AEPD (Spain) - PS/00024/2019

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32(2) GDPR
Article 55(1) GDPR
Article 57(1) GDPR
Article 58(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 03.02.2020
Fine: None
Parties: The Department of Education, University and Vocational Training
Anonymous
National Case Number/Name: PS/00024/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The AEPD found that the dissemination of students' personal data on a list made available to the public offline and online was contrary to the principles of confidentiality and security of processing.

English Summary

Facts

The complainant filed a complaint with the AEPD against the EEIM School regarding the disclosure to the public, offline and online, of the final list of the 100 admitted students containing their personal data. Indeed, the list was made available to the public on the school's outside facade, as well as on the school's website.

The complainant claimed that the data controller violated the principle of confidentiality, namely Article 5(1)(f) GDPR, and thus did not comply with Article 5(2) GDPR, referred to as the principle of "proactive responsibility". In addition, it claimed that the data controller did not adequately assess the level of risk present in the processing and thus violated Article 32(2) GDPR. Finally, the complainant argued that Article 5 of the national data protection law, the "LOPDGDD", had been infringed.

By virtue of Articles 55(1), 57(1) and 58(2) GDPR, the AEPD issued the following decision.

Dispute

Is the open dissemination of students' personal data on a school's facade, as well as on the school's website, contrary to the principles of confidentiality and security of processing?

Holding

The AEPD pointed out the absence of claims concerning the lawfulness of the processing and focused on the confidentiality principle. Indeed, it found that the open dissemination of all students' personal data was contrary to the principle of confidentiality and security of processing, within the meaning of Articles 5(1)(f) and 32(2) GDPR. It underlined that the data controller had not taken prior technical or organizational measures aimed at guaranteeing an adequate level of security that would prevent the communication of and/or indiscriminate access to this personal information by third parties unconnected with the selection procedure. The AEPD ordered the data controller to adopt appropriate and adequate security measures in order to comply with the GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure Nº: PS/00024/2019
938-051119

Sanctioning procedure resolution of the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND

FIRST: On September 12, 2018 Mrs. A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency against the SCHOOL OF CHILDREN'S EDUCATION OF MILLADOIRO (AMES), (hereinafter, School or EEI), on the occasion of the presentation of the final list of students admitted for the 2018/2019 academic year, dated May 14, 2018, on the main facade and glass of the center, so that it is accessible from the outside to any passerby or neighbor. The above-mentioned list, of which the claimant has provided a copy, contains a detailed list of the order number, names, surnames and marks of a total of 100 students admitted for the said school year in the aforementioned Centre, which is dependent on the COUNSELING OF EDUCATION, UNIVERSITY AND VOCATIONAL TRAINING OF THE BOARD OF GALICIA (hereinafter, the Council or the claimant).

The Complainant also states that the school provided all the families of the class of her youngest daughter with a list of the identification data of the students in the group, a copy of which is attached.

SECOND: On October 11, 2018, in accordance with Article 9.4 of Royal Decree-Law 5/2018, the complaint presented by the complainant was transferred to the aforementioned school so that within a period of one month this Agency could be informed of the causes that had motivated the facts of the complaint and inform the measures adopted to avoid similar incidents.

In response to this request for information, on November 28, 2018, the complainant was registered in writing, indicating the following with respect to the list of admitted students: "That the process of admitting students to public schools is a competitive process, and that in these competitive procedures the most absolute transparency must govern, so that the lists of admitted students are always made public. It should also be pointed out that Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, provides in Article 45 for the possibility of replacing individualized notification with publication of certain procedures.
Specifically, this provision includes "acts that are part of a selective or competitive procedure of any kind. In this case, the notice of the procedure must indicate the medium in which the successive publications are to be made; those made in different places are not valid." As it is a competitive procedure, there is a legal authorization to proceed with the publication of these lists of admitted persons, which has been specified in the Order of March 12, 2013 by which the procedure for the admission of students to teaching centers supported by public funds that provide 2nd cycle of infant education, of primary education, compulsory secondary education and high school regulated by Organic Law 2/2006 of 3 May on education is developed (DOG 15/03/2013), recently amended by the Order of 25 January 2017 amending the Order of 12 March 2013 (...) (DOG 01/02/2017).
Article 30 of the Order of 12 March 2013 (...) establishes the following: "Article 30. Publication of the provisional list of admitted and non-admitted students and complaints. 1. In view of the applications for admission presented, and once the score resulting from the application of the scale criteria has been determined, if applicable, the centre will publish on its notice board and website the nominal list of all admitted and non-admitted students per course, in order of the total score obtained." Likewise, article 31 establishes that: "2. The management of the public centres and the ownership of the private centres involved will publish on their notice board and on their web page, before May 15th of each year, the definitive lists of persons admitted and not admitted (...)" Therefore, as a first premise it must be pointed out that publication both on the centre's web page and on the notice board is expressly authorised by current regulations. It should also be taken into account that the third additional provision of said Order of 12 March 2013, in its wording given by the Order of 25 January 2017, establishes the following: << In accordance with Organic Law 15/1999, of 13 December, on the protection of personal data, the personal data collected in the course of this procedure, the processing and publication of which is authorised by the interested parties through the submission of applications, will be included in a file called "Administrative relations with citizens and entities" for the purpose of managing this procedure, as well as to inform interested parties of its processing. The body responsible for this file is the Regional Ministry of Culture, Education and University Organisation of the Xunta de Galicia.
(...)>> It is particularly important that the order regulating the procedure states that the processing and publication of personal data are authorised by the interested parties themselves by means of the presentation of the application.

The claimant also manifests her disagreement with the fact that the publication on the board is made in the window of the educational centre, in this respect it should be noted that, having consulted the situation, the centre does not have a notice board as such, but rather the windows of the school are used to transmit information to families in which the information on the centre, the ANPA (extracurricular activities, etc.) and the educational and teaching activities of the Ames City Council are posted. During the admission period, and since a lot of documentation must be published (instructions from the council, data from the centre, provisional lists, definitive lists, etc.) the window in front of the school is used, as it is wider and allows a correct view of all the documentation. It should be noted that, as already indicated, the order regulating the admission procedure provides for publication not only on the school's notice board, but also on its web page, thus including an alternative means of publication that implies much greater publicity than the school's notice board. Therefore, it cannot be argued that the complainant did not know that the information that would be published would be accessible to persons outside the educational centre, since the announcement itself indicated that the lists would be published on the notice board and on the web page, a provision that makes it irrelevant that the notice board is accessible from the street, since the centre's web page is accessible by any person from any computer in the world.

Thirdly, the complainant alleges that the centre provides a list of the members of the school group corresponding to the minor to all the families in the class. (...) Therefore, it is intended to explain that the elaboration of these lists and their delivery does not respond to the arbitrariness of the centre, but to the will to provide a better service that facilitates the adaptation period for the families. However, with a view to future school years, the General Technical Secretariat has informed the school that in order to continue using this system, they must obtain authorisation from the students' legal representatives to distribute the list to the other families in the classroom. If the appropriate authorisation is not available, a different system will have to be implemented that does not involve such delivery".

THIRD: On December 2, 2018, the claimant presented an extension of the claim, attaching the following documentation:

- Printing of a document, dated November 30, 2018, for the attention of the General Technical Secretary of the Ministry, one of whose sections indicates that "Upon the election of the members of the School Council, the list of parents that make up the educational community is published in the window and outwards, associating their complete ID card to each name and surname, without any pixelation". The claimant does not accredit the origin, authorship or nature of this document.
- Partial capture of a sheet of the list "Censo de Responsables" of the EEI do Milladoiro, Academic Year 2018/2019, which contains the names, surnames and NICs of the responsible detailed in the numbers 288 to 311 of the Census. This document does not prove, by itself, the exact place of placement of this list.
- Two photographs showing a window with exposed documentation, but which do not allow us to know the content or nature of the documents exposed in said window.

With regard to the lack of pixelation of the DNI contained in the "Census of Persons Responsible" supposedly published in the aforementioned window, it should be noted that on the date of presentation of the extension of the claim, which necessarily follows the date of issue of the aforementioned census, Organic Law 3/2018 of 5 December was not in force. The additional provision contained in that regulation, concerning the "Identification of interested parties in notifications by means of announcements and publications of administrative acts", paragraph 1 of which provides, therefore, was not applicable:

“1. Where it is necessary to publish an administrative act containing personal data on the person concerned, that person shall be identified by his name and surname, with the addition of four random digit numbers from the national identity document, alien identity number, passport or equivalent document. When the publication refers to a plurality of affected persons, these random numbers must be alternated. When the notification is made by means of announcements, particularly in the cases referred to in Article 44 of Law 39/2015 of 1 October, on the Common Administrative Procedure of Public Administrations, the affected person will be identified exclusively by the complete number of his or her national identity card, foreigner's identity number, passport or equivalent document. When the affected person lacks any of the documents mentioned in the two previous paragraphs, he or she will be identified only by his or her name and surname(s). Under no circumstances must the name and surname be published together with the full number of the national identity card, alien's identity number, passport or equivalent document.”

FOURTH: On May 10, 2019, the Director of the Spanish Agency of Data Protection agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of article 58.2 of the RGPD, for the alleged infringement of article 5.1.f) of the RGPD, typified in article 83.5.a) of the RGPD.
In that agreement it was stated "That, if the existence of the described infringements is confirmed, for the purposes provided for in Article 58.2 of the RGPD the corrective measures that could be imposed on the COUNCIL OF EDUCATION, UNIVERSITY AND VOCATIONAL TRAINING OF THE BOARD OF GALICIA, in the resolution, would consist, in view of the elements of judgment available at this time, in ORDERING it to adopt technical and organisational measures adapted to guarantee the principle of confidentiality in order to avoid third parties not interested in accessing the personal information in administrative acts referred to, both to those who participate in selective procedures or competitive tenders that must be notified through publication on bulletin boards or web pages, as well as to personal data concerning interested parties whose identification must include administrative acts to be published in the manner indicated, avoiding, in any case, that these data are accessible indiscriminately from the public highway or open from the websites, in addition to the fact that the published data respond to the principle of minimizing data with respect to the purposes for which they are treated. Such measures should be adopted, where appropriate, within the time limit specified from the date on which the decision imposing the penalty is notified to you, and evidence should be provided to show that it has been complied with".

FIFTH: Once the aforementioned agreement was notified, the respondent presented a written delegation in which, in summary, the statements made in the response to the request for information made together with the transfer of the claim were ratified.

- With regard to the publication of the lists of students admitted on the website of the School and on the glass facade of the same, visible from the outside, it is reiterated that the process of admission of students to public schools constitutes a competitive procedure, governed by the principle of transparency, and these lists are published under the protection of the provisions of Article 45 of the LPACAP and in accordance with the Order of March 12, 2013. It argues that such publication is based on two legitimate grounds provided for in the RGPD and the LOPDGDD. The first basis of legitimacy corresponds to the provisions of Article 6.1.e) of the RGPD, as there is a rule that expressly authorizes the administration to carry out such publication. In this regard, it is pointed out that the schooling process corresponds to the fulfilment of a public interest mission attributed to the education administration by Organic Law 2/2006, of 3 May, on education. With respect to the specific method of notification of the resolution of said process, article 45.1.b) of the LPACAP establishes the legal obligation for the administration responsible for processing to substitute individualized notification of the resolution with publication in selective or competitive procedures. In addition, Articles 30 and 31 of the Order of March 12, 2013, the transcription of which appears in the second precedent above, expressly authorize the publication of the lists of persons admitted and not admitted on the center's website and on the bulletin board. The second basis of legitimacy, responds to the provisions of article 6.1.a) of the RGPD, while in accordance with the provisions of the third additional provision of the aforementioned Order of 12 March, the consent of the affected person would be required for the processing and publication of the personal data collected in the processing of this procedure, as it has been authorised by "the interested persons by means of the presentation of the applications". Therefore, by signing and submitting the applications for the release of her daughters, a copy of which is provided by the claimant, the claimant consented to such publication.
- As for the complainant's disagreement with the fact that the publication on the board is made in the window of the educational centre, the Regional Ministry stated that "the centre does not have a notice board as such, using the windows that are in front of the school to transmit different information to families" and to publish the documentation referred to during the period of admission, given that its scope allows a correct view of all the documentation. The publication of the census lists is necessary for the procedure for holding elections to the School Board, as established in article 44 of Decree 92/1988, which regulates the governing bodies of public educational centres, that "The electoral census must be displayed on the school's notice board at least ten days before the date set for the election, for verification and possible claims by the parents and legal guardians of the students". It is noted that the objective of publishing the lists on the window in such a way that they are accessible from the outside is an attempt to make it easier for parents to consult the census, since in this way they can consult it even when the school is closed.
- They communicate the adoption of measures to comply with the seventh additional provision of the LOPDGDD and to publish the electoral rolls on the internal board of the school.

SIXTH: On 15 November 2019 a proposal for a resolution was made, in the sense that the Director of the Spanish Data Protection Agency should impose on the person claimed, in accordance with the provisions of article 58.2.b) of the RGPD, a warning sanction for an infringement of article 5.1.f) of the RGPD, typified in article 83.5.a) of the RGPD.

Likewise, it was proposed that, if the rectification of the irregular situation described above had not been accredited prior to the issue of the resolution that might be agreed upon, the Director of the Spanish Data Protection Agency should order the respondent, in accordance with the provisions of Article 58.2.d) of the RGPD, "the adoption of appropriate technical and organisational measures to guarantee the principle of confidentiality, which, as far as the School under study is concerned, will tend to prevent the publication of administrative acts containing personal data on the glass façade, and to the outside, of the School that we are concerned with. In general, these measures will be extended to prevent the information of a personal nature contained in this type of administrative acts that are subject to publication in the means established for this purpose from being visible and/or accessible from the outside of the schools, and mechanisms must also be implemented to guarantee that access to the content of these administrative acts published on the website of the schools will be available to the persons interested in the procedures (participants)". It was also indicated that such corrective measures would have to be taken, where appropriate, within one month from the day following the date on which the sanctioning resolution was notified, and that the means of proof of its compliance must be provided within the same period.

SEVENTH: Having been notified of the aforementioned proposal for a resolution, the respondent presented a written statement expressing his disagreement with the alleged violation, based on the following arguments:

- According to the proposal of resolution, any publication made by a public administration under the protection of the LPACAP or in accordance with the provisions of Article 20 of Law 38/2003, of November 17, 2003, on General Subsidies, "would be contrary to the principle of confidentiality, since a publication that not only has a legitimate basis that is not controversial, but also in its formal elements is in accordance with the provisions of the LOPDGDD.” It reiterates that the admission of students to public schools is a competitive procedure in which it is necessary to replace individualized notification by publication in application of a regulation with the status of law (Article 45 of the LPACAP).
- Since the seventh additional provision of the LOPDGDD includes the specific safeguards that apply in the publications of the administrations, it is stated that "a sensu contrario" it can be understood that "in the other aspects relating to publication, no other type of precaution that is legally necessary is established, how to avoid open publication through the conclave and password access suggested by the AEPD, but, as has been pointed out, the correct way to materialize the obligatory publication of the administrative act is provided, which is respectful, at the same time, of the normative limits referred to the protection of personal data.” It adds that these precautions are designed, inter alia, for cases in which publication must have the effect of notification, mainly through official bulletins which, on the date of entry into force of the LOPDGDD, were mostly of an electronic nature, thus enabling maximum publicity among the public of the acts published through free access on the Internet.
In line with this, the claimant argues that "nothing prevents the conformity with the law and the legal validity of the administrative acts that follow the guidelines defined in the seventh additional provision of the LOPDGDD and are published in official electronic bulletins, extending those whose publicity is made through other electronic sites or websites that are enabled for this purpose through the respective calls. And if the publication in those terms is adjusted to the right when it is done through electronic means of free access, with equal reason it will be when it is done in paper format".

- Accessibility of information by an indeterminate number of individuals is inherent to the publication of administrative acts required by Article 45 of the LPACAP.
- In the case analyzed it is considered that the technical and organizational measures adopted have been adequate, while the publication has affected the minimum identifying data, essential and appropriate to achieve, through the administrative procedure promoted, the purpose provided for in the educational regulations. It is noted that there is no legal obligation to adopt measures to ensure that the provisional and final lists of students admitted and not admitted are published only on the school's internal bulletin board.

The Regional Ministry considers that the public interest prevails in the effectiveness of the notification through publication and in the guarantee of the exercise of the right to defend legitimate interests, directly or through associations that protect collective interests that may appear a posteriori, as opposed to the rights of the persons involved, whose privacy is affected at a minimum level. It maintains that taking into account the indications contained in the LOPDGDD regarding the form of publication of administrative acts, the possibility of access with a password is merely a suggestion by the AEPD, and therefore non-compliance would not constitute a breach of any legal obligation applicable to the case under analysis.

FACTS
First: On September 12, 2018, the claimant filed a complaint with the Spanish Data Protection Agency against the Centro Educativo ESCUELA EDUCACION INFANTIL DE MILLADOIRO (hereinafter, EEIM School), on the occasion of the publication of the final lists of students admitted for the 2018/2019 school year, on the main and glass façade of the School, which were visible from outside the School to any person passing through. The complainant added that these lists were also published on the school's website.

Second: The final list of students admitted to the 4th grade of Early Childhood Education (continuous day), academic year 2018/2019 of the EEIM, lists, in order of importance, the names and surnames of the 100 students admitted for that year in that school, which depends on the Department of Education, University and Professional Training of the Galician Government (hereinafter, the Department or the complainant).

Third: On September 12, 2018, the claimant extended her claim to the publication of the census list required for the elections to the School Council on the main and glazed facade of the School, also towards the outside.

Fourth: The "Census of Heads" of the "Academic year: 2018/2019" published on the glass facade of the EEIM contains the name, surname and complete ID of the parents and guardians of the students.

Fifth: The Regional Ministry has acknowledged in the writings presented to this Agency the use of these windows to publish the provisional and final lists of students admitted in the following terms: "During the period of admission, and since it must publish a lot of documentation (instructions from the Regional Ministry, data from the centre, provisional lists, final lists, etc.) the window in front of the school is used, as it is wider and allows a correct view of all the documentation".

Sixth: The Regional Ministry has stated that the objective of publishing the electoral census lists "in the window so that they are accessible from the outside is an attempt to facilitate consultation of the census by parents, since in this way they can consult it even when the school is closed". 

LEGAL FOUNDATIONS
I
By virtue of the powers conferred on each supervisory authority by Articles 55.1 and 2, 57.1 and 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "RGPD"), and in accordance with the provisions of Articles 47 and 48.1, 77.1.c) and 2 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II
This Regulation lays down the rules relating to the protection of individuals with regard to the processing of personal data and the rules relating to the free movement of such data.
2. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union may not be restricted or prohibited on grounds relating to the protection of individuals with regard to the processing of personal data."

To this end, it is recalled that Article 4 of the RGPD, under the heading 'Definitions', provides that: 'For the purposes of this Regulation

any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person

any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing; where the purposes and means of the processing are determined by the law of the Union or of the Member States, the controller or the specific criteria for his nomination may determine them by the law of the Union or of the Member States;"

In accordance with the definitions given in the above-mentioned Article 4(1), (2) and (7) of the RGPD, the dissemination on the glass façade, towards the outside, and on the website of the EEIM educational establishment of the identification data (name and surname) contained in the provisional and definitive lists of pupils admitted and not admitted for the 2018/2019 school year, as well as the exhibition in the glass facade of the electoral census (census of responsible) of the academic year 2018/2019 with the identification data (name, surname and complete ID card) of the parents and legal guardians of the students on the occasion of the election of the members of the School Council of the Centre, constitutes a processing of personal data by the claimant, in his capacity as the person responsible for such processing.

III
The defendant is accused of committing a breach of the principle of confidentiality set out in Article 5.1.f) of the RGPD, which, under the heading "Principles relating to processing", states that: "1.) "f) processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures (<<integrity and confidentiality>>)" For its part, paragraph 2 of the aforementioned Article 5 of the RGPD establishes that: "2. The data controller shall be responsible for compliance with the provisions of paragraph 1 and shall be able to prove it (<<proactive responsibility>>)", which must be linked to the provisions of Article 32.2 of the same Regulation, which in terms of "Security of the processing", establishes that: "To increase the adequacy of the level of security, particular account shall be taken of the risks presented by the processing of data, especially as a result of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data". Article 5 of the LOPDGDD, in terms of "Data Protection Principles", establishes: "Article 5.
1. Data controllers and processors as well as all persons involved at any stage of the processing shall be subject to the duty of confidentiality referred to in Article 5.1.f) of Regulation (EU) 2016/679.
2. The general obligation indicated in the previous paragraph shall be complementary to the duties of professional secrecy in accordance with the applicable regulations.
3. The obligations established in the previous paragraphs shall be maintained even when the relationship of the data subject with the data controller or processor has ended".

IV
In the present case, from all the evidence available in the proceedings, in particular the documentation provided by the complainant and the representations made by the respondent in the pleadings submitted during the proceedings, it is considered that the display on the window of the exterior façade of the school, instead of on the notice board inside the school, not only of the provisional and definitive lists of students admitted and not admitted for the 2018/2019 school year (names and surnames), but also of the identification data (names, surnames and complete ID cards) of the parents and legal guardians of the students included in the electoral census of the 2018/2019 academic year, as well as the unrestricted and open dissemination on the website of the school of the personal information collected in the aforementioned provisional and definitive lists, constitutes processing of personal data by the respondent, in its capacity as the person responsible for such processing, which violates the principle of confidentiality provided for in Article 5.1.f) of the aforementioned Regulation.
The respondent has justified its conduct by arguing that the publication of the aforementioned final lists of admitted and non-admitted students is legitimate in the fulfilment of a legal obligation applicable to the person responsible for the processing (Article 6.1.c RGPD), since these are competitive procedures, which is specified in the provisions of Article 45.1.b) of the LPACAP and Articles 30 and 31 of the Order of 12 March 2013, which develops the procedure for the admission of students to educational centres supported by public funds that teach the second cycle of infant education, primary education, compulsory secondary education and high school regulated by Organic Law 2/2006, of 3 May, of education (hereinafter, Order of 12 March 2013), in addition to the consent given by the interested parties at the time of submitting applications for admission to the processing and publication of the personal data collected in the processing of this type of procedure, as well as to manage the procedure and inform the interested parties about its processing (Article 6.1.a) of the RGPD).
Article 45.1 of the LPACAP, under the heading "Publication", states: "1. Administrative acts shall be published when so established by the rules governing each procedure or when it is advisable for reasons of public interest as assessed by the competent body.
In any case, administrative acts shall be subject to publication, with the effects of notification, in the following cases:
a) When the act is addressed to an indeterminate number of persons or when the Administration considers that notification made to a single interested party is insufficient to guarantee notification to all, in the latter case being additional to the notification made individually.
b) When the acts are part of a selective procedure or competitive competition of any kind. In this case, the notice of the procedure must indicate the means by which the successive publications will be made, those carried out in different places not being valid".
Articles 30.1 and 31.2 and 3 of the Order of 12 March 2013 establish the following: "Article 30. In view of the applications for admission presented, and once the score resulting from the application of the scale criteria has been determined, if applicable, the centre will publish on its notice board and on its web page the nominal list of all the students admitted and not admitted per course, in order of the total score obtained." (The underlining is from the AEPD.)
"Article 31. Publication of the definitive list of persons admitted and not admitted: 1. (...) 2.
The management of the public centres and the owners of the private centres involved will publish on their notice board and on their web page, before the 15th of May each year, the definitive lists of persons admitted and not admitted, ordered according to the total score, expressly indicating the specific form for contesting them, the competent body and the deadline, in accordance with the following article. (...)" (The underlining is from the AEPD.)
However, at no time during the procedure has the conduct that is the object of the infringement been associated with the violation of the principle of the lawfulness of the processing of personal data used in the publication of the lists of students or of the electoral roll, but rather, since its inception, it has been based on the violation of the principle of confidentiality of the processing set out in Article 5.1.f) of the aforementioned RGPD, materialized in an indiscriminate exhibition of the published personal information (identification data) to non-interested third parties. It is not disputed that the student lists studied should be subject to publication in accordance with the provisions of Article 45.1.b) of the LPACAP. The respondent has published the personal information contained in the lists studied and has exposed the identifying data contained in the electoral roll without respecting the principle of confidentiality that applies to the treatment of such personal information.
Thus, it is proven in the procedure that the respondent has failed to comply with the duty of confidentiality that is required of it, as it has not taken previous technical or organisational measures aimed at guaranteeing an adequate level of security that would prevent the communication of and/or indiscriminate access to this personal information by third parties not interested in the competitive procedure for the admission of students or in the process of electing parent representatives to the School Board.
Thus, the display of the above-mentioned documents through the windows of the school's façade, placed in such a way that the personal data contained therein can be viewed from the outside, contravenes the means of publication determined by Article 31.2 and 3 of the Order of 12 March 2013 for the provisional and definitive lists of pupils admitted and not admitted, where the school's notice board is set up as such, which is the same medium as that appearing in Article 41 of Decree 92/1988, of 28 April, for the publication of the electoral roll list. The publication of said documents with identification data of the interested parties on the windows of the façade of the school centre instead of on the notice board inside the school premises, where they should have been displayed in accordance with the provisions of Article 45.1.b) of the LPACAP and the above-mentioned provisions of the Order of 12 March 2013 and Decree 92/1988, has led to the disclosure of this personal information to third parties unconnected with the processes in question, since it has allowed its display and indiscriminate access by uninterested third parties unconnected with the procedures for the admission of students or the holding of elections to the school board. It should be noted that the personal information collected in these lists was accessible without any kind of restriction to any person passing through the exterior area of the school to which the glass façade led.
For its part, the publication on the website of the school, in open form and without any type of restriction, of the aforementioned provisional and definitive lists of students has meant indiscriminate access to the information of a personal nature contained in these documents, given that access had not been limited to the interested parties who requested to participate in the admission procedures of the students in question, which are the participants in the competitive procedures.
Therefore, the disclosure of personal data to third parties who are not interested in the publication and/or dissemination of the content of the documents under study, mentioned above, in an indiscriminate manner, constitutes a breach of the principle of confidentiality in relation to the processing, having therefore violated Article 5.1.f) of the RGPD. As the data controller, the respondent should have proactively adopted and implemented the appropriate technical and organisational measures to assess and guarantee a level of security appropriate to the probable risks of a different nature and severity associated with the processing of data that may be involved, among others, the principle of confidentiality, establishing for this purpose the security measures necessary to avoid the dissemination of personal data to third parties not interested in the procedures of competitive competition and selection of members of the School Council in whose framework the facts that are the object of the infringement have occurred.
To this effect, it is recalled that Article 24.2 of the RGPD, in line with the provisions of Articles 5.2 and 32.2 transcribed in the preceding Legal Ground, establishes the following with respect to the obligations to be fulfilled by the person responsible for the processing in relation to the "Protection of data from the design and by default": "2.
This obligation shall apply to the amount of personal data collected, to the extent of their processing, to their retention period and to their accessibility. Such measures shall ensure in particular that, by default, personal data are not accessible, without the intervention of the person, to an indeterminate number of natural persons." (Emphasis added by the AEPD)
In view of the above, the argument that the only precaution to be taken in relation to publications by public administrations is that provided for in the seventh additional provision of the LOPDGDD must be rejected, since that provision is limited to determining the manner in which the "Identification of interested parties in notifications by means of advertisements and publications of administrative acts" must be carried out. This matter is not subject to analysis in these proceedings, as has been justified in the Factual Background to this resolution and, in any case, it would not prevent us from analysing the case in question in relation to the breach of the principle of confidentiality set out in Article 5.1.f) RGPD and based on the facts that have been proven.
As regards the argument that, in weighing up the interests involved, the public interest in the effectiveness of notification through publication and in the guarantee of the exercise of the right to defend legitimate interests, either directly or through associations for the protection of collective interests that may appear subsequently, should take precedence over the rights of the persons involved, whose privacy is affected at a minimum level: in addition to reiterating the arguments set out with regard to the applicability of the duty of confidentiality to the case under study, in the case indicated by the respondent, these associations could exercise their right of access to this information with justification of their status as interested parties.

V 
Article 58(2)(b), (d) and (i) of the RGPD, "Powers", provides as follows: "2. Each supervisory authority shall have all the following corrective powers: (...) (b) to impose penalties on any controller or processor who has been found in breach of this Regulation; (...) (d) to order the controller or processor to bring processing operations into conformity with this Regulation, where appropriate, in a particular manner and within a specified time limit;"
For the purposes of determining the penalty that may be attached to the infringement, the following provisions must be taken into account:
Article 83 of the RGPD, under the heading "General conditions for the imposition of administrative fines", provides in paragraph 5.a) that: "5. Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of a maximum of EUR 20 000 000 or, in the case of an undertaking, of a maximum of 4 % of its total annual turnover in the preceding business year, whichever is the greater".
Article 72.1.a) of the LOPDGDD, under the heading "Infractions considered very serious", provides: "1. In accordance with Article 83.5 of Regulation (EU) 2016/679, offences involving a substantial breach of the articles referred to therein are considered very serious and shall be subject to a three-year limitation period, and in particular the following: a) Processing of personal data in breach of the principles and guarantees laid down in Article 5 of Regulation (EU) 2016/679."
Article 83.7 of the RGPD provides that: "Without prejudice to the corrective powers of the supervisory authorities under Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State".
Sections 1.c), 2, 4 and 5 of Article 77 of the LOPDGDD, under the heading "Rules applicable to certain categories of controllers or persons responsible for processing", provide that: "1. (...) 2. When the controllers or agents listed in section 1 commit any of the infringements to which Articles 72 to 74 of this Organic Law refer, the competent data protection authority shall issue a ruling sanctioning the same with a warning. The resolution shall also establish the measures that should be adopted so that the conduct ceases or the effects of the infringement committed are corrected.
The resolution shall be notified to the data controller or person responsible for the processing, the body on which he depends hierarchically, if appropriate, and to the data subjects who are interested parties, if appropriate. The actions taken and the resolutions issued under this article shall be notified to the Ombudsman or, as the case may be, to the autonomous community institutions."
In accordance with the above, the defendant is responsible for the commission of an infringement of the provisions of Article 5.1.f) of the RGPD, typified in Article 83.5.a) of the aforementioned legal text and qualified as very serious for the purposes of the statute of limitations in Article 72.1.a) of the LOPDGDD, and may be sanctioned, in accordance with the provisions of Article 58.2.b) of the RGPD, with a warning.
In this case, the Regional Ministry communicated in its brief of allegations to the agreement of initiation the adoption of the following measures:
a) In future elections to the School Council, the criterion will be adopted that the census lists will only be published on the internal board of the centre;
b) The implementation of the relevant measures so that each time it is necessary to carry out a publication with complete names and NICs, the computer system itself generates the documents in compliance with the provisions of the seventh additional provision of the LOPDGDD and, particularly, the guidelines issued by the AEPD regarding the NIC digits that must be eliminated from the publications.
Subsequently, in the letter of refusal to the proposal of resolution, it indicated that the publications framed in the process of competitive competition will be made, as a proactive measure, in a part of the web page of the educational centres that does not allow indexation by automated search engines.
However, in none of the pleadings presented has the Ministry made reference to the adoption of measures tending to prevent the use of the glass façade of the school to post notices in such a way that the aforementioned provisional and final lists of students admitted and not admitted by year are visible from outside the school. On the contrary, in the allegations to the motion for resolution, the respondent stated that "no legal obligation is identified" for said lists to be published on the school's internal bulletin board since it is a competitive admission process, ignoring that the school's bulletin board is one of the places established by Articles 30.1 and 31.2 and 3 of the Order of March 12, 2013 to publish said lists. Nor has it indicated the establishment of security mechanisms aimed at preventing indiscriminate access by non-interested third parties to the personal information contained in the provisional and definitive lists of students published on the websites of schools. To this end, the respondent should implement a system that would ensure limited and exclusive access to the personal information published on the web pages to the persons interested in these procedures. As a suggestion, a system of access with a key and a password could be enabled that would only allow participants interested in selective or competitive procedures to access the acts published by that means.
Based on the above, it is considered convenient to apply what is established in Article 58.2.d) of the RGPD, ordering the respondent to carry out a series of specific actions to adapt the operations of the type of processing studied to the provisions of Article 5.1.f) of the RGPD that has been violated, applying the necessary technical and organisational measures to guarantee the due adaptation between the principle of confidentiality in the processing of personal data and the publicity of certain administrative acts that contain personal data.
Such measures must be adopted by the respondent within ONE MONTH, calculated from the day following the notification of this resolution, and the respondent must prove that they have been complied with in the same period of time by providing documentation or any other legally valid means to verify their adoption and effective implementation. Therefore, in accordance with the applicable legislation and after evaluating the criteria for the downgrading of the sanctions whose existence has been accredited,

The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE ON THE COUNCIL OF EDUCATION, UNIVERSITY AND PROFESSIONAL TRAINING, with NIF S1511001H, in accordance with the provisions of Article 58.2.b) of the RGPD, a penalty of WARNING for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5.a) of the RGPD.

SECOND: TO ORDER THE COUNCIL OF EDUCATION, UNIVERSITY AND PROFESSIONAL TRAINING, with NIF S1511001H, in accordance with the provisions of Article 58.2.d) of the RGPD, the adoption of appropriate technical and organisational measures to guarantee the principle of confidentiality, which in relation to the School under study will focus on preventing the publication of administrative acts containing personal data on the glass façade, and towards the outside, of the school under study, using the notice board inside the school. In general, these measures will be extended to prevent the information of a personal nature contained in administrative acts that are subject to publication in the means established by the regulations applicable to the alleged case from being visible and/or accessible from the outside of the schools, and mechanisms must also be implemented to guarantee that access to the content of these administrative acts published on the website of the schools will be available to people interested in the selection or public procedures in question. These measures must be adopted, where appropriate, within a period of one month from the day following notification of this decision, and evidence must be provided to show that they have been complied with in the same period.

THIRD: TO NOTIFY this resolution to the COUNCIL OF EDUCATION, UNIVERSITY AND VOCATIONAL TRAINING, with NIF S1511001H.

FOURTH: TO COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of Article 77.5 of the LOPDGDD.
In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties..6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution, or bring contentious-administrative proceedings directly before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.
Finally, it is noted that in accordance with the provisions of Article 90.3 a) of the LPACAP, the final resolution may be suspended in administrative proceedings if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Art. 16.4 of the aforementioned Law 39/2015, of 1 October. It must also send to the Agency the documentation that accredits the effective lodging of the contentious-administrative appeal. If the Agency were not aware of the lodging of the contentious-administrative appeal within the period of two months from the day following the notification of the present resolution, it would terminate the precautionary suspension.