AEPD (Spain) - PS/00366/2019
AEPD - PS/00366/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(d) GDPR; Article 4 LOPDGDD |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 10.12.2020 |
Published: | |
Fine: | None |
Parties: | AGENCIA ESTATAL DE ADMINISTRACIÓN TRIBUTARIA (AEAT) |
National Case Number/Name: | PS/00366/2019 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falcó |
The Spanish Data Protection Agency (AEPD) imposed a warning sanction against the State Tax Administration Agency (AEAT) for infringement of Article 5 (1) (d) GDPR, i.e. lack of accuracy in the processing of personal data.
English Summary
Facts
The claim was initiated by an employer who, when he wanted to register a worker in the Social Security system and requested the reduction of the contribution, was refused on the grounds that the claimant was not up to date with his tax obligations, since the tax agency's files contained the notation "fiscal offense".
The Tax Agency acknowledged that the failure to update the data was due to an error, and proceeded to correct and update the data processing systems.
Dispute
Is the lack of accuracy when processing personal data by the tax authorities an infringement of Article 5 (1) (d) GDPR?
Holding
The AEPD agreed to impose a penalty for infringement of Article 5 (1) (d) for lack of accuracy in the processing of personal data, due to an out-of-date data processing system.
Under Article 77 LOPDGDD, the sanction takes the form of a "warning" when the sanctioned entity is a public administration.
Furthermore, because the sanctioned entity had updated its systems and adopted other measures in its processes, the AEPD did not consider it necessary to impose other types of corrective sanctions.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS / 00366/2019
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: D. A.A.A. (hereinafter, the claimant) on 05/20/2019 filed claim before the Spanish Agency for Data Protection. The claim is directed against STATE AGENCY OF TAX ADMINISTRATION, with NIF Q2826000H (hereinafter, the claimed one). The reasons on which the claim is based are in short: that the claimant when registering a female worker with Social Security On 04/06/2018 he requested a reduction in his quotation. The request was denied by the TGSS, requesting the claimant to present a certificate of being at the current of your tax obligations. After the presentation of two certificates positives issued by the AEAT the TGSS denies the bonus informing the claimant that the AEAT files contain the annotation "tax offense". On 02/08/2019, the complainant addressed the AEAT DPD requesting explanations opportune, as inaccurate and contradictory data appear in their files. The DPD responds on 04/01/2019 pointing out that the data in the AEAT file are correct, however, the Legal Assistance application did not complete a field, motivating the issuance of the wrong certificate with a negative result requested by the TGSS.
SECOND: Upon receipt of the claim, the Subdirectorate General of Data Inspection proceeded to carry out the following actions: On 06/12/2019, the brief presented for his analysis and communication to the affected party of the decision taken in this regard. Equally, he was required to submit to the determined Agency within a month information:
- Report on the Impact Assessment carried out before the implementation of improvements in the Legal Aid application.
- The decision taken to anticipate this claim.
- Report on the measures adopted to prevent the occurrence of similar incidents.
- Any other that you consider relevant.
The one claimed by writing of 07/12/2019 refers, first of all, to the system of issuance of certificates of being up to date with the payment of tax obligations and the channels through which it is possible to make requests, as well as access by part of other organisms to the services of requesting certificates of being at the current payment of tax obligations and the incidence occurred in the case of the claimant.
In relation to the questions raised, the respondent does not consider it necessary carry out an impact assessment as the claim does not concern a certain treatment but with an error in the recording of the status of a file. That the situation of the DNI of the claimed person is corrected and reviewed. That the data used in the generation of the claimant's certificate had been registered in the year 2012 and due to an error the status of the file had not been updated adequately.
Regarding the measures adopted, they can be summarized in three lines of action:
1. That since 2015 the Legal Assistance application has integrated different controls to help employees using this app and improve quality of the data; all controls are in place and there is no evidence of similar errors.
2. That the files prior to 2015 are under review and are realizing gradually and,
3. That as a result of the case under study, the DPD sent the Management Group AET electronics proposing a general review of the issuance procedure of tax certificates in order to identify improvements in the management and information that is provided to interested parties.
THIRD: On 10/09/2019, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit for processing the claim filed by the claimant against the defendant.
FOURTH: The complainant's written document dated 10/22/2019 stating that based on article 77.2 and 78.3 of the RGPD that state “2.
The authority of control to which the claim has been submitted will inform the claimant about the course and result of the claim, including the possibility of accessing the judicial protection under article 78 "and" 3. Actions against an authority of control must be exercised before the courts of the Member State in which it is control authority established ”, he was going to resort to the Contentious Jurisdiction Administrative, for what it required the AEPD to provide the information requested refers to article 77.2 of the RGPD, as well as the corresponding claim before the European Data Protection Supervisor given the disinterest shown by the AEPD by not deigning to answer your claim.
FIFTH: On 03/12/2020, the Director of the Spanish Agency for the Protection of Data agreed to initiate a sanctioning procedure for the claimed person for the alleged infringement of article 5.1.d) of the RGPD.
SIXTH: Once the aforementioned commencement agreement was notified, the defendant submitted a written allegations on 06/12/2020 stating, in summary: that as a consequence of the claim, the circumstances that allowed the certificates to be issued were reviewed, so that currently the conditions in the application have been modified legal entity of the AEAT, so that a negative certificate is issued and that the DPD sent a proposal to the Electronic Administration Group of the Tax Agency, proposing a general review of this procedure; what happened in the case of claimant is not the consequence of a breach of the principle of accuracy of the data, but precisely the technical and organizational measures adopted to minimize and correct errors in the automated processing of personal data to the issuance of certificates of being up to date with tax obligations; what Although it could be considered that the claimant's data were inaccurate, for not the field in the Legal Assistance application has been incorporated into your file, The truth is that article 5.1.d) of the RGPD, in
relation to the update, does not impose adopt disproportionate measures to update the data, if not reasonable ones, taking into account the available means and the purpose for which the data is used; the unnecessary processing of sanctioning procedure for having solved the claim; that although it is considered that there was non-compliance by the AEAT of the principle of data accuracy, corrective measures have been adopted timely, addressing the claim of the claimed.
SEVENTH: On 08/18/2020 it was agreed to open a trial period, remembering the following:
- To consider reproduced for evidentiary purposes the claim filed by the claimant and its documentation, the documents obtained and generated by the Inspection Services before the AEAT that are part of the file E / 05725/2019.
- To consider reproduced for evidentiary purposes, the allegations to the agreement of start PS / 00366/2019 submitted by the claimed.
EIGHTH: On 11/16/2020, Proposal for Resolution was notified to the effect that by the Director of the AEPD the claimed person will be sanctioned for an infraction of the article 5.1.d) of the RGPD, typified in article 83.5.a) of the RGPD, with warning. After the term established by the claimed, at the time of this Resolution, he had not presented any written allegation.
NINTH: Of the actions carried out in the present procedure, there have been accredited the following,
PROVEN FACTS
FIRST. On 05/20/2019 you have entry into the Spanish Agency for the Protection of Written data filed by the claimant; the claim is directed against the AEAT motivated by registering a worker with Social Security and requesting the reduction of its contribution, was denied by the TGSS, informing the claimant that was not aware of its tax obligations since in the files of the AEAT there is the annotation "tax offense".
The claimant addressed on 02/08/2019 to the DPD of the AEAT requesting the appropriate explanations, as data is recorded in its files inaccurate and contradictory. The DPD responds on 04/01/2019 noting that the data that work in the AEAT file are correct, however, in the application Legal Assistance a field was not completed, motivating the issuance of the certificate wrong with the negative result of the request before the TGSS.
SECOND. It is provided by the claimant diligence of appearance in the Special delegation of the AEAT in Madrid dated 03/22/2019 in which it is requested explanation of the situation created by the certificate issued and identification of the acting official.
THIRD. There is a written written addressed to the AEAT DPD on 02/08/2029 in the that the claimant requests explanations about the incident that occurred and that it is subject to this claim.
FOURTH. There is a response from the DPD dated 05/20/2019, stating that “When you have requested it from the TGSS, although the meaning of the certificate is NEGATIVE, It has been provided as a reason for the denial: “M. Tax Crime ”, for their transfer and that could request a review before the Tax Agency. It must be recognized that the term Tax Crime is unfortunate and a message of the type would have been preferable "Go to your tax office to review the situation" and that "Once analyzed your case and having identified the causes that have caused the situation you have described, has proceeded to update the Legal Aid application. In this way, from now and while circumstances do not change, the meaning of the tax certificate will be the same, regardless of whether it is requested before the Tax Agency or through a body integrated into the information supply system where Certificates of being up to date with payment of tax obligations are offered. This modification has been in effect since March 26, 2019 ”.
In the light of what happened, a series of modifications is also indicated in order to prevent situations such as the one that gave rise to the claim.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure.
II
Article 5, Principles relating to treatment, of the RGPD establishes that:
"1. The personal data will be:
(…)
d) accurate and, if necessary, updated; all measures will be taken reasonable for the personal data to be deleted or rectified without delay that are inaccurate with respect to the purposes for which they are treated ("accuracy");
(…)
Also article 4, Accuracy of the data, of the new Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of rights digital (hereinafter LOPDGDD), states:
"1. In accordance with article 5.1.d) of Regulation (EU) 2016/679 the data will be exact and, if necessary, updated.
2. For the purposes provided for in article 5.1.d) of Regulation (EU) 2016/679, It will not be attributable to the person responsible for the treatment, provided that he has adopted all reasonable measures so that they are suppressed or rectified without delay, the inaccuracy of personal data, with respect to the purposes for which they are processed, when inaccurate data:
a) They had been obtained by the person responsible directly from the affected party.
b) They had been obtained by the person in charge of a mediator or intermediary in the event that the rules applicable to the sector of activity to which it belongs the person responsible for the treatment established the possibility of intervention an intermediary or mediator who collects on his own behalf the data of the affected for transmission to the person in charge.
The mediator or intermediary will assume the responsibilities that may arise in the event of communication to the data controller that does not correspond to the provided by the affected party.
c) They were subjected to treatment by the person responsible for having received them from another person responsible by virtue of the exercise by the affected party of the right to portability in accordance with article 20 of Regulation (EU) 2016/679 and the provisions in this organic law.
d) They were obtained from a public registry by the person in charge ”.
III
In the present case, as stated in the antecedent and first proven fact The claim filed is due to the fact that the claimant upon registering with the Security Social to a worker on 04/06/2018 requested a reduction in her contribution for being older than 50 years; The request was denied by the TGSS, on the grounds that had debts with the AEAT, requesting the claimant to present a certificate to be up to date with their fiscal and tax obligations; for what I request to this positive certification body of being up to date with its obligations prosecutors; four months have elapsed since the certificate request and in the face of silence I request an appearance by requesting an appointment at the AEAT without having obtained a satisfactory answer, although the next day it was issued positive electronic certificate of your tax situation that was presented to the TGSS was once again rejected due to the existence of a tax offense, having been hidden such circumstance until 11/18/2018; Faced with such an unusual situation, he goes to DPD who, after more than a month without obtaining a response, presented himself at the headquarters of the AEAT where he exposed his situation and after five days he receives a reply from the DPD considering it entirely unsatisfactory and unfortunate.
It is true that the documentation in the file shows that the defendant would have violated article 5.1.d), principle of accuracy, in relation to Article 4 of the LOPDGDD by keeping inaccurate data related to the claimant without having corrected them, appearing since 2012 as linked to a crime fiscal. The DPD himself in the written reply to the request / complaint of the claimant noted on 04/01/2019 that “The explanation of why this data is not complete It is due to the age of the information, which is prior to the improvements made in the Legal Assistance Application, to help the public employee in the maintenance of the data and status of the files ”and that“ When it has requested to the TGSS, although the meaning of the certificate is NEGATIVE, it has been provided as a reason for denial: “M. Tax Crime ”, for their transfer and that could request a review before the Tax Agency. It must be recognized that the term Tax crime is unfortunate and a message such as "Go to your tax office to review the situation ”. Therefore, it is true that the complainant himself has admitted that the data that were used to generate the claimant's certificate and that had been registered in 2012, due to an error the status of the file properly. However, it is also true that on the occasion of the request / complaint of the complainant, the parameters used to issue the certificates of so that at present the conditions in the consultation with Argos have been modified Criminal, application of the AEAT, in the issuance of negative certificates; furthermore, as a result of the complainant's case, the DPD submitted a proposal to the Administration Group Electronic of the Tax Agency, proposing "a general review of this procedure in order to identify improvements in the management of certificates and the information that is provided to the interested parties who request them, having modified the descriptions of the reason for refusal provided to the Petitioning Public Administrations ”. 
It should also be noted that on the occasion of the claim, a series of measures that aim to avoid similar incidents in the future as the one that has given rise to the present claim:
Since 2015, the Legal Assistance application has integrated different controls to help employees using this app and improve quality of the data.
That controls have been included in the Legal Assistance application for ensure that the necessary data are provided to the files and that they are not left without complete and the generation of follow-up reports has also been facilitated. status of the files that allow better control of them, controls that are already in place with no evidence of errors similar to those reported by the claimant.
All files prior to 2015 are under review by the legal services of the Tax Agency delegations.
The Data Protection Delegate has submitted a proposal to the Group of Electronic Administration of the Tax Agency, where the areas that participate in the procedure for issuing tax certificates, proposing a general review of this procedure in order to identify improvements in the management of certificates and the information provided to interested parties who request them.
IV
Article 83.5 a) of the RGPD, considers that the infringement of “the principles basic for the treatment, including the conditions for consent in accordance with of articles 5, 6, 7 and 9 ”is punishable.
On the other hand, the LOPDGDD in its article 72, for the purposes of prescription, indicates which are: “Violations considered very serious: 1.
In accordance with the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in in particular, the following:
a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679.
(…) "
However, the LOPDGDD in its article 77, Regime applicable to certain categories of data controllers or managers, establishes the following:
"1. The regime established in this article will apply to the treatments of those who are responsible or in charge:
a) Constitutional bodies or those with constitutional relevance and institutions of the autonomous communities analogous to them.
b) The jurisdictional bodies.
c) The General State Administration, the Administrations of the autonomous communities and entities that make up the Local Administration.
d) Public bodies and public law entities linked to or dependent on Public Administrations.
e) The independent administrative authorities.
f) The Bank of Spain.
g) Public law corporations when the purposes of the treatment are related to the exercise of powers of public law.
h) Public sector foundations.
i) Public Universities.
j) Consortia.
k) The parliamentary groups of the Cortes Generales and the Assemblies Autonomous legislatures, as well as the political groups of the Corporations Local.
2. When the managers or managers listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this organic law, the competent data protection authority will dictate resolution sanctioning them with warning. The resolution will establish Likewise, the measures to be adopted to stop the conduct or to correct the effects of the offense that had been committed.
The resolution will be notified to the person in charge of the treatment, at body on which it depends hierarchically, where appropriate, and those affected who have the condition of interested party, if applicable.
3. Without prejudice to the provisions of the previous section, the authority of data protection will also propose the initiation of disciplinary actions when there is sufficient evidence to do so. In this case, the procedure and Sanctions to be applied will be those established in the legislation on disciplinary regime or sanctioner that is applicable. Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for treatment is accredited that had not been duly attended, in the resolution in which the The sanction will include a warning with the name of the position responsible and will order the publication in the Official Gazette of the State or Autonomous corresponds.
4. The data protection authority must be informed of the resolutions that fall in relation to the measures and actions to which they refer the previous sections.
5. They will be communicated to the Ombudsman or, where appropriate, to the institutions of the autonomous communities, the actions carried out and the Resolutions issued under this article.
6. When the competent authority is the Spanish Agency for the Protection of Data, it will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, with express indication of the identity of the person in charge or in charge of the treatment who had committed the infringement. When the competence corresponds to an autonomous protection authority of data will be, as for the publicity of these resolutions, to what is available its specific regulations ”.
In accordance with the evidence available, the conduct of the claimed constitutes a violation of the provisions of article 5.1.d) of the RGPD. It should be noted that article 77 of the LOPDGDD contemplates the possibility of go to the sanction of warning to correct data processing personal data that do not conform to their forecasts, when those responsible or managers listed in section 1 committed any of the infractions to the referred to in articles 72 to 74 of this organic law. Likewise, it is contemplated that the resolution issued will establish the measures that is appropriate to adopt so that the conduct ceases, the effects of the offense are corrected that had been committed through the adoption of the measures and the contribution of means of accrediting compliance with what is required, a regulation that is not a A novelty since it was also partly included in the previous LOPD. Now, taking into account that the claim of the interested party was addressed, issuing the requested certificate and reviewing the false negative that had been issued at the request of the TGSS and that, in addition, complementary measures were adopted how to include the reason for provisional dismissal in the application file legal status of the claimed in order to avoid similar incidents; that the parameter of the automated certificate issuance application to reduce false negatives requiring human intervention; that the message that was modified the remote petitioning Public Administration receives certificates of being up to date current of tax obligations on the cause of the denial of the certificate, etc., as indicated previously, it is not appropriate to urge the adoption of measures additional, having been accredited, that the defendant has adopted all those that are reasonable, in accordance with the provisions of the regulations on Data Protection. 
Therefore, in light of the foregoing, it is not appropriate to urge the adoption of measures additional, having been proven, that the defendant has adopted the measures reasonable, in accordance with the regulations on data protection, which As he himself points out, it is the main purpose of the procedures regarding those entities listed in article 77 of the LOPDGDD.
Therefore, in accordance with the applicable legislation, The Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: IMPOSE STATE AGENCY OF TAX ADMINISTRATION, with NIF Q2826000H, for the violation of article 5.1.d) of the RGPD, typified in the Article 83.5.a) of the RGPD, a warning sanction.
SECOND: NOTIFY this resolution to the STATE AGENCY OF TAX ADMINISTRATION, with NIF Q2826000H.
In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of month from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.
Finally, it is pointed out that in accordance with the provisions of art.
90.3 a) of the LPACAP, the final resolution may be suspended in an administrative way If the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this made by writing to the Spanish Agency for Data Protection, Presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. As well must forward to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day after the notification of this resolution, would terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es