AEPD (Spain) - PS/00347/2020

From GDPRhub
AEPD (Spain) - PS/00347/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 11.05.2021
Fine: None
Parties: AYUNTAMIENTO DE EL ESCORIAL
National Case Number/Name: PS/00347/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA warned a City Council for infringing the integrity and confidentiality principle by publishing personal data related to a public grant procedure.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD) against a City Council, alleging that they had published a document with data related a public grant, that included their own personal data.

The Council alleged that they were, following their bylaw, obliged to publish such data so the rest of the participants in the grant procedure were able to contrast the data. However, they declared that they were willing to change the bylaw if the AEPD determined that such processing was unlawful.

Holding

The AEPD concluded that, even if it was justified by the nature of the proceeding and related procedural issues, and by the Transparency Act, to publish data related to the grants, it should be done following the data protection principles. Therefore, the minimization principle applied, so data such as the personal ID should not be published, as it does not add any necessary information to the grant procedure.

Additionally, the data should not have been accessible to all the workers and parties with access to the platform, but only to the ones that were involved and needed to access the data.

The DPA took into account the will of the Council to change their bylaw if necessary, and the lack of bad faith.

Therefore, the AEPD concluded that the Council had violated Article 5(1)(f) for breaching the confidentiality principle, and issued a warning against it.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                  1/9








     Procedure Nº: PS / 00347/2020

                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:

                                   BACKGROUND


FIRST: D. A.A.A. (hereinafter, the claimant), dated 02/14/2020, filed
claim before the Spanish Agency for Data Protection. The claim is
directed against the CITY COUNCIL OF EL ESCORIAL with NIF P2805400E (hereinafter,
the claimed). The reasons on which the claim is based are: the claimant, worker
of the City Council, states that by publishing the list of granting aid from

social action violates data protection regulations; points out that in the list
the amount assigned to each worker in relation to the requested aid is stated; according
the claimant the list of aid has been sent to all workers of the
consistory.


Provides printing of the published list.

SECOND: Upon receipt of the claim, the Subdirectorate General of Inspec-
tion of Data proceeded to carry out the following actions:


On 06/03/2020, the claim submitted for analysis was transferred to the defendant
and communication to the claimant of the decision adopted in this regard. Likewise, he is
required so that within one month it sent certain information to the Agency
tion:

- Copy of the communications, of the adopted decision that has been sent to the complainant

maintain regarding the transfer of this claim, and accreditation that the claim-
you have received the communication of that decision.
- Report on the causes that have motivated the incident that has originated the claim.
mation.
- Report on the measures adopted to prevent similar incidents from occurring.

lares.
- Any other that you consider relevant.

On 09/11/2020, the defendant sent a letter stating, in summary: that the
The claim refers to the internal remission of provisional and definitive resolutions.

of aid granted to municipal employees within the framework of the ac-
municipal social organization and that said resolutions only contain the name, surname and
amounts assigned to each worker and requirement of corrections in the contribution
documentation.

That it is necessary for the worker to know both data, otherwise it may be

It would make sense to open a public information process and for the worker to know
the specific allocation of amounts that would allow you to exercise your right to claim
or correct the necessary documentation. In this sense, it should be noted that the Law
19/2013, of December 9, on transparency, access to public information and good

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/9








government, imposed mandatory advertising of all grants and other aid
public. The notification of the resolutions does not allow to know any personal data
protected or that violates the necessary confidentiality.


That the granting and processing of the aid is carried out in accordance with the regulations in force
You are approved by the social representation of which the claimant is part. This re-
Regulation expressly establishes that the grants will be processed and studied by a
commission made up of members representing the social part and company. The
secretary in charge of the formalization of documents and publication of the grants

falls on the social part.

That it is not the City Council or the Delegated Department of Personnel and Human Resources
the person in charge of the processing and resolution of these aids and therefore cannot
to be responsible for the actions of this collegiate body.


However, if this publication of names and assigned amounts were to be considered
das could violate any precept of the data protection law, through the
Presidency will propose to this body the modification of its management regulations
so that in the future the secretary of this body may carry out the individual notification
dualized to each worker of the assigned amount.


THIRD: On 09/30/2020, in accordance with article 65 of the LOPDGDD, the Di-
rector of the Spanish Agency for Data Protection agreed to admit to processing the re
claim filed by the claimant against the defendant.


FOURTH: On 11/16/2019, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure for the one claimed for the alleged infringement
tion of article 5.1.f) of the RGPD, contemplated in article 83.5.a) of the aforementioned Regulation-
ment.



FIFTH: Once the initiation agreement was notified, the complainant, on 11/27/2020, presented
brief of allegations stating that the process of granting aid is not of
competitive competition, in accordance with the municipal regulations on the matter;
that at no time was the information made public on freely accessible web pages
by third parties; that said communication was made in order to comply with the specifications

do in article 8.1.c) of Law 19/2013; that the modification of the regulation will be proposed.
management process so that individualized notification is carried out for each job.
jador of the assigned amount.

SIXTH: On 12/14/2020, a test practice period began, according to the
taking the following

       - To consider reproduced for evidentiary purposes the claim filed by the
       claimant and its documentation, the documents obtained and generated by the
       Inspection services that are part of file E / 10062/2019.

       - To consider reproduced for evidentiary purposes, the allegations to the initial agreement
       cio submitted by the claimed


SEVENTH: On March 31, 2021, a resolution proposal was formulated,
stating that the Director of the Spanish Agency for Data Protection sanctions
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/9








cite the CITY COUNCIL OF EL ESCORIAL, for an infraction of Article 5.1.f) of the
RGPD, typified in Article 83.5 of the RGPD, with a warning sanction.


                                 PROVEN FACTS


FIRST: On 12/03/2018 you have entry into the Spanish Agency for the Protection of Da-
written by the claimant, President of the Works Council, stating that des-

In 2016, the list with the list of aid from the denomination has been published.
do Social Action Fund granted by the City Council containing the name and
surnames of the workers who have applied for help, the amount they will receive from the
Social Action Fund and providing information on whether the aid corresponds to gas-
to dentistry, orthodontics, orthopedics, etc.



SECOND: Screen printing is provided in excellent format of the List of
grants awarded.



THIRD: The complained party in writing dated 09/25/2020 has indicated that: ”the
The granting and processing of the aid is carried out in accordance with current and approved regulations.
by the social representation of which the claimant is a part.

This regulation expressly establishes that the aid will be processed and studied
by a commission made up of members representing the social and entrepreneurial part
sa. The secretary in charge of the formalization of documents and publication of the

aid falls on the social part ”.


FOURTH: The respondent in writing dated 11/26/2020 states that: “However, and if
consider that this publication of names and assigned amounts could violate
any precept of the data protection law, through the presidency it is proposed

will give this body the modification of its management regulations so that in the future the
secretary of this body carry out the individualized notification to each worker
of the assigned amount ”.



FIFTH: The Joint Regulation of the Social Action Commission of the
Official and Labor Personnel of the City Council of El Escorial and its Autonomous Body
nomo.



                            FOUNDATIONS OF LAW
                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in articles 47 and 48 of the LOPDGDD, the Director

of the Spanish Data Protection Agency is competent to initiate and to re-
solve this procedure.


                                            II
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/9









The denounced facts materialize in the publication of the concession list
of social action aids whose list contains personal data, as well as

such as the amounts granted, causes for denial, etc., violating the duty
of confidentiality.

Article 58 of the RGPD, Powers, states:

        "two. Each supervisory authority shall have all the following powers co-

Rectives listed below:

        (…)
        b) sanction any person responsible or in charge of the treatment with warning
to when the treatment operations have infringed the provisions of this

Regulation;
        (…) "


Article 5, Principles relating to treatment, of the RGPD establishes that:


        "1. The personal data will be:

        (…)
        f) treated in such a way as to guarantee adequate security of the data
        personal coughs, including protection against unauthorized or unlawful processing

        to and against its loss, destruction or accidental damage, by applying
        appropriate technical or organizational measures ("integrity and confidentiality").
        (…)

Also article 5, Duty of confidentiality, of Organic Law 3/2018, of 5 of

December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), points out that:

        "1. Those responsible and in charge of data processing, as well as all
The people who intervene in any phase of this will be subject to the duty of
confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.


        2. The general obligation indicated in the previous section will be complementary
of the duties of professional secrecy in accordance with its applicable regulations.

        3. The obligations established in the previous sections will be maintained

even when the relationship of the obligated party with the person in charge or manager has ended
treatment ”.

                                            III


On the other hand, article 83.5 a) of the RGPD, considers that the infringement of “the principles
basic guidelines for the treatment, including the conditions for consent to
nor of articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the mentioned
cited article 83 of the aforementioned RGPD, “with administrative fines of € 20,000,000

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/9








at most or, in the case of a company, of an amount equivalent to 4% as
maximum total annual global business volume of the previous financial year, op-
taking the highest amount ”.


The LOPDGDD in its article 72 indicates: “Violations considered very serious:

       1. In accordance with the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned therein and, in part,

ticular, the following:

       a) The processing of personal data violating the principles and guarantees es-
       established in article 5 of Regulation (EU) 2016/679.


       (…)

                                         IV

The documentation in the file offers clear indications that the
claimed, violated article 5 of the RGPD, principles relating to treatment, in

in relation to article 5 of the LOPGDD, duty of confidentiality, when the publication of the
list of granting aid for social action and, in addition, be sent to all
workers the list of aid.

This duty of confidentiality is an obligation that falls not only on the person responsible
and in charge of the treatment but to everyone who intervenes in any phase of the
treatment and complementary to the duty of professional secrecy.

As already reported in the initiation agreement in the case of social assistance, there was
to distinguish between those that are granted under competitive competition
and non-competitive competition, thus distinguishing two scenarios:

In cases of competitive competition, and therefore without a maximum number of
requests to be accepted by the entity, the notification should be individualized according to
so that personal data should not be accessible to third parties.

In cases of non-competitive competition, applicants - never third parties at the
procedure- they will be able to know the list of award of the aids, but not data

not necessary or expendable (eg, DNI number).
Consequently, entities that intend to grant aid from a fund
social action can not publish the list of grants awarded and / or denied

on a freely accessible web page, or on a notice board located in an area
open to the public, because it would allow third parties outside the procedure to have
access to personal data.

The defendant in his response to the agreement to initiate the procedure indicated that the
The procedure in question was not one of competitive concurrence, a reality that
It could be verified after reading the JOINT REGULATION OF THE COMMISSION
OF SOCIAL ACTION OF THE OFFICIAL AND LABOR STAFF OF THE

CITY COUNCIL OF EL ESCORIAL AND ITS AUTONOMOUS ORGANISM.
Likewise, it pointed out that the list containing the information related to the grants did not
had been published on web pages freely accessible by third parties, but rather the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/9








notification was made through the document manager program itself being
necessary or have access to said software and in order to comply with what is specified in
Article 8.1.c) of Law 19/2013, of December 9, on transparency, access to the

public information and good governance that indicates:
       "1. Subjects included in the scope of this title must do
public, at least, the information related to administrative management acts with

economic or budgetary impact indicated below: (…)
       c) Subsidies and public aid granted with indication of their

amount, objective or purpose and beneficiaries. (…) "

In a report from the IGAE it is indicated that “the aid for Social Action and the advances

non-refundable granted to the staff of public administrations are not
subsidies or public aid, but fall within the remuneration scope of the
personal, and have the fiscal and budgetary treatment of these expenses "


The defendant indicates that, if it could be considered that said notification of names and
assigned amounts could violate any precept of the law of protection of
data, it would be proposed to modify its management regulations so that it is carried out

carry out individualized notification to each worker of the assigned amount. With
According to what is indicated, the aforementioned modification should be made.


                                            V

The LOPDGDD in its article 77, Regime applicable to certain categories of res-
those responsible or in charge of the treatment, establishes the following:


       "1. The regime established in this article will be applied to the treatments
of those who are responsible or in charge:

       a) The constitutional bodies or those with constitutional relevance and the institutions
       tions of the autonomous communities analogous to them.

       b) The jurisdictional bodies.
       c) The General State Administration, the Administrations of the communities
       autonomous communities and the entities that make up the Local Administration.
       d) Public bodies and public law entities linked to or
       pending of the Public Administrations.
       e) The independent administrative authorities.

       f) The Bank of Spain.
       g) Public law corporations when the purposes of the treatment
       are related to the exercise of powers of public law.
       h) Public sector foundations.
       i) Public Universities.

       j) Consortia.
       k) The parliamentary groups of the Cortes Generales and the Legislative Assemblies
       autonomous communities, as well as the political groups of the Local Corporations.

       2. When the managers or managers listed in section 1 commit-

have any of the infractions referred to in articles 72 to 74 of this law
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/9








organic, the competent data protection authority will issue a resolution
sanctioning them with warning. The resolution will also establish
the measures to be adopted to stop the conduct or correct the effects

cough of the offense that had been committed.

        The resolution will be notified to the person in charge of the treatment, to the
earning that depends hierarchically, where appropriate, and those affected who had the
condition of interested party, if applicable.


        3. Without prejudice to the provisions of the previous section, the protection authority
tion of data will also propose the initiation of disciplinary actions when
there is sufficient evidence to do so. In this case, the procedure and the sanctions to
apply will be those established in the legislation on disciplinary or sanctioning
dor that is applicable.


        Likewise, when the infractions are attributable to authorities and managers,
and the existence of technical reports or recommendations for treatment is accredited
that had not been duly attended to, in the resolution imposing the
The sanction will include a reprimand with the name of the responsible position and
will order the publication in the Official Gazette of the State or regional

gives.

        4. The data protection authority must be informed of the resolutions
tions that fall in relation to the measures and actions referred to in the
previous sections.


        5. They will be communicated to the Ombudsman or, where appropriate, to the institutions
of the autonomous communities, the actions carried out and the resolutions
rules issued under this article.


        6. When the competent authority is the Spanish Agency for the Protection of
Data, it will publish on its website with due separation the resolutions related to
to the entities of section 1 of this article, with express indication of the
identity of the person in charge or in charge of the treatment that had committed the infringement
tion.


        When the competence corresponds to an autonomous protection authority
of data will be, in terms of the publicity of these resolutions, to what is available
its specific regulations ”.

In the case under examination, the publication of data relating to the granting of

aid in the field of social action violates the regulations on the protection of
personal data as it is considered that it violates the principle of confidentiality.

In accordance with the evidence available, such conduct constitutes,
on the part of the claimed the infringement of the provisions of article 5.1.f) of the RGPD.
However, it should be noted that the RGPD, without prejudice to what is established in its

Article 83, contemplates in its article 77 the possibility of resorting to the sanction of
warning to correct the processing of personal data that is not appropriate
to their forecasts, when the managers or managers listed in section

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/9








1 commit any of the offenses referred to in articles 72 to 74 of
this organic law.

Likewise, it is contemplated that the resolution issued will establish the measures that
proceed to adopt so that the conduct ceases, the effects of the offense that
was committed and its adaptation to the requirements contemplated in article
5.1.f) of the RGPD of the RGPD, as well as the contribution of supporting means of the

compliance with what is required.
However, the defendant has informed this Agency of the circumstances in which

that the incident that led to the claim occurred, as well as the measures to
adopt in order to prevent events such as the one claimed from occurring again in the
future, as it is that the modification of its management regulations will be proposed in order to
carry out individualized notification to each worker of the assigned amount
of the social action fund, so it is required to report if there were
carried out or any other action taken.

Likewise, taking into account the absence of bad faith in the aforementioned publication, which in
At no time was the information made public on web pages freely accessible by

third parties, that a notification was made through the manager's internal program
documentary and that to access it it was necessary to have access to the software,
considers that the answer has been reasonable, acknowledging the facts and trying
correct the error made, not having evidence of other claims for
part of the affected persons, so it is not appropriate to urge the claimed adoption

of additional measures.

Therefore, in accordance with the applicable legislation and the graduation criteria assessed

tion of the sanctions whose existence has been proven,

The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE THE CITY COUNCIL OF EL ESCORIAL, with NIF P2805400E,

for a violation of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD,
a warning sanction.

SECOND: NOTIFY this resolution to the CITY OF EL ESCO-
RIAL.


THIRD: COMMUNICATE this resolution to the Ombudsman, of
in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the inte-
Residents may file, optionally, an appeal for reconsideration before the Director
of the Spanish Agency for Data Protection within a month from

the day after notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/9









Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-
administrative, within a period of two months from the day following the notification
tion of this act, as provided in article 46.1 of the aforementioned Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party
do manifests its intention to file a contentious-administrative appeal. Of being
In this case, the interested party must formally communicate this fact in writing

addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to
through any of the other records provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also forward the documentation to the Agency

that certifies the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious-administrative appeal
trative within two months from the day following notification of this
resolution, would terminate the precautionary suspension.



                                                                                       938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection






































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es