AEPD (Spain) - EXP202100897
AEPD - PS-00520-2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 83(2) GDPR Article 83(5)(a) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 26.07.2021 |
Decided: | |
Published: | 11.10.2022 |
Fine: | 12.000 EUR |
Parties: | Sean Serios S.L |
National Case Number/Name: | PS-00520-2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
The Spanish DPA fined an academy with € 12.000 for publishing a list with the results of a selection process. The controller reworked a list published by the organising authority and grouped the candidates by categories which informed about their health data (disability). The controller relied on legitimate interest.
English Summary
Facts
The data Subject submitted a complaint against one training academy (the controller) since their personal data was published on their website. The data involved the results of a selection process in which the data subject participated; specifically, the document contained a list elaborated by the controller with the names, last names, anonymised ID number and the category in which the participant was included. This allowed the identification of health data (disability).
In addition, the list corresponded with the provisional publication of results by the Galician Health Services (SERGAS), the authority competent for the examination and selection of candidates. Both lists are different, thus the controller made a re-work of the official list by selecting some candidates, grouping them by categories, breaking down their marks (studies, work experience, other activities) and assigning their position according to their total score.
The Spanish DPA started a sanctioning proceeding against the controller due to a violation of art. 6.1 GDPR for the lack of legal basis for the processing of personal data, including special category. Furthermore, on the publication it is not included the mandatory information regarding the origin of the data nor the right to object.
On their claims the controller argued that the legal basis was the legitimate interest since it is an academy which offers training courses and the publication was made with the aim of showing the participants, in a clearer way, the position obtained and stating that is not a processing carried out in the context of their activity since it was done only once, in relation with that specific selection process. Another argument was that the information had been made public by the SERGAS and that candidates who participate in those public selection processes expect their data to be published due to the transparency obligation of those processes.
The controller’s website showed that the company’s activity is the training of candidates to participate in public selection processes. The privacy policy contains as motive for the processing “the set-up of the student’s profiles to access the training resources, deliver their services, invoicing and send commercial communications”. The legitimacy was based on “the data subject consent”. Finally, the justification of the data’s origin was “the interested person [data subject]” and the category of data processed were “identification data, postal and electronic addresses, economic data” stating that “special category of data is not processed”.
Holding
In the first place the DPA stated that the publications on a website of data subject’s name and last name is per se considered as personal data, moreover, in this case it is distinctive since this publication is not a usual activity of the controller (as argued by them). Those data allow the identification of the data subject since the list contains people who fulfil the requirements to enroll in a specific category, adding more elements to allow the identification by a broader audience.
Regarding to the claim of the public character of the data since it was published on the SERGAS website, the DPA considers that a website is not a public accessible source. In addition, in case that the data was made public by a public entity it was done for a specific purpose and further processing, specially by other parties, must rely on its own legal basis.
When it comes to the concept of public accessible sources, GDPR regulates it in the context of the right to information and only when the data has not been collected from the data subject. Thus, in any case, data contained in a publicly accessible source must have a legal basis for further processing.
Regarding the legitimate interest, the DPA states that recital 47 GDPR “the rights an interest of the data subject could prevail in cases where the processing occurs in circumstances that don’t allow the expectation of the data subject of a further processing”. It is important Article 29 Working Party’s guidelines 6/2014, in which it is stated that it is necessary to take into account not only the data subject’s fundamental rights and freedoms but also their interests and that “legitimate” involves the need of the processing and the use of the least invasive methods to achieve the same end. For instance, the controller should have informed only to their students about the results but opted to inform the public in general.
About impact assessment the DPA highlighted the elements to include such as the bargaining position of the parties (especially the controller’s), if there is a reasonable expectation of further processing, the way that the controller handles the data (including if there is profiling or not) and the need of a balancing exercise between the data subject’s rights and interests and the controller’s legitimate interest whose results must show a prevalence of the latter, being the only case to rely on article 6.1(f).
In the present case the Spanish DPA does not observe a prevalence of the controller’s interest over the data subject’s rights due to firstly, lack of necessity being an isolated processing; secondly, lack of information to the people included on the list which might suppose a surprising processing for them; the publication of the results for a specific category of the selection process; violation of storage limitation principle (the publication lasted for more than three months); incomplete impact assessment, the controller considered the fact that the data was already on a website but didn’t include other elements of the risk such as the impact of the publication on the controller’s website; no inclusion of information regarding the right to object which is mandatory when relying on legitimate interest as legal basis for the processing (article 21.1 GDPR).
Furthermore, the DPA states that the organising entity and controller perform a different processing of the data not only for the difference of legal basis, but also because the controller reworked the list of results, showing the personal data in a different format which aims to inform especially by adding health data.
Finally, the DPA fined the company with € 12.000 for a violation of article 6.1 GDPR, according to article 83.5 GDPR in relation to severe violations.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/23 File No.: EXP202100897 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated 07/26/2021, filed claim before the Spanish Data Protection Agency. The claim is directed against SEAN SERIOS S.L. with NIF B70528989 (hereinafter, the claimed party). The claimant states that in the URL: https://www.cursosefficients. (...), appear published a list with the results of a selective process of opposition competition convened by SERGAS, which contains the personal data of the people who they agreed for the turn of (...). It ends by requesting “remove said URL”. You access the url in which the elaboration ***DATE.1 appears in the lower left, in the right "prov competition (...).Sergas". The information that appears is, of 95 candidates, three pages, with the name and surnames, the anonymized DNI in accordance with the provisions of the D.A. 7th of Organic Law 3/2018, of 5/12, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), and the notes broken down in opposition, and competition, this aspect last one that frames and distinguishes: training, experience, other activities. Then he follows the column of “total”, and “order number”. Next to each candidate, in the column "Access" can be read (...). The claimant is ranked XX, and all candidates they are listed in DI access sorted by total score. There is no reference to identification of any specific call or process. The "privacy policy" of the claimed party that offers training courses is accessed, and is incorporated into the procedure. In "purpose of data processing", there is the sending of advertising related to your data. services and products. The data will be kept as long as the relationship is maintained commercial or during the years necessary to comply with legal obligations. In section 7, “origin”, “how have we obtained your data?” They state: “the data data that we treat come from the interested party. The categories of data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/23 they treat are identification data, postal or electronic addresses, economic data, specially protected data is not processed.” SECOND: In accordance with article 65.4 of the LOPDGDD, a transfer of said claim to the claimed party, so that he proceeded to analyze it and inform this Agency within a month, of the actions carried out to adapt to the requirements set forth in the data protection regulations. In the transfer it reported: “FACTS GIVING RISE TO THE CLAIM: The claimant states that on the website webcursosficients.com appears published a list with the results of a process selection of opposition contest convened by the SERGAS, in which the personal data of the people who accessed the shift (...)” On 08/23/2021, the electronic submission appears accepted, without having received response. THIRD: On 10/26/2021, in accordance with the provisions of article 65.5 of the LOPDGDD, the processing of the claim continues. FOURTH: On 01/13/2022, the Director of the AEPD agreed: “INITIATE PUNISHMENT PROCEDURE against SEAN SERIOS S.L., with NIF B70528989, for the alleged infringement of article 6.1 of the RGPD, in accordance with the article 83.5.a) of the RGPD, typified as very serious for the purposes of prescription in the article 72.1.b) of the RGPD, with an administrative fine of 12,000 euros (twelve thousand euros). For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10 of the Procedure Common Administrative of Public Administrations (hereinafter, LPACAP), the sanction that could correspond would be an administrative fine.” FIFTH: On 01/28/2022, allegations were received from the respondent in which states: - Provides a copy of the publication of the Official Gazette of Galicia of ***DATE.1, section oppositions and competitions, Galician Health Service, RESOLUTION of ***DATE.2, of the General Directorate of Human Resources, through which the provisional scores of the contest phase of the selective process for admission in the category of (...), summoned by the Resolution of ***DATE.3, which states: "The eighth base of the Resolution of the General Directorate of Human Resources of (...), by which a contest-opposition is called for entry into the category of (...) of the Galician Health Service, provides that, carried out by the court, the assessment of the merits provided by the applicants, the General Directorate of Human Resources will publish, in the Official Gazette of Galicia, the announcement of its exhibition with an indication of the provisional score obtained by each applicant in the different sections, as well as the total evaluation of the contest phase. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/23 Resolves first: Publish on the website of the Galician Health Service (www.sergas.es), the provisional scores of the contest phase obtained by the applicants who passed the opposition phase of the selective process for the admission in the category of (...), summoned by Resolution of ***DATE.3. Each applicant may also consult the details of the score obtained in the different sections of the scale, in your personal electronic file at Fides/expedient-e/ process section. Resolves second, the possibility of presenting a claim against the results of the provisional assessment In the annex, which is provided with the published list, there is the SERGAS logo, scale provisional, competition phase (broken down into: training, experience and other activities) and the note of the opposition, ordered by total score from most to least, and surnames, and together all access systems (DI: disability, LI: free, Pri: internal promotion), including the one claimed. -The reason for the publication, in the case of public information, is: "to publicize the results published by SERGAS, since many of the participants in the process of selection were students of our Academy”, trying to facilitate access to the public information". -States that prior to publishing the list they carried out an "analysis of regulatory compliance” in order to confirm whether said publication could imply or not a violation of the Data Protection regulations, reaching the following conclusions: The information that was intended to be published was information published on the website of SERGAS, which is part of a selective process whose advertising and dissemination is established by a norm with the rank of Law This information is previously anonymised, as the number has been hidden. of the DNI of the participants, and the name and surname of only one person per se itself should not be considered personal data as there are numerous people with the same name and surname. “They are neither identified nor reliably identifiable. They continued with their analysis considering that "it could be a treatment of public personal data. The next approach was to determine the applicable legal basis, concluding which would be the legitimate interest consisting in facilitating access to the results provisions of the opposition contest, in the case of information previously made public what the previous regulations called sources accessible to the public, which considers applicable to the case in an entity that especially focuses on the professions sanitary C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/23 “Since it is public information, having been published in the Official Gazette of Galicia and on the Sergas website we understood that the rights and freedoms of the interested parties. -Refers to the judgment of the Court of Justice of the European Union of 24/11/2011 matter accumulated C 468/2010 National Association of Financial Credit Establishments (ASNEF), and C 469/2010 Federation of Electronic Commerce and Direct Marketing (FECEMD) which resolves the preliminary questions raised by the Court Supreme Court and in which the direct effect of article 7 f) of the Directive 95/46/CE. In its recitals 44 and 45 it refers to the sources accessible to the public considering that there is a minor impact on the private life of the interested party since the information is public knowledge. “The third party or third parties to whom communicate the data do not access data related to the private life of the interested party, given that the information is already public knowledge. The severity of the injury fundamental rights of the person affected by such treatment may vary in depending on whether or not the data already appears in publicly accessible sources. -They have deleted the aforementioned publication -They consider relevant to show that public information is currently is published and available on the Sergas website accompanies the Sergas address in which the aforementioned list is available, ***URL.1 and another access address to the “complete, contracting” procedure. ***URL.2 Does not accompany the access made at the time of submitting your written, nor is any element viewed. -The claimant at no time addressed the claimed by any means requesting suppression of information -States that he has acted in the belief that the treatment was adjusted to the RGPD, because prior to carrying out the treatment object of the claim they have made a “regulatory compliance analysis”. -Requests that a warning be applied instead of an economic sanction and in the event that apply this, that the sanction be reduced to 600 euros, considering the lack of intentionality and that it was limited to publishing public information, and there is no recidivism. SIXTH: On 05/24/2022, the testing period is opened, as provided in the Article 77 and 78 of Law 39/2015, of 1/10, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), agreeing to consider reproduced for evidentiary purposes, the claim filed and its documentation, as well as the documents obtained and generated during the admission phase of the application claim. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of initiation of the referenced sanctioning procedure, presented by the claimed party, and the accompanying documentation. The respondent is requested to report or provide the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/23 a) Reason why they only published the list of opponents of the turn (...), and reason why that they only made the sequential ordering by score order of these (...) for their differentiated ordering. On 06/15/2022, a response was received indicating that its purpose was to facilitate the access to interested parties in an orderly manner, different from the mode of publication in alphabetically, so that people, “many of them clients of our academy” can verify if your score gives you access to the job or not. It states that, on this occasion, SERGAS did not publish at the same time by order alphabetical and punctuation, but did it first only by alphabetical order, falling behind exposure by score. Provides a copy of the "general list of the definitive scale", contest phase of the SERGAS, (...), in which it appears arranged first in alphabetical order, followed by of the total score, date of elaboration ***DATE.4, the descending order is appreciated of the scores on the right side of the points, and arranged alphabetically in the left side, and a copy of the same SERGAS list, same date and titles, but ordered from the alphabetical criterion, without preference for the punctuation. It adds that in the publication of the provisional list the lists were only published mode or alphabetical order, always ordering by the one claimed by "punctuation and access” the list previously published in alphabetical order. a) Number of people who through their courses prepared for this call, through its services, and in what shifts. It states that "it is not a center for preparing oppositions, so it does not have closed groups that prepare a specific category of SERGAS. The training that teaches Efficient Courses is aimed at the merit phase, specifically it facilitates the Obtaining the points corresponding to the continuous training section in the phase competition.”, referring to cross-cutting subjects, information technology, risk prevention labor etc., scored in any of the SERGAS categories in the section on “continuous training”, being difficult to discern for which category that course has been used each student. b) Reason why there were people who were preparing this call, it was not They limited themselves to putting only their data on their website or sending them exclusively their results. It is answered with the answer of the previous point. d) Reason why they did not index an informative literal of the data collection and rights on your web page that was published. If you currently have collected data from Newsletters public employment web pages, indicate address. He points out that what they usually report is by way of news, the publications of calls made by SERGAS with direct links to its website. Give examples of links that from the website of the claimed party leads to the section in which it reports the resolution in which the listings are published. The page contains the information that has been C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/23 published on the web, by way of example, of SERGAS and the categories appear and "click here" Pressing takes you to the SERGAS extranet with the information "What we want to show is that in an exceptional and motivated way that the Sergas had not yet published the list in order of punctuation, we consider that in the case of information already published in a source accessible to the public such as the Official Gazette of Galicia and the website of the public body of SERGAS, would not imply a impairment of the rights of the participants that the list was ordered by punctuation". They also add that the complete DNI number was not published, since it was anonymized. It accompanies the news of its website of "ordered list of scores of the phase of contest of the opposition ***CATEGORY.1 of Sergas”, referring to the publication on *** DATE.1 on the Sergas website of the provisional lists of the phase of contest of the oppositions of different categories and points out that since it has not yet published the lists ordered by scores of the contest phase, referring to the call for ***DATE.3, "here you have them in PDF format (...), with links for each one of the shifts (free, internal, disabled). c) Copy of the record of treatment activities related to the exposure in your data web of public calls. States that its record of treatment activities does not include as such the publication on the web of information related to public calls, and that it is not an activity that they will carry out in the future. On their website they limit themselves to publishing news about publications related to calls or updated information on news published by the public administrations in relation to oppositions or contests that are being processed. Its website usually refers to the news by making a link to the body's website posting public, but never post listings directly. The only time and evidently the last one has been the publication that is the object of this process. They consider that it was a one-off event that they corrected immediately. d) In relation to your alleged legitimate interest for the treatment, you are requested to provide the document in which the consideration and analysis of said base was carried out legitimizing, and specifically how it took into account the rights and freedoms rights of those affected and because their rights to the legitimate interest do not prevail alleged, and the offer of opposition to the treatment and the causes, considering, In addition, only the disabled option appears published, and grouped. Statement that accompanies the "regulatory compliance analysis" report, dated 12/6/2019, referring to the information from the DOG of ***FECHA.1 and the SERGAS extranet, to order the already published list based on the scores obtained by the participants in the contest of the (...). It refers to the analysis of the treatment and conformity to the regulations, that the NIF number is partially, with name and surnames and punctuation. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/23 It does not refer to (...). “Indicates that by not having the complete number of the NIF it is not possible to consider information of a personal nature that identifies a specific person.” It seems that it would not be possible that “without making disproportionate efforts, will identify the participants except for those people who have a prior knowledge that a certain person is going to present himself to the referred contest but they will not be identifiable for the rest of the population” Then he indicates that It deals with public information that has to be disseminated by regulations with a range of Law, they must assess the legitimating basis, and refers to article 6.1 f) of the RGPD adding now that it is information that "we can consider as sources accessible to the public, since they have been previously published in an Official Gazette of Galicia and on the SERGAS extranet without the interested parties being able to oppose said treatments and even its publication being a legal obligation to which the users submit. interested by the mere fact of participating in the selection process. Add that considers that Royal Decree 1720/2007 has not been repealed, and in this regard it highlights its article 7. “For this reason it seems reasonable to think that the rights of interested parties cannot prevail against the legitimate interest pursued considering that When the data appears in sources accessible to the public, the person in charge and, where appropriate, the third party or third parties to whom the data is communicated do not access data related to the private life of the interested party given with the information is already public knowledge according to recitals 44 and 45 of the judgment of the Court of Justice of the European Union of 11/24/2011, as a consequence there is a minor impact on the rights of the interested party, which that must be appreciated at its fair value in the weighting with the legitimate interest pursued by the data controller or by the third party or third parties to whom communicate the data.” “with regard to the weighting required by article 7 letter F of Directive 95/46, the fact that the seriousness of the the infringement of the fundamental rights of the person affected by said treatment may vary depending on whether or not the data already appears in sources accessible to the public” “Taking into account that the only purpose pursued by the treatment that is intended to carry out is to facilitate access to interested parties to some lists ordered in depending on the score obtained, that many of the participants in the contest are students of our center, the requirements that legitimize the treatment in based on the provisions of article 6.1 f) of the RGPD.” e) If you have any document that accredits and verifies the date of your withdrawal can contribute it. It states that "as indicated in our pleadings brief, once notification of the initiation of this sanctioning procedure and once our advisors were able to review the information that has been the subject of the same, dated 20 January 2022, an email was sent, requesting the company to manages our website, so that it proceeds to immediate deletion” accompanies in document 3 and 4 copies of the email sent and the company that manages the web page that verifies the date of deletion, including both the link of the news like those of each of the shifts. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/23 4). The Instructor will verify if in the URL***URL.2 the data of the claimant. If you have any document that accredits and verifies the date of your withdrawal can bring it. For this purpose, on 06/7/2022, the internet was accessed in the GOOGLE search engine, and entered the URL indicated by the complainant without finding information in the page. It is accredited by diligence incorporated into the procedure. SEVENTH: On 07/13/2022, a resolution proposal was issued, from the literal: “That by the Director of the Spanish Agency for Data Protection, a sanction is made for SEAN SERIOS S.L., with NIF B70528989, for an infringement of article 6.1 of the RGPD, typified in article 83.5 a) of the RGPD, with a fine of 12,000 euros.” EIGHTH: The respondent, dated 07/27/2022, states: 1-No further treatment and different from the pursued by the publication in the Official Gazette of Galicia, has not incorporated any additional information, no communications have been made to the interested parties. 2-Reiterates that due to the provisions of the sole repeal of the LOPDGDD: "there are repealed as many provisions of equal or lower rank contradict, oppose, or are incompatible with the provisions of Regulation (EU) 2016/679 and in this organic law”, considers that the Royal Decree 1720 2007 that develops the LOPD would be applicable and establishes as sources accessible to the public the publications of newspapers and official bulletins, lacking the unlawful component of the infraction. 3-Reiterates that the impact on the rights of the interested party is less as it is data that come from sources of public access, "which must be appreciated at its fair value in weighting with legitimate interest”. Your interpretation of legitimate interest is plausible and justified, which evidences the lack of intentionality, fault or negligence legally required for the imposition of administrative sanctions. 4-The amount is disproportionate, "it is not a large company, it is a micro-SME". The purpose was to improve access to public information, accessible through sources accessible to the public, ordered by punctuation, instead of being ordered by alphabetical order. "The magnitude of the amount calls for its dissolution and subsequent liquidation." It should not be considered as a continuing infringement, "because said listings with the same information continues to be published on the SERGAS website”. It is also not credited “the alleged damage that may have been caused” to the claimant. There is no intentionality. No benefit was obtained, "the only purpose was that our students, who were part of this selective process, could verify more The score achieved is simple. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/23 5-Request the file for being your action adjusted to law, or exoneration of liability for lacking the elements of fault or negligence. Subsidiarily, it appreciate a qualified decrease in culpability or unlawfulness, resulting sufficient a warning or failing that, a minimum sanction. NINTH: Of the actions carried out in this procedure and the documentation in the file, the following have been accredited: PROVEN FACTS 1) The claimant states that in the URL ***URL.1 their data is published in a listing on a selective process of competition convened by the SERGAS. 2) The list that is contained in the URL, in pdf, is a specific preparation of the claimed, which contains only data from the shift of (...), three pages, the title indicates: “(…) elaboration ***DATE.1”. The list is ordered by total points and consequent order number, up to 104 candidates. The claimant is listed at number XX with the last three digits of the NIF and surnames and name, with the key (...), 3) The official publication of this provisional ranking of the applicants was made in the SERGAS web page, as enabled in the resolution of ***DATE.2, of the General Directorate of Human Resources, by which the scores are made public Provisional results of the contest phase of the selective process for entry into the category of (...), summoned by the Resolution of ***DATE.3 (DOG of ***DATE.1). As such listed, it is not published in the aforementioned Official Gazette. The official publication, differs of the one of the claimed one, in the copy of the official one that the claimed one contributes in its allegations, there are 80 pages, figuring the shifts mixed, and ordered by the total score obtained, the mark of the opposition and the contest phase (training, experience, other activities), and in alphabetical order, including the one claimed in the listed as it appears in the list of the claimed. 4) The page www.cursosefficients.com is dedicated to training courses such as Academy, and is the owner of the claim, thus appearing in "privacy policy". impart courses of different types and modalities that count in the training section continuation of calls. 5) In the privacy policy of the “efficient courses” website, it is indicated: 2. PURPOSE: For what purpose do we process your personal data? in Sean Serios S.L. We treat the information provided by interested persons for the following purposes: Manage registration to allow access to our systems Provide the requested service, bill it. Send advertising related to our products and services 4. LEGITIMATION: What is the legitimacy for the processing of your data? The legal basis for the treatment of the data is the consent obtained from the interested party, In addition to contracting the services C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/23 7. ORIGIN: How have we obtained your data? The personal data that we treat in Sean Serios S.L come from the interested party The categories of data that are treated are: Identification data. Postal or electronic addresses. Data Economic. Specially protected data is not processed 6) After receiving the initiation agreement, the respondent stated that she had withdrawn the page from her website, fact that is verified in the testing phase. 7) The respondent points out that she published the list because she gives courses that count in the assessment of the contests, in "training", without specifically identifying that the claimant would have given any for his score, or what courses may be the one in this case counted, and that its basis of legitimation is the legitimate interest, in the case of public information or information accessible to the public to which the interested parties cannot oppose for being a legal obligation for the fact of participating in a selective process 8) The Resolution of the General Directorate of Human Resources of ***DATE.3 (DOG no. XX, of XX/YY), for which a competition-opposition is called for entry into the category (...) considers the "training" section as a scale, including the assessment of courses such as occupational risk prevention, clinical management that can be offered by the claimed. 9) The defendant usually informs through the news section on its website about the calls, offering direct links to the entities so that they can be seen, for example the listings. In the case of the claim, he adds that he published by score obtained, for name and surname, (...), so that the participants could more easily see the order obtained, stating the same (its publication) in the other shifts (this is deduced from the internal mail sent on 01/20/2022, after receiving the startup agreement to a company to to delete the list, also including a referenced free shift list) and due to that the SERGAS list had a different order. 10) The publication carried out is not supported by a treatment activity that contemplate the claim, pointing out that it is the only time that it has been exposed in relation with oppositions or competitions that are being processed. 11) In the publication of the list prepared by the claimed party, it is not indicated or informed of the origin of the data, nor any information nor the right to oppose, that based on a legitimate interest in processing, should be offered. FOUNDATIONS OF LAW Yo C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/23 In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47 and 48.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II The GDPR defines 1) "personal data": any information about an identified natural person or identifiable ("the interested party"); An identifiable natural person shall be deemed to be any person whose identity can be determined, directly or indirectly, in particular by means of a identifier, such as a name, an identification number, location, an online identifier or one or more elements of the identity physical, physiological, genetic, psychic, economic, cultural or social of said person; 2) “processing”: any operation or set of operations performed on data personal information or sets of personal data, whether by automated procedures or no, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction; Opinion 4/2007, on the concept of personal data, adopted on 06/20 by the Working group 29, of Directive 95/46, analyzes in depth the concept of data personal data, indicating the reference: "they are all information about a natural person identified or identifiable, considering identifiable any person whose identity can be determined directly or indirectly, in particular by a number of identification or one or more specific elements characteristic of their physical identity physiological psychic economic cultural or social”. A person is directly considered identified through the name and surnames and is more individualized, when In addition, there is another identifier, for example the NIF, through which you can obtain further information about that person or any information that may specify or place it in a specific area. The conduct that consists of making reference on a web page to a person with their name and surnames, and that in this case is distinctive because it is not frequent, constitutes per se a personal data that identifies it, and to which would be added in this case that meets the requirements indicated in the call to be able to appear for the shift C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/23 (...), with which elements are added to be able to be identified by a larger sector of the population. Regarding the allegation of the respondent that the published data is "personal" data public” because it comes from a website, that of SERGAS, a website is not a source of access public, even taking into account what the RLOPD defined of it. If what you mean is that a data made public, this has not been by its owner, but by a public entity that under current regulations can legitimize it for publication, with a finality concrete given. This is also clear with the definition and detail of the right to data protection contained in STCO 292/2000, of 11/30, resource 1463/2000, legal basis sixth: “In this way, the object of protection of the fundamental right to data protection It is not reduced only to the intimate data of the person, but to any type of personal data. whether or not intimate, whose knowledge or use by third parties may affect their rights rights, whether fundamental or not, because their object is not only individual intimacy, which for this there is the protection that art. 18.1 CE grants, but the personal data nal. Consequently, it also reaches those public personal data that, by reason of fact of being, of being accessible to anyone's knowledge, they do not escape the power of disposition of the affected party because this is guaranteed by their right to data protection. Also for this reason, the fact that the data is of a personal nature does not mean that they only have protection those related to the private or intimate life of the person, but that the data covered classified are all those that identify or allow the identification of the person, tending to serve for the preparation of their ideological, racial, sexual, economic or any other nature, or that serve for any other use than in certain circumstances circumstances constitutes a threat to the individual.” III The data included in the URL of the claimed correspond to a process of the Galician Health Service, although the complainant includes it in a URL own, on which he carries out a selected own elaboration to order by surnames and punctuation order, within the turn (...). The RGPD maintains the principle that all data processing needs to be supported by a legal basis that legitimizes it points establish the inverse legitimating causes of the treatment as the consent mode does not operate as the only possible one. In any case, from the entry into force of the RGPD, it cannot be spoken of a legal concept of “sources accessible to the public” such as the one that existed in the LOPD, nor nor can we understand that the fact that the data appears in this type of sources legitimizes the treatment without further ado, specifying in any case a legitimate basis for your treatment. The RGPD only talks about public access sources when regulating the right to information, if the data has not been collected from the interested party. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/23 The mention of the validity of the RLOPD has no effect, as the data is not in any case contained in a source of public access a legitimizing base, requiring the coverage of any of the circumstances as a legitimate basis in article 6.1 of the GDPR. The exposed facts may imply, on the part of the defendant, the commission of a violation of article 6.1 of the RGPD that indicates: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part or for the application at the request of the latter of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller; d) the treatment is necessary to protect the vital interests of the interested party or another Physical person; e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers vested in the data controller; a) the treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that said interests are not prevail the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a little boy." Contrary to what was stated by the respondent, the lists are not published in the Diario Official, but in this it is indicated that it be published on the SERGAS website, to which it has been to go for viewing and in the manner indicated. Based on the alleged legitimate interest, much of it is limited to stating that are data of public access due to the fact that the opponents by legal norm related to nothing with public employment and transparency, they must submit to the exposure of their data as a guarantee of objectivity, reinforcing his thesis that due to the fact that his data on an open web, can be found within said treatment scheme. unto However, the listings are not exposed in any official bulletin or newspaper, but in the SERGAS website, no longer fulfilling one of the requirements so that in the past it could to be considered a source of public access. "Establishes recital (47):" The legitimate interest of a data controller, including that of a person in charge to whom personal data may be communicated, or of a third, it can constitute a legal basis for the treatment, provided that it does not prevail the interests or the rights and freedoms of the interested party, taking into account the reasonable expectations of data subjects based on their relationship with the responsible. Such legitimate interest could occur, for example, when there is a relationship relevant and appropriate relationship between the data subject and the controller, such as in situations where C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/23 that the interested party is a client or is at the service of the person in charge. In any case, the existence of a legitimate interest would require careful assessment, even if a interested party can reasonably foresee, at the time and in the context of the collection of personal data, which may be processed for this purpose. In In particular, the interests and fundamental rights of the interested party may prevail on the interests of the person in charge of the treatment when proceeding to the treatment of personal data in circumstances in which the data subject does not expect reasonably for further processing to take place. Since it corresponds to legislator establish by law the legal basis for the processing of personal data by part of public authorities, this legal basis should not apply to the processing made by public authorities in the exercise of their functions. The tratment of personal data strictly necessary for the prevention of fraud it also constitutes a legitimate interest of the controller in question. The processing of personal data for direct marketing purposes can be considered carried out for legitimate interest.” Regarding the content of the legitimate interest of article 6.1.f) of the RGPD alleged as legitimizing base, it is necessary to go for its interpretation and content to Opinion 6/2014 of Working Group 29 (advisory body created by virtue of Article 29 of Directive 95/46/CE, which with the entry into force of article 94.2 of the RGPD that repeals the directive 95/46 is changed to European Data Protection Committee (CEPD) dated 04/09/2014, that contemplates the diverse factors that can be valued when carrying out the mandatory weighting of the rights and interests at stake. Although Opinion 6/2014 was issued to favor a uniform interpretation of the Di- Directive 95/46 then in force, repealed by the RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the RGPD Article 7, letter f) of said Directive indicated: “Member States shall provide for the processing of personal data only to be carried out act if: it is necessary to satisfy the legitimate interest pursued by the person responsible or by the third party or third parties to whom the data is communicated, provided that they do not present the interest for the fundamental rights and freedoms of the interested party that requires are protected under Article 1(1) of this Directive”. Article 6.1.f) of the RGPD indicates: "1. The treatment will only be lawful if at least one of the following is met conditions: f) the treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that said interests are not prevail the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a little boy." The Opinion underlines, first of all, that the implication that the data controller ment may have in the data processing carried out is that of "interest", which is a broader concept than that of fundamental rights and freedoms, hence with respect to those affected are weighed not only their fundamental rights and freedoms but also C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/23 well their “interests”. The "interest" of the person responsible for the treatment -according to the ar- article 6.1.f) of the RGPD and before article 7.f) of the Directive- must be "legitimate", which means, says the Opinion, that it must be respectful of national legislation and of the EU. In addition, the treatment must be the necessary one, so that they are always preferred. pre less invasive means to serve the same end. If the respondent has had students us who have taken courses that can be counted in the training section, about those people could establish an information mechanism for calls, but that is not the case, what it establishes is in general, the information for any person access your website. On the impact that data processing has on the interested parties, the Opinion that the more “negative” or “uncertain” the impact of the treatment may be, the more important it is likely that the processing as a whole can be considered legitimate. It fits here the assessment of the nature of the personal data that have been processed process, if the data has been made available to the public by the interested party or by a third party. zero, a fact -says the Opinion- that can be an evaluation factor especially if the publication was carried out with a reasonable expectation of data reuse for certain purposes. Reuse that, by the way, has its specific rules and re- references to data protection. The way in which the person in charge treats the data; whether they have been disclosed to the public or made available to a large number of people or if large amounts of data are process or combine with other data creating profiles must also be taken into account. The Opinion also considers it pertinent when evaluating the impact of the treatment to analyze the pos- tion of the person in charge of the treatment and of the interested party; their position may be more or less us dominant with respect to the interested party depending on whether the data controller you are a person, a small organization or a large company, even a company multinational. So that section f) of article 6.1. RGPD may constitute the legitimizing basis of the processing of personal data that is carried out, mandatory, and on a pre- saw the treatment, a weighting of the rights and interests at stake must be made: the legitimate interest of the data controller, on the one hand, and on the other, both the rights and fundamental freedoms of those affected. weighting that it is essential because only when as a result of it prevails the legitimate interest of the person in charge of the treatment on the rights or interests of the owners of the data. The aforementioned interest may operate as a legal basis for the treatment. The aforementioned Opinion refers to the multiple factors that can operate in the weighting of the interests at stake and groups them into these categories: (a) The evaluation of the legitimate interest of the data controller; (b) the impact on data subjects, emphasizing that the claim is not that the treatment processing of data carried out by the person in charge does not have any negative impact on the stakeholders but to prevent the impact from being “disproportionate”; (c) the provisional balance and (d) additional guarantees. In light of the elements that affect the interests and the rights and freedoms in conflict, it is not appreciated in the processing of personal data on which the claim deals. mation, as it is proposed, and with the elements that make it up, can be considered C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/23 as a prevailing legitimate interest of the person in charge over those affected that may operate rar as legitimizing cause of the treatment, for: -The treatment carried out is not usual in the claimed, which casts doubt on whether necessary, since it is usual to indicate the reference and a link in the news section. She herself declares that she is not part of the records of treatment activities that develops, being an exceptional case. It doesn't seem very normal for development occasional treatment that goes beyond what is usually carried out, go to a basis on which a balance of rights and risks of those affected must be made. -The origin of the data is not informed, especially those affected, its origin, its purpose, its legitimizing basis. For the people included in the list, who gave their data based on legal and specific expectations regarding the selection process, it can suppose a surprising treatment the fact of going out in lists to which it is not difficult to access on GOOGLE, and that they do not know anything and may not find out when regard. -The treatment carried out that has been revealed at least was that of an exclusive listing on duty (...) and that is published under the generic formula that some people have made training courses that could count in said call. -In addition, the revelation remained for an excessive time, which is not justified given which was a provisional score, being withdrawn in January 2022, having started to end of 2019, deducing that the principle of data conservation was not followed properly analyzed. -The respondent states that the impact on the rights of the affected party is different if their data is exposed on a website, but this could only be related to one aspect of the risk, without indicating the different risks and impacts to be considered, nor details or describes the impact derived from the publication on its website, without accrediting that the claimant had any relationship with her, neither describes nor relates it to its effects, or details the probability of its occurrence. -Finally, the guarantee of the right to oppose the treatment that must be include any legal basis that is based on said alleged interest. (21.1. RGPD). Regarding the allegation that his explanation of the concurrence of the legitimate interest is well-founded and plausible, to point out in addition to all of the above, that the treatment that carries out the claimed is different from that of the entity convening the tests selective not only because of the different legal basis for collecting health data such as data disabled, and purpose, but because the treatment of the claimed is a reworking of the original source, presenting the information in a different way than It is for informational purposes, and also contains the aforementioned health information. IV Article 83.5.a) of the RGPD refers to this infringement, which indicates: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/23 “The infractions of the following dispositions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of of a company, of an amount equivalent to a maximum of 4% of the volume of Total annual global business of the previous financial year, opting for the one with the highest amount: a) the basic principles for the treatment, including the conditions for the consent tion under articles 5, 6, 7 and 9;” The LOPDGDD indicates in its article 72: "1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679. In addition, among the corrective powers contemplated in article 58 of the RGPD, in its section 2, it is determined that “each control authority may”: “d) order the person responsible or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in accordance with a certain way and within a specified period…”. i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;" The complainant requested the elimination of the URL in which her data appears, which appears along with those of other candidates in the same circumstances. Article 17 of the GDPR indicates: “The interested party shall have the right to obtain, without undue delay, from the person responsible for treatment the deletion of personal data that concerns you, which will be obliged to delete personal data without undue delay when any of the the following circumstances: a) the personal data is no longer necessary in relation to the purposes for which were collected or otherwise treated; […]” d) the personal data has been illicitly processed;” In this case, the respondent has not given any explanation about the claim and the Data is treated outside of the expectations that candidates have when participating in a selection process, being data related to health, of a therefore, the imposition of an administrative fine is considered appropriate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/23 v The determination of the sanctions that should be imposed in this case requires observing var the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively, have the following: "1. Each control authority will guarantee that the imposition of administrative fines under this article for infringements of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and di- persuasive.” "two. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures referred to in article 58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case shall be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the treatment operation in question, as well as the number of interested parties affected and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, account of the technical or organizational measures that they have applied under the articles titles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor reported the breach and, if so, to what extent; i) when the measures indicated in article 58, section 2, have been ordered prior to directly against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or certification mechanisms cation approved under article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly. you, through the infraction.” Within this section, the LOPDGDD contemplates in its Article 76, entitled “Sanctions and corrective measures”: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/23 "1. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of data processing personal. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection delegate. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party. The defendant in her allegations considers the amount disproportionate, considering: -It is a micro-enterprise, -the purpose of the treatment was to improve access to information, having a not alphabetical order of the interested parties, but by punctuation. -It would advocate the dissolution of the entity, for which it does not provide figures. -Considers that the infringement cannot be described as "continued", as it still appears the "same information" on the SERGAS website. -The damage to the claimant is not credited. -There is no intentionality. -There are no benefits. In accordance with the precepts transcribed, in order to set the amount of the sanction of fine to be imposed in the present case for the infraction in article 83.5.a) of the RGPD, of which the defendant is held responsible, are considered concurrent as aggravating circumstances C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/23 the following factors that reveal greater unlawfulness and/or culpability in the defendant's conduct: -Article 83.2.a) RGPD: “Nature, seriousness and duration of the infraction taking into account account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages that have suffered." These are treatments related to selective processes, and data that were provided at the time for a specific purpose in a process determined, not collecting directly from the claimed data, processed on a website, their own, so that it is difficult for those affected to find out, amounting to data from 95 people, identifying them by name and surname. -Article 83.2.b) GDPR. “Intentionality or negligence in the infringement”: Aspect that relates the execution of the action to the subject, in the sense of not only imputability of the infraction to its responsible, but the fact of being able to aggravate or reduce the sanction depending on the degree of guilt. Regarding the imputability to the responsible subject, the principle of culpability, prevents the admission in the sanctioning administrative law of strict liability, although it is also true that the absence of intentionality It is secondary since this type of infraction is normally committed by a guilty or negligent action, which is sufficient to integrate the subjective element of the blame. What is valued in this section is its analysis for the graduation of the sanction (art 40 LRJPAC), observing the specific diligence displayed in the action by responsible, which excludes the imposition of a sanction, solely based on the mere result, that is to say to the principle of strict liability. In this specific case, it produces a lack of diligence that means that when handling data, extreme care must be taken precautions, and here it does not seem that it has been taken into account, therefore it is not considered that the intentional element intervenes. -Article 83.2.d) GDPR. “Degree of responsibility of the person in charge”: The degree of responsibility of the person in charge is relevant, being the owner of a web page in which offers services, has created a list incorporating data from the official headquarters that treats them, with its own purpose for its services, being its full responsibility. -Article 83.2.g) GDPR. “Categories of personal data affected by the infringement”: The data is health data, "special", by reference to the key, which is not difficult to interpret since the link also carries the description. -article 76.2.a) LOPDGDD: “The continuing nature of the infraction”, estimation of more of a year and a half, the treatment begins on 12/2/2019, the complaint is from July 21, predictably, the damage to the legal asset may continue, in this case it does so until receive the initial agreement, constituting what diverse and repeated sentences identified as a "permanent violation". (- which are characterized because the conduct constituting a single offense is maintained for a prolonged period of time (SAN, September 21, 2001 (Rec 95/2000), Supreme Court, Third Chamber, of the Contentious-administrative, Section 3, Judgment 978/2020 of July 9, 2020, Rec. 4700/2019). In addition, it must be added that the claimed party receives in the transfer of the claim the facts and knowing them, could then act, not proceeding to this but after receiving the start agreement, January 2022, dilating the treatment period of data. On the other hand, the fact that the SERGAS website continues to be exposed or not, It does not serve as a mitigating factor for the claim. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/23 The fact that the claimed party was not sanctioned previously, that is, not being a repeat offender. The sentence of the AN, of 05/05/2021, Rec. 1437/2020, indicates: "It considers, on the other hand, that it should be appreciated as extenuating the non-commission of a previous infraction. Well, article 83.2 of the RGPD establishes that it must be taken into account for the imposition of the administrative fine, among others, the circumstance "e) any previous infraction committed by the person in charge or the in charge of the treatment". This is an aggravating circumstance, the fact that concurrence of the budget for its application entails that it cannot be taken into consideration, but does not imply or allow, as claimed by the plaintiff, its application as extenuating." Nor is the lack of benefits obtained that is deduced from a incorrect interpretation of article 76.2.c) of the LOPDGDD, incardinated as a reference of 83.2.k) of the RGPD: "any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infraction”, when indicating as such: “The benefits obtained as a result of the commission of the infraction. This, for several reasons. -The literal of the article refers not to the benefits not obtained, but to "The benefits obtained as a consequence of committing the infraction” (76.2.c LOPDGDD). -In any case, the administrative fines established in the RGPD, in accordance with the established in its article 83.2, are imposed based on the circumstances of each individual case and, at present, the absence of benefits is not considered to be a adequate and decisive grading factor to assess the seriousness of the behavior offending Only in the event that this absence of benefits is relevant to determine the degree of illegality and guilt present in the specific action infringer may be considered as a mitigating circumstance. -If to this we add that the sanctions must be effective "in each individual case", proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD, admitting the absence of benefits as a mitigating factor is not only contrary to the presuppositions of facts contemplated in article 76.2.c), but also contrary to what established in article 83.2.k) of the RGPD and the indicated principles. Thus, assessing the absence of benefits as a mitigating factor would nullify the dissuasive effect of the fine, to the extent that it reduces the effect of the circumstances that affect effectively in its quantification, reporting to the person in charge a benefit that is not has made worthy. It would be an artificial reduction of the sanction that can lead to understand that violating the norm without obtaining benefits, financial or of any kind, does not will produce a negative effect proportional to the seriousness of the infringing act nor is it a reprehensible conduct. Considering the exposed factors, the valuation that reaches the fine for the infraction imputed is 12,000 euros. Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/23 the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE SEAN SERIOS S.L., with NIF B70528989, for an infringement of the article 6.1 of the RGPD, typified in article 83.5 a) of the RGPD, and for the purposes of prescription in article 72.1.b) of the LOPDGDD, a fine of 12,000 euros, of in accordance with articles 83.2 a), b) d) of the RGPD and 76.2.a) of the LOPDGDD. SECOND: NOTIFY this resolution to SEAN SERIOS S.L. THIRD: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of 1/10, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Real Decree 939/2005, of 07/29, in relation to art. 62 of Law 58/2003, of 12/17, by entering, indicating the NIF of the sanctioned person and the number of the procedure that appears at the top of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be processed collection in executive period. Received the notification and once executed, if the date of execution is between on the 1st and 15th of each month, both inclusive, the deadline to make the voluntary payment will be until the 20th day of the following month or immediately after, and if it is between On the 16th and last day of each month, both inclusive, the payment term will be until the 5th of second following business month or immediately following. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of one month from the day following the notification of this resolution or directly contentious appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and paragraph 5 of the additional provision fourth of Law 29/1998, of 13/07, regulating the Contentious Jurisdiction- administrative, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the interested party states its intention to file a contentious-administrative appeal. If this is the In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Registry Electronic Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the aforementioned LPCAP. Also C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/23 must transfer to the Agency the documentation that accredits the effective filing of the Sponsored links. If the Agency were not aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, the suspension would end precautionary 938-120722 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es