-party cookies of a non-existent nature
       excepted, which are not reported in the policies and despite not having
       given the consent through the banner could suppose on the part of the

       claimed, the commission of the infringement of article 22.2 of the LSSI

The person responsible and the proposed sanction were identified:

       “FIRST: That by the Director of the Spanish Agency for the Protection of
       Data is sanctioned to the OFFICIAL COLLEGE OF ARCHITECTS OF GRANADA,

       owner of the website, https://www.coagranada.es/, by:

       (...) Violation of article 22.2 of the LSSI, regarding the use of cookies
       from third parties of a non-excepted nature, without the consent of the user, with
       a penalty of 1,000 euros (one thousand euros).


The fine to be imposed has been determined in application of the provisions determined
in the LSSI.

e).- On the allegations presented as a consequence of the filing in the
exp202101340 and the change of criteria in this file.


According to the claimed party, on 07/08/21, the claimant submitted a written
before this Agency, in the same sense as the present claim, indicating, among
others, that:

       "(...) Such is the lack of knowledge regarding PD on the part of this College,
       that according to these accredited by their statements, the *** POSITION.1 holds the

       title of DPD and Responsible for the processing of personal data at the same
       time. As evidenced by the text that accompanies the sheet of
       claims of this College, (...)"

Well then, this claim was filed by Resolution of the AEPD dated

of 11/11/21 in file E/08892/2021, indicating in it that:

       "(...) Once the reasons presented by the OFFICIAL SCHOOL OF
       ARCHITECTS OF GRANADA, who work in the file, it has been verified
       the lack of rational indications of the existence of an infringement in the field

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 54/60








       competence of the Spanish Data Protection Agency, not proceeding,
       consequently, the opening of a disciplinary procedure.


On 11/23/21, the claimant filed an appeal for reversal (RR/0731/21),
against the resolution issued by the Director of the Spanish Agency for the Protection of
Data, in which, among others, it indicated that "the AEPD should clarify whether the DPD and
the ***POINT.1 of COAG can be the same person”.

On 04/04/22, this Agency issued a resolution on the appeal of

replacement RR/0731/21, indicating in it, regarding the issue expressed
by the claimant, in relation to the duplication of charges, DPD and ***POSITION 1 of the
COAG, the following:

       "Regarding the appointment as data protection delegate in the same

       person who holds the position of ***POSITION.1 general, it should be noted that the
       appellant party cannot claim that in the appeal phase the
       recounts facts that it did not state in a previous procedural phase.

       The LPACAP provides in its article 118: "They will not be taken into account in the
       resolution of the appeals, facts, documents or allegations of the appellant,

       when having been able to provide them in the claims process, they have not
       made. Nor may the practice of evidence be requested when their lack of
       realization in the procedure in which the appealed decision was issued outside
       attributable to the interested party."


       This norm contains a rule that is nothing more than the positive concretion for
       the common administrative scope of the general principle that the Law does not cover the
       abuse of the right (article 7.2 of the Civil Code), in this case, the abuse of the
       procedural law. There is no doubt that this principle is intended to prevent
       that the processing of allegations and evidence of the procedures of

       application, as it would be if the interested parties could choose, at their discretion,
       the moment in which to present evidence and allegations, since this
       it would be contrary to an elementary procedural order.

       The claimed party has informed that the person designated as delegate of
       data protection possesses the competencies and has the knowledge

       required for the performance of said position, adding that they have the
       collaboration of external professionals who are experts in the matter”.

Therefore, there has not been a change in criteria of the administration, but rather, in the
exposed cases, the reason why they were archived was because there was no proof

sufficient for the imputation of an infraction. In fact, this is how it is stated in the
resolution of inadmissibility, that the principle of presumption of innocence is applied and that,
not having sufficient evidence of non-compliance, we proceed to archive the
claim. In the same sense, the resolution of the appeal of
reinstatement, particularly in relation to that breach, what it says is that in phase

of appeal cannot be taken into account facts other than those valued throughout
of the procedure. This does not prevent a new claim from being filed.
in which aspects can be accredited by the claimant that reveal the
existence of a violation.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 55/60









f).- About the Cookies Policy of the website https://www.coagranada.es/.


On 07/27/22, it was found that when entering the website of the College
Oficial de Arquitectos de Granada https://www.coagranada.es/ a cookie was installed
session ID PHPSESSID and another from Google, _GRECAPTCHA. The first is a cookie
technique and the second is used by websites developed with WordPress as the
which is the object of analysis, to protect web forms from spam and attacks
external.


According to Opinion 4/2012 of WP 194 on the exemption of the requirement of
cookie consent, the exemption applied to authentication cookies could
apply to others introduced specifically to strengthen the security of the service
requested, for example, those cookies whose purpose is to detect attempts

erroneous and repeated connection to a website or for protection of the information system
connection against abuses such as _GRECAPTCHA.

However, after browsing the website, it is observed that cookies are installed
from third parties of a non-excepted nature, which are not reported in the policies, to
despite not having given consent through the banner. the circumstance is given

that these analytical cookies are installed through the insertion of a map
interactive program of the Institute for Geoenvironmental Health of the Vivo Sano Foundation in the
page: https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/

Therefore, there was a clear violation of current regulations (LSSI) by not informing

the users of the web of the installation of third-party cookies of a non-
excepted.
                                          III.-
                       Violation committed and Sanction to be imposed


   Regarding the alleged conflicts of interest of the Data Protection Officer
 (DPD) in the person of ***POSITION.1 of the Official College of Architects of Granada.

In accordance with the available evidence, set forth in section a)
of DF II, it is considered that there is a violation of article 38.6) of the GDPR.


This infraction can be sanctioned with a fine of a maximum of €10,000,000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for the
of greater amount, in accordance with article 83.4.a) RGPD.


For its part, article 73.w) LOPDGDD, considers serious, for the purposes of prescription:

       “Not enabling the effective participation of the data protection officer in
       all matters relating to the protection of personal data, not
       support him or interfere in the performance of his duties”.


In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to
imposed in the present case, it is considered appropriate to graduate the sanction according to
with the following aggravating criteria established in article 83.2 of the GDPR:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 56/60









    - The number of interested parties affected by the processing of their personal data
        (section a), bearing in mind the relationship that the College of Architects of

        Granada has with the registered members, the contracted personnel and with the
        users in general.

It is also considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following aggravating criteria, established in article 76.2 of the LOPDGDD:


    - The linking of the activity of the offender with the performance of treatment of
        personal data, (section b), considering the level of implementation of the
        College in the community, in which personal data of
        Hundreds of people who access their services.


The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2
LOPDGDD, with respect to the offense committed by violating the provisions of the
Article 38.6 GDPR, allows a final penalty of 5,000 euros (five thousand euros) to be set.

On the other hand, it is not appropriate to require a corrective measure since the DPD of the
Official College of Architects of Granada in another person that is not the *** POSITION.1

of the same.
                                           IV.-
                        Violation committed and Sanction to be imposed

       Regarding the alleged lack of information in the forms on "complaints and

   claims”, referring to the treatment of personal data obtained in the
                                        themselves.

In accordance with the available evidence, set forth in section b)
of DF II, it is considered that there is a violation of article 13) of the GDPR


This infraction can be penalized as established in article 83.5.b) of the
GDPR, where it is established that:

       Violations of the following provisions will be penalized, according to
       with paragraph 2, with administrative fines of EUR 20,000,000 as

       maximum or, in the case of a company, an amount equivalent to 4%
       maximum of the overall annual total turnover of the financial year
       above, opting for the one with the highest amount: a) the rights of the interested parties
       pursuant to articles 12 to 22”.


In this sense, article 74.a) of the LOPDGDD, considers light, for the purposes of
prescription:

       "Breach of the principle of transparency of information or the right
       of information of the affected party for not providing all the information required by the

       articles 13 and 14 of Regulation (EU) 2016/679.”




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 57/60








In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to
imposed in the present case, it is considered appropriate to graduate the sanction according to
with the following aggravating criteria established in article 83.2 of the GDPR:


    - The number of interested parties affected by the processing of their personal data
        (section a), bearing in mind the relationship that the College of Architects of
        Granada has with the registered members, the contracted personnel and with the
        users in general.


It is also considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following aggravating criteria, established in article 76.2 of the LOPDGDD:

    - The linking of the activity of the offender with the performance of treatment of
        personal data, (section b), considering the level of implementation of the

        College in the community, in which personal data of
        Hundreds of people who access their services.

The balance of the circumstances contemplated in article 83.5.b) of the GDPR, with
regarding the offense committed by violating the provisions of article 13 of the GDPR,
allows a final penalty of 8,000 euros (eight thousand euros) to be set.


On the other hand, it is not appropriate to require a corrective measure as the
Substitution of the information provided in the “complaints and claims” models
adjusting to the provisions of article 13 of the GDPR.


                                           V.-
                        Violation committed and Sanction to be imposed

      About the Cookies Policy of the website https://www.coagranada.es/.


Article 22.2 of the LSSI establishes that users must be provided with information
clear and complete information on the use of storage devices and
data recovery and, in particular, on the purposes of data processing.
This information must be provided in accordance with the provisions of the GDPR.

Therefore, when the use of a cookie entails a treatment that enables the

identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by the regulations on the protection of
data.

However, it is necessary to point out that they are exempted from compliance with the

obligations established in article 22.2 of the LSSI those necessary cookies
for the intercommunication of terminals and the network and those that provide a service
expressly requested by the user.

In this sense, the GT29, in its Opinion 4/2012, interpreted that among the cookies

excepted would be the user input Cookies" (those used to
fill in forms, or as management of a shopping cart); cookies from
authentication or user identification (session); user security cookies
(those used to detect erroneous and repeated attempts to connect to a site

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 58/60








Web); media player session cookies; session cookies to balance
load; user interface customization cookies and some of
complement (plug-in) to exchange social content.


These cookies would be excluded from the scope of application of article 22.2 of the
LSSI, and, therefore, it would not be necessary to inform or obtain consent about your
use. On the contrary, it will be necessary to inform and obtain the prior consent of the
user before the use of any other type of cookies, both first and second
third party, session or persistent.


In this case, when entering the web for the first time, without accepting cookies or making
no action on the page, it has been verified that cookies are not used that
They are not technical or necessary.


However, after browsing the website, it is observed that cookies are used
third parties of a non-excepted nature, which are not reported in the policies, despite
of not having given consent through the banner. The circumstance occurs that
These analytical cookies are installed through the insertion of an interactive map of the
Institute for Geoenvironmental Health of the Vivo Sano Foundation on the page:
https://coagranada.es/mapa-zonas-radon-en-elnuevo-cte-db-hs6/


Therefore, the use of third-party cookies of a non-excepted nature,
which are not reported in the policies and despite not having given consent
through the banner could suppose on the part of the defendant, the commission of the
infringement of article 22.2 of the LSSI, since it establishes that:


       “Service providers may use storage devices and
       recovery of data in terminal equipment of recipients, provided
       that they have given their consent after they have been
       provided clear and complete information on its use, in particular on

       the purposes of data processing, in accordance with the provisions of the Law
       Organic 15/1999, of December 13, on the protection of personal data
       staff.

       When technically possible and effective, the recipient's consent
       to accept the processing of the data may be facilitated through the use of the

       appropriate parameters of the browser or other applications.

       The foregoing will not prevent the possible storage or access of a technical nature
       for the sole purpose of carrying out the transmission of a communication over a network of
       electronic communications or, to the extent strictly

       necessary, for the provision of a service of the information society
       expressly requested by the addressee.

This infraction is typified as "mild" in article 38.4 g), of the aforementioned Law, which
considered as such: "Use data storage and recovery devices

when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2.", and may be
sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned
LSSI.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 59/60









In accordance with said criteria, it is deemed appropriate to impose a penalty of 1,000
euros, (thousand euros), for the violation of article 22.2 of the LSSI, for the time that
maintained the use of non-excepted cookies without the prior consent of the
user


Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited, the Director of the
Spanish Data Protection Agency

                                     RESOLVES:


FIRST: IMPOSE the OFFICIAL ASSOCIATION OF ARCHITECTS OF GRANADA, with
CIF.: Q1875003D, owner of the website, https://www.coagranada.es/, the following
sanctions:


    - For violation of article 38.6 of the GDPR, due to the conflict of interest
       detected in the appointment of ***POSITION.1 of the College as Delegate
       of Data Protection a sanction of 5,000 euros (five thousand euros).

    - For the infringement of article 13 of the GDPR, due to the lack of information
       provided in the claims forms, on the treatment of the data

       obtained, a penalty of 8,000 euros (eight thousand euros).

    - For the violation of article 22.2 of the LSSI, regarding the use of
       third-party cookies of a non-excepted nature, without the consent of the
       user, a penalty of 1,000 euros (one thousand euros).



Being the total sanction of 14,000 euros (fourteen thousand euros).

SECOND: NOTIFY this resolution to the OFFICIAL ASSOCIATION OF

ARCHITECTS OF GRANADA.

THIRD: Warn the penalized party that the sanction imposed must make it effective
once this resolution is enforceable, in accordance with the provisions of Article
Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations, within the voluntary payment period indicated in the
Article 68 of the General Collection Regulations, approved by Royal Decree
939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by depositing it in the restricted account No. ES00 0000 0000 0000
0000 0000, opened in the name of the Spanish Data Protection Agency in the
Banco CAIXABANK, S.A. or otherwise, it will proceed to its collection in

executive period.

Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment term

It will be until the 5th of the second following or immediately following business month.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 60/60









In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative procedure (article 48.6 of the
LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the

Public Administrations, interested parties may optionally file
appeal for reversal before the Director of the Spanish Agency for Data Protection
within a month from the day following notification of this
resolution or directly contentious-administrative appeal before the Chamber of
contentious-administrative of the National Court, in accordance with the provisions of the

article 25 and in section 5 of the fourth additional provision of Law 29/1998, of
July 13, regulating the Contentious-administrative Jurisdiction, within the period of
two months from the day following the notification of this act, according to what
provided for in article 46.1 of the aforementioned legal text.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015,
of October 1, of the Common Administrative Procedure of the Administrations
Public, the firm resolution may be temporarily suspended in administrative proceedings if
The interested party declares his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-

administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.

Mar Spain Marti

Director of the Spanish Data Protection Agency.





















C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es