AEPD (Spain) - PS/00188/2020
AEPD - PS/00188/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR 5 LOPDGDD |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 06.08.2020 |
Published: | 06.08.2020 |
Fine: | 1800 EUR |
Parties: | ASOCIACIÓN DE VIGILANTES DE SEGURIDAD DEL AEROPUERTO DE BARCELONA |
National Case Number/Name: | PS/00188/2020 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falcó |
The Spanish DPA has fined "ASOCIACIÓN DE VIGILANTES DE SEGURIDAD DEL AEROPUERTO DE BARCELONA" with €1800 for an infringement of the principle of confidentiality in the processing of data, as set out in article 5 GDPR.
English Summary
Facts
A member of the trade union representation committee distributed a census of the workers through a WhatsApp group, in which there were private non-corporate phones.
The data controller claimed that he did this so that employees could check whether their data were correct.
A worker, whose data had been disseminated in this way, complained to the Spanish DPA that the confidentiality of the processing had been breached.
Dispute
Does the distribution of the census of workers through a Whatsapp group constitute a violation of Article 5 (1) (f) GDPR?
Holding
The Spanish DPA held that were clear indications that the defendant infringed Article 5 (1) (f) GDPR, principles relating to processing with the duty of confidentiality.
This duty of confidentiality, previously a duty of secrecy, does have the purpose to prevent the leakage of data that is not consented to by the holders of the same.
Therefore, this duty of confidentiality is an obligation that does not only to the person responsible for and in charge of the processing but to anyone who any phase of the treatment and complementary to the duty of professional secrecy.
The fact that it was a non-intentional negligent action, that basic personal identifiers were affected, and that no subsequent prevention measures were carried out of the infringement was considered aggravating factors, determining the amount of the fine in €3000. This amount was reduced by the person responsible for benefiting from the corresponding legal reductions.
Comment
The Spanish DPA assessed the specific modifying circumstances, in this case, the merely local scope, the number of people affected, the conduct resulting from a lack of diligence, and the position of the person who distributed the personal data as a data processor.
The defendant made use of two reductions under Article 85 LPACAP, of 20% of the total amount each: recognition of liability and voluntary payment. So from the initial €3000 it became €1800.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00188/2020 DECISION R/00367/2020 ON THE TERMINATION OF PROCEEDINGS FOR PAYMENT VOLUNTEER In the sanctioning procedure PS/00188/2020, conducted by the Agency Spanish Data Protection to ASSOCIATION OF SECURITY GUARDIANS OF BARCELONA AIRPORT, having regard to the complaint lodged by A.A.A., and in based on the following, BACKGROUND FIRST: On July 10, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure to ASSOCIATION OF BARCELONA AIRPORT SECURITY WATCHERS (hereinafter, the one being claimed), by means of the Agreement which is transcribed: << Procedure No.: PS/00188/2020 AGREEMENT ON THE INITIATION OF DISCIPLINARY PROCEEDINGS Of the actions carried out by the Spanish Agency for the Protection of Data and based on the following FACTS FIRST: Mrs. A.A.A. (hereinafter the complainant) dated 18/11/2019 filed claim before the Spanish Data Protection Agency. The claim is directed against AIRPORT SAFETY WATCHMAN ASSOCIATION DE BARCELONA with NIF G65350316 (hereinafter the claimed). The reasons in that bases the complaint are: that a member of the Ilunion Centre Committee Barcelona Airport Security has distributed through WhatsApp, the census workers to private, non-corporate phones. Provides screenshots of the application in which it is stated that the respondent sent the lists for the members of their union section to verify that their census data were correct. SECOND: Upon receipt of the complaint, the Subdirectorate General of Data Inspection proceeded to carry out the following actions: On 20/01/2020, the complaint submitted for analysis was transferred to the respondent and inform the complainant of the decision taken in this regard. Similarly, the required him to send to the Agency within one month a list of information: - Copy of the communications, of the decision taken which you have sent to claimant regarding the transfer of this claim, and proof that the The complainant has been notified of this decision. - Report on the causes of the incident which led to the claim. - Report on measures taken to prevent incidents similar. - Any other that you consider relevant. On 11/02/2020, the respondent sent a letter in which he stated that the dissemination of the through the Whatsapp group only to employees of the company llunión Seguridad S.A. of the Barcelona Airport work center affected by the the process of union elections from the electoral rolls for the same does not violate the data protection regulations, especially when such data were accessible and the purpose of the sending was to facilitate the verification of data by those workers with difficulties in moving; which on this subject has already the Supreme Court in its judgment of 27/09/2007; that the publication or dissemination of the electoral roll to workers affected by the electoral process The data protection legislation is not violated; that the use of the electoral roll carried out by the defendant, such as ***CARGO.1, in the exercise of their right to trade union activity was adequate for the purposes of the The only purpose of sending the electoral roll, as indicated in the The "screenshots" accompanying the complaint were "Check that it is your name and that your details are correct. If you see any anomaly, please let us know. that the use of the electoral register made by the defendant, as a means of ***CARGO.1, in exercising its right to trade union activity, was fully for the purposes of the electoral process, as it was only intended to facilitate the verification of the workers in the workplace of their data for the exercise of their rights of representation. On 08/06/2020, in accordance with article 65 of the LOPDGDD, the Director of the The Spanish Data Protection Agency agreed to admit the complaint about the processing filed by the claimant against the respondent. LEGAL GROUNDS I By virtue of the powers conferred on each of the parties by Article 58(2) of the GPRS the supervisory authority, and in accordance with Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure. II The claimed facts are materialized in the distribution through a group of WhatsApp by a member of the Ilunion Center Airport Security Committee of Barcelona, of the electoral census of workers, which could mean the violation of the principle of confidentiality. Article 5, Principles relating to processing, of the RGPD which states that "1. Personal data shall be: (…) (f) treated in such a way as to ensure adequate security of the personal data, including protection against unauthorized or unlawful processing and against their accidental loss, destruction, or damage, by implementing measures appropriate techniques or organizational arrangements ("integrity and confidentiality"). (…)” And Article 6, Legality of Processing, of the aforementioned RGPD states in point 1 that: "1. Treatment shall be lawful only if at least one of the following is fulfilled conditions: a) the data subject has given his consent to the processing of his data for one or more specific purposes; (b) processing is necessary for the performance of a contract in which the interested is a party to or for the application at his request of measures pre-contractual; (c) processing is necessary for the performance of a legal obligation applicable to the data controller; (d) processing is necessary to protect the vit(f) processing is necessary for the satisfaction of legitimate interests persecuted by the controller or by a third party, provided that there are such interests do not prevail over interests or rights and freedoms data subject's fundamental rights requiring the protection of personal data, in particularly when the person concerned is a child. Point (f) of the first subparagraph shall not apply to processing by public authorities in the exercise of their duties". (…)” Also Article 5, Duty of confidentiality, of the new Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of digital rights (hereinafter 'LOPDGDD'), points out that "Data controllers and data processors, as well as all persons intervening at any stage of this shall be subject to the duty to confidentiality referred to in Article 5(1)(f) of Regulation (EU) 2016/679. 2. The general obligation referred to in the previous paragraph shall be complementary of the duties of professional secrecy in accordance with its applicable regulations. 3. The obligations established in the previous paragraphs shall be maintained even if the relationship between the obligor and the person responsible or in charge has ended of the treatment". On the other hand, Article 83.5 a) of the RGPD, considers that the infringement of "the basic principles for treatment, including conditions for consent under Articles 5, 6, 7 and 9" is punishable, in accordance with paragraph 5 of referred to in Article 83 of the said RGPD, "with administrative fines of maximum or, in the case of a company, an amount equivalent to 4% as maximum of the total annual turnover of the previous financial year, by opting for the largest amount". And the LOPDGDD in its article 72 indicates for prescription purposes: "Infringements considered very serious: al interests of the data subject or of another natural person; (e) the processing is necessary for the performance of a task carried out in public interest or in the exercise of public authority conferred on the person responsible for treatment; 1. In accordance with Article 83(5) of the Regulation (EU) 2016/679 are considered very serious and will be subject to a three-year statute of limitations for infringements that constitute a substantial breach of the articles mentioned in that one and, in In particular, the following: a) The processing of personal data in violation of the principles and guarantees laid down in Article 5 of Regulation (EU) 2016/679. (…) III From the documentation in the file, there are clear indications of that the defendant infringed Article 5 of the RGPD, principles relating to processing, in in relation to Article 5 of the LOPGDD, duty of confidentiality, in relation to the impact produced: sending a whatsapp group of the electoral roll list. This duty of confidentiality, previously a duty of secrecy, must The purpose of this is to prevent the leakage of data that is not consented to by the holders of the same. Therefore, this duty of confidentiality is an obligation that does not only to the person responsible for and in charge of the processing, but to anyone who any phase of the treatment and complementary to the duty of professional secrecy. IV In order to determine the administrative fine to be imposed the provisions of Articles 83(1) and 83(2) of the GPRS, which they point out: "Each supervisory authority shall ensure that the imposition of fines administrative offences under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are on a case-by-case basis effective, proportionate and dissuasive. 2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures envisaged in Article 58(2)(a) to (h) and (j) In deciding to impose a fine and its amount in each individual case will be duly taken into account: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of stakeholders affected and the level of damage and damages they have suffered; (b) the intentionality or negligence of the infringement; (c) any measure taken by the controller or processor to mitigate the damages suffered by those concerned; (d) the degree of responsibility of the person responsible for or in charge of treatment, taking into account any technical or organisational measures that have applied under Articles 25 and 32; (e) any previous infringement committed by the person responsible for or in charge of treatment; (f) the degree of cooperation with the supervisory authority in order to put remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the way in which the supervisory authority became aware of the infringement, in in particular whether the person responsible or the person in charge notified the infringement and, if so to what extent; (i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible or the person in charge in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct under Article 40 or to mechanisms (k) any other factor aggravating or mitigating circumstances, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement. With regard to Article 83.2(k) of the RGPD, the LOPDGDD, in its Article 76, "Sanctions and remedial measures", provides that "In accordance with Article 83(2)(k) of the Regulation (EU) 2016/679 may also be taken into account: (a) the continuing nature of the infringement b) The link between the activity of the offender and the carrying out of processing of personal data. c) The benefits obtained as a result of the commission of the infringement. (d) The possibility that the conduct of the data subject may have led to the commission of the offence. (e) The existence of a post-commission merger process of the infringement, which cannot be attributed to the absorber. f) Affecting the rights of minors. g) Having, when not compulsory, a delegate for the protection of data. h) The submission by the person responsible or in charge, with a to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested." In accordance with the above provisions, and without prejudice to the proceedings in order to determine the amount of the fine to be imposed on imposed in the present case for the infringement defined in Article 83.5.a) of the RGPD for which the claimant is held responsible, in an initial assessment, are estimated The following factors are concurrent: The merely local scope of the treatment carried out by the entity claimed. The number of persons affected by the infringing conduct, members of the Iluniion company's electoral register. There is no evidence that the entity complained of has adopted measures to prevent similar incidents, in the light of the response sent to this body. There is no evidence that the complainant acted fraudulently, although the performance reveals a lack of diligence. The link between the activity of the offender and the processing of personal data. The entity complained of is a trade union that is not very representative. Therefore, in accordance with the above, By the Director of the Spanish Data Protection Agency, IT IS AGREED: 1. initiation of disciplinary proceedings against the association of BARCELONA AIRPORT SECURITY WATCHERS with VAT number G65350316, for the alleged infringement of article 5.1.f) of the RGPD, sanctioned in accordance with the provisions of article 83.5.a) of the aforementioned RGPD. 2. NAME R.R.R. as Instructor and S.S.S. as Secretary, indicating that any of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015 of 1 October on the Legal Regime of the Sector Public (LRJSP). 3. INCORPORATE the complaint into the sanctioning file, for evidential purposes filed by the complainant and its documentation, the documents obtained and generated by the Inspection Services during the pre-investigation phase, as well as the report of previous Inspection actions; all documents that are part of the file. 4. THAT for the purposes of Article 64.2 b) of Law 39/2015, dated 1 January October, of the Common Administrative Procedure for Public Administrations (LPACAP), and Article 127(b) of the RLOPD, the sanction that may correspond for the infringement described would amount to EUR 3 000 (three thousand euros), without prejudice to result of the instruction. 5. NOTIFY this Agreement to the ASSOCIATION OF WATCHMEN OF BARCELONA AIRPORT SECURITY with NIF G65350316, expressly indicating his right to be heard in the proceedings and granting him a period of TEN WORKING DAYS to make the allegations and propose the evidence it deems appropriate. In your pleading you must provide your VAT number and the procedure number in the heading of this document. Furthermore, in accordance with Articles 64(2)(f) and 85 of the LPACAP, it is informs that, if he does not make representations within the time limit of this initiating agreement, the The same may be considered as a motion for resolution. You are also informed that, in accordance with Article 85.1 LPACAP may acknowledge its liability within the time allowed for making representations to this agreement inception which will entail a reduction of 20% of the penalty to be imposed at present procedure, equivalent in this case to EUR 600. With the implementation of this reduction, the penalty would be set at EUR 2 400, with the decision being taken on procedure with the imposition of this penalty. Similarly, at any time prior to the resolution of the This procedure, to carry out the voluntary payment of the proposed penalty, of in accordance with the provisions of Article 85(2) LPACAP, which will reduction of 20% of the amount of the fee, equivalent in this case to EUR 600. With the application of this reduction, the penalty would be set at and its payment will entail the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with the one is to be applied for the recognition of responsibility, provided that this recognition of responsibility is shown within the time limit granted to make representations on the opening of the procedure. The payment of the amount referred to in the previous paragraph may be made at any moment before the resolution. In this case, if it is appropriate to apply both reductions, the amount of the penalty would be set at EUR 1 800. In any case, the effectiveness of either of the two above-mentioned reductions shall be conditional upon the withdrawal or waiver of any action or remedy in the administrative sanction against the sanction. If you choose to proceed with the voluntary payment of any of the amounts indicated above ('2,400 or '1,800), in accordance with the provided for in Article 85.2 above, we indicate that you must make it effective by your deposit in the restricted account nº ES00 0000 0000 0000 0000 open to name of the Spanish Data Protection Agency at CAIXABANK Bank, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction in the amount to which You must also send proof of payment to the Subdirectorate General of Inspection to continue the procedure in accordance with the quantity entered. The procedure will last a maximum of nine months from the date of the agreement to initiate or, where appropriate, the draft agreement to initiate After this period, it will expire and consequently the archive of proceedings; in accordance with the provisions of Article 64 of the LOPDGDD. Finally, it should be noted that in accordance with Article 112.1 of the LPACAP, there is no administrative remedy against this act. Mar Spain Martí Director of the Spanish Data Protection Agency >> SECOND: On July 31, 2020, the claimant paid the 1 800 by making use of the two reductions provided for in the above transcribed agreement, which implies the recognition of the responsibility. THIRD: The payment made, within the period granted to make representations to the opening of the procedure, entails the waiver of any action or appeal in administrative sanction and recognition of responsibility in relation to the facts referred to in the Home Agreement. LEGAL BASIS I By virtue of the powers conferred on each authority in Article 58(2) of the GPRS control, and in accordance with Article 47 of Organic Law 3/2018 of 5 December December, on the Protection of Personal Data and Guarantee of Digital Rights (en hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to penalise infringements committed against it Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General of Telecommunications (hereinafter referred to as LGT), in accordance with the article 84.3 of the GLT, and the offences defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on the services of the company information and electronic commerce (hereinafter referred to as the ISESA), as provided for in Article 43.1 of that Act II Article 85 of Law 39/2015 of 1 October on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings" provides the following: "1. A sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be terminated with the imposition of the penalty as appropriate. 2. When the sanction is solely of a pecuniary nature or when it fits impose a financial penalty and a non-pecuniary penalty but it has been justified the unsuitability of the second, voluntary payment by the alleged perpetrator, in any time before the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to decide on the procedure shall apply reductions of, at less 20% of the amount of the proposed penalty, which may be cumulated each other. These reductions must be determined in the notification of initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this paragraph may be increased by regulation. In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00188/2020, of in accordance with Article 85 of the LPACAP. SECOND: NOTICE this resolution to the ASSOCIATION OF WATCHERS OF BARCELONA AIRPORT SECURITY. In accordance with the provisions of article 50 of the LOPDGDD, this The decision will be made public after it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as provided for by Article 114.1.c) of Law 39/2015, of 1 October, on Administrative Procedure The persons concerned may lodge an appeal with the administrative litigation before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from day following notification of this act, as provided for in Article 46(1) of the referred to Law. Mar España Martí Director of the Spanish Data Protection Agency