AEPD (Spain) - PS/00257/2020
AEPD - PS/00257/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 37 GDPR LOPDGDD |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 11.01.2021 |
Fine: | None |
Parties: | Ayuntamiento de Arroyomolinos |
National Case Number/Name: | PS/00257/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) issued a reprimand to the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a DPO for more than two years after the entry into force of the GDPR.
English Summary
Facts
Ayuntamiento de Arroyomolinos was found lacking a DPO. The defendant has provided the measures it has in the meantime adopted: with a service contract from 28.09.2020 a DPO has been appointed.
Dispute
Was this municipality under the obligation of appointing a DPO?
Holding
The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer. This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR. The Spanish DPA issued a reprimand to Ayuntamiento de Arroyomolinos for violating Article 37 GDPR. The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 Procedure No.: PS/00257/2020 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following: BACKGROUND FIRST: D. A.A.A. (hereinafter the complainant) dated 20 January 2020 filed a complaint with the Spanish Data Protection Agency. The claim is directed against the Town Hall of Arroyomolinos with NIF P2801500F (hereinafter referred to as the Respondent). The complainant states that he received on his behalf a notification from City Council, and it contains the data and facts that motivate the imposition from a sanction to another person. On the other hand, it points out that the consistory does not have a Delegate for the Protection of Data. Together with the complaint, you will provide the notification that you have been sent. SECOND: In view of the facts denounced in the complaint and the the documents provided by the claimant are transferred to the claimant. On 24 July 2020, the petitioner states: "that on 20 January 2020 the complainant was informed that on the day of notification of the Resolution there was a computer failure, and in the notification of its procedure the body of the resolution of the previous notification. The department proceeded to review the notifications generated, finding none more erroneous, also proceeded to add further revision controls on the documents generated so that this situation will not be repeated. You were also informed that your data have not been transferred to third parties, have only been used for the notification of the procedure between claimant and this Town Hall". THIRD: On 25 September 2020, the Director of the Spanish Agency of Data Protection agreed to initiate sanctioning proceedings against the respondent, with in accordance with Articles 63 and 64 of Law 39/2015 of 1 October on the Common Administrative Procedure for Public Administrations (hereinafter referred to as the "Common Administrative Procedure"), LPACAP), for the alleged violation of Article 37 of the GPRS, typified in Article 83.4 of the RGPD. FOURTH: Once the above-mentioned agreement to initiate the proceedings had been notified, the respondent submitted a letter of in which he stated, in summary: "that on 28 September 2020 was awarded by Decree No 2497/2020 for technical assistance services for information security (ENS) support and updating, and C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/7 protection of personal data (RGPD-LOPDGDD) and Delegate Service of Data Protection, for a period of 12 months. In good time before the date of termination of the contract and having on the basis of the work carried out by the DPD during this time, it is already planned to call for tenders publicly for a maximum of 4 years the Data Protection Delegate, with the aim is for this Town Hall to have this figure permanently. In compliance with the duty to communicate the appointment of the DPD by this City Council to the AEPD in accordance with the provisions of Article 34.3 LOPDGDD, is the following information is provided: START UP, S.L. CIF B33667494 Attached to this letter: Decree No. 2497/2020 on the award of service contract and technical-economic proposal of the company Start up CDF S.L. which details the content of the services to be provided". FIFTH: On 13 October 2020, the instructor of the procedure agreed on the opening of a trial period, with the incorporation of the preliminary investigation proceedings, E/02287/2020, as well as documents provided by the respondent on 8 October 2020. SIXTH: A motion for resolution was tabled on 18 November 2020, proposing to sanction the Town Hall of Arroyomolinos with a warning NIF P2801500F, for an infringement of Article 37 of the RGPD, typified in Article 83.4 of the RGPD. SEVENTH: After notification of the motion for a resolution, the respondent submitted a letter of allegations in which, in summary, he stated "FIRST - That on September 28, 2020, it was awarded by Decree No 2497/2020 technical assistance service contract for support and updates in information security (ENS) and personal data protection (RGPD-LOPGDD) and the Data Protection Officer Service, for a period of 12 months to the company Start up CDF S.L. SECOND: The duty to communicate the appointment of the DPD by this City Council to the AEPD in accordance with the provisions of Article 34.3 LOPDGDD. THIRD: The proposal for a resolution of the AEPD indicates that "In this case the evidence is based on the documents provided with their allegations to the agreement of initiation that the respondent has appointed as Delegate of Data Protection: START UP, S.L. CIF B33667494." FOURTH - Taking into consideration the Judgment of the Audiencia Nacional de 29/11/2013, (ECR 455/2011), on the basis of the Sixth warning regulated in article 45.6 of the LOPD and regarding its nature legal warns that it "does not constitute a penalty" and that these are "measures corrective measures for the cessation of the activity constituting the infringement" replacing sanction. The Decision understands that Article 45.6 of the LOPD confers on the AEPD C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 a "power" different from the sanctioning power, the exercise of which is conditional on the concurrence of the special circumstances described in the precept. At congruence with the nature attributed to the warning as an alternative to penalty when, in view of the circumstances of the case, the subject of the offence is not and considering that the object of the warning is the imposition of corrective measures, the above-mentioned SAN concludes that where these measures have already have been adopted, it is appropriate in law to agree to the closure of the performances". In view of all that has been done, by the Spanish Data Protection Agency the following are regarded as established facts in these proceedings, FACTS FIRST: The person claimed lacks the figure of a data protection representative. SECOND: The City Council of Arroyomolinos, has contributed in the present the measures it has taken, including the penalties it has imposed: Technical assistance service contract for support and updates in information security (ENS) and personal data protection (RGPD-LOPDGDD) and the Data Protection Officer Service, for a period of 12 months. Communication of the appointment of the Data Protection Officer: START UP, S.L. CIF B33667494 Decree No 2497/2020 on the award of service contracts and proposals technical-economic of the company START UP CDF S.L. LEGAL FOUNDATIONS I By virtue of the powers conferred on each authority in Article 58(2) of the GPRS control, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the the Spanish Data Protection Agency is competent to resolve this procedure. II Public administrations act as data controllers of and, in some cases, they are in charge of the management of the processing, for which they are responsible, in accordance with the principle of proactive, to meet the obligations detailed in the RGPD, including the obligation to appoint a data protection officer and to notify the latter of his or her AEPD The obligation is imposed by Article 37 of the RGPD, which states C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 "1. The data controller and the processor shall appoint a delegate of data protection whenever: (a) the processing is carried out by a public authority or body, except courts acting in their judicial capacity Article 37.3 and 4 of the RGPD states about the designation of the DPD "When the the controller or the person responsible for the processing is a public authority or may appoint a single data protection officer for several of these authorities or bodies, taking into account their organisational structure and size. 4. In cases other than those referred to in paragraph 1, the person responsible or processing agent or associations and other bodies representing categories of managers or supervisors may appoint a delegate of protection or must designate it if required by Union or national law members. The Data Protection Officer may act on behalf of these associations and other bodies representing decision-makers or managers" The LOPDGDD determines in its article 34.1 and 3: "Designation of a delegate of data protection " 1. Data controllers and processors must appoint a delegate of data protection in the cases provided for in article 37.1 of the Regulation (EU) 2016/679 and, in any case, in the case of the following entities: 3. Data controllers and processors shall communicate within ten days to the Spanish Data Protection Agency or, where appropriate, to the authorities data protection, appointments, appointments and dismissals of employees the data protection delegates both in cases where they are obliged to be appointed as in the case of voluntary appointment. The infringement is contemplated as such in Article 83.4.a of the RGPD which states: "4. The infringements of the following provisions shall be penalised in accordance with the paragraph 2, with administrative fines of up to EUR 10 000 000 or in the case of an enterprise, an amount equivalent to a maximum of 2 % of total annual turnover for the previous financial year, opting for the largest: (a) the obligations of the person responsible and of the person appointed under Articles 8, 11, 25 to 39, 42 y 43;” Article 83.7 of the RGPD states: "Without prejudice to the corrective powers of the supervisory authorities under the ar- in accordance with Article 58(2), each Member State may lay down rules as to whether or not a of, and to what extent, imposing administrative fines on public authorities and bodies public bodies established in that Member State" Article 58(2) of the GPRS states: "Each supervisory authority shall have all the C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 the following corrective powers are indicated below: (b) sanction any person responsible for or in charge of the processing, with a warning as to how if the processing operations have infringed the provisions of this Regulation, the mento; (d) order the controller or processor to carry out the processing operations treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time". In this sense, Article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates: 1. The regime established in this article shall apply to the processing of who are responsible or in charge: c) The General State Administration, the Community Administrations the local authorities and the entities that make up the local administration. 2 "Where the persons responsible for, or in charge of, the activities listed in paragraph 1 commit any of the offences referred to in articles 72 to 74 of this law authority shall issue an opinion on the matter resolution sanctioning them with a warning. The resolution will establish also the measures to be taken to ensure that the conduct ceases or is corrected the effects of the infringement that has been committed. The decision shall be notified to the controller or processor, to the that is hierarchically dependent, where appropriate, and to those affected who have the status of interested party, if any." 4.The data protection authority must be informed of decisions that be made in connection with the measures and actions referred to in paragraphs previous. 5.They shall be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions taken and the decisions handed down under this article." III Article 73 of the LOPDDG states Infringements considered serious: "In accordance with Article 83(4) of Regulation (EU) 2016/679, the consider serious and will prescribe after two years any infringements involving a substantial breach of the articles mentioned in that one, and in particular the following: (v) Failure to comply with the obligation to appoint a data protection representative when his appointment is required in accordance with Article 37 of the Regulation (EU) 2016/679 and article 34 of this organic law" C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/7 By means of a statement of claim, the respondent has stated that he has already designated Data Protection Delegate. In spite of this, the Spanish Data Protection Agency has sanctioned the complainant with a penalty of a warning, since the latter must have had a delegate from data protection in accordance with article 37 of the RGPD, from 25 May 2018, when the RGPD came into force. Therefore, in accordance with the applicable legislation and assessed on the basis of graduation of the sanctions whose existence has been accredited, the Director of Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE on the ARROYOMOLINOS CITY COUNCIL, with NIF P2801500F, for a violation of Article 37 of the GPRS, as defined in Article 83.4 of the RGPD, a warning sanction. SECOND: TO NOTIFY this resolution to the CITY COUNCIL OF ARROYOMOLINOS. THIRD: To communicate this resolution to the Ombudsman, of in accordance with the provisions of Article 77.5 of the LOPDGDD In accordance with the provisions of Article 50 of the LOPDGDD, this The decision will be made public after it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, the the interested parties may, on an optional basis, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within one month to counting from the day following notification of this resolution or directly contentious-administrative appeal to the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from day following notification of this act, as provided for in Article 46(1) of the referred to Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, it is may suspend, as a precautionary measure, the final administrative decision if the the applicant states that he intends to bring an administrative appeal. If this is the case, the interested party must formally communicate this fact by written to the Spanish Data Protection Agency, submitting it through from the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in Article 16.4 of the the aforementioned Law 39/2015 of 1 October. It must also transfer to the Agency the documentation proving the effective filing of the contentious action C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/7 administrative. If the Agency is not aware that the action has been brought administrative proceedings within two months of the day following the notification of the present resolution, would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Data Protection Agency