AEPD (Spain) - EXP202303130
AEPD - EXP202303130 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR Article 58(2)(d) GDPR Article 83(4) GDPR Article 83(5) GDPR Article 64.2(b) LPACAP Article 65.4 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | 25.01.2023 |
Decided: | |
Published: | 10.10.2023 |
Fine: | n/a |
Parties: | A.A.A Zaragoza City Council |
National Case Number/Name: | EXP202303130 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | R_e_ |
Spanish DPA reprimanded the City Council of Zaragoza for sending health data of an employee without adequate security measures, violating Article 5(1)f GDPR and Article 32 GDPR.
English Summary
Facts
The data subject had health problems arising from conflicts in the workplace in the City Council of Zaragoza (the controller). The Prevention and Occupational Safety Service of the City Council of Zaragoza, issued a medical report recommending that she contact the Health Monitoring Unit to assess an adaptation or change of job. The Health Surveillance Unit issued a decision to adapt the tasks of her post along with an attached document containing the data subject's medical report. This e-mail was sent without a seal or indication marking the information as confidential. This was different to standard procedure for confidential e-mails at the City Council of Zaragoza, who usually use nominal corporate e-mail accounts and an Internal Communications Service (SIC).
When the AEPD began its sanctioning procedures, the controller sent a letter to the DPA admitting a personal data breach. However, they made the point that it was an isolated event. Additionally, they claimed adequate security measures had been taken because only "authorised personell" are permitted to open emails. Nonetheless, this does not mean that the email access was limited as anyone within the City Council could have opened it.
Holding
The DPA held that the controller violated Article 5(1)(f) GDPR by not using the security measures available to the controller, and by allowing unauthorised persons to access the data. The controller also violated Article 32 GDPR by failing to have reasonable security measures on place based on the possible estimated risks. In particular, a messaging system should have been used that guaranteed delivery only to the person/s in positions who must have access to the documents in order to carry out their functions.
The AEPD declined to fine the controller, instead ordering the controller to adopt security measures to prevent the dissemination of health data via email so that processing is carried out with complete security.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13 File No.: EXP202303130 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On January 25, 2023, A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency. The claim is directed against ZARAGOZA CITY COUNCIL with NIF P5030300G (hereinafter, the claimed part). The grounds on which the claim is based are the dissemination of your health data through email "without any type of seal or indication that marked it as confidential". According to what he explains, he had health problems derived from conflicts in the workplace and went to the City Council's Occupational Safety and Prevention Service, which issued a medical report that recommended he go to the Health Surveillance Unit to assess an adaptation or a change of job. Provide a copy of the medical report, dated August 13, 2021. Said Surveillance Unit ruled, on August 17, 2021, the adaptation of the tasks of your job (attach the document). It states that said opinion, which had to be notified to the interested party and the ***POSITION.1, was sent on August 28, 2021, along with the medical report of the Prevention and Occupational Safety Service of the City Council, without adopting safety measures adequate security, allowing ***POSTO.2 to access his personal data. health. Specifies that the Zaragoza City Council, in order to carry out communications confidential, has nominal corporate email accounts and a Internal Communications Service -SIC-, but in its case, no use was made of the email, nor the SIC, and it was decided to notify the opinion, with both reports, by internal mail without any type of seal or indication that marked it as confidential. Along with the statement of claim, a copy of the reports and opinions referred to is provided. You also provide a copy of the emails that contain your health data, where the following text can be seen in each communication: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/13 "Legal warning: THIS EMAIL MAY CONTAIN CONFIDENTIAL INFORMATION REFERRING TO NATURAL PERSONS." The medical report of the Prevention and Prevention Service is attached as attached data. City Council Job Security. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was communicated to the claimed party, on 10 March 2023, so that it could proceed with its analysis and inform this Agency in the within one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on March 13, 2023 as It appears in the acknowledgment of receipt that is in the file. On April 11, 2023, this Agency received a response letter indicating the following: The Head of the Sports Service of the Zaragoza city council held a meeting at the beginning of 2021 with the Municipal Data Protection Delegate, of the which resulted in subsequent joint work to update regulations current in this matter in such a way that the activity sheets of processing of data that pertains to the Service for subsequent registration and the rest of the measures recommended by the Municipal Delegate responsible for the protection, including those related to the transfer of documentation by mail electronic. On August 18, 2021, the report issued to ***POSITION.1 by (…) in relation to the worker D. A.A.A., is transferred - in an email attachment - to the directly responsible for said worker, the (…) Mr. B.B.B.. In relation to the report that was transferred, it is necessary to highlight that the Service of Prevention and Occupational Health, responsible for the processing of health data of the workers, does not issue medical reports or data to this or any other municipal service of workers' health. The document transferred contained the opinion of the Prevention and Health Service Labor on measures to adapt the functions to be performed by the worker D. A.A.A., measures that had to be known and applied by their immediate superior D. B.B.B.. Although the nominal account was not used for this transfer of documentation D.B.B.B. corporate nor the Internal Communications Service -SIC-, the account used ***EMAIL.1 is the priority use of the person in charge of the center, Mr. B.B.B. and In his absence, only the personnel in whom he specifically delegate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/13 Despite this, the message contained all the guarantees of security and protection of data, this is not only the name of your recipient and the content of the file you was transferred but the legal warning/clause that both the Protection Regulation of Data such as the Data Protection Law establish with all the information necessary both to guarantee confidentiality and, where appropriate, to be able to exercise the rights of access/rectification, cancellation and opposition at any time. moment, a copy of the message sent is attached THIRD: On April 25, 2023, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. FOURTH: On June 27, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the claimed party, for the alleged violation of article 5.1.f) of the RGPD and article 32 of the RGPD, typified in article 83.5 of the RGPD and article 83.4 of the RGPD. FIFTH: On July 10, 2023, this Agency receives a letter in response to the agreement to initiate this sanctioning procedure, where the claimed states the following: “In the opinion of the AEPD, a personal data security breach is evident that consisted of having transferred on August 18, 2021 to (…) Mr. B.B.B. -in document attached by email - the report issued by the Municipal Service of Prevention and Occupational Health in relation to the D.A.A.A. worker. Although it is true that the account used ***EMAIL.1 for the transfer of the documentation is the priority use of the person in charge of the center, Mr. B.B.B., and in his absence is only suitable to open it the personnel to whom he specifically delegates, We inform you that at the time the incident occurred, this Service was was in the process of implementing the measures indicated by the Delegate Municipal Data Protection, at that time D. C.C.C., and there may be still some imbalances such as not using, in the case that is the subject of the claim of D. A.A.A., the safest measures for the transfer of documentation such as the Internal Communications System (SIC) or email accounts corporate nominals. This Service does not hesitate to affirm that this was an isolated event from which took the appropriate measures, designating the means and authorized personnel that I would carry out this type of documentation transfer with complete security by delegation express of the Service Headquarters.” SIXTH: On July 24, 2023, a proposed resolution was formulated, proposing that by the Director of the Spanish Data Protection Agency: It is declared that ZARAGOZA CITY COUNCIL, with NIF P5030300G has violated the provisions of article 5.1.f) of the RGPD and article 32 of the RGPD, typified in article 83.5 of the RGPD and article 83.4 of the RGPD. The CITY COUNCIL OF ZARAGOZA, with NIF P5030300G, is ordered to Pursuant to article 58.2.d) of the RGPD, within 10 days, prove that your C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/13 action has been adapted to the indicated data protection regulations, so such measures prevent the dissemination of health data through email, and it is proven that the appropriate measures have been adopted for the processing of these personal data to be carried out with complete security. SEVENTH: On July 27, 2023, the claimed party, in response to the proposal of indicated resolution, states the following: “We reiterate what was already expressed by ***POS.1 in its report of July 6, 2023, which was transferred on July 10, 2023 to that agency, in which the error committed and it is indicated that the necessary measures have been taken so that said situation could be repeated, designating the means and authorized personnel that would transfer documentation with total security by express delegation of said Service Headquarters.” In view of everything that has been done, by the Spanish Data Protection Agency In this procedure, the following are considered proven facts: PROVEN FACTS FIRST: On August 28, 2021, the dissemination of health data from the claimant by the Occupational Prevention and Safety Service of the City Council of Zaragoza using an email "without any type of seal or indication that marked it as confidential", despite the existence of an email corporate or internal communications service, for the submission of this type of information, which allowed ***POSITION.2 to access the health data of the claimant. SECOND: The city council recognizes the reported facts, but affirms that This is an isolated incident from which appropriate measures were taken. designating the means and authorized personnel who would carry out this type of transfer of documentation with total security by express delegation of the Service Headquarters. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/13 regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is the processing of personal data, since AYUNTACIÓN carries out, among other treatments, the collection, conservation, use and dissemination of data. personal details of the residents of the municipality, such as: name and surname and address email…etc. The CITY COUNCIL carries out this activity in its capacity as responsible for the treatment. ment, given that he is the one who determines the ends and means of such activity, by virtue of the cited article 4.7 of the RGPD. Article 4 section 12 of the GDPR broadly defines “violations of security”. security of personal data” (hereinafter security breach) as “all those security violations that cause the destruction, loss or alteration accidental or unlawful personal data transmitted, preserved or otherwise processed form, or unauthorized communication or access to said data.” In the present case, there is a personal data security breach dated 18 August 2021, through the report issued to ***POSITION.1 by (…) in relation to the worker D. A.A.A., where he is transferred - in an email attachment - to the direct manager of said worker, (…) Mr. B.B.B.. The document transferred contained the opinion of the Prevention and Health Service Labor on measures to adapt the functions to be performed by the worker D. A.A.A., measures that had to be known and applied by their immediate superior D. B.B.B.. In its defense, the city council has indicated that although for this transfer of documentation was not used the corporate nominal account of D. B.B.B. nor the Service Communications Internal -SIC-, the account used ***EMAIL.1 is priority use of the person in charge of the center, Mr. B.B.B. and in its absence it is only suitable to open it the personnel to whom he specifically delegates. It should be noted that the receipt of a complaint about a security breach does not imply the imposition of a sanction directly, since it is necessary to analyze the diligence of those responsible and in charge and the security measures applied, in accordance with the provisions of article 32 of the GDPR. III Article 5.1.f) “Principles relating to processing” of the GDPR establishes: "1. The personal data will be: (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/13 f) processed in such a way as to ensure adequate security of personal data. sonals, including protection against unauthorized or unlawful processing and against its accidental loss, destruction or damage, through the application of technical measures or appropriate organizational measures (“integrity and confidentiality”).” In this case, a claim is filed because on August 18, 2021, A report has been issued to ***POSAL.1 by (…) Mr. A.A.A., via email electronic "without any type of seal or indication that marked it as confidential." In this sense, the Zaragoza city council responds that although for this transfer of documentation, the corporate nominal account of D. B.B.B. was not used. neither him Internal Communications Service -SIC-, the account used ***EMAIL.1 is for use priority of the person in charge of the center, Mr. B.B.B. and in its absence it is only suitable to open it the personnel to whom he specifically delegates, so the Zaragoza city council considers that the message contained all the guarantees of security and data protection, this is not only the name of your recipient and the content of the file that was being transferred but the legal warning/clause that both the Data Protection Regulations such as the Data Protection Law establish with all the information necessary both to guarantee confidentiality and, in where appropriate, to be able to exercise the rights of access/rectification, cancellation and opposition at any time. Despite such statements, it has been found that the city council has been trying the following personal data of the complaining party: the name and surname, as well as as personal health data, without respecting the principle of integrity and confidentiality in your treatment. These facts imply that the claimed party is violating article 5.1 f) of the GDPR, indicated in legal basis II for violating the duty of confidentiality of the personal data it processes when it was confirmed that a message to the address ***EMAIL.1, which according to the City Council is a priority use of the responsible for the center, Mr. B.B.B. and in its absence only the personnel to whom he specifically delegates. Although they report “that at the time the incident occurred this Service was was in the process of implementing the measures indicated by the Delegate Municipal Data Protection, at that time D.C.C.C., and there may be still some imbalances such as not using, in the case object of the claim of D. A.A.A., the safest measures for the transfer of documentation such as Internal Communications System (SIC) or email accounts corporate nominals. Therefore, this Agency considers that making the data available to unauthorized persons constitutes a violation of art. 5.1.f) of the RGPD attributable to this case to the ZARAGOZA CITY COUNCIL. IV C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/13 The aforementioned violation of article 5.1.f) of the RGPD implies the commission of the violations typified in article 83.5 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20 000 000 or, trying- of a company, of an amount equivalent to a maximum of 4% of the volume of global annual total business of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for consent ment under articles 5, 6, 7 and 9; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contra- rias to this organic law.” For the purposes of the limitation period, article 72 “Infringements considered very serious” you see” of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established two in article 5 of Regulation (EU) 2016/679. (…)” V Article 83 “General conditions for the imposition of administrative fines” of the GDPR section 7 states: “Without prejudice to the corrective powers of the supervisory authorities under the art. Article 58(2), each Member State may lay down rules on whether of, and to what extent, imposing administrative fines on authorities and public bodies “warfare establishments established in that Member State.” Likewise, article 77 “Regime applicable to certain categories of liability” bles or those in charge of treatment” of the LOPDGDD provides the following: "1. The regime established in this article will apply to the treatments of who are responsible or in charge: ... c) The General Administration of the State, the Administrations of the autonomous communities tonomas and the entities that make up the Local Administration… C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/13 2. When the persons responsible or in charge listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organizational law. only, the competent data protection authority will issue a resolution declaring the infringement and establishing, where appropriate, the appropriate measures adopted. to stop the conduct or correct the effects of the infraction that has occurred. committed, with the exception of that provided for in article 58.2.i of the Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016. The resolution will be notified to the person responsible or in charge of the treatment, to the body of the that depends hierarchically, if applicable, and to those affected who have the condition of interested party, if applicable. 3. Without prejudice to what is established in the previous section, the authority for the protection of data will also propose the initiation of disciplinary actions when there are sufficient evidence for this. In this case, the procedure and sanctions to apply will be those established in the legislation on disciplinary or sanctioning regime that results of application. Likewise, when the infractions are attributable to authorities and managers, and are prove the existence of technical reports or recommendations for the treatment that had not been duly attended to, in the resolution in which the sanction will include a reprimand with the name of the responsible position and will order the publication in the Official State or autonomous Gazette that correspond. 4. The resolutions that fall in relation to the measures and actions referred to in the sections previous. 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. (…)” For the purposes specified in the art. 64.2 b) of law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, the sanction It would be an administrative fine. Therefore, the aforementioned violation of article 5.1.f) of the RGPD, in accordance with art. 83.7 of the RGPD, and the provisions of article 77.2 of the LOPDGDD, by the category of the subject allegedly responsible for the infringement, is replaced by the declaration of infringement of the ZARAGOZA CITY COUNCIL. SAW Article 32 “Security of processing” of the GDPR establishes: "1. Taking into account the state of the art, the application costs, and the nature za, the scope, context and purposes of the processing, as well as probability risks and severity for the rights and freedoms of natural persons, the responsibility sable and the person in charge of the treatment will apply appropriate technical and organizational measures. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/13 measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes already, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee confidentiality, integrity, availability and resilience permanent treatment systems and services; c) the ability to restore the availability and access to personal data permanently. quick response in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to ta the risks presented by data processing, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted stored, preserved or otherwise processed, or unauthorized communication or access. two to said data. 3. Adherence to a code of conduct approved under Article 40 or to a mechanism Certification system approved in accordance with Article 42 may serve as an element for demonstrate compliance with the requirements established in section 1 of this article. 4. The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the person in charge or in charge and having ga access to personal data can only process said data following instructions of the controller, unless it is obliged to do so by virtue of Union law or Member States”. In the present case, at the time of the security breach, there is no evidence that the ZARAGOZA CITY COUNCIL had reasonable security measures bles based on the estimated possible risks. This is so, since the CITY COUNCIL has not taken into account basic aspects such as the use of registered corporate accounts and also sending through a courier system that guarantees that delivery is made only at charge who, due to their functions, must have access to the documentation. Therefore, it is considered that the known facts constitute an infringement. tion, attributable to the ZARAGOZA CITY COUNCIL, for violation of article 32 of the GDPR. VII The aforementioned violation of article 32 of the RGPD implies the commission of typical violations. pified in article 83.4 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 10 000 000 or, trying- of a company, of an amount equivalent to a maximum of 2% of the volume of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/13 global annual total business of the previous financial year, opting for the highest amount: 5) the obligations of the controller and the processor in accordance with articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “Consti- The acts and conduct referred to in sections 4, 5 and 6 are considered infractions. of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that involve a violation. substantial portion of the articles mentioned therein and, in particular, the following: … f) The lack of adoption of those technical and organizational measures that result appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of Regulation (EU) 2016/679.” (…) VIII Article 83 “General conditions for the imposition of administrative fines” of the GDPR section 7 states: “Without prejudice to the corrective powers of the supervisory authorities under the art. Article 58(2), each Member State may lay down rules on whether of, and to what extent, imposing administrative fines on authorities and public bodies “warfare establishments established in that Member State.” Likewise, article 77 “Regime applicable to certain categories of liability” bles or those in charge of treatment” of the LOPDGDD provides the following: "1. The regime established in this article will apply to the treatments of who are responsible or in charge: … c) The General Administration of the State, the Administrations of the autonomous communities tonomas and the entities that make up the Local Administration… 2. When the persons responsible or in charge listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organizational law. only, the competent data protection authority will issue a resolution sanctioning them with a warning. The resolution will also establish the measures that should be adopted to stop the conduct or correct the effects of the infraction that has been committed. 3. Without prejudice to what is established in the previous section, the authority for the protection of data will also propose the initiation of disciplinary actions when there are C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/13 sufficient evidence for this. In this case, the procedure and sanctions to apply will be those established in the legislation on disciplinary or sanctioning regime that results of application. Likewise, when the infractions are attributable to authorities and managers, and are prove the existence of technical reports or recommendations for the treatment that had not been duly attended to, in the resolution in which the sanction will include a reprimand with the name of the responsible position and will order the publication in the Official State or autonomous Gazette that correspond. 4. The resolutions that fall in relation to the measures and actions referred to in the sections previous. 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under the protection of this article.” For the purposes provided for in article 64.2 b) of law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, the sanction that It corresponds to an administrative fine. Therefore, the aforementioned violation of article 32 of the RGPD, in accordance with article 83.7 of the RGPD, and the provisions of article 77.2 of the LOPDGDD, by the category of the subject allegedly responsible for the infraction, said sanction is replaced by the declaration of violation to the CITY COUNCIL. IX In accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which Each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a period specified…". Specifically, it will be required to prove that their actions have been adapted to the data protection regulations indicated in the legal foundations, so that such measures prevent the dissemination of health data via email, and it is proven that the appropriate measures have been adopted so that the treatment of These personal data are carried out with total security and in accordance with the regulations of data protection indicated above. The imposition of this measure is compatible with the sanction consisting of a declaration of administrative infringement, in accordance with the provisions of article 83.2 of the RGPD. The claimed party states that at the time the incident occurred, was in the process of implementing the measures indicated by the Delegate Municipal Data Protection, and there may still be some imbalances, as use safer measures for the transfer of documentation such as the System C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/13 Internal Communications (SIC) or nominal email accounts corporate. Likewise, the claimed party acknowledges the error committed and indicates that appropriate measures have been taken. the necessary measures so that this situation could not be repeated, designating the means and authorized personnel who would carry out the transfer of documentation with total security by express delegation of said Service Headquarters. However, in the allegations presented throughout the procedure, no provided documents that allow verifying the adoption of these new measures of security that prevents the repetition of the reported events. It is warned that failure to comply with the order to adopt measures imposed by this body in the sanctioning resolution may be considered as an infraction administrative in accordance with the provisions of the RGPD, classified as an infringement in its article 83.5 and 83.6, such conduct may motivate the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE that the CITY COUNCIL OF ZARAGOZA, with NIF P5030300G, has violated the provisions of article 5.1.f) of the RGPD and article 32 of the GDPR, violations classified in article 83.5 of the GDPR and article 83.4 of the GDPR respectively. SECOND: ORDER to the CITY COUNCIL OF ZARAGOZA, with NIF P5030300G, that under article 58.2.d) of the RGPD, within a period of 3 months, proves that your action has been adapted to the indicated data protection regulations, so that such measures prevent the dissemination of health data via email, and it is proven that the appropriate measures have been adopted so that the treatment of These personal data are carried out with complete security. THIRD: NOTIFY this resolution to the CITY COUNCIL OF ZARAGOZA. FOURTH: COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/13 the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-010623 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es