AEPD (Spain) - EXP202303130

From GDPRhub
Revision as of 14:16, 18 October 2023 by Aa (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - EXP202303130
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 25.01.2023
Decided:
Published: 10.10.2023
Fine: n/a
Parties: A.A.A
Zaragoza City Council
National Case Number/Name: EXP202303130
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: R_e_

The Spanish DPA reprimanded the City Council of Zaragoza for sharing an employee's health data without implementing adequate security measures, violating Article 5(1)f GDPR and Article 32 GDPR.

English Summary

Facts

The data subject had health problems arising from conflicts in the workplace in the City Council of Zaragoza (the controller). The Prevention and Occupational Safety Service of the City Council of Zaragoza, issued a medical report recommending that she contact the Health Monitoring Unit to assess an adaptation or change of job. The Health Surveillance Unit issued a decision to adapt the tasks of her post along with an attached document containing the data subject's medical report. This e-mail was sent without a seal or indication marking the information as confidential. This was different to standard procedure for confidential e-mails at the City Council of Zaragoza, who usually use nominal corporate e-mail accounts and an Internal Communications Service (SIC).

When the AEPD began its sanctioning procedures, the controller sent a letter to the DPA admitting a personal data breach. However, they made the point that it was an isolated event. Additionally, they claimed adequate security measures had been taken because only "authorised personell" are permitted to open emails. Nonetheless, this does not mean that the email access was limited as anyone within the City Council could have opened it.

Holding

The DPA held that the controller violated Article 5(1)(f) GDPR by not using the security measures available to the controller, and by allowing unauthorised persons to access the data. The controller also violated Article 32 GDPR by failing to have reasonable security measures on place based on the possible estimated risks. In particular, a messaging system should have been used that guaranteed delivery only to the person/s in positions who must have access to the documents in order to carry out their functions.

The AEPD declined to fine the controller, instead ordering the controller to adopt security measures to prevent the dissemination of health data via email so that processing is carried out with complete security.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/13










     File No.: EXP202303130



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based

to the following

                                   BACKGROUND

FIRST: On January 25, 2023, A.A.A. (hereinafter, the complaining party)
filed a claim with the Spanish Data Protection Agency.


The claim is directed against ZARAGOZA CITY COUNCIL with NIF
P5030300G (hereinafter, the claimed part).

The grounds on which the claim is based are the dissemination of your health data through

email "without any type of seal or indication that marked it as
confidential".

According to what he explains, he had health problems derived from conflicts in the workplace and
went to the City Council's Occupational Safety and Prevention Service, which issued a

medical report that recommended he go to the Health Surveillance Unit
to assess an adaptation or a change of job.

Provide a copy of the medical report, dated August 13, 2021.

Said Surveillance Unit ruled, on August 17, 2021, the adaptation

of the tasks of your job (attach the document).

It states that said opinion, which had to be notified to the interested party and the
***POSITION.1, was sent on August 28, 2021, along with the medical report of the
Prevention and Occupational Safety Service of the City Council, without adopting safety measures

adequate security, allowing ***POSTO.2 to access his personal data.
health.

Specifies that the Zaragoza City Council, in order to carry out communications
confidential, has nominal corporate email accounts and a

Internal Communications Service -SIC-, but in its case, no use was made of the
email, nor the SIC, and it was decided to notify the opinion, with both reports,
by internal mail without any type of seal or indication that marked it as
confidential.

Along with the statement of claim, a copy of the reports and opinions referred to is provided.


You also provide a copy of the emails that contain your health data,
where the following text can be seen in each communication:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/13








"Legal warning: THIS EMAIL MAY CONTAIN
CONFIDENTIAL INFORMATION REFERRING TO NATURAL PERSONS."


The medical report of the Prevention and Prevention Service is attached as attached data.
City Council Job Security.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was communicated to the claimed party, on 10

March 2023, so that it could proceed with its analysis and inform this Agency in the
within one month, of the actions carried out to adapt to the requirements
provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of

October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on March 13, 2023 as
It appears in the acknowledgment of receipt that is in the file.

On April 11, 2023, this Agency received a response letter
indicating the following:


The Head of the Sports Service of the Zaragoza city council held a meeting
at the beginning of 2021 with the Municipal Data Protection Delegate, of the
which resulted in subsequent joint work to update regulations
current in this matter in such a way that the activity sheets of

processing of data that pertains to the Service for subsequent registration and the
rest of the measures recommended by the Municipal Delegate responsible for the
protection, including those related to the transfer of documentation by mail
electronic.


On August 18, 2021, the report issued to ***POSITION.1 by (…) in relation
to the worker D. A.A.A., is transferred - in an email attachment - to the
directly responsible for said worker, the (…) Mr. B.B.B..

In relation to the report that was transferred, it is necessary to highlight that the Service of
Prevention and Occupational Health, responsible for the processing of health data of the

workers, does not issue medical reports or data to this or any other municipal service
of workers' health.

The document transferred contained the opinion of the Prevention and Health Service
Labor on measures to adapt the functions to be performed by the

worker D. A.A.A., measures that had to be known and applied by their
immediate superior D. B.B.B..

Although the nominal account was not used for this transfer of documentation
D.B.B.B. corporate nor the Internal Communications Service -SIC-, the account

used ***EMAIL.1 is the priority use of the person in charge of the center, Mr. B.B.B. and
In his absence, only the personnel in whom he specifically
delegate.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/13








Despite this, the message contained all the guarantees of security and protection
of data, this is not only the name of your recipient and the content of the file you
was transferred but the legal warning/clause that both the Protection Regulation

of Data such as the Data Protection Law establish with all the information
necessary both to guarantee confidentiality and, where appropriate, to be able to
exercise the rights of access/rectification, cancellation and opposition at any time.
moment, a copy of the message sent is attached

THIRD: On April 25, 2023, in accordance with article 65 of the

LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: On June 27, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the claimed party,
for the alleged violation of article 5.1.f) of the RGPD and article 32 of the RGPD,

typified in article 83.5 of the RGPD and article 83.4 of the RGPD.

FIFTH: On July 10, 2023, this Agency receives a letter in
response to the agreement to initiate this sanctioning procedure, where the
claimed states the following:


“In the opinion of the AEPD, a personal data security breach is evident that
consisted of having transferred on August 18, 2021 to (…) Mr. B.B.B. -in
document attached by email - the report issued by the Municipal Service
of Prevention and Occupational Health in relation to the D.A.A.A. worker.


Although it is true that the account used ***EMAIL.1 for the transfer of the
documentation is the priority use of the person in charge of the center, Mr. B.B.B., and in his
absence is only suitable to open it the personnel to whom he specifically delegates,
We inform you that at the time the incident occurred, this Service was
was in the process of implementing the measures indicated by the Delegate

Municipal Data Protection, at that time D. C.C.C., and there may be
still some imbalances such as not using, in the case that is the subject of the claim
of D. A.A.A., the safest measures for the transfer of documentation such as
the Internal Communications System (SIC) or email accounts
corporate nominals.


This Service does not hesitate to affirm that this was an isolated event from which
took the appropriate measures, designating the means and authorized personnel that
I would carry out this type of documentation transfer with complete security by delegation
express of the Service Headquarters.”



SIXTH: On July 24, 2023, a proposed resolution was formulated,
proposing that by the Director of the Spanish Data Protection Agency:

     It is declared that ZARAGOZA CITY COUNCIL, with NIF P5030300G has

        violated the provisions of article 5.1.f) of the RGPD and article 32 of the RGPD,
        typified in article 83.5 of the RGPD and article 83.4 of the RGPD.
     The CITY COUNCIL OF ZARAGOZA, with NIF P5030300G, is ordered to
        Pursuant to article 58.2.d) of the RGPD, within 10 days, prove that your

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/13








        action has been adapted to the indicated data protection regulations, so
        such measures prevent the dissemination of health data through
        email, and it is proven that the appropriate measures have been adopted

        for the processing of these personal data to be carried out with complete security.

SEVENTH: On July 27, 2023, the claimed party, in response to the proposal of
indicated resolution, states the following:

“We reiterate what was already expressed by ***POS.1 in its report of July 6, 2023,

which was transferred on July 10, 2023 to that agency, in which the
error committed and it is indicated that the necessary measures have been taken so that
said situation could be repeated, designating the means and authorized personnel that
would transfer documentation with total security by express delegation of
said Service Headquarters.”



In view of everything that has been done, by the Spanish Data Protection Agency
In this procedure, the following are considered proven facts:

                                PROVEN FACTS


FIRST: On August 28, 2021, the dissemination of health data from the
claimant by the Occupational Prevention and Safety Service of the City Council of
Zaragoza using an email "without any type of seal or indication that
marked it as confidential", despite the existence of an email

corporate or internal communications service, for the submission of this type of
information, which allowed ***POSITION.2 to access the health data of the
claimant.

SECOND: The city council recognizes the reported facts, but affirms that
This is an isolated incident from which appropriate measures were taken.

designating the means and authorized personnel who would carry out this type of transfer of
documentation with total security by express delegation of the Service Headquarters.

                           FOUNDATIONS OF LAW


                                           Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and

guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/13








regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                            II

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is
the processing of personal data, since AYUNTACIÓN
carries out, among other treatments, the collection, conservation, use and dissemination of data.
personal details of the residents of the municipality, such as: name and surname and address

email…etc.

The CITY COUNCIL carries out this activity in its capacity as responsible for the treatment.
ment, given that he is the one who determines the ends and means of such activity, by virtue of the
cited article 4.7 of the RGPD.


Article 4 section 12 of the GDPR broadly defines “violations of security”.
security of personal data” (hereinafter security breach) as “all
those security violations that cause the destruction, loss or alteration
accidental or unlawful personal data transmitted, preserved or otherwise processed
form, or unauthorized communication or access to said data.”


In the present case, there is a personal data security breach dated 18
August 2021, through the report issued to ***POSITION.1 by (…) in relation
to the worker D. A.A.A., where he is transferred - in an email attachment -
to the direct manager of said worker, (…) Mr. B.B.B..


The document transferred contained the opinion of the Prevention and Health Service
Labor on measures to adapt the functions to be performed by the
worker D. A.A.A., measures that had to be known and applied by their
immediate superior D. B.B.B..


In its defense, the city council has indicated that although for this transfer of
documentation was not used the corporate nominal account of D. B.B.B. nor the Service
Communications Internal -SIC-, the account used ***EMAIL.1 is priority use
of the person in charge of the center, Mr. B.B.B. and in its absence it is only suitable to open it
the personnel to whom he specifically delegates.


It should be noted that the receipt of a complaint about a security breach
does not imply the imposition of a sanction directly, since it is necessary to analyze
the diligence of those responsible and in charge and the security measures applied,
in accordance with the provisions of article 32 of the GDPR.


                                            III

Article 5.1.f) “Principles relating to processing” of the GDPR establishes:


"1. The personal data will be:
(…)



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/13








f) processed in such a way as to ensure adequate security of personal data.
sonals, including protection against unauthorized or unlawful processing and against its
accidental loss, destruction or damage, through the application of technical measures or

appropriate organizational measures (“integrity and confidentiality”).”

In this case, a claim is filed because on August 18, 2021,
A report has been issued to ***POSAL.1 by (…) Mr. A.A.A., via email
electronic "without any type of seal or indication that marked it as confidential."


In this sense, the Zaragoza city council responds that although for this transfer
of documentation, the corporate nominal account of D. B.B.B. was not used. neither him
Internal Communications Service -SIC-, the account used ***EMAIL.1 is for use
priority of the person in charge of the center, Mr. B.B.B. and in its absence it is only suitable
to open it the personnel to whom he specifically delegates, so the

Zaragoza city council considers that the message contained all the guarantees of
security and data protection, this is not only the name of your recipient and the
content of the file that was being transferred but the legal warning/clause that both the
Data Protection Regulations such as the Data Protection Law establish
with all the information necessary both to guarantee confidentiality and, in
where appropriate, to be able to exercise the rights of access/rectification, cancellation and

opposition at any time.

Despite such statements, it has been found that the city council has been trying
the following personal data of the complaining party: the name and surname, as well as
as personal health data, without respecting the principle of integrity and

confidentiality in your treatment.

These facts imply that the claimed party is violating article 5.1 f) of the
GDPR, indicated in legal basis II for violating the duty of
confidentiality of the personal data it processes when it was confirmed that a

message to the address ***EMAIL.1, which according to the City Council is a priority use of the
responsible for the center, Mr. B.B.B. and in its absence only the
personnel to whom he specifically delegates.

Although they report “that at the time the incident occurred this Service was
was in the process of implementing the measures indicated by the Delegate

Municipal Data Protection, at that time D.C.C.C., and there may be
still some imbalances such as not using, in the case object of the claim of
D. A.A.A., the safest measures for the transfer of documentation such as
Internal Communications System (SIC) or email accounts
corporate nominals.


Therefore, this Agency considers that making the data available to
unauthorized persons constitutes a violation of art. 5.1.f) of the RGPD attributable to
this case to the ZARAGOZA CITY COUNCIL.


                                           IV




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/13








The aforementioned violation of article 5.1.f) of the RGPD implies the commission of the violations
typified in article 83.5 of the RGPD that under the heading “General conditions
for the imposition of administrative fines” provides:


“Infringements of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20 000 000 or, trying-
of a company, of an amount equivalent to a maximum of 4% of the volume of
global annual total business of the previous financial year, opting for the highest
amount:


a) the basic principles for the treatment, including the conditions for consent
ment under articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that:


“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contra-
rias to this organic law.”

For the purposes of the limitation period, article 72 “Infringements considered very serious”

you see” of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve
a substantial violation of the articles mentioned therein and, in particular, the

following:

a) The processing of personal data violating the principles and guarantees established
two in article 5 of Regulation (EU) 2016/679. (…)”


                                            V

Article 83 “General conditions for the imposition of administrative fines” of the
GDPR section 7 states:

“Without prejudice to the corrective powers of the supervisory authorities under the art.

Article 58(2), each Member State may lay down rules on whether
of, and to what extent, imposing administrative fines on authorities and public bodies
“warfare establishments established in that Member State.”

Likewise, article 77 “Regime applicable to certain categories of liability”

bles or those in charge of treatment” of the LOPDGDD provides the following:

"1. The regime established in this article will apply to the treatments of
who are responsible or in charge: ...


c) The General Administration of the State, the Administrations of the autonomous communities
tonomas and the entities that make up the Local Administration…



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/13








2. When the persons responsible or in charge listed in section 1 commit
any of the infractions referred to in articles 72 to 74 of this organizational law.
only, the competent data protection authority will issue a resolution

declaring the infringement and establishing, where appropriate, the appropriate measures adopted.
to stop the conduct or correct the effects of the infraction that has occurred.
committed, with the exception of that provided for in article 58.2.i of the Regulation (EU)
2016/679 of the European Parliament and of the Council, of April 27, 2016.

The resolution will be notified to the person responsible or in charge of the treatment, to the body of the

that depends hierarchically, if applicable, and to those affected who have the condition
of interested party, if applicable.

3. Without prejudice to what is established in the previous section, the authority for the protection of
data will also propose the initiation of disciplinary actions when there are

sufficient evidence for this. In this case, the procedure and sanctions to apply
will be those established in the legislation on disciplinary or sanctioning regime that
results of application.

Likewise, when the infractions are attributable to authorities and managers, and are
prove the existence of technical reports or recommendations for the treatment that

had not been duly attended to, in the resolution in which the
sanction will include a reprimand with the name of the responsible position and
will order the publication in the Official State or autonomous Gazette that
correspond.


4. The resolutions that
fall in relation to the measures and actions referred to in the sections
previous.

5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions

of the autonomous communities the actions carried out and the resolutions issued
under this article. (…)”

For the purposes specified in the art. 64.2 b) of law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations, the sanction
It would be an administrative fine.


Therefore, the aforementioned violation of article 5.1.f) of the RGPD, in accordance with art. 83.7
of the RGPD, and the provisions of article 77.2 of the LOPDGDD, by the category of the
subject allegedly responsible for the infringement, is replaced by the declaration of
infringement of the ZARAGOZA CITY COUNCIL.


                                            SAW

Article 32 “Security of processing” of the GDPR establishes:


"1. Taking into account the state of the art, the application costs, and the nature
za, the scope, context and purposes of the processing, as well as probability risks
and severity for the rights and freedoms of natural persons, the responsibility
sable and the person in charge of the treatment will apply appropriate technical and organizational measures.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/13








measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes
already, among others:


a) pseudonymization and encryption of personal data;
b) the ability to guarantee confidentiality, integrity, availability and resilience
permanent treatment systems and services;
c) the ability to restore the availability and access to personal data permanently.
quick response in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of the

technical and organizational measures to guarantee the security of the treatment.

2. When evaluating the adequacy of the security level, particular consideration will be given to
ta the risks presented by data processing, in particular as a consequence
of the accidental or unlawful destruction, loss or alteration of personal data transmitted

stored, preserved or otherwise processed, or unauthorized communication or access.
two to said data.

3. Adherence to a code of conduct approved under Article 40 or to a mechanism
Certification system approved in accordance with Article 42 may serve as an element for
demonstrate compliance with the requirements established in section 1 of this

article.

4. The controller and the person in charge of the treatment will take measures to ensure that
any person acting under the authority of the person in charge or in charge and having
ga access to personal data can only process said data following instructions

of the controller, unless it is obliged to do so by virtue of Union law or
Member States”.

In the present case, at the time of the security breach, there is no evidence
that the ZARAGOZA CITY COUNCIL had reasonable security measures

bles based on the estimated possible risks.

This is so, since the CITY COUNCIL has not taken into account basic aspects
such as the use of registered corporate accounts and also sending through
a courier system that guarantees that delivery is made only at charge
who, due to their functions, must have access to the documentation.


Therefore, it is considered that the known facts constitute an infringement.
tion, attributable to the ZARAGOZA CITY COUNCIL, for violation of article 32
of the GDPR.


                                            VII

The aforementioned violation of article 32 of the RGPD implies the commission of typical violations.
pified in article 83.4 of the RGPD that under the heading “General conditions for
the imposition of administrative fines” provides:


“Infringements of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 10 000 000 or, trying-
of a company, of an amount equivalent to a maximum of 2% of the volume of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/13








global annual total business of the previous financial year, opting for the highest
amount:


5) the obligations of the controller and the processor in accordance with articles 8, 11,
25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “Consti-
The acts and conduct referred to in sections 4, 5 and 6 are considered infractions.
of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to

this organic law.”

For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:


“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that involve a violation.
substantial portion of the articles mentioned therein and, in particular, the following:
…
f) The lack of adoption of those technical and organizational measures that result
appropriate to guarantee a level of security appropriate to the risk of the treatment,

in the terms required by article 32.1 of Regulation (EU) 2016/679.” (…)

                                           VIII

Article 83 “General conditions for the imposition of administrative fines” of the

GDPR section 7 states:

“Without prejudice to the corrective powers of the supervisory authorities under the art.
Article 58(2), each Member State may lay down rules on whether
of, and to what extent, imposing administrative fines on authorities and public bodies

“warfare establishments established in that Member State.”

Likewise, article 77 “Regime applicable to certain categories of liability”
bles or those in charge of treatment” of the LOPDGDD provides the following:

"1. The regime established in this article will apply to the treatments of

who are responsible or in charge: …

c) The General Administration of the State, the Administrations of the autonomous communities
tonomas and the entities that make up the Local Administration…


2. When the persons responsible or in charge listed in section 1 commit
any of the infractions referred to in articles 72 to 74 of this organizational law.
only, the competent data protection authority will issue a resolution
sanctioning them with a warning. The resolution will also establish the
measures that should be adopted to stop the conduct or correct the effects of the

infraction that has been committed.

3. Without prejudice to what is established in the previous section, the authority for the protection of
data will also propose the initiation of disciplinary actions when there are

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/13








sufficient evidence for this. In this case, the procedure and sanctions to apply
will be those established in the legislation on disciplinary or sanctioning regime that
results of application.


Likewise, when the infractions are attributable to authorities and managers, and are
prove the existence of technical reports or recommendations for the treatment that
had not been duly attended to, in the resolution in which the
sanction will include a reprimand with the name of the responsible position and
will order the publication in the Official State or autonomous Gazette that

correspond.

4. The resolutions that
fall in relation to the measures and actions referred to in the sections
previous.


5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued
under the protection of this article.”

For the purposes provided for in article 64.2 b) of law 39/2015, of October 1, of the

Common Administrative Procedure of Public Administrations, the sanction that
It corresponds to an administrative fine.

Therefore, the aforementioned violation of article 32 of the RGPD, in accordance with article 83.7
of the RGPD, and the provisions of article 77.2 of the LOPDGDD, by the category of the

subject allegedly responsible for the infraction, said sanction is replaced by the
declaration of violation to the CITY COUNCIL.

                                           IX


In accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which
Each control authority may “order the person responsible or in charge of the treatment
that the processing operations comply with the provisions of this
Regulation, where appropriate, in a certain manner and within a period
specified…".


Specifically, it will be required to prove that their actions have been adapted to the
data protection regulations indicated in the legal foundations, so
that such measures prevent the dissemination of health data via email,
and it is proven that the appropriate measures have been adopted so that the treatment of
These personal data are carried out with total security and in accordance with the regulations of

data protection indicated above.

The imposition of this measure is compatible with the sanction consisting of a declaration
of administrative infringement, in accordance with the provisions of article 83.2 of the RGPD.


The claimed party states that at the time the incident occurred,
was in the process of implementing the measures indicated by the Delegate
Municipal Data Protection, and there may still be some imbalances, as
use safer measures for the transfer of documentation such as the System

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/13








Internal Communications (SIC) or nominal email accounts
corporate.


Likewise, the claimed party acknowledges the error committed and indicates that appropriate measures have been taken.
the necessary measures so that this situation could not be repeated, designating the
means and authorized personnel who would carry out the transfer of documentation with total
security by express delegation of said Service Headquarters.

However, in the allegations presented throughout the procedure, no

provided documents that allow verifying the adoption of these new measures of
security that prevents the repetition of the reported events.

It is warned that failure to comply with the order to adopt measures imposed by this
body in the sanctioning resolution may be considered as an infraction

administrative in accordance with the provisions of the RGPD, classified as an infringement in its
article 83.5 and 83.6, such conduct may motivate the opening of a subsequent
administrative sanctioning procedure.

Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of sanctions whose existence has been proven,


the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE that the CITY COUNCIL OF ZARAGOZA, with NIF
P5030300G, has violated the provisions of article 5.1.f) of the RGPD and article 32 of the

GDPR, violations classified in article 83.5 of the GDPR and article 83.4 of the GDPR
respectively.

SECOND: ORDER to the CITY COUNCIL OF ZARAGOZA, with NIF P5030300G,
that under article 58.2.d) of the RGPD, within a period of 3 months, proves that your

action has been adapted to the indicated data protection regulations, so
that such measures prevent the dissemination of health data via email,
and it is proven that the appropriate measures have been adopted so that the treatment of
These personal data are carried out with complete security.


THIRD: NOTIFY this resolution to the CITY COUNCIL OF ZARAGOZA.

FOURTH: COMMUNICATE this resolution to the Ombudsman,
in accordance with the provisions of article 77.5 of the LOPDGDD.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/13









the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the

cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the

notification of this resolution would terminate the precautionary suspension.


                                                                                938-010623
Sea Spain Martí
Director of the Spanish Data Protection Agency





































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es