AEPD (Spain) - PS/00244/2021
AEPD (Spain) - PS/00244/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 29.09.2021 |
Fine: | 5.000 EUR |
Parties: | CYNGASA, S.L. |
National Case Number/Name: | PS/00244/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | CSO |
The Spanish DPA (AEPD) fined a company €5,000 for transferring the data of an employee without legitimacy and, therefore, in breach of Article 6 GDPR.
English Summary
Facts
An employee signed an employment contract with the company Cyngasa, S.L. Some time later, the employee asked the Spanish Social Security for a employment history report. In this report, the employee found that, although he had signed the employment contract with Cyngasa, another company had registered him with the Social Security. That company was Calderería y soldadura de Estructuras Metálicas, S.L. Consequently, Cyngasa had transferred the employee's data to Calderería y soldadura de Estructuras Metálicas without justification and without the employee's consent.
Neither of the two companies involved responded to the requirements of the AEPD. This particular decision (PS/00244/2021) sanctions the company that transferred the data, but there is another decision of the AEPD in which it also sanctions the transferee company (PS/00245/2021).
Holding
The AEPD does not detail the reasons for the breach and simply points out that the transfer of an employee data to a third party company without consent is a breach of Article 6 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/5 Procedure No.: PS / 00244/2021 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) dated December 28, 2020 filed a claim with the Spanish Data Protection Agency. The claim is directed against CYNGASA, S.L. with CIF B70537774 (hereinafter, the reclaimed). The reasons on which the claim is based are that the claimant when requesting a report of working life has been aware that although his employment relationship was initially agreed with the company CYNGASA on 08/04/2020, this company He was withdrawn from social security without his knowledge on 08/07/2020 and was given registered again on 08/10/2020 in the company CALDERERIA Y SOLDADURA DE STRUCTURAS METALICAS, S, L ', without the consent of the claimant to CYNGASA for the transfer of their personal data, to said company. Along with the claim, provide a work life report SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), with reference number E / 01392/2021, a transfer of said claim to the defendant on February 26, 2021, to proceed with its analysis and inform this Agency within a month, of the actions taken carried out to adapt to the requirements provided in the data protection regulations. No response to this request has been received. THIRD: On May 11, 2021, the Director of the Spanish Agency for Data Protection agreed to accept for processing the claim presented by the claimant. FOURTH: On July 14, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure for the complained party, by the alleged violation of article 6 of the RGPD, typified in article 83.5 of the RGPD. In view of all the actions, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/5 FACTS FIRST: When requesting a work life report, the claimant has had knowledge of that the company complained about transferred your personal data to a third company without your consent. SECOND: On July 25, 2021, the respondent is notified of the agreement of initiation of this procedure, converting said agreement into a resolution proposal in accordance with articles 64.2.f) and 85 of Law 39/2015, of October 1, on Common Administrative Procedure of Public Administrations (LPACAP), at the Failure to make the claimed allegations within the indicated period. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, in its article 4.11 defines the consent of the interested as “any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns you ”. In this sense, article 6.1 of the RGPD establishes that “in accordance with provided in article 4.11 of Regulation (EU) 2016/679, it is understood by consent of the affected party any manifestation of free, specific will, informed and unequivocal by which it accepts, either through a statement or a clear affirmative action, the processing of personal data that concerns him ”. III In accordance with the evidence available at the present time, considers that the denounced events, that is, transferring the personal data of the claimant to the company of BOILER AND WELDING OF STRUCTURES METALICAS, S.L. without the prior consent of the owner of said personal data constitute a violation of article 6 of the RGPD. IV Article 72.1 b) of the LOPDGDD states that “depending on what is established in the Article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe At three years, the infractions that suppose a substantial violation of the articles mentioned in that and in particular, the following: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/5 c) The processing of personal data without any of the conditions of legality of the treatment in article 6 of Regulation (EU) 2016/679. " V Article 58.2 of the RGPD provides the following: “Each control authority will have of all of the following corrective powers listed below: b) direct a warning to any person in charge or in charge of the treatment when the treatment operations have infringed the provisions of this Regulation; d) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time frame; i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular; SAW This offense can be sanctioned with a fine of € 20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of greater amount, in accordance with article 83.5 of the RGPD. Likewise, it is considered that the sanction to be imposed should be adjusted in accordance with the following criteria established in article 83.2 of the RGPD: As aggravating factors the following: In the present case we are facing negligent action by the entity claimed (article 83.2 b) upon transferring the claimant's personal data to the company of BOILER AND WELDING OF METALLIC STRUCTURES, S.L. without the prior consent of the owner of said data. In addition, basic personal identifiers are affected, (art 83.2 g), such as name and surname, your social security number, work life, and so on. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE CYNGASA, S.L., with CIF B70537774, for an infringement of the Article 6 of the RGPD, typified in article 83.5 of the RGPD, a fine of 5,000 euros (five thousand euros). SECOND: NOTIFY this resolution to CYNGASA, S.L. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/5 THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to article 62 of the Law 58/2003, of December 17, by means of your entry, indicating the NIF of the sanctioned person and the procedure number at the top of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A .. Otherwise, it will be collected in the executive period. Received the notification and once executive, if the date of execution is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term it will be until the 5th of the second following or immediately subsequent business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of article 90.3 a) of the LPACAP, The final resolution may be suspended provisionally through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in article 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/5 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es