AEPD (Spain) - PS/00117/2022
AEPD - PS-00117-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(11) GDPR Article 6 GDPR Article 9 GDPR Article 9 GDPR Article 57(1) GDPR Article 58(1) GDPR Article 83(1) GDPR Article 83(2) GDPR Article 83(5) GDPR Article 6(1) LOPDGDD Article 63 LPACAP Article 64 LPACAP Article 65(4) LOPDGDD Article 73(1)(b) LOPDGDD Article 76 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | 10.09.2016 |
Decided: | |
Published: | 14.04.2027 |
Fine: | 2000 EUR |
Parties: | Data subject Data controller |
National Case Number/Name: | PS-00117-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | isabela.maria.rosal |
Spanish DPA fines controller for continuous sending of emails containing personal data for members and non-members of a Personnel Board. The DPA ruled that there is no legal basis for this processing, especially after the data subject's opposition.
English Summary
Facts
The data subject made a complaint regarding the ongoing processing of their personal data via email messages where their email address was available for members and non-members of the Personnel Board which both the data controller and the data subject are part of. Being part of the same labour group could justify processing personal data from the data subject. However, the data controller has shared personal data with various persons, including people outside of the Board. Even after the data subject requested that the information processing stopped, the emails with personal data continued to be sent. Even without the data subject's consent, the data controller justified the processing for laboural reasons, based on Article 9 of the GDPR, which is highlighted by the fact that the email with personal data is a corporate one.
Holding
The DPA understood that the processing of the data subject was abusive, especially because personal data as the email of the data subject was processed without their consent. In discordance with the GDPR, even after the request of the data subject to not have their email processed and shared with other people anymore, the activity continued without considering simple features such as "hidden copy" for sending emails that would mitigate risks. Thus, the DPA ruled that the processing was illegal, not complying with Article 6 of the GDPR, since there is no legal basis for the processing. The fact that both the data subject and the data controller were part of the same Personnel Board did not change the outcome, since the email address, reveling personal information was sent for non-members, so the Article 9 of the GDPR does not apply.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/11 File No.: PS/00117/2022 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated March 11, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against B.B.B. with NIF ***NIF.1 (hereinafter, the part claimed). The reasons on which the claim is based are the following: Both the complaining party and the claimed party are members of the same personnel meeting, and the claimant states that the claimant has forwarded emails emails to other members and non-members of this staff board and to corporate emails from unions and groups without legitimacy to do so. The emails that do not belong to the personnel meeting are the following: ***EMAIL.1, ***EMAIL.2, ***EMAIL.3, ***EMAIL.4, ***EMAIL.5, ***EMAIL.6 and ***EMAIL.7; (in forward, reported email addresses), In that email, information about the claimant also appears, such as his name and address. work email. The complainant sent an email on January 22, 2021 to members of the staff meeting in which he requested that they stop forwarding his email address electronic to third parties; but the defendant again forwarded emails from the claimant to people from outside the personnel meeting on February 16 and 17, 2021 and 16 March 2021. Relevant documentation provided by the complaining party: - Printout of email dated January 20, 2021 sent by ***EMAIL.8 to multiple emails including email work of the claimant and the reported email addresses indicated in his claim among others. In this email, we request that they be included among the recipients of staff board emails to a new board member and to the delegate of the STAS-CLM union section. - Printout of email dated January 22, 2021 in which the claimant responds to the recipients of the previous email, except for the addresses of mail reported. In this email you request that your email not be sent C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/11 or other information from the personnel board to the reported email addresses due to because they do not belong to the personnel board. - Printout of email dated January 28, 2021 in which the complainant reiterates that he does not want his name or email to be sent to Other email addresses that do not correspond to board members of personal. - Printout of email dated February 16, 2021 sent by the claimed to multiple email addresses that include the email address claimant's work email and the following addresses that the claimant indicates that they do not belong to the personnel board: ***EMAIL.4, ***EMAIL.5, ***EMAIL.9, ***EMAIL.2, ***EMAIL.10 and ***EMAIL.11. The content of this email is an attachment with the subject “exit minutes and documents”. - Printout of email dated February 17, 2021 sent by the claimed to multiple email addresses that include the email address claimant's work email and the following addresses that the claimant indicates that they do not belong to the personnel board: ***EMAIL.4, ***EMAIL.5, ***EMAIL.9, ***EMAIL.2, ***EMAIL.10 and ***EMAIL.11. The content of this email There are three attachments and the content indicates that they contain FeSP-UGT proposals for a staff board meeting. - Printout of email dated February 18, 2021 in which the complainant responds to the previous email of February 17, 2021 reiterates that no you want those emails to be sent to other email addresses that are not correspond to members of the personnel board, and indicate which email addresses email are the ones that should not have been in the “To” of the email of December 17 February 2021. This claim was complemented by a document presented by the complainant before the Spanish Data Protection Agency (hereinafter, AEPD) and entry date on March 26, 2021, in which, among other things, the following is provided documentation: - Printout of email dated March 16, 2021 sent by the claimed to multiple email addresses that include the email address the claimant's work email address and, among other addresses, the following: ***EMAIL.12, ***EMAIL.2, ***EMAIL.13 and ***EMAIL.9. This email It contains an attachment and its content is “attachment registered writings.” - Indication that the emails ***EMAIL.12, ***EMAIL.2, ***EMAIL.13 and ***EMAIL.9 correspond to CCOO affiliates not belonging to the board of staff. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/11 SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on April 19, 2021 as It appears in the acknowledgment of receipt that is in the file. The background information contained in the information systems is as follows: On May 11, 2021, within procedure E/04149/2021, it has entry in the AEPD, a document presented on behalf of FSP-UGT, in which provides, among other things, the following information: - Allegation that the email address has been used in a way legitimate because it has been used by the union and the claimant is a delegate of staff and member of the staff board. - Allegation that the defendant understood that, from his actions, no no infringement regarding the protection of personal data due to the following reasons: “- The corporate nature of that email account (***EMAIL.14), - Its use strictly related to the professional field of the board of directors “work center staff” - Allegation that the emails reported by the claimant have been sent from an email account (***EMAIL.15) that is not owned of FeSP-UGT, and it is indicated that this aspect had already been warned to the UGT workers. And the impression of a “Reminder to workers” is provided. dated January 15, 2020, which indicates, among other things, the following: “Therefore, any email that is sent by any of the workers of this Federation from an unauthorized or unofficial address not will be considered the responsibility of this body, and the particular measures that correspond against the issuers.” THIRD: On August 12, 2021, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/11 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: The list of members of the personnel board and the motivation for sending the emails to email addresses that did not belong to members of that board of directors personnel could not be verified after having sent a request for information to the claimant at the address ***ADDRESS.1. It is clear that this information request was notified on February 2, 2022, upon being collected by C.C.C. with NIF ***NIF.2 in ***ADDRESS.1, without has received a response to this information request from the AEPD. FIFTH: On June 9, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the complainant, with in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 6 of the RGPD, typified in article 83.5 of the GDPR. SIXTH: On June 30, 2022, the claimed party presented a written allegations in which, in summary, he stated that the address to which he was sent The initial agreement is not your address, but that of the UGT union in your location, the which is not authorized to collect notifications in your name, which is why it is not was able to respond to the request carried out on February 2, 2022, causing absolute helplessness, which is why he requests that the actions be taken back to said date. In relation to your address, you state that your address for notification purposes is ***ADDRESS.2. The defendant considers that the email addresses sent are from representatives of workers or union organizations with representation at the Personnel Board. The defendant alleges the non-existence of the infringement under Article 9 of the GDPR, by the claimant belongs to a union organization, and said emails are processed workplace electronics. It is alleged that all Board workers have access to the employee portal with a directory where you can access the name, job, destination, email electronic and telephone. SEVENTH: On July 7, 2022, the instructor of the procedure agreed to terminate reproduced for evidentiary purposes the claim filed by A.A.A. and his documentation, the documents obtained and generated during the admission phase to processing of the claim, and the report of previous investigation actions that They are part of procedure E/08764/2021. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/11 Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of initiation of the referenced sanctioning procedure, presented by B.B.B., and the documentation that accompanies them. EIGHTH: On July 19, 2022, a proposed resolution was formulated, proposing that the Director of the Spanish Data Protection Agency sanction B.B.B., with NIF ***NIF.1, for a violation of article 6 of the RGPD, typified in article 83.5 of the RGPD, with a fine of €2,000 (two thousand euros) NINTH: On August 19, 2022, allegations were presented to the proposal resolution, reiterating those already indicated on June 30, 2022 Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS FIRST: Dissemination of the email addresses of each member of the personnel meeting of the claimant's workplace, by sending emails with the minutes of board meetings to corporate emails from unions and groups without legitimation for its reception, as well as to third parties who do not belong to the board of staff. SECOND: The defendant alleges the non-existence of the infringement as the complainant to a union organization, and said emails be treated as labor sphere. FOUNDATIONS OF LAW Yo Article 4.11 of the GDPR defines the consent of the interested party as “any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either by a declaration or a clear affirmative action, the processing of personal data that concerns you.” In this sense, article 6.1 of the LOPDGDD establishes that “in accordance with the provided in article 4.11 of Regulation (EU) 2016/679, consent is understood to be ment of the affected person any manifestation of free, specific, informed and ineligible will. ambiguity by which he accepts, either through a statement or a clear action “Yes, the processing of personal data that concerns you.” For its part, article 6 of the RGPD establishes the following: "1. The treatment will only be legal if at least one of the following conditions is met: nes: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the execution of a contract in which the interested party is part of or for the application at his request of pre-contractual measures; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/11 c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect vital interests of the interested party or another Physical person; e) the processing is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that on said interests interests or fundamental rights and freedoms of the interest do not prevail. s that require the protection of personal data, particularly when the interest sado be a child. The provisions of letter f) of the first paragraph will not apply to the treatment carried out by public authorities in the exercise of their functions.” III In the present case, the complaining party denounces the claimed party because Emails have been repeatedly forwarded to other members and non-members of the personnel board of which he is a member and to corporate emails of unions and groups without legitimacy or consent on the part of the claimant. A document submitted on behalf of FSP-UGT has been entered into the AEPD, where two aspects are revealed, on the one hand the corporate nature of the email account object of this assumption (***EMAIL.14), which makes its use is strictly related to the professional field of the personnel board of the workplace.” Secondly, it is alleged that the emails reported by the claimant have been sent from an email account (***EMAIL.15) that is not property of FeSP-UGT, and it is indicated that this aspect had already been warned to the UGT workers. Print is provided of a “Reminder to workers” dated January 15, 2020 which indicates, among other things, the following: “Therefore, any email that is sent by any of the workers of this Federation from an unauthorized or unofficial address not will be considered the responsibility of this body, and measures may be adopted individuals that correspond against the issuers.” Thus, it seems that FSP-UGT is exempt from all responsibility, but not the defendant, since the issuance of emails on the 16th and 17th of February 2021 and March 16, 2021, despite the claimant's request that stop forwarding your email address to third parties. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/11 The defendant, in a written statement of allegations dated June 30, 2022, requests feedback from the actions for not having received the information request dated 2 February 2022. In this sense we must indicate that the actions carried out in the month of February They are prior actions that are carried out in accordance with article 65.4 of the LOPDGDD, carried out prior to the start of the sanctioning procedure. Therefore, defenselessness can only be considered in the event that once the initiation agreement, and not before, the defendant would not have been able to exercise the rights that law 39/2015 on common administrative procedure confers in all sanctioning procedure, such as the right to know the facts that are accused and be able to present allegations and evidence, or exercise their right to audience. Since we are not in any of these cases, retroaction does not apply. of the performances. Secondly, the defendant resorts to article 9 of the RGPD, justifying that the The data processed is about union membership and was disseminated in a work environment. However, it is considered that the processing of the claimant's personal data has been excessive because the emails subject to this complaint were They also referred people outside the personnel board, and more so when possible its omission with the use of tools such as blind copy, when required by the owner of that personal data that it is not used when expressing expressly that you do not consent to the processing of your email, in the exercise of your right to object. Therefore, it is considered that we are dealing with illegal processing of personal data, by sending emails to other members and non-members of the board of directors personnel of which the claimant is a member, and to corporate emails of unions and collectives, incurring a violation of article 6 of the RGPD, indicated in the legal basis II, since the personal data have been processed without counting with any type of legitimation. IV In accordance with the transcribed precepts, in order to set the amount of the sanction of fine to impose we must take into account article 83.5.a) of the RGPD, where indicates that “violations of the following provisions will be sanctioned, in accordance with in accordance with paragraph 2, with administrative fines of EUR 20 000 000 as maximum or, in the case of a company, an amount equivalent to 4% as maximum of the total global annual turnover of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent in accordance with articles 5, 6, 7 and 9;” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/11 Article 72.1 b) of the LOPDGDD states that “based on what is established by the article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years, infractions that involve a substantial violation of the articles mentioned in that and in particular, the following: b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679.” V In order to determine the administrative fine to impose, the following must be observed: provisions of articles 83.1 and 83.2 of the RGPD, provisions that indicate: “Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 5 and 6 are effective in each individual case, proportionate and dissuasive.” “Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied under of articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, in what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/11 j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement.” Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures” provides: "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of medical treatments. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which "There are disputes between them and any interested party." In accordance with the transcribed precepts, in order to set the amount of the sanction of fine to be imposed on B.B.B. with NIF ***NIF.1, as responsible for an infringement typified in article 83.5.a) of the RGPD, are considered concurrent in this case, as aggravating factors, the following factors: Intentionality or negligence in the infringement, since given the activity Greater care is required from the claimant in the processing of the data. (83.2.b) GDPR) Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/11 FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for a violation of article 6 of the RGPD, typified in article 83.5 of the RGPD, a fine of €2,000 (two thousand euros). SECOND: NOTIFY this resolution to B.B.B.. THIRD: Warn the sanctioned person that he must make the sanction imposed effective once this resolution is executive, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering it, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected during the executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/11 938-120722 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es