AEPD (Spain) - EXP202204501
From GDPRhub
| AEPD - EXP202204501 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR Article 37 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 22.03.2022 |
| Decided: | 29.01.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Ayuntamiento de Llucmajor |
| National Case Number/Name: | EXP202204501 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
A public institution improperly stored a document with employees' personal data on its intranet. The DPA found violations of the principle of confidentiality, security measure requirements, and the obligation to designate a data protection officer.
English Summary
Facts
On 1 December 2021, a PDF was created by the resource management department of the local police of Llucmajor (the controller). The document contained the personal data of 47 police agents, including their first names, surnames, agent numbers, and sick leave information. On 12 January 2022, the document was posted on the intranet of the Llucmajor government in the ‘local police’ folder, within a subfolder labeled ‘photocopier.’ A complaint was filed with the DPA on 22 March 2022, and the DPA subsequently conducted an investigation. The controller reported that access to the document was meant to be restricted to the police headquarters and their staff, but due to an error, it was not deleted and remained in the ‘photocopier’ folder for several days. The controller also noted that the document was accessed by individuals who were not its intended recipients. In its investigation, the DPA also noted that there is no evidence the controller had a designated data protection officer.
Holding
The DPA held that the controller violated Articles 5(1)(f), 32, and 37 GDPR. Pursuant to Article 58(2)(d), it ordered the controller to bring processing operations into compliance within 6 months. No other corrective measures were issued. First, the DPA found that the controller violated the principle of confidentiality guarded by Article 5(1)(f) GDPR because, by keeping the document containing personal data in the ‘photocopier’ folder for a number of days rather than being immediately deleted, the personal data was exposed to unauthorised third parties. Second, the DPA held that the controller lacked appropriate security measures to protect against data breaches pursuant to Article 32 GDPR. The DPA noted that there was no measure to ensure that documents placed in the ‘photocopier’ folder were properly deleted. In addition, the folder granted access to a number of users beyond the intended recipients. Finally, the controller violated Article 37 GDPR because it did not have a designated data protection officer or, if it did, failed to communicate the officer to the DPA.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/20
File No.: EXP202204501
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based
to the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the complaining party) dated March 22, 2022
filed a claim with the Spanish Data Protection Agency. The
claim is directed against LLUCMAJOR CITY COUNCIL with NIF P0703100H
(hereinafter, the claimed party or the City Council). The reasons on which the
claim are the following:
The complaining party, local police from the LLUCMAJOR CITY COUNCIL, states that,
In December 2021, a PDF document has been published on the intranet with the
name "Unsubscriptions until 11/30/21", available to all users, which contains the
names and surnames of 47 agents, agent number, position, sick leave days of each
one and the percentage of annual work absenteeism it represents. Consider that they are
data that should only be accessed by STAFF members, the Chief of Police
Local and human resources members.
It indicates that, on January 12, 2022, the Local Police Chief published a circular, with
the title "Dismissals and illnesses", congratulating the agents who had not
state of discharge and recriminating and questioning the discharge of the remaining agents. HE
They provide the two documents referred to, as well as evidence of publication.
The complaining party also states that, after consulting the Agency, it invites it
to raise the issue with the Data Protection Officer (hereinafter, DPD) of the
City Council, confirming that the claimed party has not proceeded to its
appointment despite legal obligation since May 2018.
Lastly, he stated that on the date of presentation of the claim the document
was still published.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the City Council of
Llucmajor, so that it could proceed with its analysis and inform this Agency within the period of
one month, of the actions carried out to adapt to the requirements provided in
data protection regulations.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on April 21, 2022 as
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/20
It appears in the acknowledgment of receipt that is in the file. Dated June 24,
2022 the City Council requested an extension of the deadline to respond to the letter
of transfer, which was granted.
On July 6, 2022, this Agency received a response letter sent
by the City Council. The same sends a report from the City Council of July 1, 2022,
which, among other aspects, highlights the following:
"3. It is not true that a PDF document was published on the Police intranet, when
reach all users, with personal data referring to the days of
dismissal of agents.
4. That it was verified how the controversial document, at the time, was
saved in a temporary folder for printing, named “
photocopier”, where documents are stored before being printed on the
photocopier. Evidently the report had restricted access to the Headquarters
and his Staff. Resulting in that after its edition, by mistake, it was not
deleted, as is usually done with this type of files. Being
deleted days later, when checking how the writing was still in the folder
mentioned and that had been consulted by people who were not the
recipients thereof.
5. That the document is not still published nor was it published at any time in the
Police intranet.
6. Indeed, the Headquarters published a circular, in which and in a manner
generic, the workforce was informed of the global absenteeism data.
We understand that this information is relevant and that it should be known by
all the workers of the department, since as a public service that
we are, high levels of absenteeism make it difficult to provide a satisfactory response to
the needs of citizens, while affecting the conditions of
work of the entire group, by causing, in some cases, the denial
of permits and licenses provided for in the legislation, due to the obligation to
“prioritize service needs that would otherwise not be met.”
THIRD: On June 22, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.
FOURTH: ON July 13, 2022, after having analyzed the documentation that
appeared in the file, a resolution was issued by the Director of the Spanish Agency
of Data Protection, agreeing to file the claim. The resolution was
notified to the claimant, on July 27, 2022, as evidenced in the
proceedings.
FIFTH: On August 9, 2022, the complaining party filed an appeal
optional replacement through the Electronic Registry of the AEPD, against the
resolution relapsed into the file, in which he showed his disagreement with the
contested resolution and requested that the processing of the claim continue
initial presented.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/20
SIXTH: On February 23, 2023, the appeal filed was sent to the party
claimed within the framework of the provisions of article 118.1 of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations
(hereinafter, LPACAP) for the purposes of formulating the allegations and presenting
the documents and supporting documents that it considers appropriate, which has been verified
by written response dated May 3, 2023.
SEVENTH: On May 31, 2023, it was issued by the Director of the Agency
Spanish Data Protection Authority estimating the appeal for reconsideration filed by the
claimant.
The second legal basis of said resolution states:
“
II
Response to the allegations presented
"In the appeal for reconsideration, he alleges that it is not true that the document was not published
on the intranet, since the “photocopier” folder mentioned is precisely
on the service's intranet, its use being unnecessary to send a file to print
or photocopy.
Likewise, it considers that, although the document has been withdrawn, the infringement has already been
has occurred and sanctioning proceedings should be initiated.
Finally, it highlights that the requested party has still not been appointed DPD despite
to have a legal obligation to do so, which leaves citizens in a situation of
helplessness.
In relation to these allegations, the claimed party has informed, in the response
upon initial transfer, that the document was placed in a folder accessible to
third parties prior to sending it to print, remaining in the same for
mistake. No representations are made in relation to the lack of appointment of
DPD.
In accordance with article 5.1.f) of the RGPD:
f) treated in such a way as to ensure adequate safety of the
personal data, including protection against unauthorized processing or
unlawful and against its loss, destruction or accidental damage, through the application
of appropriate technical or organizational measures ("integrity and
confidentiality»).
Likewise, article 32 provides:
1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the processing, as well as risks
of varying probability and severity for the rights and freedoms of
natural persons, the person responsible and the person in charge of the treatment will apply
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/20
appropriate technical and organizational measures to ensure a level of
security appropriate to the risk, which, where appropriate, includes, among others:
a) pseudonymization and encryption of personal data;
b) the ability to guarantee the confidentiality, integrity,
permanent availability and resilience of security systems and services
treatment;
c) the ability to restore availability and access to data
personnel quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the
effectiveness of technical and organizational measures to ensure the
safety of treatment.
2. When evaluating the adequacy of the security level, particular consideration will be given to
take into account the risks presented by data processing, in particular as
consequence of the accidental or unlawful destruction, loss or alteration of
personal data transmitted, stored or otherwise processed, or the
unauthorized communication or access to said data.
3. Adherence to a code of conduct approved pursuant to Article 40 or to a
certification mechanism approved pursuant to Article 42 may serve as a
element to demonstrate compliance with the requirements established in the
section 1 of this article.
4. The controller and the person in charge of the treatment will take measures to
ensure that any person acting under the authority of the person responsible or
of the person in charge and has access to personal data can only process said
data following instructions from the person responsible, unless obliged to do so
under Union or Member State law.
On the other hand, with respect to the appointment of the Data Protection Officer, the
Article 37 of the GDPR provides:
1. The person responsible and the person in charge of the treatment will designate a delegate of
data protection provided that:
a) the treatment is carried out by a public authority or body,
except courts acting in the exercise of their judicial function; […]
In response to the hearing process, the claimed party has stated the following:
“That is ratified in the entire content of the report signed on the day
07/01/2022.
Interesting to state a new point […] the content of the file
called by the appellant as “Baixes fins el 30-11-2021” as the
generic information contained in the Headquarters circular, which does not contain
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/20
personal data, could be obtained by reviewing the data sheets
“Daily Service” mentioned.”
Without making any statement regarding the lack of appointment of DPD.
Therefore, in the present case, the appeal filed is upheld.”
EIGHTH: On November 15, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the claimed party,
by:
-The alleged violation of Article 5.1.f) of the RGPD, typified in the article
83.5.a), and classified as very serious for the purposes of prescription in the article
72.1 a) of the LOPDGDD.
-The alleged violation of Article 32 of the RGPD, typified in article 83.4
a), and classified as serious for the purposes of prescription in article 73 f) of the
LOPDGDD.
-The alleged violation of Article 37 of the RGPD, typified in article 83.4
a), and classified as serious for the purposes of prescription in article 73 v) of the
LOPDGDD.
NINTH: The aforementioned initiation agreement has been notified in accordance with the established rules
in Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP) and after the period granted
for the formulation of allegations, it has been verified that no allegation has been received
any by the claimed party.
Article 64.2.f) of the LPACAP - provision of which the claimed party was informed
in the agreement to open the procedure - establishes that if no
allegations within the stipulated period regarding the content of the initiation agreement, when
This contains a precise statement about the imputed responsibility,
may be considered a proposal for a resolution. In the present case, the agreement
beginning of the sanctioning file determined the facts in which the
imputation, the violation of the RGPD attributed to the person complained of and the sanction that could be
impose Therefore, taking into consideration that the claimed party has not
made allegations to the agreement to initiate the file and in response to what
established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is
considered in the present case proposed resolution.
In view of everything that has been done, by the Spanish Data Protection Agency
In this procedure, the following are considered proven facts:
PROVEN FACTS
FIRST: On December 1, 2021, in the resource management department of
the Local Police of the Llucmajor City Council, a PDF document called-
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/20
do “baixes fins a 30-11-2021” (Discharges until 30-11-2021), which contained the names and
surnames of 47 agents, as well as other personal data relating to said agents
agents (agent number, position, sick days, and absenteeism percentage
labor), which was published on the intranet of the Llucmajor City Council.
In several of the screenshots provided by the claimant along with his writing
of claim, there is the document called “baixes fins a 30-11-2021” (Baixes fins a 30-11-2021)
until 11-30-2021) was created on December 1, 2021 at 9:38.
Likewise, these screenshots show that the document called
“Baixes fins a 30-11-2021” (Baixes fins a 30-11-2021) was located in the folder
called “Plocal” (Local Police) on the Intranet of the Llucmajor City Council, some
Some of these screenshots show the access path to said folder.
SECOND: The document “baixes fins a 30-11-2021” (Deregistrations until 30-11-2021), in
At first, it was housed in the folder called “photocopier”.
The Llucmajor City Council recognizes that the document called “baixes fins a
11-30-2021” (Unsubscribes until 11-30-2021), by mistake, was not eliminated and remained in
the temporary folder called “photocopier” for several days,
In the City Council report dated July 1, 2022, it stands out:
"4. That it was proven how the controversial document, at the time, was
saved in a temporary folder for printing, named “photocopier”,
where documents are stored before being printed on the photocopier.
Evidently the report had restricted access to the Headquarters and its Staff.
Resulting in that after its edition, by mistake, it was not deleted, as
usually does with this type of files. Being eliminated days later,
upon checking how the writing was still in the mentioned folder and that there had been
“has been consulted by people who were not its recipients.” (the su-
brayado is ours).
THIRD: The Llucmajor City Council recognizes that, when the document denotes
mined “baixes fins a 30-11-2021” (Baixes fins a 30-11-2021) was housed in the
photocopier folder, people who were not recipients of said document, had
ron access to its content:
This is recognized by the City Council in its report of July 1, 2022:
"4. That it was proven how the controversial document, at the time, was
saved in a temporary folder for printing, named “photocopier”,
where documents are stored before being printed on the photocopier.
Evidently the report had restricted access to the Headquarters and its Staff.
Resulting in that after its edition, by mistake, it was not deleted, as
usually does with this type of files. Being eliminated days later,
upon checking how the writing was still in the mentioned folder and that there had been
“has been consulted by people who were not its recipients.” (the su-
brayado is ours).
FOURTH: When the document called “baixes fins a 30-11-2021” (Deregistrations until
on 11-30-2021) was hosted in the folder called “Plocal” of said intranet, possibly
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/20
The personnel of the Local Police of the City Council, among others, could have access to it.
I lie.
This is shown in the screenshot called Annex 2, sent to the AEPD along with
with the claim, showing the user groups that had access to
said document:
Computer science
Local Police
Local Police Staff
Administrator
Administrators
FIFTH: There is no evidence that the Llucmajor City Council has appointed a
Data Protection Officer and has communicated it to the AEPD.
In the file, there is a verification carried out by AEPD personnel on 8
April 2022 at 2:40 p.m. in the Electronic Headquarters section of this Agency called
mined “DPD Consultation”, in which it is verified that the Llucmajor City Council has not
communicated to this Agency the contact details of your DPO.
FOUNDATIONS OF LAW
Yo
Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47 and 48.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
II
Previous issues
The Llucmajor City Council, like any other public entity, is obliged to
compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council,
of April 27, 2016, relating to the protection of natural persons in relation to
concerns the processing of personal data and the free circulation of these data
-RGPD-, and LO 3/2018, of December 5, on Protection of Personal Data and
Guarantee of Digital Rights -LOPDGDD- with respect to the processing of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/20
personal data that they make, understanding personal data,
“any information about an identified or identifiable natural person.”
An identifiable natural person is considered one whose identity can be determined,
directly or indirectly, in particular through an identifier, such as a
name, an identification number, location data, an online identifier or
one or more elements of the physical, physiological, genetic, psychological identity,
economic, cultural or social of said person.
Likewise, treatment should be understood as “any operation or set of operations”.
rations made on personal data or sets of personal data, whether
by automated or non-automated procedures, such as collection, registration, organization, es-
structuring, conservation, adaptation or modification, extraction, consultation, use-
tion, communication by transmission, dissemination or any other form of enabling
access, collation or interconnection, limitation, deletion or destruction.”
Taking into account the above, the Llucmajor City Council would have processed the data
of a personal nature of 47 local police officers in the document with the title
“baixes fins a 30-11-2021” (Discharges until 30-11-2021) about which the claim relates.
tion that has given rise to this sanctioning file.
You carry out this activity in your capacity as data controller, given that it is
who determines the ends and means of such activity, pursuant to article 4.7 of the
GDPR:
"responsible for the treatment" or "responsible": the natural or legal person, authority
public, service or other body that, alone or together with others, determines the purposes and
means of treatment; whether the law of the Union or of the Member States determines
the purposes and means of the treatment, the person responsible for the treatment or the criteria es-
Specific conditions for his appointment may be established by the Law of the Union or of the
Member states.
Article 4 section 12 of the GDPR broadly defines “violations of
security of personal data” (hereinafter security breach or data breach).
personal cough) as “all those security violations that cause the
accidental or unlawful destruction, loss or alteration of transmitted personal data,
preserved or otherwise processed, or unauthorized communication or access to
said data.”
III
Violation of article 5.1 f) of the GDPR
Article 5.1.f) of the GDPR, Principles relating to processing, states the following:
"1. The personal data will be:
(…)
f) treated in such a way as to ensure adequate safety of the
personal data, including protection against unauthorized processing or
unlawful and against its loss, destruction or accidental damage, through the application
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/20
of appropriate technical or organizational measures ("integrity and
confidentiality»)”.
In the case examined in this sanctioning file, the claimant affirms that in
In December, a PDF document was published on the City Council's intranet with the title
“Baixes fins a 30-11-2021” (Discharges until 30-11-2021).
Along with your claim, you have provided the aforementioned document, consisting of two pages.
nas, which includes the casualties of local police officers related to the period
lit between January 1 and November 30, 2021. Likewise, the si-
following personal data relating to 47 police officers (the agent number, the
position, the first and both surnames, the days of sick leave and the percentage of absenteeism
boral).
Along with his claim, he has also sent several screenshots. In the same
but you can see images from the City Council intranet, folder called
“Plocal” (Local Police), which includes the PDF document called “baixes fins a
11-30-2021” (Unsubscription until 11-30-2021), created on December 1, 2021.
In the report of the Llucmajor City Council dated July 1, 2022, prepared in
response to the transfer of the AEPD, it stood out:
"3. It is not true that a PDF document was published on the Police intranet, when
reach all users, with personal data referring to the days of
dismissal of agents.
4. That it was verified how the controversial document, at the time, was
saved in a temporary folder for printing, named “
photocopier”, where documents are stored before being printed on the
photocopier. Evidently the report had restricted access to the Headquarters
and his Staff. Resulting in that after its edition, by mistake, it was not deleted.
do, as is usually done with this type of files. being eliminated
days later, upon seeing how the writing was still in the aforementioned folder and
that had been consulted by people who were not the recipients of the same
mo.
5. That the document is not still published nor was it published at any time in the
Police intranet.
6. Indeed, the Headquarters published a circular, in which and in a general manner
ca, the staff was informed of the global absenteeism data. Understand-
We believe that this information is relevant and that it should be known by all
department workers, since as a public service that we are, we
high levels of absenteeism make it difficult to respond satisfactorily to the needs
citizens, while affecting the working conditions of
the entire group, by causing, in some cases, the denial of permissions.
rights and licenses provided for in the legislation, due to the obligation to prioritize the
service needs that would otherwise not be met.”
Therefore, in said report, the City Council recognizes that the document
ment called “baixes fins a 30-11-2021” (Withdrawals until 30-11-2021), by mistake,
was not deleted and remained in the temporary folder called “copier” for the duration.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/20
for several days, being consulted by people who were not recipients of the same.
mo.
From the information in the file, it appears that the aforementioned document,
“baixes fins a 30-11-2021” (Discharges until 30-11-2021), at first, was
housed in the folder called “photocopier”.
Subsequently, at the time the claimant took the image captures
that accompany his statement of claim, appeared in the folder called “Plo-
cal” on the City Council intranet.
In the present case, the personal data breach must be classified as confidential.
ity, given that as a consequence of the same the data of 47 police officers
premises would have been unduly exposed to third parties, violating the principle
of confidentiality. Circumstance that constitutes a violation of the provisions of the
article 5.1.f) of the RGPD.
IV
Classification and classification of the violation of article 5.1 f) of the RGPD
The aforementioned violation of article 5.1 f) of the RGPD implies the commission of one of the
violations classified in article 83.5 of the RGPD that under the heading “Conditions
general rules for the imposition of administrative fines” provides:
"5. Violations of the following provisions will be sanctioned, according to
with paragraph 2, with administrative fines of EUR 20 000 000 as
maximum or, in the case of a company, an amount equivalent to 4%
maximum of the overall total annual turnover of the financial year
above, opting for the highest amount:
a) the basic principles for the treatment, including the conditions for the
consent in accordance with articles 5, 6, 7 and 9;”
In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”
For the purposes of the limitation period, article 72 “Infringements considered very
“serious” of the LOPDGDD indicates:
"1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will expire after three years.
infractions that involve a substantial violation of the articles
mentioned in that and, in particular, the following:
a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679.”
V
Penalty for violation of article 5.1 f) of the GDPR
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/20
Article 83 “General conditions for the imposition of administrative fines” of the
GDPR section 7 states:
“Without prejudice to the corrective powers of the supervisory authorities under
of Article 58(2), each Member State may establish rules
whether it is possible, and to what extent, to impose administrative fines on authorities
public entities and bodies established in said Member State.”
Likewise, article 77 “Regime applicable to certain categories of
responsible or in charge of processing” of the LOPDGDD provides the following:
"1. The regime established in this article will apply to the treatments
of those who are responsible or in charge:
c) The General Administration of the State, the Administrations of the
autonomous communities and the entities that make up the Local Administration
(…)
2. When the persons responsible or in charge listed in section 1
commit any of the infractions referred to in articles 72 to
74 of this organic law, the data protection authority that results
competent authority will issue a resolution declaring the infraction and establishing, in its
case, the measures that should be adopted to stop the conduct or correct it.
the effects of the infraction that has been committed, with the exception of the
provided for in article 58.2.i of Regulation (EU) 2016/679 of the Parliament
European Parliament and of the Council, April 27, 2016.
The resolution will be notified to the person responsible or in charge of the treatment, to the
body on which it depends hierarchically, if applicable, and to those affected who
had the status of interested party, if applicable.
(…)
4. The data protection authority must be informed of the
resolutions that fall in relation to the measures and actions to which
refer to the previous sections.
5. They will be communicated to the Ombudsman or, where appropriate, to the institutions
analogous of the autonomous communities the actions carried out and the
resolutions issued under this article.
6. When the competent authority is the Spanish Agency for the Protection of
Data, it will publish on its website with due separation the
resolutions referring to the entities of section 1 of this article, with
expresses indication of the identity of the person responsible or in charge of the treatment
who had committed the infraction.
(…)”
It is understood that a violation of article 5.1 f) of the RGPD has been committed, and it is necessary to declare
the infringement of the Llucmajor City Council.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/20
SAW
Violation of article 32 of the GDPR
Article 32 of the GDPR, security of processing, establishes the following:
"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the processing, as well as risks of
variable probability and severity for people's rights and freedoms
physical, the person responsible and the person in charge of the treatment will apply technical and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which, if applicable, includes, among others:
a) pseudonymization and encryption of personal data;
b) the ability to guarantee the confidentiality, integrity, availability and
permanent resilience of treatment systems and services;
c) the ability to restore availability and access to data
personnel quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of effectiveness
of the technical and organizational measures to guarantee the security of the
treatment.
2. When evaluating the adequacy of the security level, particular consideration will be given to
take into account the risks presented by data processing, in particular as
consequence of the accidental or unlawful destruction, loss or alteration of
personal data transmitted, stored or otherwise processed, or the
unauthorized communication or access to said data (The emphasis is
our).
(…)
4. The controller and the person in charge of the treatment will take measures to
ensure that any person acting under the authority of the person responsible or
of the person in charge and has access to personal data can only process said
data following the instructions of the person responsible, unless required to
this by virtue of the law of the Union or of the Member States.”
For its part, recital 74 of the GDPR provides the following:
“The responsibility of the person responsible for the treatment must be established
for any processing of personal data carried out by himself or his
account. In particular, the person responsible must be obliged to apply measures
timely and effective and must be able to demonstrate the conformity of the
processing activities with this Regulation, including the effectiveness of
measures. These measures must take into account the nature, scope,
context and purposes of the processing as well as the risk to the rights and
freedoms of natural persons.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/20
In this sense, recital 75 of the GDPR lists a series of factors or
assumptions associated with risks to the rights and freedoms of the interested parties: (the
emphasis is ours)
“The risks to the rights and freedoms of natural persons, of
variable severity and probability, may be due to data processing that
could cause physical, material or immaterial damage and harm, in
particularly in cases where treatment may give rise to problems
of discrimination, identity theft or fraud, financial loss, harm
for reputation, loss of confidentiality of data subject to secrecy
professional, unauthorized reversal of pseudonymization or any other
significant economic or social harm; In cases where the
interested parties of their rights and freedoms or are prevented from exercising control
about your personal data; in cases where personal data
treaties reveal ethnic or racial origin, political opinions, religion or
philosophical beliefs, militancy in unions and data processing
genetic data, data relating to health or data on sexual life, or the
criminal convictions and offenses or related security measures; in the
cases in which personal aspects are evaluated, in particular the analysis or
prediction of aspects related to performance at work, situation
economic, health, personal preferences or interests, reliability or
behavior, situation or movements, in order to create or use profiles
personal; in cases in which personal data of people are processed
vulnerable, particularly children; or in cases where the treatment
involves a large amount of personal data and affects a large number of
interested.” (emphasis is ours)
In the case analyzed in this file, the processing of data of a nature
personnel of the 47 local police officers would not have been accompanied by some
appropriate security measures.
The Llucmajor City Council has not provided documentation that proves the
existence of appropriate security measures intended to prevent a breach of
personal data such as the one analyzed in this file may occur.
As has been highlighted in the foundation of law III, the City Council of
Llucmajor, in its report of July 1, 2022, prepared in response to the transfer
of the AEPD recognized that the document “baixes fins a 30-11-2021” (Baixes fins a 30-11-2021)
11-2021), by mistake, it was not deleted and remained in the temporary folder named
“photocopier” for several days, being consulted by people who were not
recipients thereof.
On the other hand, when the document was located in the folder called
“Plocal” (Local Police), one of the screenshots sent along with the
claim shows the user groups that had access to said document:
Computer science
Local Police
Local Police Staff
Administrator
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/20
Administrators
It is considered that the known facts constitute an infringement, attributable
to the Llucmajor City Council, for violation of article 32 of the RGPD.
VII
Classification and classification of the violation of article 32 of the RGPD
The aforementioned violation of article 32 of the RGPD implies the commission of one of the
violations classified in article 83.4 of the RGPD that under the heading “Conditions
general rules for the imposition of administrative fines” provides:
“Infringements of the following provisions will be sanctioned, according to
with paragraph 2, with administrative fines of EUR 10 000 000 as
maximum or, in the case of a company, an amount equivalent to 2%
maximum of the overall total annual turnover of the financial year
above, opting for the highest amount:
a) the obligations of the controller and the processor pursuant to Articles 8,
11, 25 to 39, 42 and 43; (…)”
In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”
For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:
“Based on what is established in article 83.4 of Regulation (EU) 2016/679
are considered serious and will prescribe after two years the infractions that
involve a substantial violation of the articles mentioned therein and,
in particular, the following:
(…)
f) The lack of adoption of those technical and organizational measures that
are appropriate to guarantee a level of security appropriate to the risk
of the treatment, in the terms required by article 32.1 of the Regulation
(EU) 2016/679.(…)”
VIII
Penalty for violation of article 32 of the GDPR
Article 83 “General conditions for the imposition of administrative fines” of the
GDPR section 7 states:
“Without prejudice to the corrective powers of the supervisory authorities under
of Article 58(2), each Member State may establish rules
whether it is possible, and to what extent, to impose administrative fines on authorities
public entities and bodies established in said Member State.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/20
Likewise, article 77 “Regime applicable to certain categories of
responsible or in charge of processing” of the LOPDGDD provides the following:
"1. The regime established in this article will apply to the treatments
of those who are responsible or in charge:
c) The General Administration of the State, the Administrations of the
autonomous communities and the entities that make up the Local Administration
(…)
2. When the persons responsible or in charge listed in section 1
commit any of the infractions referred to in articles 72 to
74 of this organic law, the data protection authority that results
competent authority will issue a resolution declaring the infraction and establishing, in its
case, the measures that should be adopted to stop the conduct or correct it.
the effects of the infraction that has been committed, with the exception of the
provided for in article 58.2.i of Regulation (EU) 2016/679 of the Parliament
European Parliament and of the Council, April 27, 2016.
The resolution will be notified to the person responsible or in charge of the treatment, to the
body on which it depends hierarchically, if applicable, and to those affected who
had the status of interested party, if applicable.
(…)
4. The data protection authority must be informed of the
resolutions that fall in relation to the measures and actions to which
refer to the previous sections.
5. They will be communicated to the Ombudsman or, where appropriate, to the institutions
analogous of the autonomous communities the actions carried out and the
resolutions issued under this article.
6. When the competent authority is the Spanish Agency for the Protection of
Data, it will publish on its website with due separation the
resolutions referring to the entities of section 1 of this article, with
expresses indication of the identity of the person responsible or in charge of the treatment
who had committed the infraction.
(…)”
It is understood that a violation of article 32 of the RGPD has been committed, and the
violation of the Llucmajor City Council.
IX
Violation of article 37 of the GDPR
Public Administrations act as data controllers responsible for
personal nature and, sometimes, they perform the functions of those in charge of the treatment
for what corresponds to them, following the principle of proactive responsibility,
meet the obligations that the RGPD details, which includes that of appointing
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/20
a data protection officer, make their contact details public and
communicate it to the AEPD.
Sections 1 and 7 of Article 37 of the GDPR refer to these obligations and
establish, respectively:
"1. The person responsible and the person in charge of the treatment will appoint a delegate of
data protection provided that:
a) the treatment is carried out by a public authority or body, except for
courts acting in the exercise of their judicial function;
(…)
7. The person responsible or the person in charge of processing will publish the data of
contact the data protection officer and will communicate them to the authority
of control."
Regarding the appointment of the data protection officer, sections 3 and 5
article 37 of the GDPR point out that:
"3. When the person responsible or in charge of the treatment is an authority or
public body, a single delegate for the protection of
data for several of these authorities or bodies, taking into account their
organizational structure and size.
(…)
5. The data protection officer will be appointed based on his or her
professional qualities and, in particular, their specialized knowledge
of the law and practice regarding data protection and its capacity
to perform the functions indicated in article 39.
6. The data protection officer may be part of the staff of the
responsible or the person in charge of the treatment or perform their functions in the
framework of a service contract.”
For its part, the LOPDGDD dedicates article 34 to the “Designation of a delegate of
data protection”, provision that provides:
"1. Those responsible and in charge of the treatment must designate a
data protection delegate in the cases provided for in article 37.1
of Regulation (EU) 2016/679 (...)
3. Those responsible and in charge of the treatment will communicate within the period of
ten days to the Spanish Data Protection Agency or, where appropriate, to the
autonomous data protection authorities, designations,
appointments and dismissals of data protection officers both in the
cases in which they are obliged to be appointed, such as in the
case in which it is voluntary.”
The file contains a verification carried out by AEPD personnel on 8
April 2022 at 2:40 p.m. in the Electronic Headquarters section of this Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/20
called “DPD Consultation”. It verifies that the City Council of
Llucmajor has not communicated the contact details of its DPO to this Agency.
It is considered that the Llucmajor City Council does not have a DPD designated as there is no
notification of your appointment or designation in this Agency, being mandatory
do it.
As indicated, the GDPR provides that the person responsible and in charge of
treatment must designate a DPO in the event that “the treatment is carried out
an authority or public body”, as well as “they will publish the contact details of the
data protection delegate and will communicate them to the supervisory authority.”
The known facts constitute an infraction, attributable to the City Council
of Llucmajor for violation of article 37 of the RGPD, “Designation of the delegate of
Data Protection".
x
Classification and classification of the offense
The aforementioned violation of article 37 of the RGPD implies the commission of the violations
typified in article 83.4 of the RGPD that under the heading “General conditions
for the imposition of administrative fines” provides:
“Infringements of the following provisions will be sanctioned, according to
with paragraph 2, with administrative fines of EUR 10 000 000 as
maximum or, in the case of a company, an amount equivalent to 2%
maximum of the overall total annual turnover of the financial year
above, opting for the highest amount:
a) the obligations of the controller and the processor pursuant to Articles 8,
11, 25 to 39, 42 and 43; (…)”
In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”
For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:
“Based on what is established in article 83.4 of Regulation (EU) 2016/679
are considered serious and will prescribe after two years the infractions that
involve a substantial violation of the articles mentioned therein and,
in particular, the following:
v) Failure to comply with the obligation to designate a data protection delegate.
data when their appointment is required in accordance with article 37 of the
Regulation (EU) 2016/679 and article 34 of this organic law.”
XI
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/20
Penalty for violation of article 37 of the GDPR
Article 83 “General conditions for the imposition of administrative fines” of the
GDPR section 7 states:
“Without prejudice to the corrective powers of the supervisory authorities under
of Article 58(2), each Member State may establish rules
whether it is possible, and to what extent, to impose administrative fines on authorities
public entities and bodies established in said Member State.”
Likewise, article 77 “Regime applicable to certain categories of
responsible or in charge of processing” of the LOPDGDD provides the following:
"1. The regime established in this article will apply to the treatments
of those who are responsible or in charge:
c) The General Administration of the State, the Administrations of the
autonomous communities and the entities that make up the Local Administration
(…)
2. When the persons responsible or in charge listed in section 1
commit any of the infractions referred to in articles 72 to
74 of this organic law, the data protection authority that results
The competent authority will issue a resolution declaring the infraction and establishing, in its
case, the measures that should be adopted to stop the conduct or correct it.
the effects of the infraction that has been committed, with the exception of the
provided for in article 58.2.i of Regulation (EU) 2016/679 of the Parliament
European Parliament and of the Council, April 27, 2016.
The resolution will be notified to the person responsible or in charge of the treatment, to the
body on which it depends hierarchically, if applicable, and to those affected who
had the status of interested party, if applicable.
(…)
4. The data protection authority must be informed of the
resolutions that fall in relation to the measures and actions to which
refer to the previous sections.
5. They will be communicated to the Ombudsman or, where appropriate, to the institutions
analogous of the autonomous communities the actions carried out and the
resolutions issued under this article.
6. When the competent authority is the Spanish Agency for the Protection of
Data, it will publish on its website with due separation the
resolutions referring to the entities of section 1 of this article, with
expresses indication of the identity of the person responsible or in charge of the treatment
who had committed the infraction.
(…)”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/20
It is understood that a violation of article 37 of the RGPD has been committed, and it is necessary to declare the
violation of the Llucmajor City Council.
XII
Once the violations have been confirmed, it is appropriate to impose the adoption of the
of appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the
which each control authority may “d) order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period.”
It is warned that failure to comply with the order to adopt measures imposed by this
body in the sanctioning resolution may be considered as an infraction
administrative in accordance with the provisions of the RGPD, classified as an infringement in its
article 83.5 and 83.6, such conduct may motivate the opening of a subsequent
administrative sanctioning procedure.
Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency
RESOLVES:
FIRST: DECLARE that LLUCMAJOR CITY COUNCIL, with NIF P0703100H:
-Has violated the provisions of Article 5.1.f) of the RGPD, an offense classified in the
Article 83.5 of the GDPR.
- Has violated the provisions of Article 32 of the RGPD, an offense classified in the
Article 83.4 of the GDPR.
- Has violated the provisions of Article 37 of the RGPD, an offense classified in the
Article 83.4 of the GDPR.
SECOND: ORDER to LLUCMAJOR CITY COUNCIL, with NIF P0703100H,
that by virtue of article 58.2.d) of the RGPD, within a period of six months, proves that
proceeded to comply with the following measures:
1. The appointment of a Data Protection Officer and communication
of said appointment to the AEPD.
2. The adoption by the City Council of management measures for the
information systems designed to prevent improper dissemination of data
personal.
THIRD: NOTIFY this resolution to the LLUCMAJOR CITY COUNCIL.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/20
FOURTH: COMMUNICATE this resolution to the Ombudsman,
in accordance with the provisions of article 77.5 of the LOPDGDD.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
938-21112023
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
