AEPD (Spain) - EXP202201608
AEPD - EXP202201608 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 9(2) GDPR Article 14 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 29.01.2022 |
Decided: | |
Published: | 31.05.2024 |
Fine: | 600,000 EUR |
Parties: | GSMA Limited |
National Case Number/Name: | EXP202201608 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA found that a controller lacked a legal basis to require employees at an event to provide documentation concerning their COVID-19 health or vaccination status. It fined the controller €600,000.
English Summary
Facts
GSMA Limited (the controller) is a mobile phone company that organises the annual Mobile World Congress (MWC) in Barcelona. The MWC is hosted at the Fira de Barcelona (an event space that acts as a processor for the controller). During the MWC in 2022, the controller required employees organising the Congress, which were provided by the controller’s suppliers and not hired by the controller directly, to register on Fira’s online portal. Employees were then required to upload a COVID passport or equivalent documentation such as a negative result to the platform of Quironprevención, a sub-processor of Fira. Employees then received an email from Quironprevención of confirmation or rejection. This processing affected 11,970 data subjects.
On 29 January 2022, an employee (the data subject) filed a complaint with the Spanish DPA (AEPD) against the controller. The data subject argued that neither the controller nor Fira had a legal basis to solicit information about vaccination or health status, and to deny entry or work without such documentation.
The controller claimed that it had a legal basis to process the health data under Article 6(1)(c) GDPR, citing necessity to fulfil a legal obligation, as well as Article 9(2)(g) GDPR, citing an essential public interest. It cited Ley de Salud Pública 18/2009 of Cataluña, which permits sanitary authorities to interfere with private activities to protect the public health. The controller considered that its ‘Plan for Health and Security for the MWC22’ constituted such a permitted intervention -- however, this Plan was never provided to the AEPD. The controller emphasised that its Plan was developed in collaboration with, and approved by, Catalan authorities. The competent authorities considered that the Plan’s anticipated measures were appropriate to manage the pandemic, taking into account the international nature of the Congress, the large size of the event with 61,000 people attending or working the Congress, and the public health concerns related with the pandemic.
The controller added that even if article 6(1)(c) GDPR was not a sufficient legal basis, it was also justified by Article 6(1)(d) GDPR, claiming an obligation to protect the vital interests of the attendees, employees and organisers of the Congress. The controller also noted that the COVID data was only conserved during the event period and was erased upon the event’s closure.
On 5 June 2023, the AEPD initiated sanctioning proceedings against the controller.
Holding
The AEPD found that the controller infringed Articles 6(1), 9(2) and 14 GDPR. It issued a fine of €600,000.
Article 9(2) GDPR: Given that processing in this case could impact the fundamental right to health and physical integrity of workers, the AEPD considered that Article 9(2) exceptions permitting processing of such data should be interpreted restrictively. While the AEPD recognised that the GDPR permits processing of health data that is necessary to avoid the spread of illness in emergency situations and in the interest of public health or vital interests of the data subjects, the AEPD rejected the controller’s claims that it had a legal basis to process this data under Article 9(2)(g), (h) and (i) GDPR. The AEPD emphasised that the restriction to data protection rights cannot be based, on its own, on an indeterminate invocation of ‘public interest’ and that the legislator must determine when a good or right justifying restriction of the right to the protection of personal data exists and in what circumstances. None of the materials it cited, however – including the ‘Plan’ which was not provided to the controller – here constituted a rule of European or national law with the necessary guarantees.
In addition, the AEPD noted that less intrusive means were available in this case to protect workers and attendees, such as ensuring proper protective gear. The controller thus lacks a legal basis to process health data under Article 9(2)(g) and (h) GDPR.
Article 6(1) GDPR: With regard to the controller’s reliance on Article 6(1)(c) GDPR (legal obligation), the AEPD observed that processing can only be considered to be ‘based’ on the fulfilment of a legal obligation when it is established a European or national law or by a rule having the force of law which can determine the general conditions of processing and data involved (citing Article 8 of the LOPDGDD, a national law concerning the protection of personal data). Reliance on Article 6(1)(c) would thus need to be based on a rule with a force of law that imposes a specific obligation on the controller. This was not the case here. A plan, even if collaborated with public authorities, is not a law nor does it derive such a binding effect. The AEPD noted that resolutions by public health authorities called for the adoption of hygienic and organisational measures to prevent risks of contagion, and at times required precise measures such as the use of face masks, cleaning and ventilation of enclosed spaces – but at no point did they oblige the use of vaccination cards. With regard to Article 6(1)(d) GDPR, the AEPD notes that Article 6(1)(d) GDPR is not enough to justify the processing of sensitive data because it does not limit the legal basis to situations “where the data subject is physically or legally incapable of giving consent”, as Article 9(2)(c) GDPR does.
The controller also did not at any point consider the necessity of that data (in comparison to alternatives) nor the risks of the processing. It also failed to conduct any sort of data protection impact assessment.
For all of these reasons, Article 6(1) GDPR could not justify requiring vaccinations or certificates of recovery from the disease or COVID tests indiscriminately for all workers, nor could it justify requiring the data of employees of suppliers with whom the respondent has no relationship whatsoever. Ultimately, this processing could only be realized with the consent of the employees.
Article 14: The various employers (the controller’s service providers) provide the data to the controller in an application which is implemented by a sub-processor. The AEPD noted that it was the employers, not the controller itself, which communicated the need to register and upload COVID documentation to the app. The controller argued that it provided information to employees via the suppliers using a ‘privacy notice’ that appeared on the controller’s website, and that the suppliers were contractually obligated to comply with transparency obligations before sharing employee data with the controller, including the provision of the privacy notice. However, the AEPD found that this did not absolve them of their responsibility to inform the data subjects. Once the data was sent by the providers, the defendant had them at its disposal and could have informed them of the collection and processing in the first contact it has with them -- but it did not demonstrate any such information. The AEPD ultimately found that the controller had not demonstrated that it complied with its obligation to inform the data subjects in violation of Article 14 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/96 File No.: EXP202201608 Contents BACKGROUND..........................................................................................................2 FIRST: Filing of the claim...........................................................................2 SECOND: Evidence obtained for admissibility analysis.......................................3 THIRD: Transfer of the claim................................................................................3 FOURTH: Admission to processing of 04/29/2022..............................................................13 FIFTH: Consultation of the commercial report of the defendant company................................13 SIXTH: Recorded background of the defendant in the AEPD SIGRID file management application.................................................................................................13 SEVENTH: Agreement to initiate sanctioning proceedings, dated 06/05/2023................................14 EIGHTH: Allegations of the defendant of 27/06/2023.................................................14 NINTH: First extension of allegations, dated 11/10/2023.................................26 TENTH: Second extension of allegations, dated 21/11/2023................................30 ELEVENTH: Issuance of the resolution proposal dated 12/03/2024................32 TWELFTH: Allegations to the resolution proposal presented on 04/08/2024................................................................................................................32 PROVEN FACTS........................................................................................................38 LEGAL BASIS........................................................................................................48 I Jurisdiction........................................................................................................48 II Preliminary issues.................................................................................................49 III On the processing of health data.................................................................................52 IV On the allegations to the resolution proposal resolution.................................................59 V Unfulfilled obligation under art. 9 GDPR............................................................63 VI Unfulfilled obligation under art. 6.1 GDPR..................................................................70 VII Unfulfilled obligation of art. 14 of the GDPR...........................................................78 VIII Classification and qualification of infringements.................................................................84 IX Determination of the sanction................................................................................85 RESOLVES:...................................................................................................................92 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/96 SANCTIONING PROCEDURE RESOLUTION From the procedure instructed by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: Filing of the claim A.A.A., (hereinafter, the complaining party) on 29/01/2022, filed a claim with the Spanish Data Protection Agency. The claim is directed against GSMA LIMITED with NIF N4004237F (hereinafter, the respondent party). The grounds on which the claim is based are the following: The claimant states that the workers of the companies that have to carry out work at the FIRA de Barcelona venue, during the MOBILE WORLD CONGRESS (MWC 2022), have received instructions from the organizing company, GSMA, and FIRA DE BARCELONA, that they must register in a computer application in order to access it. In this regard, the respondent entity sent an email on 01/20/2022 to the MWC 2022 suppliers, to inform them that their workers must upload their COVID passport or equivalent to the system. The claimant indicates that neither the respondent nor FIRA are entitled to request health information from third parties regarding their vaccination or health status, which if not provided would mean not being able to enter and, therefore, not being able to carry out their work. Along with the claim, please provide two copies of the email: 1) Email dated 01/20/2022, from a person with a domain name for FIRA Barcelona (hereinafter FIRA), addressed to suppliers, subject: “instructions for registering FIRA Barcelona suppliers for MWC 2022”, “using this email we want to inform you that the accreditation system for MWC22 is now active for all FIRA BARCELONA suppliers”, “with the same digital pass platform as last year”, therefore: - “There will be a web system where each supplier will be created an account by FIRA, where they must self-manage their passes”, to do so, the data of the person who will manage the account must be sent to a FIRA email address. That person will be the contact for “passes for all employees registered in the system on behalf of their company”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/96 There is a section referring to “COVID passport and antigen tests”, which indicates that: “when your workers log in for the first time, they will have to create a password, and then upload one of the following documents for validation: -COVID 19 vaccination certificate -COVID 19 recovery certificate -Negative proof of a valid COVID 19 test, carried out in the last 72 hours in any of the periods (set-up, celebration & dismantling). 2) Email dated 01/21/2022, sent by a person from an address with the domain”firabarcelona.com”, addressed to a team with the same domain, subject:”GV access anticipation MWC”. It informs about access through gate 4, to the Gran Vía venue, between 23/01 and 7/02, of different groups of people, visitors and vehicles, including FIRA employees, collaborators and holders of permanent and annual access to the FIRA venues. It refers to a “health control to access MWC stands under construction”, which identifies, “by presenting a COVID passport or, failing that, a negative COVID test endorsed by an authorized laboratory”. “As of February 8, the security perimeters are advanced and the health and access measures to MWC established by GSMA are adopted for the entire Gran Vía venue. Which are similar to those of the previous edition, documentation must be uploaded to a digital platform to obtain the access pass to the event in all its periods until March 8. We will receive detailed information on how to manage the MWC pass.” SECOND: Evidence obtained for admissibility analysis. The AEPD has collected the following evidence: -PRIVACY POLICY GSMA/MWC BARCELONA 2022-Last updated 04/29/2021, which, as indicated, applies to the processing of personal data of participants in the Congress. -Privacy policy of FIRA DE BARCELONA, and its participating companies, obtained on its website. Employees of suppliers are not mentioned. THIRD: Transfer of the claim. In accordance with article 65.4 of Organic Law 3/2018, of 5/12, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), this claim was transferred to GSMC EVENT PROJECT MANAGEMENT SL - B64828973, a subsidiary of the respondent, so that it could proceed with its analysis and inform this Agency within one month of the actions carried out to comply with the requirements provided for in the data protection regulations, regarding the claim in which it is stated that the workers of the companies that have to carry out work during the celebration of the Mobile World Congress (MWC) 2022 at the Fira de Barcelona premises must obtain accreditations to be able to access it, providing health data (COVID 19), giving notice of the emails of the first antecedent. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/96 The transfer that was carried out in accordance with the rules established in Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was not collected by the person responsible within the period of availability, being understood to be rejected in accordance with the provisions of art. 43.2 of the LPACAP, on 03/05/2022. Although the notification was validly carried out by electronic means, the procedure being considered to have been carried out in accordance with the provisions of article 41.5 of the LPACAP, for information purposes a copy was sent by postal mail, which was duly notified on 03/21/2022. In this notification, he was reminded of his obligation to interact electronically with the Administration, and he was informed of the means of access to such notifications, reiterating that, from now on, he would be notified exclusively by electronic means. - On 04/25/2022, GSMC EVENT PROJECT MANAGEMENT, S.L. responds to the following questions: 1. “Name and surname or company name of the person responsible for the processing of health data related to the COVID passport and antigen tests requested within the framework of the Mobile World Congress Barcelona 2022, as well as the NIF and contact address of said person responsible.” It responds that “The person responsible for the processing of personal data related to MWC22 attendees, including health data that, exceptionally, due to COVID19, were requested during MWC22, is the entity: GSMA Ltd. Armour Yards, 165 Ottley Drive, Suite 203 Atlanta, GA, 30324 USA EIN (Employer Identification Number): 20-4991061. It also provides its contact email address. 2.“If the controller is established outside the EEA, the postal address of its representative in the European Union.” It responds that:” GSMA Ltd. (hereinafter, “GSMA” or “Organization”) is established in the United States. GSMC is a Spanish company, 100% owned by GSMA, created specifically to provide services related to the management of GSMA events, including the MWC in Barcelona (for example, translation services, stays, etc.). The data processing carried out by GSMA is inextricably linked to the processing carried out by GSMC. Therefore, GSMA processes personal data in the context of the activities of an establishment in the European Union and is therefore subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, “General Data Protection Regulation” or “RGPD”) under Article 3.1 thereof and therefore, the establishment of a representative in the European Union is not required.” 3.”Indicate whether there is any relationship of controller or joint controller and processor between GSMA LTD, GSMA Event Project Management, S.L. and FIRA C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/96 INTERNACIONAL DE BARCELONA, within the framework of the Mobile World Congress Barcelona 2022.” Responds: GSMA Ltd. is the data controller of the data of MWC22 attendees. GSMC does not have the status of controller or processor in relation to the data that are the subject of this claim. FIRA is the main and, in many cases, exclusive contractor vis-à-vis GSMA for many of the services and supplies that must be provided within the framework of the MWC. Consequently, within the framework of this “client - supplier” relationship, from the point of view of the regulations on the protection of personal data, FIRA acts as a data processor on behalf of and on behalf of GSMA Ltd., which acts as the controller, for which purpose both parties have signed the corresponding data processing contract under the provisions of article 28 of the RGPD.” “It is necessary to introduce a fourth agent, not mentioned in the claim, whose intervention in the MWC22 edition has been of vital importance to guarantee the health and safety of all those involved in the MWC after the appearance of COVID-19 (hereinafter, "COVID-19" or "the pandemic"). We refer to the company QUIRONPREVENCIÓN (QP hereinafter). QP, GSMA's medical services provider for MWC, is considered sub-processor of personal data under the data processing agreement signed with FIRA. The reason why GSMA partnered with a leading medical services provider in its sector was to ensure that such an important, unique and organizationally complex event as MWC was carried out with the maximum security measures and taking into account that this company was the one that was applying the necessary health controls during the pandemic at Barcelona airport itself, as well as at other previous fairs, such as FITUR. The decision to count on QP was agreed with the Department of Public Health of the Spanish Ministry of Health itself, with whom GSMA held multiple working and coordination meetings in the framework of the preparation of MWC22. In fact, QUIRONPREVENCIÓN was an entity approved by the Department of Public Health for the purposes of being able to report possible positive cases that occurred during the MWC.” 4. “The legal basis that enables the processing of the aforementioned health data and the circumstance that lifts the prohibition to process special categories of data, according to article 9 of the GDPR.” The company responds that they will carry out an analysis of how the situation was on previous dates. On 1/12/2021, GSMA officially presented its HEALTH AND SAFETY PLAN FOR THE MWC22 IN BARCELONA (the “Plan”). The press releases can be consulted at the URL addresses ***URL.1 and ***URL.2.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/96 Clicking on the first one takes you to another GSMA page from 1/12/2021, which is a news item reporting on the security plan for the 2022 event, in which health and safety will be the priority, mentioning, among others, attendees or visitors, workers at the venue, for all of whom “must certify their vaccination status, provide a negative test or a certification of recovery from COVID 19, to gain access to the venue, as in the 2021 edition, proof of compliance with the protocols will be stored and displayed in the official application of the event”. It is also reported that QUIRONPREVENCIÓN will be the medical partner that will validate these documents. The respondent states that the HEALTH AND SAFETY PLAN presented is an update of the plan presented in March 2021, which was prepared in coordination with the Catalan health authorities responsible for the regulations that governed MWC21, including the Department of Business and Knowledge of the Generalitat de Catalunya, and the PROCICAT TECHNICAL COMMITTEE that approved it -Committee attached to the Department of the Interior of the Generalitat de Catalunya that manages the management of the pandemic in Catalonia within the Territorial Civil Protection Plan of the Department of the Interior of the Generalitat de Catalunya. • The Plan also complied with the guidelines and recommendations for event organizers included in the SECTORIAL PLAN FOR FAIRS AND CONGRESSES. • The Plan involves all participants in the MWC, as it was designed with a layered approach that allowed for the creation of a safe environment for staff, workers, exhibitors, visitors, suppliers, partners and the local community. These levels included frequent testing, contact tracing, contactless environments, catering renovation, occupancy control, improvements to the infrastructure of the facilities, medical staff and personal commitments such as maintaining social distancing, as well as the collection of COVID data by GSMA, in particular, data relating to the vaccination certificate; recovery certificate or negative diagnostic test result. In addition, the Plan was based on the SAFETY AND PREVENTION PROTOCOL AGAINST COVID-19 that FIRA was applying at that time. • During the months prior to the celebration of MWC22, GSMA had to take into account on an almost weekly basis, the different resolutions that emanated not only from the Departament de Salut de la Generalitat de Catalunya but also from the Spanish Ministry of Health itself, with whom it held coordination meetings on a regular basis, including the Security Forces and Corps. Regarding the legal basis that enables the processing of data, the respondent states that Article 6.1.c) of the GDPR, “necessary for the fulfillment of a legal obligation applicable to the data controller”. In implementing the Plan, “GSMA must, therefore, comply with the mandate of the Catalan authorities in relation to the collection of data to minimize the risk of contagion of those attending the event.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/96 “Under Public Health Law 18/2009, of the Autonomous Community of Catalonia, health authorities may interfere in private activities for the purposes of protecting the health of citizens and preventing diseases. GSMA considers the Plan as such intervention agreed and approved by the Catalan authorities as a mandate to implement the measures mentioned above, including the collection of COVID Data.” “In the event that the legal basis indicated above does not apply, GSMA would rely on its obligation to protect the vital interest of event attendees (including workers and suppliers) Article 6.1 d) GDPR, protection of the vital interest of attendants as the legal basis for the processing of their data.” Recital 46 of the GDPR establishes the possibility of processing data based on this legal basis in the context of pandemic monitoring, understanding it as “its obligation to protect the vital interest of event attendees – including workers.” -Article 9.2 g) of the GDPR, essential public interest. Responds that: "the objective of the Organization is the creation, in coordination with the health authorities, of a safe environment for staff, workers, exhibitors, visitors, suppliers, partners and the local community taking into account the characteristics of the event and the pandemic situation. The same legislation cited in the previous paragraphs would apply to justify the processing of health data under article 9.2 g) of the GDPR regarding the protection of the essential public interest. 5. “The purpose of the processing” The answer is that the purpose of the processing of health data by QUIRONPREVENCIÓN was limited to verifying “whether or not the information contained in the health certificates complied with the requirements for access to the event established by the Organisation, although the true purpose of the processing of this data, from the GSMA's perspective, was none other than to protect the attendees of MWC22 and their workers, guaranteeing a safe and healthy environment for all of them, and, ultimately, to prevent the spread of the pandemic as a serious cross-border threat to public health in the manner required in accordance with the Plan agreed upon and approved by the health authorities.“ 6. “The appropriate guarantees implemented for the protection of the rights and freedoms of individuals, including the security measures adopted to protect the confidentiality of personal data.” She replied that “a certificate regarding the security measures applied by QUIRONPREVENCIÓN is attached as ANNEX NUMBER 2” It consists of a letter from QP, signed on 04/20/2022 by the Data Protection Committee, which certifies compliance with the Data Protection regulations in all data processing carried out for the development of the corporate purpose and adopts the legal, technical and organizational measures necessary to guarantee the security of the aforementioned processing. There is no reference to the specific processing commissioned, nor is any party involved in the matter listed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/96 The respondent adds that: “Regarding the processing of COVID Data, neither GSMA nor FIRA have had access to this data. These were collected directly by QUIRONPREVENCIÓN, which analysed them and confirmed whether the individual was 'FIT' or 'UNFIT' for the purposes of accessing the event.” 7.“The categories of interested parties (workers, clients, users, etc.) and the information provided on the processing of these health data.” Responds that: “The categories of interested parties are all those persons who, for whatever reason, had to access the perimeter of the event venue, that is, the attendees, the exhibitors and the suppliers (contractors and subcontractors). Regarding the information provided on the processing of these data, and in relation to the data processing subject to this claim, it is provided by the supplier/employer directly as GSMA does not have direct contact with the workers. The contract between GSMA and the supplier requires the supplier to comply with applicable data protection laws, including compliance with the transparency and legality requirements of the same for the purposes of transferring the data of its employees to GSMA or its data processors, including the provision of the GSMA privacy policy (the specific privacy policy is provided to the supplier) to its employees whose data is provided to GSMA. The privacy policy complies with the requirements established in the GDPR and includes information regarding the processing of health data of attendees, including the processing of data provided by third parties, making specific reference to the case at hand, in particular, to the circumstance in which the supplier provides the employee data to GSMA.” 8.“Where applicable, order that contemplates the sanitary measure for the containment and control of the epidemic caused by the SARS CoV-2 virus, as well as justification of the need and proportionality of the application of this measure to the event.” He replied that “The mandate was given to GSMA through the Plan, which was developed in collaboration with (and approved by) the Catalan authorities”, as explained above. The competent authorities considered at the time that the measures approved in the Plan were appropriate to manage the pandemic at the time the event was held. Likewise, the justification of the need and proportionality of the application of these access requirements to the event takes into account three reasons, largely related to the nature of the MWC itself: a. The first of these is the international nature of the Congress. In the MWC22 edition a total of 183 countries out of the 195 countries in the world were represented. Due to the health crisis caused by COVID-19 and the temporary restrictions on non-essential travel from third countries – some of which are at risk or even very high risk –, GSMA had to adapt its Health and Safety Plan for the event to the provisions of Order INT/657/2020, of 17/07, which modifies the criteria for the application of a temporary restriction on non-essential travel from third countries to the European Union and Schengen associated countries for reasons of public order and public health due to the health crisis caused by COVID-19, whose criteria were modified monthly to respond to a change in circumstances or new recommendations in the EU, as well as to the Resolution of June 4. (it is unknown which resolution the quote refers to). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/96 b. The second of these is the multitudinous nature of the Congress. The MWC22 edition welcomed a total of 61,000 people during the four days of the event, which represents a very high volume of attendees which, in a pandemic context and taking into account the high concentration of individuals in the same space, requires the adoption of measures to ensure that all attendees are in possession of the appropriate health credentials and to reduce the probability of contagion and/or spread of the virus to a minimum. c. The third is for public health reasons closely related to the context and the evolution of the pandemic during the dates prior to the MWC, and the mortality and contagion indicators, in the months prior to the MWC, "were anything but hopeful and justified the adoption of such measures, which we endorse." 9. "Please report whether only the exhibition of the certificate or negative proof of an antigen test is requested, or whether the information contained therein is recorded or kept, and in this case, justification of the need for its registration and location of the servers in which it is stored." He responded that: "As indicated, MWC22 attendees send ("upload") their health certificates directly to the QUIRONPREVENCIÓN platform, where they are recorded and stored on their own servers, located in Spanish territory, until the last day of the event's dismantling, at which time they are destroyed." The justification for recording and retaining this data is very simple. QUIRONPREVENCIÓN needs to access this data in advance and remotely (since thousands of attendees must be accredited, including workers) in order to be able to carry out its verification function, which is necessary for attendees to obtain the pass to access the premises (and thus comply with the requirements of the Plan). In addition, these certificates must be kept in case a positive case arises during the event, which would invalidate the pass and would be communicated to the Health Authorities through the appropriate channels. Managing access to an event of these characteristics requires the conservation of the data in order to facilitate access to the event on the days of its celebration and to avoid crowds at the entrance. The COVID data was only kept during the period of the event and was deleted once the dismantling of the event was completed. The MWC ended on 03/03/2022, and QUIRONPREVENCIÓN destroyed all data on 03/08/2022, which was the date of completion of the dismantling. 10.“If applicable, details of the procedure established for workers to register the documentation on the platform.” He responded that:” The procedure is as follows: Step 1. The supplier registers each of its workers on the GSMA platform. Step 2. Once registered, each worker receives a confirmation email from GSMA with a link that provides access to their account. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/96 Step 3. Each worker directly provides the COVID Information through the QUIRONPREVENCIÓN platform. Step 4. Each worker receives a confirmation/rejection email for the completion of the registration process on the GSMA platform.” 11.“Recipients of the registered or stored information.” He responded that: “The recipient of the registered or stored health data is QUIRONPREVENCIÓN since it is the entity that, in accordance with its status as sub-processor, must check whether the form and content of the health certificates comply with the access criteria established by the Organization. Neither GSMA nor FIRA ”have had access to the registered health data.” 12.“Report on whether international transfers are carried out and, if applicable, identification of the data importers, country of destination of the transfer, and if there is, adequacy decision or adequate guarantees regarding international data transfers.” He responded that: “There is no international transfer of data. Health data is stored on the servers that QUIRONPREVENCIÓN has in Spain.” 13.“The Impact Assessment carried out or reasons why it has not been carried out.” He replied that it is attached as ANNEX NUMBER 3, in whose title, it expressly refers to the treatment of COVID 19 related to health data of “the employees of GSMA suppliers” who “provide the services agreed between GSMA and its suppliers” for the holding of MWC Barcelona 2022, alluding to the fact that the data is uploaded to “a platform provided by GSMA's sub-contractor, QUIRON PREVENCION (QP), “and that no other party than QP has access to that platform”, and reiterates that the purpose is to ensure secure access. It can be seen that the date of the EIPD that appears at the end of the document is 02/22/2022, when the data of the employees for access to the assembly facilities, according to the email provided by the complainant of 01/20 and 21/2022 where it was indicated that the collection of COVID 19 health data would be from 01/23/2022 to 03/08/2022. “The processing activities are in accordance with the measures implemented by the GSMA “Committed Community” Plan that has been developed and approved by Catalan and Spanish authorities, including those of health.” In the section on what is the source of the data?: “Those of employers, that is, GSMA suppliers; and those interested directly.” In “What is the nature of the relationship with the interested parties?”, it is indicated that “the interested parties are the employees of the GSMA suppliers engaged, or linked with FIRA or with GSMA to provide services at the MWC event venue”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/96 In “description of the treatment”, it is specified in the data collection process that: “The COVID information is uploaded to the platform directly by the employees”. The registration process is as explained in the previous point 10, adding that it is indicated that: “GSMA is only notified about whether the person is able to access the venue or not.” It is indicated that health data is of a special category and that employees, due to the imbalance of power in the contractual employment relationship, constitute a vulnerable group. “- What do you want to achieve? “Comply with the Plan agreed with the Spanish/Catalan health authorities to ensure that the MWC event is a COVID-19 safe environment for all attendants. Comply with the sectoral requirements regarding the organization of Congresses, in particular the Catalan COVID Action Plans for Exhibition Venues and Congresses (Congress Action Plan and Exhibition Venue Action Plan).” “Is it appropriate to consult other internal stakeholders and, if so, who? “The processing of COVID Information is mandatory under the Plan that has been drafted in coordination with the Catalan health authorities, the Department of Business and Knowledge of the Generalitat de Catalunya, PROCICAT (Commission of the Ministry of the Interior of the Generalitat de Catalunya) as well as the Public Health Agency of Barcelona and the Department of Public Health of the Spanish Health Service. The Plan has been approved by PROCICAT.” -It affects 11,970 people. -It is indicated in “treatment context”, that the relationship with the interested parties is that they are employees of GSMA suppliers and provide their services at the MWC event venue. On “how much control will they have?”, it is indicated that: “Individuals are informed about their rights in relation to the treatment through the Privacy Notice provided by their employer on behalf of the GSMA. In accordance with the Contractor Registration Terms and Conditions between the GSMA and the suppliers, the suppliers contractually commit to comply with all transparency and legality obligations before sharing employee data with the GSMA, including the provision of the GSMA Privacy Notice to all relevant employees.” In the same point it is indicated: “Would they expect you to use their data in this way?” “Yes. Please see the answer above regarding how individuals were informed about processing activities. In addition, the COVID-19 measures carried out at the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/96 MWC are in line with measures taken at similar events, as they are agreed with health authorities who set out these requirements in general (for example, similar measures would be required to access other crowded spaces).” Also under “processing context” it says: “Are there any previous concerns about this type of processing or security breaches?” “No. Any measures implemented by GSMA (including the processing of COVID information) are discussed and agreed with the relevant health authorities.” QUIRONPREVENCIÓN has security certifications (ISO 27001:2013 certification and certification according to the Spanish National Security Scheme). In section step 4 “Assessment of necessity and proportionality” the bases of legitimacy for data processing are referred to, including article 6.1 c): “The Committed Community Plan.” (CCP) was prepared in collaboration with the Catalan health authorities and approved by PROCICAT, and is aligned with the Catalonia COVID Action Plans for Fairs and Congresses applicable to GSMA and FIRA. The “Committed Community Plan included the requirement to request COVID information.” The CCP then reiterates the citation of Law 18/2009, of 22/10, on public health, in the area of the CCAA of Catalonia, as a regulation that may affect citizens in the area of health to prevent diseases, and GSMA considers that the CCP constitutes this authorization, being approved by the Catalan health authorities as a mandate to implement COVID 19 measures in the MWC to prevent the spread of COVID 19, including the collection of COVID information that is required by and to comply with the instructions of the health authorities. It also cites as a legitimizing basis, apart from article 6.1.c), article 6.1.d), and article 9.2.g) of the GDPR. It specifies this 9.2.g) in that "a substantial public interest occurs in accordance with Union law or Spanish law. GSMA was required by law to comply with health instructions from health authorities and develop and comply with the “Committed Community Plan.” In the same section, the following is answered: “Can the same result be obtained with less data processing?” How is transparency provided to interested parties? reiterating that the privacy notice was provided by its employees on behalf of GSMA, before their data was shared by the employer with GSMA…” How is the exercise of rights made possible for interested parties? indicating, in accordance with the “privacy notice.” -In step 5, “risk assessment, identification, assessment and mitigation of risks” there is a table with five columns called: “Source of risk and probable consequences” “Severity of risk” “probability of risk” “general risk”. They appear in this table, among others: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/96 -“Failure to provide sufficient information to individuals”,” GSMA ensures that suppliers’ employees are provided with the Privacy Notice before their data is shared by their employer with GSMA. In accordance with the Contractor Registration Terms and Conditions, suppliers are contractually required to comply with all transparency and lawfulness obligations before sharing their employees’ data with GSMA, including the provision of the GSMA Privacy Notice to all employees before sharing.” It is classified as: high in risk severity, remote in probability and overall risk: low. Information on rights is also included in the Privacy Policy.” “The rights of data subjects and the way in which they can be exercised are detailed in the Privacy Notice.” In the risk assessment, it is indicated: - as a “remote” probability, that of a complaint about the decision to deny access to a supplier employee based on COVID information, despite being classified as “risk severity, high”, it is classified as “overall risk: low”, and in mitigation measures it is indicated that “GSMA guarantees a consistent approach to determine whether a person can be granted entry to the MWC event venue based on COVID-19 information and in light of the Plan. Complaint levels were low at MWC 21”, concluding that people “have the three options, vaccination certificate, negative PCR test valid for 72 hours, or medical certificate of recovery from the disease.” -In “errors in complying with requests from interested parties”, it is indicated that the rights of individuals are included in the “privacy notice” provided to the employees of the providers, with “low overall risk”. The intervention of the DPO is not mentioned at any point in the DPIA, but in the section "link to advice from DPO (if any)" it says N/A. Nor does it appear that the affected parties were consulted. 14. "The decision taken regarding this claim." It indicates that no decision has been taken regarding this claim since all the actions carried out by GSMA in the field of personal data protection have shown the utmost respect for the current obligations, without considering that any incident has occurred, so it has not adopted any measure. FOURTH: Admission for processing on 04/29/2022 On 04/29/2022, in accordance with article 65 of the LOPDGDD, the claim submitted by the complaining party was admitted for processing. FIFTH: Consultation to the Commercial Report of the company being sued In the consultation carried out in the “monitoring report of the non-commercial company GSMA LTD”, with the NIF that appears in this agreement, as a non-resident entity, the “estimated financial figures” table shows a “net amount of the turnover”: from 2021 of XXXXXXXX, and from the previous year: XXXXXXXXX. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/96 SIXTH: Recorded background of the respondent in the AEPD SIGRID file management application It is recorded in the SIGRID registry, the AEPD file management information system, that the respondent was sanctioned in procedure EXP202100603, PS/00553/2021, with a financial penalty of 200,000 euros imposed in a resolution of 24/02/2023, for an infringement of article 35 of the GDPR, classified in article 83.4 a) of the GDPR, and for the purposes of prescription, classified as serious in article 73.t) of the LOPDGDD, stating that the appeal was filed in reinstatement, being dismissed on 04/28/2023. SEVENTH: Agreement to initiate sanctioning procedure, dated 06/05/2023. On 06/05/2023, the Director of the AEPD agreed: -“INITIATING SANCTIONING PROCEDURE to GSMA LIMITED, with NIF N4004237F, for the alleged infringement of the GDPR, articles: - 14 of the GDPR, in accordance with article 83.5.b), classified as very serious for the purposes of prescription in article 72.1.h) of the LOPDGDD, with a fine of 100,000 euros. -9.2 of the GDPR, in accordance with article 83.5.a), classified as very serious for the purposes of prescription in article 72.1.e) of the LOPDGDD, with a fine of 300,000 euros. - 6.1 of the GDPR, in accordance with article 83.5.a), classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD, with a fine of 200,000 euros.” EIGHTH: Claims of the respondent dated 06/27/2023 On 06/27/2023, the respondent made the following claims: -As the start agreement was also notified to its participating entity GSMC, it reiterates the distinction between the respondent and defendant and GSMC, which has no role in the processing of data at MWC Barcelona. 1- It sets out the number of attendees in 2019 (110,000) and in 2023 (88,500) and that it occupies a space of 240,000 square meters, equivalent to about forty soccer fields, in the "FIRA de Gran Vía" venue, having cancelled the February 2020 edition, due to the spread of the virus when the pandemic had not yet been declared. He states that in this case this proves the criteria of prudence required by health legislation and the preventive measures that govern his actions, limiting himself to complying with public health regulations. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/96 2-Regarding FIRA DE BARCELONA, he clarifies that it is a public entity with an associative base and consortium character of promotion, made up of the Generalitat, Barcelona City City and the Official Chamber of Commerce, Industry and Navigation of Barcelona. From the point of view of regulations on data protection, FIRA and QUIRONPREVENCIÓN (hereinafter QP) - as subcontractor - signed the corresponding contract for the provision of health services for the MWC22 of treatment. FIRA acts as GSMA's data processor. The contract between FIRA and QP (supplier), dated 21/02/2022, has been provided as DOCUMENT 4, although in the duration section it indicates that “it will be valid from the month of January 2022”, highlighting: -“The MWC 2022 event organized by GSMA Ltd. will be held at the FIRA DE BARCELONA exhibition facilities, Gran Vía venue.” -“FIRA, by mandate of GSMA Ltd., and in its capacity as main contractor, is responsible for managing and coordinating with the supplier previously designated by GSMA the provision of services related to the validation of COVID certificates.” -“FIRA and QP have defined the minimum requirements for the provision of such services and the conditions of their contracting, with the supplier having submitted an offer. The parties express their agreement and acceptance with the offer of services for the MWC BCNA 2022, which includes the offer of the supplier and the requirements of FIRA and GSMA.” As part of the contract, up to SIX ANNEXES are included The clauses follow, including the communication of results and validation of the tests/vaccination certificates in ANNEX 1B, “Systems integration”, which states that the results will be communicated to FIRA, only negative tests, “through an API that FIRA will provide through which it will indicate the participant's identifier and the validity of the test so that the participant is marked as “verified for access” in the access control systems to the event.” There is a confidentiality clause of the information between the supplier and FIRA, considering confidential any information received from the organizer of the event, which will be used by the supplier for the sole purpose of providing the service for which it has been required. As an annex to the contract, there is a specific “data processor contract”, ANNEX VI, which regulates the conditions under which QUIRON PREVENCION SLU, as sub-processor, will carry out the processing of data necessary for the provision of the service, in accordance with Article 28 of the GDPR. It indicates, among other contents, that GSMA is the controller of the processing and FIRA holds the position of data processor. In point 1.3, regarding the group of interested parties affected, it is only indicated that: “For the execution of the services, the data controller makes available to the subcontractor the information described regarding the participants in the event: “Identification data, name, surname, government identification number: DNI, NIE-passport), contact data - telephone number, electronic C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/96 address, health data (vaccination certificates, recovery and diagnostic tests against COVID 19). In point 2.2, it is indicated as a guarantee and commitment of the subcontractor, to treat the data in accordance with the instructions of the person in charge.” Among the obligations of the data controller, point 8, is that of “providing information to interested parties about the processing of their personal data” The requested copy is provided, in DOCUMENT 3A AND 3B, of the framework contract between FIRA and GSMA in English. The first, dated 11/22/2019, FIRA as the owner of the facilities - service provider- and the organizer of the MWC Barcelona, GSMA, agree on additional services to those signed on 07/14/2011, known as “HOST CITY PARTIES”, in which other public entities are included (City Council, Generalitat, etc.). Section 5, “Data Protection and Information Security,” states that: “The provider must comply with the provisions of the data protection annex included in Annex 1, Part A of this agreement, which appears in the agreement in which the provider is configured as the data processor and GSMA as the data controller.” The second, DOCUMENT, 3B, reflects an amendment to the contract dated 11/22/2019, in order to extend its validity until 2030, and updates the aforementioned Annex 1, Part A, mentioned above. 3-Attached, as DOCUMENT number 7 bis, is a certificate of destruction issued by the entity QP. The MWC ended on March 3/03/2022 and QP destroyed all the data on 03/08/2022, which was the date of completion of the dismantling. QP has ISO 27001:2013 certification, accredited under ENAC criteria, as well as certification of compliance with the National Security Scheme that provides the appropriate security controls to protect the organization's information assets. 4-Mentions the various regulations that may generally enable restrictive actions and intervention by the State health authorities (LO 3/1986 of 4/04, on special measures in public health and Law 14/1986 of 25/04, General Health. In the area of Catalonia, it reiterates the aforementioned Law 18/2009 of 22/10 on public health, in compliance with which, the Department of Health of the Generalitat de Catalunya (GC) periodically approved resolutions in line with the state of the pandemic and established measures, in a coordinated manner with the Territorial Plan for Civil Protection in Catalonia (PROCICAT). It considers that the legal framework applicable to the organization of MWC 22 was formed by the compliance with the applicable conditions in accordance with the basic legislation, Law 2/2021 of 29/03, urgent measures for prevention, containment and coordination to deal with the health crisis caused by COVID 19, and the measures and restrictions approved by the Department of Health of the Generalitat de Catalunya. It adds that it had to take its organizational actions under the principle of precaution and duty of caution. In DOCUMENT 5, a copy of the resolutions issued by the aforementioned Department of Health, from 7/12/2021 to 2/03/2022, comprising a total of five resolutions that have a similar scheme in common, in which: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/96 Each of them establishes, with temporary validity, the measures in matters of public health for the containment of the epidemic outbreak of the COVID 19 pandemic in the territory of Catalonia, indicating the alert level according to the four existing phases, reporting on the epidemiological and care indicators, with reports such as that of the Scientific Advisory Committee, or the director of the Agència de Salut Pública de Catalunya (ASPCAT). After indicating various regulatory provisions that relate to the field of public health, in which the competent health authorities can adopt various measures, it is indicated that “the administrative intervention in public and private activities necessary to address the health crisis situation caused by COVID-19, protected by the aforementioned legislative framework, subjects the measures that affect fundamental rights to the additional guarantee of judicial control with respect to the judgment of proportionality in its triple aspect: suitability, necessity and proportionality.” As references to measures affecting fundamental rights, the requirement of the COVID certificate is cited for access to certain non-essential activities in closed spaces (restaurants, physical and/or sports activity rooms, gyms and permitted musical recreational activities: concert halls, theatre cafes, concert cafes and musical restaurants), and it is also included for visits to residential centers for the elderly and people with disabilities, which are mentioned for the first time in resolution SLT/3512/2021 of 25/11, remain in that of 7/12/2021, and are reiterated, for example, in resolution SLT8/2022 of 4/01/2022, which is valid for 14 days, from 7/01/2022, and which also, for the area of interest here, establishes: In its “introduction” part …”in accordance with the position of the Scientific Advisory Committee on COVID-19, of November 18, 2021 contained in the document entitled Proposal to consider the use of the COVID certificate in other areas of Catalonia, among the measures that limit fundamental rights, proposes maintaining the requirement of the COVID certificate for access to those non-essential activities that take place in closed spaces with higher risk due to the conditions of main transmission of the virus by aerosols and where there is more vulnerability and, therefore, more need for protection. These activities are limited to the catering sector, halls and gyms where physical and/or sports activities are carried out and concert halls, theatre cafés, concert cafés and musical restaurants - (later referred to in section 3.4: "use of COVID certificate") - In all these activities, the layer of health protection is established which supposes as a requirement for access the presentation of the certificate issued by a public health service accrediting one of the following circumstances: that the person has the complete vaccination schedule against COVID-19, that the person has a negative diagnostic test COVID-19 ─PCR or antigen test─ with a certain validity, or that the person has recovered from the disease in the last six months (COVID certificate). Persons under 13 years of age who do not have limited access to the premises, establishments, equipment or corresponding spaces due to age are exempt from the condition of presenting the COVID certificate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/96 The measure represents an impact, albeit slight, on equality and privacy in the terms of Judgment 1112/2021, of September 14, of the Contentious-Administrative Chamber of the Supreme Court, adopted under the legal cover of Organic Law 3/1986, of April 14, on special measures in matters of public health, in coherence with other health laws, with the aim of reducing the risk that an infected person comes into contact with other non-infected and unprotected persons and can transmit the infection to them. The suitability and necessity of the measure in terms of the objective of protecting health and life is justified by the effectiveness of vaccination as a preventive action, as accredited by scientific studies on the reduction of infections, hospitalizations and deaths. Likewise, there are several factors that increase the risk of transmission of SARS-CoV-2 in activities subject to this measure, especially in the current context, where there is greater circulation of more contagious SARS-CoV-2 variants.” -In its section 3.4 for access to the aforementioned spaces it is indicated: “For these purposes: the owners or persons responsible for the premises, establishment, equipment or space must establish the access control system that allows the verification of any of the planned certificates presented by the people who want to access as users, without keeping the data they contain and without using them for any other purpose than the aforementioned access control. In addition, affected persons must be notified with a sign in a visible area of the non-conservation of the accredited personal data.” This provision for providing health documentation does not survive after the successive approval of the aforementioned resolutions, since the SLT 99/2022, dated 26/01, which comes into force on 28/01/2022. -Regarding the “Congresses, conventions, trade fairs and major festivals” sector, it appears, for example, mentioned for the first time in SLT/3652/2021 of 7/12, and reiterated in subsequent resolutions, with the following wording: “1. The holding of congresses, conventions, trade fairs and similar activities, as well as professional events by telematic means, is recommended. The in-person holding of congresses, conventions, trade fairs and similar activities in closed spaces requires that the minimum ventilation established in the current regulations on thermal installations in buildings be guaranteed. When more than 1,000 people may be concentrated in the development of these activities, it is recommended that the reinforced ventilation and air quality conditions indicated in Annex 4 be complied with in closed spaces and, both in closed and open spaces, compliance with the organizational measures for crowd control indicated in Annex 3 must be guaranteed.” -The respondent goes on to summarise the main conditions that were set out in these resolutions, which are divided into: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/96 1 “general measures for individual and collective protection: distance and mask” Contemplated in Law 2/2021, use of individual masks (art. 6.1) “in any closed space for public use or that will be open to the public and in mass events that take place in open-air spaces, when attendees are standing. If they are seated, it was mandatory when a safety distance of at least 1.5 m between people could not be maintained”, and a distance of 1.5 metres between people,” and which would not have been possible to comply with, if the COVID-19 documentation had not been required electronically for verification and validation.” 2”Use of the COVID certificate” It states that “the regulations referred to required the presentation of a COVID certificate to access halls and gyms where sports activities were practiced, concert halls, cafes, theatre, concert cafés and catering activities. “These measures remained in force during the months of preparation and organisation of the MWC22, that is, from November until the end of January, although as of Resolution SLT/99/2022, dated 26/01, the provision of COVID-19 certificates was no longer mandatory to access these activities (halls and gyms where sports activities were practiced, concert halls, theatre cafés, concert cafés, and catering activities).” “However, the claim and the sanctioning procedure improperly initiated by the AEPD, refers to the documentation that GSMA required prior to Resolution SLT/99/2022, dated 26/01 and this apart from the fact that, as will be noted, it was the documentation required for the organization of an event that anticipated the attendance of 61,000 people (beyond the activities for which the certificate had been provided as mandatory until 26/01/2022) and in view of the existing pandemic situation” Regarding the holding of congresses, it was required that the minimum ventilation established in the current regulations be guaranteed. “However, the truth is that in no way did the Resolutions of the Department of Health foresee an organization of the dimensions of the MWC22”. “Therefore, the measures provided for in the resolutions of the Department of Health for congresses and fairs did not provide clear coverage for an event such as MWC22, which was to bring together 61,000 attendees and involve the participation of 11,900 workers and suppliers; a situation that highlighted the need to require the provision of COVID-19 certificates.” The measures taken by GSMA are the result of the evolving pandemic situation during the preparation and celebration phase of MWC 22, based on data from the Department of Health and previous reports from the Public Health Agency of Catalonia (ASPC) approved in accordance with article 55 bis of Law 19/2009, provided in DOCUMENT 5, and under the protection of the precautionary principle in terms of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/96 public health. It examines the situation outlined in the resolution of 12/23/2021, in alert phase 4 out of a total of 4 phases, and details reports from the ASPC Director of 12/23/2021 on the omicron variant, with an expected increase to more than 50,000 cases per day by mid-February 2022. In short, the months of preparation and celebration of MWC22 were characterized at a pandemic level as a phase of maximum alert and very high risk, to which had to be added the uncertainty and alarm regarding the impact that the Omicron variant could imply. In this context, GSMA, in coordination with the Catalan and Spanish health authorities, chose to require COVID-19 certificates in the framework of the suppliers and workers of MWC22 (who are more than 11,000) and articulated the strategy called "Committed Community Plan", which refers - not to a specific and written protocol that can be provided - but to the measures that were being established in response to the unpredictable evolution of the pandemic and the uniqueness of an event such as MWC. In fact, the measures were set out in all the Resolutions and reports provided as DOCUMENT 5. It indicates the 17 meetings that were held with health authorities from October 2021 until the end of February 2022, and that “in these meetings the action finally carried out specified in the document “MWC22 ACTION PROTOCOLS” was examined and validated, which is attached as DOCUMENT 6 prepared by FIRA and GSMA jointly, as can be seen in said document, which was presented to the Catalan and state health authorities for their approval, which established that the registration process required assemblers and participants to upload their COVID data. It states that: “Thus, in accordance with the precautionary principle, it was decided to require COVID Certificates, in the same way that it was required until 26/01/2022 for bars, restaurants or gyms. This requirement is clearly proportionate and appropriate, if we take into account the size of the event. In this regard, let us remember that the organization of MWC22 required the intervention of 11,900 workers and suppliers. ”“GSMA has limited itself to complying with the regulations on public health, and the measures decreed by the health authorities. And all this always based on the precautionary principle provided for in art. 3 of Law 33/2011 and the precautionary principle required by article 4 of Law 2/21.” DOCUMENT 6 is a graph entitled: “health requirements to access MWC 2022 protocol 1”, 01/27/2022, version 2.0, which indicates that the assemblers/registration must upload the COVID passport, PCR-TAR, which is verified by QUIRON, plus a subsequent self-declaration of accepted health to obtain access control, with additional protocols for positive cases, criteria and isolation cases in the event of a positive case, and action in the event of illness of an attendee 5-There has been no violation of article 9.2 of the GDPR because the action is covered by the exceptions contemplated in sections g) and i) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/96 “g) the treatment is necessary for reasons of public interest essential, on the basis of Union or Member State law, which must be proportionate to the objective pursued, substantially respect the right to data protection and provide for appropriate and specific measures to protect the interests and fundamental rights of the data subject; (…) “i) the processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health, or to ensure high levels of quality and safety of healthcare and medicines or medical devices, on the basis of Union or Member State law which provides for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy” It should be clarified first of all that, in line with what was analysed in the previous allegation, GSMA applied the measures and limitations on the protection of public health provided for in the Resolutions of the Department of Health attached as DOCUMENT number 5 and which GSMA, in a coordinated manner with the health authorities, interpreted and applied, in accordance with the details set out. The common denominator of the aforementioned articles is that the treatment is necessary for reasons of public interest, and GSMA has acted for reasons of public interest on the basis of the principles of prudence and caution and the health regulations issued by the various Administrations, in order to establish the necessary health measures to protect the health of workers and suppliers, as well as attendees. Furthermore, the right to data protection is not unlimited, and finds its limits in other fundamental rights such as the right to life and health. It cites the Supreme Court ruling number 1112/2021 of 09/14/2021 referring to measures consisting of the requirement to display the COVID 19 passport in public establishments. The ruling assesses the impact on privacy in relation to life and public health. It concludes by stating that “the processing of sensitive data carried out, which referred to the data required under health legislation and the Resolutions issued by the Department of Health, respond to an indisputable essential public interest, such as the protection of the people who were going to participate in the MWC22 in a pandemic context such as the one described.” “The SC supports the sufficient coverage of the health regulations of Galicia (in relation to the case tried in the Sentence) to impose identical measures as those agreed by the Catalan health authorities; measures that, as we have seen, GSMA had the legal obligation to interpret and apply within the framework of the organization of the MWC22 and that required it, in view of the magnitude of the event, the telematic treatment.” The measures and the processing of personal data carried out are covered by public health legislation. The processing is required to be dictated on the basis of the law of the Member States, and in turn, it cannot be ignored that art. 9.2 of the LOPDGDD specifies: “2. The data processing contemplated in letters g), h) and i) of article 9.2 of Regulation (EU) 2016/679 based on Spanish law must be covered by a law, which may establish additional requirements relating to its security and confidentiality.” Well, as has been widely analyzed, the measures applied by GSMA are supported by regulations C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/96 with the rank of law, both state and regional: LO 3/1986, Law 14/1986, Law 2/2021 and Catalan Law 18/2009. "Under the protection of said legislation and the Resolutions approved by the Department of Health, GSMA has implemented the data registration and processing measures, in order to effectively comply with the measures required by the legislator and the health authorities. “It should be recalled that the sufficiency of this regulatory framework to agree on limiting measures in the context of the prevention of the COVID-19 pandemic, and specifically, the requirement for COVID-19 Certificates has been confirmed by Judgment 1112/2021.” The processing has been proportionate and adequate, regarding COVID 19 health data, electronically and for the duration of the event. Pursuant to Article 9.2.i) of the GDPR, GSMA adopted appropriate and specific measures to protect rights and freedoms, without having had access to the data. -Article 6.1 of the GDPR has not been violated. It reiterates that the action would be covered by Articles 6.1.c) and 6.1.d) of the GDPR. The processing of personal data carried out by GSMA was carried out in compliance with the legal obligations imposed by public health legislation and the measures applied by the health authorities. The legal basis of the specific measures required by the health authorities and applied by GSMA regarding data processing and the requirement of a COVID-19 passport, is provided as DOCUMENT number 5. In order to prove which is the legal obligation that GSMA was applying and complying with based on the requirement of COVID-19 certificates, in accordance with the provisions of art. 6.1.c) RGPD, it is appropriate to remember: "That LO 3/1986, and Law 14/1986 cover all those preventive and restrictive measures agreed by the health authorities to control transmissible diseases in the face of an imminent and extraordinary risk to health. - Furthermore, in compliance with basic state legislation, Catalan Law 18/2009, reiterates that in accordance with said Resolutions of the Department of Health, a COVID-19 certificate was required to access any public place (bars, restaurants, gyms, etc.): interpreting and applying said Resolutions of the Department of Health in accordance with the precautionary principle, GSMA required the Covid-19 Certificate from all MWC22 suppliers, as well as attendees. And all of this, in accordance with the criteria and authorization obtained from the health authorities.” As the GDPR recognizes, the legal basis for the treatments can be multiple. Thus, in this case, the processing of data is based on a double legal basis, also applying article 6.1.d) of the GDPR, taking into account Recital (46) of the GDPR recognizing those emergency situations, stating that the processing of personal data will be lawful when it is necessary for humanitarian purposes, including the control of epidemics, as reflected in the AEPD report 17/2020, which specifies that art.6.1.d) GDPR is a sufficient legal basis and can be used for the processing of personal data aimed at protecting all those persons susceptible to being infected in the spread of an epidemic:” Art. 6.1, d) GDPR considers not only that vital interest is a sufficient legal basis for processing to protect the “interested party” (as this is a term defined in art. 4.1 GDPR as an identified or identifiable natural person), but that said legal basis can be used to protect the vital interests “of another natural person”, which by extension means that said natural persons may even be unidentified or identifiable; that is, said legal basis for the treatment (vital interest) may be sufficient for the processing of personal data aimed at protecting all those persons susceptible to being infected in the spread of an epidemic, which would justify, from the point of view of the processing of personal data, in the broadest possible way, the measures adopted for this purpose, even if they are aimed at protecting unnamed persons or in principle not identified or identifiable, since the vital interests of said natural persons must be safeguarded, and this is recognized by the regulations on the protection of personal data. It states that “In these situations of health emergency, it allows those responsible for the treatment to adopt the necessary measures to safeguard the health of people, said necessary measures being those determined by the health authorities, and those taken by the respondent were in application of the administrative resolutions of the Department of Health and the requirement of COVID certificates from electronic means, was agreed with the health authorities.” -Article 14 of the GDPR has not been violated, the obligation has been fulfilled. It states first of all the lack of legitimacy of the AEPD since the claim does not refer to the information provided by GSMA being deficient, it only focuses on health data. The Court alleges the application of the judgment of the National Court of 23/12/2022, BBVA, considering that in this case the imputation of said infringement of article 14 of the RGPD is totally disconnected from the claim filed, so that in no way can the AEPD use the present procedure to impute infringement of the duty of transparency. In addition, it indicates that the information provided by GSMA complies with the provisions of article 14 of the RGPD. It indicates that in the privacy policy provided by GSMA dated 04/29/2021, reference is made to third parties and suppliers with the terms that it applies to, among others, “third party personnel and other persons participating in the event” explaining the literal content below: “This Privacy Notice applies to the processing of personal data of MWC Barcelona participants, including attendees, exhibitors, sponsors, speakers, partners, third party personnel and other persons participating in the event. This includes personal data obtained through the attendee registration system, the Event application, the partner program registration system, the exhibitor and partner registration system, digital and/or printed scanning of credentials and/or facial recognition (at access points, for sessions or for participation in closed meeting spaces) at the Event, and the bulk upload system of contractors.” Additionally, the information in the section “Information obtained from third parties” states: “From time to time, the GSMA receives personal information from third parties. This may occur, for example, if your employer is a GSMA member and registers you for an event or training or if your employer (or entity by which you are employed as a contractor or temporary staff member) provides services to the GSMA and you are involved in the provision of these services.”, clearly indicating in the clause on the origin of the data that employers will provide their employees’ data. It considers that the content of said information is sufficient, deducing it from the statement of the AEPD in the start agreement when stating the “privacy policy of the respondent's website”, the content of which does not refer to the employees of the suppliers, but to the attendees/participants in the event, understanding that in the agreement it considers that it is not in accordance with article 14 of the GDPR, assuming the aforementioned start agreement and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/96 recognizing that the rest of the information has been provided in an appropriate manner, with the information in the privacy policy being sufficient. She adds that the privacy policy was also contained in the registration application, providing a screenshot of a registration: “Contractor accreditation-system login” to fill in email and password, with a “Sign in” tab, a section to link with the text: “legal” at the bottom left, next to another “contact us” that leads to the next screen, where on the same screen 6, there are links with various information, to mention a few, about cookies, the terms and conditions of the event, or “privacy” in which if you click on the link the “privacy policy” appears. She provides another screenshot in which it does not explain how to get to it, showing “health declaration” (and a link for more information www.mwcbarcelona.com/atttend/safety) with the “send” button. The respondent states that “it is clear in this section that employees are informed of the data provided by suppliers.” It states that they provide in DOCUMENT 9 the text of the privacy policy of the version applicable to the celebration of MWC 22, of which it is worth highlighting: -last update 04/29/2021 -Sections are shown in which, under the title that they offer about the information they contain, it can be accessed by clicking on any of them, being able to differentiate: When is this privacy policy applied?, which states "This Privacy Notice applies to the processing of personal data of MWC Barcelona participants, including attendees, exhibitors, sponsors, speakers, partners, third-party personnel and other people who participate in the event. This includes personal data obtained through the attendee registration system, the Event application, the partner program registration system, the exhibitor and partner registration system, digital and/or printed scanning of credentials and/or facial recognition (at access points, for sessions or for participation in closed meeting spaces) at the Event, and the bulk upload system for contractors.” [English translation] In the “information you voluntarily provide” section, among others, it states: “COVID 19 As set out in our Committed Community plan, you will be required to undergo Covid-19 testing at regular intervals during the Event. Information about your test results will be processed for the sole purpose of access control, tracking and tracing as required by local health authorities, in their relevant event regulation and protocol. Under “Information we obtain from third parties” it states: “From time to time, the GSMA receives personal information from third parties. This may occur, for example, if your employer is a GSMA member and registers you for an event or training or if your employer (or entity by which you are engaged as a contractor or temporary staff member) provides services to the GSMA and you are involved in the provision of these services.” [Spanish translation] C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/96 In the section on “Legitimate bases for the processing of personal information”, it is indicated, among other things, that: “In some cases, we may also have a legal obligation to collect personal information about you, we may be required to do so for reasons of public interest or we may otherwise need the personal information to protect your vital interests or those of another person, for example, in the event of a medical emergency during the Event.” Alternatively, it considers the infringement prescribed by its classification as minor, since it does not consider it an omission, since the privacy policy was duly provided, and if the AEPD considers it incomplete, the infringement would become minor, such as a formal breach of the 74.a) of the GDPR. Eventually, upon notification of the initiation agreement, dated 06/05/2023, and the claim having been filed on 01/29/2022, the expiration of the statute of limitations for the prosecution of the infringements classified as minor would have elapsed. 7- It alleges the demandability of liability on the basis of intent or fault, (art. 28 of law 40/2015) which excludes objective liability, taking into account what is set forth by the judgment of the Supreme Court, administrative litigation chamber, section 3, no. 1456/2021 of 12/13, and in the absence of culpability, which should lead to the consequence that it cannot be sanctioned. In addition, in the hypothetical case that it should be sanctioned, "the inadmissibility of the resolution is evident since in no case are there aggravating circumstances." It considers that there is no culpability in the facts imputed to GSMA, due to: “The intention of processing sensitive data was solely and exclusively to guarantee the health of workers, suppliers and ultimately of attendees and participants in MWC22”, in a temporal context, December 21-March 22, on maximum alert, with approval by the Catalan authorities of changing restrictive measures, measures that “required the provision of COVID 19 certificates in any establishment or event open to the public”. Once the objective of holding MWC 2022 was achieved, it did not have any negative impact on the pandemic situation. Given the high number of participants, suppliers and workers, the company acted from the “precautionary principle” (art. 3 of Law 33/2011 of 4/10, General Public Health), in a coordinated and agreed manner with the health authorities. Acted diligently by placing the order on QP. Subsidiarily, and stated in dialectical terms, the principle of proportionality is violated, as it attributes excessive amounts that do not correspond to the concurrent facts and circumstances. It is considered that the aggravating circumstance of recidivism in file PS/00553/2021, resolved on 02/24/2023, in the framework of the MWC of the previous year, would not be present, even less so for the three infractions that are charged, when the recidivism according to Law 40/2015 in its article 29 refers to an “infraction of the same nature”, considering the TS in its judgment of 03/23/2005 (without further identifying elements) that it would occur “with respect to the same type of offender”. It considers that recidivism is only applicable when the same type of infringement occurs It considers that the infringement of the aforementioned PS, for not having carried out an impact assessment on C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/96 of biometric data for access to the MWC, in breach of article 35 of the RGPD, is not of the same nature as the three infringements charged in the present procedure, one of which consists of the processing of health data. The nature, scope and purpose of the operation of article 83.2.a) of the RGPD should have been assessed as an attenuating, not aggravating circumstance in the three infringements charged, since it is proven that the only purpose of its action was to ensure the health of the workers and suppliers of the MWC22, “in line with the measures shared with and agreed upon by the health authorities”. Inappropriate application of article 83.2 b) of the GDPR as an aggravating factor, in relation to the breach of article 14 of the GDPR, which should be considered as an attenuating factor due to the objective pursued of collaborating with the health authorities in compliance with the legislation on public health and in the measures and restrictions applicable to the control of COVID 19 and the diligence in its actions, which involves not accessing the data through the hiring of QP. -Inadmissibility of the application of the aggravating factor of article 83.2.k) of the GDPR, in relation to article 9.2 of the GDPR, considering the AEPD that given the need to regularly process data for the organization of the event, it has been doing so in successive editions. It considers that its activity is to develop events related to the promotion of mobile telephony and is carried out with the collaboration of the public organization FIRA, considering that the business activity of the respondent has no special link with the health data of its participants and collaborators. - It requests that, if it is not archived, as provided for in article 77 of the LPACAP "this Instructor will proceed to agree to open a trial period and grant process to this party to propose the corresponding means of proof. In this regard, and apart from the documents provided with this document and which will be proposed as documentary evidence, the corresponding documents of QP, the Agència de Salut Pública de Catalunya, the General Directorate of Public Health of the Ministry of Health, and the Management of Fira de Barcelona, involved in the procedure followed to protect public health in the organization of MWC22, will be proposed to the Instructor; and this without prejudice to the other evidence that may be proposed.” NINTH: First extension of allegations, dated 10/11/2023 On 10/11/2023, the respondent expanded the allegations in the following aspects: It states that after the date of submission of the previous allegations it has had access to additional documentation that in its opinion would confirm the inadmissibility of the sanctioning file, specifically of the violations of 9.2 and 6.1 of the GDPR. It reiterates that the respondent, in a coordinated manner with the Catalan and Spanish health authorities, chose to interpret and apply the resolutions of the Department of Health of the Generalitat in accordance with the principle of precaution and prevention required by public health regulations and the evolution of the Omicron variant. Consequently, COVID-19 certificates were required for MWC suppliers and workers C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/96 2022, and this has been accredited by the resolutions of the Department of Health and other documentation provided in the previous statement of allegations. It reiterates that the task of evaluating and validating the COVID certificates not only of the workers, 11,000, but also of the attendees, 61,000 people, presented a complexity and magnitude that can only be carried out electronically due to the respect for the safety distance and the prevention measures required by the applicable health legislation. It provides reports issued by the COVID-19 Scientific Advisory Council (CCAC), (DOCUMENT 1) advisory body attached to the Secretariat of Public Health of the Department of Health, created "based on resolution SLT/2917/2021 of 29/09, reports that are configured as the scientific basis used by the periodic resolutions issued by the aforementioned Department." Its reports issued during the months of November and December 2021 would confirm that the measure adopted by the respondent - in collaboration with the health authorities- of requiring a COVID 19 certificate "from the people entering the FIRA premises" was in accordance with the regulations on public health. DOCUMENT 1 contains the CCA report entitled "proposal to consider the use of the COVID certificate in other areas of Catalonia", dated 11/18/2021, which, according to the respondent, shows that the requirements for COVID- 19 certificates at events both outdoors and indoors were unanimous in most European countries. In summary, it says: The EU COVID 19 certificate came into force on 07/01/2021 and certifies a person's health information regarding COVID 19. After explaining its content and that it was created to facilitate travel between EU countries, colloquially known as "COVID passport", it indicates that "its use can facilitate access to services beyond the possibility of traveling" and prefers to call it "COVID certificate", as graphically shown in a table-graph 1, on access to certain places and events in the EU, and explains, for example, the implementation in Belgium of the "COVID SAFE TICKET" to access events attended by more than 5,000 people (approved by the Belgian authorities as can be seen from the link that connects) The graph titles "areas where the COVID certificate or equivalent is requested in other European countries" by type of activity and coincides with events in outdoor spaces as well as in the interiors (without indicating capacity), it is required in the 10 countries that it cites, the source coming from the Scottish Government. It also explains that, in some countries, in some cases "the vaccination certificate or the obligation of vaccination is required, these initiatives being effective to increase vaccination coverage." It mentions that currently it is required to access the interior of certain establishments, "for which it is required to show the certificate, although it is not allowed to collect data from attendees" It explains the reasons for considering the extension of the COVID certificate in Catalonia, differentiating the essential activities in which "it is reasonable to facilitate without impediments the activities - work, education - from the non-essential ones. He adds that, although discrimination in access implies the limitation of an individual right, it is a consequence of the choice not to be vaccinated, this limitation in certain spaces occurs to guarantee the right to the protection of the health of others and people C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/96 who do not provide the documents will not be able to access, adding that they only have to be presented, files cannot be created. "The COVID certificate is emerging as the most efficient measure to avoid the closure or limitation of hours of non-essential services. It brings benefits and does not pose any potential risk to individual or population health” This document aimed to gather the technical criteria of the aforementioned Council regarding when and in which areas it is appropriate to extend the COVID certificate based on data and indicators, and served as the basis for the issuance of the resolution of 7/12 of the Department of Health SLT/3652/2021. In this resolution, a system of four risk bands is indicated to act as an alert for a possible increase in cases and to activate and deactivate the requirement for the COVID 19 certificate in Catalonia, also containing criteria and proposals to determine in which areas the extension of the COVID certificate should be considered in each risk band. It cites environments with high epidemiological risk (especially in closed environments where there may be mask removal and/or where the minimum safety distance cannot be maintained), or the minimization of the risk of contagion in the case of people who present a high risk of serious complications. He acknowledges that “Although the COVID certificate does not fully guarantee that a person is not infectious and does not replace other non-pharmacological measures, it does reduce the probability of contagion significantly. On the other hand, in consideration of the common good in a context of limited resources in the health system, he points out that it is configured as a mechanism to avoid overloading primary and hospital care.” In accordance with the proposals of the Scientific Advisory Committee, the report of the director of the Public Health Agency of Catalonia prioritizes maintaining the requirement of the COVID certificate for access to non-essential activities that take place in closed spaces with a higher risk due to the conditions of main transmission of the virus by aerosols and where there is greater vulnerability and, therefore, greater need for protection. These are: both ordinary (nightlife) and extraordinary musical recreational activities (music festivals, concerts at major festivals, popular festivals, street parties and other cultural events with standing and the possibility of dancing), the hotel and restaurant sector where social events with dancing are offered; restaurants, and halls and gyms where physical and/or sports activity is done. For greater legal certainty, it is specified that the concept of closed spaces corresponds, for these purposes, to interior spaces and exterior spaces that are covered and laterally surrounded by more than two walls, walls or parameters. “In all these activities, the layer of health protection is established, which supposes as a requirement for access the presentation of the certificate issued by a public health service that accredits one of the following circumstances: that the complete vaccination schedule against COVID-19 is available, that a negative COVID-19 diagnostic test is available -PCR or antigen test-with a certain validity, or that the disease has been recovered in the last six months (COVID certificate). Persons under 13 years of age who do not have limited access to the premises, establishments, equipment or corresponding spaces due to age are exempt from the condition of presenting the COVID certificate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/96 The COVID certificate measure, adopted under the legal cover of Organic Law 3/1986, of April 14, on special measures in matters of public health, in coherence with the other health laws, represents an affectation of the fundamental rights to equality (article 14 CE) and privacy (article 18 CE) of a tenuous nature, in the terms of Judgment 1112/2021, of September 14, of the Contentious-Administrative Chamber of the Supreme Court, confronted with the powerful presence of the fundamental rights to life and physical integrity (article 15 CE) and with the protection of health (article 43 CE), which defends the general interest of all in surviving COVID-19. The aforementioned ruling has also established the parameters that the measure, insofar as it affects fundamental rights, must comply with in order to overcome, subject to the guarantee of judicial control, the proportionality judgment in its triple aspect: suitability, necessity and proportionality of the measure.” The aforementioned report also argues that the use of the COVID certificate should be extended to more areas than those required up to that time, considering it: - an ideal measure: “The COVID certificate is proposed as a measure to live with COVID-19 and reduce the risk of transmission in environments of high epidemiological risk (especially in closed environments where there may be removal of masks and/where the minimum safety distance cannot be maintained)” The respondent considers that the scope of the MWC22 with the degree of participation described was an environment of this type, and deduces that the requirement of the COVID certificate was ideal. - a proportional measure, considering that "it is a temporary, proportional and balanced measure to make the protection of public health compatible with the performance of certain activities and thus avoid the closure of non-essential services. - It is a non-discriminatory measure because the veto of access of the person who does not present it, although it represents a limitation to an individual right, occurs to guarantee the right to health protection of the rest The CCAC document of 11/18/2021, (not the resolutions of the health authorities issued) provides for the need to require (request) the COVID- 19 certificate for congresses of more than 500 people and in any event that brings together more than 10,000, including in the document the reference to the phenomena of super contagion in indoor spaces and also where in large outdoor events with a large concentration of people and the minimum interpersonal safety distance could not be ensured. It provides a table of what would be required for large events such as, for example, congresses, indoors with an attendance of more than 500 people, or in venues of any type with a capacity of more than 10,000 people, for example, the Camp Nou football stadium. -Another document, such as the “preparation and response to the Omicron variant of the SARS-CoV-2 Coronavirus in Catalonia”, dated 12/19/2021, which was taken into account in the resolution of 12/23 SLT 3787/2021, the scenario of this being that of “very high risk”, and which meant: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/96 “The preliminary data generated by different laboratories confirm the worrying antibody resistance of the Omicron variant. In principle, previous infection or initial vaccine regimens do not seem sufficient to guarantee a sufficient neutralizing response against Omicron, while third doses have a positive impact of increasing neutralizing antibody titers. It is suggested (based on the available scientific evidence) that there may be a more than possible reduction in the effectiveness of the different vaccines against infection. The epidemiological impact of this variant in the short, medium and long term will be very significant. The simulation results of possible scenarios show that an increase in incidence is expected, which, in the absence of additional measures, could lead to more than 50,000 cases per day by mid-February 2022. The respondent points out that, consequently, the CCAC reports confirm that the requirement for a COVID-19 certificate for access to the premises is configured as a measure required by public health legislation and the resolutions approved by the Department of Health. It details the workload and volume of work involved in the validation by electronic means of the three modalities for accessing the event by QP attendees (it does not point out any aspect regarding the employees of the suppliers) who also came from different nationalities, such as the vaccine being listed as authorized, the certificate issued by the competent authority, the validity of the vaccination certificate, the dates from which the COVID-19 recovery certificate was valid. It provides a table of the volume of reports processed in previous days, from 02/21/2022 to 03/02/2022, and reiterates that the only way to comply with the sanitary measures required and mandated by the health authorities and maintain the minimum distance was the prior presentation of these certificates by electronic means. In conclusion, it considers that there has been no breach of art. 9.2 of the GDPR because the processing of health data, the COVID-19 certificates, were covered by the exceptions in article 9.2.g) and i) of the GDPR, as it was necessary for reasons of an “essential public interest”, and for “reasons of public interest” in the field of public health. Likewise, the processing of personal data carried out by GSMA was carried out in compliance with the legal obligations imposed by public health legislation and the measures applied by the health authorities. 7-If a sanction were to be imposed, it requests that the sanction be imposed at its minimum level for violations of article 6 and 9, considering the concurrent circumstances and the principle of proportionality. TENTH: Second extension of allegations, dated 11/21/2023 On 11/21/2023, other allegations were received. The respondent states that the documentation that she now provides, together with the one that already exists before it, confirms her thesis that article 9.2 or 6.1 of the RGPD has not been violated, and that the measures applied were agreed and authorized in a coordinated manner with FIRA and the health authorities in compliance with the legislation on public health and COVID 19 prevention. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/96 She provides a letter from FIRA DE BARCELONA, dated 31/10/2023, contractor and person in charge of the respondent's treatment, which was sent to request confirmation on the process that they carried out within the framework of the celebration of the MWC 2022 in conditions of health safety, going on to relate the following explanatory context: -“Taking into account the experience carried out carried out in 2021, it was agreed to create a working group made up of professionals from the Public Health Agency of Catalonia, FIRA DE BARCELONA and GSMA”, to “establish and implement an ad-hoc health plan, which would mitigate the risk of generating an epidemic outbreak in the development environment within the fairgrounds”. -“The precedent of the success of the Health Plan defined and executed for MWC21 will be taken as an example,” which had as its fundamental pillar the performance of rapid antigen tests as a previous step to authorizing visitors to enter the fairgrounds. -Explains the environment in which MWC 22 was to take place and the previous preparations, considering the “proposal to consider the use of the COVID certificate in other areas in Catalonia,” from the CCAC of 11/18/2021, in the face of an alert situation in phase 4 and the size of the event together with the variation in epidemiological conditions. -Reiterates that one resolution among the several issued, required the presentation of a COVID certificate in certain activities as access requirements,” until 01/26/2022.” -“FIRA and GSMA, in coordination in various meetings with the management and the Public Health team of the Public Health Agency of Catalonia of the Generalitat of Catalonia, will follow what the CCAC recommended and the situation of continuity of requiring the COVID certificate in other European countries as the CCAC itself said in its report of 21/01/2022”. -“For all the above, it is for this reason that the management of the Public Health Agency of Catalonia of the Generalitat of Catalonia communicated to the organizers of the MWC22 its agreement with the “Mitigation Plan” that we proposed, considering the scientific evidence, the requirement of the COVID 19 vaccination certificate, and in the event of not having it, the performance of TAR carried out by a health partner as a previous step to the authorization of the access of visitors and staff to the fairgrounds.” It ends with: “Awaiting your confirmation that this has been the way it has been acted upon, or if not, your comments or clarifications. The letter is answered by an email dated 11/7/2023, with the signature of the Deputy Director General of Public Health Coordination, Secretariat of Public Health, according to the respondent on which the ASPC depends, which indicates: “in relation to the letter received on the process followed by COVID control measures at the MWC held from 02/28/2022 to 03/03/2022, ”I confirm that I agree with the content expressed in said letter”. According to what was stated by the respondent, this Deputy Director held the position during the months of preparation for MWC22. The respondent explains the role of the Catalan Public Health Agency, with its Director having the status of public health authority (art. 5 Law 18/2009) competent to decide and propose the measures and restrictions to be adopted regarding the control of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 32/96 pandemic. And that the ASPC has, among others, the functions of issuing a prior and mandatory report to the resolutions issued by the Department of Health every two weeks in care aspects and in epidemiological and public health aspects in order to certify the updated situation of contagion risk, the situation of control of the pandemic, and the sufficiency of the measures and proposal of measures to be adopted (art. 55 bis Law 18/2009). The respondent reiterates that the measures were agreed by GSMA in a coordinated manner with the health authorities at a declared level of very high risk by resolution of 23/12/2021, SLT/3787/2021 of 23/12. The respondent points out that, within the working group composed of ASPCAT, FIRA and GSMA, for the celebration of the MWC 2022, they proposed to the ASPC “the requirement by telematic means of COVD 19 certificates for anyone who intended to access the FIRA premises during the preparation and celebration of the MWC 222, which had the consent of the ASPCAT, in accordance with the response to the letter from FIRA”, specifying: “It is for all the above that the management of the Public Health Agency of Catalonia of the Generalitat de Catalunya communicated to the organizers of the MWC22 its conformity with the proposed mitigation plan”, in 17 working meetings from October 21 to February 22. The ASPCAT was the competent health authority to propose the measures and restrictions to be adopted by the Department of Health in order to control the pandemic.” “The health authorities and FIRA validated and authorized both the mandatory requirement of COVID-19 certificates for entry to the FIRA premises, as well as the provision and management of said data by electronic means, as the only viable solution in compliance with the legal requirements in matters of public health.” It concludes by indicating that this documentation confirms that it has acted within the framework of compliance with legal obligations in matters of public health, with the inappropriateness of the violations of articles 9.2 and 6.1 of the GDPR, reiterating that the processing of health data, that is, COVID-19 certificates were covered by the exceptions provided for in art. 9.2.g) and i) of the GDPR because it was necessary for reasons of “an essential public interest” and “for reasons of public interest in the field of public health.” ELEVENTH: Issuance of a resolution proposal dated 03/12/2024. On 03/12/2024, a resolution proposal was issued with the following literal: “That the Director of the Spanish Data Protection Agency impose an administrative fine on GSMA LIMITED, with NIF N4004237F, for the following GDPR violations: -a violation of article 9.2 of the GDPR in accordance with article 83.5.a) of the GDPR, and for the purposes of prescription, classified as very serious in article 72.1.e) of the LOPDGDD, with a fine of 300,000 euros. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/96 -an infringement of article 6.1 of the GDPR, in accordance with article 83.5.a) of the GDPR, and for the purposes of prescription, classified as very serious in article 72.1.b) of the LOPDGDD, with a fine of 200,000 euros. -an infringement of article 14 of the GDPR, in accordance with article 83.5.b) of the GDPR, and for the purposes of prescription, classified as very serious in article 72.1.h) of the LOPDGDD, with a fine of 100,000 euros.” On 20/03/2024, an extension of the deadline for making allegations was requested, which was granted. TWELFTH: Allegations to the resolution proposal presented on 04/08/2024. On 04/08/2024, the respondent presented the following allegations: 1-It states that document 4 provided in its allegations actually contains two contracts, one the MAIN one and the other the SUB-CONTROLLER of treatment, and that the first one contained broader elements than the sub-processor one. It states that the sub-processor contract was limited to the administrative validation of the health documentation related to COVID, provided by the visitors and “workers” of MWC 22, “in order to grant them the condition of fit or not for access and to work in it, before, during and after the event”. Based on this, as a new allegation not previously made, it points out that “the services provided for in the main contract and not contemplated in the contract of subcontractor of the treatment”, included: -“Medical or health validation of the COVID certificates by medical or health personnel of QUIRÓNPREVENCIÓN.” “Assuming the decision and the medical risk of declaring FIT to enter to work in the fairgrounds a person who could be infected with Covid. Neither GSMA Ltd. nor FIRA were authorized to make this decision due to the lack of medical or health personnel.” - “Contact and medical examination of the worker or visitor in the event that it was necessary”. -“Hospital care service (24/7) through the network of Quirón Salud centers for all participants in the MWC22.” -“Performance, if necessary, of antigen tests by health personnel.” With regard to them, it is noted that they must be understood as corresponding to the provision of medical or health services that they provide as data controllers, because: -There is direct treatment with the interested party, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 34/96 -These medical services, like their professionals, have a legal and deontological obligation of independence, direct relationship with the patient, medical responsibility, management and conservation of clinical records, management and conservation of health data, which obliges them to be responsible for both medical decisions and the treatments carried out, and this is included in the Code of Medical Ethics of the General Council of Official Colleges of Physicians of Spain. 2- He also states that, as the “main” contract established in the section “statements”, that “the parties were not prevented from reaching agreements regarding aspects not contemplated in the offer, or from incorporating or modifying at the request of their organizer any aspect of the service provided it was reasonable”, QUIRONPREVENCIÓN performed services related to support for the coordination of business activities, which pursued the ultimate goal of preventing occupational risks, based on considering each of the workers who provided their services at MWC 22 as fit or unfit, and that “in practice, the services of medical or health validation of the documents provided by the visitors were also extended to the workers who provided their services at the exhibition grounds where MWC22 would take place”, “taking into account that the visitors represented a biological risk for the workers and the workplace”. He points out that all these services were not included in the subcontractor contract. He states that given the number of countries that would visit the event and that the vast majority of exhibitors represented at the event hire their own workers “in their country of origin or through specialized agencies”, with “thousands of workers from countries around the world attending, many considered high or very high risk” by the Spanish health authorities, and given the profile of the workers, “resistant to following a safety protocol”, “it demanded the application of a sanctioning protocol that would ensure compliance with health regulations, which included the expulsion from the premises of workers who did not comply with the regulations”. It indicates that the workers who provided their services for the assembly, including the provision of their services for the exhibitors, “were going to be exposed to an obvious biological risk threat”, and that “The legal obligations of employers in terms of prevention of occupational risks derived from biological risk are provided for in Royal Decree 664/1997 of 12/05 on the protection of workers against risks related to exposure to biological agents during work”. It adds that “assistance was requested from the immigration authorities and it was agreed to apply the same measures imposed at the border, especially in airports managed by AENA, where QUIRONPREVENCIÓN provided this same service”, and that: “in order to determine the sanitary measures and reduce the biological risk, various authorities were consulted”, drawing up “safety and health guidelines” and FAQs, which the respondent published on its website and gave to its exhibitors and suppliers. The URL that indicates that it leads to said content ***URL.3, is an informative note to access MWC22, indicating for example that “before traveling, consult the protocols in force to enter Spain”, and it details that to access FIRA, all attendees, including staff and exhibitors, must prove: vaccination against Covid-19, valid recovery certificate, or negative diagnostic test (PCR or rapid antigen test is accepted). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 35/96 “Documents proving Covid-19 status must be sent through the official MWC22 application or the registration page on the conference website. These will then be reviewed by the event's medical partner, Quironprevención; If there is any issue with something submitted, the healthcare company will contact the individual via email. Once the test has been accepted, a digital entry credential will be activated and attendees will receive a confirmation via text message. Those taking an entry test will be required to take one every 72 hours. Each result is only valid if the 72-hour period after the test is taken covers the entire day of the event. If it expires during the day, the individual will be denied entry. The app will notify delegates whose entry certificates are expiring in advance and the expiration date will be displayed on attendees' digital credentials. Those using fully vaccinated status for entry must have received their final dose at least 15 days before the event. Vaccination certificates and approved proof of recovery documents are valid for the entire event. There will be no testing available on-site. In addition to proof of Covid-19 status, attendees must submit a daily health questionnaire and declaration in the application. The FAQ section mentions the GSMA Health and Safety Plan for Committed Community and other information, only referring to attendees. It states that “if you are going to fly to Barcelona, check with your company the requirements for COVID-19 to understand the specificities for health and safety measures”. “For general information on health and safety you can visit the website of the Spanish Ministry of Health” It is reiterated that to access the venue, visitors once registered, must validate their vaccinations, their tests for recovery from the disease, valid for the entire duration of the event, or take tests valid for 72 hours, and complete a daily health declaration in any of the three cases. It is also reported that the validation is carried out by a medical associate. 3-It indicates that QUIRONPREVENCIÓN acted as a partner for the employees of “any supplier, including those of more than 1,500 exhibitors as well as the suppliers who provided their services to GSMA, FIRA and their exhibitors”, and that in practice it also “carried out the medical or health validation of the documents provided by the workers of the different employers attending the fairgrounds and supported the coordination of business activities and the prevention of occupational risks with the aim of protecting the approximately 10,000 active workers in the grounds from the biological risk derived from COVID”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 36/96 “QUIRONPREVENCIÓN's role as support in the coordination of business activities and the prevention of occupational risks was regulated by the regulations on occupational risks and the specific regulations that govern the coordination of business activities In this type of service, QUIRONPREVENCIÓN determined whether the workers were fit or not fit to work in the fairgrounds The ephemeral nature of the MWC, as well as the precise regulation of the coordination of business activities in article 24 of the law on the prevention of occupational risks make the measures consisting of providing a special contractual framework for this service disproportionate, with the regulations that govern its activity being applicable.” QUIRONPREVENCIÓN has platforms for the management of companies that contract its services and its suppliers, which may be due to the purposes of coordinating business activities, regulated by article 24 of the Law on the prevention of occupational risks and RD 171/2004 of 30/01 that develops said article, reiterating that it includes the provision of medical or health validation of the documents delivered by the workers of client companies by health teams with an obligation of professional secrecy, to which the General Law of Health and the Law of Patient Autonomy apply, as well as the regulations on occupational risk prevention services, which establish obligations for health personnel that prevail over the contracts that QUIRONPREVENCIÓN may have with client companies as they derive directly from the Law. “This is a health activity associated with legal obligations that establish a direct relationship between QUIRONPREVENCIÓN and the worker of the client company or from their suppliers, health professionals carry out analyses of the documentation provided by the worker and reach the conclusion of whether or not he is fit for work, this conclusion being the only information provided to their clients.” He stresses that Annex VI of the contract, which also governs the same, entitled “treatment commissioner contract” “was not applied in practice since all the COVID documentation was delivered by the attendees and workers to QUIRONPREVENCIÓN through its platform, in accordance with what is indicated in ANNEX 1B”, also of the contract entitled: “systems integration”, in which it is established that “The provider, QUIRONPREVENCIÓN, will have an information system necessary for the management of COVID tests,” detailing the functionalities, depending on whether it is: - “Validation of test results”, “website for sending previous tests” which is specified in that QP “will make available to the event a website - not from FIRA or GSMA - through which the visitor can indicate their data and upload a document or photo of a PCR/antigen result or vaccination/recovery card previously made. This website will be called through a parameter with the identifier of the participant. QUIRONPREVENCIÓN will use the identifier to call the API that FIRA will provide and extract the data from the accreditation of the visitor/contractor, and thus verify that it is a participant in the event. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 37/96 Upon receiving a document and when a registration is validated/rejected, FIRA will be notified through the API that FIRA will enable” but not the documents themselves. “The sending of an email to the interested party directly by QUIRONPREVENCIÓN and not by FIRA or GSMA regarding the validation or rejection of the documents provided.” In the section “checking results and verification statuses”, it is indicated that “QP will enable a feature in its systems that will allow a FIRA user to search for an accredited person and check if they have a valid negative test or if a previous test has been validated” 5- It states that the role played by QUIRONPREVENCIÓN was that of coordinator of business activities when talking about data processing linked to the prevention of occupational risks, such as the communication of data that is necessary to comply with coordination obligations when workers from several companies carry out their activity in the same workplace, in the terms of article 24 of the Occupational Risk Prevention Act (LPRL). In the assembly phases of the event, there was a concurrence of companies with workers who shared the same workplace. QUIRONPREVENCIÓN, as the exclusive medical partner of MWC 22, performed this function of coordinating business activities, contributing to making the venue a safe work space by carrying out medical validation of the health status of attendees and workers, and the communication of conclusions was limited to indicating whether the examined worker was fit or unfit for work at the fairgrounds. 6-It is now stated that the legal basis for the processing of health data that were processed before, during and after the event, referring to the assembly of the facilities for the holding of the event, carried out by the employees of the GSMA suppliers, was compliance with legal obligations regarding the prevention of occupational risks. “Health monitoring is mandatory in accordance with Title 22.1 of the law on the prevention of occupational risks in the following cases that were present at the holding of the Barcelona MWC 22: -Verification of whether the health status of the worker may constitute a danger to him/herself, to other workers or to others related to the company -Legal obligation in relation to the protection of specific risks, such as the biological risk produced by the COVID virus.” The occupational risk prevention regulations offer a double legitimation to request health data from visitors and workers who provide services at the fairgrounds: “1-It grants the company and especially its internal and external prevention service the power to decide the most appropriate measures to comply with the obligation that the workplace be a safe place to work. This obligation is recognized in the AEPD guidelines. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 38/96 2-It contemplates the specific case of biological risk in which the verification of the health status of the worker and visitors to the workplace is expressly provided for to confirm that it does not pose a threat to the rest of the workers. This obligation is recognized by the AEPD guidelines In the case of Barcelona MWC 22, these decisions were adopted at the time of the adoption of the applicable health measures in collaboration with the health authorities” It states in the document entitled on the coronavirus prepared by the AEPD that, in application of the occupational health regulations for the prevention of occupational risks, employers may process, in accordance with said regulations and with the guarantees they establish, the personnel data necessary to guarantee their health and adopt the necessary measures by the competent authorities. 7- As a new allegation made in this procedure, it indicates that the processing of the health data of visitors, workers of exhibitors, workers of suppliers and workers of the organization were necessary for the purposes of preventive or occupational medicine, evaluation of the worker's work capacity and medical diagnosis in accordance with article 9.2 h of the RGPD”. 8-Regarding the obligation to inform interested parties, a violation of article 14 would be the application of 14.5 of the GDPR, since the wide dissemination of the measures that were to be applied to prevent the spread of COVID allows us to accept and affirm that the interested party had the information regarding the data that was to be requested, as well as the different compilations of press news and dossiers that appeared in the media. 9-He states that he has proven that there is no guilt or lack of diligence essential for being sanctioned. 10-He states that the right to evidence has been violated since in his allegations he indicated that, if not archived, a trial period would be opened now stating that testimonial evidence would be proposed from relevant agents involved in the organization, such as different public authorities and there is an obligation to open said trial period. PROVEN FACTS FIRST: The respondent, GSMA LIMITED, is a company in the mobile telephony industry that groups as members more than 750 operators and more than 400 Companies, being the organizing entity every year in Barcelona since 2006, of the Mobile World Congress, "MOBILE WORLD CONGRESS (MWC)". The one that took place in the year 2022, was held for the attending public, between 02/28/2022 and 03/03/2022. In 2020, due to the spread of the coronavirus outbreak, it was cancelled SECOND: For the celebration of the MWC 2022, the respondent established an access system for employees of suppliers who carry out assembly work on the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 39/96 facilities during the celebration of the Congress, which required the registration of data on a “digital pass platform” owned by the respondent. The venue where the MWC is held is called FIRA Gran Vía because it is located on this street and is owned by the FIRA DE BARCELONA consortium (hereinafter FIRA). The defendant's instructions for access to the MWC 2022 facilities by the employees of the suppliers for the assembly of the facilities where the event would be held, involved the collection and processing of COVID 19 data, which would be managed by QUIRON PREVENCION SLU (QUIRONPREVENCIÓN) as FIRA's sub-processor, in charge of processing on behalf of the defendant. THIRD: According to the emails of 20 and 21/01/2022 provided by the claimant, FIRA DE BARCELONA issues instructions for access to the MWC 22 facilities (access pass), informing of the system that will be required, from 23/01/2022 to 8/03/2022, affecting, among others, in this case, the employees of the suppliers dedicated to the assembly (stands) of the facilities. The system starts with the creation of an account by FIRA for each supplier, from where the passes will be self-managed with a collaborating manager for the passes of all the employees of each supplier. Once the names have been loaded into the system, each collaborator will receive an email with a link to complete the registration. It is indicated in the email of 01/20/2022, that when they log in for the first time “your workers will have to create a password. Once this is done, they must upload one of the following documents to the system: - COVID-19 vaccination certificate (complete schedule), or - COVID-19 recovery certificate, or - negative proof of a valid COVID-19 test (negative antigen test performed in the last 72 hours in any of the periods-setup, celebration, dismantling.” In addition, it is reported that these documents “must be uploaded to the registration system website by each worker for validation.” Also, suppliers are informed that they can easily view and generate reports of workers who have not yet uploaded their documents, in order to follow up with them. FOURTH: FIRA INTERNACIONAL DE BARCELONA, with CIF Q-0873006-A, (FIRA) owner of the facilities where the event is held (DOCUMENT 3 a) is, as stated in its privacy policy, an associative-based entity consortium for development, made up of the Generalitat de Catalunya, the Barcelona City Council and the Official Chamber of Commerce, Industry and Navigation of Barcelona. FIRA provides services for the MWC Barcelona of which the respondent is the organizer. In many cases, FIRA has the status of contractor of the respondent for services and supplies provided within the framework of the MWC. GSMA LIMITED provides a copy of a framework contract dated 22/11/2019, DOCUMENT 3 a, signed with FIRA INTERNACIONAL DE BARCELONA to provide services C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 40/96 related to MWC Barcelona, according to the various work order declarations in force from 2020 to 2023. The respondent attaches in annexes the descriptions where the types of data service to be processed specifically by FIRA and the purpose of the data processing assignment are stated. In the allegations to the start agreement, the existence of a contract signed on 21/02/2022 by FIRA DE BARCELONA as the defendant's manager, with QUIRONPREVENCIÓN SLU for the MWC 22, organized by GSMA and that FIRA, by mandate of the latter, coordinates and manages with the supplier designated by GSMA (QUIRONPREVENCIÓN) for the provision of services related to the validation of COVID certificates is accredited. Among other services, the integration and communication of results and validation of certified vaccination tests is included. The contract includes a part with the data processor clauses. FIFTH: The defendant has stated that the procedure established for workers to register the documentation on the platform would be: Step 1. The supplier registers each of its workers on the GSMA platform. The data entered, according to the respondent, appearing in its Data Protection Impact Assessment, would be for each employee: email, name and surname. Furthermore, regarding groups of affected interested parties, only the following data appear in the FIRA-QUIRONPREVENCIÓN data processing contract, which the respondent makes available, regarding the “participants”,: “government identification number: DNI, NIE-passport), contact details - telephone number” (1.3 of the data processing contract) Step 2. Once registered, each employee receives a confirmation email from GSMA with a link that provides access to their account on the QUIRONPREVENCIÓN platform. Step 3. Each employee directly provides COVID-19 information through the QUIRONPREVENCIÓN platform. Step 4. Each employee receives a confirmation/rejection email from QUIRONPREVENCIÓN for the completion of the registration process on the GSMA platform. “GSMA IS NOTIFIED whether the person is qualified to access the office or not.” SIXTH: When explaining the legal basis for legitimizing the processing of personal data of the suppliers' employees, the subject of the claim, the respondent details that given the situation of the spread of the epidemic shown by the indicators, it began to foresee the scenario of the holding of the event from the fall of 2021, and it had to pay attention to the successive resolutions that established temporary measures in public health matters for the containment of the epidemic outbreak of the COVID 19 pandemic in the territory of Catalonia (resolutions of the health authority, signed by the Minister of Health and by the Minister of the Interior) that usually had a validity of 14 days. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 41/96 The respondent stated in the transfer of the claim that on ***DATE.1, it had a Health and Safety Plan for MWC22, sending a notice on its website in which it reports that in execution of said Plan, it reiterates that “the attendees” and “the workers in the premises” must provide some of the medical documentation that coincides with that recorded in the third proven fact, adding “… the proof of compliance with the protocols will be stored and displayed in the official application of the event.” The respondent has not provided a copy of the aforementioned PLAN, which it states in its response to the transfer of the claim that it was approved in coordination with Catalan health authorities and that it “required it to collect personal data such as those that are the subject of the claim.” SEVENTH: The respondent reports that the basis that legitimizes the processing of the data of the employees of the suppliers who set up the facilities for the celebration of the MWC 22 in the facilities where it was to be held, is article 6.1.c), which legitimizes the processing when “it is necessary” “for the fulfillment of a legal obligation applicable to the data controller”, stating that this legal norm is the Health and Safety Plan for the MWC22, developed in collaboration with the authorities, which has not been provided at any stage of the procedure, and the legal obligations imposed by public health legislation and the measures adopted by the health authorities. It also considers that the aforementioned treatment would be protected, "if it were not justified by Article 6.1.c) of the GDPR", by Article 6.1.d) of the GDPR, since "it is necessary ""to protect the vital interests of the interested party or of another natural person", understanding the situation as an emergency, being necessary for humanitarian purposes, including the control of epidemics. EIGHTH: Regarding the exception to the prohibition of processing health data that the respondent, as data controller, manages for the employees of the suppliers who carry out the assembly of the facilities, the respondent stated in the response to the transfer, only, that article 9.2.g) of the GDPR is applicable, considering that the treatment “is necessary for reasons of an essential public interest on the basis of the law of the Union or of the Member States, which must be proportionate to the objective pursued, essentially respect the right to data protection and establish appropriate and specific measures to protect the interests and fundamental rights of the interested party”, on the basis of the aforementioned Health and Safety Plan for the MWC22 and by the Public Health Law 18/2009, of 22/10, applicable to the territorial scope of Catalonia, which provides for the possibility of administrative intervention in health protection and disease prevention, both in public and private areas. On the other hand, the respondent stated that, from October 2021 until the end of 2022, it had meetings with the health authorities examining the situation of the evolution of the pandemic and, as a result, it provides DOCUMENT 6, health requirements to access the MWC22 protocol 1, dated 01/27/2022, which is a graph that indicates the process in which the assemblers must upload the COVID data. The respondent also supports the lifting of the prohibition on the processing of employees' health data, in its allegations to the start agreement, in article 9.2.i) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 42/96 of the GDPR (although it does not appear in the EIPD dated 04/22/2022); This is: “data processing necessary for reasons of public interest in the field of public health, such as the protection of serious cross-border threats to health, on the basis of Union or Member State law that establishes appropriate and specific measures to protect the rights and freedoms of the interested party, in particular professional secrecy”, under the protection, according to the respondent, of the resolutions of the Department of Health that it attached as DOCUMENT 5, “which establish public health measures to contain the epidemic outbreak of the COVID 19 pandemic in the territory of Catalonia”. The respondent reiterates that it has limited itself to complying with public health regulations and the measures decreed by the health authorities, and also within the framework of the principle of prudence required by health legislation. NINTH: The Health and Safety Plan for MWC22 cited, allegedly negotiated with the health authorities, has not been provided by the respondent and its content and date are unknown. MWC22 was held for attendees from 02/28/2022 to 03/03/2022. The instructions for access to their workplace by employees of suppliers, such as the complainant, were applied between 01/23/2022 and 03/08/2022. The respondent has provided a certificate issued by the entity QUIRONPREVENCIÓN, on 3/10/2023, which provides a summary of the days prior to the start of the event, as well as the first days of the event, and provides information on the reports received from 21/02/202 to 02/03/2022 with a total of 54,779 reports. TENTH The resolutions of the health authority applicable between 23/01/2022 and 08/03/2022 were the following: RESOLUTION SLT/99/2022, of 26/01, which establishes the measures in terms of public health for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. This resolution lifts the restrictive measures on fundamental rights that were still in force, that is, “the limitation of meetings and social gatherings to a maximum of ten people, the limitation on the capacity of religious activities, and the requirement of the COVID certificate for access to certain non-essential activities in closed spaces (restaurants, physical and/or sports activity rooms, gyms and permitted musical recreational activities: concert halls, theatre cafes, concert cafes and musical restaurants)”. In section 2.1 “Individual and collective protection measures” it is established that “(…) Both in closed and open spaces, except for groups of cohabiting people, the interpersonal physical safety distance is set at 1.5 m, in general, with the equivalent of a safety space of 2.5 m2 per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the interpersonal physical safety distance, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 43/96 appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion. In open-air spaces where due to the agglomeration of people it is not possible to maintain the interpersonal physical safety distance, the use of a mask is mandatory in the terms established in section 2.3 of this Resolution.” Regarding the “Prevention and hygiene measures in workplaces” in point 3.4, section 2, it is determined “Without prejudice to compliance with the regulations on prevention of occupational risks and other applicable labor regulations, the owners of public and private workplaces must adopt, in the workplaces, among others, the following measures: a) Adopt organizational measures in the working conditions, so that the maintenance of the minimum interpersonal safety distance is guaranteed. And, when this is not possible, workers must be provided with protective equipment appropriate to the level of risk. (…)” RESOLUTION SLT/177/2022, of 2/02, establishing the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia, In relation to the “Individual and collective protection measures” it indicates in its point 2.1 “1. (…) Both in closed and open spaces, except for groups of people cohabiting, the safety distance is established at 1.5 meters, in general, with the equivalent to a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, the appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion. 2. The duty of protection established in section 1 is also enforceable for the owners of any economic or business activity or establishment for public use or that is open to the public, in accordance with the organizational, hygiene and prevention standards established in this Resolution and, where applicable, in the corresponding sector plan or organizational protocol. (…)” In point 3.4, it adds: “Prevention and hygiene measures in workplaces” “(…) “2. Without prejudice to compliance with the regulations on the prevention of occupational risks and other applicable labor regulations, the owners of public and private workplaces must adopt, in the workplaces, among others, the following measures: a) Adopt organizational measures in the working conditions, so that the maintenance of the minimum interpersonal safety distance is guaranteed. And, when C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 44/96 this is not possible, workers must be provided with protective equipment appropriate to the level of risk.” (…)” RESOLUTION SLT/254/2022, of 9/02, which modifies Resolution SLT/177/2022, of 2 February, which establishes the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia It also includes”2.1 Individual and collective protection measures 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading the SARS-CoV-2 infection, as well as the same exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for outdoor spaces for carrying out activities; the correct ventilation of closed spaces, and the cleaning and disinfection of surfaces. Both in closed and open spaces, except for groups of people living together, the safety distance is set at 1.5 meters, in general, with the equivalent to a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion.» This resolution does not modify the specific prevention and hygiene measures in work centers of RESOLUTION SLT/177/2022, of 2/02. RESOLUTION SLT/342/2022, of 16/02, establishing the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia It also includes in point 2.1 “Individual and collective protection measures 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading infection by SARS-CoV-2, as well as their own exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for outdoor spaces for carrying out activities; the correct ventilation of closed spaces, and the cleaning and disinfection of surfaces. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 45/96 Both indoors and outdoors, except for groups of people living together, the safety distance is set at 1.5 metres, generally, with the equivalent to a safety space of 2.5 square metres per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow the safety distance to be maintained, appropriate hygiene and organisational measures must be adopted to prevent the risk of contagion.” RESOLUTION SLT/541/2022, of 2/03, establishing public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia It establishes in its point 2.1 “Individual and collective protection measures 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading infection by SARS-CoV-2, as well as their own exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for outdoor spaces for carrying out activities; the correct ventilation of closed spaces, and the cleaning and disinfection of surfaces. Both in closed and open spaces, except for groups of people cohabiting, the safety distance is set at 1.5 meters, generally, with the equivalent to a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risk of contagion. (…)” And 3.4”Prevention and hygiene measures in workplaces (…) 2. Without prejudice to compliance with occupational risk prevention regulations and other applicable labor regulations, the owners of public and private workplaces must adopt, in the workplaces, among others, the following measures: a) Adopt organizational measures in working conditions, so that the maintenance of the safety distance is guaranteed. And, when this is not possible, workers must be provided with protective equipment appropriate to the level of risk. (…)” None of the aforementioned resolutions provides for the provision of COVID certification for any group or sector of activity. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 46/96 ELEVENTH: The respondent has provided in English a Data Protection Impact Assessment on “Processing of Covid-19-related health data of suppliers’ employees” that must be on-site at the MWC Barcelona 2022 headquarters to provide services, dated 04/22/2022, so that it is not proven that it was approved before the affected treatments were carried out (data collection, from 01/23/2022 to 03/08/2022). In Step 4: “Assess the need and proportionality”, the aforementioned impact assessment states the following: What legal basis will you rely on to process the data? “Article 6 of the GDPR Article 6.1 c) — compliance with a legal obligation The Committed Community Plan was developed in collaboration with the Catalan public authorities (Catalan Government departments, including the Catalan Health Authorities and Procicat) and approved by Procicat. The Plan is also aligned with the Catalan Covid Action Plans for Trade Fairs and Congresses (Congress Action Plan and Trade Fair Action Plan) applicable to GSMA and FIRA, respectively. The Committed Community Plan includes a requirement for GSMA to request Covid Information. Under Public Health Law 18/2009, health authorities may interfere in public and private activities in order to protect the health of citizens and prevent disease. GSMA considers that the Committed Community Plan constituted such interference and GSMA considers the Plan as agreed and approved by the Catalan Health Authorities as a mandate to implement Covid-19 measures at the MWC Event in order to prevent the spread of Covid-19, including the collection of information on COVID-19. GSMA is obliged by law to comply with the instructions of the health authorities and, therefore, Article 6, letter d), vital interest of the interested party. To the extent that the above reason is not applicable, GSMA relies on this legal basis for the processing of Covid information. We consider i) Recital 46 of the GDPR, which explicitly states that organisations may rely on this legal basis for processing when it is necessary to protect the vital interests of a person or a group, including monitoring epidemics and their spread; and ii) the recognition by the Spanish DPA that this legal basis can be used for the processing of personal data related to Covid-19. Article 9 GDPR Article 9(2)(q): substantial public interest on the basis of Union or Spanish law. GSMA was required by law to comply with the instructions of health authorities and therefore to develop and comply with the Committed Community Plan (see references above). Can the desired result be achieved by processing less data? C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 47/96 No. GSMA has committed to process the minimum amount of personal data necessary to achieve the purposes of the processing. The scope of the data as well as the processing activities (i.e. GSMA did not have access to the Covid Information which was only accessed by its sub-processor, QUIRONPREVENCIÓN, and processed entirely on the Platform) have been established in accordance with the principle of data minimisation. How will you provide transparency to individuals? Privacy Notice provided to individuals by their employer on behalf of GSMA before their data is shared by the employer with the GSMA/GSMA processor. According to the Contractor Registration Terms and Conditions, suppliers are required to contractually commit to comply with all transparency and lawfulness obligations before sharing their employees' data with GSMA, including providing the Privacy Notice to all relevant employees before sharing. How will you enable data subjects to exercise their rights? The rights of data subjects and how they can be exercised are detailed in the Privacy Notice. How will you ensure data protection compliance by suppliers? Contractual commitments in relevant data processing agreements, including provisions required by Article 28 GDPR. What steps will you take to ensure compliance with data export rules? (unofficial translation) This section assesses the following risks: (i) Unauthorised disclosure of sensitive personal data of employees by the subprocessor QUIRONPREVENTION (ii) Collection of more sensitive personal data than required (iii) Personal data will be retained for longer than necessary (iv) Reliance on the identified legal basis of legitimate interest for processing (v) Complaint over decision to deny entry to a supplier's employee, based on Covid information. (vi) Failure to provide sufficient information to individuals (vii) Failure to comply sufficiently with a request from interested parties (DSR (viii) Creep scope: the risk that Covid Information is used for any purpose beyond what is provided for in this DPIA (ix) Processing of excessive personal data (unofficial translation) TWELFTH Regarding the purpose of the processing, the respondent indicated that it was to protect attendees and employees by guaranteeing a safe and healthy environment for all of them, preventing the spread of the virus, "as a serious cross-border threat to public health in the manner required under the Plan agreed upon and approved by the health authorities", indicating that during the four days of the Congress, 61,000 people accessed as attendees, and 11,970 people as employees, recognizing that all of them were required to use the COVID certificate system. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 48/96 The processing and conservation of the data collected is necessary, according to the respondent, because after the collection of the data from the employees, the subcontractor, QUIRONPREVENCIÓN, must analyze whether the documentation they provide regarding COVID 19 is valid, since the information must be verified. For example: if all the doses are available, if the vaccine is within the effective time, or if the certificate was issued by an officially recognized authority. In addition, the collection and conservation of the data is carried out because it serves as a pass to the facility, facilitating access, with the respondent acknowledging that if a positive case emerges, the pass could be invalidated. THIRTEENTH: Regarding the guarantees for the protection of the rights and freedoms of individuals, the respondent attached: - the security measures applied by QUIRONPREVENCIÓN, stating that the data controller did not have access to the data, which were collected directly by QUIRONPREVENCIÓN, which analyzed them and confirmed whether they were suitable or not suitable for access, a fact that was communicated to the controller, the organizer of the access system for attendees and employees of suppliers. It is also proven that the respondent had registered the data of the suppliers' employees (at least name and surname, supplier, ID-NIF, email) before the health data registered in relation to COVID 19) - A DPIA that it provides, dated 04/22/2022, when the data of the employees began to be required from 01/23/2022, in which it is not proven that the action of the Data Protection Delegation had been taken into account, and it is not stated that one of the points to be covered was the risk assessment for the rights and freedoms of the interested parties, as well as the necessity and proportionality of the health data processing operations with respect to their purpose, nor is it related to the employees of the suppliers who carry out the assembly of the facilities where the event is held, any aspect is mentioned regarding the right to work as an affected right, and the eventual prohibition of access to the workplace or the relation to the right to prevention of occupational risks. FOURTEENTH: Regarding the information provided on the processing of data of the employees of the suppliers, and of the complainant, in particular, that requested in his response to the transfer and also as stated in the EIPD, he indicated that it is the responsibility of the employer supplier, "since GSMA has no direct contact with the workers," adding that "the contract between GSMA and the supplier (which is also not provided) requires compliance with the applicable laws on data protection, including transparency and legality for the purposes of transferring the data of its workers to GSMA or its data processors, including the provision of GSMA's privacy policy to its workers, which is provided to the suppliers." In the DPIA, the following risk assessment is also added: “Not providing sufficient information to individuals”, “GSMA ensures that suppliers’ employees are provided with the Privacy Notice before their data is shared by their employer with the GSMA. In accordance with the Contractor Registration Terms and Conditions, suppliers are contractually required to comply with all transparency and legality obligations before sharing their employees’ data with the GSMA, including the provision of the GSMA Privacy Notice to all employees before sharing.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 49/96 it is classified as: high in risk severity, remote in probability and overall risk: low. Information on rights is also included in the Privacy Policy.” “The rights of data subjects and how they can be exercised are detailed in the Privacy Notice” It should be mentioned that although the privacy policy on the respondent's website, version 22 04 2021, lists as a group to which data processing is applied: among others, third parties, or third party personnel and other persons participating in the event or “the contractor bulk upload system”, it is specified in another clause “Information obtained from third parties”, which reads: “From time to time, the GSMA receives personal information from third parties. This may occur, for example, if your employer is a GSMA member and registers you for an event or training or if your employer (or entity by which you are engaged as a contractor or temporary staff member) provides services to the GSMA and you are involved in the provision of these services.” Although it is true that the data of the claimant and the employees of the suppliers were entered by the employers, suppliers of the defendant, into an application of the latter, and that the latter then contacted each employee by email, there is no record that at either time or subsequently, the defendant informed those affected in compliance with the obligation provided for in article 14 of the GDPR. Furthermore, it is observed that in the privacy policy, being comprehensive of various subjects participating in the event, in "Data Retention", the conservation of the data collected from the employees of the suppliers is not detailed, urging them to contact them for more information and it does not foresee what legitimizing basis corresponds specifically to the treatment of each type of attendee/employee, indicating it in a general and abstract way without identifying the groups to which it refers, nor the right to file a claim before a control authority, as well as the source from which the data comes, nor the contact details of the Data Protection Officer. In addition, under “information you voluntarily provide,” there is “COVID-19 testing: As stated in our Engaged Community Plan, you will be required to undergo COVID-19 testing at regular intervals during the event. Information about your test results will be treated for the sole purpose of access control,” making no mention of the requirement for vaccination or a COVID certificate, which was also not voluntary for employees to provide. BASIS OF LAW I Competence In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 50/96 Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." II Preliminary issues Based on the GDPR, article 4 of the GDPR states: “the following shall be understood as: “1) “personal data” means any information relating to an identified or identifiable natural person (“the data subject”); an identifiable natural person shall be considered to be any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a (e.g. a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; 2) "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 7) "controller" or "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; if Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its nomination may be determined by Union or Member State law;” (8) ‘processor’ or ‘processor’ means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” … “(15) data relating to health means personal data relating to the physical or mental health of a natural person, including for the provision of health care services, which reveal information about his or her health status;” Recital 35 of the GDPR refers to health data in the following terms: “Personal data relating to health should include all data relating to the health status of the data subject which give information about his or her past, present or future physical or mental health status. This includes information on a natural person collected on the occasion of his or her registration for healthcare purposes, or on the occasion of the provision of such care, in accordance with Directive 2011/24/EU of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 51/96 European Parliament and of the Council (1); any number, symbol or data assigned to a natural person that uniquely identifies him or her for healthcare purposes; information obtained from tests or examinations of a body part or substance, including information from genetic data and biological samples, and any information regarding, for example, a disease, a disability, the risk of disease, the medical history, clinical treatment or the physiological or biomedical condition of the data subject, regardless of its source, for example a doctor or other healthcare professional, a hospital, a medical device, or an in vitro diagnostic test” In short, recital 35 of the GDPR determines that “information about a natural person collected on the occasion of his or her registration for the purposes of healthcare, or on the occasion of the provision of such healthcare, in accordance with Directive 2011/24/EU of the European Parliament and of the Council” falls within the special category of health data. Directive 2011/24/EU, to which we are referred in recital 35, indicates in its article 3, “Definitions”, what is meant by: “a) <healthcare>: health-related services provided by a healthcare professional to patients for the purpose of assessing, maintaining or restoring their state of health, including the prescribing, dispensing and supplying medicines and medical devices;”. Article 3 of Directive 2011/24/EU also determines, paragraphs f) and i), respectively, what is meant by “healthcare professional” and “medicines”. Paragraph (f) defines “healthcare professional” as “any medical doctor, nurse responsible for general care, dental practitioner, midwife or pharmacist within the meaning of Directive 2005/36/EC or any other professional who carries out activities in the healthcare sector which are restricted to a regulated profession as defined in Article 3(1)(a) of Directive 2005/36/EC, or any person who is considered a healthcare professional under the legislation of the Member State of treatment;” In line with the above, it should be noted that Law 44/2003, of 21/11, on the regulation of the health profession, classifies as “health professionals”, among other professionals, Nursing Graduates (article 2) and Nursing Auxiliary Care Technicians (article 3) And section i) of article 3 of Directive 2011/24/EU understands “medicine” as “any medicine as defined in Directive 2001/83/EC”. In turn, Directive 2001/83/EC of the European Parliament and of the Council of 6/11/2001 on the Community code relating to medicinal products for human use, in its article 1.2, defines “medicinal product” as “a) any substance or combination of substances which is presented as having properties for the treatment or prevention of diseases in human beings, or b) any substance or combination of substances which can be used in, or administered to, human beings for the purpose of restoring, correcting or modifying physiological functions by exerting a pharmacological, immunological or metabolic action, or of establishing a medical diagnosis”. In light of the provisions cited, the vaccination of a person against COVID- 19 implies the provision of a health care service; a service provided by C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 52/96 who, according to Spanish legislation, Law 44/2003, are considered to be health professionals and through which a medicine is dispensed, as defined in article 1.2 of Directive 2001/83/EC. Consequently, the information about whether or not an identified natural person has received the Covid-19 vaccine is in the nature of personal data relating to health Thus, the information collected and kept by the respondent about the vaccination against COVID-19 of workers or about the result of a PCR test or the certificate of recovery from the disease, constitutes a “processing” of “personal data” relating to the “health” of a natural person. On the other hand, it is appropriate to point out here in relation to the defendant's allegation that the instructor should have opened a period of evidence since the defendant proposed the following: “in the hypothetical case that the administrative sanctioning file initiated is not immediately archived, and in accordance with the provisions of article 77 of Law 39/2015, this Instructor will proceed to agree to open a period of evidence and grant this party the opportunity to propose the corresponding means”, indicating in his second and third allegations to the initiation agreement that “the documents attached here will be proposed…”. Regarding this issue, it should be noted that article 77 of the LPACAP states: “1. The facts relevant to the decision of a procedure may be accredited by any means of evidence admissible in law, the assessment of which will be carried out in accordance with the criteria established in Law 1/2000, of January 7, on Civil Procedure. 2. When the Administration does not consider the facts alleged by the interested parties to be certain or the nature of the procedure so requires, the instructor of the proceeding will agree to the opening of a trial period for a period not exceeding thirty days nor less than ten, so that as many as he deems pertinent may be carried out. Likewise, when he deems it necessary, the instructor, at the request of the interested parties, may decide to open an extraordinary trial period for a period not exceeding ten days. 3. The instructor of the procedure may only reject the evidence proposed by the interested parties when it is manifestly inappropriate or unnecessary, by means of a reasoned resolution.” Article 78 states: “1. The Administration will notify the interested parties, with sufficient advance notice, of the beginning of the necessary actions for the performance of the tests that have been admitted. 2. The notification will indicate the place, date and time in which the test will be performed, with the warning, if applicable, that the interested party can appoint technicians to assist him.” -The documents and allegations presented by the respondent have been considered and assessed in the drafting of the resolution proposal, they have not been rejected. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 53/96 The respondent did not specifically request that any specific test be carried out or its purpose, nor did she add in this regard that a third party be asked to carry out or request that this test be carried out specifically. -Furthermore, the respondent did not specifically request that any test be carried out, either during the period for allegations, or after it had elapsed, and in any case before the proposed resolution in which the facts must be assessed, in accordance with article 89.3 of the LPACAP. Once the resolution proposal has been issued, it is not possible to propose evidence. The respondent in each allegation that it made, in fact presented the documents that it considered appropriate, and it could have presented those that it considered appropriate to its right. The specification of the proposal for evidence, if it had occurred, would have allowed the assessment of the relevance for the case, not being necessary to open a period of evidence collection only to incorporate the documentation that the respondent stated should be taken into account. The Instructor did not appreciate any element that occurred within those indicated in article 77.2 of the LPCAP to open a period of evidence collection, therefore, there is no communication to the respondent that would motivate why said period of evidence is not opened. The elements that were taken into account in the proposal only relate to the actions of the respondent, the documents that she herself provided without considering that facts and allegations of third parties appear in the procedure. Once the proposed resolution was issued, the respondent has not requested the production of any evidence. The fact that no period of evidence was opened does not appear to have resulted in a lack of defence for the respondent, who has been able to allege what she has considered appropriate to her rights throughout the entire procedure. III Regarding the processing of health data According to recital 1 of the GDPR: “the protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8, paragraph 1, of the Charter of Fundamental Rights of the European Union […] and Article 16, paragraph 1, of the Treaty on the Functioning of the European Union (TFEU) establish that everyone has the right to the protection of personal data concerning him or her.” As indicated in recital 53, health-related data deserve greater protection, since the use of such sensitive data may have significant negative repercussions for the data subjects. In light of the above and the relevant case law of the Court of Justice of the European Union (CJEU), it considers that the term “health-related data” should be interpreted broadly. Health-related data can be obtained from various sources, from a medical history, a “self-assessment” survey, in which data subjects answer questions related to their health (for example, declaration of symptoms), vaccination or the result of a PCR test, data relating to the health of the individual, which in this case are requested from the data subject with the collaboration of the provider of the requested data. The consequences of not providing such data could be that access to the place of service provision, facilities where the respondent is organizing MWC 2022, would not be permitted. Any processing of personal data relating to health must comply with the relevant principles set out in Article 5 of the GDPR, comply with one of the legal bases set out in Article 6 and one of the specific exceptions listed, respectively, in Article 9 of the GDPR, for the lawfulness of the processing of this special category of personal data. This was already indicated by the Article 29 Working Party (whose functions have been assumed by the European Data Protection Board) in the “Guidelines on automated individual decisions and profiling for the purposes of Regulation 2016/679” adopted on 3/10/2017, revised on 6/02/2018, by indicating that (…) “Data controllers may only process special category personal data if one of the conditions set out in Article 9, paragraph 2, as well as a condition of Article 6 are met.(…), and more recently, the European Data Protection Board in its “Guidelines 03/2020 on the processing of health-related data for scientific research purposes in the context of the COVID-19 outbreak, adopted on 21 April 2020”. A criterion, moreover, endorsed by the judgment of the CJEU, of 21/12/2023, case C- 667/21, for a case in which an exception to the application of article 9 of the GDPR was examined, in the judgment, point 1.3, with the literal “Articles 9, paragraph 2, letter h), and 6, paragraph 1, of Regulation 2016/679 must be interpreted as meaning that a processing of data relating to health based on this first provision must, in order to be lawful, not only comply with the requirements that derive from it, but also, at least, one of the conditions of lawfulness set out in that article 6, paragraph 1, according to the analysis carried out in paragraphs 71 to 78.” The GDPR dedicates article 5 to the principles that govern the processing of personal data and establishes in paragraph 1: “1. Personal data will be: a) processed in a lawful, fair and transparent manner with the interested party (<<lawfulness, loyalty and transparency>>. (...)” Article 5.2 indicates that:” The data controller will be responsible for compliance with the provisions of section 1 and able to demonstrate it (<<proactive responsibility>>)” Article 70 of the LOPDGDD establishes the responsible subjects, indicating: “1. They are subject to the sanctioning regime established in Regulation (EU) 2016/679 and in this organic law: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 55/96 a) Those responsible for the treatments. (…)” The GDPR, article 9.1, prohibits, in general, the processing of “special data”, among which it mentions those related to health. However, section 2 of the provision introduces ten exceptions; ten cases in which the prohibition of treatment can be lifted if any of them occurs. These circumstances that except the general rule of prohibition are connected with “some” of the legal bases that, in accordance with article 6.1 of the GDPR, legitimize the processing of data. The Report of the Legal Office of the AEPD 0017/2020 states that “in general, it must be clarified that the regulations on the protection of personal data, insofar as they are aimed at safeguarding a fundamental right, apply in their entirety to the current situation, given that there is no reason that determines the suspension of fundamental rights, nor has such a measure been adopted.” and “recognizes that, in exceptional situations, such as an epidemic, the legal basis for the treatments may be multiple, based both on the public interest and on the vital interest of the interested party or another natural person.” This, “Without prejudice to the fact that there may be other bases, -such as compliance with a legal obligation, art. 6.1.c) RGPD (for the employer in the prevention of occupational risks of its employees)” Regarding the exceptions of article 9.2 RGPD, the aforementioned report after its analysis determines that:” Consequently, in a situation of health emergency […] the application of the personal data protection regulations would allow the data controller to adopt those decisions that are necessary to safeguard the vital interests of natural persons, the fulfillment of legal obligations or the safeguarding of essential interests in the field of public health, within what is established by the applicable material regulations.” And finally, it reasons the following: “But the data controllers, when acting to safeguard said interests, must act in accordance with what the authorities established in the regulations of the corresponding Member State, in this case Spain, establish.” Thus, the Spanish legislator has provided itself with the necessary legal measures to deal with situations of health risk, such as Organic Law 3/1986, of 14/04, on Special Measures in Public Health Matters (modified by Royal Decree-Law 6/2020, of 10/03, by which certain urgent measures are adopted in the economic field and for the protection of public health, published in the Official Gazette of the State on 11/03/2020) or Law 33/2011, of 4/10, General Public Health. Article 3 of the first of these regulations states that: “In order to control communicable diseases, the health authority, in addition to carrying out general preventive actions, may adopt appropriate measures to control the sick, the people who are or have been in contact with them and the immediate environment, as well as those considered necessary in the event of a risk of a communicable nature.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 56/96 Similarly, articles 5 and 84 of Law 33/2011, of 4/10, General Public Health, refer to the previous Organic Law 3/1986, and to the possibility of adopting additional measures in the event of a risk of disease transmission. Therefore, in terms of the risk of disease transmission, epidemics, health crises, etc., the applicable regulations have granted “the health authorities of the various public administrations” (art. 1 Organic Law 3/1986, of 14/04) the powers to adopt the necessary measures provided for in said laws when this is required for reasons of health urgency or necessity. Consequently, from the point of view of the processing of personal data, the safeguarding of essential interests in the field of public health corresponds to the various health authorities of the different public administrations, who may adopt the necessary measures to safeguard said essential public interests in situations of public health emergency. These competent health authorities of the different public administrations will be the ones to adopt the necessary decisions, and the various persons responsible for the processing of personal data must follow said instructions, even when this involves the processing of personal health data of natural persons. The above refers, expressly, to the possibility of processing the personal health data of certain individuals by the data controllers, when, at the request of the competent health authorities, it is necessary to inform other persons with whom said individual has been in contact of the circumstance of his or her contagion, in order to safeguard both said individuals from the possibility of contagion (vital interests of said individuals) and to prevent said individuals, through ignorance of their contact with an infected person, from spreading the disease to other third parties (vital interests of third parties and essential and/or qualified public interest in the field of public health). However, as indicated in the aforementioned report, the processing of personal data in these health emergency situations continues to be treated in accordance with the personal data protection regulations (RGPD and Organic Law 3/2018, of 5/12, on Personal Data Protection and Guarantee of Digital Rights, LOPDGDD), so all its principles, contained in article 5 RGPD, apply, and among them the processing of personal data with legality, loyalty and transparency, limitation of purpose (in this case, safeguarding the vital/essential interests of natural persons), the principle of accuracy, and of course, and special emphasis must be placed on this, the principle of data minimization. Regarding this last aspect, it must be expressly stated that the data processed must be exclusively limited to those necessary for the intended purpose, without being able to extend said processing to any other personal data not strictly necessary for said purpose. Therefore, data protection regulations (such as the GDPR) do not hinder the measures adopted to combat the COVID-19 pandemic. The GDPR is a far-reaching legislative act and includes various provisions that allow the management of the processing of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 57/96 personal data related to the COVID-19 pandemic without prejudice to fundamental rights and the protection of personal data. Therefore, when applying these provisions provided for these cases in the GDPR, in consistent with the sectorial regulations applicable in the field of public health, the considerations related to data protection - within the limits provided by law - should not be used to hinder or limit the effectiveness of the measures adopted by the authorities, especially the health authorities, in the fight against the epidemic. Royal Decree 463/2020, dated 14/03, and the measures contained therein, as well as those established in the successive royal decrees extending the state of alarm, have constituted the basic regulatory framework of the regulations adopted to deal with the health emergency caused by the pandemic. In Spain, it must be assumed that the vaccine against Covid-19 is not mandatory and that its establishment as mandatory could violate constitutionally recognized rights. The COVID certificate was not established as mandatory for workers and it has not been proven that the health authorities have established that a certain group is required to take the measures adopted by the respondent that could lead to mandatory vaccination, in this case, for the employees of the assembly of the MWC22 Congress. As an example of a similar assumption to what is stated, it is worth highlighting the judgment of the Supreme Court, Fourth Chamber, Social, Plenary Section, judgment 562/2021, of 05/20/2021, rec 130/2020, which establishes the lack of regulatory obligation to require rapid antibody detection tests for technical personnel of sanitary transport and drivers who have been in direct or indirect contact with COVID patients On the other hand, regarding the allegations of the respondent after the proposal, it must be indicated that in terms of prevention of occupational risks, it is the employer who is obliged to ensure the physical integrity of the workers, in accordance with the specific parameters in each risk situation in the scenario of the Coronavirus pandemic, and in this case, the supplier companies have not played any role in this sense, as the organizer and respondent imposed on them the requirement to register their employees in order to raise the health documentation so that they could access the workplaces. The data controller also does not record that it carried out any coordination of the actions of the various suppliers who used its employees in the premises where the data controller would carry out the activity. In order to access their workplace, which coincides with the place where the event is held, these workers had to be in possession of the COVID certificate or, failing that, provide a certificate of recovery from the disease or a PCR test, which has a limited temporary validity and which would require the worker to provide several PCR tests, which could affect their fundamental rights to work, physical integrity and health and data protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 58/96 Organic Law 3/1986 of 14/04, on special measures in matters of public health establishes: “Article one. In order to protect public health and prevent its loss or deterioration, the health authorities of the different Public Administrations may, within the scope of their powers, adopt the measures provided for in this Law when urgent or necessary health reasons so require.” … “Article three. In order to control communicable diseases, the health authority, in addition to carrying out general preventive actions, may adopt the appropriate measures for the control of the sick, of the people who are or have been in contact with them and of the immediate environment, as well as those that are considered necessary in the event of a risk of a communicable nature.” In addition, the COVID-19 vaccination strategy of 2/12/2020 is the rule that develops the coordination between health authorities and reinforces the operation of the entire national health system and does not provide for vaccination against COVID-19 as mandatory. Order SND/344/2020, dated 13/04, which establishes exceptional measures for the reinforcement of the National Health System and the containment of the health crisis caused by COVID‐19, establishes that the indication for carrying out diagnostic tests for the detection of COVID‐19 must be prescribed by a physician in accordance with the guidelines, instructions and criteria agreed for this purpose by the competent health authority. Decree 63/2020 of 06/18, on the new governance of the health emergency caused by COVID-19 and the beginning of the resumption phase in the territory of Catalonia, DOGC of 19, determines in its article 1, with effect from 06/19/2020, the completion of phase III of the Plan for the de-escalation of the extraordinary measures adopted to deal with the pandemic generated by COVID-19 for the entire territory of Catalonia. In its article 5, it empowers the "Minister of Health and the Minister of Interior, in their capacity as authorities comprising the Steering Committee of the PROCICAT action plan for emergencies associated with emerging communicable diseases with high-risk potential, to adopt the necessary resolutions to make effective the measures that must govern the new stage that begins." On 18/06/2020, RESOLUTION SLT/1429/2020, dated 18/06, was issued, by which basic protection and organizational measures are adopted to prevent the risk of transmission and favor the containment of SARS-CoV-2 infection. (DOGC 19-06- 2020). This rule states in its explanatory statement that it aims to ensure that activities that may generate a greater risk of community transmission are developed under conditions that allow preventing the risks of contagion and possible outbreaks, associating risk factors in transmission, development in activities in closed spaces, participation in high density of people and long extension in time. The resolution establishes general measures. In its article 1.2, it indicates that the measures of the resolution have to be completed with sectoral plans of activities, among other sectors, it cites that of Fairs, Congresses and other temporary activities with a large influx of public. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 59/96 At the time of the MWC 22, the Special Plan for Pandemic Emergencies in Catalonia was in force, approved by Government agreement 40/2020 of 3/03. This provision establishes as a public area the following: Congresses, Conventions and Trade Fairs, in which measures must be taken according to the evolution of the emergency, and it may be necessary to consider the partial restriction or suspension of some activities in places of public attendance. The resolutions issued successively in matters of public health for the containment of the epidemic outbreak of the COVID 19 pandemic in the territory of Catalonia indicate that “The administrative intervention in public and private activities necessary to address the health crisis situation caused by COVID-19 is justified in the cited framework of health and civil protection laws, subject to the additional guarantee of judicial control with respect to the judgment of proportionality as regards the measures that have an impact on fundamental rights”. According to Auto TSJ CAT 869/2021, of 11/25/2021, rec 509/2021: "The Judicial Authorization-Ratification System of Administrative Public Health Measures, modified by Law 3/2020, of September 18, on procedural and organizational measures to deal with COVID-19 in the field of the Administration of Justice, gave a new wording to article 8.6 of the LJCA and introduced into said Law articles 10.8 and 11.1.i), characterized by a procedure that is not of a contradictory nature, since it does not involve opposing procedural parties, but rather operates as a procedure of limited, preferential and summary knowledge, embedded in the scope of the jurisdictional protection of fundamental rights, which aims at the judicial authorization or ratification of measures limiting fundamental rights, adopted for reasons of public health. This Order ratifies the measures contained in resolution SLT/3512/2021, of 25/11, for the requirement of COVID documents in the circumstances contained and the scope of activities expressly provided for in the regulation, which does not include Congresses. This regulation contemplates the display of documentation, without referring to the conservation of the data of the COVID certificates. The aforementioned Order reiterates what was reproduced in the judgment of the TS 1112/2021, of 14/09 that “the right to data protection protects any information related to the person, and may be concerned if we understood that the circumstance of having been vaccinated or not, was a personal data, which, although it does not belong to the intimate sphere of the person, it is a data related to privacy, which is especially protected when it is the object of treatment” Furthermore, the Order makes the triple judgment of proportionality of the measures contained in the administrative resolution in relation to the fundamental rights that are considered compromised, and authorizes the measures, not without first indicating that "it is not superfluous to leave on record that the accentuated and unchecked addition of more and more activities is reaching a height that will require at least greater motivation and reinforced justification within the framework of the doctrine that has been related." However, in RESOLUTION SLT/99/2022, dated 26/01, the restrictive measures on fundamental rights that were still in force were lifted, including the requirement of a COVID certificate for access to certain non-essential activities in closed spaces (restaurants, physical and/or sports activity rooms, gyms and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 60/96 musical recreational activities permitted: concert halls, theatre cafés, concert cafés and The resolutions issued by the Catalan health authorities in their explanatory statement indicated: “The adoption of these measures by the competent authorities is covered by Organic Law 3/1986, of April 14, on special measures in matters of public health, in the rest of health and public health legislation, in civil protection legislation and, specifically, in Decree Law 27/2020, of July 13, amending Law 18/2009, of October 22, on public health and the adoption of urgent measures to address the risk of outbreaks of COVID-19. By Decree Law 27/2020, of July 13, the administrative intervention measures that can be adopted in pandemic situations to guarantee the control of contagions were specified and the procedure to be followed to adopt them was delimited. Specifically, a letter k) was added to article 55 of Law 18/2009, of October 22, on public health, which provides that, in situations of pandemic or epidemic declared by the competent authorities, the competent health authorities may adopt measures to limit activity, the movement of persons and the provision of services in certain territorial areas provided for in Annex 3, in accordance with the procedure provided for in article 55 bis. The administrative intervention in public and private activities necessary to address the health crisis situation caused by COVID-19 is justified in the cited framework of health and civil protection laws, subject to the additional guarantee of judicial control with respect to the judgment of proportionality as regards the measures that have an impact on fundamental rights. Decree Law 27/2020 establishes in article 55 bis 2 that “In the event that mandatory measures are established, this obligation must be expressly warned of, which will be based on the reports issued” The resolutions in force during the event did not contemplate an event such as MWC 22, nor was any reference to COVID certificates established or included for access to establishments. In the present case, various types of data have been collected from the suppliers' employees, some initials of first and last names, ID/NIF, email provided by their employers, suppliers of the respondent, and others of a special nature referring to health data related to COVID 19 provided by the workers themselves. Both data were processed by the respondent, responsible for the processing. The respondent did not assess the restriction that the imposed measure represents for the rights of workers and this measure must be differentiated from the measure imposed on those attending MWC22, since the impact on rights is different. However, the respondent did not even analyse this issue in due depth in its EIPD. IV Regarding the allegations to the proposed resolution C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 61/96 Regarding the respondent's allegation formulated after the proposal, referring to the intended differentiation also in its contents, between a main contract and another of a subcontractor of treatment, it must be clarified and based on the fact that the cited document 4 that the respondent provided constitutes a unit of act in which the object is expressly declared in its first clause, and in the second, the application of the ANNEXES that form part of the contract. These six ANNEXES, among which are the SIXTH: "treatment manager contract", but referring to the object that is set in the first clause of the contract. The respondent points out that the contract of assignment with QP would cover only the validation of COVID certificates (including here, vaccination, recovery or tests), and, punctually, the performance of "rapid antigen test / PCR in the event of being requested by FIRA". Naturally, each of the documents to be validated had to meet certain requirements, for example, the vaccination had to have been given on a certain date for its validity, approved, as well as for the documentation of the recovery from the disease. To this end, ANNEX 1B of the contract: “system integration”, states that “The supplier will have an information system necessary for the management of COVID tests”, differentiating TWO functionalities, that of “on-site testing”, which is not stated to be applied as a general rule to employees of assembly suppliers, and that of “validation of test results”. The documentation was incorporated through, according to the claimant, a “website (adapted to mobile phones) for sending previous tests”, through which the visitor can indicate their data and upload a document or photo of a PCR/antigen result or vaccination/recovery card previously carried out. The respondent has stated that, in addition to this service, the so-called "main contract" "includes" a series of services listed in the same point 1.1 of the object of the contract, which would be the following: -The medical validation of the COVID certificates (it seems that it is reiterated since it is contained in the contract of assignment), -The contact and "medical examination of the worker" (it is not contained in the object of the contract, which also uses the terminology "participant in the event", nothing related to the worker) and the -"Hospital care service (24/7) through the network of Quirón Salud centers for all participants in the MWC22.", which apart from not mentioning the employees, Services for which the respondent states that QUIRONPREVENCIÓN would be the responsible for the treatment. According to the respondent, QUIRONPREVENCIÓN would act in compliance with a legal obligation and would be responsible for its medical decisions, when granting approval or not, for access to the workplace or for those attending the premises. In this regard, it should be noted that, in order for QUIRONPREVENCIÓN to issue this result, the respondent has previously carried out personal data processing operations, since it has collected the data and established that its owners provide C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 62/96 their health data to its sub-processor who has their consent in the services offered. The responsible party knows the decision of approval or not, because the contract establishes its communication from QUIRONPREVENCIÓN to its manager, FIRA, which acts on behalf of the responsible party. Thus, the respondent is the one who decided that the data should be collected and kept to facilitate the respective access throughout the duration of the event (attendees in case of vaccination) or the assembly (employees in case of vaccination), and similarly regarding the certificates of recovery from the disease. Thus, even if the respondent's argument that QUIRONPREVENCIÓN is responsible for the medical treatments were successful, it is the respondent who made the decision on which medical data should be collected and for what purpose and who contracted the processing of such health data of the workers with QUIRONPREVENCION, and is therefore responsible for the infringements that are charged. On the other hand, arguing that QUIRONPREVENCIÓN is responsible for the processing, also because it would feed the clinical history of each affected person, fulfilling a deontological duty when dealing directly with those affected, clashes with the fact that the task is limited to a verification or verification of documents, sent by mobile phone through a QUIRONPREVENCIÓN platform, it not being clear that the employees of the suppliers who carry out the assembly of the facilities, nor by extension the assistants, are patients or users of the aforementioned QUIRONPREVENCIÓN, without which, moreover, includes the provision of any type of medical assistance to these employees, and therefore without performing any medical test on those affected. Regarding the claim made after the proposal that the open content of the contract allowed QUIRONPREVENCIÓN to include the performance of tasks or services related to support for the coordination of business activities that pursued the prevention of occupational risks, not included in the contract for the assignment of treatment, it should be noted that in addition to not expressly or specifically stating any aspect in the contract signed with QUIRONPREVENCIÓN or its annexes on such an aspect, said coordination work does not appear to be real, since not only would it be necessary to prove the participation of the companies that are being coordinated, but it does not adapt to the operating scheme that the LPRL and its implementing regulations provide for the prevention of occupational risks. The Law on the Prevention of Occupational Risks, as can be seen from reading article 24 of Law 31/1985, of 8/11, on the Prevention of Occupational Risks, states: “1. When workers from two or more companies carry out activities in the same workplace, they must cooperate in the application of the regulations on the prevention of occupational risks. To this end, they will establish the means of coordination that are necessary in terms of the protection and prevention of occupational risks and the information about them to their respective workers, in the terms provided in section 1 of article 18 of this law. 2. The employer who owns the workplace will adopt the necessary measures so that other employers who carry out activities in their workplace receive the appropriate information and instructions regarding the risks existing in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 63/96 workplace and the corresponding protection and prevention measures, as well as the emergency measures to be applied, for their transfer to their respective workers. 3. Companies that contract or subcontract with other companies the execution of works or services corresponding to their own activity and that are carried out in their own workplaces must monitor compliance by said contractors and subcontractors with the regulations on prevention of occupational risks. 4. The obligations set forth in the last paragraph of section 1 of article 41 of this Law shall also apply, with respect to contracted operations, in cases where the workers of the contractor or subcontractor company do not provide services in the workplaces of the main company, provided that such workers must operate with machinery, equipment, products, raw materials or tools provided by the main company.” The information on vaccines and the rest of the COVID documents that the employees had to provide or are proven to be the product of this coordination activity, and if it is proven that they were provided by the employees if they wanted to provide their services, exercise their right to work at the physical location where the event was to be held. On the other hand, the role of coordinator of business activities cannot include individual decision-making on prevention measures to be adopted, as clarified by the provision of article 24 of the LPRL, which provides for actions by those involved to “cooperate”, “establish means of coordination” by the employer who owns the workplace and the companies that are present in the same space of the workplace. Thus, this thesis that coordination actions were carried out in the matter of occupational risks that involved the treatment under discussion cannot be accepted. On the other hand, regarding the allegation that “the regulations on prevention of occupational risks offer a double legitimacy to request health data from visitors and from workers who provide services at the fairgrounds”, it is not supported by any regulation. The regulations on prevention of occupational risks in no way enable the obtaining and keeping of health data from people who are not employees of the employer. As regards the processing of employee data, the position defended by the respondent in its allegations, claiming that the processing of workers' health data is justified in compliance with occupational risk prevention, is also based on several serious errors. Thus, with regard to the obligation of "health monitoring", article 22 of the LPRL states: "1. The employer shall guarantee that the workers in his service are periodically monitored for their health status based on the risks inherent to the work. This monitoring may only be carried out when the worker gives his consent. The only exceptions to this voluntary nature, subject to a report from the workers' representatives, are those cases in which the performance of the examinations is C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 64/96 essential to assess the effects of the working conditions on the health of the workers or to verify whether the health status of the worker may constitute a danger to the worker, to other workers or to other persons related to the company or when this is established in a legal provision in relation to the protection of specific risks and activities of special danger. In any case, the performance of those examinations or tests that cause the least discomfort to the worker and that are proportional to the risk should be chosen. 2. The measures for monitoring and controlling the health of workers shall be carried out always respecting the right to privacy and dignity of the worker and the confidentiality of all information related to his or her state of health. 3. The results of the monitoring referred to in the previous section shall be communicated to the affected workers. 4. The data relating to the monitoring of workers' health may not be used for discriminatory purposes or to the detriment of the worker. Access to personal medical information shall be limited to medical personnel and health authorities carrying out the monitoring of workers' health, and may not be provided to the employer or other persons without the express consent of the worker. Notwithstanding the above, the employer and the persons or bodies with responsibilities in matters of prevention will be informed of the conclusions arising from the examinations carried out in relation to the worker's aptitude for the performance of the job or with the need to introduce or improve the protection and prevention measures, so that they can correctly carry out their functions in preventive matters. 4. In cases where the nature of the risks inherent to work makes it necessary, the right of workers to periodic monitoring of their state of health should be extended beyond the end of the employment relationship, in the terms determined by regulation. 6. The measures for monitoring and controlling the health of workers shall be carried out by health personnel with technical competence, training and accredited capacity.” (The underlining is ours) The principles that inform this provision are applicable to the case at hand. In accordance with this provision, the respondent could have easily concluded that the LPRL did not enable it to obtain the information requested from employees. From the examination of this article it is clear that health monitoring by prevention services is, in general, voluntary, except in the cases set out. The exceptions to voluntariness must be interpreted strictly and limited to those exclusive and particular cases in which health monitoring is strictly necessary. The mandatory health examination must be essential to safeguard the health of workers, which in this case did not occur because there were other prevention measures that entailed less interference in workers' rights. To which C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 65/96 it must be added that the health examination of all workers cannot be established in a general and indiscriminate manner as a mandatory preventive measure. On this last issue, it should be noted that it is not proven that any company of the supplier categories that used their employees to set up the FIRA site did not have any type of prevention service arranged for their employees, directed or focused on access to the site and COVID-19. In short, the LPRL offered sufficient information to the respondent to know that the treatment it intended to carry out was not in accordance with its allegations. The LPRL offered sufficient information to the respondent to know that the treatment it intended to carry out was not in accordance with its provisions. V Unfulfilled obligation of art. 9 GDPR Recital 51 of the GDPR expressly indicates that, “in addition to the specific requirements” applicable to the processing of “particularly sensitive” data, set out in Article 9, paragraphs two and three, of that regulation, without prejudice to any measures that a Member State may adopt on the basis of paragraph four of this Article, the “general principles and other rules of that regulation, in particular as regards the conditions for the lawfulness of processing”, as they arise from Article 6 of the same regulation, must also apply to such processing. In this case, as already indicated, since the health data being processed are considered to be of a special nature, they require a relevant cause to lift the prohibition in order to enable their processing. Therefore, in addition to the legitimation of article 6.1 of the GDPR, there must be coverage in article 9.2 of the GDPR that saves the general prohibition provided for in article 9.1. Article 9 of the GDPR, “Processing of special categories of personal data,” provides: “1. The processing of personal data that reveal ethnic or racial origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data aimed at uniquely identifying a natural person, data relating to health or data relating to the sexual life or sexual orientations of a natural person is prohibited. 2. Paragraph 1 shall not apply where one of the following circumstances applies (only those that may be related to the purpose or activity of processing in this case are mentioned): “a) the data subject has given explicit consent to the processing of such personal data for one or more of the specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 66/96 a) the processing is necessary for the fulfilment of obligations and the exercise of specific rights of the controller or of the data subject in the field of labour law and social security and protection, insofar as this is authorised by Union law, by Member State law or by a collective agreement under Member State law which provides for appropriate safeguards regarding the fundamental rights and interests of the data subject; b) the processing is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is not physically or legally capable of giving consent; […] (g) processing is necessary for reasons of essential public interest, on the basis of Union or Member State law, which must be proportionate to the objective pursued, substantially respect the right to data protection and laid down appropriate and specific measures to protect the interests and fundamental rights of the data subject; (h) processing is necessary for the purposes of preventive or occupational medicine, assessment of the worker's working capacity, medical diagnosis, the provision of health care or treatment or the management of health care and social care systems and services, on the basis of Union or Member State law or under a contract with a health care professional and without prejudice to the conditions and safeguards referred to in paragraph 3; (i) the processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health, or to ensure high standards of quality and safety of healthcare and medicines or medical devices, on the basis of Union or Member State law which provides for appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, […] 3. The personal data referred to in paragraph 1 may be processed for the purposes referred to in paragraph 2(h) where the processing is carried out by a professional subject to an obligation of professional secrecy, or under his responsibility, in accordance with Union or Member State law or rules laid down by competent national bodies, or by any other person also subject to an obligation of secrecy under Union or Member State law or rules laid down by competent national bodies. 4. Member States may maintain or introduce additional conditions, including limitations, with regard to the processing of genetic data, biometric data or data relating to health.” The exceptional cases contemplated in art. 9 of the GDPR provide strict requirements to finally enable the implementation of the treatment, due to the risks that the affectation of fundamental rights and freedoms C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 67/96 their processing may entail. In this case, it could affect the fundamental right to health and the physical integrity of workers. These circumstances must be interpreted restrictively, since the processing of special data is prohibited, and like any exception it must be interpreted strictly. [judgment of 4/07/2023, MetaPlatforms and Others (General terms and conditions of service of a social network), C- 252/21, EU:C:2023:537, paragraph 76]. The Legal Office report 17/2020, dated 03/12/2020, indicated: “Without prejudice to the above, the personal data protection regulations themselves (Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/2016, on the protection of natural persons with regard to the processing of personal data and on the free circulation of such data and repealing Directive 95/46 / EC (General Data Protection Regulation, RGPD) contains the necessary safeguards and rules to legitimately allow the processing of personal data in situations, such as the present one, in which there is a general health emergency. Therefore, when applying these provisions provided for these cases in the RGPD, in accordance with the applicable sectoral regulations in the field of public health, the considerations related to data protection -within the limits of the General Data Protection Regulation, the General Data Protection Regulation, GDPR) are subject to the following conditions: provided for by law - should not be used to hinder or limit the effectiveness of the measures adopted by the authorities, especially the health authorities, in the fight against the epidemic, since the personal data protection regulations already contain a regulation for such cases that makes compatible and weighs the interests and rights at stake for the common good." The personal data protection regulations themselves allow that, in emergency situations, for the protection of essential public health interests and/or the vital interests of natural persons, the health data necessary to prevent the spread of the disease that caused the health emergency may be processed. Recitals 10, 52 to 54 of the GDPR regarding the processing of special categories of data provide as follows: (10) (…). This Regulation also recognises a margin for manoeuvre for Member States to specify their rules, including for the processing of special categories of personal data ('sensitive data'). In this respect, this Regulation does not preclude the law of Member States determining the circumstances relating to specific processing situations, including the detailed indication of the conditions under which the processing of personal data is lawful. (52) Derogations from the prohibition of processing special categories of personal data should also be allowed where provided for by Union or Member State law and provided that appropriate safeguards are in place, in order to protect personal data and other fundamental rights, where this is in the public interest, in particular the processing of personal data in the field of labour law, social protection legislation, including pensions, and for the purposes of security, health monitoring and alerting, the prevention or control of communicable diseases and other serious threats to health. Such an exception is possible for purposes in the field of health, including public health and the management of health care services, in particular in order to ensure the quality and cost-effectiveness of the procedures used to resolve claims for benefits and services under the health insurance scheme, or for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes. The processing of such personal data should also be authorised on an exceptional basis when it is necessary for the formulation, exercise or defence of claims, whether by judicial procedure or by administrative or extrajudicial procedure. (53) Special categories of personal data deserving enhanced protection should only be processed for health-related purposes where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social protection services and systems, including the processing of such data by managing health authorities and central national health authorities for the purposes of quality control, information management and general national and local oversight of the health or social protection system, and ensuring the continuity of health care or social protection and cross-border health care or for health safety, surveillance and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which are to fulfil an objective of public interest, as well as for studies carried out in the public interest in the field of public health. This Regulation should therefore lay down harmonised conditions for the processing of special categories of personal data relating to health, in relation to specific needs, in particular where the processing of such data is carried out for health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and appropriate measures to protect the fundamental rights and personal data of natural persons. Member States should be able to maintain or introduce other conditions, including limitations, with regard to the processing of genetic data, biometric data or data relating to health. (…) (54) The processing of special categories of personal data, without the consent of the data subject, may be necessary for reasons of public interest in the area of public health. Such processing should be subject to appropriate and specific measures in order to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council (11), namely all elements related to health, namely health status, including morbidity and disability, determinants influencing health status, health care needs, resources allocated to health care, the availability of and universal access to health care, as well as health care expenditure and financing, and causes of mortality. (…) Therefore, from the above, as stated in legal report 0055/2023, “the conclusion is drawn that although the GDPR establishes some cases that exempt the prohibition of processing special categories of data, through the law of the Member States, ad hoc regulations can be introduced in order to adapt the reality of the sectors involved to guarantee effective protection of the rights of citizens of the Union”. To the above must be added the provisions of article 9.2 of the LOPDGDD, which indicates the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 69/96 “2. The data processing contemplated in letters g), h) and i) of article 9.2 of Regulation (EU) 2016/679 based on Spanish law must be covered by a law, which may establish additional requirements regarding its security and confidentiality. In particular, said law may cover the processing of data in the field of health when required by the management of public and private health and social care systems and services, or the execution of an insurance contract to which the affected party is a party.” The requirement that any limitation on the exercise of fundamental rights as indicated in section 175 of the ECJ of 16/07/2020, case C-311/20, “Schrems 2” must be established by law, “implies that the legal basis that allows interference in said rights must itself define the scope of the limitation on the exercise of the right in question.” It is the law, therefore, that must establish the scope of interference in the fundamental right to Data Protection, as well as the guarantees that protect the rights and freedoms of individuals. Having said that, it is necessary to analyze each of the exceptions to the prohibition of processing health data that, according to the respondent, would be present in the treatment under review. The respondent considers that the exception provided for in article 9.2.g) of the RGPD is present. For the activation of the exception raised in article 9.2.g) of the RGPD, the respondent refers to the HEALTH AND SAFETY PLAN FOR MWC 2022, as the one that contains the need for processing for reasons of essential public interest, and to the resolutions issued by the health authorities. The exception provided for in Article 9.2.g) of the GDPR requires that the rule declaring the essential public interest comes from the Member States or from Union law, and, in addition: - it must be proportional to the objective pursued, - essentially respect the right to data protection, - establish appropriate and specific measures to protect the interests and fundamental rights of the interested party. Recital (54) GDPR is clear, when it establishes that: “The processing of special categories of personal data, without the consent of the interested party, may be necessary for reasons of public interest in the field of public health. This treatment must be subject to appropriate and specific measures in order to protect the rights and freedoms of natural persons” Regarding the Plan referred to by the respondent, it is different from the SECTORIAL PLAN FOR FAIRS AND CONFERENCES, and it does not seem to consist of or coincide with the measures implemented by the GSMA Plan “Committed Community” that has been developed and approved by Catalan and Spanish authorities, including those of health. In any case, no Plan that the respondent had agreed with the authorities has been provided, so its content is not known, but it is known that it would not be a rule with the rank of Law or derived from powers attributed by a Law, binding on the recipients of the same. According to the respondent, the Plan “requires GSMA to collect the personal data that is the subject of the claim, including vaccination certificates or diagnostic tests,” “COVID data,” and was “prepared in coordination with health authorities,” which also does not identify its regulatory status. Considering that the restriction of the fundamental right to the protection of personal data cannot be based, by itself, on the generic invocation of an undetermined “public interest”, and that “It is the legislator who must determine when that good or right that justifies the restriction of the right to the protection of personal data occurs and in what circumstances it can be limited and, furthermore, it is he who must do so by means of precise rules that make the imposition of such limitation and its consequences foreseeable to the interested party” (Constitutional Court judgment 292/2000), it must be concluded that in addition to contradictory statements about the aforementioned Plan or Plans, since on the one hand it cites the “Health and Safety Plan for MWC22” that is announced and developed over time, and the “Committed Community Plan” (“Committed Community Plan”), it being unknown whether they are the same, since both refer to the fact that they have been developed and approved by health authorities, neither of them would constitute a standard of European or national law and with the necessary guarantees. Consequently, the respondent would not be authorised to process health data through the vaccination data of the suppliers' employees. In short, it is considered that the circumstances of article 9.2.g) of the RGPD alleged by the respondent for the processing of the health data of the employees of the assembly of MWC 22 do not exist. The other circumstance alleged, although not contained in the DPIA of 22/04/2022, would be the one provided for in article 9.2.i) of the GDPR, which also refers to a public interest “in the area of public health, such as protection against serious cross-border threats to health”, it is also added that it must be “on the basis of Union or Member State law, which establishes appropriate and specific measures to protect the rights and freedoms of the interested party”. For this specific case, the basis of the law that would support the aforementioned public interest in the area of public health is not mentioned either, and the Plans agreed with the public authorities do not cover this requirement. It is also not included in the resolutions of the health authorities in force during the processing of the data, so that there is no rule that expresses a public interest in the field of public health or that establishes the aforementioned processing of personal data of vaccination, negative PCR or certificate of recovery from the disease. In the allegations to the proposal, the respondent integrates a new cause of exception to the prohibition with which it intends, through its application, to enable the processing of these health data, citing article 9.2.h) of the GDPR. However, it is not stated that, in this case, the health data will be processed for the purposes of prevention of occupational health risks, as the companies that contracted the employees, which were the ones that carried out assembly work in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 71/96 venue of the event organized by the respondent, are not involved. As already noted, the services contracted by the respondent, through its representative FIRA, were limited to QUIRONPREVENCIÓN verifying the documentation provided by the employees, without providing medical assistance of any kind and without the workers giving their consent. Therefore, it cannot be classified as either preventive medicine or occupational medicine, since the providers were not the ones who made the decision regarding the communication of their employees' data, nor did the employees give their consent., Furthermore, it must be taken into account that article 9.2. h) of the GDPR, refers to “necessary” treatment for the purposes of preventive or occupational medicine, assessment of the worker’s work capacity, medical diagnosis, provision of health or social care or treatment, or management of health and social care systems and services, on the basis of Union or Member State law, or under a contract with a health professional and without prejudice to the conditions and guarantees provided for in paragraph 3. The term “necessary” used in the GDPR has, in the opinion of the CJEU, a meaning of its own and independent in Community law. It is, says the court, an autonomous concept of Community law (CJEU of 16/12/2008, case C-524/06, paragraph 52). On the other hand, the European Court of Human Rights (ECHR) has also provided guidelines for interpreting the concept of necessity. In paragraph 27 of its judgment of 25/03/1983, it states that the “adjective necessary is not synonymous with indispensable, nor does it have the flexibility of the expressions admissible, ordinary, useful, reasonable or desirable.” When evaluating what is “necessary,” an assessment must be made based on the objective being pursued, evaluating whether there are less intrusive treatments to achieve the same objective. If there are other realistic and less intrusive alternatives, the treatment is not “necessary.” In this case, it must be concluded that the processing was not necessary for the purposes pursued for the prevention of workers' health, as there were other less intrusive alternatives that did not put workers' rights and freedoms at risk such as providing workers with protective equipment appropriate to the level of risk For this reason, none of the exceptions cited is considered sufficient to lift the prohibition on the processing of special health data, and therefore Article 9 of the GDPR is considered to be infringed. VI Unfulfilled obligation of art. 6.1 GDPR It is worth remembering that all processing of personal data must comply, on the one hand, with the principles relating to data processing set out in Article 5 of the GDPR and, on the other, with one of the bases for the lawfulness of processing listed in Article 6 of that Regulation (see, to this effect, judgment of 16 January 2019, Deutsche Post, C-496/17, EU:C:2019:26, paragraph 57 and the case-law cited). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 72/96 The purpose of the collection and processing of the data plays a decisive role, as Article 5.1 b) of the GDPR states that “Personal data shall be: collected for specific, explicit and legitimate purposes” “… and shall not be further processed in a manner incompatible with those purposes”. Article 6 of the GDPR, under the heading “Lawfulness of processing”, specifies in its section 1 the cases in which the processing of personal data is considered lawful: “1. Processing shall only be lawful if it meets at least one of the following conditions: a) the data subject has given consent for the processing of his or her personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures; (c) the processing is necessary for compliance with a legal obligation to which the controller is subject; (d) the processing is necessary to protect the vital interests of the data subject or of another natural person; (e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The provisions of point (f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions.” The respondent has stated that there may be two grounds for the processing in question. On the one hand, Article 6.1.c) of the GDPR, which is related to the following two recitals: “(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to the requirements of compliance with the constitutional order of the Member State concerned. However, such a legal basis or legislative measure must be clear and precise and its application predictable for its addressees, in accordance with the case-law of the Court of Justice of the European Union […] and the European Court of Human Rights. (45) Where it is carried out in compliance with a legal obligation applicable to the controller, or if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing must have a basis in Union or Member State law.” The legal obligation according to the respondent is contained in the Plan developed in collaboration with health authorities, a Plan that the respondent has not provided, despite being the one who must prove that the treatment that it carries out has a basis of legitimacy. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 73/96 It also adds that the Public Health Law of the Autonomous Community of Catalonia, 18/2009, "may interfere with the protection of health", although it is not proven that in application of the aforementioned law binding measures applicable to the specific case had been decreed, such as those that the respondent states it was obliged to implement by requesting health data from the employees of the suppliers. In this regard, it should be noted that the LOPDGDD establishes in its article 8, under the heading: Data processing due to legal obligation, public interest or exercise of public powers”, the following: “1. The processing of personal data may only be considered based on compliance with a legal obligation enforceable by the controller, in the terms provided for in article 6.1.c) of Regulation (EU) 2016/679, when provided for by a rule of European Union Law or a law, which may determine the general conditions of the processing and the types of data subject to it as well as the transfers that proceed as a consequence of compliance with the legal obligation. Said rule may also impose special conditions on the processing, such as the adoption of additional security measures or others established in chapter IV of Regulation (EU) 2016/679. 2. The processing of personal data may only be considered to be based on the performance of a task carried out in the public interest or in the exercise of public powers conferred on the controller, in accordance with Article 6.1 e) of Regulation (EU) 2016/679, when it derives from a competence conferred by a legislative regulation.” Therefore, for the application of the basis of legitimacy provided for in Art. 6.1.c) of the RGPD, it will be necessary for a regulation with the rank of Law to impose on the controller a specific obligation that must be fulfilled and that cannot be evaded. It follows from the above that the legal basis indicated by the respondent does not comply with the requirements demanded by the application of article 6.1.c) and must be rejected, because: -A Plan or an agreement between parties, even if one of them were with a public entity is not a Law nor does it derive from it because it is not an instrument with a binding profile. It is still a conventional agreement between parties that does not find a place in administrative law to bind the affected party. The obligation as such must be expressly contained in a regulation with the rank of Law, which must meet all the relevant conditions for the obligation to be valid and binding, including complying with data legislation in terms of meeting the requirement of necessity, proportionality and limitation of purpose. -The relationship that the respondent has with the employees is not a direct relationship but mediated by the employer, the respondent's supplier, so that, in any case, the compliance with the obligations legally imposed on the employer would be the responsibility of the supplier and not the respondent, as there is no direct link between the employee and the respondent. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 74/96 -The data controller should not be able to choose whether or not to comply with this obligation; any agreements between the parties, or unilateral commitments, would not be covered by this basis of legitimacy. In addition, article 6.3 of the GDPR specifies in this case that the processing must be based on Union law or on the law of the Member States that applies to the data controller, and the purpose of the processing must be determined on this legal basis. The law of the Union or of the Member States must fulfil an objective of public interest and be proportional to the legitimate aim pursued. The Plan or agreement mentioned by the respondent that is not provided, would have to be part of the law, not an agreement or Convention that would only bind the parties in this case. Regarding the resolutions of the administrative authorities, it should be noted that MWC22 was held for attendees from 02/28/2022 to 03/03/2022 and that the health data of the employees was probably collected between 01/23/2022 and 03/08/2022, although the contract signed with QUIRONPREVENCIÓN SLU is dated 02/21/2022. According to the tenth proven fact, the resolutions of the health authority applicable between 01/23/2022 and 03/08/2022 were the following: RESOLUTION SLT/99/2022, of 01/26, establishing the measures in terms of public health for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. This resolution lifts the restrictive measures of fundamental rights that were still in force, that is” the limitation of meetings and social gatherings to a maximum of ten people, the limitation on the capacity of religious activities, and the requirement of the COVID certificate for access to certain non-essential activities in closed spaces (restaurants, physical and/or sports activity rooms, gyms and permitted musical recreational activities: concert halls, theatre cafes, concert cafes and musical restaurants).” In section 2.1 “Individual and collective protection measures” it is established that “(…)”Both in closed and open spaces, except for groups of cohabiting people, the interpersonal physical safety distance is set at 1.5 m, in general, with the equivalent to a safety space of 2.5 m2 per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the interpersonal physical safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion. In open-air spaces where due to the agglomeration of people it is not possible to maintain the interpersonal physical safety distance, the use of a mask is mandatory in the terms established in section 2.3 of this Resolution”. Regarding the “Prevention and hygiene measures in workplaces” in point 3.4, section 2, it is determined “Without prejudice to compliance with the regulations on prevention of occupational risks and other applicable labor regulations, the owners of public and private workplaces must adopt, in the workplaces, among others, the following measures: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 75/96 a) Adopt organizational measures in the working conditions, so that the maintenance of the minimum interpersonal safety distance is guaranteed. And, when this is not possible, workers must be provided with protective equipment appropriate to the level of risk.” (…)” RESOLUTION SLT/177/2022, of 2/02, establishing the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia, In relation to the “Individual and collective protection measures” it indicates in its point 2.1 “1. (…) Both in closed and open spaces, except for groups of people cohabiting, the safety distance is set at 1.5 meters, in general, with the equivalent to a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, the appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion. 2. The duty of protection established in section 1 is also applicable to the holders of any economic or business activity or establishment for public use or that is open to the public, in accordance with the organizational, hygiene and prevention standards established in this Resolution and, where applicable, of the corresponding sector plan or organizational protocol. (…)” RESOLUTION SLT/254/2022, of 9/02, which modifies Resolution SLT/177/2022, of 2/02, which establishes the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia It also includes “2.1 Individual and collective protection measures 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading infection by SARS-CoV-2, as well as the exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for outdoor spaces for carrying out activities; the correct ventilation of closed spaces, and the cleaning and disinfection of surfaces. Both in closed and open spaces, except for groups of people cohabiting, the safety distance is set at 1.5 meters, in general, with the equivalent to a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 76/96 appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion.» This resolution does not modify the specific prevention and hygiene measures in work centers of RESOLUTION SLT/177/2022, of 2/02. RESOLUTION SLT/342/2022, of 16/02, which establishes the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia It also includes in point 2.1 “Individual and collective protection measures 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading infection by SARS-CoV-2, as well as their own exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for open-air spaces for carrying out activities; the correct ventilation of closed spaces, and the cleaning and disinfection of surfaces. Both in closed and open-air spaces, except for groups of people cohabiting, the safety distance is set at 1.5 meters, generally, with the equivalent to a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risk of contagion. RESOLUTION SLT/541/2022, of 2/03, establishing public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia It establishes in its point 2.1 “Individual and collective protection measures 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading infection by SARS-CoV-2, as well as their own exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for outdoor spaces for carrying out activities; proper ventilation of closed spaces, and cleaning and disinfection of surfaces. Both indoors and outdoors, except for groups of people living together, the safety distance is set at 1.5 meters, generally, with the equivalent to a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 77/96 development of the activity does not allow maintaining the safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risk of contagion. (…)” Therefore, taking into account what has just been indicated, the legal basis for carrying out the processing of workers' health data cannot be that provided for in art. 6.1.c) RGPD, since there was no rule that imposed on the respondent the obligation to process such health data. Moreover, the provisions contained in regarding the prevention of occupational risks already included the appropriate measure to be adopted: providing workers with protective equipment appropriate to the level of risk. On the other hand, the respondent also considers the basis of article 6.1 d) to be applicable: “necessary to protect the vital interests of the interested party or of another natural person”. This basis covers situations in which the processing is necessary to protect an essential interest for the life of the interested party or of another natural person, who could be the attendants of the event, including workers. Recital (46) states: “The processing of personal data should also be considered lawful when it is necessary to protect an essential interest for the life of the interested party or of another natural person. In principle, personal data should only be processed on the basis of the vital interest of another natural person when the processing cannot manifestly be based on a different legal basis. Certain types of processing may serve both important reasons of public interest and the vital interests of the data subject, such as when processing is necessary for humanitarian purposes, including the control of epidemics and their spread, or in humanitarian emergency situations, in particular in the event of natural or man-made disasters. The concept of “vital interest” appears to limit the application of this legal basis to questions of life or death, or at least to threats posing a risk of injury or other harm to the health of the data subject, as indicated in section III.2.4 of Opinion 6/2014 on the concept of the legitimate interest of the data controller under Article 7 of Directive 95/46/EC, Article 7.d) of which was equivalent to Article 6.1.d) of the GDPR: “the purpose of this legal basis is to “protect an essential interest for the life of the data subject”. However, the Directive does not specify precisely whether the threat must be immediate. This raises questions regarding the scope of the data collection, for example, whether it is a preventive measure or on a large scale, such as the collection of data from airline passengers when there is a risk of epidemiological disease or a security incident has been detected.” On the other hand, it must be taken into account that article 9.2 c) of the GDPR is applicable to lift the prohibition of processing special data, such as health data, when “the processing is necessary to protect the vital interests of the data subject or another natural person, in the event that the data subject is not physically or legally capable of giving consent;”. Therefore, Article 6.1.d) of the GDPR is not C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 78/96 sufficient for the processing of health data, and it is necessary that this exception of Article 9.2.c) of the GDPR also applies. Although Article 6.1.d) of the GDPR does not limit the use of the legal basis to situations in which consent cannot be given, as specified in Article 9.2.c) of Recital 46 of the GDPR, it follows that in situations in which there is the possibility of giving valid consent, this must be requested. Therefore, the application of this provision would be limited to cases in which the processing cannot manifestly be based on a different legal basis without it being used to legitimize any mass collection or processing of personal data. The ECJ of 4/07/2023, case C-252/21, states on this basis: “135 Secondly, Article 6, paragraph 1, first subparagraph, letter d), of the GDPR establishes that the processing of personal data shall be lawful when it is necessary to protect the vital interests of the data subject or of another natural person. 136 As is clear from recital 46 of the aforementioned Regulation, this provision contemplates the particular situation in which the processing of personal data is necessary to protect an essential interest for the life of the data subject or of another natural person. In this regard, said recital cites in particular, as an example, humanitarian purposes, such as the control of epidemics and their spread, or in situations of humanitarian emergency, in particular in the event of natural or man-made disasters. 137 It follows from these examples and from the strict interpretation to be applied to Article 6(1)(d) of the GDPR that, in view of the nature of the services provided by the operator of an online social network, such an operator, whose activity is essentially economic and commercial in nature, cannot rely on the protection of an essential interest in the life of its users or of another person in order to justify, in absolute terms and in a purely abstract and preventive manner, the lawfulness of data processing such as that at issue in the main proceedings. (…) 139 Article 6(1), first subparagraph, points (d) and (e) of the GDPR must be interpreted as meaning that such processing of personal data cannot, in principle and without prejudice to the verification to be carried out by the referring court, be considered necessary in order to protect the vital interests of the data subject or of another natural person, pursuant to point (d), or for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the controller, pursuant to point (e). Accordingly, the Court considers that this basis for legitimation must be applied in the strict sense and only when the processing is necessary to protect vital interests. The requirement of necessity is analysed in recital 39 of the GDPR, and it follows from it that it is met when the objective of general interest pursued cannot be reasonably achieved with equal effectiveness by other means that are less detrimental to the fundamental rights of the interested parties, in particular with respect to the rights to respect for private life and protection of personal data. On the other hand, considering that there is a generalised processing of employee data, which, although they are not the data of the respondent, but of its suppliers, Article 14 of Law 31/1995 of 8/11 on the Prevention of Occupational Risks (LPRL) could be applied, which provides for an employer's duty to protect workers against occupational risks. The LPRL provides for coordination by the employer who owns the workplace, when workers from two or more companies carry out activities in the same workplace. However, in the EIPD of 22/04/2022, no aspect of the treatment based on the prevention of occupational risks is assessed in terms of its necessity and proportionality. As in any sector of activity, on the dates on which the MWC 2022 was to be held, there were vital interests of groups to be protected, or of third parties, but as the CJEU indicates in the aforementioned ruling, it is not possible to invoke the protection of an essential interest for life to justify, in absolute terms and in a purely abstract and preventive manner, the legality of data processing without proving the need for that treatment. In addition, in the health emergency situation, it was the health authorities that were establishing the need for the treatments, taking into account the change in circumstances over time. At any given time, depending on the health circumstances, the health authorities determined the applicable measures and the sectors of activity to which they applied, without these being applicable to any sector or event. It was the health authorities that implemented the necessary measures to prevent the spread of the pandemic without establishing during the processing of the disputed data the need to obtain and retain the COVID documentation. Furthermore, on the dates on which the need to check the COVID documentation was established, it was sufficient to exhibit the documents relating to the health data without establishing the need to retain them. Considering that all processing involves an interference in the rights of its owners, the employees, the respondent does not prove the essential need to protect the vital interest, of the obligation to register the vaccination certificate or PCRs. Regarding this alternative, which required the employee to pay for the PCR tests, since they are only valid for 72 hours, the respondent has not provided any consideration of their necessity and the risks of the measure in relation to the rights and freedoms of the interested parties. Finally, it should be noted that, in general, the judgment of necessity is justified in the Impact Assessment. However, in this case, there is no analysis of necessity, proportionality and suitability of this measure, as nothing is stated in this regard, not even minimally proving that the measure is necessary to achieve the purpose pursued, as such an assessment has not been carried out. The necessity must be interpreted in the sense that the treatment is indispensable to protect the vital interest of the people who attended the event or of the workers because there is no other measure less restrictive of rights. In addition, they must justify that the treatment operations that were carried out – the collection, registration and keeping of certificates – are indispensable instead of their mere display. The processing of personal data in these health emergency situations, as mentioned, must still be carried out in accordance with the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 80/96 personal data protection regulations (RGPD and LOPDGDD). The specific regulation of health emergencies constitutes special legislation that results from the need, in certain circumstances, to adopt specific measures to preserve public health and protect the rights to life, physical integrity and health of people, guaranteed by art. 15 and 43 of the Constitution, and may, in a proportionate manner, justify certain limitations on the exercise of fundamental rights. In this case, the regulation was materialized through public health regulations that provided for safeguards of the essential interests affected, with those responsible having to act in accordance with what was indicated therein. Alternatively, the respondent has added in its allegations to the proposal a new legal basis for the processing of data of employees of suppliers who carry out the assembly of the facilities of the venue where the congress is held, citing article 6.1.c) of the GDPR “the processing is necessary for compliance with a legal obligation applicable to the data controller”, now considering “compliance with legal obligations in the field of prevention of occupational risks”, considering that health surveillance was mandatory in accordance with article 22 of the LPRL, and that it was carried out by QUIRONPREVENCIÓN. However, as has been pointed out, this activity cannot be carried out without the consent of the workers. It is also estimated that this legal obligation would correspond, where appropriate, to the employers, suppliers, whose employees have as a counterweight the right against the obligation of those. However, in no case can this lead to requiring vaccination or the provision of a certificate of recovery from the disease or PCR indiscriminately for all workers, nor does it therefore justify requiring the data of employees of suppliers with whom the respondent has no relationship. This means that in this case the legitimate bases set out by the respondent for the processing of data of the suppliers' employees during the event and presumably in advance for the preparation of the assembly of the facilities are not accredited, so the infringement of this article 6.1 of the RGPD must be considered as proven. VII Unfulfilled obligation of art. 14 of the GDPR In this case, the data of the employees of the defendant's suppliers are being processed, dedicated to the assembly of the facilities for the MWC 2022 event. The employers (suppliers of the defendant GSMA) provide the data to GSMA in an application that the latter, as the organizer of the MWC 22, has for this purpose of controlling safe, COVID-free access to its facilities where the Congress is held annually. The defendant is responsible for the processing of the data carried out on the employees of the suppliers, complying with the requirements for determining the purposes and means of the processing of data of the employees of the suppliers, establishing the reason for the processing and how it will be carried out, complying with the requirements of the GDPR to be qualified as such responsible party. After receiving the employee data entered by the suppliers, the employees receive a first email from the respondent requesting that they send C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 81/96 the COVID data to the QP sub-processor, with whom they link to send the vaccination certificates or tests to her. The first statement made in the response to the transfer indicated: “Regarding the information provided on the processing of this data, and in relation to the data processing subject to this claim, it is provided by the supplier/employer directly as GSMA has no direct contact with the workers. The contract between GSMA and the provider requires the provider to comply with the applicable laws regarding data protection, including compliance with the transparency and legality requirements of the same for the purposes of transferring the data of its employees to GSMA or its data processors, including the provision of the GSMA privacy policy.” Therefore, it is the data controller, the respondent, that is subject to a series of obligations under the RGPD and the LOPDGDD, including the processing of personal data in a fair, lawful, and transparent manner (art. 5.1.a of the RGPD). Transparency is intrinsically linked to fairness and the principle of accountability under the RGPD. From article 5.2 of the RGPD, it also follows that the data controller must always be able to demonstrate that personal data is processed in a transparent manner in relation to the interested party. In line with this point, the principle of accountability requires transparency of processing operations so that data controllers can demonstrate compliance with their obligations under the GDPR. The respondent, in addition to the statement made in its response to the transfer, has stated in its DPIA that the information to the employees was provided by the suppliers via the “privacy notice” that appeared on the respondent's website, provided to them by their employer on behalf of GSMA, under the literal in the DPIA “In accordance with the terms and conditions of the contractor registration between GSMA and the suppliers, the latter contractually agree to comply with the transparency obligations before sharing the employees' data with GSMA, including the provision of the ”GSMA privacy notice to all its employees” Thus, according to the respondent's initial statements before the transfer, in the contracts signed with the suppliers, the transfer of the obligation to inform the processing of the data to the suppliers is established, associating them with the “privacy policy of the respondent's website”. Article 14 of the GDPR states: “1. Where the personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: a) the identity and contact details of the controller and, where applicable, of his or her representative; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 82/96 b) the contact details of the data protection officer, where applicable; c) the purposes for which the personal data are processed, as well as the legal basis for the processing; d) the categories of personal data in question; e) the recipients or categories of recipients of the personal data, where applicable; (f) Where applicable, the intention of the controller to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), a reference to adequate or appropriate safeguards and the means of obtaining a copy of those safeguards or the place where they have been made available. 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing of the data in relation to the data subject: (a) the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period; (b) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party; (c) the existence of the right to request from the controller access to personal data concerning the data subject, rectification or erasure thereof, or restriction of processing thereof, and to object to processing, as well as the right to data portability; (d) where processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal; (e) the right to lodge a complaint with a supervisory authority; (f) the source from which the personal data originate and, where applicable, whether they originate from publicly available sources; (g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 3. The controller shall provide the information referred to in paragraphs 1 and 2: a) within a reasonable period of time after obtaining the personal data and no later than one month, taking into account the specific circumstances in which the data are processed; b) if the personal data are to be used for communication with the data subject, no later than the time of the first communication to the data subject, or c) if the personal data are intended to be communicated to another recipient, no later than the time when the personal data are first communicated. 4. Where the controller intends to process personal data further for a purpose other than that for which they were obtained, he shall, before such further processing, provide the data subject with information about that other purpose and with any other relevant information referred to in paragraph 2. 5. Paragraphs 1 to 4 shall not apply where and to the extent that: a) the data subject already has the information; b) the provision of that information would be impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article would render impossible or seriously impede the achievement of the objectives of such processing. In such cases, the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including by making the information public; c) the collection or communication is expressly provided for by Union or Member State law to which the controller is subject and which provides for appropriate measures to protect the legitimate interests of the data subject, or d) where the personal data must remain confidential on the basis of an obligation of professional secrecy governed by Union or Member State law, including an obligation of secrecy of a legal nature.” The obligation to inform is enforceable on the controller, in this case, in the first instance it is the suppliers who enter the data of their employees in the application of the respondent, it therefore follows that the data collected by the respondent are not provided by the interested parties, i.e. by the employees themselves, but by the GSMA supplier, employer of the affected parties (data on name, surname, email, etc.). Subsequently, the COVID health data required for the pass are entered into the application by the employees themselves, through email contact and following the instructions of the respondent. The legal obligation established by the RGPD and the LOPDGDD that the data controller must comply with, implies its enforceability to said controller, in this case the respondent, without the mere particular agreement of wills, which is not documented but simply stated, being able to have the effect that the respondent intends, and which would render ineffective the high degree of protection and guarantees that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 84/96 the RGPD offers. The responsibility will always be demanded from the person who the law indicates as obliged, and in the case of the obligation to inform, it falls on the person responsible for the treatment, so it will be necessary, as it is a functional concept, to be the one who decides on the purposes and means of the treatment. In this case, the respondent decided to carry out the treatment and determined the means of the treatment, therefore, it is responsible for compliance with the obligation to inform. The ultimate objective of attributing the obligation to the person responsible for the treatment is to guarantee its compliance and an effective and comprehensive protection of the right to data protection. Recital 39 of the GDPR states in this regard: "All processing of personal data must be lawful and fair. It must be perfectly clear to natural persons that personal data concerning them are being collected, used, consulted or otherwise processed, as well as the extent to which such data are or will be processed." The transfer of this legal responsibility established by the GDPR is not possible, regardless of the agreements that the parties may reach, which are unrelated to this procedure. Nor is this obligation replaced by the dissemination of press releases or knowledge in the media, since it is an individual right and must occur when the data of the affected party is collected, as a guarantee and safeguard of the rights of those affected. In contrast to the informative content of the privacy policy that the respondent considers sufficient, it must be noted that in order to understand that compliance with the obligation to provide information to the employees who own the data that have been collected, not only health data but also basic data: name, surname, email, the content of the information and the time at which the information is provided must be accredited. This obligation cannot be replaced by merely posting the privacy policy on the website, since the information must be provided directly to the person whose data is requested, whether the data is collected from the interested party directly by the controller, or if it is not collected directly by the controller. The privacy policy could be a means of complying with the obligation to inform, provided that the controller directly communicates to the interested party the basic information and the location where the complete information is located. On the other hand, the respondent's claim that after the start agreement the AEPD assumes that information has been provided is unfounded, since Article 14 of the GDPR is reproduced in the complete start agreement, and it is meant that the information has not been provided. The claim that the application provided information on the privacy policy cannot be accepted either, since from the printout of the accompanying screen: “Contractor accreditation-system login”, it can be deduced that the uploading of personal data is the responsibility of the supplier, who is the only one who interacts with GSMA, so that in any case the supplier would be informed and not the employees who own the data. The link that appears on the screen under “legal” does not lead directly to the privacy policy, but to a screen in which there are various options, this being only one of them. It should be remembered C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 85/96 that the respondent’s first and only contact with the complainant (with the employees) as she herself explained, occurred following the sending of an email from GSMA to the employee in which it indicated a link to upload the vaccination data. Additionally, it is noted that, as the privacy policy is comprehensive for various subjects participating in the event, it has certain shortcomings, so in the section “Data Retention”, the conservation of the data collected from the suppliers’ employees is not detailed, urging them to contact them for more information. Nor is the legitimizing basis that specifically corresponds to the treatment of the data of each category of attendee/employee provided, indicating it in a general and abstract way without identifying the groups to which it refers. The right to file a claim with a control authority is not stated, as well as the source from which the data comes, or the contact details of the Data Protection Officer. Finally, in the section “information that you voluntarily provide”, there is “COVID 19 tests: As indicated in our Community Committed Plan, you will be required to undergo COVID 19 tests at regular intervals during the event. The information about your test results will be processed for the sole purpose of access control." In short, the respondent did not provide the interested parties with the information required by art. 14 of the GDPR and the information in its privacy policy is not complete, which does not mean that the present procedure is directed against the respondent because its privacy policy is incomplete but because no information was provided to the interested parties. Therefore, this allegation cannot be upheld, as the respondent's duty to inform has been breached. The information that the controller must provide must be provided regardless of whether or not the controller has access to the data about which it has finally decided for what purpose it will process them and how the processing will be carried out, establishing ends and means for this. Although it is also appreciated that the respondent is aware of the result because QP communicates it to her when informed of the decision of whether she is fit or not, which is incorporated in the vaccine certificate provided by each employee, and is stored and preserved in order to be able to access the facility every day, in this case the place of work. The truth is that, once the data has been sent by the suppliers, the respondent has them at his disposal, and could have informed them of the collection and processing in the first contact he has with them, however, there is no evidence that he did so. As clarified by the Guidelines on transparency under Regulation (EU) 2016/679 Adopted on 29/11/2017 Last revised and adopted on 11/04/2018: “27. As regards the timing of providing this information, doing so in a timely manner is a fundamental aspect of the obligation of transparency and the obligation of fair processing of data. Where Article 13 is applicable, paragraph 1 of that article provides that the information must be provided “at the time when [the personal data] are obtained”. In the case of personal data obtained indirectly under Article 14, the time limits within which the necessary information must be provided to the data subject are set out in Article 14(3)(a) to (c), namely: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 86/96 • the general requirement is that the information must be provided within a “reasonable period” after the personal data have been obtained, and at the latest within one month, “taking into account the particular circumstances in which the data are processed” [Article 14(3)(a)]; • the general maximum period of one month referred to in Article 14(3)(a) may be reduced under Article 14(3)(b)31, which covers situations in which the data are used to communicate with the data subject. In such a case, the information must be provided at the latest at the time of the first communication with the data subject. If the first communication takes place before the latest period of one month after the personal data were obtained, the information must be provided "at the latest" at the time of the first communication with the data subject, provided that one month has not elapsed since the time when the data were obtained. If the first communication with a data subject takes place after one month has elapsed since the personal data were obtained, Article 14(3)(a) continues to apply, and the information referred to in Article 14 must therefore be provided to the data subject no later than within one month of its obtaining; • the general maximum period of one month referred to in Article 14(3)(a) may also be reduced pursuant to Article 14(3)(c), which covers situations where the data are communicated to another recipient (whether a third party or not). In such a case, the information must be provided at the latest at the time of the first communication. In this situation, if the communication takes place before the maximum period of one month, the information must be provided "at the latest" at the time of that communication, provided that one month has not elapsed since the time at which the data were obtained. Similarly to the position with regard to Article 14, paragraph 3, letter b), if any communication of personal data occurs after one month has elapsed since the personal data were obtained, Article 14, paragraph 3, letter a) continues to apply, so that the information referred to in Article 14 must be provided to the interested party no later than one month after its collection.” However, in this case, there is no record that the respondent provided information, therefore the allegation of having committed an infringement of the aforementioned article remains. The respondent claims that these facts had not initially been the subject of a complaint and that no proceedings can be initiated for this reason. However, at the stage of transferring the complaint, the respondent points out in its response that it is noted as a failure to comply with its obligation to inform about the data it collects through employers (suppliers of the respondent). This obligation affects a right of the interested parties and the claimant directly related to the collection of data as sensitive as health data. In the face of such an obvious breach, also related to the design of the treatment, the AEPD cannot omit the demand for responsibility for this clear unlawfulness, simply because it was not specifically expressed in the claim. The respondent had not proven that it had complied with the obligation to inform the affected parties, which is why the sanctioning procedure was also initiated for this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 87/96 fact. VIII Classification and qualification of infringements It is considered that the facts set forth could violate the provisions of articles: 14, 9.2 and 6.1 of the GDPR, with the scope expressed in the Legal Basis previous, which implies the commission of the infringements classified in article 83 section 5.a) and 5.b) of the GDPR which under the heading “General conditions for the imposition of administrative fines” provides that: “5. Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of not more than EUR 20 000 000 or, in the case of an undertaking, not more than 4 % of the total annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9; b) the rights of data subjects pursuant to Articles 12 to 22; In this regard, the LOPDGDD, in its article 71 establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.” For the purposes of the limitation period, article 72 of the LOPDGDD indicates: “Infringements considered very serious. “1. According to the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations: […] “b) The processing of personal data without any of the conditions for legality of the processing established in article 6 of Regulation (EU) 2016/679 being met.” […] “e) The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679, without any of the circumstances provided for in said provision and in article 9 of this organic law being met.” […] C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 88/96 “h) The failure to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this organic law.” IX Determination of the sanction The fines imposed must be, in each case, individual, effective, proportionate and dissuasive, in accordance with article 83.1 of the GDPR. In order to determine the administrative fine to be imposed, the provisions of Article 83.2 of the GDPR must be observed, which states: “Administrative fines shall be imposed, depending on the circumstances of each individual case, as an additional or alternative measure to the measures referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of: a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them; b) the intentionality or negligence of the infringement; c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects; (d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32; (e) any previous infringement committed by the controller or processor; (f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 89/96 k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” On the other hand, in relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, provides: “1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continued nature of the infringement. b) The connection between the offender's activity and the processing of personal data. c) The benefits obtained as a result of the commission of the infringement. d) The possibility that the conduct of the affected party could have included the commission of the infringement. e) The existence of a merger process after the commission of the infringement, which cannot be attributed to the absorbing entity f) The impact on the rights of minors g) Having, when not mandatory, a data protection officer. h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party.” Letter e) of article 83.2 refers to “any previous infringement committed by the controller or processor;” It is applicable to the respondent, since a sanction classified as serious was imposed recently, on 02/24/2023, in procedure EXP202100603, PS/00553/2021, for a violation of article 35 of the RGPD, by not having a valid Data Protection Impact Assessment for the processing of biometric data as part of the means of access provided to the MWC venue of the previous year 2021, then it is highly relevant in all the infractions that are now being assessed, since the present infractions correspond to the event of the following year and are also related in one way or another to the instruments implemented to allow access to the event, taking into account the measures to stop the spread of the COVID-19 disease. In addition, in both cases referring to data of special category, in 2021: biometric data, now, health data. The provision, which is directly applicable, does not distinguish between the infringement being of the same type or nature, and in this case, it is clearly related to special categories of data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 90/96 The judgment of the CJEU of 5/12/2023, case C-807/21, indicates in its section 45: “The material requirements that a supervisory authority must respect when imposing such a fine are established, in sections 1 to 6 of article 83 of the GDPR, in a precise manner and without leaving the Member States any margin of appreciation.” Article 83.2.e) of the GDPR considers that when deciding the amount of the administrative fine, "Any previous infringement committed by the person responsible" must be considered, so it would be applicable as an aggravating factor to all the infringements that are charged, given the link between the conducts that are charged as a unit of action in the performance of the data processing of the group of employees of suppliers. The respondent alleged that for all infringements the purpose that guided it in ensuring the health of the workers should be considered as an attenuating factor. However, along with this concern, the variable of the protection of the data of those affected as their own right and their self-determination to be managed in accordance with the regulations and with the guarantees and safeguards that the RGPD and the LOPDGDD establish, not being in any way incompatible, must also be considered. Thus, having made the above assessment, the circumstances that must be taken into account for the imposition of a fine for the infringement of article 14 of the GDPR are analyzed. For the purposes of setting the amount of the penalty to be imposed in the present case, it is considered that the penalty should be graduated in accordance with the following circumstances included in article 83.2 of the GDPR: - From article 83.2.a) "the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered." The processing carried out is by all employees of the providers, without knowing all the elements of the processing of their data, which represents an aggravation of the conduct that prevents them from controlling their personal data. - From article 83.2.b) "the intentionality or negligence in the infringement." In compliance with its legal obligations, the respondent intends to transfer the claim to the supplier, the employer of the workers, when it is the latter who must respond legally without being able to be delegated. In addition, it has the means to be able to inform, therefore there is no reasonable diligence to comply with the legal obligation, which reveals a lack of diligence in the fulfillment of this obligation. The ruling of the National Court, of 17/10/2007, appeal 63/2006, indicates that the Supreme Court "has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to the professionalism or otherwise of the subject, and there is no doubt that, in the case now examined, when the activity of the respondent is one of constant and abundant handling of personal data in the organization of events with massive attendance, the rigor and exquisite care to comply with the legal provisions in this regard must be insisted on.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 91/96 The respondent, regarding this aggravating circumstance, alleged that it should be considered an attenuating circumstance due to the objective pursued and the collaboration with the health authorities to comply with the regulations on public health and the applicable restrictions, and the diligence for not having had access to the data. This claim, which has already been partially answered in the general claim, must be rejected, and also because it has nothing to do with the aggravating factor that is being analyzed in relation to the circumstances that occur in the conduct described, the access to the data by the respondent, since informing does not depend on access to the data. These circumstances are considered to aggravate the infringement, and a fine of 100,000 euros should be imposed. Regarding the infringement of article 9.2, it is considered that in addition to the already indicated application of the cause contained in article 83.2.e) of the GDPR, the following circumstance occurs: -- article 83.2.a) “the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages and losses they have suffered.” The collection and processing of data took place at a private event, processing that is not merely incidental or accessory, which involves the recording of health data in an application and its storage for the duration of the event, expected to begin on 21/01/2022, until 08/03/2022, without employees having the option not to provide health data, in a situation of imbalance between the parties, affecting the freedom of the interested parties who cannot stop providing such data, if they want to go to work, all of which are aggravating elements of the infringement, affecting several thousand employees. Circumstances that constitute this aggravating circumstance of the infringement. - article 83.2.k) RGPD in relation to article 76.2.b) LOPDGDD: The link between the business activity of the respondent and the processing of personal data. The respondent, in the development of its own event organizing activity, related to the development of some of the emerging technologies, needs to regularly process personal data and has been doing so in successive editions in an innovative field in terms of technologies as has been said. As a counterpart, this fact affects the diligence required of it in compliance with the principles that govern the processing of personal data and the quality and effectiveness of the technical and organizational measures that it must have implemented to guarantee respect for this fundamental right, in this case of employees. Aggravating elements of the infringement. The respondent alleged for this aggravating circumstance that its business is in fact the promotion of mobile telephony that it carries out in collaboration with FIRA and that its commercial activity has no special relationship with the processing of health data. In this sense, their claim cannot be upheld, given that the respondent processes the data of employees in each event call by itself or through managers C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 92/96 and decides, in this case, to implement, partly due to the pandemic, contactless technological means, which imply providing personal data in order to access work. The high number of attendees and employees needed to set up the facilities and their duration, mean that significant data processing must be taken into account at each annual congress it holds. The balance of the circumstances considered, with respect to the infringement committed, by violating the provisions of article 9.2 of the GDPR, leads to setting a fine of 300,000 euros. As regards the infringement of article 6.1 of the GDPR, also considering the already indicated occurrence of the cause contained in article 83.2.e) of the GDPR, the following circumstances must also be taken into account for the grading of the sanction: - article 83.2.a) "the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages and losses they have suffered". The processing falls mainly on a group of employees of suppliers who do not expect that their data will be processed by a third party, as they do not have a direct relationship with said entity. The duration of this treatment is longer than that of the attendees, as they have to go to work before, during and after the event. It applies to all employees of the suppliers who either undergo vaccination or provide a PCR test, which is not recorded as paid for by anyone other than the employee themselves, and which, due to its validity, must be repeated during the period in which they must access the premises to carry out their work, or provide a certificate of recovery from the disease, elements that influence the aggravation of the sanction. The sanction is stipulated in this case at 200,000 euros. Finally, the respondent argued that, for all the violations, there was no element of guilt in her conduct, due to her desire to guarantee the health of the workers, considering the context and the changing measures, and that there was no negative impact on the pandemic situation, acting diligently by having a person in charge, acting from the precautionary principle of article 3 of Law 33/2011 of 4/10 on public health. The Supreme Court, in line with that of the Constitutional Court, has established that the sanctioning power of the Administration, as a manifestation of the ius puniendi of the State, is governed by the principles of criminal law, with the basic structural principle being that of guilt, incompatible with a regime of objective liability, without fault. The Supreme Court (Judgments of 16 and 22/04/1991) considers that the element of guilt implies that “the action or omission, classified as an administratively punishable offense, must, in any case, be imputable to its author, due to intent or imprudence, negligence or inexcusable ignorance.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 93/96 This requirement of guilt in the field of administrative offenses has been reiterated ad nauseum by the jurisprudence of the Supreme Court. Thus, the SSTS of 12 (féc. 388/1994) and 19/05/1998, Section Six, state that in the area of sanctions “any attempt to construct an objective responsibility is prohibited” and that “in the area of administrative responsibility it is not enough that the conduct is unlawful and typical, but it is also necessary that it be culpable, that is, a consequence of an action or omission imputable to its author due to malice or imprudence, negligence or inexcusable ignorance (...) that is, as a requirement derived from article 25.1 of the Constitution, no one can be condemned or punished except for acts that can be imputed to him as deceit or fault (principle of culpability)". In view of the jurisprudence set forth above, it is appropriate to conclude that when an act occurs that could incur an administrative offence, the culpability must be examined in order not to proceed to initiate a sanctioning procedure automatically. It is not necessary to have wilful intent in the commission of an offence, mere negligence is sufficient to be able to demand liability from the offender, as stated by the Constitutional Court "beyond simple negligence, the acts cannot be sanctioned". The National Court's ruling of 25/03/2003 also indicates that "As regards guilt, it must be said that generally this type of conduct does not have a wilful component, and most of it occurs without malice or intention. Simple negligence or failure to comply with the duties imposed by law on the persons responsible for files or data processing to exercise extreme diligence is sufficient to avoid, as in the case at hand, the processing of personal data without the consent of the affected person, which denotes an evident lack of compliance with these duties that clearly violate the principles and guarantees established in Organic Law 15/1999, of December 13 (LA LEY 4633/1999), on the Protection of Personal Data, specifically that of the consent of the affected party. The Supreme Court (STS 16/04/91 and STS 22/04/91) considers that from the element of culpability it follows that "the action or omission, qualified as an administratively sanctionable infringement, must be, in any case, imputable to its author, due to intent or imprudence, negligence or inexcusable ignorance." Furthermore, the National Court on the subject of personal data protection has declared that "simple negligence or failure to comply with the duties that the Law imposes on persons responsible for files or the processing of data to exercise extreme diligence is sufficient..." (SAN 26/06/01). The judgment of the CJEU of 5/12/2023, case C-807/21 states in point 75 “Consequently, it must be declared that article 83 of the GDPR does not allow the imposition of an administrative fine for an infringement referred to in its paragraphs 4 to 6 without proving that said infringement was committed intentionally or negligently by the data controller and that, therefore, culpability in the commission of the infringement constitutes a requirement for the imposition of the fine.” In the present case, the respondent knew that only certain sectors were subject to the requirement of COVID certification documentation, and only for a certain period of time. The access policy to the MWC 22 facilities began to be planned well in advance, in the fall of 2021, taking into account the point of view of health authorities, sufficient time to evaluate all the variables that affected the risks of the processing of personal data for the rights and freedoms of the interested parties that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 94/96 must be applied to any treatment, regardless of the type, and in this case with greater rigor when dealing with special data. The respondent should have known that vaccination was not mandatory. The respondent has acknowledged that in this case there is no Law that establishes this measure of application to its sector, nor administrative provisions, recognizing that those issued in the area of Catalonia did not contemplate this assumption. Despite this, the data of the employees' health was processed, which shows a lack of diligence when considering the legitimising basis for the processing carried out, and the information collected, which constitutes and proves the guilt of the defendant as a way of undertaking a deficient data protection governance. Furthermore, the way in which the processing was carried out or its purpose is not an obstacle to considering said lack of diligence and unlawfulness. As regards the application of mitigating factors, it considers that it should be taken into account as related to the purpose of the processing operation, that the purpose was to ensure health, in line with the measures agreed by the health authority. However, although the purpose may be legitimate, it was not necessary and proportional, since, in this case, the risks of non-compliance with regulations and the impact that the measure could have on the interested parties were not assessed. It also considers that the defendant is not a professional in data processing. However, the application of the aggravating circumstance of 83.2.k) of the GDPR does not require this professionalism. The entity has been holding the event since 2006, which has been attended and continues to be attended by a significant number of thousands of people, which implies a professionalized processing of personal data, and therefore requires special diligence in compliance with the legislation on data protection and the principle of accountability, which requires the assessment of the risks involved in the processing of personal data, and the establishment of guarantees to ensure a high level of protection of their rights. Therefore, the reasons given do not justify the reduction of the penalties. Therefore, in accordance with applicable legislation and having assessed the criteria for graduating sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO IMPOSE GSMA LIMITED with NIF N4004237F for the alleged infringement of the following articles of the GDPR -9.2 of the GDPR in accordance with article 83.5.a) of the GDPR, and for the purposes of prescription classified as very serious in article 72.1.e) of the LOPDGDD, with a fine of 300,000 euros. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 95/96 --6.1 of the GDPR, in accordance with article 83.5.a) of the GDPR, and for the purposes of prescription classified as very serious in article 72.1.b) of the LOPDGDD, with a fine of 200,000 euros. -14 of the GDPR, in accordance with article 83.5.b) of the GDPR, and for the purposes of prescription classified as very serious in article 72.1.h) of the LOPDGDD, with a fine of 100,000 euros. SECOND: NOTIFY this resolution to GSMA LIMITED and GSMC EVENT PROJECT MANAGEMENT, S.L. THIRD: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this faculty. The sanctioned party is warned that he must pay the imposed sanction once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of the LPACAP, within the voluntary payment period established in art. 68 of the General Regulations for Collection, approved by Royal Decree 939/2005, dated 29/07, in relation to art. 62 of Law 58/2003, dated 17/12, by means of its payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collected in an enforcement period. Once the notification has been received and has been enforced, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13/07, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final decision in administrative proceedings may be provisionally suspended if the interested party C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 96/96 expresses his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned LPACAP. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will consider the precautionary suspension to be terminated. 938-16012024 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es