AEPD (Spain) - EXP202201608
| AEPD - EXP202201608 | |
|---|---|
| Authority | AEPD (Spain) |
| Jurisdiction | Spain |
| Relevant Law | Article 6(1) GDPR; Article 9(2) GDPR; Article 14 GDPR |
| Type | Complaint |
| Outcome | Upheld |
| Started | 29.01.2022 |
| Decided | |
| Published | 31.05.2024 |
| Fine | 600,000 EUR |
| Parties | GSMA Limited |
| National Case Number/Name | EXP202201608 |
| European Case Law Identifier | n/a |
| Appeal | Unknown |
| Original Language(s) | Spanish |
| Original Source | AEPD (in ES) |
| Initial Contributor | lm |
The DPA found that the organiser of the Mobile World Congress lacked a legal basis to require workers employed by its suppliers to upload documentation of their COVID-19 vaccination, recovery or test status as a condition of access to the event, and that it had not informed those workers of the processing. It fined the controller €600,000.
English Summary
Facts
GSMA Limited (the controller) is the mobile industry association that organises the annual Mobile World Congress (MWC) in Barcelona. The MWC is hosted at the Fira de Barcelona (an event venue that acts as a processor for the controller). For the 2022 edition, the controller required the workers who set up and ran the Congress, who were employed by the controller's suppliers rather than by the controller itself, to register on Fira's online accreditation portal. Each worker then had to upload a COVID certificate or equivalent documentation (a vaccination certificate, a certificate of recovery, or a negative test taken within the previous 72 hours) to the platform of Quironprevención, Fira's sub-processor and the controller's medical services provider, which validated the document, after which the worker received a confirmation or rejection email. Workers without a validated document could not obtain an access pass and therefore could not work at the venue. The processing affected 11,970 data subjects.
On 29 January 2022, one of these workers (the data subject) filed a complaint with the Spanish DPA (AEPD) against the controller. The data subject argued that neither the controller nor Fira had a legal basis to request information about workers' vaccination or health status, or to deny them access to the venue, and therefore to their work, if they did not provide it.
The controller claimed that it had a legal basis to process the health data under Article 6(1)(c) GDPR (processing necessary to comply with a legal obligation) and that the Article 9 prohibition was lifted by Article 9(2)(g) GDPR (substantial public interest). It relied on Catalonia's Public Health Law (Ley de Salud Pública 18/2009), which permits the health authorities to intervene in private activities to protect public health, and argued that its 'Health and Safety Plan for MWC22' constituted such an intervention. The Plan itself, however, was never provided to the AEPD. The controller stressed that the Plan had been developed in collaboration with, and approved by, the Catalan authorities, which considered the measures appropriate to manage the pandemic given the international nature of the Congress, the size of the event (approximately 61,000 attendees) and the public health situation at the time.
The controller added that, even if Article 6(1)(c) GDPR did not apply, the processing was justified by Article 6(1)(d) GDPR, claiming an obligation to protect the vital interests of the attendees, workers and organisers of the Congress. The controller also noted that the COVID data was retained only for the duration of the event and was erased once the dismantling was completed.
On 5 June 2023, the AEPD initiated sanctioning proceedings against the controller.
Holding
The AEPD found that the controller infringed Articles 6(1), 9(2) and 14 GDPR. It issued a fine of €600,000.
Article 9(2) GDPR: Given that the processing in this case could affect the fundamental rights of workers, the AEPD considered that the Article 9(2) GDPR exceptions permitting the processing of special-category data must be interpreted restrictively. While the AEPD recognised that the GDPR permits the processing of health data where necessary to prevent the spread of disease in an emergency, in the interest of public health or to protect the vital interests of data subjects, it rejected the controller's claim that it had a legal basis under Article 9(2)(g), (h) or (i) GDPR. The AEPD emphasised that a restriction of data protection rights cannot rest, on its own, on an indeterminate invocation of 'public interest': it is for the legislator to determine when a good or right justifying a restriction of the right to the protection of personal data exists and under what circumstances. None of the materials the controller cited, including the Plan, which it never provided to the AEPD, constituted a rule of European or national law with the necessary guarantees.
In addition, the AEPD noted that less intrusive means were available in this case to protect workers and attendees, such as ensuring proper protective gear. The controller thus lacked a legal basis to process health data under Article 9(2)(g), (h) and (i) GDPR.
Article 6(1) GDPR: With regard to the controller's reliance on Article 6(1)(c) GDPR (legal obligation), the AEPD observed that processing can only be considered to be 'based' on the fulfilment of a legal obligation when that obligation is established in European or national law, or in a rule having the force of law, which determines the general conditions of the processing and the data involved (citing Article 8 of the LOPDGDD, the Spanish organic law on data protection). Reliance on Article 6(1)(c) therefore requires a rule with the force of law that imposes a specific obligation on the controller. That was not the case here. A plan, even one drawn up in collaboration with public authorities, is not a law and does not derive any such binding effect from that collaboration. The AEPD noted that the resolutions of the public health authorities called for hygiene and organisational measures to prevent the risk of contagion, and at times required specific measures such as the use of face masks and the cleaning and ventilation of enclosed spaces, but at no point did they require the use of vaccination certificates. With regard to Article 6(1)(d) GDPR (vital interests), the AEPD noted that this basis alone cannot justify the processing of special-category data: unlike Article 9(2)(c) GDPR, it is not limited to situations 'where the data subject is physically or legally incapable of giving consent', and it is that narrower condition which would have to be met to lift the Article 9 prohibition. The controller also never assessed the necessity of the data (as compared with less intrusive alternatives) or the risks of the processing, and it failed to carry out a data protection impact assessment before the processing began.
For all of these reasons, Article 6(1) GDPR could not justify indiscriminately requiring vaccination certificates, certificates of recovery or COVID tests from all workers, nor could it justify requiring the data of suppliers' employees with whom the controller had no direct relationship. Ultimately, this processing could only have been based on the consent of the workers.
Article 14 GDPR: The various employers (the controller's suppliers) provided the workers' data to the controller through an application operated by a sub-processor. The AEPD noted that it was the employers, not the controller itself, that told the workers to register and upload their COVID documentation to the app. The controller argued that it informed the workers through the suppliers by means of a 'privacy notice' published on its website, and that the suppliers were contractually obliged to comply with the transparency obligations, including providing that privacy notice, before sharing employee data with the controller. The AEPD found that this did not relieve the controller of its own duty to inform the data subjects. Once the suppliers had transmitted the data, the controller had it at its disposal and could have informed the workers of the collection and processing at its first contact with them, but it produced no evidence that it had done so. The AEPD therefore found that the controller had not demonstrated compliance with its duty to inform the data subjects, in breach of Article 14 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202201608

Contents

BACKGROUND
FIRST: Filing of the claim
SECOND: Evidence obtained for the admissibility analysis
THIRD: Transfer of the claim
FOURTH: Admission for processing on 04/29/2022
FIFTH: Consultation of the commercial report on the respondent company
SIXTH: Background on the respondent recorded in the AEPD's SIGRID file management application
SEVENTH: Agreement to initiate sanctioning proceedings, dated 06/05/2023
EIGHTH: Allegations of the respondent of 27/06/2023
NINTH: First extension of allegations, dated 11/10/2023
TENTH: Second extension of allegations, dated 21/11/2023
ELEVENTH: Issuance of the proposed resolution, dated 12/03/2024
TWELFTH: Allegations against the proposed resolution, submitted on 04/08/2024
PROVEN FACTS
LEGAL BASIS
I Jurisdiction
II Preliminary issues
III On the processing of health data
IV On the allegations against the proposed resolution
V Unfulfilled obligation under art. 9 GDPR
VI Unfulfilled obligation under art. 6.1 GDPR
VII Unfulfilled obligation under art. 14 GDPR
VIII Classification and qualification of the infringements
IX Determination of the sanction
RESOLVES

C/ Jorge Juan, 6, 28001 Madrid; www.aepd.es; sedeagpd.gob.es

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: Filing of the claim

A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on 29/01/2022. The claim is directed against GSMA LIMITED, with NIF N4004237F (hereinafter, the respondent). The grounds on which the claim is based are the following:

The complainant states that the workers of the companies that have to carry out work at the FIRA de Barcelona venue during the MOBILE WORLD CONGRESS (MWC 2022) have received instructions from the organising company, GSMA, and from FIRA DE BARCELONA that they must register in a computer application in order to access the venue.
In this regard, the respondent sent an email on 01/20/2022 to the MWC 2022 suppliers to inform them that their workers must upload their COVID passport or equivalent to the system. The complainant indicates that neither the respondent nor FIRA are entitled to request health information from third parties regarding their vaccination or health status, information which, if not provided, would mean not being able to enter the venue and, therefore, not being able to carry out their work.

Together with the claim, the complainant provides copies of two emails:

1) Email dated 01/20/2022, from a person with a FIRA Barcelona domain name (hereinafter FIRA), addressed to suppliers, subject: "instructions for registering FIRA Barcelona suppliers for MWC 2022": "by means of this email we want to inform you that the accreditation system for MWC22 is now active for all FIRA BARCELONA suppliers", "with the same digital pass platform as last year". Therefore: "There will be a web system in which FIRA will create an account for each supplier, where they must self-manage their passes"; to do so, the data of the person who will manage the account must be sent to a FIRA email address. That person will be the contact for "passes for all employees registered in the system on behalf of their company". There is a section referring to "COVID passport and antigen tests", which indicates that: "when your workers log in for the first time, they will have to create a password and then upload one of the following documents for validation: COVID-19 vaccination certificate; COVID-19 recovery certificate; negative proof of a valid COVID-19 test, carried out in the last 72 hours, in any of the periods (set-up, celebration and dismantling)".

2) Email dated 01/21/2022, sent by a person from an address with the domain "firabarcelona.com", addressed to a team with the same domain, subject: "GV access anticipation MWC".
It informs about access through gate 4 to the Gran Vía venue, between 23/01 and 07/02, for different groups of people, visitors and vehicles, including FIRA employees, collaborators and holders of permanent and annual access passes to the FIRA venues. It refers to a "health control to access MWC stands under construction", which is carried out "by presenting a COVID passport or, failing that, a negative COVID test endorsed by an authorised laboratory". "As of February 8, the security perimeters are brought forward and the health and access measures for MWC established by GSMA are adopted for the entire Gran Vía venue. These are similar to those of the previous edition: documentation must be uploaded to a digital platform to obtain the access pass to the event in all its periods until March 8. We will receive detailed information on how to manage the MWC pass."

SECOND: Evidence obtained for the admissibility analysis

The AEPD has collected the following evidence:

- PRIVACY POLICY GSMA/MWC BARCELONA 2022, last updated 04/29/2021, which, as it indicates, applies to the processing of personal data of participants in the Congress.
- Privacy policy of FIRA DE BARCELONA and its participating companies, obtained from its website. Employees of suppliers are not mentioned.

THIRD: Transfer of the claim
In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), this claim was transferred to GSMC EVENT PROJECT MANAGEMENT SL (B64828973), a subsidiary of the respondent, so that it could analyse it and inform this Agency within one month of the actions carried out to comply with the requirements of the data protection regulations, regarding the claim stating that the workers of the companies that have to carry out work during the Mobile World Congress (MWC) 2022 at the Fira de Barcelona premises must obtain accreditations in order to access it, providing health data (COVID-19); notice was given of the emails described in the first antecedent.

The transfer, carried out in accordance with the rules established in Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was not collected by the controller within the availability period and was deemed rejected on 03/05/2022 in accordance with art. 43.2 of the LPACAP. Although the notification was validly carried out by electronic means, the procedure being considered to have been completed in accordance with article 41.5 of the LPACAP, a copy was sent by postal mail for information purposes, which was duly notified on 03/21/2022. In this notification, the respondent was reminded of its obligation to interact electronically with the Administration and was informed of the means of access to such notifications, reiterating that from then on it would be notified exclusively by electronic means.

On 04/25/2022, GSMC EVENT PROJECT MANAGEMENT, S.L. responded to the following questions:

1. "Name and surname or company name of the controller of the processing of health data related to the COVID passport and antigen tests requested within the framework of the Mobile World Congress Barcelona 2022, as well as the NIF and contact address of said controller."

It responds that "The controller of the processing of personal data related to MWC22 attendees, including health data that, exceptionally, due to COVID-19, were requested during MWC22, is the entity: GSMA Ltd., Armour Yards, 165 Ottley Drive, Suite 203, Atlanta, GA 30324, USA, EIN (Employer Identification Number): 20-4991061." It also provides its contact email address.

2. "If the controller is established outside the EEA, the postal address of its representative in the European Union."

It responds that: "GSMA Ltd. (hereinafter, 'GSMA' or the 'Organisation') is established in the United States. GSMC is a Spanish company, 100% owned by GSMA, created specifically to provide services related to the management of GSMA events, including the MWC in Barcelona (for example, translation services, accommodation, etc.). The data processing carried out by GSMA is inextricably linked to the processing carried out by GSMC. Therefore, GSMA processes personal data in the context of the activities of an establishment in the European Union and is consequently subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, the 'General Data Protection Regulation' or 'GDPR') under Article 3.1 thereof, and therefore the appointment of a representative in the European Union is not required."

3. "Indicate whether there is any relationship of controller, joint controller or processor between GSMA LTD, GSMA Event Project Management, S.L. and FIRA INTERNACIONAL DE BARCELONA, within the framework of the Mobile World Congress Barcelona 2022."

It responds: "GSMA Ltd. is the data controller of the data of MWC22 attendees. GSMC does not have the status of controller or processor in relation to the data that are the subject of this claim. FIRA is the main and, in many cases, exclusive contractor vis-à-vis GSMA for many of the services and supplies that must be provided within the framework of the MWC. Consequently, within the framework of this 'client-supplier' relationship, from the point of view of the regulations on the protection of personal data, FIRA acts as a data processor on behalf of GSMA Ltd., which acts as the controller, for which purpose both parties have signed the corresponding data processing contract under the provisions of article 28 of the GDPR."

"It is necessary to introduce a fourth agent, not mentioned in the claim, whose intervention in the MWC22 edition has been of vital importance to guarantee the health and safety of all those involved in the MWC after the appearance of COVID-19 (hereinafter, 'COVID-19' or 'the pandemic'). We refer to the company QUIRONPREVENCIÓN (hereinafter QP). QP, GSMA's medical services provider for MWC, is considered a sub-processor of personal data under the data processing agreement signed with FIRA. The reason why GSMA partnered with a leading medical services provider in its sector was to ensure that such an important, unique and organisationally complex event as MWC was carried out with the maximum security measures, taking into account that this company was the one applying the necessary health controls during the pandemic at Barcelona airport itself, as well as at other previous fairs, such as FITUR."
"The decision to rely on QP was agreed with the Department of Public Health of the Spanish Ministry of Health itself, with which GSMA held multiple working and coordination meetings in the framework of the preparation of MWC22. In fact, QUIRONPREVENCIÓN was an entity approved by the Department of Public Health for the purposes of reporting possible positive cases that occurred during the MWC."

4. "The legal basis that enables the processing of the aforementioned health data and the circumstance that lifts the prohibition on processing special categories of data, according to article 9 of the GDPR."

The company responds that it will set out how the situation stood on the relevant dates. On 1/12/2021, GSMA officially presented its HEALTH AND SAFETY PLAN FOR MWC22 IN BARCELONA (the "Plan"). The press releases can be consulted at the URL addresses ***URL.1 and ***URL.2.

Clicking on the first one leads to another GSMA page dated 1/12/2021, a news item reporting on the health and safety plan for the 2022 event, in which health and safety will be the priority, mentioning, among others, attendees or visitors and workers at the venue, all of whom "must certify their vaccination status, provide a negative test or a certificate of recovery from COVID-19 to gain access to the venue; as in the 2021 edition, proof of compliance with the protocols will be stored and displayed in the official application of the event". It is also reported that QUIRONPREVENCIÓN will be the medical partner that validates these documents.
The respondent states that the HEALTH AND SAFETY PLAN presented is an update of the plan presented in March 2021, which was prepared in coordination with the Catalan health authorities responsible for the regulations that governed MWC21, including the Department of Business and Knowledge of the Generalitat de Catalunya and the PROCICAT TECHNICAL COMMITTEE, which approved it (a committee attached to the Department of the Interior of the Generalitat de Catalunya that manages the pandemic in Catalonia within the Territorial Civil Protection Plan of that Department).

• The Plan also complied with the guidelines and recommendations for event organisers included in the SECTORAL PLAN FOR FAIRS AND CONGRESSES.

• The Plan involves all participants in the MWC, as it was designed with a layered approach that allowed for the creation of a safe environment for staff, workers, exhibitors, visitors, suppliers, partners and the local community. These layers included frequent testing, contact tracing, contactless environments, catering redesign, occupancy control, improvements to the infrastructure of the facilities, medical staff and personal commitments such as maintaining social distancing, as well as the collection of COVID data by GSMA, in particular data relating to the vaccination certificate, recovery certificate or negative diagnostic test result. In addition, the Plan was based on the SAFETY AND PREVENTION PROTOCOL AGAINST COVID-19 that FIRA was applying at that time.

• During the months prior to MWC22, GSMA had to take into account, on an almost weekly basis, the different resolutions issued not only by the Departament de Salut de la Generalitat de Catalunya but also by the Spanish Ministry of Health itself, with which it held coordination meetings on a regular basis, including with the Security Forces and Corps.
Regarding the legal basis that enables the processing of data, the respondent cites Article 6.1.c) of the GDPR, processing "necessary for compliance with a legal obligation to which the controller is subject". In implementing the Plan, "GSMA must, therefore, comply with the mandate of the Catalan authorities in relation to the collection of data to minimise the risk of contagion among those attending the event."

"Under Public Health Law 18/2009 of the Autonomous Community of Catalonia, health authorities may intervene in private activities for the purposes of protecting the health of citizens and preventing diseases. GSMA considers the Plan, as such an intervention agreed and approved by the Catalan authorities, to be a mandate to implement the measures mentioned above, including the collection of COVID Data."

"In the event that the legal basis indicated above does not apply, GSMA would rely on its obligation to protect the vital interests of event attendees (including workers and suppliers), Article 6.1.d) GDPR, protection of the vital interests of attendees, as the legal basis for the processing of their data." Recital 46 of the GDPR establishes the possibility of processing data on this legal basis in the context of monitoring epidemics, which the respondent understands as "its obligation to protect the vital interest of event attendees, including workers."

Article 9.2.g) of the GDPR, substantial public interest. It responds that: "the objective of the Organisation is the creation, in coordination with the health authorities, of a safe environment for staff, workers, exhibitors, visitors, suppliers, partners and the local community, taking into account the characteristics of the event and the pandemic situation. The same legislation cited in the previous paragraphs would apply to justify the processing of health data under article 9.2.g) of the GDPR regarding the protection of a substantial public interest."

5. "The purpose of the processing."

The answer is that the purpose of the processing of health data by QUIRONPREVENCIÓN was limited to verifying "whether or not the information contained in the health certificates complied with the requirements for access to the event established by the Organisation, although the true purpose of the processing of this data, from GSMA's perspective, was none other than to protect the attendees of MWC22 and their workers, guaranteeing a safe and healthy environment for all of them, and, ultimately, to prevent the spread of the pandemic as a serious cross-border threat to public health in the manner required in accordance with the Plan agreed upon and approved by the health authorities."

6. "The appropriate guarantees implemented for the protection of the rights and freedoms of individuals, including the security measures adopted to protect the confidentiality of personal data."

It replied that "a certificate regarding the security measures applied by QUIRONPREVENCIÓN is attached as ANNEX NUMBER 2". This consists of a letter from QP, signed on 04/20/2022 by its Data Protection Committee, which certifies compliance with the data protection regulations in all data processing carried out in pursuit of its corporate purpose and states that it adopts the legal, technical and organisational measures necessary to guarantee the security of such processing. There is no reference to the specific processing commissioned, nor is any party involved in the matter listed.

The respondent adds that: "Regarding the processing of COVID Data, neither GSMA nor FIRA have had access to this data. These were collected directly by QUIRONPREVENCIÓN, which analysed them and confirmed whether the individual was 'FIT' or 'UNFIT' for the purposes of accessing the event."

7. "The categories of data subjects (workers, clients, users, etc.) and the information provided on the processing of these health data."

It responds that: "The categories of data subjects are all those persons who, for whatever reason, had to access the perimeter of the event venue, that is, the attendees, the exhibitors and the suppliers (contractors and subcontractors). Regarding the information provided on the processing of these data, and in relation to the data processing subject to this claim, it is provided by the supplier/employer directly, as GSMA does not have direct contact with the workers. The contract between GSMA and the supplier requires the supplier to comply with applicable data protection laws, including the transparency and lawfulness requirements thereof, for the purposes of transferring the data of its employees to GSMA or its data processors, including the provision of the GSMA privacy policy (the specific privacy policy is provided to the supplier) to its employees whose data is provided to GSMA. The privacy policy complies with the requirements established in the GDPR and includes information regarding the processing of health data of attendees, including the processing of data provided by third parties, making specific reference to the case at hand, in particular to the circumstance in which the supplier provides the employee data to GSMA."

8. "Where applicable, the order that contemplates the health measure for the containment and control of the epidemic caused by the SARS-CoV-2 virus, as well as justification of the need for and proportionality of the application of this measure to the event."

It replied that "The mandate was given to GSMA through the Plan, which was developed in collaboration with (and approved by) the Catalan authorities", as explained above. The competent authorities considered at the time that the measures approved in the Plan were appropriate to manage the pandemic at the time the event was held.
Likewise, the justification of the need for and proportionality of applying these access requirements to the event rests on three reasons, largely related to the nature of the MWC itself:

a. The first is the international nature of the Congress. In the MWC22 edition a total of 183 of the world's 195 countries were represented. Due to the health crisis caused by COVID-19 and the temporary restrictions on non-essential travel from third countries, some of them at risk or even very high risk, GSMA had to adapt its Health and Safety Plan for the event to the provisions of Order INT/657/2020, of 17 July, which modifies the criteria for the application of a temporary restriction on non-essential travel from third countries to the European Union and Schengen associated countries for reasons of public order and public health due to the health crisis caused by COVID-19, whose criteria were modified monthly to respond to changes in circumstances or new recommendations in the EU, as well as to the Resolution of June 4 (it is unknown which resolution the quote refers to).

b. The second is the mass nature of the Congress. The MWC22 edition welcomed a total of 61,000 people during the four days of the event, a very high volume of attendees which, in a pandemic context and taking into account the high concentration of individuals in the same space, requires the adoption of measures to ensure that all attendees are in possession of the appropriate health credentials and to reduce the probability of contagion and/or spread of the virus to a minimum.

c. The third is public health reasons closely related to the context and the evolution of the pandemic during the dates prior to the MWC; the mortality and contagion indicators in the months prior to the MWC "were anything but hopeful and justified the adoption of such measures, which we endorse."

9. "Please report whether only the display of the certificate or negative proof of an antigen test is requested, or whether the information contained therein is recorded or kept, and in that case, justification of the need for its registration and the location of the servers on which it is stored."

It responded that: "As indicated, MWC22 attendees send ('upload') their health certificates directly to the QUIRONPREVENCIÓN platform, where they are recorded and stored on its own servers, located in Spanish territory, until the last day of the event's dismantling, at which time they are destroyed." The justification for recording and retaining this data is very simple. QUIRONPREVENCIÓN needs to access this data in advance and remotely (since thousands of attendees must be accredited, including workers) in order to carry out its verification function, which is necessary for attendees to obtain the pass to access the premises (and thus comply with the requirements of the Plan). In addition, these certificates must be kept in case a positive case arises during the event, which would invalidate the pass and would be communicated to the Health Authorities through the appropriate channels. Managing access to an event of these characteristics requires the retention of the data in order to facilitate access to the event on the days of its celebration and to avoid crowds at the entrance. The COVID data was only kept during the period of the event and was deleted once the dismantling of the event was completed. The MWC ended on 03/03/2022, and QUIRONPREVENCIÓN destroyed all data on 03/08/2022, which was the date of completion of the dismantling.
10. "If applicable, details of the procedure established for workers to register the documentation on the platform."

He responded that: "The procedure is as follows:
Step 1. The supplier registers each of its workers on the GSMA platform.
Step 2. Once registered, each worker receives a confirmation email from GSMA with a link that provides access to their account.
Step 3. Each worker directly provides the COVID Information through the QUIRONPREVENCIÓN platform.
Step 4. Each worker receives a confirmation/rejection email for the completion of the registration process on the GSMA platform."

11. "Recipients of the registered or stored information."

He responded that: "The recipient of the registered or stored health data is QUIRONPREVENCIÓN since it is the entity that, in accordance with its status as sub-processor, must check whether the form and content of the health certificates comply with the access criteria established by the Organization." Neither GSMA nor FIRA "have had access to the registered health data."

12. "Report on whether international transfers are carried out and, if applicable, identification of the data importers, country of destination of the transfer, and if there is, adequacy decision or adequate guarantees regarding international data transfers."

He responded that: "There is no international transfer of data. Health data is stored on the servers that QUIRONPREVENCIÓN has in Spain."

13. "The Impact Assessment carried out or reasons why it has not been carried out."

He replied that it is attached as ANNEX NUMBER 3, in whose title it expressly refers to the treatment of COVID 19 related health data of "the employees of GSMA suppliers" who "provide the services agreed between GSMA and its suppliers" for the holding of MWC Barcelona 2022, alluding to the fact that the data is uploaded to "a platform provided by GSMA's sub-contractor, QUIRON PREVENCION (QP)", "and that no other party than QP has access to that platform", and reiterates that the purpose is to ensure secure access. It can be seen that the date of the EIPD that appears at the end of the document is 02/22/2022, whereas, according to the emails of 01/20 and 01/21/2022 provided by the complainant, the collection of COVID 19 health data of the employees for access to the assembly facilities would take place from 01/23/2022 to 03/08/2022. "The processing activities are in accordance with the measures implemented by the GSMA "Committed Community" Plan that has been developed and approved by Catalan and Spanish authorities, including those of health." In the section "What is the source of the data?": "Those of employers, that is, GSMA suppliers; and those interested directly." In "What is the nature of the relationship with the interested parties?", it is indicated that "the interested parties are the employees of the GSMA suppliers engaged, or linked with FIRA or with GSMA to provide services at the MWC event venue". In "description of the treatment", it is specified in the data collection process that: "The COVID information is uploaded to the platform directly by the employees".
The registration process is as explained in the previous point 10, adding that: "GSMA is only notified about whether the person is able to access the venue or not." It is indicated that health data is of a special category and that employees, due to the imbalance of power in the contractual employment relationship, constitute a vulnerable group.

- "What do you want to achieve?" "Comply with the Plan agreed with the Spanish/Catalan health authorities to ensure that the MWC event is a COVID-19 safe environment for all attendants. Comply with the sectoral requirements regarding the organization of Congresses, in particular the Catalan COVID Action Plans for Exhibition Venues and Congresses (Congress Action Plan and Exhibition Venue Action Plan)."

- "Is it appropriate to consult other internal stakeholders and, if so, who?" "The processing of COVID Information is mandatory under the Plan that has been drafted in coordination with the Catalan health authorities, the Department of Business and Knowledge of the Generalitat de Catalunya, PROCICAT (Commission of the Ministry of the Interior of the Generalitat de Catalunya) as well as the Public Health Agency of Barcelona and the Department of Public Health of the Spanish Health Service. The Plan has been approved by PROCICAT."

- It affects 11,970 people.

- It is indicated in "treatment context" that the relationship with the interested parties is that they are employees of GSMA suppliers and provide their services at the MWC event venue. On "how much control will they have?", it is indicated that: "Individuals are informed about their rights in relation to the treatment through the Privacy Notice provided by their employer on behalf of the GSMA.
In accordance with the Contractor Registration Terms and Conditions between the GSMA and the suppliers, the suppliers contractually commit to comply with all transparency and legality obligations before sharing employee data with the GSMA, including the provision of the GSMA Privacy Notice to all relevant employees." In the same point it is indicated: "Would they expect you to use their data in this way?" "Yes. Please see the answer above regarding how individuals were informed about processing activities. In addition, the COVID-19 measures carried out at the MWC are in line with measures taken at similar events, as they are agreed with health authorities who set out these requirements in general (for example, similar measures would be required to access other crowded spaces)."

Also under "processing context" it says: "Are there any previous concerns about this type of processing or security breaches?" "No. Any measures implemented by GSMA (including the processing of COVID information) are discussed and agreed with the relevant health authorities." QUIRONPREVENCIÓN has security certifications (ISO 27001:2013 certification and certification according to the Spanish National Security Scheme).

In section step 4, "Assessment of necessity and proportionality", the bases of legitimacy for data processing are referred to, including article 6.1 c): "The Committed Community Plan" (CCP) was prepared in collaboration with the Catalan health authorities and approved by PROCICAT, and is aligned with the Catalonia COVID Action Plans for Fairs and Congresses applicable to GSMA and FIRA.
The "Committed Community Plan included the requirement to request COVID information." The CCP then reiterates the citation of Law 18/2009, of 22/10, on public health, in the area of the CCAA of Catalonia, as a regulation that may affect citizens in the area of health to prevent diseases, and GSMA considers that the CCP constitutes this authorization, being approved by the Catalan health authorities as a mandate to implement COVID 19 measures in the MWC to prevent the spread of COVID 19, including the collection of COVID information that is required by and to comply with the instructions of the health authorities. It also cites as a legitimizing basis, apart from article 6.1.c), article 6.1.d) and article 9.2.g) of the GDPR. It specifies this 9.2.g) in that "a substantial public interest occurs in accordance with Union law or Spanish law. GSMA was required by law to comply with health instructions from health authorities and develop and comply with the 'Committed Community Plan'."

In the same section, the following are answered: "Can the same result be obtained with less data processing?"; "How is transparency provided to interested parties?", reiterating that the privacy notice was provided by the employer on behalf of GSMA, before their data was shared by the employer with GSMA; and "How is the exercise of rights made possible for interested parties?", indicating that this is in accordance with the "privacy notice".

- In step 5, "risk assessment, identification, assessment and mitigation of risks", there is a table with five columns called: "Source of risk and probable consequences", "Severity of risk", "probability of risk", "general risk". Among others, the following appear in this table:

- "Failure to provide sufficient information to individuals": "GSMA ensures that suppliers' employees are provided with the Privacy Notice before their data is shared by their employer with GSMA.
In accordance with the Contractor Registration Terms and Conditions, suppliers are contractually required to comply with all transparency and lawfulness obligations before sharing their employees' data with GSMA, including the provision of the GSMA Privacy Notice to all employees before sharing." It is classified as: high in risk severity, remote in probability, and overall risk: low. "Information on rights is also included in the Privacy Policy." "The rights of data subjects and the way in which they can be exercised are detailed in the Privacy Notice."

In the risk assessment it is indicated:

- as a "remote" probability, that of a complaint about the decision to deny access to a supplier employee based on COVID information; despite being classified as "risk severity, high", it is classified as "overall risk: low", and in mitigation measures it is indicated that "GSMA guarantees a consistent approach to determine whether a person can be granted entry to the MWC event venue based on COVID-19 information and in light of the Plan. Complaint levels were low at MWC 21", concluding that people "have the three options, vaccination certificate, negative PCR test valid for 72 hours, or medical certificate of recovery from the disease."

- In "errors in complying with requests from interested parties", it is indicated that the rights of individuals are included in the "privacy notice" provided to the employees of the providers, with "low overall risk".

The intervention of the DPO is not mentioned at any point in the DPIA, but in the section "link to advice from DPO (if any)" it says N/A. Nor does it appear that the affected parties were consulted.

14. "The decision taken regarding this claim."
It indicates that no decision has been taken regarding this claim, since all the actions carried out by GSMA in the field of personal data protection have shown the utmost respect for the current obligations; it does not consider that any incident has occurred, so it has not adopted any measure.

FOURTH: Admission for processing on 04/29/2022

On 04/29/2022, in accordance with article 65 of the LOPDGDD, the claim submitted by the complaining party was admitted for processing.

FIFTH: Consultation of the Commercial Report of the company being sued

In the consultation carried out in the "monitoring report of the non-commercial company GSMA LTD", with the NIF that appears in this agreement, as a non-resident entity, the "estimated financial figures" table shows a "net amount of the turnover" for 2021 of XXXXXXXX, and for the previous year of XXXXXXXXX.

SIXTH: Recorded background of the respondent in the AEPD SIGRID file management application

It is recorded in the SIGRID registry, the AEPD file management information system, that the respondent was sanctioned in procedure EXP202100603, PS/00553/2021, with a financial penalty of 200,000 euros imposed in a resolution of 24/02/2023, for an infringement of article 35 of the GDPR, classified in article 83.4 a) of the GDPR and, for the purposes of prescription, classified as serious in article 73.t) of the LOPDGDD; an appeal for reinstatement was filed and dismissed on 04/28/2023.

SEVENTH: Agreement to initiate sanctioning procedure, dated 06/05/2023

On 06/05/2023, the Director of the AEPD agreed:

- "INITIATING SANCTIONING PROCEDURE to GSMA LIMITED, with NIF N4004237F, for the alleged infringement of the GDPR, articles:
- 14 of the GDPR, in accordance with article 83.5.b), classified as very serious for the purposes of prescription in article 72.1.h) of the LOPDGDD, with a fine of 100,000 euros.
- 9.2 of the GDPR, in accordance with article 83.5.a), classified as very serious for the purposes of prescription in article 72.1.e) of the LOPDGDD, with a fine of 300,000 euros.
- 6.1 of the GDPR, in accordance with article 83.5.a), classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD, with a fine of 200,000 euros."

EIGHTH: Claims of the respondent dated 06/27/2023

On 06/27/2023, the respondent made the following claims:

- As the start agreement was also notified to its participating entity GSMC, it reiterates the distinction between the respondent and defendant, on the one hand, and GSMC, on the other, which has no role in the processing of data at MWC Barcelona.

1- It sets out the number of attendees in 2019 (110,000) and in 2023 (88,500) and that the event occupies a space of 240,000 square meters, equivalent to about forty soccer fields, in the "FIRA de Gran Vía" venue, having cancelled the February 2020 edition due to the spread of the virus when the pandemic had not yet been declared. It states that in this case this proves the criteria of prudence required by health legislation and the preventive measures that govern its actions, limiting itself to complying with public health regulations.

2- Regarding FIRA DE BARCELONA, it clarifies that it is a public entity with an associative base and consortium character of promotion, made up of the Generalitat, Barcelona City Council and the Official Chamber of Commerce, Industry and Navigation of Barcelona. From the point of view of regulations on data protection, FIRA and QUIRONPREVENCIÓN (hereinafter QP), as subcontractor, signed the corresponding data processing contract for the provision of health services for the MWC22. FIRA acts as GSMA's data processor.
The contract between FIRA and QP (supplier), dated 21/02/2022, has been provided as DOCUMENT 4, although in the duration section it indicates that "it will be valid from the month of January 2022". It highlights:

- "The MWC 2022 event organized by GSMA Ltd. will be held at the FIRA DE BARCELONA exhibition facilities, Gran Vía venue."
- "FIRA, by mandate of GSMA Ltd., and in its capacity as main contractor, is responsible for managing and coordinating with the supplier previously designated by GSMA the provision of services related to the validation of COVID certificates."
- "FIRA and QP have defined the minimum requirements for the provision of such services and the conditions of their contracting, with the supplier having submitted an offer. The parties express their agreement and acceptance with the offer of services for the MWC BCNA 2022, which includes the offer of the supplier and the requirements of FIRA and GSMA."

As part of the contract, up to SIX ANNEXES are included. The clauses follow, including the communication of results and validation of the tests/vaccination certificates in ANNEX 1B, "Systems integration", which states that the results (only negative tests) will be communicated to FIRA "through an API that FIRA will provide through which it will indicate the participant's identifier and the validity of the test so that the participant is marked as 'verified for access' in the access control systems to the event." There is a confidentiality clause covering the information exchanged between the supplier and FIRA, considering confidential any information received from the organizer of the event, which will be used by the supplier for the sole purpose of providing the service for which it has been required.
As an annex to the contract, there is a specific "data processor contract", ANNEX VI, which regulates the conditions under which QUIRON PREVENCION SLU, as sub-processor, will carry out the processing of data necessary for the provision of the service, in accordance with Article 28 of the GDPR. It indicates, among other contents, that GSMA is the controller of the processing and FIRA holds the position of data processor. In point 1.3, regarding the group of interested parties affected, it is only indicated that: "For the execution of the services, the data controller makes available to the subcontractor the information described regarding the participants in the event: identification data (name, surname, government identification number: DNI, NIE, passport), contact data (telephone number, electronic address), health data (vaccination certificates, recovery and diagnostic tests against COVID 19)." In point 2.2, it is indicated as a guarantee and commitment of the subcontractor to treat the data in accordance with the instructions of the person in charge. Among the obligations of the data controller, point 8, is that of "providing information to interested parties about the processing of their personal data".

The requested copy of the framework contract between FIRA and GSMA is provided, in English, as DOCUMENTS 3A and 3B. In the first, dated 11/22/2019, FIRA, as the owner of the facilities and service provider, and the organizer of the MWC Barcelona, GSMA, agree on additional services to those signed on 07/14/2011, known as "HOST CITY PARTIES", in which other public entities are included (City Council, Generalitat, etc.).
Section 5, "Data Protection and Information Security", states that: "The provider must comply with the provisions of the data protection annex included in Annex 1, Part A of this agreement, which appears in the agreement in which the provider is configured as the data processor and GSMA as the data controller." The second, DOCUMENT 3B, reflects an amendment to the contract dated 11/22/2019, in order to extend its validity until 2030, and updates the aforementioned Annex 1, Part A.

3- Attached, as DOCUMENT number 7 bis, is a certificate of destruction issued by the entity QP. The MWC ended on 03/03/2022 and QP destroyed all the data on 03/08/2022, which was the date of completion of the dismantling. QP has ISO 27001:2013 certification, accredited under ENAC criteria, as well as certification of compliance with the National Security Scheme, which provides the appropriate security controls to protect the organization's information assets.

4- It mentions the various regulations that may generally enable restrictive actions and intervention by the State health authorities (LO 3/1986 of 4/04, on special measures in public health, and Law 14/1986 of 25/04, General Health). In the area of Catalonia, it reiterates the aforementioned Law 18/2009 of 22/10 on public health, in compliance with which the Department of Health of the Generalitat de Catalunya (GC) periodically approved resolutions in line with the state of the pandemic and established measures, in a coordinated manner with the Territorial Plan for Civil Protection in Catalonia (PROCICAT). It considers that the legal framework applicable to the organization of MWC 22 was formed by compliance with the applicable conditions in accordance with the basic legislation, Law 2/2021 of 29/03, on urgent measures for prevention, containment and coordination to deal with the health crisis caused by COVID 19, and the measures and restrictions approved by the Department of Health of the Generalitat de Catalunya.
It adds that it had to take its organizational actions under the principle of precaution and duty of caution. DOCUMENT 5 is a copy of the resolutions issued by the aforementioned Department of Health, from 7/12/2021 to 2/03/2022, comprising a total of five resolutions that have a similar scheme in common:

Each of them establishes, with temporary validity, the measures in matters of public health for the containment of the epidemic outbreak of the COVID 19 pandemic in the territory of Catalonia, indicating the alert level according to the four existing phases and reporting on the epidemiological and care indicators, with reports such as that of the Scientific Advisory Committee or the director of the Agència de Salut Pública de Catalunya (ASPCAT). After indicating various regulatory provisions that relate to the field of public health, in which the competent health authorities can adopt various measures, it is indicated that "the administrative intervention in public and private activities necessary to address the health crisis situation caused by COVID-19, protected by the aforementioned legislative framework, subjects the measures that affect fundamental rights to the additional guarantee of judicial control with respect to the judgment of proportionality in its triple aspect: suitability, necessity and proportionality."

As references to measures affecting fundamental rights, the requirement of the COVID certificate is cited for access to certain non-essential activities in closed spaces (restaurants, physical and/or sports activity rooms, gyms and permitted musical recreational activities: concert halls, theatre cafes, concert cafes and musical restaurants), and it is also included for visits to residential centers for the elderly and people with disabilities. These are mentioned for the first time in resolution SLT/3512/2021 of 25/11, remain in that of 7/12/2021, and are reiterated, for example, in resolution SLT8/2022 of 4/01/2022, which is valid for 14 days from 7/01/2022 and which also, for the area of interest here, establishes:

In its "introduction" part: "...in accordance with the position of the Scientific Advisory Committee on COVID-19, of November 18, 2021, contained in the document entitled Proposal to consider the use of the COVID certificate in other areas of Catalonia, among the measures that limit fundamental rights, proposes maintaining the requirement of the COVID certificate for access to those non-essential activities that take place in closed spaces with higher risk due to the conditions of main transmission of the virus by aerosols and where there is more vulnerability and, therefore, more need for protection. These activities are limited to the catering sector, halls and gyms where physical and/or sports activities are carried out and concert halls, theatre cafés, concert cafés and musical restaurants" (later referred to in section 3.4: "use of COVID certificate"). "In all these activities, the layer of health protection is established which supposes as a requirement for access the presentation of the certificate issued by a public health service accrediting one of the following circumstances: that the person has the complete vaccination schedule against COVID-19, that the person has a negative diagnostic test COVID-19 ─PCR or antigen test─ with a certain validity, or that the person has recovered from the disease in the last six months (COVID certificate). Persons under 13 years of age who do not have limited access to the premises, establishments, equipment or corresponding spaces due to age are exempt from the condition of presenting the COVID certificate.
The measure represents an impact, albeit slight, on equality and privacy in the terms of Judgment 1112/2021, of September 14, of the Contentious-Administrative Chamber of the Supreme Court, adopted under the legal cover of Organic Law 3/1986, of April 14, on special measures in matters of public health, in coherence with other health laws, with the aim of reducing the risk that an infected person comes into contact with other non-infected and unprotected persons and can transmit the infection to them. The suitability and necessity of the measure in terms of the objective of protecting health and life is justified by the effectiveness of vaccination as a preventive action, as accredited by scientific studies on the reduction of infections, hospitalizations and deaths. Likewise, there are several factors that increase the risk of transmission of SARS-CoV-2 in activities subject to this measure, especially in the current context, where there is greater circulation of more contagious SARS-CoV-2 variants."

- In its section 3.4, for access to the aforementioned spaces, it is indicated: "For these purposes: the owners or persons responsible for the premises, establishment, equipment or space must establish the access control system that allows the verification of any of the planned certificates presented by the people who want to access as users, without keeping the data they contain and without using them for any other purpose than the aforementioned access control. In addition, affected persons must be notified with a sign in a visible area of the non-conservation of the accredited personal data."

This provision for providing health documentation does not survive the successive approval of the aforementioned resolutions, from SLT 99/2022, dated 26/01, which came into force on 28/01/2022, onwards.
- Regarding the "Congresses, conventions, trade fairs and major festivals" sector, it appears, for example, mentioned for the first time in SLT/3652/2021 of 7/12, and reiterated in subsequent resolutions, with the following wording: "1. The holding of congresses, conventions, trade fairs and similar activities, as well as professional events, by telematic means is recommended. The in-person holding of congresses, conventions, trade fairs and similar activities in closed spaces requires that the minimum ventilation established in the current regulations on thermal installations in buildings be guaranteed. When more than 1,000 people may be concentrated in the development of these activities, it is recommended that the reinforced ventilation and air quality conditions indicated in Annex 4 be complied with in closed spaces and, both in closed and open spaces, compliance with the organizational measures for crowd control indicated in Annex 3 must be guaranteed."

- The respondent goes on to summarise the main conditions that were set out in these resolutions, which are divided into:

1 "general measures for individual and collective protection: distance and mask". Contemplated in Law 2/2021, use of individual masks (art. 6.1) "in any closed space for public use or that will be open to the public and in mass events that take place in open-air spaces, when attendees are standing.
If they are seated, it was mandatory when a safety distance of at least 1.5 m between people could not be maintained", and a distance of 1.5 metres between people, "which would not have been possible to comply with, if the COVID-19 documentation had not been required electronically for verification and validation."

2 "Use of the COVID certificate". It states that "the regulations referred to required the presentation of a COVID certificate to access halls and gyms where sports activities were practiced, concert halls, cafes, theatre, concert cafés and catering activities." "These measures remained in force during the months of preparation and organisation of the MWC22, that is, from November until the end of January, although as of Resolution SLT/99/2022, dated 26/01, the provision of COVID-19 certificates was no longer mandatory to access these activities (halls and gyms where sports activities were practiced, concert halls, theatre cafés, concert cafés, and catering activities)." "However, the claim and the sanctioning procedure improperly initiated by the AEPD refer to the documentation that GSMA required prior to Resolution SLT/99/2022, dated 26/01, and this apart from the fact that, as will be noted, it was the documentation required for the organization of an event that anticipated the attendance of 61,000 people (beyond the activities for which the certificate had been provided as mandatory until 26/01/2022) and in view of the existing pandemic situation." Regarding the holding of congresses, it was required that the minimum ventilation established in the current regulations be guaranteed. "However, the truth is that in no way did the Resolutions of the Department of Health foresee an organization of the dimensions of the MWC22".
"Therefore, the measures provided for in the resolutions of the Department of Health for congresses and fairs did not provide clear coverage for an event such as MWC22, which was to bring together 61,000 attendees and involve the participation of 11,900 workers and suppliers; a situation that highlighted the need to require the provision of COVID-19 certificates." The measures taken by GSMA are the result of the evolving pandemic situation during the preparation and celebration phase of MWC 22, based on data from the Department of Health and previous reports from the Public Health Agency of Catalonia (ASPC) approved in accordance with article 55 bis of Law 19/2009, provided in DOCUMENT 5, and under the protection of the precautionary principle in terms of public health. It examines the situation outlined in the resolution of 12/23/2021, in alert phase 4 out of a total of 4 phases, and details reports from the ASPC Director of 12/23/2021 on the omicron variant, with an expected increase to more than 50,000 cases per day by mid-February 2022. In short, the months of preparation and celebration of MWC22 were characterized at a pandemic level as a phase of maximum alert and very high risk, to which had to be added the uncertainty and alarm regarding the impact that the Omicron variant could imply. In this context, GSMA, in coordination with the Catalan and Spanish health authorities, chose to require COVID-19 certificates in the framework of the suppliers and workers of MWC22 (who are more than 11,000) and articulated the strategy called "Committed Community Plan", which refers not to a specific and written protocol that can be provided, but to the measures that were being established in response to the unpredictable evolution of the pandemic and the uniqueness of an event such as MWC. In fact, the measures were set out in all the Resolutions and reports provided as DOCUMENT 5.
It indicates the 17 meetings that were held with health authorities from October 2021 until the end of February 2022, and that "in these meetings the action finally carried out, specified in the document 'MWC22 ACTION PROTOCOLS', was examined and validated", which is attached as DOCUMENT 6, prepared jointly by FIRA and GSMA, as can be seen in said document, and which was presented to the Catalan and state health authorities for their approval; it established that the registration process required assemblers and participants to upload their COVID data. It states that: "Thus, in accordance with the precautionary principle, it was decided to require COVID Certificates, in the same way that it was required until 26/01/2022 for bars, restaurants or gyms. This requirement is clearly proportionate and appropriate, if we take into account the size of the event. In this regard, let us remember that the organization of MWC22 required the intervention of 11,900 workers and suppliers." "GSMA has limited itself to complying with the regulations on public health, and the measures decreed by the health authorities. And all this always based on the precautionary principle provided for in art. 3 of Law 33/2011 and the precautionary principle required by article 4 of Law 2/21."

DOCUMENT 6 is a graph entitled "health requirements to access MWC 2022 protocol 1", 01/27/2022, version 2.0, which indicates that the assemblers/registration must upload the COVID passport, PCR-TAR, which is verified by QUIRON, plus a subsequent self-declaration of accepted health to obtain access control, with additional protocols for positive cases, criteria and isolation cases in the event of a positive case, and action in the event of illness of an attendee.

5- There has been no violation of article 9.2 of the GDPR because the action is covered by the exceptions contemplated in sections g) and i):

"g) the treatment is necessary for reasons of essential public interest, on the basis of Union or Member State law, which must be proportionate to the objective pursued, substantially respect the right to data protection and provide for appropriate and specific measures to protect the interests and fundamental rights of the data subject; (…)

i) the processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health, or to ensure high levels of quality and safety of healthcare and medicines or medical devices, on the basis of Union or Member State law which provides for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy"

It should be clarified first of all that, in line with what was analysed in the previous allegation, GSMA applied the measures and limitations on the protection of public health provided for in the Resolutions of the Department of Health attached as DOCUMENT number 5, which GSMA, in a coordinated manner with the health authorities, interpreted and applied in accordance with the details set out.
The common denominator of the aforementioned articles is that the processing is necessary for reasons of public interest, and GSMA has acted for reasons of public interest on the basis of the principles of prudence and caution and the health regulations issued by the various Administrations, in order to establish the health measures necessary to protect the health of workers and suppliers, as well as attendees. Furthermore, the right to data protection is not unlimited, and finds its limits in other fundamental rights such as the right to life and health. It cites Supreme Court ruling number 1112/2021 of 09/14/2021, referring to measures consisting of the requirement to display the COVID 19 passport in public establishments; the ruling assesses the impact on privacy in relation to life and public health. It concludes by stating that “the processing of sensitive data carried out, which referred to the data required under health legislation and the Resolutions issued by the Department of Health, responds to an indisputable essential public interest, such as the protection of the people who were going to participate in the MWC22 in a pandemic context such as the one described.” “The SC supports the sufficient coverage of the health regulations of Galicia (in relation to the case tried in the Sentence) to impose identical measures as those agreed by the Catalan health authorities; measures that, as we have seen, GSMA had the legal obligation to interpret and apply within the framework of the organization of the MWC22 and that required, in view of the magnitude of the event, telematic processing.”

The measures and the processing of personal data carried out are covered by public health legislation. The processing is required to be based on the law of the Member States, and in turn it cannot be ignored that art. 9.2 of the LOPDGDD specifies: “2. The data processing contemplated in letters g), h) and i) of article 9.2 of Regulation (EU) 2016/679 based on Spanish law must be covered by a law, which may establish additional requirements relating to its security and confidentiality.” Well, as has been widely analyzed, the measures applied by GSMA are supported by regulations with the rank of law, both state and regional: LO 3/1986, Law 14/1986, Law 2/2021 and Catalan Law 18/2009. “Under the protection of said legislation and the Resolutions approved by the Department of Health, GSMA has implemented the data registration and processing measures, in order to effectively comply with the measures required by the legislator and the health authorities.” “It should be recalled that the sufficiency of this regulatory framework to agree on limiting measures in the context of the prevention of the COVID-19 pandemic, and specifically the requirement for COVID-19 Certificates, has been confirmed by Judgment 1112/2021.” The processing has been proportionate and adequate, limited to COVID 19 health data, carried out electronically and only for the duration of the event. Pursuant to Article 9.2.i) of the GDPR, GSMA adopted appropriate and specific measures to protect rights and freedoms, without having had access to the data.

- Article 6.1 of the GDPR has not been violated. It reiterates that the action would be covered by Articles 6.1.c) and 6.1.d) of the GDPR. The processing of personal data carried out by GSMA was carried out in compliance with the legal obligations imposed by public health legislation and the measures applied by the health authorities. The legal basis of the specific measures required by the health authorities and applied by GSMA regarding data processing and the requirement of a COVID-19 passport is provided as DOCUMENT number 5.
In order to prove which legal obligation GSMA was applying and complying with by requiring COVID-19 certificates, in accordance with the provisions of art. 6.1.c) GDPR, it is appropriate to recall: “That LO 3/1986 and Law 14/1986 cover all those preventive and restrictive measures agreed by the health authorities to control transmissible diseases in the face of an imminent and extraordinary risk to health. - Furthermore, in compliance with basic state legislation, Catalan Law 18/2009 reiterates that, in accordance with said Resolutions of the Department of Health, a COVID-19 certificate was required to access any public place (bars, restaurants, gyms, etc.): interpreting and applying said Resolutions of the Department of Health in accordance with the precautionary principle, GSMA required the Covid-19 Certificate from all MWC22 suppliers, as well as attendees. And all of this in accordance with the criteria and authorization obtained from the health authorities.”

As the GDPR recognizes, the legal bases for processing can be multiple. Thus, in this case, the processing of data rests on a double legal basis, article 6.1.d) of the GDPR also applying, taking into account Recital (46) of the GDPR, which recognizes emergency situations, stating that the processing of personal data will be lawful when it is necessary for humanitarian purposes, including the control of epidemics, as reflected in AEPD report 17/2020, which specifies that art. 6.1.d) GDPR is a sufficient legal basis and can be used for the processing of personal data aimed at protecting all those persons susceptible to being infected in the spread of an epidemic: “Art. 6.1, d) GDPR considers not only that vital interest is a sufficient legal basis for processing to protect the “data subject” (as this is a term defined in art. 4.1 GDPR as an identified or identifiable natural person), but that said legal basis can be used to protect the vital interests “of another natural person”, which by extension means that said natural persons may even be unidentified or not identifiable; that is, said legal basis for processing (vital interest) may be sufficient for the processing of personal data aimed at protecting all those persons susceptible to being infected in the spread of an epidemic, which would justify, from the point of view of the processing of personal data, in the broadest possible way, the measures adopted for this purpose, even if they are aimed at protecting unnamed persons or persons in principle not identified or identifiable, since the vital interests of said natural persons must be safeguarded, and this is recognized by the regulations on the protection of personal data.” It states that “In these situations of health emergency, it allows controllers to adopt the necessary measures to safeguard the health of people, said necessary measures being those determined by the health authorities; those taken by the respondent were in application of the administrative resolutions of the Department of Health, and the requirement of COVID certificates by electronic means was agreed with the health authorities.”

- Article 14 of the GDPR has not been violated; the obligation has been fulfilled. It states first of all the lack of legitimacy of the AEPD, since the claim does not allege that the information provided by GSMA was deficient; it only focuses on health data. It alleges the application of the judgment of the National Court of 23/12/2022 (BBVA), considering that in this case the imputation of said infringement of article 14 of the GDPR is totally disconnected from the claim filed, so that in no way can the AEPD use the present procedure to impute an infringement of the duty of transparency.
In addition, it indicates that the information provided by GSMA complies with the provisions of article 14 of the GDPR. It indicates that the privacy policy provided by GSMA, dated 04/29/2021, refers to third parties and suppliers among the persons to whom it applies, including “third party personnel and other persons participating in the event”, the literal content being as follows: “This Privacy Notice applies to the processing of personal data of MWC Barcelona participants, including attendees, exhibitors, sponsors, speakers, partners, third party personnel and other persons participating in the event. This includes personal data obtained through the attendee registration system, the Event application, the partner program registration system, the exhibitor and partner registration system, digital and/or printed scanning of credentials and/or facial recognition (at access points, for sessions or for participation in closed meeting spaces) at the Event, and the bulk upload system of contractors.”

Additionally, the section “Information obtained from third parties” states: “From time to time, the GSMA receives personal information from third parties. This may occur, for example, if your employer is a GSMA member and registers you for an event or training or if your employer (or entity by which you are employed as a contractor or temporary staff member) provides services to the GSMA and you are involved in the provision of these services.”, clearly indicating, in the clause on the origin of the data, that employers will provide their employees’ data.
It considers that the content of said information is sufficient, deducing this from the statement of the AEPD in the initiation agreement referring to the “privacy policy of the respondent's website”, the content of which does not refer to the employees of the suppliers but to the attendees/participants in the event; it understands that the agreement considers this not to be in accordance with article 14 of the GDPR while recognizing that the rest of the information has been provided in an appropriate manner, the information in the privacy policy being sufficient. It adds that the privacy policy was also contained in the registration application, providing a screenshot of a registration screen, “Contractor accreditation-system login”, with fields for email and password, a “Sign in” button, and a link with the text “legal” at the bottom left, next to another, “contact us”, which leads to the next screen (screen 6), where there are links to various information, among others about cookies, the terms and conditions of the event, or “privacy”, which when clicked opens the “privacy policy”. It provides another screenshot, without explaining how to reach it, showing a “health declaration” (and a link for more information, www.mwcbarcelona.com/atttend/safety) with the “send” button.
The respondent states that “it is clear in this section that employees are informed of the data provided by suppliers.” It states that it provides in DOCUMENT 9 the text of the privacy policy in the version applicable to the celebration of MWC 22, of which it is worth highlighting:

- last update 04/29/2021
- Sections are shown under titles indicating the information they contain, each of which can be accessed by clicking on it, including:

“When is this privacy policy applied?”, which states: "This Privacy Notice applies to the processing of personal data of MWC Barcelona participants, including attendees, exhibitors, sponsors, speakers, partners, third-party personnel and other people who participate in the event. This includes personal data obtained through the attendee registration system, the Event application, the partner program registration system, the exhibitor and partner registration system, digital and/or printed scanning of credentials and/or facial recognition (at access points, for sessions or for participation in closed meeting spaces) at the Event, and the bulk upload system for contractors.” [English translation]

In the “information you voluntarily provide” section, among others, it states: “COVID 19 As set out in our Committed Community plan, you will be required to undergo Covid-19 testing at regular intervals during the Event. Information about your test results will be processed for the sole purpose of access control, tracking and tracing as required by local health authorities, in their relevant event regulation and protocol.”

Under “Information we obtain from third parties” it states: “From time to time, the GSMA receives personal information from third parties. This may occur, for example, if your employer is a GSMA member and registers you for an event or training or if your employer (or entity by which you are engaged as a contractor or temporary staff member) provides services to the GSMA and you are involved in the provision of these services.” [Spanish translation]

In the section on “Legitimate bases for the processing of personal information”, it is indicated, among other things, that: “In some cases, we may also have a legal obligation to collect personal information about you, we may be required to do so for reasons of public interest or we may otherwise need the personal information to protect your vital interests or those of another person, for example, in the event of a medical emergency during the Event.”

Alternatively, it considers the infringement time-barred by its classification as minor, since it does not consider it an omission, the privacy policy having been duly provided, and if the AEPD considers it incomplete, the infringement would become minor, as a formal breach of article 74.a) of the GDPR. Consequently, the initiation agreement having been notified on 06/05/2023 and the claim having been filed on 01/29/2022, the statute of limitations for the prosecution of infringements classified as minor would have elapsed.

7- It alleges that liability requires intent or fault (art. 28 of Law 40/2015), which excludes strict liability, taking into account what is set forth in the judgment of the Supreme Court, Administrative Litigation Chamber, Section 3, no. 1456/2021 of 12/13, and that, in the absence of culpability, it should follow that it cannot be sanctioned. In addition, in the hypothetical case that it should be sanctioned, “the inadmissibility of the resolution is evident since in no case are there aggravating circumstances.”
It considers that there is no culpability in the facts imputed to GSMA, because: “The intention of processing sensitive data was solely and exclusively to guarantee the health of workers, suppliers and ultimately of attendees and participants in MWC22”, in a temporal context, December 2021 to March 2022, of maximum alert, with the Catalan authorities approving changing restrictive measures, measures that “required the provision of COVID 19 certificates in any establishment or event open to the public”. Once the objective of holding MWC 2022 was achieved, it did not have any negative impact on the pandemic situation. Given the high number of participants, suppliers and workers, the company acted from the “precautionary principle” (art. 3 of Law 33/2011 of 4/10, General Public Health), in a coordinated manner agreed with the health authorities. It acted diligently by commissioning QP.

Subsidiarily, and stated in dialectical terms, the principle of proportionality is violated, as excessive amounts are attributed that do not correspond to the concurrent facts and circumstances. It considers that the aggravating circumstance of recidivism in file PS/00553/2021, resolved on 02/24/2023, in the framework of the MWC of the previous year, would not be present, even less so for the three infractions charged, since recidivism according to article 29 of Law 40/2015 refers to an “infraction of the same nature”, the TS having considered in its judgment of 03/23/2005 (without further identifying elements) that it would occur “with respect to the same type of offender”. It considers that recidivism is only applicable when the same type of infringement occurs. It considers that the infringement of the aforementioned PS, for not having carried out an impact assessment on the processing of biometric data for access to the MWC, in breach of article 35 of the GDPR, is not of the same nature as the three infringements charged in the present procedure, one of which consists of the processing of health data.

- The nature, scope and purpose of the processing (article 83.2.a) of the GDPR) should have been assessed as an attenuating, not an aggravating, circumstance in the three infringements charged, since it is proven that the only purpose of its action was to ensure the health of the workers and suppliers of the MWC22, “in line with the measures shared with and agreed upon by the health authorities”.

- Inappropriate application of article 83.2.b) of the GDPR as an aggravating factor in relation to the breach of article 14 of the GDPR, which should be considered an attenuating factor due to the objective pursued of collaborating with the health authorities in compliance with the legislation on public health and the measures and restrictions applicable to the control of COVID 19, and due to the diligence in its actions, which involved not accessing the data, through the hiring of QP.

- Inadmissibility of the application of the aggravating factor of article 83.2.k) of the GDPR in relation to article 9.2 of the GDPR, the AEPD considering that, given the need to regularly process data for the organization of the event, it has been doing so in successive editions. It considers that its activity is to develop events related to the promotion of mobile telephony and is carried out with the collaboration of the public organization FIRA, and that the business activity of the respondent has no special link with the health data of its participants and collaborators.
- It requests that, if the case is not closed, as provided for in article 77 of the LPACAP, “this Instructor will proceed to agree to open an evidentiary period and grant this party the opportunity to propose the corresponding means of proof. In this regard, and apart from the documents provided with this document, which will be proposed as documentary evidence, the corresponding documents of QP, the Agència de Salut Pública de Catalunya, the General Directorate of Public Health of the Ministry of Health, and the Management of Fira de Barcelona, involved in the procedure followed to protect public health in the organization of MWC22, will be proposed to the Instructor; and this without prejudice to the other evidence that may be proposed.”

NINTH: First extension of allegations, dated 10/11/2023

On 10/11/2023, the respondent expanded the allegations in the following aspects. It states that after the date of submission of the previous allegations it has had access to additional documentation that in its opinion would confirm the inadmissibility of the sanctioning file, specifically of the violations of articles 9.2 and 6.1 of the GDPR. It reiterates that the respondent, in a coordinated manner with the Catalan and Spanish health authorities, chose to interpret and apply the resolutions of the Department of Health of the Generalitat in accordance with the principle of precaution and prevention required by public health regulations and the evolution of the Omicron variant. Consequently, COVID-19 certificates were required for MWC 2022 suppliers and workers, and this has been accredited by the resolutions of the Department of Health and other documentation provided in the previous statement of allegations.
It reiterates that the task of evaluating and validating the COVID certificates, not only of the 11,000 workers but also of the 61,000 attendees, presented a complexity and magnitude that could only be handled electronically, given the safety distance and the prevention measures required by the applicable health legislation. It provides reports issued by the COVID-19 Scientific Advisory Council (CCAC) (DOCUMENT 1), an advisory body attached to the Secretariat of Public Health of the Department of Health, created "on the basis of resolution SLT/2917/2021 of 29/09, reports that are configured as the scientific basis used by the periodic resolutions issued by the aforementioned Department." Its reports issued during November and December 2021 would confirm that the measure adopted by the respondent, in collaboration with the health authorities, of requiring a COVID 19 certificate "from the people entering the FIRA premises" was in accordance with the regulations on public health.

DOCUMENT 1 contains the CCAC report entitled "proposal to consider the use of the COVID certificate in other areas of Catalonia", dated 11/18/2021, which, according to the respondent, shows that the requirement of COVID-19 certificates at events, both outdoors and indoors, was unanimous in most European countries. In summary, it says: The EU COVID 19 certificate came into force on 07/01/2021 and certifies a person's health information regarding COVID 19. After explaining its content and that it was created to facilitate travel between EU countries, colloquially known as the "COVID passport", it indicates that "its use can facilitate access to services beyond the possibility of traveling" and prefers to call it the "COVID certificate". Graph 1 shows access requirements for certain places and events in the EU, and the report explains, for example, the implementation in Belgium of the "COVID SAFE TICKET" to access events attended by more than 5,000 people (approved by the Belgian authorities, as can be seen from the link provided). The graph, titled "areas where the COVID certificate or equivalent is requested in other European countries" by type of activity, shows that for events in outdoor spaces as well as indoors (without indicating capacity) it is required in the 10 countries it cites, the source being the Scottish Government. It also explains that in some countries, in some cases, "the vaccination certificate or the obligation of vaccination is required, these initiatives being effective to increase vaccination coverage." It mentions that currently it is required to access the interior of certain establishments, "for which it is required to show the certificate, although it is not allowed to collect data from attendees". It explains the reasons for considering the extension of the COVID certificate in Catalonia, differentiating the essential activities, in which "it is reasonable to facilitate without impediments the activities - work, education -", from the non-essential ones.
It adds that, although discrimination in access implies the limitation of an individual right, it is a consequence of the choice not to be vaccinated; this limitation in certain spaces occurs to guarantee the right to the protection of the health of others, and people who do not provide the documents will not be able to access, adding that the documents only have to be presented and that files cannot be created. "The COVID certificate is emerging as the most efficient measure to avoid the closure or limitation of hours of non-essential services. It brings benefits and does not pose any potential risk to individual or population health”. This document aimed to gather the technical criteria of the aforementioned Council regarding when and in which areas it is appropriate to extend the COVID certificate based on data and indicators, and served as the basis for the issuance of the resolution of the Department of Health of 7/12, SLT/3652/2021. In this resolution, a system of four risk bands is indicated to act as an alert for a possible increase in cases and to activate and deactivate the requirement for the COVID 19 certificate in Catalonia, also containing criteria and proposals to determine in which areas the extension of the COVID certificate should be considered in each risk band. It cites environments with high epidemiological risk (especially closed environments where masks may be removed and/or where the minimum safety distance cannot be maintained), or the minimization of the risk of contagion for people who present a high risk of serious complications. It acknowledges that “Although the COVID certificate does not fully guarantee that a person is not infectious and does not replace other non-pharmacological measures, it does reduce the probability of contagion significantly. On the other hand, in consideration of the common good in a context of limited resources in the health system, it points out that it is configured as a mechanism to avoid overloading primary and hospital care.”

In accordance with the proposals of the Scientific Advisory Committee, the report of the director of the Public Health Agency of Catalonia prioritizes maintaining the requirement of the COVID certificate for access to non-essential activities that take place in closed spaces, which carry higher risk because the virus is mainly transmitted by aerosols and where there is greater vulnerability and, therefore, greater need for protection. These are: both ordinary (nightlife) and extraordinary musical recreational activities (music festivals, concerts at major festivals, popular festivals, street parties and other cultural events with standing audiences and the possibility of dancing); the hotel and restaurant sector where social events with dancing are offered; restaurants; and halls and gyms where physical and/or sports activity takes place. For greater legal certainty, it is specified that the concept of closed spaces corresponds, for these purposes, to interior spaces and to exterior spaces that are covered and laterally enclosed by more than two walls, partitions or wall faces. “In all these activities, the layer of health protection is established, which requires for access the presentation of the certificate issued by a public health service that accredits one of the following circumstances: that the complete vaccination schedule against COVID-19 has been received, that a negative COVID-19 diagnostic test -PCR or antigen test- with a certain validity is available, or that the person has recovered from the disease in the last six months (COVID certificate). Persons under 13 years of age whose access to the premises, establishments, equipment or corresponding spaces is not limited by age are exempt from the condition of presenting the COVID certificate.
The COVID certificate measure, adopted under the legal cover of Organic Law 3/1986, of April 14, on special measures in matters of public health, in coherence with the other health laws, represents an affectation of the fundamental rights to equality (article 14 CE) and privacy (article 18 CE) of a tenuous nature, in the terms of Judgment 1112/2021, of September 14, of the Contentious-Administrative Chamber of the Supreme Court, confronted with the powerful presence of the fundamental rights to life and physical integrity (article 15 CE) and with the protection of health (article 43 CE), which defends the general interest of all in surviving COVID-19. The aforementioned ruling has also established the parameters that the measure, insofar as it affects fundamental rights, must comply with in order to pass, subject to the guarantee of judicial control, the proportionality judgment in its triple aspect: suitability, necessity and proportionality of the measure.”

The aforementioned report also argues that the use of the COVID certificate should be extended to more areas than those required up to that time, considering it:

- an ideal measure: “The COVID certificate is proposed as a measure to live with COVID-19 and reduce the risk of transmission in environments of high epidemiological risk (especially in closed environments where masks may be removed and/or where the minimum safety distance cannot be maintained)”. The respondent considers that the venue of the MWC22, with the degree of participation described, was an environment of this type, and deduces that the requirement of the COVID certificate was ideal.
- a proportional measure, considering that "it is a temporary, proportional and balanced measure to make the protection of public health compatible with the performance of certain activities and thus avoid the closure of non-essential services."
- a non-discriminatory measure, because the veto of access of the person who does not present it, although it represents a limitation to an individual right, occurs to guarantee the right to health protection of the rest.

The CCAC document of 11/18/2021 (not the resolutions issued by the health authorities) provides for the need to require (request) the COVID-19 certificate for congresses of more than 500 people and in any event that brings together more than 10,000, including in the document the reference to the phenomena of super-contagion in indoor spaces and also in large outdoor events with a large concentration of people where the minimum interpersonal safety distance could not be ensured. It provides a table of what would be required for large events such as, for example, congresses indoors with an attendance of more than 500 people, or venues of any type with a capacity of more than 10,000 people, for example the Camp Nou football stadium.

- Another document, the “preparation and response to the Omicron variant of the SARS-CoV-2 Coronavirus in Catalonia”, dated 12/19/2021, was taken into account in the resolution of 12/23, SLT 3787/2021, the scenario of which was that of “very high risk”, and which meant: “The preliminary data generated by different laboratories confirm the worrying antibody resistance of the Omicron variant. In principle, previous infection or initial vaccine regimens do not seem sufficient to guarantee a sufficient neutralizing response against Omicron, while third doses have a positive impact of increasing neutralizing antibody titers. It is suggested (based on the available scientific evidence) that there may be a more than possible reduction in the effectiveness of the different vaccines against infection. The epidemiological impact of this variant in the short, medium and long term will be very significant.
The simulation results of possible scenarios show that an increase in incidence is expected, which, in the absence of additional measures, could lead to more than 50,000 cases per day by mid-February 2022.”

The respondent points out that, consequently, the CCAC reports confirm that the requirement for a COVID-19 certificate for access to the premises is configured as a measure required by public health legislation and the resolutions approved by the Department of Health. It details the workload and volume of work involved in the validation by QP, by electronic means, of the three modalities for attendees' access to the event (it does not point out any aspect regarding the employees of the suppliers), attendees who also came from different countries, covering such points as whether the vaccine was listed as authorized, whether the certificate was issued by the competent authority, the validity of the vaccination certificate, and the dates from which the COVID-19 recovery certificate was valid. It provides a table of the volume of reports processed in the preceding days, from 02/21/2022 to 03/02/2022, and reiterates that the only way to comply with the sanitary measures required and mandated by the health authorities while maintaining the minimum distance was the prior presentation of these certificates by electronic means.

In conclusion, it considers that there has been no breach of art. 9.2 of the GDPR because the processing of health data, the COVID-19 certificates, was covered by the exceptions in article 9.2.g) and i) of the GDPR, as it was necessary for reasons of an “essential public interest” and for “reasons of public interest” in the field of public health. Likewise, the processing of personal data carried out by GSMA was carried out in compliance with the legal obligations imposed by public health legislation and the measures applied by the health authorities.
7- If a sanction were to be imposed, it requests that the sanction be imposed at its minimum level for violations of articles 6 and 9, considering the concurrent circumstances and the principle of proportionality.

TENTH: Second extension of allegations, dated 11/21/2023

On 11/21/2023, further allegations were received. The respondent states that the documentation that it now provides, together with that already on file, confirms its thesis that article 9.2 or 6.1 of the RGPD has not been violated, and that the measures applied were agreed and authorized in a coordinated manner with FIRA and the health authorities in compliance with the legislation on public health and COVID 19 prevention.

It provides a letter from FIRA DE BARCELONA, dated 31/10/2023, contractor and processor of the respondent, which was sent to request confirmation of the process that they carried out within the framework of the celebration of the MWC 2022 in conditions of health safety, going on to relate the following explanatory context:

- “Taking into account the experience carried out in 2021, it was agreed to create a working group made up of professionals from the Public Health Agency of Catalonia, FIRA DE BARCELONA and GSMA”, to “establish and implement an ad-hoc health plan, which would mitigate the risk of generating an epidemic outbreak in the development environment within the fairgrounds”.
- “The precedent of the success of the Health Plan defined and executed for MWC21 will be taken as an example,” which had as its fundamental pillar the performance of rapid antigen tests as a prior step to authorizing visitors to enter the fairgrounds.
- It explains the environment in which MWC 22 was to take place and the previous preparations, considering the “proposal to consider the use of the COVID certificate in other areas in Catalonia” from the CCAC of 11/18/2021, in the face of an alert situation in phase 4 and the size of the event, together with the variation in epidemiological conditions.
- It reiterates that one resolution among the several issued required the presentation of a COVID certificate in certain activities as an access requirement “until 01/26/2022.”
- “FIRA and GSMA, in coordination in various meetings with the management and the Public Health team of the Public Health Agency of Catalonia of the Generalitat of Catalonia, will follow what the CCAC recommended and the situation of continuity of requiring the COVID certificate in other European countries as the CCAC itself said in its report of 21/01/2022”.
- “For all the above, it is for this reason that the management of the Public Health Agency of Catalonia of the Generalitat of Catalonia communicated to the organizers of the MWC22 its agreement with the “Mitigation Plan” that we proposed, considering the scientific evidence, the requirement of the COVID 19 vaccination certificate, and in the event of not having it, the performance of TAR carried out by a health partner as a prior step to the authorization of the access of visitors and staff to the fairgrounds.”

The letter ends with: “Awaiting your confirmation that this has been the way it has been acted upon, or if not, your comments or clarifications.”

The letter is answered by an email dated 11/7/2023, signed by the Deputy Director General of Public Health Coordination, Secretariat of Public Health, on which, according to the respondent, the ASPC depends, which indicates: “in relation to the letter received on the process followed by COVID control measures at the MWC held from 02/28/2022 to 03/03/2022, I confirm that I agree with the content expressed in said letter”.
According to the respondent, this Deputy Director held the position during the months of preparation for MWC22.

The respondent explains the role of the Catalan Public Health Agency, whose Director has the status of public health authority (art. 5 Law 18/2009) competent to decide and propose the measures and restrictions to be adopted regarding the control of the pandemic, and states that the ASPC has, among others, the function of issuing a prior and mandatory report on the resolutions issued by the Department of Health every two weeks on care aspects and on epidemiological and public health aspects, in order to certify the updated situation of contagion risk, the situation of control of the pandemic and the sufficiency of the measures, and to propose measures to be adopted (art. 55 bis Law 18/2009).

The respondent reiterates that the measures were agreed by GSMA in a coordinated manner with the health authorities at a level of very high risk declared by resolution SLT/3787/2021 of 23/12/2021. The respondent points out that, within the working group composed of ASPCAT, FIRA and GSMA for the celebration of the MWC 2022, they proposed to the ASPC “the requirement by telematic means of COVID 19 certificates for anyone who intended to access the FIRA premises during the preparation and celebration of the MWC 22, which had the consent of the ASPCAT, in accordance with the response to the letter from FIRA”, specifying: “It is for all the above that the management of the Public Health Agency of Catalonia of the Generalitat de Catalunya communicated to the organizers of the MWC22 its conformity with the proposed mitigation plan”, in 17 working meetings from October 21 to February 22.

“The ASPCAT was the competent health authority to propose the measures and restrictions to be adopted by the Department of Health in order to control the pandemic.” “The health authorities and FIRA validated and authorized both the mandatory requirement of COVID-19 certificates for entry to the FIRA premises, as well as the provision and management of said data by electronic means, as the only viable solution in compliance with the legal requirements in matters of public health.”

It concludes by indicating that this documentation confirms that it has acted within the framework of compliance with legal obligations in matters of public health, so that the alleged violations of articles 9.2 and 6.1 of the GDPR are inapplicable, reiterating that the processing of health data, that is, of COVID-19 certificates, was covered by the exceptions provided for in art. 9.2.g) and i) of the GDPR because it was necessary for reasons of “an essential public interest” and “for reasons of public interest in the field of public health.”

ELEVENTH: Issuance of a resolution proposal dated 03/12/2024.

On 03/12/2024, a resolution proposal was issued with the following wording: “That the Director of the Spanish Data Protection Agency impose an administrative fine on GSMA LIMITED, with NIF N4004237F, for the following GDPR violations:
- a violation of article 9.2 of the GDPR in accordance with article 83.5.a) of the GDPR, and for the purposes of prescription, classified as very serious in article 72.1.e) of the LOPDGDD, with a fine of 300,000 euros.
- an infringement of article 6.1 of the GDPR, in accordance with article 83.5.a) of the GDPR, and for the purposes of prescription, classified as very serious in article 72.1.b) of the LOPDGDD, with a fine of 200,000 euros.
- an infringement of article 14 of the GDPR, in accordance with article 83.5.b) of the GDPR, and for the purposes of prescription, classified as very serious in article 72.1.h) of the LOPDGDD, with a fine of 100,000 euros.”

On 20/03/2024, an extension of the deadline for making allegations was requested, which was granted.

TWELFTH: Allegations to the resolution proposal, presented on 04/08/2024.

On 04/08/2024, the respondent presented the following allegations:

1- It states that document 4 provided in its allegations actually contains two contracts, the MAIN one and the SUB-PROCESSOR one, and that the first contained broader elements than the sub-processor one. It states that the sub-processor contract was limited to the administrative validation of the health documentation related to COVID provided by the visitors and “workers” of MWC 22, “in order to grant them the condition of fit or not for access and to work in it, before, during and after the event”. Based on this, as a new allegation not previously made, it points out that “the services provided for in the main contract and not contemplated in the sub-processor contract” included:
- “Medical or health validation of the COVID certificates by medical or health personnel of QUIRÓNPREVENCIÓN.” “Assuming the decision and the medical risk of declaring FIT to enter to work in the fairgrounds a person who could be infected with Covid. Neither GSMA Ltd. nor FIRA were authorized to make this decision due to the lack of medical or health personnel.”
- “Contact and medical examination of the worker or visitor in the event that it was necessary”.
- “Hospital care service (24/7) through the network of Quirón Salud centers for all participants in the MWC22.”
- “Performance, if necessary, of antigen tests by health personnel.”

With regard to these, it is noted that they must be understood as corresponding to the provision of medical or health services, which they provide as data controllers, because:
- There is direct dealing with the data subject.
- These medical services, like their professionals, have a legal and deontological obligation of independence, direct relationship with the patient, medical responsibility, management and conservation of clinical records, and management and conservation of health data, which obliges them to be responsible for both medical decisions and the treatments carried out, as set out in the Code of Medical Ethics of the General Council of Official Colleges of Physicians of Spain.

2- It also states that, as the “main” contract established in the “statements” section that “the parties were not prevented from reaching agreements regarding aspects not contemplated in the offer, or from incorporating or modifying at the request of the organizer any aspect of the service provided it was reasonable”, QUIRONPREVENCIÓN performed services related to support for the coordination of business activities, which pursued the ultimate goal of preventing occupational risks, based on considering each of the workers who provided their services at MWC 22 as fit or unfit, and that “in practice, the services of medical or health validation of the documents provided by the visitors were also extended to the workers who provided their services at the exhibition grounds where MWC22 would take place”, “taking into account that the visitors represented a biological risk for the workers and the workplace”. It points out that none of these services were included in the sub-processor contract.
It states that, given the number of countries from which attendees would travel to the event, and that the vast majority of exhibitors represented at the event hire their own workers “in their country of origin or through specialized agencies”, with “thousands of workers from countries around the world attending, many considered high or very high risk” by the Spanish health authorities, and given the profile of the workers, “resistant to following a safety protocol”, “it demanded the application of a sanctioning protocol that would ensure compliance with health regulations, which included the expulsion from the premises of workers who did not comply with the regulations”.

It indicates that the workers who provided their services for the assembly, including those providing services for the exhibitors, “were going to be exposed to an obvious biological risk threat”, and that “The legal obligations of employers in terms of prevention of occupational risks derived from biological risk are provided for in Royal Decree 664/1997 of 12/05 on the protection of workers against risks related to exposure to biological agents during work”. It adds that “assistance was requested from the immigration authorities and it was agreed to apply the same measures imposed at the border, especially in airports managed by AENA, where QUIRONPREVENCIÓN provided this same service”, and that “in order to determine the sanitary measures and reduce the biological risk, various authorities were consulted”, drawing up “safety and health guidelines” and FAQs, which the respondent published on its website and gave to its exhibitors and suppliers.

The URL that it indicates leads to said content, ***URL.3, is an informative note on access to MWC22, indicating for example that “before traveling, consult the protocols in force to enter Spain”, and detailing that to access FIRA, all attendees, including staff and exhibitors, must prove: vaccination against Covid-19, a valid recovery certificate, or a negative diagnostic test (PCR or rapid antigen test is accepted).

“Documents proving Covid-19 status must be sent through the official MWC22 application or the registration page on the conference website. These will then be reviewed by the event's medical partner, Quironprevención; if there is any issue with something submitted, the healthcare company will contact the individual via email. Once the test has been accepted, a digital entry credential will be activated and attendees will receive a confirmation via text message. Those taking an entry test will be required to take one every 72 hours. Each result is only valid if the 72-hour period after the test is taken covers the entire day of the event. If it expires during the day, the individual will be denied entry. The app will notify delegates whose entry certificates are expiring in advance and the expiration date will be displayed on attendees' digital credentials. Those using fully vaccinated status for entry must have received their final dose at least 15 days before the event. Vaccination certificates and approved proof of recovery documents are valid for the entire event. There will be no testing available on-site. In addition to proof of Covid-19 status, attendees must submit a daily health questionnaire and declaration in the application.”

The FAQ section mentions the GSMA Health and Safety Plan for Committed Community and other information, referring only to attendees. It states that “if you are going to fly to Barcelona, check with your company the requirements for COVID-19 to understand the specificities for health and safety measures” and that “For general information on health and safety you can visit the website of the Spanish Ministry of Health”. It is reiterated that to access the venue, visitors, once registered, must validate their vaccinations or their recovery from the disease, valid for the entire duration of the event, or take tests valid for 72 hours, and complete a daily health declaration in any of the three cases. It is also reported that the validation is carried out by a medical partner.

3- It indicates that QUIRONPREVENCIÓN acted as a partner for the employees of “any supplier, including those of more than 1,500 exhibitors as well as the suppliers who provided their services to GSMA, FIRA and their exhibitors”, and that in practice it also “carried out the medical or health validation of the documents provided by the workers of the different employers attending the fairgrounds and supported the coordination of business activities and the prevention of occupational risks with the aim of protecting the approximately 10,000 active workers in the grounds from the biological risk derived from COVID”.
“QUIRONPREVENCIÓN's role as support in the coordination of business activities and the prevention of occupational risks was regulated by the regulations on occupational risks and the specific regulations that govern the coordination of business activities. In this type of service, QUIRONPREVENCIÓN determined whether the workers were fit or not fit to work in the fairgrounds. The ephemeral nature of the MWC, as well as the precise regulation of the coordination of business activities in article 24 of the law on the prevention of occupational risks, make measures consisting of providing a special contractual framework for this service disproportionate, with the regulations that govern its activity being applicable.”

QUIRONPREVENCIÓN has platforms for the management of companies that contract its services and of their suppliers, which may serve the purposes of coordinating business activities, regulated by article 24 of the Law on the prevention of occupational risks and RD 171/2004 of 30/01, which develops said article. It reiterates that this includes the provision of medical or health validation of the documents delivered by the workers of client companies by health teams bound by professional secrecy, to which the General Law of Health and the Law of Patient Autonomy apply, as well as the regulations on occupational risk prevention services, which establish obligations for health personnel that prevail over the contracts that QUIRONPREVENCIÓN may have with client companies, as they derive directly from the Law.

“This is a health activity associated with legal obligations that establish a direct relationship between QUIRONPREVENCIÓN and the worker of the client company or of its suppliers; health professionals carry out analyses of the documentation provided by the worker and reach the conclusion of whether or not he is fit for work, this conclusion being the only information provided to their clients.”

It stresses that Annex VI of the contract, which also governs the same, entitled “data processor contract”, “was not applied in practice since all the COVID documentation was delivered by the attendees and workers to QUIRONPREVENCIÓN through its platform, in accordance with what is indicated in ANNEX 1B”, also of the contract, entitled “systems integration”, in which it is established that “The provider, QUIRONPREVENCIÓN, will have an information system necessary for the management of COVID tests,” detailing the functionalities, depending on whether it is:
- “Validation of test results”, “website for sending previous tests”, which specifies that QP “will make available to the event a website - not from FIRA or GSMA - through which the visitor can indicate their data and upload a document or photo of a PCR/antigen result or vaccination/recovery card previously made. This website will be called through a parameter with the identifier of the participant. QUIRONPREVENCIÓN will use the identifier to call the API that FIRA will provide and extract the data from the accreditation of the visitor/contractor, and thus verify that it is a participant in the event. Upon receiving a document and when a registration is validated/rejected, FIRA will be notified through the API that FIRA will enable”, but not the documents themselves.
- “The sending of an email to the interested party directly by QUIRONPREVENCIÓN and not by FIRA or GSMA regarding the validation or rejection of the documents provided.”
- In the section “checking results and verification statuses”, it is indicated that “QP will enable a feature in its systems that will allow a FIRA user to search for an accredited person and check if they have a valid negative test or if a previous test has been validated”.

5- It states that the role played by QUIRONPREVENCIÓN was that of coordinator of business activities when talking about data processing linked to the prevention of occupational risks, such as the communication of data that is necessary to comply with coordination obligations when workers from several companies carry out their activity in the same workplace, in the terms of article 24 of the Occupational Risk Prevention Act (LPRL). In the assembly phases of the event, there was a concurrence of companies with workers who shared the same workplace. QUIRONPREVENCIÓN, as the exclusive medical partner of MWC 22, performed this function of coordinating business activities, contributing to making the venue a safe work space by carrying out medical validation of the health status of attendees and workers, and the communication of conclusions was limited to indicating whether the examined worker was fit or unfit for work at the fairgrounds.

6- It is now stated that the legal basis for the processing of the health data processed before, during and after the event, relating to the assembly of the facilities for the holding of the event carried out by the employees of the GSMA suppliers, was compliance with legal obligations regarding the prevention of occupational risks.
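To make the flow described in the access notice and in the “systems integration” annex concrete, the following is an added example written for this page; it is not code from GSMA, FIRA or QUIRONPREVENCIÓN. It encodes the quoted rules (a test covers an event day only if its 72-hour window reaches the end of that day; the final vaccine dose must be at least 15 days before the event; recovery proof is valid for the whole event) and shows the data-minimising notification in which the organiser receives only an identifier and a fit/unfit status, never the health document. The participant identifiers, the stand-in accreditation lookup, the function names and the end-of-day cut-off are assumptions.

```python
"""Model of the MWC22 credential-validation flow described in the decision.

Added example (not the parties' code). The medical partner receives the
document, checks it against the published rules, notifies the organiser
with identifier + status only, and emails the data subject directly.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Literal, Optional, Tuple

EVENT_START = date(2022, 2, 28)   # MWC22 dates as stated in the decision
EVENT_END = date(2022, 3, 3)

# Constructed accreditation records standing in for the FIRA API (assumption).
ACCREDITED = {
    "P-1001": {"name": "Worker A", "role": "contractor"},
    "P-1002": {"name": "Visitor B", "role": "visitor"},
}


@dataclass
class Submission:
    participant_id: str
    kind: Literal["vaccination", "recovery", "test"]
    issued_at: datetime   # final dose date, recovery issue date, or test sample time
    document: bytes       # the uploaded image/PDF; kept by the medical partner only


def lookup_accreditation(participant_id: str) -> Optional[dict]:
    """Stand-in for the accreditation API call the annex says FIRA provides."""
    return ACCREDITED.get(participant_id)


def validate(sub: Submission, access_day: date) -> Tuple[str, str]:
    """Return (status, reason); status is only ever 'fit' or 'unfit'."""
    if lookup_accreditation(sub.participant_id) is None:
        return "unfit", "not an accredited participant"
    if sub.kind == "vaccination":
        # Final dose at least 15 days before the event starts.
        if sub.issued_at.date() + timedelta(days=15) <= EVENT_START:
            return "fit", "vaccination accepted for the whole event"
        return "unfit", "final dose less than 15 days before the event"
    if sub.kind == "recovery":
        return "fit", "recovery proof accepted for the whole event"
    if sub.kind == "test":
        # The 72-hour window after sampling must cover the entire access day;
        # end of day taken as 23:59:59.999999 (assumption).
        expires = sub.issued_at + timedelta(hours=72)
        end_of_day = datetime.combine(access_day, datetime.max.time())
        if expires >= end_of_day:
            return "fit", f"test valid until {expires:%Y-%m-%d %H:%M}"
        return "unfit", "test would expire during the access day"
    return "unfit", "unknown document type"


def notify_organiser(sub: Submission, status: str) -> dict:
    """Payload for the organiser's API: identifier and status, no document."""
    return {"participant_id": sub.participant_id, "status": status}


def notify_participant(sub: Submission, status: str, reason: str) -> str:
    """Email text sent by the medical partner directly to the data subject."""
    verdict = "accepted" if status == "fit" else "rejected"
    return f"Your {sub.kind} document was {verdict}: {reason}"


if __name__ == "__main__":
    # Constructed sample: an antigen test sampled on 27 Feb at 08:00.
    s = Submission("P-1001", "test", datetime(2022, 2, 27, 8, 0), b"<image bytes>")
    for day in (date(2022, 3, 1), date(2022, 3, 2)):
        status, reason = validate(s, day)
        print(day, notify_organiser(s, status), notify_participant(s, status, reason))
```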
“Health monitoring is mandatory in accordance with Title 22.1 of the law on the prevention of occupational risks in the following cases, which were present at the holding of the Barcelona MWC 22:
- Verification of whether the health status of the worker may constitute a danger to him/herself, to other workers or to others related to the company.
- Legal obligation in relation to the protection against specific risks, such as the biological risk produced by the COVID virus.”

The occupational risk prevention regulations offer a double legitimation to request health data from visitors and workers who provide services at the fairgrounds:
“1- It grants the company, and especially its internal and external prevention service, the power to decide the most appropriate measures to comply with the obligation that the workplace be a safe place to work. This obligation is recognized in the AEPD guidelines.
2- It contemplates the specific case of biological risk, in which the verification of the health status of the worker and of visitors to the workplace is expressly provided for, to confirm that they do not pose a threat to the rest of the workers. This obligation is recognized by the AEPD guidelines. In the case of Barcelona MWC 22, these decisions were adopted at the time of the adoption of the applicable health measures, in collaboration with the health authorities.”

It states that, according to the document on the coronavirus prepared by the AEPD, in application of the occupational health regulations for the prevention of occupational risks, employers may process, in accordance with said regulations and with the guarantees they establish, the personnel data necessary to guarantee their health and to adopt the measures required by the competent authorities.

7- As a new allegation made in this procedure, it indicates that the processing of the health data of visitors, workers of exhibitors, workers of suppliers and workers of the organization was necessary “for the purposes of preventive or occupational medicine, evaluation of the worker's work capacity and medical diagnosis in accordance with article 9.2 h of the RGPD”.

8- Regarding the obligation to inform data subjects, it argues that the exception in article 14.5 of the GDPR applies to the alleged violation of article 14, since the wide dissemination of the measures that were to be applied to prevent the spread of COVID allows it to accept and affirm that the data subject had the information regarding the data that was to be requested, as shown by the various compilations of press news and dossiers that appeared in the media.

9- It states that it has proven that there is no guilt or lack of diligence, which is essential for a sanction to be imposed.

10- It states that its right to evidence has been violated, since in its allegations it indicated that, if the case were not archived, an evidentiary period should be opened, now stating that testimonial evidence would be proposed from relevant agents involved in the organization, such as different public authorities, and that there is an obligation to open said evidentiary period.

PROVEN FACTS

FIRST: The respondent, GSMA LIMITED, is a company in the mobile telephony industry that groups as members more than 750 operators and more than 400 companies, and has been the organizing entity, every year in Barcelona since 2006, of the Mobile World Congress, "MOBILE WORLD CONGRESS (MWC)". The 2022 edition was held for the attending public between 02/28/2022 and 03/03/2022.
In 2020, due to the spread of the coronavirus outbreak, it was cancelled.

SECOND: For the celebration of the MWC 2022, the respondent established an access system for employees of suppliers who carry out assembly work on the facilities during the celebration of the Congress, which required the registration of data on a “digital pass platform” owned by the respondent. The venue where the MWC is held is called FIRA Gran Vía because it is located on this street, and it is owned by the FIRA DE BARCELONA consortium (hereinafter FIRA). The respondent's instructions for access to the MWC 2022 facilities by the employees of the suppliers for the assembly of the facilities where the event would be held involved the collection and processing of COVID 19 data, which would be managed by QUIRON PREVENCION SLU (QUIRONPREVENCIÓN) as sub-processor of FIRA, FIRA being the processor on behalf of the respondent.

THIRD: According to the emails of 20 and 21/01/2022 provided by the claimant, FIRA DE BARCELONA issued instructions for access to the MWC 22 facilities (access pass), informing of the system that would be required from 23/01/2022 to 8/03/2022, affecting, among others, in this case, the employees of the suppliers dedicated to the assembly of the facilities (stands). The system starts with the creation of an account by FIRA for each supplier, from which the passes are self-managed by a collaborating manager for the passes of all the employees of each supplier. Once the names have been loaded into the system, each collaborator receives an email with a link to complete the registration. The email of 01/20/2022 indicates that when they log in for the first time “your workers will have to create a password. Once this is done, they must upload one of the following documents to the system:
- COVID-19 vaccination certificate (complete schedule), or
- COVID-19 recovery certificate, or
- negative proof of a valid COVID-19 test (negative antigen test performed in the last 72 hours in any of the periods: setup, celebration, dismantling).”

In addition, it is reported that these documents “must be uploaded to the registration system website by each worker for validation.” Also, suppliers are informed that they can easily view and generate reports of workers who have not yet uploaded their documents, in order to follow up with them.

FOURTH: FIRA INTERNACIONAL DE BARCELONA, with CIF Q-0873006-A (FIRA), owner of the facilities where the event is held (DOCUMENT 3 a), is, as stated in its privacy policy, an association-based consortium for development, made up of the Generalitat de Catalunya, the Barcelona City Council and the Official Chamber of Commerce, Industry and Navigation of Barcelona. FIRA provides services for the MWC Barcelona, of which the respondent is the organizer. In many cases, FIRA has the status of contractor of the respondent for services and supplies provided within the framework of the MWC. GSMA LIMITED provides a copy of a framework contract dated 22/11/2019, DOCUMENT 3 a, signed with FIRA INTERNACIONAL DE BARCELONA to provide services related to MWC Barcelona, according to the various work order declarations in force from 2020 to 2023. The respondent attaches in annexes the descriptions where the types of data to be processed specifically by FIRA for each service and the purpose of the data processing assignment are stated.
In the allegations to the opening agreement, the existence of a contract signed on 21/02/2022 by FIRA DE BARCELONA, as the respondent's processor, with QUIRONPREVENCIÓN SLU for the MWC 22 is accredited; the MWC 22 is organized by GSMA, and FIRA, by mandate of the latter, coordinates and manages with the supplier designated by GSMA (QUIRONPREVENCIÓN) the provision of services related to the validation of COVID certificates. Among other services, the integration and communication of results and the validation of vaccination certificates and tests is included. The contract includes a part with the data processor clauses.

FIFTH: The respondent has stated that the procedure established for workers to register the documentation on the platform would be:

Step 1. The supplier registers each of its workers on the GSMA platform. The data entered, according to the respondent, as appearing in its Data Protection Impact Assessment, would be, for each employee: email, name and surname. Furthermore, regarding the groups of affected data subjects, only the following data appear in the FIRA-QUIRONPREVENCIÓN data processing contract, which the respondent makes available, regarding the “participants”: “government identification number (DNI, NIE, passport), contact details - telephone number” (1.3 of the data processing contract).

Step 2. Once registered, each employee receives a confirmation email from GSMA with a link that provides access to their account on the QUIRONPREVENCIÓN platform.

Step 3. Each employee directly provides COVID-19 information through the QUIRONPREVENCIÓN platform.

Step 4. Each employee receives a confirmation/rejection email from QUIRONPREVENCIÓN on the completion of the registration process on the GSMA platform. “GSMA IS NOTIFIED whether the person is qualified to access the office or not.”

SIXTH: When explaining the legal basis legitimizing the processing of personal data of the suppliers' employees, the subject of the claim, the respondent details that, given the spread of the epidemic shown by the indicators, it began to foresee the scenario of the holding of the event from the fall of 2021, and that it had to pay attention to the successive resolutions that established temporary measures in public health matters for the containment of the epidemic outbreak of the COVID 19 pandemic in the territory of Catalonia (resolutions of the health authority, signed by the Minister of Health and by the Minister of the Interior), which usually had a validity of 14 days.

The respondent stated in its response to the transfer of the claim that on ***DATE.1 it had a Health and Safety Plan for MWC22, publishing a notice on its website in which it reports that, in execution of said Plan, “the attendees” and “the workers in the premises” must provide some of the medical documentation that coincides with that recorded in the third proven fact, adding “… the proof of compliance with the protocols will be stored and displayed in the official application of the event.” The respondent has not provided a copy of the aforementioned PLAN, which, it states in its response to the transfer of the claim, was approved in coordination with Catalan health authorities and “required it to collect personal data such as those that are the subject of the claim.”

SEVENTH: The respondent reports that the basis that legitimizes the processing of the data of the employees of the suppliers who set up the facilities for the celebration of the MWC 22 is article 6.1.c), which legitimizes the processing when “it is necessary” “for the fulfillment of a legal obligation applicable to
the data controller”, stating that this legal norm is the Health and Safety Plan for the MWC22, developed in collaboration with the authorities, which has not been provided at any stage of the procedure, and the legal obligations imposed by public health legislation and the measures adopted by the health authorities. It also considers that the aforementioned treatment would be protected, "if it were not justified by Article 6.1.c) of the GDPR", by Article 6.1.d) of the GDPR, since "it is necessary ""to protect the vital interests of the interested party or of another natural person", understanding the situation as an emergency, being necessary for humanitarian purposes, including the control of epidemics. EIGHTH: Regarding the exception to the prohibition of processing health data that the respondent, as data controller, manages for the employees of the suppliers who carry out the assembly of the facilities, the respondent stated in the response to the transfer, only, that article 9.2.g) of the GDPR is applicable, considering that the treatment “is necessary for reasons of an essential public interest on the basis of the law of the Union or of the Member States, which must be proportionate to the objective pursued, essentially respect the right to data protection and establish appropriate and specific measures to protect the interests and fundamental rights of the interested party”, on the basis of the aforementioned Health and Safety Plan for the MWC22 and by the Public Health Law 18/2009, of 22/10, applicable to the territorial scope of Catalonia, which provides for the possibility of administrative intervention in health protection and disease prevention, both in public and private areas. 
On the other hand, the respondent stated that, from October 2021 until the end of 2022, it held meetings with the health authorities examining the evolution of the pandemic and, as a result, it provides DOCUMENT 6, “health requirements to access the MWC22, protocol 1”, dated 01/27/2022, which is a diagram indicating the process by which the assemblers must upload their COVID data.

The respondent also supports the lifting of the prohibition on the processing of the employees' health data, in its allegations to the initiation agreement, in article 9.2.i) of the GDPR (although this does not appear in the DPIA dated 04/22/2022), namely: “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”, under the protection, according to the respondent, of the resolutions of the Department of Health that it attached as DOCUMENT 5, “which establish public health measures to contain the epidemic outbreak of the COVID 19 pandemic in the territory of Catalonia”. The respondent reiterates that it has limited itself to complying with public health regulations and the measures decreed by the health authorities, also within the framework of the principle of prudence required by health legislation.

NINTH: The Health and Safety Plan for MWC22 cited, allegedly negotiated with the health authorities, has not been provided by the respondent, and its content and date are unknown. MWC22 was held for attendees from 02/28/2022 to 03/03/2022. The instructions for access to their workplace by employees of suppliers, such as the complainant, were applied between 01/23/2022 and 03/08/2022.
The respondent has provided a certificate issued by the entity QUIRONPREVENCIÓN on 3/10/2023, which provides a summary of the days prior to the start of the event, as well as of the first days of the event, and provides information on the reports received from 21/02/202 to 02/03/2022, with a total of 54,779 reports.

TENTH: The resolutions of the health authority applicable between 23/01/2022 and 08/03/2022 were the following:

RESOLUTION SLT/99/2022, of 26/01, which establishes the measures in terms of public health for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. This resolution lifts the restrictive measures on fundamental rights that were still in force, that is, “the limitation of meetings and social gatherings to a maximum of ten people, the limitation on the capacity of religious activities, and the requirement of the COVID certificate for access to certain non-essential activities in closed spaces (restaurants, physical and/or sports activity rooms, gyms and permitted musical recreational activities: concert halls, theatre cafes, concert cafes and musical restaurants)”.

In section 2.1 “Individual and collective protection measures” it is established that “(…) Both in closed and open spaces, except for groups of cohabiting people, the interpersonal physical safety distance is set at 1.5 m, in general, with the equivalent of a safety space of 2.5 m2 per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the interpersonal physical safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion.
In open-air spaces where due to the agglomeration of people it is not possible to maintain the interpersonal physical safety distance, the use of a mask is mandatory in the terms established in section 2.3 of this Resolution.”

Regarding the “Prevention and hygiene measures in workplaces” in point 3.4, section 2, it is determined: “Without prejudice to compliance with the regulations on prevention of occupational risks and other applicable labor regulations, the owners of public and private workplaces must adopt, in the workplaces, among others, the following measures: a) Adopt organizational measures in the working conditions, so that the maintenance of the minimum interpersonal safety distance is guaranteed. And, when this is not possible, workers must be provided with protective equipment appropriate to the level of risk. (…)”

RESOLUTION SLT/177/2022, of 2/02, establishing the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. In relation to the “Individual and collective protection measures”, it indicates in its point 2.1: “1. (…) Both in closed and open spaces, except for groups of people cohabiting, the safety distance is established at 1.5 meters, in general, with the equivalent to a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, the appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion. 2. The duty of protection established in section 1 is also enforceable for the owners of any economic or business activity or establishment for public use or that is open to the public, in accordance with the organizational, hygiene and prevention standards established in this Resolution and, where applicable, in the corresponding sector plan or organizational protocol.
(…)”

In point 3.4, “Prevention and hygiene measures in workplaces”, it adds: “(…) 2. Without prejudice to compliance with the regulations on the prevention of occupational risks and other applicable labor regulations, the owners of public and private workplaces must adopt, in the workplaces, among others, the following measures: a) Adopt organizational measures in the working conditions, so that the maintenance of the minimum interpersonal safety distance is guaranteed. And, when this is not possible, workers must be provided with protective equipment appropriate to the level of risk. (…)”

RESOLUTION SLT/254/2022, of 9/02, which modifies Resolution SLT/177/2022, of 2 February, which establishes the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. It also includes: “2.1 Individual and collective protection measures 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading the SARS-CoV-2 infection, as well as their own exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for outdoor spaces for carrying out activities; the correct ventilation of closed spaces, and the cleaning and disinfection of surfaces. Both in closed and open spaces, except for groups of people living together, the safety distance is set at 1.5 meters, in general, with the equivalent to a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity.
When the development of the activity does not allow maintaining the safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion.” This resolution does not modify the specific prevention and hygiene measures in work centers of RESOLUTION SLT/177/2022, of 2/02.

RESOLUTION SLT/342/2022, of 16/02, establishing the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. It also includes in point 2.1: “Individual and collective protection measures 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading infection by SARS-CoV-2, as well as their own exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for outdoor spaces for carrying out activities; the correct ventilation of closed spaces, and the cleaning and disinfection of surfaces. Both indoors and outdoors, except for groups of people living together, the safety distance is set at 1.5 metres, generally, with the equivalent to a safety space of 2.5 square metres per person, unless more restrictive values are in force for the type of activity.
When the development of the activity does not allow the safety distance to be maintained, appropriate hygiene and organisational measures must be adopted to prevent the risk of contagion.”

RESOLUTION SLT/541/2022, of 2/03, establishing public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. It establishes in its point 2.1: “Individual and collective protection measures 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading infection by SARS-CoV-2, as well as their own exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for outdoor spaces for carrying out activities; the correct ventilation of closed spaces, and the cleaning and disinfection of surfaces. Both in closed and open spaces, except for groups of people cohabiting, the safety distance is set at 1.5 meters, generally, with the equivalent to a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risk of contagion. (…)” And in point 3.4: “Prevention and hygiene measures in workplaces (…) 2. Without prejudice to compliance with occupational risk prevention regulations and other applicable labor regulations, the owners of public and private workplaces must adopt, in the workplaces, among others, the following measures: a) Adopt organizational measures in working conditions, so that the maintenance of the safety distance is guaranteed.
And, when this is not possible, workers must be provided with protective equipment appropriate to the level of risk. (…)”

None of the aforementioned resolutions provides for the provision of COVID certification for any group or sector of activity.

ELEVENTH: The respondent has provided, in English, a Data Protection Impact Assessment on the “Processing of Covid-19-related health data of suppliers’ employees” who must be on-site at the MWC Barcelona 2022 venue to provide services, dated 04/22/2022, so that it is not proven that it was approved before the affected processing operations were carried out (data collection, from 01/23/2022 to 03/08/2022). In Step 4, “Assess the need and proportionality”, the aforementioned impact assessment states the following:

What legal basis will you rely on to process the data? “Article 6 of the GDPR Article 6.1 c) — compliance with a legal obligation. The Committed Community Plan was developed in collaboration with the Catalan public authorities (Catalan Government departments, including the Catalan Health Authorities and Procicat) and approved by Procicat. The Plan is also aligned with the Catalan Covid Action Plans for Trade Fairs and Congresses (Congress Action Plan and Trade Fair Action Plan) applicable to GSMA and FIRA, respectively. The Committed Community Plan includes a requirement for GSMA to request Covid Information. Under Public Health Law 18/2009, health authorities may interfere in public and private activities in order to protect the health of citizens and prevent disease. GSMA considers that the Committed Community Plan constituted such interference and GSMA considers the Plan, as agreed and approved by the Catalan Health Authorities, as a mandate to implement Covid-19 measures at the MWC Event in order to prevent the spread of Covid-19, including the collection of information on COVID-19.
GSMA is obliged by law to comply with the instructions of the health authorities and, therefore, Article 6, letter d), vital interest of the data subject: to the extent that the above reason is not applicable, GSMA relies on this legal basis for the processing of Covid information. We consider i) Recital 46 of the GDPR, which explicitly states that organisations may rely on this legal basis for processing when it is necessary to protect the vital interests of a person or a group, including monitoring epidemics and their spread; and ii) the recognition by the Spanish DPA that this legal basis can be used for the processing of personal data related to Covid-19. Article 9 GDPR Article 9(2)(q): substantial public interest on the basis of Union or Spanish law. GSMA was required by law to comply with the instructions of health authorities and therefore to develop and comply with the Committed Community Plan (see references above).

Can the desired result be achieved by processing less data? No. GSMA has committed to process the minimum amount of personal data necessary to achieve the purposes of the processing. The scope of the data as well as the processing activities (i.e. GSMA did not have access to the Covid Information, which was only accessed by its sub-processor, QUIRONPREVENCIÓN, and processed entirely on the Platform) have been established in accordance with the principle of data minimisation.

How will you provide transparency to individuals? Privacy Notice provided to individuals by their employer on behalf of GSMA before their data is shared by the employer with the GSMA/GSMA processor. According to the Contractor Registration Terms and Conditions, suppliers are required to contractually commit to comply with all transparency and lawfulness obligations before sharing their employees' data with GSMA, including providing the Privacy Notice to all relevant employees before sharing.
How will you enable data subjects to exercise their rights? The rights of data subjects and how they can be exercised are detailed in the Privacy Notice.

How will you ensure data protection compliance by suppliers? Contractual commitments in relevant data processing agreements, including provisions required by Article 28 GDPR.

What steps will you take to ensure compliance with data export rules? (unofficial translation)

This section assesses the following risks: (i) Unauthorised disclosure of sensitive personal data of employees by the sub-processor QUIRONPREVENCIÓN; (ii) Collection of more sensitive personal data than required; (iii) Personal data will be retained for longer than necessary; (iv) Reliance on the identified legal basis of legitimate interest for processing; (v) Complaint over a decision to deny entry to a supplier's employee, based on Covid information; (vi) Failure to provide sufficient information to individuals; (vii) Failure to comply sufficiently with a request from data subjects (DSR); (viii) Scope creep: the risk that Covid Information is used for any purpose beyond what is provided for in this DPIA; (ix) Processing of excessive personal data. (unofficial translation)

TWELFTH: Regarding the purpose of the processing, the respondent indicated that it was to protect attendees and employees by guaranteeing a safe and healthy environment for all of them, preventing the spread of the virus, “as a serious cross-border threat to public health in the manner required under the Plan agreed upon and approved by the health authorities”, indicating that during the four days of the Congress, 61,000 people accessed as attendees, and 11,970 people as employees, and recognizing that all of them were required to use the COVID certificate system.
The processing and conservation of the data collected is necessary, according to the respondent, because after the collection of the data from the employees, the subcontractor, QUIRONPREVENCIÓN, must analyze whether the documentation they provide regarding COVID 19 is valid, since the information must be verified: for example, whether all the doses are available, whether the vaccine is within the effective time, or whether the certificate was issued by an officially recognized authority. In addition, the collection and conservation of the data is carried out because it serves as a pass to the facility, facilitating access, with the respondent acknowledging that if a positive case emerges, the pass could be invalidated.

THIRTEENTH: Regarding the guarantees for the protection of the rights and freedoms of individuals, the respondent attached:

- the security measures applied by QUIRONPREVENCIÓN, stating that the data controller did not have access to the data, which were collected directly by QUIRONPREVENCIÓN, which analyzed them and confirmed whether they were suitable or not suitable for access, a fact that was communicated to the controller, the organizer of the access system for attendees and employees of suppliers.
It is also proven that the respondent had registered the data of the suppliers' employees (at least name and surname, supplier, ID-NIF, email) before the health data registered in relation to COVID 19.

- A DPIA that it provides, dated 04/22/2022, whereas the data of the employees began to be required from 01/23/2022, in which it is not proven that the involvement of the Data Protection Officer was taken into account, nor is there any record that one of the points to be covered was the assessment of the risks to the rights and freedoms of the data subjects, as well as the necessity and proportionality of the health data processing operations with respect to their purpose; nor, in relation to the employees of the suppliers who carry out the assembly of the facilities where the event is held, is any aspect mentioned regarding the right to work as an affected right, the eventual prohibition of access to the workplace, or the relation to the right to prevention of occupational risks.

FOURTEENTH: Regarding the information provided on the processing of the data of the employees of the suppliers, and of the complainant in particular, as requested in its response to the transfer and also as stated in the DPIA, the respondent indicated that it is the responsibility of the employer supplier, “since GSMA has no direct contact with the workers,” adding that “the contract between GSMA and the supplier (which is also not provided) requires compliance with the applicable laws on data protection, including transparency and legality for the purposes of transferring the data of its workers to GSMA or its data processors, including the provision of GSMA's privacy policy to its workers, which is provided to the suppliers.” In the DPIA, the following risk assessment is also added: “Not providing sufficient information to individuals”, “GSMA ensures that suppliers’ employees are provided with the Privacy Notice before their data is shared by their employer with the GSMA.
In accordance with the Contractor Registration Terms and Conditions, suppliers are contractually required to comply with all transparency and legality obligations before sharing their employees’ data with the GSMA, including the provision of the GSMA Privacy Notice to all employees before sharing.” It is classified as: high in risk severity, remote in probability, and overall risk: low. “Information on rights is also included in the Privacy Policy.” “The rights of data subjects and how they can be exercised are detailed in the Privacy Notice.”

It should be mentioned that although the privacy policy on the respondent's website, version 22 04 2021, lists as a group to which data processing is applied, among others, third parties, or third-party personnel and other persons participating in the event or “the contractor bulk upload system”, it is specified in another clause, “Information obtained from third parties”, which reads: “From time to time, the GSMA receives personal information from third parties. This may occur, for example, if your employer is a GSMA member and registers you for an event or training or if your employer (or entity by which you are engaged as a contractor or temporary staff member) provides services to the GSMA and you are involved in the provision of these services.” Although it is true that the data of the complainant and of the employees of the suppliers were entered by the employers, suppliers of the respondent, into an application of the latter, and that the latter then contacted each employee by email, there is no record that at either time or subsequently the respondent informed those affected in compliance with the obligation provided for in article 14 of the GDPR.
Furthermore, it is observed that in the privacy policy, which covers the various subjects participating in the event, the section “Data Retention” does not detail the retention of the data collected from the employees of the suppliers, urging them to contact the respondent for more information; nor does it specify which legitimizing basis corresponds specifically to the processing of each type of attendee/employee, indicating it in a general and abstract way without identifying the groups to which it refers; nor does it mention the right to lodge a complaint with a supervisory authority, the source from which the data comes, or the contact details of the Data Protection Officer. In addition, under “information you voluntarily provide”, there is “COVID-19 testing: As stated in our Engaged Community Plan, you will be required to undergo COVID-19 testing at regular intervals during the event. Information about your test results will be treated for the sole purpose of access control”, making no mention of the requirement for vaccination or a COVID certificate, which was also not voluntary for employees to provide.

BASIS OF LAW

I Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”

II Preliminary issues

Article 4 of the GDPR states: “For the purposes of this Regulation: (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” … “(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;”

Recital 35 of the GDPR refers to health data in the following terms: “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (1) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.”

In short, recital 35 of the GDPR determines that “information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council” falls within the special category of health data.
Directive 2011/24/EU, to which recital 35 refers, indicates in its article 3, “Definitions”, what is meant by: “(a) ‘healthcare’ means health services provided by health professionals to patients to assess, maintain or restore their state of health, including the prescription, dispensation and provision of medicinal products and medical devices;”. Article 3 of Directive 2011/24/EU also determines, in paragraphs (f) and (i) respectively, what is meant by “health professional” and “medicinal product”. Paragraph (f) defines “health professional” as “a doctor of medicine, a nurse responsible for general care, a dental practitioner, a midwife or a pharmacist within the meaning of Directive 2005/36/EC, or another professional exercising activities in the healthcare sector which are restricted to a regulated profession as defined in Article 3(1)(a) of Directive 2005/36/EC, or a person considered to be a health professional according to the legislation of the Member State of treatment;”.

In line with the above, it should be noted that Law 44/2003, of 21/11, on the regulation of the health professions, classifies as “health professionals”, among other professionals, Nursing Graduates (article 2) and Nursing Auxiliary Care Technicians (article 3). And paragraph (i) of article 3 of Directive 2011/24/EU understands “medicinal product” as “a medicinal product as defined by Directive 2001/83/EC”.
In turn, Directive 2001/83/EC of the European Parliament and of the Council of 6/11/2001 on the Community code relating to medicinal products for human use, in its article 1.2, defines “medicinal product” as “(a) any substance or combination of substances presented as having properties for treating or preventing disease in human beings; or (b) any substance or combination of substances which may be used in or administered to human beings either with a view to restoring, correcting or modifying physiological functions by exerting a pharmacological, immunological or metabolic action, or to making a medical diagnosis”.

In light of the provisions cited, the vaccination of a person against COVID-19 implies the provision of a health care service: a service provided by those who, according to Spanish legislation (Law 44/2003), are considered health professionals, and through which a medicinal product is dispensed, as defined in article 1.2 of Directive 2001/83/EC. Consequently, the information about whether or not an identified natural person has received the COVID-19 vaccine is in the nature of personal data relating to health. Thus, the information collected and kept by the respondent about the vaccination of workers against COVID-19, or about the result of a PCR test or the certificate of recovery from the disease, constitutes “processing” of “personal data” relating to the “health” of a natural person.
On the other hand, it is appropriate to address here the respondent's allegation that the instructor should have opened a period of evidence, since the respondent proposed the following: “in the hypothetical case that the administrative sanctioning file initiated is not immediately archived, and in accordance with the provisions of article 77 of Law 39/2015, this Instructor will proceed to agree to open a period of evidence and grant this party the opportunity to propose the corresponding means”, indicating in its second and third allegations to the initiation agreement that “the documents attached here will be proposed…”.

Regarding this issue, it should be noted that article 77 of the LPACAP states: “1. The facts relevant to the decision of a procedure may be accredited by any means of evidence admissible in law, the assessment of which will be carried out in accordance with the criteria established in Law 1/2000, of January 7, on Civil Procedure. 2. When the Administration does not consider the facts alleged by the interested parties to be certain, or the nature of the procedure so requires, the instructor of the proceeding will agree to the opening of a period of evidence for a period not exceeding thirty days nor less than ten, so that as many tests as it deems pertinent may be carried out. Likewise, when it deems it necessary, the instructor, at the request of the interested parties, may decide to open an extraordinary period of evidence for a period not exceeding ten days. 3. The instructor of the procedure may only reject the evidence proposed by the interested parties when it is manifestly inappropriate or unnecessary, by means of a reasoned resolution.” Article 78 states: “1. The Administration will notify the interested parties, with sufficient advance notice, of the beginning of the actions necessary for the performance of the tests that have been admitted. 2.
The notification will indicate the place, date and time at which the evidence will be taken, with the warning, if applicable, that the interested party may appoint technicians to assist him.” -The documents and allegations presented by the respondent were considered and assessed in the drafting of the resolution proposal; they were not rejected. The respondent did not specifically request that any particular evidence be taken, nor state its purpose, nor did it add in this regard that a third party be asked to produce, or be requested to produce, such evidence specifically. -Furthermore, the respondent did not specifically request that any evidence be taken, either during the period for allegations or after it had elapsed, and in any case before the proposed resolution, in which the facts must be assessed in accordance with article 89.3 of the LPACAP. Once the resolution proposal has been issued, it is not possible to propose evidence. In each allegation it made, the respondent in fact presented the documents it considered appropriate, and it could have presented those it considered appropriate to its right. A specific proposal of evidence, had it occurred, would have allowed its relevance to the case to be assessed; it is not necessary to open a period of evidence collection merely to incorporate documentation that the respondent stated should be taken into account. The Instructor did not find any of the circumstances indicated in article 77.2 of the LPACAP for opening a period of evidence collection, and therefore no communication was made to the respondent explaining why said period of evidence was not opened.
The elements that were taken into account in the proposal relate only to the actions of the respondent and the documents that it itself provided, without facts or allegations of third parties appearing in the procedure. Once the proposed resolution was issued, the respondent did not request the production of any evidence. The fact that no period of evidence was opened does not appear to have resulted in a lack of defence for the respondent, which has been able to allege whatever it considered appropriate to its rights throughout the entire procedure.

III Regarding the processing of health data

According to recital 1 of the GDPR: “the protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8, paragraph 1, of the Charter of Fundamental Rights of the European Union […] and Article 16, paragraph 1, of the Treaty on the Functioning of the European Union (TFEU) establish that everyone has the right to the protection of personal data concerning him or her.” As indicated in recital 53, health-related data deserve greater protection, since the use of such sensitive data may have significant negative repercussions for the data subjects. In light of the above and the relevant case law of the Court of Justice of the European Union (CJEU), it is considered that the term “health-related data” should be interpreted broadly. Health-related data can be obtained from various sources: a medical history; a “self-assessment” survey in which data subjects answer questions related to their health (for example, a declaration of symptoms); vaccination status; or the result of a PCR test. These are data relating to the health of the individual, which in this case were requested from the data subject with the collaboration of the provider of the requested data. The consequence of not providing such data could be that access to the place of service provision, the facilities where the respondent was organizing MWC 2022, would not be permitted.
Any processing of personal data relating to health must comply with the relevant principles set out in Article 5 of the GDPR, rest on one of the legal bases set out in Article 6 and fall under one of the specific exceptions listed in Article 9 of the GDPR, for the processing of this special category of personal data to be lawful. This was already indicated by the Article 29 Working Party (whose functions have been assumed by the European Data Protection Board) in the “Guidelines on automated individual decisions and profiling for the purposes of Regulation 2016/679”, adopted on 3/10/2017 and revised on 6/02/2018, by indicating that (…) “Data controllers may only process special category personal data if one of the conditions set out in Article 9, paragraph 2, as well as a condition of Article 6 are met” (…), and more recently by the European Data Protection Board in its “Guidelines 03/2020 on the processing of health-related data for scientific research purposes in the context of the COVID-19 outbreak”, adopted on 21 April 2020. This criterion was, moreover, endorsed by the judgment of the CJEU of 21/12/2023, case C-667/21, in a case in which an exception to the application of article 9 of the GDPR was examined; the judgment, point 1.3, states literally: “Articles 9, paragraph 2, letter h), and 6, paragraph 1, of Regulation 2016/679 must be interpreted as meaning that a processing of data relating to health based on this first provision must, in order to be lawful, not only comply with the requirements that derive from it, but also, at least, one of the conditions of lawfulness set out in that article 6, paragraph 1, according to the analysis carried out in paragraphs 71 to 78.” The GDPR dedicates article 5 to the principles that govern the processing of personal data and establishes in paragraph 1: “1. Personal data will be: a) processed in a lawful, fair and transparent manner with the interested party (<<lawfulness, loyalty and transparency>>).
(...)” Article 5.2 indicates that: “The data controller will be responsible for compliance with the provisions of section 1 and able to demonstrate it (<<proactive responsibility>>)”. Article 70 of the LOPDGDD establishes the responsible subjects, indicating: “1. They are subject to the sanctioning regime established in Regulation (EU) 2016/679 and in this organic law: a) Those responsible for the processing (controllers). (…)” The GDPR, article 9.1, prohibits in general the processing of “special data”, among which it mentions those related to health. However, section 2 of the provision introduces ten exceptions; ten cases in which the prohibition of processing can be lifted if any of them occurs. These circumstances that except the general rule of prohibition are connected with “some” of the legal bases that, in accordance with article 6.1 of the GDPR, legitimize the processing of data. The Report of the Legal Office of the AEPD 0017/2020 states that “in general, it must be clarified that the regulations on the protection of personal data, insofar as they are aimed at safeguarding a fundamental right, apply in their entirety to the current situation, given that there is no reason that determines the suspension of fundamental rights, nor has such a measure been adopted.” It also “recognizes that, in exceptional situations, such as an epidemic, the legal basis for the processing may be multiple, based both on the public interest and on the vital interest of the interested party or another natural person.” This is “without prejudice to the fact that there may be other bases, such as compliance with a legal obligation, art.
6.1.c) RGPD (for the employer in the prevention of occupational risks of its employees)”. Regarding the exceptions of article 9.2 RGPD, the aforementioned report, after its analysis, determines that: “Consequently, in a situation of health emergency […] the application of the personal data protection regulations would allow the data controller to adopt those decisions that are necessary to safeguard the vital interests of natural persons, the fulfillment of legal obligations or the safeguarding of essential interests in the field of public health, within what is established by the applicable material regulations.” And finally, it reasons as follows: “But the data controllers, when acting to safeguard said interests, must act in accordance with what the authorities establish in the regulations of the corresponding Member State, in this case Spain.” Thus, the Spanish legislator has provided itself with the necessary legal measures to deal with situations of health risk, such as Organic Law 3/1986, of 14/04, on Special Measures in Public Health Matters (modified by Royal Decree-Law 6/2020, of 10/03, by which certain urgent measures are adopted in the economic field and for the protection of public health, published in the Official State Gazette on 11/03/2020) or Law 33/2011, of 4/10, General Public Health.
Article 3 of the first of these regulations states that: “In order to control communicable diseases, the health authority, in addition to carrying out general preventive actions, may adopt appropriate measures to control the sick, the people who are or have been in contact with them and the immediate environment, as well as those considered necessary in the event of a risk of a communicable nature.” Similarly, articles 5 and 84 of Law 33/2011, of 4/10, General Public Health, refer to the previous Organic Law 3/1986 and to the possibility of adopting additional measures in the event of a risk of disease transmission. Therefore, in terms of the risk of disease transmission, epidemics, health crises, etc., the applicable regulations have granted “the health authorities of the various public administrations” (art. 1 Organic Law 3/1986, of 14/04) the powers to adopt the necessary measures provided for in said laws when this is required for reasons of health urgency or necessity. Consequently, from the point of view of the processing of personal data, the safeguarding of essential interests in the field of public health corresponds to the various health authorities of the different public administrations, which may adopt the necessary measures to safeguard said essential public interests in situations of public health emergency. These competent health authorities of the different public administrations are the ones to adopt the necessary decisions, and the various persons responsible for the processing of personal data must follow said instructions, even when this involves the processing of personal health data of natural persons.
The above refers, expressly, to the possibility of data controllers processing the personal health data of certain individuals when, at the request of the competent health authorities, it is necessary to inform other persons with whom said individual has been in contact of the circumstance of his or her contagion, in order both to safeguard those persons from the possibility of contagion (vital interests of said persons) and to prevent them, through ignorance of their contact with an infected person, from spreading the disease to other third parties (vital interests of third parties and essential and/or qualified public interest in the field of public health). However, as indicated in the aforementioned report, the processing of personal data in these health emergency situations continues to be governed by the personal data protection regulations (RGPD and Organic Law 3/2018, of 5/12, on Personal Data Protection and Guarantee of Digital Rights, LOPDGDD), so all of their principles, contained in article 5 RGPD, apply, among them the processing of personal data with lawfulness, loyalty and transparency, purpose limitation (in this case, safeguarding the vital/essential interests of natural persons), the principle of accuracy and, of course, with special emphasis, the principle of data minimization. Regarding this last aspect, it must be expressly stated that the data processed must be exclusively limited to those necessary for the intended purpose, without said processing being extended to any other personal data not strictly necessary for that purpose. Therefore, data protection regulations (such as the GDPR) do not hinder the measures adopted to combat the COVID-19 pandemic.
The GDPR is a far-reaching legislative act and includes various provisions that allow the management of the processing of personal data related to the COVID-19 pandemic without prejudice to fundamental rights and the protection of personal data. Therefore, when applying the provisions that the GDPR lays down for these cases, consistently with the sectoral regulations applicable in the field of public health, data protection considerations, within the limits provided by law, should not be used to hinder or limit the effectiveness of the measures adopted by the authorities, especially the health authorities, in the fight against the epidemic. Royal Decree 463/2020, dated 14/03, and the measures contained therein, as well as those established in the successive royal decrees extending the state of alarm, have constituted the basic regulatory framework of the rules adopted to deal with the health emergency caused by the pandemic. In Spain, it must be assumed that the vaccine against Covid-19 is not mandatory and that establishing it as mandatory could violate constitutionally recognized rights. The COVID certificate was not established as mandatory for workers, and it has not been proven that the health authorities established that a certain group, in this case the employees assembling the MWC22 Congress, was required to comply with the measures adopted by the respondent, which could amount to mandatory vaccination.
As an example of a situation similar to the one described, it is worth highlighting the judgment of the Supreme Court, Fourth Chamber, Social, Plenary Section, judgment 562/2021, of 05/20/2021, rec 130/2020, which establishes the absence of any regulatory obligation to require rapid antibody detection tests for technical personnel of health transport and drivers who have been in direct or indirect contact with COVID patients. On the other hand, regarding the allegations of the respondent after the proposal, it must be indicated that, in terms of prevention of occupational risks, it is the employer who is obliged to ensure the physical integrity of the workers, in accordance with the specific parameters of each risk situation in the scenario of the Coronavirus pandemic, and in this case the supplier companies have played no role in this sense, since the organizer and respondent imposed on them the requirement to register their employees in order to upload the health documentation so that they could access the workplaces. Nor is there any record that the data controller carried out any coordination of the actions of the various suppliers whose employees worked in the premises where the data controller would carry out the activity. In order to access their workplace, which coincides with the place where the event is held, these workers had to be in possession of the COVID certificate or, failing that, provide a certificate of recovery from the disease or a PCR test, which has a limited validity in time and which would require the worker to provide several PCR tests, which could affect their fundamental rights to work, physical integrity and health, and data protection. Organic Law 3/1986 of 14/04, on special measures in matters of public health, establishes: “Article one.
In order to protect public health and prevent its loss or deterioration, the health authorities of the different Public Administrations may, within the scope of their powers, adopt the measures provided for in this Law when urgent or necessary health reasons so require.” … “Article three. In order to control communicable diseases, the health authority, in addition to carrying out general preventive actions, may adopt the appropriate measures for the control of the sick, of the people who are or have been in contact with them and of the immediate environment, as well as those that are considered necessary in the event of a risk of a communicable nature.” In addition, the COVID-19 vaccination strategy of 2/12/2020 is the rule that develops the coordination between health authorities and reinforces the operation of the entire national health system, and it does not provide for vaccination against COVID-19 as mandatory. Order SND/344/2020, dated 13/04, which establishes exceptional measures for the reinforcement of the National Health System and the containment of the health crisis caused by COVID-19, establishes that the indication for carrying out diagnostic tests for the detection of COVID-19 must be prescribed by a physician in accordance with the guidelines, instructions and criteria agreed for this purpose by the competent health authority. Decree 63/2020 of 06/18, on the new governance of the health emergency caused by COVID-19 and the beginning of the resumption phase in the territory of Catalonia, DOGC of 19, determines in its article 1, with effect from 06/19/2020, the completion of phase III of the Plan for the de-escalation of the extraordinary measures adopted to deal with the pandemic generated by COVID-19 for the entire territory of Catalonia.
In its article 5, it empowers the "Minister of Health and the Minister of Interior, in their capacity as authorities comprising the Steering Committee of the PROCICAT action plan for emergencies associated with emerging communicable diseases with high-risk potential, to adopt the necessary resolutions to make effective the measures that must govern the new stage that begins." On 18/06/2020, RESOLUTION SLT/1429/2020, dated 18/06, was issued, by which basic protection and organizational measures are adopted to prevent the risk of transmission and favor the containment of SARS-CoV-2 infection (DOGC 19-06-2020). This rule states in its explanatory statement that it aims to ensure that activities that may generate a greater risk of community transmission are carried out under conditions that allow the risks of contagion and possible outbreaks to be prevented, identifying as transmission risk factors activities carried out in closed spaces, with a high density of participants and over a long duration. The resolution establishes general measures. In its article 1.2, it indicates that the measures of the resolution have to be completed with sectoral plans of activities; among other sectors, it cites that of Fairs, Congresses and other temporary activities with a large influx of public. At the time of the MWC 22, the Special Plan for Pandemic Emergencies in Catalonia was in force, approved by Government agreement 40/2020 of 3/03. This provision establishes as a public area the following: Congresses, Conventions and Trade Fairs, in which measures must be taken according to the evolution of the emergency, and it may be necessary to consider the partial restriction or suspension of some activities in places of public attendance.
The resolutions issued successively in matters of public health for the containment of the epidemic outbreak of the COVID 19 pandemic in the territory of Catalonia indicate that “The administrative intervention in public and private activities necessary to address the health crisis situation caused by COVID-19 is justified in the cited framework of health and civil protection laws, subject to the additional guarantee of judicial control with respect to the judgment of proportionality as regards the measures that have an impact on fundamental rights”. According to Order TSJ CAT 869/2021, of 11/25/2021, rec 509/2021: "The Judicial Authorization-Ratification System of Administrative Public Health Measures, modified by Law 3/2020, of September 18, on procedural and organizational measures to deal with COVID-19 in the field of the Administration of Justice, gave a new wording to article 8.6 of the LJCA and introduced into said Law articles 10.8 and 11.1.i), characterized by a procedure that is not of an adversarial nature, since it does not involve opposing procedural parties, but rather operates as a procedure of limited, preferential and summary cognizance, embedded in the scope of the jurisdictional protection of fundamental rights, which aims at the judicial authorization or ratification of measures limiting fundamental rights, adopted for reasons of public health." This Order ratifies the measures contained in resolution SLT/3512/2021, of 25/11, for the requirement of COVID documents in the circumstances and the scope of activities expressly provided for in the regulation, which does not include Congresses. This regulation contemplates the display of documentation, without referring to the retention of the data of the COVID certificates.
The aforementioned Order reiterates what was stated in the judgment of the TS 1112/2021, of 14/09, that “the right to data protection protects any information related to the person, and may be concerned if we understood that the circumstance of having been vaccinated or not was personal data which, although it does not belong to the intimate sphere of the person, is data related to privacy, which is especially protected when it is the object of processing”. Furthermore, the Order makes the triple judgment of proportionality of the measures contained in the administrative resolution in relation to the fundamental rights that are considered compromised, and authorizes the measures, not without first indicating that "it is not superfluous to leave on record that the accentuated and unchecked addition of more and more activities is reaching a height that will require at least greater motivation and reinforced justification within the framework of the doctrine that has been related."
However, in RESOLUTION SLT/99/2022, dated 26/01, the restrictive measures on fundamental rights that were still in force were lifted, including the requirement of a COVID certificate for access to certain non-essential activities in closed spaces (restaurants, physical and/or sports activity rooms, gyms and musical recreational activities permitted: concert halls, theatre cafés, concert cafés and …). The resolutions issued by the Catalan health authorities indicated in their explanatory statement: “The adoption of these measures by the competent authorities is covered by Organic Law 3/1986, of April 14, on special measures in matters of public health, in the rest of health and public health legislation, in civil protection legislation and, specifically, in Decree Law 27/2020, of July 13, amending Law 18/2009, of October 22, on public health and the adoption of urgent measures to address the risk of outbreaks of COVID-19. By Decree Law 27/2020, of July 13, the administrative intervention measures that can be adopted in pandemic situations to guarantee the control of contagions were specified and the procedure to be followed to adopt them was delimited. Specifically, a letter k) was added to article 55 of Law 18/2009, of October 22, on public health, which provides that, in situations of pandemic or epidemic declared by the competent authorities, the competent health authorities may adopt measures to limit activity, the movement of persons and the provision of services in certain territorial areas provided for in Annex 3, in accordance with the procedure provided for in article 55 bis.
The administrative intervention in public and private activities necessary to address the health crisis situation caused by COVID-19 is justified in the cited framework of health and civil protection laws, subject to the additional guarantee of judicial control with respect to the judgment of proportionality as regards the measures that have an impact on fundamental rights.” Decree Law 27/2020 establishes in article 55 bis 2 that “In the event that mandatory measures are established, this obligation must be expressly warned of, which will be based on the reports issued”. The resolutions in force during the event did not contemplate an event such as MWC 22, nor was any reference to COVID certificates for access to establishments established or included. In the present case, various types of data have been collected from the suppliers' employees: some identifying data (initials of first and last names, ID/NIF, email provided by their employers, suppliers of the respondent) and others of a special nature, referring to health data related to COVID 19 and provided by the workers themselves. Both types of data were processed by the respondent, the controller of the processing. The respondent did not assess the restriction that the imposed measure represents for the rights of workers, and this measure must be differentiated from the measure imposed on those attending MWC22, since the impact on rights is different. However, the respondent did not even analyse this issue in due depth in its EIPD (data protection impact assessment).
IV Regarding the allegations to the proposed resolution

Regarding the respondent's allegation formulated after the proposal, referring to the intended differentiation, also in their contents, between a main contract and another contract of a sub-processor, it must be clarified that the cited document 4 that the respondent provided constitutes a single instrument in which the object is expressly declared in its first clause, and in the second, the application of the ANNEXES that form part of the contract. These six ANNEXES include the SIXTH, the "processor contract", which nevertheless refers to the object set out in the first clause of the contract. The respondent points out that the contract of assignment with QP would cover only the validation of COVID certificates (including here vaccination, recovery or tests) and, occasionally, the performance of "rapid antigen test / PCR in the event of being requested by FIRA". Naturally, each of the documents to be validated had to meet certain requirements; for example, the vaccination had to have been given on a certain date and with an approved vaccine for its validity, and likewise for the documentation of the recovery from the disease. To this end, ANNEX 1B of the contract, “system integration”, states that “The supplier will have an information system necessary for the management of COVID tests”, differentiating TWO functionalities: that of “on-site testing”, which is not stated to be applied as a general rule to employees of assembly suppliers, and that of “validation of test results”. The documentation was incorporated through, according to the claimant, a “website (adapted to mobile phones) for sending previous tests”, through which the visitor can indicate their data and upload a document or photo of a previously obtained PCR/antigen result or vaccination/recovery card.
The respondent has stated that, in addition to this service, the so-called "main contract" "includes" a series of services listed in the same point 1.1 of the object of the contract, which would be the following:
- the medical validation of the COVID certificates (this seems to be a repetition, since it is already contained in the contract of assignment);
- the contact and "medical examination of the worker" (not contained in the object of the contract, which moreover uses the terminology "participant in the event", with nothing referring to the worker); and
- the "Hospital care service (24/7) through the network of Quirón Salud centers for all participants in the MWC22", which likewise does not mention the employees.
These are services for which the respondent states that QUIRONPREVENCIÓN would be the controller of the processing. According to the respondent, QUIRONPREVENCIÓN would act in compliance with a legal obligation and would be responsible for its medical decisions when granting approval or not for access to the workplace or for those attending the premises. In this regard, it should be noted that, in order for QUIRONPREVENCIÓN to issue this result, the respondent has previously carried out personal data processing operations, since it has collected the data and established that their owners provide their health data to its sub-processor, which has their consent for the services offered. The responsible party knows the decision of approval or not, because the contract establishes its communication from QUIRONPREVENCIÓN to its processor, FIRA, which acts on behalf of the responsible party. Thus, the respondent is the one who decided that the data should be collected and kept to facilitate the respective access throughout the duration of the event (attendees in case of vaccination) or the assembly (employees in case of vaccination), and similarly regarding the certificates of recovery from the disease.
Thus, even if the respondent's argument that QUIRONPREVENCIÓN is responsible for the medical processing were successful, it is the respondent who made the decision on which medical data should be collected and for what purpose, and who contracted the processing of such health data of the workers with QUIRONPREVENCION, and it is therefore responsible for the infringements that are charged. On the other hand, arguing that QUIRONPREVENCIÓN is responsible for the processing, also because it would feed the clinical history of each affected person, fulfilling a deontological duty when dealing directly with those affected, clashes with the fact that the task is limited to a check or verification of documents sent by mobile phone through a QUIRONPREVENCIÓN platform. It is not clear that the employees of the suppliers who carry out the assembly of the facilities, nor by extension the attendees, are patients or users of the aforementioned QUIRONPREVENCIÓN; nor, moreover, does the task include the provision of any type of medical assistance to these employees, and therefore no medical test is performed on those affected. Regarding the claim made after the proposal that the open content of the contract allowed QUIRONPREVENCIÓN to include the performance of tasks or services related to support for the coordination of business activities aimed at the prevention of occupational risks, not included in the contract for the assignment of processing, it should be noted that, in addition to the contract signed with QUIRONPREVENCIÓN and its annexes not expressly or specifically stating anything on such an aspect, said coordination work does not appear to be real, since not only would it be necessary to prove the participation of the companies that are being coordinated, but it does not fit the operating scheme that the LPRL and its implementing regulations provide for the prevention of occupational risks.
The Law on the Prevention of Occupational Risks, as can be seen from reading article 24 of Law 31/1985, of 8/11, on the Prevention of Occupational Risks, states: “1. When workers from two or more companies carry out activities in the same workplace, they must cooperate in the application of the regulations on the prevention of occupational risks. To this end, they will establish the means of coordination that are necessary in terms of the protection and prevention of occupational risks and the information about them to their respective workers, in the terms provided in section 1 of article 18 of this law. 2. The employer who owns the workplace will adopt the necessary measures so that other employers who carry out activities in their workplace receive the appropriate information and instructions regarding the risks existing in the workplace and the corresponding protection and prevention measures, as well as the emergency measures to be applied, for their transfer to their respective workers. 3. Companies that contract or subcontract with other companies the execution of works or services corresponding to their own activity and that are carried out in their own workplaces must monitor compliance by said contractors and subcontractors with the regulations on prevention of occupational risks. 4.
The obligations set forth in the last paragraph of section 1 of article 41 of this Law shall also apply, with respect to contracted operations, in cases where the workers of the contractor or subcontractor company do not provide services in the workplaces of the main company, provided that such workers must operate with machinery, equipment, products, raw materials or tools provided by the main company." It has not been shown that the vaccination information and the other COVID documents the employees had to provide were the product of any such coordination activity; what is proven is that the employees had to supply them if they wanted to provide their services, that is, to exercise their right to work at the physical location where the event was to be held. Moreover, the role of coordinator of business activities cannot include individual decision-making on the prevention measures to be adopted, as article 24 LPRL makes clear by providing for those involved to "cooperate" and for the employer who owns the workplace and the companies present in the same workplace to "establish means of coordination". The thesis that coordination actions in the field of occupational risks were carried out which entailed the processing under discussion therefore cannot be accepted. As for the allegation that "the regulations on prevention of occupational risks offer a double legitimacy to request health data from visitors and from workers who provide services at the fairgrounds", it is not supported by any rule. The regulations on prevention of occupational risks in no way enable the obtaining and keeping of health data from people who are not employees of the employer.
As regards the processing of employee data, the position defended by the respondent in its allegations, that the processing of workers' health data is justified by compliance with occupational risk prevention, also rests on several serious errors. With regard to the obligation of "health monitoring", article 22 LPRL states: "1. The employer shall guarantee that the workers in its service are periodically monitored for their state of health according to the risks inherent in the work. This monitoring may only be carried out when the worker gives consent. The only exceptions to this voluntary nature, subject to a report from the workers' representatives, are those cases in which the performance of the examinations is essential to assess the effects of the working conditions on the health of the workers, or to verify whether the state of health of the worker may constitute a danger to the worker, to other workers or to other persons related to the company, or when this is established in a legal provision in relation to the protection of specific risks and activities of special danger. In any case, the examinations or tests that cause the least discomfort to the worker and that are proportional to the risk shall be chosen. 2. The measures for monitoring and controlling the health of workers shall be carried out always respecting the right to privacy and dignity of the worker and the confidentiality of all information related to his or her state of health. 3. The results of the monitoring referred to in the previous section shall be communicated to the affected workers. 4. The data relating to the monitoring of workers' health may not be used for discriminatory purposes or to the detriment of the worker.
Access to personal medical information shall be limited to the medical personnel and health authorities carrying out the monitoring of workers' health, and may not be provided to the employer or other persons without the express consent of the worker. Notwithstanding the above, the employer and the persons or bodies with responsibilities in matters of prevention shall be informed of the conclusions arising from the examinations carried out in relation to the worker's aptitude for the performance of the job, or the need to introduce or improve the protection and prevention measures, so that they can correctly carry out their preventive functions. 5. In cases where the nature of the risks inherent in the work makes it necessary, the right of workers to periodic monitoring of their state of health shall be extended beyond the end of the employment relationship, in the terms determined by regulation. 6. The measures for monitoring and controlling the health of workers shall be carried out by health personnel with technical competence, training and accredited capacity." (The underlining is the AEPD's.) The principles informing this provision apply to the case at hand. From it, the respondent could easily have concluded that the LPRL did not enable it to obtain the information requested from the employees. It is clear from the article that health monitoring by prevention services is, as a rule, voluntary, except in the cases set out. The exceptions to voluntariness must be interpreted strictly and limited to those exclusive and particular cases in which health monitoring is strictly necessary. A mandatory health examination must be essential to safeguard the health of workers, which did not occur here, since other prevention measures were available that interfered less with workers' rights.
It must be added that a health examination of all workers cannot be established in a general and indiscriminate manner as a mandatory preventive measure. On this last point, it is not proven that any company in the supplier categories whose employees set up the FIRA site lacked a prevention service arranged for its employees, directed at or focused on access to the site and COVID-19. In short, the LPRL gave the respondent sufficient information to know that the processing it intended to carry out was not in accordance with its provisions, contrary to the respondent's allegations.
V Unfulfilled obligation of art. 9 GDPR
Recital 51 of the GDPR expressly indicates that, "in addition to the specific requirements" applicable to the processing of "particularly sensitive" data, set out in article 9, paragraphs 2 and 3, of that Regulation, without prejudice to any measures that a Member State may adopt on the basis of paragraph 4 of that article, the "general principles and other rules of that Regulation, in particular as regards the conditions for lawful processing", as they arise from article 6, must also apply to such processing. In this case, as already indicated, since the health data being processed belong to a special category, a relevant ground is required to lift the prohibition and enable their processing. Therefore, in addition to a legal basis under article 6.1 of the GDPR, there must be coverage under article 9.2 of the GDPR that overcomes the general prohibition in article 9.1. Article 9 of the GDPR, "Processing of special categories of personal data", provides: "1.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies (only those that may relate to the purpose or activity of the processing in this case are reproduced): (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; […] (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the
provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; […] 3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies. 4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health." The exceptions contemplated in art. 9 of the GDPR impose strict requirements before processing can finally be carried out, because of the risks that such processing may entail for fundamental rights and freedoms; in this case, the workers' fundamental right to health and physical integrity could be affected. These exceptions must be interpreted restrictively: the processing of special categories of data is prohibited, and, like any exception to a prohibition, they must be construed strictly
[judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C-252/21, EU:C:2023:537, paragraph 76]. Legal Office report 17/2020, of 12 March 2020, stated: "Without prejudice to the above, the personal data protection regulations themselves (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR)) contain the necessary safeguards and rules to legitimately allow the processing of personal data in situations such as the present one, in which there is a general health emergency. Therefore, when applying the provisions laid down in the GDPR for these cases, in accordance with the applicable sectoral regulations in the field of public health, data protection considerations (within the limits provided for by law) should not be used to hinder or limit the effectiveness of the measures adopted by the authorities, especially the health authorities, in the fight against the epidemic, since the personal data protection regulations already contain rules for such cases that reconcile and weigh the interests and rights at stake for the common good." The data protection regulations themselves thus allow that, in emergency situations, for the protection of essential public health interests and/or the vital interests of natural persons, the health data necessary to prevent the spread of the disease that caused the health emergency may be processed. Recitals 10 and 52 to 54 of the GDPR, on the processing of special categories of data, provide as follows: (10) (…).
This Regulation also recognises a margin for manoeuvre for Member States to specify their rules, including for the processing of special categories of personal data ('sensitive data'). In this respect, this Regulation does not preclude the law of Member States determining the circumstances relating to specific processing situations, including the detailed indication of the conditions under which the processing of personal data is lawful. (52) Derogations from the prohibition of processing special categories of personal data should also be allowed where provided for by Union or Member State law and provided that appropriate safeguards are in place, in order to protect personal data and other fundamental rights, where this is in the public interest, in particular the processing of personal data in the field of labour law, social protection legislation, including pensions, and for the purposes of security, health monitoring and alerting, the prevention or control of communicable diseases and other serious threats to health. Such an exception is possible for purposes in the field of health, including public health and the management of health care services, in particular in order to ensure the quality and cost-effectiveness of the procedures used to resolve claims for benefits and services under the health insurance scheme, or for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes. The processing of such personal data should also be authorised on an exceptional basis when it is necessary for the formulation, exercise or defence of claims, whether by judicial procedure or by administrative or extrajudicial procedure. 
(53) Special categories of personal data deserving enhanced protection should only be processed for health-related purposes where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social protection services and systems, including the processing of such data by managing health authorities and central national health authorities for the purposes of quality control, information management and general national and local oversight of the health or social protection system, and ensuring the continuity of health care or social protection and cross-border health care or for health safety, surveillance and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which are to fulfil an objective of public interest, as well as for studies carried out in the public interest in the field of public health. This Regulation should therefore lay down harmonised conditions for the processing of special categories of personal data relating to health, in relation to specific needs, in particular where the processing of such data is carried out for health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and appropriate measures to protect the fundamental rights and personal data of natural persons. Member States should be able to maintain or introduce other conditions, including limitations, with regard to the processing of genetic data, biometric data or data relating to health. (…) (54) The processing of special categories of personal data, without the consent of the data subject, may be necessary for reasons of public interest in the area of public health. 
Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, 'public health' should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council, namely all elements related to health: health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. (…) Therefore, as stated in legal report 0055/2023, "the conclusion is drawn that although the GDPR establishes some cases that exempt from the prohibition of processing special categories of data, through the law of the Member States ad hoc regulations can be introduced in order to adapt the reality of the sectors involved and guarantee effective protection of the rights of citizens of the Union". To the above must be added article 9.2 of the LOPDGDD, which provides: "2. The processing of data contemplated in letters g), h) and i) of article 9.2 of Regulation (EU) 2016/679 based on Spanish law must be covered by a rule with the rank of law, which may establish additional requirements regarding its security and confidentiality.
In particular, said law may cover the processing of data in the field of health when required by the management of public and private health and social care systems and services, or the execution of an insurance contract to which the data subject is a party." The requirement that any limitation on the exercise of fundamental rights must be provided for by law, as stated in paragraph 175 of the CJEU judgment of 16 July 2020, Schrems II, C-311/18, "implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned". It is therefore the law that must establish the scope of the interference with the fundamental right to data protection, as well as the guarantees protecting the rights and freedoms of individuals. That said, each of the exceptions to the prohibition on processing health data that, according to the respondent, applies to the processing under review must be analysed. The respondent considers that the exception in article 9.2.g) of the GDPR applies. To activate that exception, the respondent refers to the HEALTH AND SAFETY PLAN FOR MWC 2022 as the instrument containing the need for processing for reasons of substantial public interest, and to the resolutions issued by the health authorities. The exception in article 9.2.g) of the GDPR requires that the rule declaring the substantial public interest comes from Member State or Union law and, in addition, that it: - is proportionate to the aim pursued, - respects the essence of the right to data protection, - provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Recital 54 of the GDPR is clear when it states: "The processing of special categories of personal data without the consent of the data subject may be necessary for reasons of public interest in the areas of public health. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons." The Plan the respondent refers to is different from the SECTORAL PLAN FOR FAIRS AND CONGRESSES, and it does not appear to consist of or coincide with the measures implemented under the GSMA "Committed Community" plan, which was developed and approved by Catalan and Spanish authorities, including the health authorities. In any event, no Plan agreed between the respondent and the authorities has been provided, so its content is unknown; what is known is that it would not be a rule with the rank of law, nor one deriving from powers conferred by a law and binding on its addressees. According to the respondent, the Plan "requires GSMA to collect the personal data that is the subject of the claim, including vaccination certificates or diagnostic tests", "COVID data", and was "prepared in coordination with health authorities", which likewise does not identify its regulatory status.
Considering that the restriction of the fundamental right to the protection of personal data cannot be based, by itself, on the generic invocation of an undetermined "public interest", and that "it is the legislator who must determine when the good or right that justifies the restriction of the right to the protection of personal data is present and in what circumstances the right may be limited, and, moreover, who must do so by means of precise rules that make the imposition of such a limitation and its consequences foreseeable for the data subject" (Constitutional Court judgment 292/2000), it must be concluded that, in addition to the contradictory statements about the Plan or Plans (on the one hand the "Health and Safety Plan for MWC22", announced and developed over time, and on the other the "Committed Community Plan", it being unknown whether they are the same, since both are said to have been developed and approved by health authorities), neither of them would constitute a rule of European or national law with the necessary guarantees. Consequently, the respondent was not authorised to process the health data contained in the vaccination data of the suppliers' employees. In short, the circumstances of article 9.2.g) of the GDPR alleged by the respondent for processing the health data of the employees who set up MWC 22 are not present. The other circumstance alleged, although not contained in the DPIA of 22 April 2022, would be that of article 9.2.i) of the GDPR, which likewise refers to a public interest "in the area of public health, such as protecting against serious cross-border threats to health", and adds that it must be "on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject".
For this specific case, no legal basis supporting the alleged public interest in the area of public health is cited either, and the Plans agreed with the public authorities do not meet this requirement. Nor is it contained in the health authority resolutions in force while the data were being processed, so there is no rule that expresses a public interest in the field of public health or that provides for the processing of personal data on vaccination, negative PCR tests or certificates of recovery from the disease. In its allegations to the proposed decision, the respondent introduces a new exception to the prohibition by which it seeks to enable the processing of these health data, citing article 9.2.h) of the GDPR. However, it is not shown that, in this case, the health data were processed for the purposes of occupational health risk prevention, since the companies that employed the workers who carried out the assembly work at the venue of the event organised by the respondent were not involved. As already noted, the services contracted by the respondent, through its representative FIRA, were limited to QUIRONPREVENCIÓN verifying the documentation provided by the employees, without providing medical assistance of any kind and without the workers giving their consent. It therefore cannot be classified as either preventive or occupational medicine, since the suppliers were not the ones who decided on the communication of their employees' data, nor did the employees give their consent. Furthermore, it must be taken into account that article 9.2.
h) of the GDPR refers to processing that is "necessary" for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3. The term "necessary" used in the GDPR has, according to the CJEU, its own independent meaning in Community law; it is, the Court says, an autonomous concept of Community law (CJEU judgment of 16 December 2008, case C-524/06, paragraph 52). The European Court of Human Rights (ECtHR) has also provided guidance on interpreting the concept of necessity: in paragraph 27 of its judgment of 25 March 1983 it states that the "adjective 'necessary' is not synonymous with 'indispensable', neither has it the flexibility of such expressions as 'admissible', 'ordinary', 'useful', 'reasonable' or 'desirable'". Whether something is "necessary" must be assessed against the objective pursued, evaluating whether less intrusive processing would achieve the same objective; if other realistic and less intrusive alternatives exist, the processing is not "necessary". In this case, it must be concluded that the processing was not necessary for the stated purpose of protecting workers' health, since there were less intrusive alternatives that did not put workers' rights and freedoms at risk, such as providing workers with protective equipment appropriate to the level of risk. For this reason, none of the exceptions cited is considered sufficient to lift the prohibition on processing special categories of health data, and article 9 of the GDPR is therefore considered to be infringed.
VI Unfulfilled obligation of art. 6.1 GDPR
It is worth recalling that all processing of personal data must comply, on the one hand, with the principles relating to processing set out in article 5 of the GDPR and, on the other, with one of the bases for lawful processing listed in article 6 of that Regulation (see, to that effect, judgment of 16 January 2019, Deutsche Post, C-496/17, EU:C:2019:26, paragraph 57 and the case-law cited). The purpose of the collection and processing of the data plays a decisive role, as article 5.1.b) of the GDPR states that personal data shall be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes". Article 6 of the GDPR, under the heading "Lawfulness of processing", specifies in its section 1 the cases in which the processing of personal data is lawful: "1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of
personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks." The respondent has stated that there may be two grounds for the processing in question. The first is article 6.1.c) of the GDPR, which is linked to the following two recitals: "(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union […] and the European Court of Human Rights. (45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law." The legal obligation, according to the respondent, is contained in the Plan developed in collaboration with the health authorities, a Plan that the respondent has not provided, despite being the party that must prove that the processing it carries out has a legal basis. It also adds that the Public Health Law of the Autonomous Community of Catalonia, Law 18/2009, "may interfere with the protection of health", although it is not proven that binding measures applicable to the specific case were decreed under that law, such as those the respondent states it was obliged to implement by requesting health data from the suppliers' employees.
In this regard, it should be noted that article 8 of the LOPDGDD, under the heading "Data processing on the basis of a legal obligation, public interest or exercise of public powers", provides: "1. The processing of personal data may only be considered to be based on compliance with a legal obligation enforceable against the controller, in the terms provided for in article 6.1.c) of Regulation (EU) 2016/679, when so provided by a rule of European Union law or a rule with the rank of law, which may determine the general conditions of the processing and the types of data subject to it, as well as the disclosures that follow from compliance with the legal obligation. Said rule may also impose special conditions on the processing, such as the adoption of additional security measures or others established in chapter IV of Regulation (EU) 2016/679. 2. The processing of personal data may only be considered to be based on the performance of a task carried out in the public interest or in the exercise of public powers conferred on the controller, in accordance with article 6.1.e) of Regulation (EU) 2016/679, when it derives from a competence conferred by a rule with the rank of law." Therefore, for the legal basis in article 6.1.c) of the GDPR to apply, a rule with the rank of law must impose on the controller a specific obligation that must be fulfilled and cannot be evaded. It follows that the legal basis indicated by the respondent does not meet the requirements of article 6.1.c) and must be rejected, because: - A Plan or an agreement between parties, even if one of them is a public entity, is not a law and does not derive from one, since it is not an instrument with binding force; it remains a conventional agreement between parties that has no place in administrative law to bind the affected party.
The obligation as such must be expressly contained in a regulation with the rank of Law, which must meet all the relevant conditions for the obligation to be valid and binding, including complying with data legislation in terms of meeting the requirement of necessity, proportionality and limitation of purpose. -The relationship that the respondent has with the employees is not a direct relationship but mediated by the employer, the respondent's supplier, so that, in any case, the compliance with the obligations legally imposed on the employer would be the responsibility of the supplier and not the respondent, as there is no direct link between the employee and the respondent. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 74/96 -The data controller should not be able to choose whether or not to comply with this obligation; any agreements between the parties, or unilateral commitments, would not be covered by this basis of legitimacy. In addition, article 6.3 of the GDPR specifies in this case that the processing must be based on Union law or on the law of the Member States that applies to the data controller, and the purpose of the processing must be determined on this legal basis. The law of the Union or of the Member States must fulfil an objective of public interest and be proportional to the legitimate aim pursued. The Plan or agreement mentioned by the respondent that is not provided, would have to be part of the law, not an agreement or Convention that would only bind the parties in this case. Regarding the resolutions of the administrative authorities, it should be noted that MWC22 was held for attendees from 02/28/2022 to 03/03/2022 and that the health data of the employees was probably collected between 01/23/2022 and 03/08/2022, although the contract signed with QUIRONPREVENCIÓN SLU is dated 02/21/2022. 
According to the tenth proven fact, the resolutions of the health authority applicable between 01/23/2022 and 03/08/2022 were the following:

RESOLUTION SLT/99/2022, of 01/26, establishing the measures in terms of public health for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. This resolution lifts the restrictive measures of fundamental rights that were still in force, that is: “the limitation of meetings and social gatherings to a maximum of ten people, the limitation on the capacity of religious activities, and the requirement of the COVID certificate for access to certain non-essential activities in closed spaces (restaurants, physical and/or sports activity rooms, gyms and permitted musical recreational activities: concert halls, theatre cafes, concert cafes and musical restaurants).” In section 2.1 “Individual and collective protection measures” it is established that “(…) Both in closed and open spaces, except for groups of cohabiting people, the interpersonal physical safety distance is set at 1.5 m, in general, with the equivalent of a safety space of 2.5 m2 per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the interpersonal physical safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion. In open-air spaces where, due to the agglomeration of people, it is not possible to maintain the interpersonal physical safety distance, the use of a mask is mandatory in the terms established in section 2.3 of this Resolution”.

Regarding the “Prevention and hygiene measures in workplaces” in point 3.4, section 2, it is determined: “Without prejudice to compliance with the regulations on prevention of occupational risks and other applicable labor regulations, the owners of public and private workplaces must adopt, in the workplaces, among others, the following measures: a) Adopt organizational measures in the working conditions, so that the maintenance of the minimum interpersonal safety distance is guaranteed. And, when this is not possible, workers must be provided with protective equipment appropriate to the level of risk. (…)”

RESOLUTION SLT/177/2022, of 2/02, establishing the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. In relation to the “Individual and collective protection measures” it indicates in its point 2.1: “1. (…) Both in closed and open spaces, except for groups of people cohabiting, the safety distance is set at 1.5 meters, in general, with the equivalent of a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, the appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion. 2. The duty of protection established in section 1 is also applicable to the holders of any economic or business activity or establishment for public use or that is open to the public, in accordance with the organizational, hygiene and prevention standards established in this Resolution and, where applicable, of the corresponding sector plan or organizational protocol.
(…)”

RESOLUTION SLT/254/2022, of 9/02, which modifies Resolution SLT/177/2022, of 2/02, which establishes the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. It also includes: “2.1 Individual and collective protection measures. 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading infection by SARS-CoV-2, as well as the exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for outdoor spaces for carrying out activities; the correct ventilation of closed spaces, and the cleaning and disinfection of surfaces. Both in closed and open spaces, except for groups of people cohabiting, the safety distance is set at 1.5 meters, in general, with the equivalent of a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, the appropriate hygiene and organizational measures must be adopted to prevent the risks of contagion.” This resolution does not modify the specific prevention and hygiene measures in work centers of RESOLUTION SLT/177/2022, of 2/02.

RESOLUTION SLT/342/2022, of 16/02, which establishes the public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. It also includes in point 2.1: “Individual and collective protection measures. 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading infection by SARS-CoV-2, as well as their own exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for open-air spaces for carrying out activities; the correct ventilation of closed spaces, and the cleaning and disinfection of surfaces. Both in closed and open-air spaces, except for groups of people cohabiting, the safety distance is set at 1.5 meters, generally, with the equivalent of a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risk of contagion.”

RESOLUTION SLT/541/2022, of 2/03, establishing public health measures for the containment of the epidemic outbreak of the COVID-19 pandemic in the territory of Catalonia. It establishes in its point 2.1: “Individual and collective protection measures. 1. Citizens must adopt the necessary measures to avoid the generation of risks of spreading infection by SARS-CoV-2, as well as their own exposure to these risks, and must adopt individual and collective protection measures based on: frequent hand hygiene; hygiene of respiratory symptoms (avoid coughing directly into the air, cover your mouth with the inside of your forearm in these cases and avoid touching your face, nose and eyes); safety distance; the use of a mask in the terms established in section 2.3 of this Resolution; the preference for outdoor spaces for carrying out activities; proper ventilation of closed spaces, and cleaning and disinfection of surfaces. Both indoors and outdoors, except for groups of people living together, the safety distance is set at 1.5 meters, generally, with the equivalent of a safety space of 2.5 square meters per person, unless more restrictive values are in force for the type of activity. When the development of the activity does not allow maintaining the safety distance, appropriate hygiene and organizational measures must be adopted to prevent the risk of contagion. (…)”

Therefore, taking into account what has just been indicated, the legal basis for processing the workers' health data cannot be that provided for in art. 6.1.c) RGPD, since there was no rule that imposed on the respondent the obligation to process such health data. Moreover, the provisions on the prevention of occupational risks already included the appropriate measure to be adopted: providing workers with protective equipment appropriate to the level of risk.

On the other hand, the respondent also considers the basis of article 6.1 d) to be applicable: “necessary to protect the vital interests of the interested party or of another natural person”.
This basis covers situations in which the processing is necessary to protect an interest essential for the life of the interested party or of another natural person, who could be the attendees of the event, including workers. Recital (46) states: “The processing of personal data should also be considered lawful when it is necessary to protect an essential interest for the life of the interested party or of another natural person. In principle, personal data should only be processed on the basis of the vital interest of another natural person when the processing cannot manifestly be based on a different legal basis. Certain types of processing may serve both important reasons of public interest and the vital interests of the data subject, such as when processing is necessary for humanitarian purposes, including the control of epidemics and their spread, or in humanitarian emergency situations, in particular in the event of natural or man-made disasters.”

The concept of “vital interest” appears to limit the application of this legal basis to questions of life or death, or at least to threats posing a risk of injury or other harm to the health of the data subject, as indicated in section III.2.4 of Opinion 6/2014 on the concept of the legitimate interest of the data controller under Article 7 of Directive 95/46/EC, Article 7.d) of which was equivalent to Article 6.1.d) of the GDPR: “the purpose of this legal basis is to ‘protect an essential interest for the life of the data subject’. However, the Directive does not specify precisely whether the threat must be immediate. This raises questions regarding the scope of the data collection, for example, whether it is a preventive measure or on a large scale, such as the collection of data from airline passengers when there is a risk of epidemiological disease or a security incident has been detected.”

On the other hand, it must be taken into account that article 9.2 c) of the GDPR is applicable to lift the prohibition on processing special categories of data, such as health data, when “the processing is necessary to protect the vital interests of the data subject or another natural person, in the event that the data subject is not physically or legally capable of giving consent”. Therefore, Article 6.1.d) of the GDPR is not sufficient for the processing of health data, and it is necessary that the exception in Article 9.2.c) of the GDPR also applies. Although Article 6.1.d) of the GDPR does not limit the use of this legal basis to situations in which consent cannot be given, as Article 9.2.c) does, it follows from Recital 46 of the GDPR that in situations in which valid consent can be given, it must be requested. Therefore, the application of this provision would be limited to cases in which the processing cannot manifestly be based on a different legal basis, without it being used to legitimise any mass collection or processing of personal data.

The CJEU judgment of 4/07/2023, case C-252/21, states on this basis:

“135 Secondly, Article 6, paragraph 1, first subparagraph, letter d), of the GDPR establishes that the processing of personal data shall be lawful when it is necessary to protect the vital interests of the data subject or of another natural person.
136 As is clear from recital 46 of the aforementioned Regulation, this provision contemplates the particular situation in which the processing of personal data is necessary to protect an essential interest for the life of the data subject or of another natural person. In this regard, said recital cites in particular, as an example, humanitarian purposes, such as the control of epidemics and their spread, or situations of humanitarian emergency, in particular in the event of natural or man-made disasters.

137 It follows from these examples and from the strict interpretation to be applied to Article 6(1)(d) of the GDPR that, in view of the nature of the services provided by the operator of an online social network, such an operator, whose activity is essentially economic and commercial in nature, cannot rely on the protection of an essential interest in the life of its users or of another person in order to justify, in absolute terms and in a purely abstract and preventive manner, the lawfulness of data processing such as that at issue in the main proceedings.

(…)

139 Article 6(1), first subparagraph, points (d) and (e) of the GDPR must be interpreted as meaning that such processing of personal data cannot, in principle and without prejudice to the verification to be carried out by the referring court, be considered necessary in order to protect the vital interests of the data subject or of another natural person, pursuant to point (d), or for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the controller, pursuant to point (e).”

Accordingly, the Court considers that this legal basis must be applied in the strict sense and only when the processing is necessary to protect vital interests.
The requirement of necessity is analysed in recital 39 of the GDPR, from which it follows that it is met when the objective of general interest pursued cannot reasonably be achieved with equal effectiveness by other means that are less detrimental to the fundamental rights of the interested parties, in particular with respect to the rights to respect for private life and to the protection of personal data.

On the other hand, considering that there is a generalised processing of employee data which, although they are not the respondent's but its suppliers', Article 14 of Law 31/1995 of 8/11 on the Prevention of Occupational Risks (LPRL) could apply, which provides for the employer's duty to protect workers against occupational risks. The LPRL provides for coordination by the employer who owns the workplace when workers from two or more companies carry out activities in the same workplace. However, in the DPIA of 22/04/2022, no aspect of the processing based on the prevention of occupational risks is assessed in terms of its necessity and proportionality.

As in any sector of activity, on the dates on which MWC 2022 was to be held, there were vital interests of groups, or of third parties, to be protected, but as the CJEU indicates in the aforementioned ruling, it is not possible to invoke the protection of an interest essential for life to justify, in absolute terms and in a purely abstract and preventive manner, the lawfulness of data processing without proving the need for that processing. In addition, in the health emergency situation, it was the health authorities that were establishing the need for processing operations, taking into account the change in circumstances over time. At any given time, depending on the health circumstances, the health authorities determined the applicable measures and the sectors of activity to which they applied, without these being applicable to every sector or event. It was the health authorities that implemented the measures necessary to prevent the spread of the pandemic, without establishing, during the processing of the disputed data, any need to obtain and retain COVID documentation. Furthermore, on the dates on which the need to check COVID documentation was established, it was sufficient to display the documents containing the health data, without any need to retain them being established.

Considering that all processing involves an interference with the rights of the data subjects, the employees, the respondent has not proven that the obligation to register the vaccination certificate or PCR tests was essential to protect the vital interest. Regarding this alternative, which required the employee to pay for the PCR tests, since they are only valid for 72 hours, the respondent has not provided any consideration of their necessity and of the risks of the measure in relation to the rights and freedoms of the interested parties.

Finally, it should be noted that, in general, the judgment of necessity is justified in the Impact Assessment. However, in this case there is no analysis of the necessity, proportionality and suitability of this measure, as nothing is stated in this regard, not even minimally proving that the measure is necessary to achieve the purpose pursued, since such an assessment has not been carried out. Necessity must be interpreted in the sense that the processing is indispensable to protect the vital interest of the people who attended the event or of the workers because there is no other measure less restrictive of rights. In addition, the respondent must justify that the processing operations that were carried out – the collection, registration and keeping of certificates – are indispensable, rather than their mere display.
The processing of personal data in these health emergency situations, as mentioned, must still be carried out in accordance with the personal data protection regulations (RGPD and LOPDGDD). The specific regulation of health emergencies constitutes special legislation that results from the need, in certain circumstances, to adopt specific measures to preserve public health and protect the rights to life, physical integrity and health of persons, guaranteed by arts. 15 and 43 of the Constitution, and may, in a proportionate manner, justify certain limitations on the exercise of fundamental rights. In this case, that regulation was materialised through public health regulations that provided safeguards for the essential interests affected, and those responsible had to act in accordance with what was indicated therein.

Alternatively, the respondent has added in its allegations to the proposal a new legal basis for the processing of the data of the suppliers' employees who carry out the assembly of the facilities of the venue where the congress is held, citing article 6.1.c) of the GDPR, “the processing is necessary for compliance with a legal obligation applicable to the data controller”, now relying on “compliance with legal obligations in the field of prevention of occupational risks”, and considering that health surveillance was mandatory in accordance with article 22 of the LPRL and that it was carried out by QUIRONPREVENCIÓN. However, as has been pointed out, this activity cannot be carried out without the consent of the workers. It is also considered that this legal obligation would fall, where appropriate, on the employers, the suppliers, whose employees hold the corresponding right as a counterpart to that obligation of the employers. However, in no case can this lead to requiring vaccination, or the provision of a certificate of recovery from the disease or a PCR test, indiscriminately from all workers, nor does it therefore justify requiring the data of suppliers' employees with whom the respondent has no relationship.

This means that in this case the legal bases put forward by the respondent for the processing of the data of the suppliers' employees during the event, and presumably in advance for the preparation of the assembly of the facilities, are not accredited, so the infringement of article 6.1 of the RGPD must be considered proven.

VII Unfulfilled obligation of art. 14 of the GDPR

In this case, the data of the employees of the respondent's suppliers, engaged in the assembly of the facilities for the MWC 2022 event, are processed. The employers (suppliers of the respondent GSMA) provide the data to GSMA in an application that the latter, as organizer of MWC 22, has for the purpose of controlling safe, COVID-free access to the facilities where the Congress is held annually. The respondent is the controller of the processing carried out on the data of the suppliers' employees, meeting the requirements of determining the purposes and means of that processing, establishing the reason for the processing and how it will be carried out, and thus fulfilling the requirements of the GDPR to be qualified as controller. After receiving the employee data entered by the suppliers, the employees receive a first email from the respondent requesting that they send the COVID data to the sub-processor QP (QUIRONPREVENCIÓN), to which they connect in order to send their vaccination certificates or tests.
The first statement made in the response to the transfer indicated: “Regarding the information provided on the processing of this data, and in relation to the data processing subject to this claim, it is provided by the supplier/employer directly as GSMA has no direct contact with the workers. The contract between GSMA and the provider requires the provider to comply with the applicable laws regarding data protection, including compliance with the transparency and legality requirements of the same for the purposes of transferring the data of its employees to GSMA or its data processors, including the provision of the GSMA privacy policy.”

Therefore, it is the data controller, the respondent, that is subject to a series of obligations under the RGPD and the LOPDGDD, including the processing of personal data in a fair, lawful and transparent manner (art. 5.1.a of the RGPD). Transparency is intrinsically linked to fairness and to the principle of accountability under the RGPD. From article 5.2 of the RGPD it also follows that the data controller must always be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject. In line with this point, the principle of accountability requires transparency of processing operations so that data controllers can demonstrate compliance with their obligations under the GDPR.
The respondent, in addition to the statement made in its response to the transfer, has stated in its DPIA that the information to the employees was provided by the suppliers via the “privacy notice” that appeared on the respondent's website, provided to them by their employer on behalf of GSMA, in the words of the DPIA: “In accordance with the terms and conditions of the contractor registration between GSMA and the suppliers, the latter contractually agree to comply with the transparency obligations before sharing the employees' data with GSMA, including the provision of the GSMA privacy notice to all its employees”. Thus, according to the respondent's initial statements before the transfer, the contracts signed with the suppliers transfer to the suppliers the obligation to inform about the processing of the data, linking them to the “privacy policy of the respondent's website”.

Article 14 of the GDPR states:

“1. Where the personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and contact details of the controller and, where applicable, of his or her representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes for which the personal data are processed, as well as the legal basis for the processing;
(d) the categories of personal data in question;
(e) the recipients or categories of recipients of the personal data, where applicable;
(f) where applicable, the intention of the controller to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), a reference to adequate or appropriate safeguards and the means of obtaining a copy of those safeguards or the place where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing of the data in relation to the data subject:
(a) the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period;
(b) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party;
(c) the existence of the right to request from the controller access to personal data concerning the data subject, rectification or erasure thereof, or restriction of processing thereof, and to object to processing, as well as the right to data portability;
(d) where processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) the source from which the personal data originate and, where applicable, whether they originate from publicly available sources;
(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period of time after obtaining the personal data and no later than one month, taking into account the specific circumstances in which the data are processed;
(b) if the personal data are to be used for communication with the data subject, no later than the time of the first communication to the data subject, or
(c) if the personal data are intended to be communicated to another recipient, no later than the time when the personal data are first communicated.

4. Where the controller intends to process personal data further for a purpose other than that for which they were obtained, he shall, before such further processing, provide the data subject with information about that other purpose and with any other relevant information referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and to the extent that:
(a) the data subject already has the information;
(b) the provision of that information would be impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article would render impossible or seriously impede the achievement of the objectives of such processing. In such cases, the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including by making the information public;
(c) the collection or communication is expressly provided for by Union or Member State law to which the controller is subject and which provides for appropriate measures to protect the legitimate interests of the data subject, or
(d) where the personal data must remain confidential on the basis of an obligation of professional secrecy governed by Union or Member State law, including an obligation of secrecy of a legal nature.”

The obligation to inform is enforceable against the controller. In this case, it is in the first instance the suppliers who enter their employees' data into the respondent's application; it therefore follows that the data collected by the respondent are not provided by the interested parties, i.e. by the employees themselves, but by the GSMA supplier, the employer of the affected parties (data such as name, surname, email, etc.). Subsequently, the COVID health data required for the pass are entered into the application by the employees themselves, through email contact and following the respondent's instructions. The legal obligation established by the RGPD and the LOPDGDD with which the data controller must comply implies its enforceability against that controller, in this case the respondent, without a mere private agreement of wills, which is not documented but simply asserted, being able to have the effect that the respondent intends, which would render ineffective the high degree of protection and guarantees that the RGPD offers.
The responsibility will always be demanded from the person who the law indicates as obliged, and in the case of the obligation to inform, it falls on the person responsible for the treatment, so it will be necessary, as it is a functional concept, to be the one who decides on the purposes and means of the treatment. In this case, the respondent decided to carry out the treatment and determined the means of the treatment, therefore, it is responsible for compliance with the obligation to inform. The ultimate objective of attributing the obligation to the person responsible for the treatment is to guarantee its compliance and an effective and comprehensive protection of the right to data protection. Recital 39 of the GDPR states in this regard: "All processing of personal data must be lawful and fair. It must be perfectly clear to natural persons that personal data concerning them are being collected, used, consulted or otherwise processed, as well as the extent to which such data are or will be processed." The transfer of this legal responsibility established by the GDPR is not possible, regardless of the agreements that the parties may reach, which are unrelated to this procedure. Nor is this obligation replaced by the dissemination of press releases or knowledge in the media, since it is an individual right and must occur when the data of the affected party is collected, as a guarantee and safeguard of the rights of those affected. In contrast to the informative content of the privacy policy that the respondent considers sufficient, it must be noted that in order to understand that compliance with the obligation to provide information to the employees who own the data that have been collected, not only health data but also basic data: name, surname, email, the content of the information and the time at which the information is provided must be accredited. 
This obligation cannot be replaced by merely posting the privacy policy on the website, since the information must be provided directly to the person whose data are requested, whether or not the data are collected from the data subject directly by the controller. The privacy policy could be a means of complying with the obligation to inform, provided that the controller directly communicates to the data subject the basic information and where the complete information can be found. The respondent's claim that, after the start agreement, the AEPD assumes that information has been provided is unfounded: Article 14 of the GDPR is reproduced in full in the start agreement, and the point made there is that the information was not provided. Nor can the claim that the application provided information on the privacy policy be accepted, since from the printout of the accompanying screen, "Contractor accreditation-system login", it can be deduced that uploading the personal data is the responsibility of the supplier, who is the only one who interacts with GSMA, so that in any case it would be the supplier that is informed and not the employees who own the data. The link that appears on the screen under "legal" does not lead directly to the privacy policy but to a screen offering various options, of which the privacy policy is only one. It should be remembered that the respondent's first and only contact with the complainant (and with the employees), as she herself explained, occurred when GSMA sent the employee an email indicating a link to upload the vaccination data.
Additionally, it is noted that, because the privacy policy is a comprehensive one covering the various parties participating in the event, it has certain shortcomings: in the section "Data Retention", the retention of the data collected from the suppliers' employees is not detailed, and they are urged to make contact for more information. Nor is the legitimising basis that specifically corresponds to the processing of the data of each category of attendee or employee given; it is indicated in a general and abstract way without identifying the groups to which it refers. The right to lodge a complaint with a supervisory authority is not stated, nor are the source of the data or the contact details of the Data Protection Officer. Finally, the section "information that you voluntarily provide" states: "COVID 19 tests: As indicated in our Community Committed Plan, you will be required to undergo COVID 19 tests at regular intervals during the event. The information about your test results will be processed for the sole purpose of access control." In short, the respondent did not provide the data subjects with the information required by Article 14 of the GDPR, and the information in its privacy policy is incomplete. This does not mean that the present procedure is directed against the respondent because its privacy policy is incomplete, but because no information was provided to the data subjects. Therefore, this allegation cannot be upheld, as the respondent's duty to inform has been breached. The information that the controller must provide is due regardless of whether or not the controller has access to the data about which it has ultimately decided for what purpose and in what manner they will be processed, establishing the purposes and means for this.
It is also apparent that the respondent is aware of the result, because QP communicates to it the decision on whether the employee is fit or not, which is incorporated in the vaccine certificate provided by each employee and is stored and kept so as to allow access to the facility, in this case the place of work, every day. The truth is that, once the data have been sent by the suppliers, the respondent has them at its disposal and could have informed the data subjects of the collection and processing in its first contact with them; however, there is no evidence that it did so. As clarified by the Guidelines on transparency under Regulation (EU) 2016/679, adopted on 29/11/2017 and last revised and adopted on 11/04/2018: “27. As regards the timing of providing this information, doing so in a timely manner is a fundamental aspect of the obligation of transparency and the obligation of fair processing of data. Where Article 13 is applicable, paragraph 1 of that article provides that the information must be provided "at the time when [the personal data] are obtained". In the case of personal data obtained indirectly under Article 14, the time limits within which the necessary information must be provided to the data subject are set out in Article 14(3)(a) to (c), namely:
• the general requirement is that the information must be provided within a "reasonable period" after the personal data have been obtained, and at the latest within one month, "taking into account the particular circumstances in which the data are processed" [Article 14(3)(a)];
• the general maximum period of one month referred to in Article 14(3)(a) may be reduced under Article 14(3)(b), which covers situations in which the data are used to communicate with the data subject. In such a case, the information must be provided at the latest at the time of the first communication with the data subject.
If the first communication takes place within one month after the personal data were obtained, the information must be provided "at the latest" at the time of that first communication with the data subject, provided that one month has not elapsed since the data were obtained. If the first communication with a data subject takes place after one month has elapsed since the personal data were obtained, Article 14(3)(a) continues to apply, and the information referred to in Article 14 must therefore be provided to the data subject no later than one month after the data were obtained;
• the general maximum period of one month referred to in Article 14(3)(a) may also be reduced pursuant to Article 14(3)(c), which covers situations where the data are communicated to another recipient (whether a third party or not). In such a case, the information must be provided at the latest at the time of the first communication. If that communication takes place before the maximum period of one month has expired, the information must be provided "at the latest" at the time of that communication, provided that one month has not elapsed since the data were obtained. As with Article 14(3)(b), if any communication of personal data occurs after one month has elapsed since the personal data were obtained, Article 14(3)(a) continues to apply, so that the information referred to in Article 14 must be provided to the data subject no later than one month after its collection.”
However, in this case there is no record that the respondent provided information, and the charge of infringing the aforementioned article therefore stands. The respondent claims that these facts were not initially the subject of the complaint and that no proceedings can be initiated on that basis.
However, at the stage of transferring the complaint, the respondent itself notes in its response that a failure to comply with its obligation to inform about the data it collects through employers (the respondent's suppliers) is alleged against it. This obligation concerns a right of the data subjects and of the complainant directly related to the collection of data as sensitive as health data. In the face of such an obvious breach, also related to the design of the processing, the AEPD cannot omit to demand responsibility for this clear unlawfulness simply because it was not specifically expressed in the complaint. The respondent had not proven that it had complied with the obligation to inform the affected parties, which is why the sanctioning procedure was also initiated for this fact.
VIII Classification and qualification of infringements
It is considered that the facts set forth could violate the provisions of Articles 14, 9.2 and 6.1 of the GDPR, with the scope expressed in the preceding Legal Basis, which implies the commission of the infringements classified in Article 83(5)(a) and (5)(b) of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides that: "5.
Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of not more than EUR 20 000 000 or, in the case of an undertaking, not more than 4 % of the total annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9; b) the rights of data subjects pursuant to Articles 12 to 22;"
In this regard, Article 71 of the LOPDGDD establishes that "The acts and conduct referred to in sections 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements." For the purposes of the limitation period, Article 72 of the LOPDGDD indicates: "Infringements considered very serious. 1. According to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations: […] b) The processing of personal data without any of the conditions for lawfulness of the processing established in Article 6 of Regulation (EU) 2016/679 being met. […] e) The processing of personal data of the categories referred to in Article 9 of Regulation (EU) 2016/679 without any of the circumstances provided for in that provision and in Article 9 of this organic law being met. […] h) The failure to inform the affected party about the processing of their personal data in accordance with the provisions of Articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this organic law."
IX Determination of the sanction
The fines imposed must be, in each case, individual, effective, proportionate and dissuasive, in accordance with Article 83.1 of the GDPR.
In order to determine the administrative fine to be imposed, the provisions of Article 83.2 of the GDPR must be observed, which states: "Administrative fines shall be imposed, depending on the circumstances of each individual case, as an additional or alternative measure to the measures referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:
a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentionality or negligence of the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;
d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42;
k) any other aggravating or mitigating factor applicable to the circumstances of
the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."
In relation to letter k) of Article 83.2 of the GDPR, Article 76 of the LOPDGDD, "Sanctions and corrective measures", provides: "1. The sanctions provided for in sections 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continued nature of the infringement.
b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the conduct of the affected party could have induced the commission of the infringement.
e) The existence of a merger process after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party."
Letter e) of Article 83.2 refers to "any previous infringement committed by the controller or processor". It is applicable to the respondent, since a sanction classified as serious was recently imposed on it, on 02/24/2023, in procedure EXP202100603, PS/00553/2021, for a violation of Article 35 of the RGPD, for not having a valid Data Protection Impact Assessment for the processing of biometric data as part of the means of access to the MWC venue in the previous year, 2021. This is highly relevant to all the infringements now being assessed, since they correspond to the event of the following year and are likewise related, in one way or another, to the instruments implemented to allow access to the event, taking into account the measures to stop the spread of COVID-19. In addition, both cases concern special categories of data: biometric data in 2021, health data now. The provision, which is directly applicable, does not distinguish according to whether the earlier infringement is of the same type or nature, and in this case it is clearly related to special categories of data.
The judgment of the CJEU of 5/12/2023, case C-807/21, indicates in paragraph 45: "The material requirements that a supervisory authority must respect when imposing such a fine are established, in sections 1 to 6 of Article 83 of the GDPR, in a precise manner and without leaving the Member States any margin of appreciation." Article 83.2.e) of the GDPR provides that, when deciding the amount of the administrative fine, "any previous infringement committed by the controller" must be considered, so it applies as an aggravating factor to all the infringements charged, given the link between the conducts charged, which form a single course of action in the processing of the data of the suppliers' employees. The respondent alleged that, for all infringements, the purpose that guided it, ensuring the health of the workers, should be considered a mitigating factor. However, alongside this concern, the protection of the data of those affected, as a right of their own and as self-determination to be managed in accordance with the regulations and with the guarantees and safeguards that the RGPD and the LOPDGDD establish, must also be considered; the two are in no way incompatible. Thus, having made the above assessment, the circumstances that must be taken into account for the imposition of a fine for the infringement of Article 14 of the GDPR are analysed. For the purposes of setting the amount of the penalty to be imposed in the present case, it is considered that the penalty should be graduated in accordance with the following circumstances included in Article 83.2 of the GDPR:
- From Article 83.2.a): "the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered."
The processing is carried out on all the employees of the suppliers without their knowing all the elements of the processing of their data, which aggravates the conduct because it prevents them from controlling their personal data.
- From Article 83.2.b): "the intentionality or negligence in the infringement." In meeting its legal obligations, the respondent intends to shift the burden to the supplier, the employer of the workers, when it is the respondent that must answer legally, and the obligation cannot be delegated. In addition, it had the means to inform, so there was no reasonable diligence in complying with the legal obligation, which reveals a lack of diligence in its fulfilment. The ruling of the National Court of 17/10/2007, appeal 63/2006, indicates that the Supreme Court "has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to the professionalism or otherwise of the subject, and there is no doubt that, in the case now examined, when the activity of the respondent is one of constant and abundant handling of personal data in the organisation of events with massive attendance, the rigour and exquisite care required to comply with the legal provisions in this regard must be insisted on." The respondent, regarding this aggravating circumstance, alleged that it should instead be considered a mitigating circumstance because of the objective pursued, its collaboration with the health authorities to comply with the public health regulations and the applicable restrictions, and its diligence, given that it had no access to the data.
This claim, which has already been partially answered in the general claim, must be rejected, also because it has nothing to do with the aggravating factor being analysed in relation to the circumstances of the conduct described, namely the respondent's access to the data, since informing does not depend on access to the data. These circumstances are considered to aggravate the infringement, and a fine of 100,000 euros should be imposed.
Regarding the infringement of Article 9.2, it is considered that, in addition to the already indicated application of the circumstance contained in Article 83.2.e) of the GDPR, the following circumstance applies:
- Article 83.2.a): "the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages and losses they have suffered." The collection and processing of data took place at a private event; the processing is not merely incidental or accessory, since it involves recording health data in an application and storing them for the duration of the event, expected to begin on 21/01/2022 and run until 08/03/2022, without the employees having the option not to provide health data, in a situation of imbalance between the parties that affects the freedom of the data subjects, who cannot refuse to provide such data if they want to go to work; all of these are aggravating elements of the infringement, affecting several thousand employees. These circumstances constitute this aggravating circumstance of the infringement.
- Article 83.2.k) RGPD in relation to Article 76.2.b) LOPDGDD: the link between the business activity of the respondent and the processing of personal data.
The respondent, in the development of its own event-organising activity, related to the development of some of the emerging technologies, needs to process personal data regularly and has been doing so in successive editions in an innovative field in terms of technologies, as has been said. As a counterpart, this fact affects the diligence required of it in complying with the principles governing the processing of personal data and the quality and effectiveness of the technical and organisational measures it must have implemented to guarantee respect for this fundamental right, in this case that of the employees. These are aggravating elements of the infringement. The respondent alleged, regarding this aggravating circumstance, that its business is in fact the promotion of mobile telephony, which it carries out in collaboration with FIRA, and that its commercial activity has no special relationship with the processing of health data. This claim cannot be upheld, given that the respondent processes the data of employees at each edition of the event, itself or through managers, and decides, in this case partly because of the pandemic, to implement contactless technological means, which require providing personal data in order to access work. The high number of attendees and of employees needed to set up the facilities, and the duration of the event, mean that significant data processing must be taken into account at each annual congress it holds. Weighing the circumstances considered with respect to the infringement committed, by violating the provisions of Article 9.2 of the GDPR, leads to setting a fine of 300,000 euros.
As regards the infringement of Article 6.1 of the GDPR, also considering the already indicated occurrence of the circumstance contained in Article 83.2.e) of the GDPR, the following circumstances must also be taken into account for the grading of the sanction:
- Article 83.2.a): "the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages and losses they have suffered." The processing falls mainly on a group of suppliers' employees who do not expect their data to be processed by a third party, as they have no direct relationship with that entity. The duration of this processing is longer than that for attendees, as the employees have to go to work before, during and after the event. It applies to all the suppliers' employees, who must either be vaccinated or provide a PCR test, which is not recorded as paid for by anyone other than the employee and which, because of its limited validity, must be repeated during the period in which they must access the premises to carry out their work, or provide a certificate of recovery from the disease; these elements aggravate the sanction. The sanction in this case is set at 200,000 euros.
Finally, the respondent argued that, for all the infringements, there was no element of guilt in its conduct, given its desire to guarantee the health of the workers, the context and the changing measures, and that there was no negative impact on the pandemic situation; it acted diligently by having a person in charge and by acting on the precautionary principle of Article 3 of Law 33/2011 of 4/10 on public health.
The Supreme Court, in line with the Constitutional Court, has established that the sanctioning power of the Administration, as a manifestation of the ius puniendi of the State, is governed by the principles of criminal law, the basic structural principle being that of guilt, which is incompatible with a regime of objective liability without fault. The Supreme Court (Judgments of 16 and 22/04/1991) considers that the element of guilt implies that "the action or omission, classified as an administratively punishable offence, must, in any case, be imputable to its author, due to intent or imprudence, negligence or inexcusable ignorance." This requirement of guilt in the field of administrative offences has been reiterated ad nauseam by the jurisprudence of the Supreme Court. Thus, the SSTS of 12 (féc. 388/1994) and 19/05/1998, Section Six, state that in the area of sanctions "any attempt to construct an objective responsibility is prohibited" and that "in the area of administrative responsibility it is not enough that the conduct is unlawful and typical, but it is also necessary that it be culpable, that is, a consequence of an action or omission imputable to its author due to malice or imprudence, negligence or inexcusable ignorance (...) that is, as a requirement derived from Article 25.1 of the Constitution, no one can be condemned or punished except for acts that can be imputed to him as intent or fault (principle of culpability)". In view of the jurisprudence set forth above, it is appropriate to conclude that, when an act occurs that could constitute an administrative offence, culpability must be examined so as not to initiate a sanctioning procedure automatically.
Wilful intent is not necessary for the commission of an offence; mere negligence is sufficient to hold the offender liable, as the Constitutional Court has stated: "beyond simple negligence, the acts cannot be sanctioned". The National Court's ruling of 25/03/2003 also indicates that "As regards guilt, it must be said that generally this type of conduct does not have a wilful component, and most of it occurs without malice or intention. Simple negligence or failure to comply with the duties imposed by law on the persons responsible for files or data processing to exercise extreme diligence is sufficient to avoid, as in the case at hand, the processing of personal data without the consent of the affected person, which denotes an evident lack of compliance with these duties that clearly violates the principles and guarantees established in Organic Law 15/1999, of December 13 (LA LEY 4633/1999), on the Protection of Personal Data, specifically that of the consent of the affected party." The Supreme Court (STS 16/04/91 and STS 22/04/91) considers that it follows from the element of culpability that "the action or omission, qualified as an administratively sanctionable infringement, must be, in any case, imputable to its author, due to intent or imprudence, negligence or inexcusable ignorance." Furthermore, the National Court, on the subject of personal data protection, has declared that "simple negligence or failure to comply with the duties that the Law imposes on persons responsible for files or the processing of data to exercise extreme diligence is sufficient..." (SAN 26/06/01).
The judgment of the CJEU of 5/12/2023, case C-807/21, states in paragraph 75: "Consequently, it must be declared that Article 83 of the GDPR does not allow the imposition of an administrative fine for an infringement referred to in its paragraphs 4 to 6 without proving that said infringement was committed intentionally or negligently by the data controller and that, therefore, culpability in the commission of the infringement constitutes a requirement for the imposition of the fine." In the present case, the respondent knew that only certain sectors were subject to the requirement of COVID certification documentation, and only for a certain period of time. The access policy for the MWC 22 facilities began to be planned well in advance, in the autumn of 2021, taking into account the point of view of the health authorities, which was sufficient time to evaluate all the variables affecting the risks that the processing of personal data poses to the rights and freedoms of the data subjects, an assessment that must be applied to any processing, regardless of its type, and in this case with greater rigour as it concerns special categories of data. The respondent should have known that vaccination was not mandatory. The respondent has acknowledged that in this case there is no law that makes this measure applicable to its sector, nor any administrative provisions, recognising that those issued in Catalonia did not contemplate this scenario. Despite this, the employees' health data were processed, which shows a lack of diligence in considering the legitimising basis for the processing carried out and the information collected, and which constitutes and proves the guilt of the respondent through a deficient data protection governance. Furthermore, neither the way in which the processing was carried out nor its purpose is an obstacle to finding this lack of diligence and unlawfulness.
As regards the application of mitigating factors, the respondent considers that it should be taken into account, in relation to the purpose of the processing operation, that the purpose was to ensure health, in line with the measures agreed with the health authority. However, although the purpose may be legitimate, the measure was neither necessary nor proportionate, since the risks of non-compliance with the regulations and the impact that the measure could have on the data subjects were not assessed. The respondent also considers that it is not a professional in data processing. However, the application of the aggravating circumstance of Article 83.2.k) of the GDPR does not require this professionalism. The entity has been holding the event since 2006, and it has been and continues to be attended by many thousands of people, which implies a professionalised processing of personal data and therefore requires special diligence in complying with data protection legislation and the principle of accountability, which requires assessing the risks involved in the processing of personal data and establishing guarantees to ensure a high level of protection of data subjects' rights. Therefore, the reasons given do not justify reducing the penalties.
Therefore, in accordance with the applicable legislation and having assessed the criteria for graduating sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE ON GSMA LIMITED, with NIF N4004237F, for the alleged infringement of the following articles of the GDPR:
- 9.2 of the GDPR, in accordance with Article 83.5.a) of the GDPR, and for the purposes of prescription classified as very serious in Article 72.1.e) of the LOPDGDD, a fine of 300,000 euros.
- 6.1 of the GDPR, in accordance with Article 83.5.a) of the GDPR, and for the purposes of prescription classified as very serious in Article 72.1.b) of the LOPDGDD, a fine of 200,000 euros.
- 14 of the GDPR, in accordance with Article 83.5.b) of the GDPR, and for the purposes of prescription classified as very serious in Article 72.1.h) of the LOPDGDD, a fine of 100,000 euros.
SECOND: TO NOTIFY this resolution to GSMA LIMITED and GSMC EVENT PROJECT MANAGEMENT, S.L.
THIRD: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration (one month from the day following notification of this resolution) has ended without the interested party having made use of this option. The sanctioned party is warned that it must pay the sanction imposed once this resolution is enforceable, in accordance with Article 98.1.b) of the LPACAP, within the voluntary payment period established in Article 68 of the General Regulations for Collection, approved by Royal Decree 939/2005 of 29/07, in relation to Article 62 of Law 58/2003 of 17/12, by paying it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected through enforcement proceedings.
Once the notification has been received and has been enforced, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13/07, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final decision in administrative proceedings may be provisionally suspended if the interested party C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 96/96 expresses his intention to lodge an administrative appeal. 
If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned LPACAP. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will consider the precautionary suspension to be terminated. 938-16012024 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
