AEPD (Spain) - PS/00068/2021

From GDPRhub
AEPD (Spain) - PS/00068/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: None
Parties: URBAN PLANET
National Case Number/Name: PS/00068/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA issued a reprimand to URBAN PLANET trampoline park for asking customers to provide photos at the entrance to the park with every visit.

English Summary

Facts

A complaint was filed against URBAN PLANET (a trampoline park) for asking a disproportionate amount of data in order to access its premises. Specifically, the user must fill in a registration form with: name and surname, ID number, address, telephone number, e-mail address, date of birth and photograph. URBAN PLANET explained that the identity verification was put in place as a cost effective way to verify the identity of the visitors. The Spanish DPA (AEPD) assessed whether the criteria of data minimisation as per Article 5(1)(c) GDPR was met in the case.

Holding

The AEPD recalled that the necessity test for any limitation of data protection rights should be strict, and processing should be carried out only where strictly necessary. Any data processing operation (such as collection, storage, use, disclosure of data) provided for by law limits the right to the protection of personal data, irrespective of whether such a limitation may be justified or not. The AEPD considered that the purpose underlying the taking of photographs for visitor's access to the park in this case was neither covered by the processing purposes, nor was it necessary or proportionate. The AEPD stated that the photos requested to access the park and to confirm knowledge of the park's rules of use are not adequate, pertinent and relevant data according to these purposes. Therefor, the AEPD held that Article 5(1)(c) GDPR was infringed, and issued a reprimand to URBAN PLANET as per Article 58(2)(b) GDPR.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/16











 File No.: PS / 00068/2021

                  RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the

following

                                    BACKGROUND

FIRST: On 09/10/2019, A.A.A. (hereinafter, the claimant) completed a

claim sheet and at the request of the Consumer Service is transferred to this AEPD,
having entry on 10/23/2019. The reasons on which you base the claim are that for
access the leisure area, with mats, trampolines and trampolines "URBAN
PLANET ”, Vigo, (activity according to the park website located in different towns of
Spain) a disproportionate amount of data, ID and photography are requested.


Along with the claim, it provides:

-Copy of claims sheet dated 09/10/2019 in which TURIA OCIO Y COMERCIO SL
(CIF B 88334222) noted as allegations that the person who enters URBAN PLANET

must be previously registered with the data requested for the security of each
one of the users. “We always offer the possibility that, when leaving our facilities,
tions, all the data provided is deleted ”.

-Screen printing (data platform) of the registration sheet and personal data collection

sonals in which at first glance the ownership of the person in charge is not seen, appearing in two
tados, to mark, one of "I have read and accept the privacy policy, read", and another of "I have
read and accepted the waiver ”. In the collection, the fields with asteris-
following: name and surname, ID, date of birth, address, postal code, city
province, mobile phone, email, password and photo (“use the camera or add a

picture of your face from your device ”). In the upper left, the form bears the literal
"Your data", in the one below "finish registration".

-Ticket of the service, of 09/10/2019, with data from URBAN PLANET, address c Miradoiro, at
the one that appears the same CIF as that of TURIA OCIO Y COMERCIO SL.,

shop.urbanplanetjump.es/online.


SECOND: In view of the facts reported in the claim and the documents
provided by the claimant in accordance with the provisions of Title VII, Chapter I,

Second section, of the Organic Law 3/2018, of 5/12, of Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), the claim is transferred to
TURIA OCIO Y COMERCIO S.L. and URBAN PLANET ENTERTAINMENT SL, both of which are
Accessed submission content on 12/4/2019.


THIRD: On 01/02/2020 TURIA OCIO Y COMERCIO S.L., from the address c / Ra-
Fael Botí 2 of Madrid, states that they have received “two letters attached to the registered office
of URBAN PLANET ENTERTAINMENT SL and TURIA OCIO Y COMERCIO SL but both

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/16








they derive from the same in reference number and for the same facts ”.

In the answer that is given, it carries the literal URBAN PLANET ENTERTAINTMENT SL, and below

the web address www.urbanplanet.es, responds the legal representative of URBAN PLANET
ENTERTAINMENT SL, with a CIF different from that of TURIA OCIO, and head office calle Rafael
Boti, 2 de Madrid, “and its branch TURIA OCIO Y COMERCIO SL whose administrative headquarters
It is located in the Gran Vía de Vigo shopping center, floor two, local 226, Rúa Miradoiro 2
of Vigo ”. Indicates that URBAN PLANET ENTERTAINMENT is responsible for the treatment
(hereinafter the claimed).


It provides in electronic format, together with the answer hash, four more so-called documents
ment 1 to 4 to which he refers in his explanations. Manifests:

1) Regarding the decision made regarding the claim, the main one has been acted upon.

lize the registration processes at its different parks to homogenize and centralize the
training that is provided to the user “so that it is accessible in various ways. "

There is a "previous step" to access the facilities of the company in which the user has
to register as shown in DOCUMENT 1 that provides, registration form, which
It must be completed with: name and surname DNI address telephone email fe-

birth certificate and photograph. It coincides with the one provided by the claimant as a "sheet of
registration ", at the top left is" Your data. Are you already registered? It has to
also mark the privacy policy section. “The data contained in the question
nary are described in the privacy policy, being a necessary condition to know and have
read the privacy policy. "



2) Regarding the causes that have motivated the incident that originates the claim, they state
"We do not consider the amount of data excessive", since the purpose is to identify with
accuracy to who accesses the leisure centers. Identity verification is to avoid

possible cases of impersonation, being the collection of the ideal image to achieve the
objective and identify them, and it is not very onerous.

Also, as a facilitating means of defense of the user against others and against the claimed,
as a way of accrediting the physical state in which the users are within the
belt or in the event that someone who is injured outside the facilities, comes to the

nally to the park to allege that the injury was produced within the facilities,
proceeds to a PRIOR REGISTRATION OF THE USER. Provides document 2 containing a
registration with "Clients-Client Administration" that collects the data of name and surname.
two, in this case of the claimant, the e-mail, the date of the visit to the leisure center and the name
mination or name of this center.


He adds that in practice it is an optional requirement because “in the parks” if the user manifests
party your disagreement with the taking of the photo, the registration ends up being carried out the same with the
taking the photo in another direction, or with the taking of a photo in which the user actually
It is not portrayed as was the case of the claimant.


3) On the measures adopted to prevent similar incidents from occurring on dates
implementation and controls carried out to verify its effectiveness, manifest in application
tion of the principle contained in article 5 of the RGPD, in order to “rectify the damages

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/16








that are inaccurate with respect to the purposes for which they are treated ", and" taking a
proactive liability policy ”“ have modified the treatment activity to which they go
affected the data collected, which was previously called “acceptance of standards for accessing

so to parks and use of facilities ”(provides copy of document 4) and that is now being separated
in various treatment activities (provides a copy of document 3).

In document 4, previous situation, provides a document of “explicit consent for the
data processing ”in which there are spaces to sign and complete the sections: name
Name and surname, NIF, address, telephone. "The interested party authorizes the collection of information

of personal data of the following processing activities: registration for ac-
cease to parks and use of facilities and whose location is in ww.urbanplane-
tjump.es ". The purpose of collecting and processing the information "is to record data
for access to the enjoyment of the parks, online sales, acceptance of rules of use and acceptance
video recordings for security purposes in the facilities. Communications ad-

ministerial through WhatsApp, SMS and email. "The typology of the data of the
interested party that will be treated by the person in charge are name and surname, NIF, DNI, NIE, te-
phone number, address, voice image, email, password, passport number, age ”.

In document 3, it provides the informative clauses that respond to different activities of
treatment, being in all of them the person in charge of the treatment the claimed one, and its base of

legitimation of consent. Is about:

- Treatment activity of “acceptance of use of facilities whose location is located
tran urbanplanetjump.es ”,“ the purpose of collecting and processing information from the inte-
resado is to inform the correct use of the facilities and video recording for the purposes

security ”, collecting“ name and surname, signature ”.

- "Registration for access to parks" whose location is at "urbanplanetjump.es",
The purpose of the collection and treatment being that of the “data record for access to the dis-
fruit of the parks, photo registration for user identification, video recording to

security effects in the facilities ”, indicating that the data collected is named
Name and surname NIF, DNI, address, voice image, email, password, number of
passport, age.

- "online sale on the website" being the purpose of the collection and treatment of "management
of online ticket sales ”. The type of data of the interested party that will be processed are

Names and surnames, NIF, DNI, telephone numbers, address, email, date of birth.

- "sending newsletter", for the purpose of advertising and commercial prospecting, in the case of-
Name and surname, NIF, DNI, NIE, telephone numbers, address, email.


FOURTH: On 03/30/2020 the claim is admitted for processing.


FIFTH: On 03/24/2021 the director of the AEPD agreed:


"INITIATE SANCTIONING PROCEDURE to URBAN PLANET ENTERTAINMENT S.L.,
with NIF B-87223822, for the alleged violation of article 5.1.c) of the RGPD, of
in accordance with article 83.5.a) of the RGPD and 72.1.a) of the LOPDGDD.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/16








       "For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, on the Procedure
Common Administrative Procedure of Public Administrations, the sanction that may correspond to
ponder would be a warning. "


       Notified the agreement, no allegations are received.

SIXTH: On 10/7/2021 an access procedure to the website of the claimed person is carried out and the
me the data protection and privacy policy.



SEVENTH: On 10/8/2021 a test practice period begins, incorporating the
of proceedings prior to the initiation agreement, and the diligence of 10/7/2021 of acce-
or to the claimed website, legal notice, privacy policy and personal data.
In addition, it was decided to request the claimed:


1. Copy of the register of treatment activities updated, since May 2018, explaining-
do if there have been variations, dates and explanation of the reasons.


On 10/28/2021 a response was received, providing document 1 the registration of activities.
des of treatment.

With relevance for access, the list of activities created in 2018 are:

- CONTACTS VIA WEB

-VIDEO SURVEILLANCE

-ACCEPTANCE OF RULES FOR ACCESS TO PARKS AND USE OF FACILITIES.

The “treatment activity, acceptance of standards for access to parks and use of facilities
tions was a very extensive purpose and was separated in the modifications
of 2019. The list of activities created or modified in the year 2019-2020 are:

- ACCEPTANCE OF USE OF FACILITIES-discharge 12/30/2019

- REGISTRATION FOR PARKS ACCESS

- ONLINE SALE ON THE WEBSITE-discharge 12/27/2019

2. Reason why on its website, in legal notice, data protection and privacy policy
valence, there is no mention of the processing activity of: "Registration for access to par-
which "purpose" data record for access to the enjoyment of the parks, photo record -

trust for user identification, video recording for security purposes in the facilities
nes ”indicating that the data collected are name and surname NIF, DNI, address,
image voice, email, password, passport number, age.

It states that it is currently in the process of updating and depends on the parks to

carried out in one way or another, puts the examples of Alicante in which when making the purchase on
line, is when the data has to be provided. Selecting the center and the number of
entries and time leads to another screen that indicates, according to the copy provided, “Complete the following
following fields to finalize your purchase ”“ Your data, are you already registered ?: e-mail, name
and surnames, mobile phone: There is NO section referring to a photo. There is an almost-
The “I have read and accepted the privacy policy” ”that if clicked leads to the information

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/16








of said treatment, seeing the information sheet to be accepted, and at the end a
box with "I accept", containing the statement: "duty to inform about the treatment, about" the
relation of registration treatment activities for access to parks ”, stating that“ it is

records the photograph for user identification, Video recording for security purposes
in the facilities ", and also · telephone, address, email, NIF," The legal basis
ca of the treatment, the unequivocal consent.

He adds that in the Las Rozas park “the privacy policy notice refers to the legal notice
gal and "the acceptance of the use of rules is made either through the computer or in the park at

through a QR code. "

3. Reason why in relation to your website, in legal notice, data protection and policy
ca of privacy, treatment activity of - “registration for access to parks and use of ins-
talaciones ", in their allegations they state that they will collect name and surname, signature and on the web

figure being collected image.

The treatment of "registration for access to parks and use of facilities" is the product of the
breakdown of treatment activities produced in 2019 2020. Now it is about "registration
for access to parks ”, and in the“ acceptance of use of the facilities ”. In both
it is known that the image is collected. Also before breaking down the image was collected.


4. Please detail when and by what means the data collection for the treatment occurs.
statement of the "acceptance of use of facilities", which documents or instructions are given
to inform users, and because it is necessary to treat as stated on the web: Name and
surnames; Image; Firm; Connection metadata; mobile phone.


He states that “the image is not currently being collected. "Currently the
data through the computer, if it is done from home or in centers that have codes
go QR to do it through the customers' phones and that lead to a referral URL.
register. For this reason, the name and surname are included in the metadata of connection, mobile phone,

necessary data to know who is the person who enters the center, who reserves a
birthday, who to turn to if you need their help etc. " "Previously they requested
through some tablets that were available at the reception desk "" In the centers
there are also posters where the rules of use are indicated ”.

5. In what distinguishes the treatment of "previous registration of clients to access facilities.

tions ", of the treatment that appears on its website of" acceptance of use of facilities ", and if
this already existed when the events took place. In his allegations to the transfer of the claim
tion do not indicate the name of "acceptance of use of facilities".

The treatment activity "registration for access to parks" "is aimed at registering the

interested to know who is the person who enters the center, who reserves a birthday
years etc., and it is a prerequisite before accessing the facilities and to avoid
Undue claims, it is punctual every time you enter a park. "

The treatment activity called "acceptance of use of facilities", supposes the

acceptance of the rules of use and once done is valid for all parks.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/16








“These two activities were created as a result of our reply to the allegations.
December 30, 2019 as a proactive responsibility measure but has always
there has been a mandatory register where the use of the facilities was accepted. "


6. Regarding the document that, at the time of the events, was used for the “re
registration for access to parks and use of facilities, document 1 that you provided,
In whose upper left header it appears with: "Your data, are you already registered?" point out
the ways to fill it in: before going to the premises, on the web or at the premises, and how it is obtained
I had the photograph that was requested, and if it is still requested.


Also, if that record is the one that refers to or coincides with that of the "acceptance of use of
facilities ”, where did the general conditions of use of facilities appear or how
The conditions of use of the facilities were considered accepted since in no document
ment, 1 or 2 that contributed in the transfer of the claim, it is pointed out that this is

cificidad ?, referring only to the section of the privacy policy.

It states that “the document could be completed through the web or locally through
through a Tablet.

The photograph was taken on the premises through the tablet that was used for registration. Ac-

Photography is not usually required. In the same registry, in addition to appearing the policy
of privacy appear the norms of use. In addition, in the center there are signs where
The rules of use are also indicated ”.

7. Why do you need to register personal data to accept the use of facilities? Yes

Wouldn't it be enough to read and mark them at the time of completing
registration for access? What relationship does this purpose have with the assignment to assurance entities?
guradoras and because it appears as an assignment in both treatment activities.

"Personal data is requested to accept the use of facilities since once accepted-

you give the rules allow you to access any park ”.

“Regarding the activities, registration for access to parks is carried out every time you go to
a park since it is necessary to know who is the person who enters the center, who
Book a birthday or other event to whom to go if you need their help if for
example is a parent who has registered is helpful to be able to locate him in case of

be necessary.

As for the recipients, there are insurance entities since it is the insurance that is
in charge of reviewing and analyzing the causes of a possible accident and determining the possible culprit.
to detect any broken material or incidence in the facilities and it has been included as a

recipients in the most activities ”.

8. Although nothing was requested in the procedure regarding the taking of images by video surveillance-
of the people captured when they access the facilities, they are requested to detail the
purpose of collecting the images, how long the images are kept, and if they are used

zed for accident claim cases. Number of cases they have had.

He states that “the video surveillance system focuses on the playground and is used to recognize
ger accident information. The images are kept for a period of 10 days. His

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/16








The purpose is contained in the treatment activity called "registration for access to
parks ”where, among other things, video recording for security purposes in the facilities
nes.

They indicate that they keep a control of each case, but not a total sum of cases.
9. If the request for the image, photograph, the collection of "DNI", "address" and
of the “electronic mail” for the treatment of document 1, since in this informative literal
vo obtained on 10/7/2021 does not appear on the web in privacy policy and personal data the
“customer registration for access” activity, and why is photography still required?
If there is video surveillance from the moment it is accessed.?


He states that currently photography is not required of those interested. At first by
insurance recommendation was requested, but later it was decided not to collect that
fact.


10. If when accessing the leisure center, with the tickets purchased on the web, the
sitting of the DNI upon entering.

It indicates that “the DNI number is requested to verify the previous registration made by the
user once they enter the park ”.


11. Regarding the collection of data such as user registration, document 1, which indicates
It is also necessary to collect the image, photography to ensure safety
of the user and the rest to guarantee that people “enter the park and initiate the activi-
fullness of physical capabilities ”” no one can claim that another entered the venue with
injuries acquired with the aim of avoiding possible liabilities that arise

of a negligent use of the facilities against other users and against the claimed ”, is
say questions of liability for accidents, injuries etc., however they do not report
of said purpose, detailing if so, the need and the reasons.

After receiving the transfer of the claim, in their allegations they specified that the activity of

treatment called then "acceptance of rules for access to parks and use of
facilities ”was broken down into four other treatment activities. In the new "regis-
tro for access to parks ", was included" as a purpose, among others: "registration of photography
for user identification ”. In the activity called “acceptance of use of facilities
tions ”, the purpose is:“ To inform about the correct use of the facilities and of the
deo-recording for security purposes ”.


"It is reported through the document of use of mandatory standards for all customers, of
Mandatory signature when you first enter a center and where it indicates the exemption of
responsibility in case of non-compliance with the rules ”.


12. How are those affected informed about issues related to accidents?
or injuries produced in the development of the activity, exemptions from liability,
exemption sas etc.


"It is reported through the document of use of mandatory standards for all customers, of
Mandatory signature when you first enter a center and where it indicates the exemption of
responsibility in case of breach of the norm "


EIGHTH: On 11/11/2021 a resolution proposal is issued, from the literal:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/16









"That URBAN be sanctioned by the Director of the Spanish Data Protection Agency
PLANET ENTERTAINMENT S.L., with NIF B87223822, for a violation of article 5.1.c)

of the RGPD, with warning. "


Faced with the same allegations.

Of the actions carried out in the present procedure and of the documentation obtained

in the file, the following have been accredited:

                                    PROVEN FACTS



1) The defendant is dedicated to offering in leisure parks in Spain activities with
mats, trampolines and trampolines, with various locations. At the time
if the events occurred, 09/10/2019, the defendant had an activity of trafficking in
called “registry for access to parks and use of facilities, whose purpose
consisted as:


“Data registration for access to the enjoyment of the parks, online sales, acceptance of norms
more use and acceptance of video recordings for the security of the facilities.
Administrative communications through whatsapp, sms and email ”.

In document 1 of the collection of said type of data provided by the claimant, it appeared in the

upper left header: "Your data, are you already registered?" that could be completed
by the user "through the web or on the premises through a Tablet". It was essential
fill in the registration before accessing the activity, the facilities. The data that had
to be completed as mandatory, marked with an asterisk were those of: name and surname
two DNI address, telephone, email, date of birth and photograph. The photograph

fía was taken on the premises through the tablet that was used for registration. In the same re
I also registered the privacy policy and the rules of use. In the center
There are posters where the rules of use are also indicated.



However, the records of treatment activity, stated the claimed in the transfer
of the claim, that the purpose of collecting the user's photo was their identification
unequivocal when accessing, in order to avoid impersonations, in case of injuries in the activity
(correlation of name and data taken, plus the photo, contributes to the precision in case of inci-

tooth or injury) as well as “facility safety”.
The complainant adds that, in practice, the requirement of the photo was optional and that when the

user expressed his disagreement, it was not implemented, “as was the case of the claim
mante ", who" decided to put his hand in front of the camera in the process ", and was not prevented
the access. There is no image of it in their files.


2) After the transfer of the claim, on 01/02/2020, the defendant specifies that the activity of
treatment called until then: "acceptance of rules for access to parks and

use of facilities ”begins to be differentiated and broken down, in terms of data necessary to
access to carry out the activity, in:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/16









- "registration for access to parks", they are collected each time a park is accessed
to do an activity. The data indicated are collected are: Nif / DNI. / Nie; Telephone;

Direction; Image, photography / voice; Email; Password; Passport number; Age.
The photograph for "user identification", purpose "for access to the enjoyment of the par-
ques, "registration of photography for user identification." In some parks like the one in
Alicante, the data is completed when the tickets are purchased on the web, although it has the
option that asks if you are already registered. It contains the data to be filled in, among which
photography is not mentioned. In the same purchase leads to "I have read the privacy policy",

that by clicking the information of this treatment activity is read where it is indicated again
that "the photograph is registered to identify the user."

The defendant indicated after the initiation agreement that the photo is no longer required.


Faced with the statement of the complainant that “Regarding registration activities to access
so to parks is done every time you go to a park since it is necessary to know
who is the person who enters the center, who reserves a birthday or other event to
who to turn to if you need their help if, for example, it is a parent who has registered
traced is helpful to be able to locate you if necessary. ”, it is observed, however,
you, that when buying tickets on the web, with a reservation of day and time, there are data to be fulfilled.

mention that at no time is it inferred that it is the person or subject who is going to participate
in the activity, or he has to be the one who participates in it. If you buy multiple tickets
It is also not clear the identification of the subject who is going to use the tickets.

- "Acceptance of use of facilities", the purpose is: "To inform of the correct use

of the facilities and of the video recording for security purposes ”. Assumes acceptance
of the rules of use and once carried out is valid for all parks. After the agreement
Initially, the defendant stated that the image is not being collected for this treatment.
gen.


The rules for the use of facilities were included in the privacy policy, and it could be
cir at the same moment in which the installation was accessed, together with the collection of the
tro for access to parks "


3) In addition, the defendant has a video surveillance system inside his facilities.
lance that focuses on the playground and is used to collect information on accidents.
The images are kept for a period of 10 days. Its purpose is included in the activi-

treatment entity called "registry for access to parks" where it consists, among others,
"Video recording for security purposes at the facilities."


They indicate that “they keep a control of each in case of accident claim in case
from which responsibility is derived in the development of the activity. "

4) The defendant indicated after the initiation agreement that the photo that was required before each time

access to a park, part of the treatment "registration for access to parks"
it is no longer required. At first, it was collected on the recommendation of the insurance.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/16








5) Asked the claimed if when accessing the leisure center, with the tickets purchased at the
web, the presentation of the DNI was requested, indicated in evidence that “the number of the

DNI to verify the previous registration made by the user once they enter the park ”.


6) The defendant informs clients about matters related to accidents or injuries.
tions produced in the development of the activity, exemptions from liability, causes of
exemption etc. Through the document of rules of use, "mandatory for all customers",
mandatory signature when accessing “for the first time to a center and where it indicates the exemption
ration of responsibility in case of breach of the norm "" In the centers, there are also

posters indicating the rules of use ”. Information on mandatory use rules
that occurs in the posters may be related to the treatment activity called
"Acceptance of use of facilities", which implies acceptance of the rules of use and a
Once carried out, it is valid for all parks, although data was collected for this, between
them the picture.



                                FOUNDATIONS OF LAW

                                                  I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of

control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the
Spanish Data Protection Agency is competent to resolve this procedure.


                                                 II


The defendant is accused of violating article 5.1.c) of the RGPD, which provides:

"The personal data will be:


b) adequate, relevant and limited to what is necessary in relation to the purposes for which
are processed ("data minimization");

The "Practical guide to risk analysis in the processing of personal data subject to the
RGPD ”published by the AEPD in its section 3,“ Data Protection from the design and

risk management what should be the route to follow? Section: "definition and design of activities
des of treatment ”, reproduces, on the treatment activity:















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/16








“Defining a treatment activity is a fundamental step that requires having
clear what are the purposes of the processing of personal data. It corresponds to each
organization, in accordance with the principle of proactive responsibility (accountability), decide the

level of aggregation or segregation to prepare the record of treatment activities and
must assess to what extent that aggregation or segregation corresponds to purposes,
legal bases and different groups of individuals. Likewise, it is necessary to weigh, as
did before when defining files, the optimization of the management of the
data protection within your organization so that it is useful, agile, effective and
allows to achieve the objectives that the legislation seeks: that the individuals whose data are

object of treatment may have, where appropriate, an effective knowledge of the
treatments that the organization performs on them.

Once all those activities have been incorporated into the entity's treatment registry
that correspond to the work or functions that it performs on the character data

staff of the groups of people he manages, he should pay attention to the new
obligations that the RGPD describes about the person responsible for the treatment and the person in charge of
treatment. Do these new obligations entail the generation of new business activities?
treatment that should be described and incorporated into the activity register? The GDPR
establishes in article 5 the following principles regarding data processing
personal you need to consider


Data minimization: Data must be adequate, relevant and limited to what
necessary in relation to the purposes for which they are processed.

Additionally, article 5 of the RPGD establishes that the person responsible for the treatment must

ensure compliance with the principles relating to treatment, as well as the figure
responsible for proving it. Therefore, it is essential to adequately define the
treatment activities and document the analyzes carried out, as well as leave traceability
of the same and the conclusions that support them in order to guarantee the
proactive responsibility. "


Regarding the principle of the need to process personal data, it should be said that
Any data processing implies per se and from the start, the restriction of the right
fundamental, when the collection and disposal of the same by the
responsible who will operate with them. According to jurisprudence, due to the affectation that the
processing of personal data involves a series of fundamental rights, the

limitation of the fundamental right to the protection of personal data should be the
strictly necessary. This implies that if the achievement of the intended purposes can
carried out without processing of personal data, this route will be preferable and will assume that it is not
necessary to carry out any data processing, which will mean that such right, with
the limitations that it entails, it would not be at stake, as there is no data. The collection,

storage and use constitutes per se a limitation of the right to data protection
which must comply with the regulations. This therefore requires first of all analyzing and ensuring
that the data collection is necessary for the established or intended purpose and that it is
proportional.







C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/16








This need must be justified in the compliance documentation that the
responsible must dispose of in accordance with article 5.2. of the GDPR. The need must

determine whether personal data is processed on the basis of objective evidence, according to the
purposes has to determine, if such personal data is unavoidably required or if the purpose
can be fulfilled without processing that personal data. Also that the
request for the data that you already have.


The achievement of the legitimate objective pursued does not offer more advantages if data is used
personal data that if not used, and the data processing implies risks with the
themselves, and ultimately an unjustified intrusion compared to the other option. The
proof of the need for treatment for any limitation of the exercise of rights to
Protection of personal data must be strict, and they must be treated only in the

strictly necessary cases, since in principle, any data processing operation
data (such as the collection, storage, use, disclosure of data) established by
the legislation limits the right to the protection of personal data, regardless of
that such limitation may be justified.


On the one hand, the record of treatment activity expressly includes the collection of the
image, photograph, for two different treatment operations, although connected. A,
materializes on each occasion that each leisure park is visited, trying to verify
with the photo and the data that are given, your identity, to avoid requests for damages by
people who pose as them, (although it does not explain the degree of importance or

evidence of the alleged incidence that motivates this type of collection to be essential). From
In fact, this detail explained by the claimed does not appear in the purpose of the treatment.
Another taking or collection of the photo would be or assume that it is only provided on one occasion and
Its purpose is to know the rules of use of the facilities. Both connected
because it is intended to identify the person who accesses. When the ticket (s) is acquired

On the web you have to fill in "I have read the privacy policy", which by clicking. read the
information of that treatment activity where it is indicated that "the photograph is registered
to identify the user ”, without adding that it would be when accessing when asked, should
correspond the information that is given with the moment and act in which it is going to be developed,
and the affected subject, also considering that the person who acquires the tickets can

not be the end user of the activity, and that no reference to data from
fathers.




















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/16









On the other hand, since the transfer of the claim, it is recognized that even if the taking
of photography, in fact in many cases it is not collected.


Finally, after the initial agreement, it was decided not to use the photo.

All this, in addition, having the taking of images that is done with the camera
Indoor video surveillance, destined, during the recording period, to the games area, to the
eventual events related to incidents that may imply responsibility in the

installation use.

The collection of the image of the people who accessed the parks on each occasion, to
Through photography, which was also stored, it was done mainly by the
issue of damage claims and insurance, only then does the idea of avoiding

impersonations or identify who really intends to access, for assurance of
eventual accidents in order to avoid possible impersonations, as can be deduced.

This seems relevant, in terms of the relationship with the intended purpose, and that it is not
made explicit specifically in the activity register, since the control of the identity of
The person would be credited with the data given and, where appropriate, the display of the DNI, not the

mere repetition of the number, and the taking of the photo is not appropriate, also including the
interior recording of images.

When the same end can be achieved with other means or with those already available,
it does not seem necessary to accumulate more data. Limited to what is necessary, the

taking the photo for insurance reasons or proof of what happened, since it has been
identified before the accessing identity bearer or can be identified, and there are
already enough data that is considered adequate and is already relevant to identify the
person who agrees.


The adequacy, relevance and limitation of the data is related as indicated,
with the purpose that according to the RGPD article 5.1.b) indicates, that they must be “
collected for specific, explicit and legitimate purposes ”.

Thus, for example, the treatment of acceptance of use of facilities: "with the purpose of
report the correct use of the facilities and video recording for security purposes.

Being the type of data collected: Name and surname; Image; Firm. "Being a mere
information, one might wonder if a specific treatment has to be carried out for this,
differentiated or if data are to be used for it. It could consist of a box mark
in the same section that is contained in the access record.


On the other hand, video recording has an information system with an informational poster in the
establishment and its purpose and basis of legitimation is not similar to that of access control
or acceptance of mandatory standards.








C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/16








Regarding the treatment of the registry for access to parks; for the purpose of registering
data for access to the enjoyment of the parks, registration of photography for identification of the
Username. Being the type of data collected: Name and surname; Nif / DNI. / Nie;

Phones; Direction; Image / voice; Email; Password; Passport number; Age.
The access relationship is not specified, enjoy the park with the need to provide
the rest of the data, being too brief and generic in terms of the explicit purpose
and the purpose of the treatment cannot be classified as a specific purpose.
Obviously the non-collection of the photo must be contained in the record of activities of
treatment so that it is updated, with the assessment of the reason documented in its

case leading to such a conclusion. The covert purpose behind the making of
photographs for access are not contemplated in the purpose of the treatments, nor is it
necessary or proportional.

It is accredited that the implementation of the need to provide photos at the entrances to the

park, each time they are visited and accessed, and the taking of photos to prove
the knowledge of the rules of use is not adequate, pertinent and relevant data in
this assumption, proving the infringement related to the processing of data in the
cited context.

                                                III



Article 83.5.a) of the RGPD refers to said infringement, which indicates:

"Violations of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of
a company, of an amount equivalent to a maximum of 4% of the total turnover
annual global of the previous financial year, opting for the highest amount:

   a) the basic principles for the treatment, including the conditions for consent-

under the terms of articles 5, 6, 7 and 9; "


Article 58.2 b) of the RGPD provides the possibility of sanctioning with warning, in
in relation to what is stated in Considering 148:


"In the event of a minor offense, or if the fine that is likely to be imposed constitutes a
disproportionate burden for a natural person, instead of a fine can be
impose a warning. However, special attention must be paid to nature,
severity and duration of the offense, to its intentional nature, to the measures taken to
mitigate the damages suffered, to the degree of responsibility or any infraction

relevant above, to the way in which the supervisory authority has had knowledge of the
infringement, to the fulfillment of measures ordered against the person in charge or in charge, to the
adherence to codes of conduct and any other aggravating or mitigating circumstance. "

In this case, considering the context in which the data is collected, a

leisure activity, the absence of damages to the claimant, and that it has been chosen not to
request or collect said photo, the penalty of warning, as stated
agreed in the start-up agreement.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/16








For the purposes of calculating the prescription, the LOPDGDD states in its article 72:

  "one. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose a

substantial violation of the articles mentioned therein and, in particular, the following:

  a) The processing of personal data violating the principles and guarantees established
in Article 5 of Regulation (EU) 2016/679. "



Therefore, in accordance with the applicable legislation and the graduation criteria assessed
of the sanctions whose existence has been proven,


the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: DIRECT URBAN PLANET ENTERTAINMENT S.L., with NIF B87223822, by
an infringement of article 5.1.c) of the RGPD, in accordance with article 83.5 a) of the
RGPD, and for the purposes of prescription, of article 72.1.a) of the LOPDGDD, a sanction of

warning, in accordance with article 58.2.b) of the RGPD.

SECOND: NOTIFY this resolution to URBAN PLANET ENTERTAINMENT
S.L ..

THIRD: In accordance with the provisions of article 50 of the LOPDGDD, the

This Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the Director of

the Spanish Agency for Data Protection within a month from the day
following notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court, with
in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision
of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,

within two months from the day following notification of this act,
as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may
provisionally suspend the final administrative resolution if the interested party manifests
his intention to file a contentious-administrative appeal. If this is the case, the

The interested party must formally communicate this fact by writing to the Agency
Spanish Data Protection, presenting it through the Electronic Registry of the
Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the
remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1.
You must also send the Agency the documentation that proves the filing

effective contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the
following the notification of this resolution, it would terminate the suspension
precautionary.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/16













                                                                                                        938-26102021

Mar Spain Martí
Director of the Spanish Agency for Data Protection







































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es