AEPD (Spain) - PS/00257/2020

From GDPRhub
AEPD - PS/00257/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 37 GDPR
LOPDGDD
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 11.01.2021
Fine: None
Parties: Ayuntamiento de Arroyomolinos
National Case Number/Name: PS/00257/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) issued a reprimand to the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a DPO for more than two years after the entry into force of the GDPR.

English Summary

Facts

Ayuntamiento de Arroyomolinos was found lacking a DPO. The defendant has provided the measures it has in the meantime adopted: with a service contract from 28.09.2020 a DPO has been appointed.


Dispute

Was this municipality under the obligation of appointing a DPO?


Holding

The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer. This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR. The Spanish DPA issued a reprimand to Ayuntamiento de Arroyomolinos for violating Article 37 GDPR. The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

1/7  Procedure Nº: PS / 00257/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: D. A.A.A. (hereinafter, the claimant) dated January 20, 2020 filed a claim with the Spanish Agency for Data Protection. The claim is directed against the Arroyomolinos City Council with NIF P2801500F (hereinafter, the claimed). The claimant states that he received on his behalf a notification from the City Council, and it contains the data and facts that motivate the imposition of a sanction to another person. On the other hand, he points out that the consistory does not have a Delegate for the Protection of Data. Together with the claim, he provides the notification that they have sent him. SECOND: In view of the facts reported in the claim and the Documents provided by the claimant are transferred to the claimed claim. On July 24, 2020, the defendant states: “that on January 20, 2020, the claimant was informed that on the day of notification of the Resolution there was a computer failure, and in the notification of its procedure the body of the resolution of the previous notification. The department proceeded to review generated notifications, not finding any more erroneous, likewise proceeded to add more revision controls of the documents generated so that this situation is not repeated. Likewise, he was informed that his data has not been disclosed to third parties, have only been used for the notification of the procedure between the claimant and this City Council ”. THIRD: On September 25, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure for the claimed party, with in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 37 of the RGPD, typified in Article 83.4 of the RGPD. FOURTH: Once the aforementioned commencement agreement was notified, the defendant submitted a allegations in which he, in short, he stated: “that on September 28, 2020 was awarded by Decree No. 2497/2020 technical assistance services contract to support and update information security (ENS) and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/7 protection of personal data (RGPD-LOPDGDD) and Delegate Service of Data Protection, for a period of 12 months. Sufficiently in advance of the contract end date and having As a basis for the work carried out by the DPD during that time, it is already planned to tender publicly for a maximum of 4 years the Data Protection Officer, with The aim is that this City Council permanently have this figure. In compliance with the duty to communicate the appointment of the DPO by this City Council to the AEPD in accordance with the provisions of article 34.3 LOPDGDD, The following details indicate: START UP, S.L. CIF B33667494 Attached to this document is: Decree No. 2497/2020 awarding of service contract and technical-economic proposal of the company Start up CDF S.L. in which the content of the services to be carried out is detailed ”. FIFTH: On October 13, 2020, the instructor of the procedure agreed to the opening of a period of practical tests, taking as incorporated the preliminary investigation actions, E / 02287/2020, as well as the documents provided by the defendant on October 8, 2020. SIXTH: On November 18, 2020, a resolution proposal was formulated, proposing that the Arroyomolinos City Council be sanctioned with a warning NIF P2801500F, for an infraction of Article 37 of the RGPD, typified in Article 83.4 of the RGPD. SEVENTH: Once the resolution proposal was notified, the defendant submitted a written allegations in which, in summary, it stated: "FIRST.- That on September 28, 2020 it was awarded by Decree No. 2497/2020 technical assistance service contract for support and update in information security (ENS) and personal data protection (RGPD-LOPGDD) and Data Protection Delegate Service, for a period of 12 months to the company Start up CDF S.L. SECOND.- The duty of communication of the appointment of the DPD by this City Council to the AEPD in accordance with the provisions of article 34.3 LOPDGDD. THIRD.- In the proposed resolution of the AEPD it is indicated that “In this case specifically, it has been accredited by virtue of the documents provided with their allegations to the initiation agreement that the complainant has appointed Delegate of Data Protection: START UP, S.L. CIF B33667494. " FOURTH.- Taking into consideration the Judgment of the National Court of 11/29/2013, (Rec. 455/2011), Sixth Law Foundation,what about him warning regulated in article 45.6 of the LOPD and regarding its nature legal notice that "does not constitute a sanction" and that it is "measures corrective measures for the cessation of the activity constituting the offense ”that replace the sanction. The Judgment understands that article 45.6 of the LOPD confers on the AEPD C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 a “power” different from the sanctioning one whose exercise is conditioned to the concurrence of the special circumstances described in the precept. In congruence with the nature attributed to awareness as an alternative to sanction when, given the circumstances of the case, the subject of the offense is not deserving of that, and considering that the object of the warning is the imposition of corrective measures, the aforementioned SAN concludes that when they already had been adopted, the procedure in Law is to agree on the file of the performances ”. In view of all the actions, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts, ACTS FIRST: The claimed person lacks the figure of a data protection delegate. SECOND: The Arroyomolinos City Council, has contributed in the present sanctioning procedure the measures it has adopted, including: Technical assistance services contract for support and update in information security (ENS) and personal data protection (RGPD-LOPDGDD) and Data Protection Delegate Service, for a period of 12 months. Communication of the appointment of the Data Protection Officer: START UP, S.L. CIF B33667494 Decree No. 2497/2020 awarding the service contract and proposal technical-economic of the company START UP CDF S.L. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of The Spanish Agency for Data Protection is competent to resolve this process. II The public administrations act as data controllers of personal character and, on some occasions, they perform functions of managers treatment, for what corresponds to them, following the principle of responsibility proactively, meet the obligations that the RGPD details, among which is included, the Obligation to appoint a data protection officer and communicate it to this AEPD The obligation is imposed by article 37 of the RGPD, which indicates: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 "1. The person in charge and the person in charge of the treatment will designate a delegate of data protection provided that: a) the treatment is carried out by a public authority or body, except those courts that act in the exercise of their judicial function; " Article 37.3 and 4 of the RGPD indicates on the designation of the DPD “When the responsible or the person in charge of the treatment is an authority or public body, may designate a single data protection officer for several of these authorities or bodies, taking into account their organizational structure and size. 4. In cases other than those contemplated in section 1, the controller or the in charge of the treatment or the associations and other bodies that represent categories of managers or managers may designate a protection delegate data or must designate it if required by Union or State law members. The data protection officer may act on their behalf associations and other organizations that represent managers or managers. " The LOPDGDD determines in its article 34.1 and 3: ”Appointment of a delegate of Data Protection " 1. Those responsible and in charge of the treatment must designate a delegate of data protection in the cases provided for in article 37.1 of the Regulation (EU) 2016/679 and, in any case, in the case of the following entities: 3. Those responsible and in charge of the treatment will communicate within ten days to the Spanish Data Protection Agency or, where appropriate, to the authorities autonomic data protection, appointments, appointments and terminations of the data protection delegates both in the cases in which they are obligated to their appointment as in the case in which it is voluntary. The infringement is considered as such in article 83.4.a of the RGPD which states: ”4. The Infractions of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a 39, 42 and 43; " He Article 83.7 of the RGPD indicates: “Without prejudice to the corrective powers of the supervisory authorities under Article 58 (2), each Member State may establish rules on whether, and to what extent, administrative fines can be imposed on public authorities and bodies established in that Member State. " Article 58.2 of the RGPD states: “Each control authority will have all the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 following corrective powers listed below: b) punish any person in charge or in charge of the treatment with warning when the treatment operations have violated the provisions of this Regulation; d) order the person in charge of the treatment that the operations of treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified period ”. In this sense, article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates: 1. The regime established in this article will apply to the treatment of who are responsible or in charge: c) The General Administration of the State, the Administrations of the Communities autonomous entities and the entities that make up the Local Administration. 2 “When the managers or managers listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this law organic, the competent data protection authority will dictate resolution sanctioning them with warning. The resolution will establish Likewise, the measures to be adopted to stop the conduct or to correct the effects of the offense that had been committed. The resolution will be notified to the person in charge of the treatment, the body of the that depends hierarchically, where appropriate, and those affected who had the condition interested party, if applicable. " 4.The resolutions that fall in relation to the measures and actions referred to in the sections previous. 5 will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. " III Article 73 of the LOPDDG indicates: Violations considered serious: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: v) Failure to comply with the obligation to appoint a data protection officer when the appointment of him is required in accordance with article 37 of the Regulations (EU) 2016/679 and article 34 of this organic law. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/7 By means of a written statement, the complainant has stated that he has already designated Delegate of Data Protection. Despite this, the Spanish Agency for Data Protection, sanctions the claimed with a warning sanction since it had to have a delegate from data protection in accordance with the provisions of article 37 of the RGPD, since May 25, 2018, when the RGPD entered into force. Therefore, in accordance with the applicable legislation and the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE the CITY COUNCIL OF ARROYOMOLINOS, with NIF P2801500F, for a violation of Article 37 of the RGPD, typified in Article 83.4 of the RGPD, a warning sanction. SECOND: NOTIFY this resolution to the CITY COUNCIL OF ARROYOMOLINOS.

THIRD: COMMUNICATE this resolution to the Ombudsman, of

in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that according to to the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [1], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/7 administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es