AEPD (Spain) - PS/00129/2020

From GDPRhub
Revision as of 11:44, 16 June 2021 by NN (talk | contribs)
AEPD (Spain) - PS/00129/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 03.06.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: PS/00129/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Emma RM

The Spanish DPA determined that the Spanish Tax Authority had complied with GDPR requirements when introducing a new biometric system used to register employee's working hours and building access. It further determined that the Authority had given data subjects adequate information about the system.

English Summary

Facts

A civil servant of the Spanish Tax Authority complained about their employer beginning to use a biometric system to register access and working hours of employees without proper information to the affected data subjects.

The Tax Authority rejected the claim by providing evidence that it had informed employees of the new system before starting to collect their fingerprints and additional information for use in the system.

Holding

The Spanish DPA held that the information provided by the Tax Authority to its employees was clear, precise and concise enough to satisfy the requirements of the GDPR. Furthermore, the Tax Authority also complied with the requirements of choosing the correct legal basis for the processing of sensitive data and of performing a Data Protection Impact Assessment.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/12










 Procedure Nº: PS / 00129/2020


                  RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the
following



                                     BACKGROUND

FIRST: The claims filed by two CLAIMANTS, see ANNEX
GENERAL have entry dates 04/10 and 05/13/2019, respectively, at the Agency

Spanish Data Protection. The claim is directed against STATE AGENCY OF
TAX ADMINISTRATION, with CIF Q2826000H (hereinafter, the one claimed). The
reasons on which the claims are based are that in the Delegation of the State Agency
of Tax Administration of *** LOCALIDAD.1, located at *** ADDRESS.1 of
*** LOCALITY. 1, it is planned to install an access and time control system to

officials and workforce based on a fingerprint system.

The claimants state that “it has begun to require obtaining the signature of
via email ”. They indicate that an attempt has been made to obtain information regarding
the legality of the transfer of these data as well as the correct treatment of the same and

that the data that the employer intends to obtain constitutes data especially
protected (biometric data). Such data is described in article 9.1 of the Regulation
(EU) 2016/679 of the European Parliament and of the Council of 04/27/2016 on protection
of natural persons with regard to the processing of personal data and the free
circulation of these data (hereinafter, GDPR). Article 9.2.b of the RGPD exempts
that prohibition of treatment if this is necessary for the fulfillment of obligations and the

exercise of specific rights of the person responsible for the treatment or of the interested party in the
field of labor law and social security and protection, insofar as it is
authorized by the Union law of the Member States or a collective agreement with
in accordance with the law of the Member States that establishes adequate guarantees,
existing the mandatory impact assessment on the protection of data derived from said

treatment violating the provisions of article 35 of the Regulation.

They consider that the implementation of the system is not proportional and does not comply with the law
planned.


Claimant 1, who claims to be a civil servant (file E / 5312/2019) provides a copy of a
e-mail "sent to the officials" of the claimed, of 04/10/2019, entitled

“New fingerprint identification system for access control and schedule
in the Delegation of *** LOCALIDAD.1 ”, in which it is reported:

  - The implementation of the system and that the employees will be summoned for the
take of the footprint. The date on which it is summoned appears.


  -The collection system registers "certain minutiae of the fingerprint, not the image of it",
"It is not possible to reconstruct the footprint they characterize." "This information is saved
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12








encrypted "

  -The AEAT is responsible for the treatment, indicating that article 9.2.1 b) applies as
exception for the aforementioned treatment as it is deemed necessary for the fulfillment of

obligations and exercise of specific rights of the person in charge or the interested party in the
field of labor law, to the extent authorized by Union or
Member States or a collective agreement under State law
members that establish adequate guarantees of respect for fundamental rights and
of the interests of the interested party; ”, indicating that“ consent will not be required, when the

data processing is carried out for the fulfillment of contractual relationships of a nature
labor, "regardless of whether it is specially protected data or not" From
of taking the fingerprint how each employee must sign in at the lathes, indistinctly with
fingerprint or electronic ID for entering or leaving the workplace "

A pdf ANNEX document is attached: "lathe information file" although it does not refer to its

content so it cannot be read.

  -A letter is also added that is entitled "new identification system through
fingerprint to control accesses and schedules in the *** LOCALIDAD.1 ”delegation, which
contains information on legal coverage as well as “basic information on
data protection ”, purpose, legal basis, person in charge, rights and additional information

detailed by clicking link.

-Copy of the document “Quick guide for the use of AEAT access control” that
accompanies, and in addition to a graphic explanation of the position of the finger and pressure on the
reader, figure that when the fingerprint is entered, “it is being checked against 1,000”, and “it ends

when your DNI number appears on the screen "
Claimant 2 (file E / 6247/2019), adds that the electronic DNI system of each
worker is used if a fingerprint mechanism error occurs and the system is running.
progressively implemented throughout Spain, and that not previously informed each

worker of the purposes and other mandatory legal requirements for the treatment.


SECOND: Upon receipt of the claim, the General Subdirectorate for Inspection of
Data proceeded to carry out the following actions:


The claims were transferred to the respondent for analysis and communication to the
complainants of the decision taken in this regard. Likewise, he was required so that in the
within a month send the Agency certain information:


       - Copy of the communications, of the adopted decision that has been sent to the
       claimant regarding the transfer of this claim, and accreditation that the
       claimant has received communication of that decision.

       - Report on the causes that have motivated the incidence that has originated the
       claim.


       - Report on the measures adopted to prevent incidents from occurring
       Similar.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/3








       - Any other that you consider relevant.


For claimant 2, the claim is transferred and responses are received on 07/29 and 10/10/2019.
It is indicated that the processes respond to the need to homogenize the systems of

access control and presence of personnel to the various buildings of the Tax Agency
because in some there are lathes, while in others there are only wall-mounted devices for
clocking, considering the fingerprint registration system easier to use than the system
of magnetic stripe card readers, which was a weaker system and generated
many incidents in the management of the life cycle of the cards, including the management of the
loss erased and so on. With an environment of more than 26,000 employees and more than 400

buildings, the project began in 2016. This measure was selected by a series of
guarantees such as that only a few minutiae are saved at the time the
paw print. The minutiae are stored encrypted and kept in a decentralized system
from where they are distributed to building lathes when employees are
expressly authorized to access. Each employee is authorized to access the

concrete buildings and in their lathes the encrypted minutiae are downloaded so that
each time the user wants to enter or exit they can be compared with the footprint that is put on
in the reader.

In June 2017, the beginning of the deployment of the solution was addressed. In a pilot phase,
carried out work by the working group to adapt to the General Regulations of

Data Protection, of the security and control commission and tax informatics, arriving
at the conclusion of its viability and proportionality on the basis of the legitimacy of the
Tax Agency to control access and hours of its employees.

When the RGPD came into force, the existence of biometric data in the
personnel file and in the register of treatment activities.


The implementation will be carried out gradually in all the buildings of the Tax Agency.
It has no end date.

Information and instructions were distributed to the offices where the implementation was to begin
of the system for distribution to employees with system information and

guarantees of each call of the employee to go through personnel to carry out the
registration of the fingerprints before starting the integration the offices that have considered it
timely. They have distributed this information in a personalized way by sending an email
electronic to each employee. In ANNEX 1 attached in evidence of corporate mail with
the information provided to employees used in the special delegation of
*** LOCALITY. 1.


Regarding the questions raised:

-They consider that the information provided to the employees of the offices is complete
clear and concise. The legal bases on which access control is carried out and

The guarantees are explained and the basic information required by the regulations is provided.

A link to the intranet of the Tax Agency was offered and more information is accessed
detailed. You can consult the record of treatment activities


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/12








There is no request for more information on the system in the contact mailbox
of queries made to the Data Protection Delegate



-As for the consideration of excessive treatment when there are other alternatives
stresses that employees are also informed that fingerprints are not stored
fingerprints but only a few minutiae or traces that are contrasted at the time of performing the

access control. From these minutiae it is not possible to reconstruct the complete footprint and
these minutiae are stored encrypted.

Provide a copy of ANNEX I that contains the same email provided by the claimant
1 of 04/10/2019 and the attached attachments.


In ANNEX II, the informative content of the access to the link offered in the information.


Provides ANNEX III, copy of the model call for fingerprint registration -which coincides with the
provided by Claimant 1, "basic information on data protection", purpose,
legal basis, person in charge, rights and additional detailed information by clicking on
link the information is completed - informing among other points:


"As an alternative to identification through fingerprint readers, for cases
where technical recognition problems arise, the new system will allow

also identification by electronic DNI. In this case the identification is based on
the reading of the public part of this certificate, which allows consulting the basic data of
identification (DNI number, name and surname), without the need for the worker
provide the PIN that protects the use of the certificates for authentication purposes
in electronic services or signature processes, nor will the data that may have

archived the chip of the DNI. In this case, the legal coverage of the data processing is
based on article 6.1.b) of Regulation (EU) 2016/679. "



In ANNEX II, the result of accessing the link offered in the basic information about
data protection, which generally informs about the processing of employee data
public for the fulfillment of legal obligations in the matter of personnel, including
among others the time control data.



In the second shipment, he sends a copy of the EIPD.

On 07/2 and 09/09/2019, the respondent responds to claim 1.
Provide a copy of EIPD Fingerprint


In response to the questions raised by the AEPD, it indicates that claimant 1
He is a worker of the AEAT and answers the questions with the same arguments as for
claimant 2.






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/12








THIRD: On 09/23 and 11/25/2019, in accordance with article 65 of the LOPDGDD, the
Director of the Spanish Data Protection Agency agreed to admit for processing the
claims filed.


FOURTH: On 09/30/2020, the Director of the AEPD agreed:

"INITIATE SANCTIONING PROCEDURE to the STATE ADMINISTRATIVE AGENCY
TAX, with CIF Q2826000H, for the alleged violation of article 13 of the RGPD,
contemplated in article 83.5.b) of the aforementioned Regulation.


For the purposes specified in the art. 64.2 b) of Law 39/2015, of October 1, on
Common Administrative Procedure of Public Administrations, the sanction that
could correspond would be of Apercibimiento ”.



FIFTH: The complainant dated 10/15/2019 presents the following allegations:


Claimant 2 is not an employee of the Tax Agency and with respect to claimant 1, the
04/26/2019 you were sent, like others, in your same situation, email

summoning you to register the minutiae of your fingerprint.

They attach a copy of said email informing you of the operation of the system,
responsible the Tax Agency, the legitimizing base and the indistinct system of the
fingerprint or electronic ID for entering and leaving the workplace and you are summoned to

take the fingerprint on 05/03.

A document called "lathes information file" was also attached, with a
informative content about the fingerprint system, which also contains
basic information on Data Protection, with the person in charge, the purpose, the basis

legal treatment, recipients and additional and detailed information with a
link. This email was also received by claimant 1, including acknowledgment
of receipt of 04/26/2019.

-Adds that on the violation of article 13, which specifies the principle of transparency of the
Article 5.1 a of the RGPD, consider that the data have been obtained directly from the

interested and has been informed with basic information and with a link to access the
simple way immediately to the rest of the information. The information is amply contained
in the document in which each employee is summoned to take their biometric data
as it refers that the person in charge is the Tax Agency, the purpose of the
treatment and the possibility of exercising the rights therefore it is considered that they are fulfilled

the requirements.

Provides a new copy of the fingerprint EIP.

As ANNEX 2, the information that appears by clicking the link that appears in the emails

electronic information and communication to employees and that provides and extends the
information on treatments related to human resources management.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/12








Provides a model call for fingerprint registration, which contains the information section
Basic on Data Protection and the link that expands the details and information
additional.


In ANNEX 4 provides a call 04/26/2020 new identification system through
fingerprint.

It is an email sent on 04/26/2019 to Tax Agency personnel, stating
among others the claimant 1. Again, the email contains information about the

system, the legitimizing base and the indistinct alternative system of the electronic DNI and the
pdf file called "lathe information file" of which a copy is provided for reading.
The document coincides with the informative account of the system, and it contains the section on
basic information on Data Protection and the link to additional information and
detailed information on Data Protection, as well as a graphic scheme called "guide

fast use of access control ”.

It also provides a copy of the acknowledgment of receipt 04/26/2019 of the email sent to
claimant 1.



SIXTH: On 04/22/2021, the Director of the AEPD agreed to change the
instructor.

SEVENTH: A resolution proposal was issued with the following literal:


“That the Director of the Spanish Agency for Data Protection declares the
ARCHIVE of the procedure due to non-existence of infringement by the STATE AGENCY OF
TAX ADMINISTRATION, with CIF Q2826000H, for the alleged violation of the
article 13 of the RGPD, in accordance with article 83.5 b) of the RGPD. "


Regarding the proposal, no allegations were received.


                                   PROVEN FACTS

1- In the Delegation of the State Tax Administration Agency of *** LOCALIDAD.1,

*** ADDRESS.1 of *** LOCALITY.1, it is planned to install an access system,
control and time registration for officials and workforce based on a system of
fingerprint. Gradually, the system is being implemented throughout Spain,


2-It is proven that the claimed sends an email to the employees, being
complainant 1 official, on 04/10/2019, entitled “new identification system through

fingerprint for access control and schedule in the *** LOCALIDAD.1 ”Delegation,
(model call for fingerprint registration) in which it is reported:

  - Of the implementation of the system for which it is responsible for the treatment, and of the next
summons each employee to take the fingerprint.


  -The collection system registers "certain minutiae of the fingerprint, not the image of it",
"It is not possible to reconstruct the footprint they characterize" and the "information is saved
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/12








encrypted "

  -The AEAT indicates that article 9.2.1 b) applies as an exception to the aforementioned
treatment when understanding necessary for the fulfillment of obligations and exercise of

specific rights of the person in charge or of the interested party in the field of labor law.

It is accompanied by email:

 -An ANNEX pdf document: "lathe information file" entitled "new system of
identification by fingerprint to control access and schedules in the delegation of

*** LOCALIDAD.1 ”, which contains information on legal coverage as well as
"Basic information on data protection", purpose, legal basis, responsible,
rights and additional detailed information. There is also a reference to a link in the
that by clicking on link information is added.


The document "Quick guide for the use of AEAT access control" with an explanation
graph of the position of the finger and pressure on the reader, figuring that when the
fingerprint, “it is being checked against 1,000”, and “it ends when its number of
DNI ”.

3- The complained party has a data protection impact assessment document
about the collection system, fingerprint registration for the purpose of registration and control
schedule.

4-The respondent provides a copy of the same content of the email provided by claimant 1, if

Well, this shipment foresees another date for the call for fingerprint collection and your name and
surnames as recipient, being sent on 04/26/2020.


                              FOUNDATIONS OF LAW


                                               I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the
Spanish Data Protection Agency is competent to resolve this procedure.


                                               II

Biometric data is closely linked to a person, since it can
use a certain unique property of an individual for identification or

authentication.

According to Opinion 3/2012 on the evolution of biometric technologies, “The data
biometrics irrevocably change the relationship between the body and identity, since
make the characteristics of the human body machine-readable and
subject to further use. "


In relation to them, the Opinion specifies that it is possible to distinguish different types of treatment
noting that “Biometric data can be processed and stored in different ways.
Sometimes the biometric information captured from a person is stored and processed in

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/8








gross, which makes it possible to recognize the source from which it comes without special knowledge;
For example, a photograph of a face, a photograph of a fingerprint, or a recording of
voice. Other times, the raw biometric information captured is treated in such a way that only

certain characteristics or traits are extracted and saved as a biometric template. "

The processing of these data is expressly permitted by the RGPD when the
The employer has a legal basis, which is usually the employment contract itself. TO
In this regard, the STS of July 2, 2007 (Rec. 5017/2003), which has understood legitimate the
treatment of biometric data carried out by the Administration for the time control of

its public employees, without the prior consent of the workers being required.

However, the following should be noted:

        - The worker must be informed about these treatments.


        - The principles of limitation of the purpose, necessity,
proportionality and data minimization.

In any case, the treatment must also be adequate, pertinent and not excessive in
relation to said purpose. Therefore, biometric data that are not necessary for

that purpose should be removed and the creation of a database will not always be justified
biometrics (Opinion 3/2012 of the Art. 29 Working Group).

        - Use of biometric templates: Biometric data must be stored as
biometric templates whenever possible. The template will need to be removed in a

that is specific to the biometric system in question and not used by others
data controllers of similar systems in order to ensure that a person only
can be identified in biometric systems that have a legal basis for
this operation.


        - The biometric system used and the security measures chosen must
ensure that re-use of the biometric data in question is not possible for
other purpose.

        - Mechanisms based on encryption technologies should be used in order to avoid the
unauthorized reading, copying, modification or deletion of biometric data.


        - Biometric systems must be designed in such a way that the
identity bond.

        - You must choose to use data formats or specific technologies that

prevent the interconnection of biometric databases and the disclosure of data not
proven.

        - Biometric data must be deleted when they are not linked to the purpose
that motivated their treatment and, if possible, mechanisms should be implemented

automated data deletion.

                                               III


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/12








The legitimacy for the treatment of the fingerprint for the control of the workers
on the part of the employer we must look for it in article 9 and 6 of the RGPD.


Article 9 of the RGPD establishes in its sections 1 and 2.b) the following:

        "1. The processing of personal data that reveal the origin is prohibited
ethnic or racial, political opinions, religious or philosophical convictions, or affiliation
union, and the treatment of genetic data, biometric data aimed at identifying
uniquely to a natural person, data related to health or data related to life

sexual or sexual orientations of a natural person.

        2. Section 1 shall not apply when one of the circumstances occurs
following:


… B) the treatment is necessary for the fulfillment of obligations and the exercise of
specific rights of the data controller or interested party in the field of
Labor law and social security and protection, insofar as authorized by the
Union law of the Member States or a collective agreement under the
The law of the Member States that establishes adequate guarantees of respect for the
fundamental rights and interests of the interested party. "


Article 6.1.b) of the RGPD indicates:

        "1. The treatment will only be lawful if at least one of the following is met
terms:

        b) the treatment is necessary for the performance of a contract in which the
interested party is party or for the application at his request of pre-contractual measures. "

The claimed has legitimacy, based on the indicated regulations, to carry out the
labor control of its workers, as long as it meets the requirements indicated in the

Second Law Foundation.

The infringement imputed in the agreement to initiate article 13 of the RGPD, was for not informing
with all the guarantees of the planned treatment, adoption of the mechanism for the control of
schedule to employees by fingerprint.


 This article determines the information that must be provided to the interested party in the
moment of collecting your data, establishing the following:

 "Article 13. Information to be provided when personal data is obtained
Of the interested.


        1. When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide you with all the
information listed below:


        a) the identity and contact details of the person in charge and, where appropriate, of their
        representative;
        b) the contact details of the data protection officer, if applicable;


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/12








        c) the purposes of the treatment to which the personal data are destined and the legal basis
        of the treatment; 4.5.2016 L 119/40 Official Journal of the European Union EN
        d) when the treatment is based on article 6, paragraph 1, letter f), the interests

        legitimate of the person in charge or of a third party;
        e) the recipients or categories of recipients of personal data, in their
        case;
        f) where appropriate, the intention of the person responsible to transfer personal data to a third party
        country or international organization and the existence or absence of a decision of
        adequacy of the Commission, or, in the case of transfers indicated in the

        Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the
        adequate or appropriate warranties and the means to obtain a copy of these or
        to the fact that they have been borrowed.

        2. In addition to the information mentioned in section 1, the person responsible for the

treatment will provide the interested party, at the time the personal data is obtained,
the following information necessary to guarantee fair data processing and
transparent:

        a) the period during which the personal data will be kept or, when it is not
        possible, the criteria used to determine this deadline;

        b) the existence of the right to request the data controller for access to the
        personal data relating to the interested party, and its rectification or deletion, or the limitation
        of its treatment, or to oppose the treatment, as well as the right to portability
        of the data;
        c) when the treatment is based on article 6, paragraph 1, letter a), or the

        Article 9, paragraph 2, letter a), the existence of the right to withdraw consent in
        at any time, without affecting the legality of the treatment based on the
        consent prior to its withdrawal;
        d) the right to file a claim with a supervisory authority;
        e) if the communication of personal data is a legal or contractual requirement, or a

        necessary requirement to sign a contract, and if the interested party is obliged to
        provide personal data and are informed of the possible consequences of
        not provide such data;
        f) the existence of automated decisions, including profiling, to which
        referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
        significant on the applied logic, as well as the importance and consequences

        provided for said treatment for the interested party.


        3. When the data controller plans the further processing of data
personal data for a purpose other than that for which they were collected, will provide the

interested party, prior to said further processing, information on that other purpose and
any additional relevant information pursuant to section 2.

        4. The provisions of paragraphs 1, 2 and 3 shall not apply when and in the
to the extent that the interested party already has the information ”.


Regarding the alleged infraction of lack of information, it is proven not only that
given, but rather the one that has been given before the data was collected, and it is estimated that


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/12








sufficient, adequate and comprehensive. It gives meaning and explains what the registration of the
footprint, its purposes, and graphically the operation of the system.


Although part of the claims, both allude to the fact that he had not obtained information
additionally, it should be indicated that the information provided as well as the added links
They are adequate and do not imply a reduction in the rights of those affected. The
information that contemplates the RGPD and the LOPDGDD, warning that the claimed has been
preparing the gradual application of the measures with the organizational adaptations and
techniques that involve the deployment of the system, so the procedure must be

filed as there is no violation.

Therefore, in accordance with the applicable legislation,

the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the FILE of the procedure for non-existence of infringement of the
Article 13 of the RGPD of the STATE AGENCY OF TAX ADMINISTRATION, with
CIF Q2826000H.

SECOND: NOTIFY this resolution to the STATE AGENCY OF

TAX ADMINISTRATION with the sending of the attached General Annex.

THIRD: In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the Director of
the Spanish Data Protection Agency within a month from the day
following notification of this resolution or directly contentious appeal

administrative law before the Contentious-Administrative Chamber of the National Court, with
in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision
of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,
within two months from the day following notification of this act,
as provided in article 46.1 of the aforementioned Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may
provisionally suspend the final administrative resolution if the interested party manifests
his intention to file a contentious-administrative appeal. If this is the case, the
The interested party must formally communicate this fact by writing to the Agency
Spanish Data Protection, presenting it through the Electronic Registry of the

Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the
remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1.
You must also send the Agency the documentation that proves the filing
effective contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the date

following the notification of this resolution, it would terminate the suspension
precautionary.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/12













                                                                                            938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection















GENERAL ANNEX

CLAIMANT 1- D. A.A.A.


CLAIMANT 2- D.B.B.B.












































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es