AEPD (Spain) - E/12707/2022

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 13.10.2023
Fine: n/a
Parties: Consellería del Mar
A.A.A
National Case Number/Name: E/12707/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD Decisions (in ES)
Initial Contributor: Genoveva Gil

Consellería del Mar sent a notification containing third parties’ personal data. The breach was due to a human error, and the Spanish DPA concluded that there was an infringement of Articles 5(1)(f) and 32(1) of the GDPR.

English Summary

Facts

The complainant received a notification from Consellería del Mar containing a list of names and surnames corresponding to 17 different people. Moreover, the complainant’s personal data was sent to another data subject. The origin of this data breach was a human error during the printing process of the different documentation.

Holding

The Spanish DPA concluded that there was a breach of Articles 5(1)(f) and 32(1) of the GDPR. The access to the third parties’ personal data constituted a breach of the principle of confidentiality. The DPA issued a reprimand to Consellería del Mar.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202212707
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: D. A.A.A. (hereinafter the claimant) on 10/06/2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against CONSELLERÍA DEL MAR with NIF S1511001H (hereinafter the defendant). The reasons on which the claim is based are the following: the defendant notified the affected party of the report of a complaint. Along with the report of his complaint (380/21/C), 17 more reports containing data from third parties were attached. According to him, a colleague informed him that he had received at his home the record containing the claimant's details and those of other members of the Cabo de Cruz Brotherhood.
Along with the claim, the notification provided by the claimed party is provided.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was reported on 11/29/2022 to the claimed party, so that it could proceed with its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 11/30/2022 as stated in the acknowledgment of receipt that is in the file.
The respondent, in writing dated 12/28/2022, has stated, in summary, that the General Technical Secretariat of the Conselleria do Mar holds the status of responsible with respect to the processing of personal data that arises from the initiation of sanctioning procedures in fishing matters; that upon receipt of the claim, the DPD began investigation work into the facts complained of; that the notification of the agreement to initiate the sanctioning procedures was carried out by postal mail, attaching to each of them, in accordance with the provisions of current legislation, a copy of the corresponding minutes; that at the time of photocopying and enveloping the documentation of the files for sending them to the affected people, an error occurred that resulted in said sending including, in one case, a list of minutes, which in reality are from an Official Letter sent by the Fish Guard to the Territorial Headquarters of A Coruña of the Conselleria itself and which should not have been included in the documentation sent together with the Agreement to initiate the sanctioning procedure and, in another case, the first page of the report of the complaint corresponding to another interested party was sent to one of the interested parties, although in no case, and contrary to what was stated by the claimant, were another 17 reports corresponding to third parties attached to the report of his complaint, but rather a list of names and surnames associated with a record number, without containing any other personal data. Nor was the complete record corresponding to the claimant sent to any third party, but rather, due to an error when photocopying the file, a page of the claimant's record was also photocopied on the front of one of the pages of the notification addressed to this third party.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
 Provides the Record of Treatment Activities and the Impact Evaluation Report.
THIRD: On 01/06/2023, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.
FOURTH: On 05/03/2023, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the complainant, for the alleged infringement of articles 5.1.f) and 32.1 of the RGPD, typified in the articles 83.5.a) and 83.4.a) of the aforementioned RGPD and sanctioned in accordance with the provisions of article 77 of the LOPDGDD.
FIFTH: Once the initiation agreement was notified, the defendant on 12/28/2022 presented a written statement of allegations stating, in summary, the following: that within the functions of the brotherhoods in defense of the interests of the professionals that comprise them, the brotherhoods are responsible for the surveillance of the maritime and maritime-terrestrial public domain areas that were entrusted to them for their use; that the functions of fishing and shellfish inspection and surveillance are carried out by the brotherhoods through the figure of maritime fish guards, duly authorized in accordance with their specific regulations; that, likewise, the General Technical Secretariat of the Conselleria do Mar holds the status of responsible with respect to the processing of personal data that arises from the initiation of procedures of a sanctioning nature in matters of fishing, for which it has the collaboration of the brotherhoods; Having received the claim, the DPD began the corresponding investigation work into the facts stated, gathering information from the different technical units that could be involved, requesting a report from the Territorial Headquarters of A Coruña, where the events that gave rise to the claim, and from whose analysis it is concluded that:
• The complaint reports prepared against said interested parties gave rise to the corresponding sanctioning procedures.
• The notification of the initiation agreement was carried out through postal mail, attaching to each of them a copy of the corresponding minutes.
• However, in view of the information transferred, at the time of photocopying and covering the documentation in the files for sending to the affected people, an error occurred that resulted in said shipment including a list of minutes that should not have been included in the documentation sent together with the agreement to initiate the sanctioning procedure and, in another case, the first page of the complaint report corresponding to another interested party was sent to one of those affected.
In no case were the other 17 minutes corresponding to interested third parties attached to the report of the complaint, but instead, by mistake, a list of names and surnames associated with a record number was photocopied and included in the postal notification sent to the claimant, without containing any other personal data.
That the incident was appropriately analyzed and recorded once the DPD of the Conselleria do Mar had effective knowledge of it, it was decided to adopt a series of measures to avoid incidents such as the one that gave rise to the claim.
SIXTH: On 05/17/2023, a test practice period began, agreeing to the following
- Consider reproduced for evidentiary purposes the claim filed by the claimant and its documentation, the documents obtained and generated that are part of the procedure.
- Consider reproduced for evidentiary purposes, the allegations to the agreement to initiate the referenced sanctioning procedure, presented by the defendant and the documentation provided.
SEVENTH: On 07/06/2023, a Proposal for Resolution was issued in the sense that the Director of the Spanish Data Protection Agency would sanction the person complained of for violating articles 6.1 and 32.1 of the RGPD, typified in article 83.5. a) and article 83.4.a) of the aforementioned RGPD.
The aforementioned Proposal was notified to the respondent on 07/11/2023. After the legally stipulated period had elapsed, the defendant did not present a written statement of allegations.
EIGHTH: Of the actions carried out in this procedure, the following have been accredited:
PROVEN FACTS
FIRST. On 10/06/2022, the Spanish Data Protection Agency received a written entry from the complainant stating that the defendant notified him of a report of a complaint and, along with it (380/21/C), 17 more minutes were attached containing third-party data; he also points out that a colleague informed him that he had received at his home the record containing the data of the claimant and those of other members of the Brotherhood of Cabo de Cruz, considering that the regulations on the protection of personal data had been violated.
SECOND. The notification of the official letter sent to the claimant by the “Virgen del Carmen” Fishermen's Guild, subject: sending infringement records regarding shellfish harvesting, to which is attached a list of minutes in which the names and surnames of interested parties appear (17) and the corresponding record number.
THIRD. The defendant, in writing dated 12/28/2022, stated that everything was due to “a regrettable human error at the time of photocopying the documents that should be accompanied by the notifications of the agreement to initiate the different sanctioning procedures.”
And that error caused the notification sent to the claimant to “include a list of names and surnames of 17 other people... associated with record numbers” and also “to send to one of the interested parties the first page of the complaint record corresponding to the claimant, which includes the identifying data of the interested party and the vessel.”
FOURTH. The documents Record of Processing Activities and Impact Assessment Report relating to Data Protection are provided by the defendant.
FOUNDATIONS OF LAW
I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
 II
The reported facts consist of the notification carried out, which is considered to have violated the regulations on the protection of personal data by containing, together with the report of the complaint relating to the accused, a document containing third-party data.
Article 58 of the GDPR, Powers, states:
"2. Each supervisory authority will have all of the following corrective powers indicated below:
(...)
b) sanction any person responsible or in charge of processing with a warning when processing operations have infringed the provisions of this Regulation;
(...).”
III
Firstly, such processing could constitute a violation of article 5, Principles relating to processing, of the GDPR, which establishes that: “1. The personal data will be:
(...)
f) processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures («integrity and confidentiality»).
(...)”
IV
Article 83.5 a) of the RGPD considers that the violation of “the basic principles for the treatment, including the conditions for consent under articles 5, 6, 7 and 9” is punishable.
For its part, the LOPDGDD in its article 71, Infringements, states that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 constitute infringements, as well as those that are contrary to this organic law.”
Also the LOPDGDD, for the purposes of prescription, in its article 72 indicates: “Infringements considered very serious:
1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following, are considered very serious and will expire after three years:
a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679.
(...)”
V
1. The documentation in the file offers clear indications that the defendant violated article 5 of the RGPD, principles relating to processing, by allowing access to personal data belonging to third parties by sending, attached to the notification of the report of the complaint, a list of names and surnames of 17 interested parties along with the corresponding record number.
The duty of confidentiality must be understood as having the purpose of preventing data leaks not permitted by the data owners.
The defendant himself has stated that the cause of the incident was “a regrettable human error at the time of photocopying the documents that should accompany the notifications of agreement to initiate the different sanctioning procedures. Obviously, the intention of the staff of this Department was in no case to reveal personal data to third parties not interested in each of the notified sanctioning procedures, nor to cause any harm to those affected, but only to comply with the obligations derived from the corresponding administrative procedure”.
This error caused the notification sent to the claimant to include “a list of names and surnames of 17 other people,..., associated with record numbers...also resulted in the first page of the complaint report corresponding to the claimant, which includes the identifying data of the interested party and the vessel, being sent to one of the interested parties.”
Therefore, the conduct of the defendant is considered to violate the principle of confidentiality, in accordance with the provisions of article 5.1.f) of the RGPD, typified in article 83.5.a) of the aforementioned Regulation.
VI
Secondly, the defendant is attributed with the violation of article 32 of the RGPD, “Safety of treatment”, which establishes that:
"1. Taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the processing, as well as risks of varying probability and severity for the rights and freedoms of natural persons, the controller and the person in charge of the treatment will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes, among others:
a) pseudonymization and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to quickly restore availability and access to personal data in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing.
2. When assessing the adequacy of the level of security, particular account will be taken of the risks presented by data processing, in particular as a consequence of accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to said data.
3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to Article 42 may serve as an element to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and the processor will take measures to ensure that any person acting under the authority of the controller or the processor and has access to personal data may only process such data following instructions from the controller, unless it is obliged to do so under Union or Member State law."
VII
The violation of article 32 of the RGPD is classified in article 83.4.a) of the aforementioned RGPD in the following terms:
"4. Infringements of the following provisions shall be punished, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual overall turnover of the previous financial year, opting for the highest amount:
a) the obligations of the controller and the processor in accordance with articles 8, 11, 25 to 39, 42 and 43.
(...)”
For its part, the LOPDGDD in its article 71, Infringements, states that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 constitute infringements, as well as those that are contrary to this organic law.”
And in its article 73, for the purposes of prescription, it qualifies as “Infringements considered serious”:
“Based on what is established in article 83.4 of Regulation (EU) 2016/679, infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following, are considered serious and will expire after two years:
(...)
g) The failure, as a consequence of the lack of due diligence, of the technical and organizational measures that had been implemented in accordance with the requirements of article 32.1 of Regulation (EU) 2016/679.”
(...)”
VIII
1. The GDPR defines personal data security breaches as “all those security violations that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or unauthorized communication or access to said data.”
The documentation in the file offers clear indications that the defendant has violated article 32.1 of the RGPD, when a security incident occurred, violating the established technical and organizational measures.
It should be noted that the RGPD in the aforementioned precept does not establish a list of the security measures that are applicable according to the data that are subject to processing, but rather establishes that the person responsible and the person in charge of the treatment will apply technical and organizational measures that are appropriate to the risk involved in the processing, taking into account the state of the art, the costs of application, the nature, scope, context and purposes of the processing, and the probability and seriousness of the risks for the rights and freedoms of the interested parties.
Likewise, security measures must be appropriate and proportionate to the risk detected, noting that the determination of technical and organizational measures must be carried out taking into account: pseudonymization and encryption, the ability to guarantee confidentiality, integrity, availability and resilience, the ability to restore availability and access to data after an incident, verification process (not audit), evaluation and assessment of the effectiveness of the measures.
In any case, when evaluating the adequacy of the level of security, particular consideration will be given to the risks presented by data processing, as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or unauthorized communication or access to said data that could cause physical, material or immaterial damage.
In this same sense, recital 83 of the GDPR states that:
“(83) In order to maintain security and prevent processing from violating the provisions of this Regulation, the controller or processor must assess the risks inherent in the processing and implement measures to mitigate them, such as encryption. These measures must ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the cost of their implementation with respect to the risks and the nature of the personal data to be protected. When assessing risk in relation to data security, you should take into account the risks arising from the processing of personal data, such as accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to said data, which may in particular cause physical, material or immaterial damage and harm.”
2. In the present case, as recorded in the file, the AEPD transferred the claim presented to the defendant so that he could proceed with its analysis and inform this Agency of the actions carried out to adapt to the requirements set forth in the regulations for the protection of data.
The defendant, as already indicated in the previous basis, has confirmed that due to a regrettable human error at the time of photocopying the documents that should accompany the notifications of agreement to initiate the different sanctioning procedures, the following occurred:
“- in one case, a list of minutes that should not have been included in the documentation sent together with the Agreement to initiate the sanctioning procedure and
- in another case, the first page of the report corresponding to another interested party was sent to one of the interested parties.”
It should be noted that the responsibility of the claimant is determined by the security incident revealed by the claimant, as no measures have been adopted to avoid errors such as the one produced, since he is responsible for making decisions aimed at effectively implementing and adapting the appropriate technical and organizational measures in order to guarantee a level of security appropriate to the risk, ensuring the confidentiality of the data, restoring its availability and preventing access to it in the event of a physical or technical incident.
In accordance with the above, it is estimated that the defendant would be allegedly responsible for the violation of the RGPD: the violation of article 32, an infringement classified in article 83.4.a).
IX
The LOPDGDD in its article 77, Regime applicable to certain categories of responsible or in charge of the treatment, establishes the following:
"1. The regime established in this article will apply to the treatments for which they are responsible or in charge:
a) Constitutional bodies or bodies with constitutional relevance and the institutions of the autonomous communities analogous to them.
b) The jurisdictional bodies.
c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration.
d) Public bodies and public law entities linked to or dependent on Public Administrations.
e) Independent administrative authorities.
f) The Bank of Spain.
g) Public law corporations when the purposes of the processing are related to the exercise of public law powers.
h) Public sector foundations.
i) Public Universities.
j) The consortia.
k) The parliamentary groups of the Cortes Generales and the autonomous Legislative Assemblies, as well as the political groups of the Local Corporations.
2. When the persons responsible or in charge listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organic law, the competent data protection authority will issue a resolution sanctioning them with a warning. The resolution will also establish the measures that should be adopted to stop the conduct or correct the effects of the infraction that has been committed.
The resolution will be notified to the person responsible or in charge of the treatment, to the body on which it depends hierarchically, if applicable, and to those affected who have the status of interested party, if applicable.
3. Without prejudice to what is established in the previous section, the data protection authority will also propose the initiation of disciplinary actions when there is sufficient evidence to do so. In this case, the procedure and sanctions to be applied will be those established in the legislation on the disciplinary or sanctioning regime that is applicable.
Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for treatment that have not been duly attended to is proven, the resolution in which the sanction is imposed will include a reprimand with the name of the responsible position, and publication will be ordered in the corresponding Official State or Regional Gazette.
4. The resolutions issued in relation to the measures and actions referred to in the previous sections must be communicated to the data protection authority.
5. The actions carried out and the resolutions issued under this article will be communicated to the Ombudsman or, where appropriate, to the analogous institutions of the autonomous communities.
6. When the competent authority is the Spanish Data Protection Agency, it will publish on its website with due separation the resolutions referring to the entities in section 1 of this article, with express indication of the identity of the person responsible or in charge of the treatment who had committed the infraction.
When the jurisdiction corresponds to a regional data protection authority, the publicity of these resolutions will be subject to the provisions of its specific regulations."
In the case examined, the sanctioning procedure results from the fact that the defendant, as established in the proven facts, has violated the regulations on the protection of personal data, both the principle of data confidentiality and the technical and organizational measures implemented.
Such conduct constitutes, on the part of the defendant, a violation of the provisions of articles 5.1.f) and 32.1 of the RGPD.
It should be noted that the RGPD, without prejudice to the provisions of its article 83, contemplates in its article 77 the possibility of resorting to the sanction of warning to correct the processing of personal data that does not comply with its provisions, when those responsible or managers listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organic law.
Additionally, article 58 of the RGPD contemplates, in section 2 d), that each supervisory authority may “order the person responsible or in charge of processing that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period...”.
However, the defendant has stated that, once the incident occurred was analyzed, it was decided to adopt a series of measures in order to prevent this type of situation from occurring in the future:
“• Address all units of this Department, whether or not involved in the events that are the subject of the claim, in order to expressly reiterate aspects such as the following:
- The obligation to previously review any documentation that is to be sent by postal mail or personally delivered to those affected, in order to detect possible errors in its content in advance.
- Recall again in general terms the main rules and good practices to be taken into account to protect documentation in paper format that contains personal data, in order to guarantee its security and prevent unauthorized access to it, its theft or the manipulation of the information by third parties.
- Reiterate again in writing to users their security obligations and the consequences of non-compliance. Among these obligations, special emphasis will be placed on communicating to the Ministry's data protection delegate any incident of which they are aware and that could affect the security of personal data or information in general, through the appropriate channels.
For these purposes, a communication was prepared addressed to the staff of the Conselleria do Mar, which is planned to be sent via email once the current Christmas holiday period has ended, in order to capture the maximum possible attention from the recipients.
• Maintain within the Staff Training and Awareness Plan, the user training and awareness actions carried out to date and which are mentioned in the following section of this document.
In any case, this Department expresses its full collaboration when establishing any measures or actions that the Spanish Data Protection Agency deems appropriate to implement."
And, furthermore, that both the defendant and the Xunta “are fully aware of the need to respect the fundamental right to data protection and are aware of the special sensitivity of the personal data processed by some of its services, and especially those related to the most vulnerable groups. This is why, since the entry into force of the General Data Protection Regulation, it has been carrying out exhaustive work to adapt all its personal data processing to current regulations.
That, among said adaptation works, the following should be highlighted:
1. Review and analysis of each of the treatments carried out, their purposes and bases of treatment, ...
2. Review and update of information clauses for interested parties (adequacy of the legitimizing bases of the treatment, especially with regard to the applicability of consent) and those necessary to regulate the relationship responsible-processor or between joint controllers, where applicable.
3. Within the Risk Treatment Action Plan, carrying out the corresponding risk analyzes and impact assessments on data protection.
4. Within the training and awareness work, different training sessions have recently been given on the protection of personal data aimed at the Ministry's staff, both general and specialized,...
Likewise, through the Intranet of the Xunta de Galicia, users of the information system of this Department have permanently at their disposal, among other things, the following information:
◦ Personal data protection regulations (general, regional and most relevant reports from the control authorities – AEPD).
◦ Regulations and policies on information security and cybersecurity.
◦ Models and procedures for adaptation to data protection regulations.
◦ Training and dissemination channel: offer of courses and conferences on data protection and information security and associated documentation. Among these courses and conferences you can find training activities at different levels: Introduction; Advanced; Higher course in data protection and Higher course in cybersecurity among others.
Etc etc.
Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven,
The Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE on the CONSELLERÍA DEL MAR, with NIF S1511001H, for violations of articles 5.1.f) and 32.1 of the RGPD, typified in articles 83.5.a) and 83.4.a) of the RGPD, a sanction of warning for each one of the aforementioned violations.
SECOND: NOTIFY this resolution to the CONSELLERÍA DEL MAR.
THIRD: COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file a reconsideration appeal before the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this resolution or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months starting from the day following notification of this act, as provided for in article 46.1 of the aforementioned Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency were not aware of the filing of the contentious-administrative appeal within a period of two months from the day following notification of this resolution, it would terminate the precautionary suspension.
Mar España Martí Director of the Spanish Data Protection Agency