AEPD - PS 00214-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 9(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 26.02.2021 |
Decided: | |
Published: | 16.01.2023 |
Fine: | 40,000 EUR |
Parties: | AGROXARXA, S.L. THOMAS INTERNATIONAL SYSTEMS, S.A. |
National Case Number/Name: | PS 00214-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Teresa López |
The Spanish DPA fined a talent acquisition company €40,000 for collecting data on candidates' ethnicity and disability to improve its own services. The company violated Article 9 GDPR because, among other things, it could not rely on 'scientific research purposes' (Article 9(2)(j) GDPR).
English Summary
Facts
Thomas International Systems, S.A ('Thomas'), the controller, was a talent acquisition company that carried out aptitude testing on behalf of its clients. At the request of its clients, 'Thomas' provided behavioural tests and surveys in order to review job candidates. In this context, Agroxarxa, S.L. ('Agroxarxa'), a client of 'Thomas', requested a candidate for a job (data subject) to complete a behavioural survey on the website of 'Thomas'.
The data subject completed the assessment of 'Thomas' (From here, The first survey), on behalf of 'Agroxarxa'. However, once they completed the first survey, 'Thomas' asked the data subject to fill in a second questionnaire (From here, The second survey) for the purposes of research and improvement of the evaluations conducted by 'Thomas'. This second survey collected several categories of personal data, such as gender, year of birth, disability, ethnicity, mother tongue, level of education, current employment status, etc. For each question in this second survey, the data subject was presented with a drop-down mechanism that included the option “I prefer not to answer”, in all questions apart from those under the disability category. The second survey also contained an informative text which would be presented before the data subject would start answering the questions. 'Thomas' stated in this text that participation was entirely voluntary. Data subjects would be able to skip any question they did not wish to answer.
On 21 February 2021, the data subject filed a complaint with the Spanish DPA (DPA) against 'Thomas' for requesting disability and ethnicity data. The data subject stated that they were unaware of how the company would use such data.
After a request from the DPA, 'Thomas' disclosed its data processing agreement with 'Agroxarxa'. This agreement identified 'Thomas' as a data processor for the purposes of carrying out the first survey on behalf of 'Agroxarxa' for its recruitment process. Regarding the second survey, 'Thomas' acknowledged that it was the controller for the processing of disability and ethnicity data.
'Thomas' stated that it could rely on Article 9(2)(j) GDPR ('scientific research purposes') to process the special category health data. 'Thomas' asserted in this regard that it complied with several international psychometric standards. 'Thomas' also stated that the data subject had the option to consent to the processing of ethnicity and disability, because the data subject could simply choose to refrain from giving an answer to these questions.
Holding
First, The DPA started by acknowledging that 'Thomas' was the controller for the processing regarding the second survey. The DPA stated that the company determined both the means and purposes of the processing, and also held that the controller processed this data for its own benefit.
Second, The DPA held that 'Thomas' processed data relating to ethnicity and disability, which are special categories of data, without justifying the applicability of any circumstances or exceptions established in Article 9(2) GDPR. Therefore, 'Thomas' did not have a justification for violating the prohibition on the processing of special category personal data. The DPA specifically held that the exception alleged by the controller, that of Article 9(2)(j) ('scientific research purposes'), did not apply. The controller could not invoke any legal rule covering such data processing. Regarding the international psychometric standards invoked of the controller, the DPA held that these did not constitute "standards of Union or Member State Law", which is a requirement of Article 9(2)(j) GDPR. Therefore, the controller could not rely on Article 9(2)(j) GDPR for its processing.
Third, the DPA held that it was unclear if the controller even had an appropriate legal basis pursuant to Article 6 GDPR. The information contained in their privacy policy was too generic and was limited to citing several legal bases, without specifying which legal basis corresponded to each of the controller's processing operations. The DPA assessed the legal bases of contract (Article 6(1)(b) GDPR), legal obligation (Article 6(1)(c) GDPR) and legitimate interest (Article 6(1)(f) GDPR) and determined that the controller would not be able to use any of these legal bases for its processing.
Fourth, The DPA also dismissed the possibility that the processing of sensitive data was based on consent due to the optional nature of the survey. The DPA held that the mere indication of voluntariness does not meet the requirements of Article 9(2)(a) GDPR, which states that consent to the processing of special categories of personal data must be “explicit”. The DPA also stated that the controller did not have a consent-mechanism in place and held that the fact that the data subject could choose whether to fill in the form could not be accepted as a form of consent.
Fifth, The controller did not duly inform the data subject about the purpose, legal basis or the right to withdraw consent in accordance with the provisions of Article 13 GDPR. Another deficiency was the fact that the privacy policy was only provided in English.
Lastly, the DPA held that 'Thomas' had failed to provide sufficient evidence to prove that proportionality requirements were met, which was an obligation demanded by the Spanish constitutional court (see Judgement 14/2003, 28 January).
For all these reasons, the DPA found that the controller had breached Article 9 GDPR. The DPA imposed a sanction according to Article 83(5)(a) GDPR and Article 72(1)(e) of the Spanish Data Protection Law. After considering aggravating factors, the DPA determined a fine of €50,000. The DPA also ordered the controller to stop the collection of personal data relating to ethnicity and disability from the survey. The controller also had to stop using the data it had previously collected on this basis. The controller ended paying €40,000 by making use of the possibility, provided for in Spanish administrative law, to have the fine reduced due to a voluntary payment.
Comment
The Spanish Data Protection Authority gave an example of what measures would have constituted an adequate remedy and mitigation to the breach according to Article 83(2)(f) GDPR: “Mitigating the adverse effects or mitigating the damage caused by breaches involves restoring the rights of data subjects, which in this case entails deleting the ethnicity and disability data collected from data subjects and suspending their collection”.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/42 File No.: PS/00214/2022 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On May 5, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanction proceedings against THOMAS INTERNATIONAL SYSTEMS, S.A. (hereinafter the claimed party). Notified on initiation agreement and after analyzing the allegations presented, on December 14, November 2022, the proposed resolution was issued as follows: transcribe: << File No.: PS/00214/2022 PROPOSED RESOLUTION OF SANCTION PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: On 02/26/2021, he entered this Spanish Agency for Data Protection a document presented by A.A.A. (hereinafter, the part claimant), for which he files a claim against the entity Agroxarxa, S.L., with NIF B25269358 (hereinafter, Agroxarxa), for the processing of personal data of special categories. The complaining party states that (...) it should have carried out psychotechnical tests, accessible through a link from an entity specialized in these services. As he claims, in one of the forms used to carry out the process, they requested data sensitive (disability and ethnicity), ignoring the use that the company would make of these dates. It adds that the completion of these forms was required by the Agroxarxa Human Resources department. Provide a screenshot of the questionnaire in which the data is requested controversial, available on the web "***URL.1" (hereinafter "Questionnaire of Thomas Research” or “Questionnaire”), the content of which is outlined in the Fact Proven Second. In its upper left corner is the logo of the entity C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/42 "Thomas International Ltd.", to which said form belongs according to the indication inserted therein (“Copyright”). On the screen provided by the claimant the options detailed in Proven Fact Six are selected. SECOND: During the phase of admission for processing of the claim reviewed, by the General Subdirectorate of Data Inspection accessed the Privacy Policy of the entity "Thomas International Ltd.", dated 07/03/2019 and in English (the detail of the content of this document, in what interests the present procedure, is outlined in the Fourth Proven Fact). THIRD: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), the claim made was transferred to the entity Agroxarxa to proceed with its analysis and inform this Agency, within a month, of the actions carried out to adapt to the requirements established in the data protection regulations. The term granted for this to Agroxarxa elapsed without this Agency receive any written response. FOURTH: On 06/29/2021, in accordance with article 65 of the LOPDGDD, The claim presented by the complaining party was admitted for processing. FIFTH: In view of the facts denounced in the claim and the documents provided by the complaining party, the General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the investigative powers granted to control authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD. The inspection services of the AEPD carried out the actions following: 1. The Inspection Services of this Agency sent Agroxarxa a information request, which was attended by said entity by means of a written 12/21/2021, in which he reports the following: . (…). . In reference to the personnel selection process, it warns that it does not request or require to the candidates the inclusion in the curricula of personal data concerning race, ethnicity or disability. Explain the process that follows to select the finalists, who are requests that they complete a "behavioral survey" with the aim of know if the candidate adjusts -in terms of skills and competencies- to the conditions required for the job, which is done through the platform owned by the company "Thomas International Ltd", who informs of its terms and conditions, privacy policy, cookies and other legal requirements in the mail that candidates receive to complete the survey. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/42 Once the candidates carry out the survey on the "Thomas International Ltd.”, and based on the analysis of the result it issues, a Final interview to select the person to be hired. . In reference to the information provided to the candidates. The company "Thomas International Ltd.", when sending the mail to participate in the survey sends the link to its rules where you can see in detail the treatment of data. Agroxarxa incorporates one of these emails as an example, whose text is the following: “Dear… …(name), from Agroxarxa, SLU has invited you to complete a brief evaluation of behaviour. Click on the following link or copy and paste it into your browser to start the evaluation https://open.***URL.1/Login/Login... There is a possibility that you will be asked to enter the following user data and password: User… Password… Visit the Thomas candidate area https://www.***URL.1/en-us/candidates.aspx for Learn more about this evaluation. Regards … (Name) Agroxarxa, SLU … (phone) rrhh_desenvolupament@Agroxarxa.com See our privacy policy www.***URL.1/es-es/Privacycookies.as.x” According to Agroxarxa, this makes it clear that "the information available to the candidates and the processing of data that informs the company, not Agroxarxa, SLU”. . In reference to the contract signed with "Thomas International Ltd.". Those responsible for the entity provide a copy of the contract for the provision of services and contract for data processing (“Data Processing Agreement”) signed in dated 05/30/2018 with the entity THOMAS INTERNACIONAL SYSTEMS, S.A. (in hereinafter THOMAS INTERNATIONAL SYSTEMS). The content of this "Agreement of data processing", as far as this procedure is concerned, consists of detailed in the Third Proven Fact. . In reference to the reason why "Thomas International Ltd." collect ethnicity data and disability. As indicated by the representatives of Agroxarxa, they are not expressly collected this data for the entity. Thomas International Ltd. uses the same "Questionnaire" for all your customers. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/42 In addition, the data requested in the "Questionnaire" regarding "disability" and “ethnic group” are voluntary, the person surveyed can choose the option “I prefer not to to answer". They provide the image of said "Questionnaire", whose content coincides with the described in the Second Proven Fact. The answers are in this image. following: . Sex: "Female". . Year of birth: “2017”. . Disability: "I prefer not to answer." . Ethnicity: "I prefer not to answer." Thomas International Ltd. only has the information that people Candidates contribute voluntarily, without it being mandatory and necessary to Agroxarxa have the data in question. Agroxarxa at no time has requested that this information be collected for any selection process. Therefore, “Thomas International Ltd.” only have information regarding ethnicity and disability when the candidate expressly and completely voluntarily and informed, provides it, without this information being provided to Agroxarxa, to which only the corresponding competency profile report is sent and skills, but never the answers. . In reference to the treatments carried out by Agroxarxa with the data related to ethnicity and disability and retention period. The application of “Thomas International Ltd.” not expressly designed for Agroxarxa selection processes, who (like the rest of the clients) do not participates in the preparation of the forms used by said company. That is why Agroxarxa does not collect, process or keep data related to ethnicity and disability. . In reference to the data contained in Agroxarxa relating to the complaining party. It does not have data related to ethnicity or disability of the complaining party. (…). With its response, Agroxarxa provided a copy of two reports as an example of the information about the candidates that “Thomas International Ltd.” facilitates the Agroxarxa: a) The first of them contains some graphics and scores related to "Mask of work”, “Behavior under pressure” and “self-image”. b) The second describes the "APP Profile" of the person assessed in relation to the “Self-image”, “Self-motivation”, “Work emphasis”, “Descriptive words”, “Mask” (“how others see you”), “Behavior under pressure” and “General comments”. 2. On 12/30/2021, the Inspection Services of this Agency sent to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/42 Agroxarxa a new request for information, which was answered as follows: . In the selection process, Agroxarxa at no time gives data to the entity "Thomas International Ltd.", but hires this company to carry out a analysis of skills and competencies. The only data that Agroxarxa communicates to "Thomas Internacional Ltd." are the name and surname and contact email, used to facilitate access to the platform. . It is in your interest to proceed to a reassessment of the selection process and protocol of people with the aim of simplifying and improving the process, as well as facilitating the candidates more and better information. 3. (…): Its activity is to provide psychometric tools for companies to use. apply in their evaluation and recruitment processes. On 05/30/2018, a "Data Processing Agreement" was signed with the company Agroxarxa (provide a copy). (…). In the contract signed between the parties (Annex 1), it is contemplated that "Thomas International" will process, by order of Agroxarxa, the data information personal information of candidates selected by it and will be stored and controlled by the person responsible for the data, Agroxarxa, in the “Thomas International” hub that has previously been hired. Agroxarxa has tools for the maintenance of personal data resulting from the evaluation processes and during the time that Agroxarxa deems appropriate. In section 2.3 of the Contract it is specified that Agroxarxa is the one who controls the information of the personal data entered in the evaluation systems of Thomas International Ltd. through the tools provided by it, and that the data of the candidates (results of the evaluations) will be processed by indication of Agroxarxa, having the latter the only access to the processed results by “Thomas International” systems. In section 2.4 it is indicated that Agroxarxa is responsible for personal data that are introduced in the evaluation processes of "Thomas International" so that are processed and evaluation results are obtained that are analyzed and received by Agroxarxa for the development of its business activity. Likewise, Agroxarxa has previously contracted tools for unique access and exclusive to the "Thomas International" hub (where the results of the evaluations) to analyze, view, delete, maintain, etc. information processed by "Thomas International" by indication of Agroxarxa. According to section 3.1.1, the “Thomas International” systems process the data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/42 personal information of Agroxarxa candidates by indication and following the instructions provided by it. And section 3.1.2 stipulates that “Thomas International” acts according to the instructions provided by the client, Agroxarxa. Section 3.2 provides that they must promptly comply with the instructions provided by Agroxarxa. In section 4 Agroxarxa authorizes "Thomas International Ltd." to send a form for permitted research purposes, to be filled out voluntarily and anonymously by the people who access the procedures authorized and contracted by Agroxarxa as long as the three sections 4.1; 4.2 and 4.3. THOMAS INTERNATIONAL SYSTEMS ends by noting that, according to the agreement signed between the parties, "Thomas International" is not obliged to provide information to the candidates that are going to be evaluated for Agroxarxa, which is the owner of the information relating thereto, and “Thomas International Ltd.” only processes the information that is provided by Agroxarxa and at its request. Thomas International Ltd.” does not know the personal data of the candidates who are going to be evaluated according to the needs determined by Agroxarxa in its policies of evaluation of candidates for certain jobs. In relation to the data on ethnic origin and disability, it indicates that they were collected from voluntarily and optionally, with the option not to respond. Any information collected through this optional survey is part of the psychometric evaluation and does not affect the results obtained by the candidate in his evaluation. All the information collected by the aforementioned optional survey would be used by the research team “Thomas International Sciences” to ensure that their assessment tools Psychometrics are designed in such a way that they do not discriminate against the people evaluated. THOMAS INTERNATIONAL SYSTEMS provides a copy of the form "authorized by part of Agroxarxa to be sent to the personnel who access the systems of Thomas International Ltd. according to the assumptions of section 4” (“the Questionnaire”), whose content coincides with that outlined in the Second Proven Fact, and a copy of the following prior information that you provide. After the informative text are included the “I disagree” and “Next” buttons. SIXTH: On 04/25/2022, by the General Sub-Directorate of Data Inspection the information available about the entity THOMAS INTERNACIONAL is accessed SYSTEMS in “Axesor”. (…). SEVENTH: On May 5, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanction proceedings against THOMAS INTERNACIONAL SYSTEMS, in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged violation of article 9 of the GDPR, typified in article 83.5.a) of the aforementioned Regulation; and classified as very serious for prescription purposes in article 72.1.e) of the LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/42 In the opening agreement it was determined that the sanction that could correspond, attention to the existing evidence at the time of opening and without prejudice to the resulting from the instruction, would amount to a total of 50,000 euros. Likewise, it was warned that the imputed infractions, if confirmed, may entail the imposition of measures, according to the aforementioned article 58.2 d) of the GDPR. EIGHTH: Notification of the aforementioned initiation agreement in accordance with the established regulations at the LPACAP, THOMAS INTERNATIONAL SYSTEMS submitted a brief of allegations in which it requests the filing of the procedure or, alternatively, that it be issue a warning, based on the following considerations: 1. From the actions of THOMAS INTERNATIONAL SYSTEMS. THOMAS INTERNATIONAL SYSTEMS is a Spanish company that provides services to different entities in Spain consisting of facilitating the use of the platform specialized in the evaluation, training and consulting of users of said clients “www.***URL.1”. Client entities access a restricted area on the platform using a username and password and are in charge of managing the candidates, selecting those who performed the evaluations, and obtaining the final reports made on said valuations. Based on the foregoing, it concludes that THOMAS INTERNATIONAL SYSTEMS has not carried out any processing of personal data on the part claimant. 2. From the performances of “Thomas”. The “Thomas International group”, as a group, and specifically the parent company “Thomas International Limited LTD”, provides psychometric, evaluation, training and/or auditing to those clients who contract it through the platform www.***URL.1. Said platform offers said psychometric evaluation services, fulfilling all current legislation, the strictest international standards of psychometrics, as well as the strictest technical and organizational security measures and legal in general, and especially in matters of data protection and psychometry. Precisely, one of the measures adopted to guarantee compliance with the international standards and norms of psychometrics is the "Questionnaire of Thomas investigation" object of this procedure, which is carried out completely independent of user evaluations: only once you When the evaluation is finished and it is closed irreversibly, the user is offered to perform questionnaire". The user can choose to do it or not, without having any conditioning or consequence its completion or not, nor its responses, which are not are shared with client entities or with third parties. The sole purpose of this "Questionnaire" is to be able to comply with the standards international psychometrics required by regulations and protocols C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/42 international; as well as being able to guarantee the reliability of the evaluations and demoscopic questionnaires carried out by "Thomas International" through its platform. Customers are informed about this questionnaire through the order contract of the treatment (clause 4). Also to users who, before completing access a notice stating that “Thomas International” is the responsible for it, which has the purpose of scientific research, of the independence and conditionality of carrying it out or not of any evaluation that carried out previously, of the anonymous and confidential nature in the treatment of the information and that no information will be shared with the entity or person would have invited you to carry out the evaluation (in no case the data collected through the "Questionnaire" are known by the clients of the platform or other third parties and not even by those partners or employees of the Group). On this issue of transparency in the processing of data that entails the "Questionnaire", THOMAS INTERNATIONAL SYSTEMS states that it has entrusted to new professionals and a new DPD to perfect the compliance with data protection regulations. Provide a copy of the new informative clause, which is reproduced in the Second Proven Fact. 3. Of the legitimacy of the treatment of the questionnaire. The processing of personal data that is carried out in the "Questionnaire" object of the This file is carried out legitimately and in accordance with the provisions of the article 9.2 j) of the GDPR, in relation to article 89.1 of the same Regulation, and other regulations applicable to the sector in which the entity is dedicated. The "International company", prior to carrying out the "Questionnaire", has taken all necessary technical, organizational and legal measures to: a) Process data of a sensitive nature that obeys exclusively for the purpose of scientific research and to comply with the requirements demanded in international standards and norms of psychometrics, in order to guarantee the reliability required in its evaluations (limitation of the purpose), without the entity get any benefit from completing the questionnaire. b) Treat, in any case, the minimum data possible to fulfill said purposes and needs. The "Thomas Research Questionnaire" is carried out by the minimum necessary people, during the time strictly necessary and the data is processed strictly necessary for the fulfillment of the indicated purpose, fulfilling scrupulously observe the principle of data minimization and anonymization of the identifying data. Applies robust pseudo-anonymization processes and amonimization to their treatments. c) Apply all technical, organizational and legal measures necessary for a correct treatment of said information; establishing a robust system of minimization of information, access restricted to professional collegiate personnel of psychologists, who have duly signed the agreements of rules of use of the necessary information, confidentiality agreements and codes of ethics; Y also applying a system of anonymization of the information obtained, previously tested and continuously monitored. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/42 d) Applying equally robust security systems, encrypting the "Questionnaire", applying the highest security measures that guarantee the confidentiality, integrity and availability of information. Once Once completed, the form is stored in encrypted servers of the entity, with the highest security measures and anonymously in three tables. The system has obtained the ISO 9001 Certificates. e) Analyze and previously evaluate all possible risks and incidents, with adoption of the necessary measures to evidence and/or mitigate any incidence, and complying with all measures and/or obligations regarding data protection, concretely the principles established in article 5 of the GDPR. f) Respect the principle of accuracy of the data: the need for accuracy in the evaluations provided by "Thomas" through its platform makes it necessary to existence of the “Thomas Research Questionnaire”. Likewise, they have established all necessary measures to ensure accuracy in the collection process, storage and conservation of the processed data. g) Keep the data strictly for the purpose described. By anonymizing the data and irreversibly break down the identifying data of the responses given, the minimum conservation period is fully guaranteed, as it is securely and irreversibly destroy personal data immediately in the system of three tables. Therefore, only non-personal data that meet the purpose of scientific research and compliance with standards required scientists. In relation to the legality and loyalty of the data processing of the questionnaire, it indicates the Next: The data required through the "Questionnaire", among which are data from sensitive character (such as ethnicity and possible disabilities), it is necessary to in compliance with the requirements of international standards and regulations of psychometry; in such a way that the evaluations carried out on the platform measure with scientific rigor what they say they do, they do it accurately and they do it fair. And at the same time ensure they meet the right demographic and that no discrimination is made, as required by the standards and international standards listed below: . The “Questionnaire” is validated in accordance with the Federation Guidelines European Associations of Psychologists (FEAP) or EFPA in its acronym in English (European Federation Psychologists Associations). EFPA is an organization European Union of which most of the European associations of psychology. Its proof review model is used throughout Europe, and serves as a tool to evaluate psychometric evaluations from two points of view: on the one hand, to check if a group or sample is representative of a population broader and calculate the relative position in that sample of examinees; and by other hand, to ensure the fairness of the test. . International Testing Commission (ITC), Guidelines on the use of tests, which they also refer to the fairness of the tests, whether they are fair for use with various groups; and the need to control changes in the population through the demographic information provided by test takers. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/42 . Code of Conduct of the Business Psychology Association ***URL.2. It adds that the information collected is necessary, according to the aforementioned formulation survey (CIT or ITC in its acronym in English), since it allows to ensure, through anonymous statistical studies, that their psychometric assessment tools (personality, intelligence, aptitudes, emotional intelligence, etc.) do not discriminate against people evaluated, precisely for reasons of ethnicity or disability, among others circumstances. Therefore, it understands that "Thomas International", as designer of evaluations and questionnaires, is legitimized and protected in its objectives by the art.89.1 of the GDPR, which accepts the collection of data for research purposes and global statistics, with the guarantee that this data is anonymized and is impossible for them to be associated with a specific candidate, through the aforementioned CIT. The relevance of the activity of “Thomas International” and its CIT survey is based on the requirements of guaranteeing good practices in the design, development and monitoring of psychometric tests, according to the standards defined by the BPS (British Psychological Society), the EFPA (European Federation Psychologists Associations) or the COP (Official Association of Psychologists), who ensure good practices in psychometrics, certify the validity and reliability of a test and demand that the standards of quality are kept up-to-date through macro-statistical studies parallel to throughout the technical life of these tests, using statistical meta-analyses obligatorily anonymous, global and longitudinal. There has recently emerged a new application standard in this field, ISO.30414 Human Resources Management, that results in the requirement of carrying out an adequate use of the tests psychometrics, as well as the requirement of their discriminating power. In addition, it adds that "Thomas International" carried out the analyzes and evaluations of necessary impact, having assessed the proportionality of data processing and the need for them for scientific research, before making the platform evaluations. Likewise, both the evaluations and the questionnaires have been designed exclusively by prestigious collegiate psychology professionals who carry out their activity in "Thomas International", which are the ones that deal exclusively with the questionnaire data. These professionals are covered by agreements of confidentiality and strict compliance with standards and regulations International Psychometrics. 4. Bearing in mind that (...) without any discrimination, he did not suffer an infraction or damage (...), without having expressed any objection to the treatment of the "Questionnaire of Thomas investigation”; that Agroxarxa did not know whether or not the interested party made said "Questionnaire" or what you answered; that “Thomas International” has not obtained any benefit or harm; and has not had any claim or incident; THOMAS INTERNATIONAL SYSTEMS understands that there is no infringement and/or breach of data protection. 5. Of the non-existence of illegality in the treatment of information: it also understands, THOMAS INTERNATIONAL SYSTEMS that data processing is carried out personal data of a sensitive nature in accordance with article 9.2 j) of the GDPR; and once they have C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/42 anonymized the data; therefore, it cannot be considered that there is a treatment of personal information. 6. From the lack of intent and/or fault of "Thomas International": for there to be a punishable offence, there must be not only an unlawful act but also a intentionality in the commission or omission that causes it, as stated in the Resolutions and Judgments of the National Court of 02/25/2010, (which establishes that is not admissible in administrative law sanctioning responsibility objective, which is proscribed, after STC 76/1999; Judgment of the Hearing National 04/29/2010), 04/29/2020, 10/19/2010 and 02/10/2011. "Thomas International" has had a proactive attitude and compliant with its obligations regarding data protection in all the treatments it carries out, applying the highest safety standards in their treatments. 7. Of the non-existence of seriousness of "Thomas International": in the hypothetical case that it is considered that "Thomas International" has not informed correctly, so subsidiary, the attitude of "Thomas International" cannot be sanctioned with a serious infraction, since all the indicated circumstances that occur in the present case and that have been accredited, lead to determine the total non-existence of Serious offense. In addition, as a result of what is known in this case, it has taken additional measures to avoid any incident or infringement, such as appointing a new Delegate of Data Protection of proven experience and knowledge (ANNEX No. 15); initiate a new risk analysis and impact assessment on the treatments of personal data in order to identify possible risks and apply the measures necessary to avoid and/or mitigate its damages; write new informative clauses on the treatment carried out in the "Thomas Research Questionnaire"; reinforce the information and training of all the agents involved in the treatments of personal data, such as clients, collegiate psychological staff and personal technology, people who agree to carry out the evaluations and questionnaires. Therefore, it considers that the provisions of Recital 148 of the GDPR, as stated in the following AEPD resolutions: a) In the Resolution issued in procedure E/00660/2020, regarding a very serious infringement for illegal data processing, the proceedings for the adaptation to the regulations carried out before the presentation of the claim before the AEPD. b) In the procedures indicated with the numbers PS/00077/2021 and PS/00416/2020, regarding serious infractions due to security breaches of the information, is sanctioned with a warning for the measures adopted to resolve the problem and for the suspension of the website involved in the events, which was migrated to another server, adopting measures to avoid events similar to those that motivated the claim. c) In the actions followed with the number E/05039/2018, the procedure sanctioning is transformed into a file according to the measures adopted to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/42 solve the problem and the low relevance of the deficiencies. d) In the case of procedures PS/00040/2021, PS/00041/2021, PS/00067/2021, PS/00071/2021, PS/00240/2020, PS/00366/2020, PS/00285/2020, PS/00311/2020, PS/00355/2020, PS/00371/2020, PS/00381/2020, PS/00399/2020, PS/00414/2020, PS/00441/2020, PS/00453/2020, PS/00454/2020, PS/00455/2020, PS/00457/2020 and PS/00490/2020, the disciplinary procedure becomes a warning in based on fundamentals such as those expressed below: . It is verified that the claimed party updated the information. . The Privacy Policy is prepared after the claim. . The consent is express because the treatment of the data is based on the Consent given by filling in and submitting the form and checking the box accepting data processing (PS/00040/2021). . The fine is considered disproportionate for the claimed party, whose activity principal is not directly linked to the processing of personal data, and that it does not there is evidence of the commission of any previous infraction in terms of data protection (PS/00041/2021 and others). . The provisions of article 58.2 of the GDPR (PS/00067/2021 and others) are complied with. . Absence of intentionality; adoption of measures to comply with the GDPR; appointment of a DPO; there is no recidivism; appropriate measures have been taken and reasonable to avoid incidents such as the claimed party (PS/00071/2021). . Rectification, once the file has been initiated, of the deficiency found in the existing form on the web and acceptance of the privacy conditions before the sending said form and enabling a box to consent to the sending of commercial communications (PS/00311/2020). . There is no record of any previous violation of data protection. . The privacy policies were conveniently modified. Finally, he highlights that he has a proactive attitude; all your staff are duly trained; its activity has not caused damage to the rights of the interested parties, that they have not received any claim or incidence or breach of security up to date; and that, upon learning of the matter, has initiated a review of its protocols, analyzes and evaluations, and has proceeded to appoint proven specialists in the field. With its allegations, it provides the following documentation: . Contract signed with Agroxarxa. . Partner agreement between "Thomas IS" and "Thomas LTD". . Explanation of the anonymization and minimization process in three tables that are performs the "Thomas Research Questionnaire". . Protocols and security policy applied, including a version of the Privacy Policy dated 03/31/2020. . EFPA Guidelines. . ICT Guidelines. . Code of conduct. . Executive summary of Thomas International's practices and compliance with the GDPR. . Protocol for the preparation of tests for Dyslexia and Occupational Tests. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/42 . Deontological Code. . Psychologist contract. PROVEN FACTS FIRST: The entity THOMAS INTERNATIONAL SYSTEMS provides services of evaluation and consultancy in personnel selection processes carried out by the entities that contract such services. The evaluation of candidates by THOMAS INTERNATIONAL SYSTEMS requires them to complete accessible behavioral tests or surveys through the website of said entity, "***URL.1", for, based on the information obtained, assess the suitability of the candidate for the job offered. The entity that summons the selection process makes a pre-selection of the Candidates who must be evaluated by THOMAS INTERNATIONAL SYSTEMS. These finalist candidates receive an email from the latter entity with the instructions to access your platform, the "candidate area", and be able to carry out the poll. The username and password that you must use for the access and includes a link to start the evaluation; and others that lead to information available on the "candidate area" and the Privacy Policy available on the web “***URL.1”. As a result of the provision of the service, THOMAS INTERNATIONAL SYSTEMS provides client entities with a report or profile on skills and abilities of the candidate person. SECOND: Once the candidates finish completing the tests necessary to carry out the evaluation, THOMAS INTERNATIONAL SYSTEMS asks them to fill in a new questionnaire, which he calls the "Questionnaire of Thomas Research”, which includes questions related to sex, year of birth, disability, ethnicity, mother tongue, educational level, employment status current sector currently working in current role current level of command level of happiness in the job (on a scale from 1 to 7), qualification of your work (with scale from 1 to 7), description of the disability (text field) and consideration about leadership. To answer each question, except for the description of the disability, a drop-down is shown with the options that the interested party can select, including the option “I prefer not to answer”. Prior to completing this "Questionnaire", the interested parties the following information regarding the protection of personal data: Thank you for completing the form. A notification has been sent to the person who invited you to take the assessment. Please, contact him for more information on this evaluation Thomas. Welcome to the Thomas Research Quiz. At Thomas International, we are committed to continuous improvement of our evaluations. As part of our research and development initiative, we ask that you provide us with information to help us improve our assessments. Information C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/42 collected will be used for research purposes only and will not be provided to your employer. Our psychologists abide by ethical guidelines and all information we collect will be confidential and only global results will be reported. Participation is entirely voluntary and you can choose to skip any question you do not want to answer. After the informative text, the buttons "I do not agree" and "Next". The entity THOMAS INTERNACIONAL SYSTEMS, on the occasion of the process of allegations at the opening of the procedure, has reported that the informative clause above has been modified, remaining as follows: Thank you for completing the form. A notification has been sent to the person who invited you to take the assessment. Please, contact him for more information on this evaluation Thomas. Welcome to the Thomas Research Quiz. At Thomas International we are committed to the continuous improvement of our evaluations. As part of this, Thomas International, as the controller of the data, regularly conducts research to ensure that our assessments are valid, reliable and, above all, fair. This allows us to ensure that we adhere to the international best practice standards. We would appreciate your help in this important research by filling in the following questionnaire. Completion of the questionnaire is voluntary and independent of the person who has asked to do the evaluation. In no case will the information of this questionnaire to the person who invited you to carry out the mentioned evaluation. Information collected in this questionnaire will be used solely for scientific research purposes, it will be treated only by Thomas International registered psychologists and will be treated anonymously. To exercise your rights and/or for more information, consult our privacy policy (***URL.3), or contact our Privacy Policy Data Protection in ***EMAIL.1. Our psychologists are governed by ethical guidelines and all information we collect will be kept confidential and only the results will be communicated anonymous aggregates. Participation is completely voluntary and you can choose to skip any questions you don't want to answer." After the informative text, the buttons "I do not agree" and "Next". THIRD: To formalize the provision of the services outlined in the Fact Tried First, the entity has arranged a form called “Agreement of data processing" that it signs with its clients. Of the stipulations contained in this agreement, which is declared reproduced at evidentiary purposes, the following should be noted: Background (...) (...) (…) (…) Thomas's Duties C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/42 (…): (…); (…); (…); (…) Research (…): (…); (…); (…). (...)”. FOURTH: The Privacy Policy available on the web "***URL.1", in its version of dated 07/03/2019, includes the following information: “1.3 Do we always act as data controllers? Although Thomas acts often as data controller, in some of our activities We can also act as data processor or sub-processor... Among the examples of cases where Thomas acts as data controller Data includes, but is not limited to, the following: (…) . Processing of personal data of candidates for research purposes. . Processing of personal data of candidates to create an anonymous form of Personal information… 2.5 Do we use personal data in our research? We are committed to continually improving our assessments. To do this, we ask the Candidates who provide us with additional information, such as age group, educational level, ethnicity and similar issues. Providing this information is voluntary and is not necessary to complete an assessment. When we process any of this personal data for research, we do so as responsible for data processing. Any personal information provided to us for research will be used exclusively for research purposes and will not be disclosed to third parties. Both during and after our psychologists evaluate your personal information, we will store it safely and with the highest confidence. If we share our results with third parties, only the results will be shared. anonymous and aggregate results from which no individual can be identified. 2.6 In case we are data controller: What legal basis we have to use your personal data? (…) . you have consented to the use of your personal data; . the use we make of your personal data is in our legitimate interest as business organization; In these cases, we will process your information at all times manner that is proportionate and respectful of your right to privacy. You will also have the right to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/42 object to the processing, as explained in section 7; . the use of your personal data is necessary to perform a contract or take steps to enter into a contract with you; either . our use of your personal data is necessary to comply with a legal obligation or pertinent regulatory…” (Unofficial translation). The content of the transcribed sections is similar to that included in the version of the Privacy Policy dated 03/31/2020, contributed to the proceedings by THOMAS INTERNATIONAL SYSTEMS. FIFTH: Agroxarxa called a personnel selection process and hired the services of THOMAS INTERNATIONAL SYSTEMS to carry out the evaluations of the candidates shortlisted by Agroxarxa. For this reason, both entities signed a contract (“Data Processing Agreement”) in dated 05/30/2018, in the terms indicated in the Third Proven Fact. SIXTH: The complaining party participated in a personnel selection process summoned by Agroxaxa indicated in the Fifth Proven Fact and was selected as a finalist to be evaluated by THOMAS INTERNATIONAL SYSTEMS. After carrying out the surveys arranged to carry out this evaluation to Through the web "***URL.1", he was asked to fill in the "Questionnaire of Thomas Investigation", through which the claimed party provided the data following: . Sex: “XXXXXX”. . Year of birth: “XXXX”. . Disability: “XX”. . Ethnicity: “XXXXXXXXXXXX”. FUNDAMENTALS OF LAW Yo By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of the GDPR, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the rules general on administrative procedures”. II The claim that has motivated these proceedings questions the treatment of personal data relating to ethnicity and disability carried out by THOMAS INTERNACIONAL SYSTEMS during the candidate selection process for a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/42 job offered by the entity Agroxarxa, constituting this question the sole purpose of this proceeding. Thus, the conclusions derived from the procedure do not imply any pronouncement regarding issues unrelated to said object. II The personnel selection process (...) begins with the publication, for this reason entity, of and with the following examination of the profile of the candidates who have interested in the position to select the finalists, who are asked to complete a “behavioral survey.” This "behavioral survey" is carried out through the entity's platform THOMAS INTERNATIONAL SYSTEMS. These are psychological tests that value intelligence, personality, emotional intelligence, and the potential of candidates. THOMAS INTERNATIONAL SYSTEMS sends an email to the candidate with access to your platform. In this email you warn that the reason is to carry out an evaluation of behavior for Agroxarxa, indicates the link to access the platform, as well as the username and password to use. In addition, it indicates the links for access the information contained in the candidate area and the privacy policy. As a result of this action, THOMAS INTERNATIONAL SYSTEMS sends to Agroxarxa a report on the profile of skills and abilities of the person candidate. The selection process ends with a final interview carried out by Agroxarxa. The tasks that THOMAS INTERNATIONAL SYSTEMS performs within the framework of this process were entrusted to him by Agroxarxa through a contract for the provision of services subscribed by both entities. Said contract includes an "Agreement of data processing", formalized on 05/30/2018, which defines the role of THOMAS INTERNATIONAL SYSTEMS as the person in charge of the treatment and points out that Said entity follows the instructions of Agroxarxa, which intervenes as responsible for the treatment. The figures of "responsible for the treatment" and "in charge of the treatment" are defined in article 4 of the GDPR as follows: . "Responsible for the treatment or responsible: the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the ends and means of the treatment; if the law of the Union or of the Member States determines the ends and means of the treatment, the person in charge of the treatment or the specific criteria for their appointment they may be established by the law of the Union or of the Member States”. . "In charge of the treatment or in charge: the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller treatment". C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/42 Article 24 of the GDPR, referring to the "Liability of the person responsible for the treatment”, states the following: "one. Taking into account the nature, scope, context and purposes of the treatment as well as risks of varying probability and severity for the rights and freedoms of individuals physical, the person in charge of the treatment will apply appropriate technical and organizational measures to In order to guarantee and be able to demonstrate that the treatment is in accordance with this Regulation. These measures will be reviewed and updated when necessary. 2. When they are provided in relation to the treatment activities, among the measures mentioned in section 1 will include the application, by the person responsible for the treatment, of the appropriate data protection policies…”. Report 0064/2020 of the Legal Office of the AEPD has emphatically expressed that "The GDPR has meant a paradigm shift when addressing the regulation of the right to the protection of personal data, which is based on the principle of "accountability" or "proactive responsibility" as indicated repeatedly by the AEPD (Report 17/2019, among many others) and is included in the Explanation of reasons for the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (LOPDGDD)”. The said report goes on to say the following: “…the criteria on how to attribute the different roles remain the same (paragraph 11), reiterates that these are functional concepts, which are intended to assign responsibilities according to the real roles of the parties (paragraph 12), which implies that in most of the assumptions must be addressed to the circumstances of the specific case (case by case) based on their actual activities rather than the formal designation of an actor as "responsible" or "in charge" (for example, in a contract), as well as autonomous concepts, whose interpretation must be carried out under the European regulations on the protection of personal data (section 13), and taking into account (section 24) that the need for a factual assessment also means that the role of a controller is not derives from the nature of an entity that is processing data but from its activities concrete in a specific context…”. The concepts of data controller and data processor are not formal, but functional and must attend to the specific case. The person responsible for the treatment is from the moment he decides the purposes and the means of treatment, not losing such condition by the fact of leaving a certain margin of action to the person in charge of the treatment or for not having access to the databases of the manager This is undoubtedly expressed in the Guidelines 07/2020 of the European Committee of Data Protection (CEPD) on the concepts of data controller and in charge in the GDPR: “A controller is the one who determines the purposes and means of the processing. treatment, that is, the why and how of the treatment. The data controller must decide on both purposes and means. However, some more practical aspects of the implementation ("non-essential media") can be left to the person in charge of treatment. It is not necessary for the controller to actually have access to the data that is they are trying to qualify themselves as responsible” (the translation is ours). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/42 In the present case, it is clear that Agroxarxa is responsible for the processing of personal data that have a cause in the personnel selection process in which the complaining party participated, since, as defined in article 4.7 of the GDPR, is the entity that determines the purpose and means of the treatments carried out. In its condition of controller is obliged to comply with the provisions of the transcribed article 24 of the RGPD and, especially, that related to the effective control and of the “appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing is in accordance with this Regulation”, among which are those provided in article 28 of the GDPR in relation to the person in charge of the treatment that acts in the name and on behalf of the person in charge. Agroxarxa is responsible for data processing for the purpose of solve the selection process even if you do not have access to said data. In In this sense, in Directives 07/2020 of the European Committee for Data Protection (CEPD), on the concepts of data controller and processor in the GDPR, it is indicated that “42. It is not necessary for the data controller to actually have access to the data being processed. Whoever outsources an activity treatment and, in doing so, have a determining influence on the purpose and (essential) means of treatment (for example, adjusting the parameters of a service in such a way as to influence whose personal data will be processed), it must be considered as responsible although it will never have real access to the data” (the translation is ours). On the other hand, the existence of a data processor depends on a decision adopted by the person responsible for the treatment, which he may decide to carry out himself certain processing operations or hire all or part of the treatment with a manager. The essence of the function of the person in charge of the treatment is that the personal data are processed in the name and on behalf of the data controller. In practice, it is the person in charge who determines the purpose and the means, at least the essential ones, while the person in charge of the treatment has the function of providing services to the data controllers. In other words, “acting in the name and on behalf of of the person in charge of the treatment” means that the person in charge of the treatment is aware of the serving the interest of the controller in carrying out a task specific and, therefore, follows the instructions established by it, at least in regarding the purpose and the essential means of the treatment entrusted. The person responsible for the treatment is the one who has the obligation to guarantee the application of data protection regulations and the protection of the rights of interested parties, as well as being able to prove it (articles 5.2, 24, 28 and 32 of the GDPR). The control of compliance with the law extends throughout the treatment, From the beginning to the end. The data controller must act, in any case, in a diligent, conscious, committed and active way. This mandate of the legislator is independent of the fact that the treatment is carried out directly the person in charge of the treatment or to carry it out using a treatment manager. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/42 In addition, the treatment carried out materially by a person in charge of treatment by account of the person responsible for the treatment belongs to the sphere of action of the latter last, in the same way as if he did it directly himself. The person in charge of Treatment, in the case examined, is an extension of the person responsible for the treatment, and may only perform treatment on documented instructions of the controller, unless he is required to do so by Union law or by a Member State, which is not the case (Article 29 of the GDPR). Therefore, the data controller must establish clear modalities for said assistance and give precise instructions to the person in charge of the treatment on how comply with them adequately and document it previously through a contract or either in another (binding) agreement and verify at all times the development of the contract compliance in the manner established therein. Only the person in charge of the treatment will be fully responsible when it is fully responsible for the damages caused in terms of the rights and freedoms of the affected parties. By establishing the responsibility of the person in charge of the treatment in the commission of infringements of the GDPR, its article 28.10 also meets the criterion of determining of the purposes and means of processing. Pursuant to this article, if the manager determines the purposes and means of treatment will be considered responsible for it: “10. Without prejudice to the provisions of articles 82, 83 and 84, if a data processor infringes this Regulation when determining the purposes and means of processing, it will be considered responsible for the treatment with respect to said treatment”. In the present case, the correct legal classification under the GDPR of THOMAS INTERNACIONAL SYSTEMS is in charge of the treatment, since it acts in name and on behalf of Agroxarxa. However, the proceedings have revealed that THOMAS INTERNACIONAL SYSTEMS performs, for its own benefit, data processing of the candidates for the position offered by Agroxarxa or, in general, by any other client. Regarding these treatments, THOMAS INTERNATIONAL SYSTEMS determines the measures and purposes and holds the status of person responsible for the treatment, according to the provisions of the aforementioned article 28.10 of the GDPR. When carrying out the behavioral surveys commissioned by Agroxarxa, the entity THOMAS INTERNATIONAL SYSTEMS includes a "Questionnaire" for you to completed by the applicants for the job through which the applicants are requested to interested personal data related to sex, year of birth, disability, ethnicity, mother tongue, educational level, current employment status, sector in which you work currently, current role, current level of command, level of job happiness (with scale from 1 to 7), qualification of your work (on a scale from 1 to 7), description of the disability (text field) and leadership consideration. In order to respond For each question, except for the description of the disability, a drop-down menu with the options that the interested party can select (in the The specific "Questionnaire" provided by the claimant appears selected following options: Sex: “XXXXX”; Year of birth: “XXXX”; Disability: "XX"; Ethnicity: “XXXXXXXXXXXX”). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/42 It is THOMAS INTERNATIONAL SYSTEMS who decides the collection of this data personal data and their use for their own purposes (research purposes and improvement of evaluations), for their own benefit. Ultimately, it is said entity that determines to carry out these personal data processing operations. is it same as saying that THOMAS INTERNATIONAL SYSTEMS is the entity that determines why (purpose) and how (means) such personal data is processed to achieve the intended purpose. Regarding the "means of treatment", the Directives 07/2020 of the European Committee of Data Protection (CEPD) on the concepts of data controller and in charge of the GDPR, already cited, state the following: As regards the determination of the means, a distinction can be made between essential and non-essential media. "Essential media" are traditionally and inherently reserved for the data controller. While non-essential media also can be determined by the manager, the essential means must be determined by the data controller. "Essential media" means media that are closely related to the purpose and scope of the treatment, such as the type of personal data that are processed ("what data will be processed?"), the duration of the treatment ("for how long will will they treat?"), categories of recipients ("who will have access to them?"), and categories of data subjects ("whose personal data is being processed"). Along with the purpose of treatment, the essential means are also closely related to the issue Whether the processing is lawful, necessary and proportionate. "Non-essential media" refers to to more practical aspects of the application, such as choosing a particular type of software or detailed security measures that can be left to the developer. treatment for you to decide” (the translation is ours. THOMAS INTERNATIONAL SYSTEMS holds the status of person in charge of the treatment regarding the collection and use of personal data relating to ethnicity and disability to which the claim refers, as well as that same entity has recognized and according to the record accredited by the documentation incorporated into the performances. The "Data processing agreement" formalized by Agroxarxa and THOMAS INTERNATIONAL SYSTEMS, referred to above, contemplates in its stipulation 4 the use of personal data as controller by THOMAS INTERNATIONAL SYSTEMS for research purposes. It is expressly said: “Thomas may act as a data controller in relation to the Personal Data of the Company and such processing may be carried out solely for the Purposes of investigation allowed. Likewise, in the Privacy Policy available on the web "***URL.1" the following information: 2.5 Do we use personal data in our research? We are committed to continually improving our assessments. To do this, we ask the Candidates who provide us with additional information, such as age group, educational level, ethnicity and similar issues. Providing this information is voluntary and is not necessary to complete an assessment. When we process any of this personal data for research, we do so as C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/42 responsible for data processing. Any personal information provided to us for research will be used exclusively for research purposes and will not be disclosed to third parties…” (Unofficial translation). This condition of responsible for the treatment of the response is also deduced provided by THOMAS INTERNATIONAL SYSTEMS to the Inspection Services of this Agency, when it states that data on ethnic origin and disability do not form part of the psychometric evaluation nor do they affect the results obtained by the candidate in his evaluation; and that said information is used by the team of “Thomas International Sciences” to ensure that their assessment tools Psychometrics are designed in such a way that they do not discriminate against the people evaluated. With this response, said entity provided a copy of the "Questionnaire" whose completion requests the interested parties (candidates for the position offered) and the previous information that In this information the form is referred to as "Thomas Research Questionnaire" and warn that the data will be used with research purposes, to improve their assessments. On the other hand, the entity Agroxarxa has reported that it does not collect data on ethnicity and disability, that these data are not collected by THOMAS INTERNATIONAL SYSTEMS for Agroxarxa nor are you provided with the answers contained in the form in question. Likewise, it has declared that THOMAS INTERNATIONAL SYSTEMS uses the same form for all its clients. THOMAS INTERNATIONAL SYSTEMS, in its allegations at the opening of the procedure, has not questioned the previous arguments, which were already set out in said opening agreement. IV. Personal data related to ethnicity and disability, by its nature, belongs to special categories of data, regulated in article 9 of the GDPR, which establishes a general prohibition of its treatment. This article provides the following: “Processing of special categories of personal data 1. The processing of personal data that reveals ethnic or racial origin, the political opinions, religious or philosophical convictions, or trade union membership, and the treatment of genetic data, biometric data aimed at uniquely identifying a person natural person, data relating to health or data relating to sexual life or sexual orientation of a physical person. 2. Section 1 shall not apply when one of the following circumstances occurs: a) the interested party gave his explicit consent for the processing of said personal data for one or more of the specified purposes, except where the law of the Union or of the Member States provide that the prohibition referred to in paragraph 1 cannot be raised by the interested party; b) the treatment is necessary for the fulfillment of obligations and the exercise of rights specific to the person responsible for the treatment or the interested party in the field of labor law and security and social protection, to the extent that it is authorized by Union Law or of the Member States or a collective agreement under the law of the Member States C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/42 members that establish adequate guarantees of respect for fundamental rights and the interests of the interested party; c) the processing is necessary to protect vital interests of the data subject or of another person physically, in the event that the interested party is not able, physically or legally, to give his/her consent; d) the treatment is carried out, within the scope of its legitimate activities and with the due guarantees, by a foundation, an association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that the treatment refers to exclusively to current or former members of such bodies or to persons who maintain regular contact with them in relation to their purposes and provided that the data personal data are not communicated outside of them without the consent of the interested parties; e) the treatment refers to personal data that the interested party has manifestly made public; f) the treatment is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function; g) the processing is necessary for reasons of essential public interest, on the basis of the Union or Member State law, which must be proportional to the objective persecuted, essentially respect the right to data protection and establish measures adequate and specific to protect the interests and fundamental rights of the interested party; h) the treatment is necessary for the purposes of preventive or occupational medicine, evaluation of the work capacity of the worker, medical diagnosis, provision of assistance or treatment of health or social type, or management of health and social care systems and services, on the basis of Union or Member State law or by virtue of a contract with a health professional and without prejudice to the conditions and guarantees contemplated inthe paragraph 3; i) the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or to ensure high levels of quality and safety of health care and medicines or medical devices, on the basis of Union or Member State law that establish appropriate and specific measures to protect the rights and freedoms of the concerned, in particular professional secrecy, j) processing is necessary for archiving purposes in the public interest, research purposes scientific or historical or statistical purposes, in accordance with article 89, paragraph 1, on the basis of Union or Member State law, which must be proportional to the objective persecuted, essentially respect the right to data protection and establish measures appropriate and specific to protect the interests and fundamental rights of the interested party. 3. The personal data referred to in section 1 may be processed for the purposes mentioned in the section 2, letter h), when your treatment is carried out by a professional subject to the obligation of professional secrecy, or under its responsibility, in accordance with the Law of the Union or of Member States or with the rules established by national bodies authorities, or by any other person also subject to the obligation of secrecy in accordance with the law of the Union or of the Member States or of the rules established by the competent national bodies. 4. Member States may maintain or introduce additional conditions, including limitations, regarding the treatment of genetic data, biometric data or data related to to health”. In general, this precept prohibits the performance of treatment of special categories of data, unless such treatment can be covered by any of the exceptions regulated in article 9.2 of the GDPR. Thus, a general prohibition of personal data processing is established that reveal ethnic or racial origin and health-related data, such as those relating to 28001 – Madrid 6 sedeagpd.gob.es 24/42 the disability of the person (Recital 35 and article 4.15 of the GDPR); and, in his Section 2 regulates the exceptions that lift said prohibition, some of them on the basis of Union or Member State law, which must incorporate into their own regulation the adequate guarantees so that the right to data protection is respected, also respect the principle of proportionality and establish adequate and specific measures to safeguard the rights fundamentals and the interests of the people affected. Specifically, for the processing of special categories of data that are necessary for scientific research purposes referred to in letter j) of the aforementioned Article 9.2 of the GDPR, the person in charge must inevitably go to a specific legal norm that protects it and, in addition, comply with the aforementioned principles and establish additional guarantees that safeguard the rights of the affected persons. In relation to the processing of personal data related to health, the provision additional seventeenth of the LOPDGDD establishes that they are covered by letters g), h), i) and j) of the aforementioned article 9.2 of the GDPR the treatments that are regulated in the laws that it lists, among which is the consolidated text of the Law General of the rights of people with disabilities and their social inclusion, approved by Royal Legislative Decree 1/2013 of November 29. Nonetheless does not rule out those data treatments that are carried out in application of other standards other than those indicated in the aforementioned additional provision. Article 89 of the GDPR expressly refers to "Guarantees and exceptions applicable to processing for archiving purposes in the public interest, research purposes scientific or historical or statistical purposes”: 1. Processing for archiving purposes in the public interest, scientific research purposes or historical or statistical purposes will be subject to the appropriate guarantees, in accordance with this Regulation, for the rights and freedoms of the interested parties. Such guarantees will technical and organizational measures are in place, in particular to ensure respect for the principle of minimization of personal data. Such measures may include the pseudonymization, provided that such purposes can be achieved in this way. As long as those purposes can be achieved through further processing that does not or no longer allows the identification of the interested parties, those purposes will be achieved in this way. (…)”. The GDPR includes the principles related to treatment in its article 5: legality, loyalty and transparency; purpose limitation; data minimization; accuracy; limitation of conservation period; and integrity and confidentiality. On the other hand, once the general prohibition with the coverage of the Article 9.2 of the GDPR, to legalize the processing of special category data it is necessary to resort to the cases of article 6 of the same Regulation. So indicated the Article 29 Working Group (whose functions have been assumed by the Committee European Union of Data Protection) in its opinion "Guidelines on decisions automated individuals and profiling for the purposes of the Regulation 2016/679”, adopted on 10/03/2017 and revised on 02/06/2018, indicating that “The Data controllers can only process category personal data especially if one of the conditions provided for in Article 9(2) is met, as well as C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/42 as a condition of article 6”. This article 6 of the GDPR establishes the assumptions that allow the treatment of data is considered lawful: "Article 6. Legality of the treatment 1. Processing will only be lawful if at least one of the following conditions is met: a) the interested party gave his consent for the processing of his personal data for one or various specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at his request of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect the vital interests of the data subject or of another person physical; e) the processing is necessary for the fulfillment of a task carried out in the public interest or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the user. responsible for the treatment or by a third party, provided that such interests are not the interests or fundamental rights and freedoms of the data subject prevail require the protection of personal data, in particular when the data subject is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions. 2. Member States may maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation with respect to the treatment in compliance with section 1, letters c) and e), setting more precisely requirements treatment and other measures that guarantee lawful and equitable treatment, with inclusion of other specific treatment situations under chapter IX. 3. The basis of the treatment indicated in section 1, letters c) and e), must be established by: a) Union law, or b) the law of the Member States that applies to the data controller. The purpose of the treatment must be determined in said legal basis or, as regards to the treatment referred to in section 1, letter e), will be necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers vested in the responsible for the treatment. Said legal basis may contain specific provisions for adapt the application of the rules of this Regulation, among others: the conditions general rules that govern the legality of the treatment by the person in charge; data types object of treatment; affected stakeholders; the entities to which you can communicate personal data and the purposes of such communication; purpose limitation; the terms of data storage, as well as processing operations and procedures, including measures to ensure lawful and equitable treatment, such as those relating to other specific situations of treatment according to chapter IX. Union law or of the Member States will meet a public interest objective and be proportionate to the end legitimate pursued. 4. When the treatment for a purpose other than that for which the data was collected personal information is not based on the consent of the interested party or on Union Law or of the Member States which constitutes a necessary and proportional measure in a company 28001 – Madrid 6 sedeagpd.gob.es 26/42 democracy to safeguard the objectives indicated in article 23, paragraph 1, the responsible for the treatment, in order to determine if the treatment for another purpose is compatible with the purpose for which the personal data was initially collected, will take into account account, among other things: a) any relationship between the purposes for which the personal data was collected and the purposes of the intended further processing; b) the context in which the personal data was collected, in particular with regard to to the relationship between the interested parties and the data controller; c) the nature of the personal data, in particular when dealing with special categories of personal data, in accordance with article 9, or personal data relating to convictions and criminal offenses, in accordance with article 10; d) the possible consequences for data subjects of the planned further processing; e) the existence of adequate guarantees, which may include encryption or pseudonymization”. V In the present case, THOMAS INTERNATIONAL SYSTEMS performs a treatment of data related to ethnicity and disability, for which we find ourselves in the case of treatment of special categories of personal data subject to the general rule of prohibition established in article 9.1 of the GDPR. On the other hand, it does not appear in the proceedings, nor has it been justified by the entity THOMAS INTERNATIONAL SYSTEMS, that none of the circumstances or exceptions established in section 2 of said article that save the prohibition of treatment of such personal data. The aforementioned entity considers the exception provided for in article 9.2.j) applicable. considering that those data of ethnicity and disability are subjected to treatment for scientific research purposes, and dedicates its allegations to justify the need and proportionality of that treatment and the additional guarantees established for respect the right to data protection of the affected persons, among them, the regarding the security, technical and organizational measures implemented, the non- communication of data to third parties, or compliance with the limitation principles of the purpose, minimization, limitation of the conservation and accuracy of the data. However, THOMAS INTERNATIONAL SYSTEMS does not invoke any legal norms that covers such data processing, in the context in which it is carried out, in so that the basic budget established in article 9.2.j) of the GDPR, according to which the treatment of data of special categories for the purpose of Scientific research must be carried out “on the basis of Union law or of the Member States, which must be proportional to the objective pursued, respect as far as the right to data protection is essential and establish appropriate measures and to protect the interests and fundamental rights of the interested party”. In this regard, the aforementioned entity has limited itself to stating that it complies with the international psychometric standards recommended by the European Federation Associations of Psychologists (FEAP), the International Testing Commission (ITC) or Association of Business Psychology, which do not constitute norms "of the Law of the Union or of the Member States. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/42 This requirement cannot be saved, as THOMAS INTERNATIONAL claims. SYSTEMS, for the establishment of the guarantees referred to in its letter of allegations or for compliance with the principles relating to treatment, nor for the measures that it claims to have taken as a result of this case, with which it has sought to improve the information offered to the interested parties and mitigate the possible damages with new risk assessments. The legal basis that legitimizes the treatment of these data in accordance with the provisions of article 6 of the GDPR, nor THOMAS INTERNACIONAL SYSTEMS clearly informs the interested parties in this regard. The information contained in the Privacy Policy in relation to this aspect is generic, limiting itself to enumerating the types of legitimation base, but without specify which of them corresponds to the specific treatments carried out: “2.6 In case we are responsible for data processing: What legal basis we have to use your personal data? We will only collect, use and share your personal data if we are convinced that we have an adequate legal basis for it. Based on the variety of services we provide, we may rely on one of the following legal bases for the treatment of your data: . you have consented to the use of your personal data; . the use we make of your personal data is in our legitimate interest as business organization; In these cases, we will process your information at all times manner that is proportionate and respectful of your right to privacy. You will also have the right to object to the processing, as explained in section 7; . the use of your personal data is necessary to perform a contract or take steps to enter into a contract with you; either . our use of your personal data is necessary to comply with a legal obligation or pertinent regulatory…” (Unofficial translation). The processing of data object of the proceedings is not necessary for the compliance with the contractual relationship that THOMAS INTERNATIONAL SYSTEMS formalizes with its clients as a service provider, since said treatment is carried out outside of said commercial relationship, for the exclusive benefit of THOMAS INTERNATIONAL SYSTEMS; nor does it respond to the fulfillment of an obligation legal; nor is a legitimate interest invoked that prevails over the rights and freedoms stakeholder fundamentals. THOMAS INTERNATIONAL SYSTEMS has only stated in this regard that ethnicity and disability data were collected on a voluntary and optional basis, offering the interested party the option not to respond. From this, it seems to be deduced that the legal basis invoked by this entity to legitimize the data processing that it carries out is the consent of the interested parties. However, in relation to the processing of personal data relating to ethnicity and disability, the provision of valid consent has not been justified by the interested. It is true that the information offered prior to completing the form warns interested parties that "participation is entirely voluntary and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/42 You may choose to skip any question you do not want to answer”; and what after the informative text includes the buttons "I do not agree" and "Next". In addition, in the dropdown of answers that are shown for any of the questions also includes the option "I prefer not to answer". But there is no mechanism that allows the interested party to lend their consent and the mere completion of the form, in this case, cannot be accepted as a rendering of such consent. In accordance with the provisions of article 9.2.a) of the GDPR, the consent to processing of special categories of personal data must be “explicit”, so in such a way that a mere affirmative action that can be conclude that the interested party consents to the treatment, but it is necessary to have formal proof of the provision of said consent, a declaration or express confirmation of consent. The most obvious way would be to make a written statement, although in the environment digital or online forms can be enabled that could imply consent valid explicit: fill in an electronic form, send an email that contains the consent, use the electronic signature or upload a document scanned with handwritten signature. Similarly, in the case of web pages, this explicit consent could be collected by inserting some boxes with the options to accept and not accept together with a text referring to the consent that is clear to the interested. This is how the European Data Protection Committee understands it in the document "Guidelines 05/2020 on consent under Regulation 2016/679", updating the guidelines on consent adopted by the Group of Work of Article 29 on 11/28/2017, revised and approved on 04/10/2018: “91. Explicit consent is required in certain situations where there is a serious risk in relation to data protection and in which it is considered appropriate that there is a high level of control over personal data. Under the GDPR, the explicit consent has an important role in article 9 on the treatment of special categories of personal data… 92. The GDPR stipulates that the prerequisite for “normal” consent is “a statement or clear affirmative action. Since the “normal” consent requirement in the GDPR is no longer has been raised to a higher level compared to the consent requirement referred to in Directive 95/46/EC, it should be clarified what additional efforts should be perform the data controller in order to obtain the explicit consent of the interested in line with the GDPR. 93. The explicit term refers to the way in which the interested party expresses consent. It means that the interested party must make an express declaration of consent. A obvious way to ensure that consent is explicit would be to confirm express such consent in a written statement. When appropriate, the person in charge could ensure that the data subject signs the written statement, in order to remove any possible doubts or lack of proof in the future. 94. However, said signed statement is not the only way to obtain consent explicit and the GDPR cannot be said to prescribe written and signed declarations in all C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/42 circumstances requiring valid explicit consent. For example, in the context digitally or online, an interested party can issue the required declaration by filling out a form by sending an email, uploading a scanned document with your signature, or using an electronic signature. In theory, the use of verbal statements can also be a sufficiently manifest way of expressing explicit consent, however, It may be difficult for the controller to demonstrate that all the requirements have been met. conditions for valid explicit consent when the statement was recorded”. And other requirements that grant validity to the consent are not met, according to the definition contained in article 4 of the GDPR: “Article 4 Definitions For the purposes of this Regulation, the following shall be understood as: 11. "consent of the interested party": any expression of free, specific, informed will and unequivocal by which the interested party accepts, either by means of a declaration or a clear affirmative action, the processing of personal data that concerns you”. In relation to the provision of consent, the following must be taken into account: established in article 6 of the GDPR and in articles 7 of the GDPR and 7 of the LOPDGDD. Article 7 "Conditions for consent" of the GDPR: "one. When the treatment is based on the consent of the interested party, the person in charge must be able to demonstrate that he consented to the processing of his personal data”. Article 6 "Treatment based on the consent of the affected party" of the LOPDGDD: "one. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, The consent of the affected person is understood to be any manifestation of free, specific, informed and unequivocal by which he accepts, either by means of a declaration or a clear affirmative action, the processing of personal data concerning you. 2. When it is intended to base the processing of the data on the consent of the affected party for a plurality of purposes it will be necessary to state in a specific and unequivocal way that said consent is granted for all of them. 3. The execution of the contract may not be made subject to the fact that the affected party consents to the processing of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship”. Consent is understood as a clear affirmative act that reflects a expression of free, specific, informed and unequivocal will of the interested party accept the processing of personal data that concerns you, provided with sufficient guarantees to prove that the interested party is aware of the fact that give your consent and to the extent that you do so. And it must be given to all treatment activities carried out for the same purpose or purposes, so that, where processing is for multiple purposes, consent must be given for all them in a specific and unequivocal manner, without the execution of the contract to which the affected party consents to the processing of their personal data for purposes that are not related to the maintenance, development or control of the business relationship. In this regard, the legality of the treatment requires that the interested party be informed about the purposes for which the data is intended (consent informed). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/42 Consent must be given freely. It is understood that the consent is free when the interested party does not enjoy true or free choice or cannot deny or withdraw your consent without prejudice; or when you don't know allows separate authorization of the different data processing operations despite being appropriate in the specific case, or when compliance with a contract or provision of service is dependent on consent, even when it is not necessary for such compliance. This occurs when consent is included as a non-negotiable part of the general conditions or when imposes the obligation to agree to the use of additional personal data to those strictly necessary. Without these conditions, the provision of consent would not offer the interested party a true control over your personal data and its destination, and this would illegal processing activity. The European Committee for Data Protection analyzed these issues in its document "Guidelines 05/2020 on consent in accordance with Regulation 2016/679", of 05/04/2020 From what is indicated in this document, it is now interesting to highlight some aspects related to the validity of consent, specifically regarding the “specific”, “informed” and “unambiguous” elements: “3.2. Expression of specific will Article 6(1)(a) confirms that the data subject's consent to the The processing of your data must be given "for one or more specific purposes" and that an interested party may choose with respect to each such purpose. The requirement that consent should be "specific" is intended to ensure a level of control and transparency for the interested. This requirement has not been changed by the GDPR and remains closely linked to the requirement of "informed" consent. At the same time, it must be interpreted in line with the “disassociation” requirement to obtain “free” consent. In sum, To comply with the "specific" character, the data controller must apply: i) the specification of the purpose as a guarantee against the deviation of the use, ii) dissociation in consent requests, and iii) a clear separation between information related to obtaining consent for data processing activities and information relating to other matters. (…) “3.3. Manifestation of informed will The GDPR reinforces the requirement that consent must be informed. in accordance with article 5 of the GDPR, the requirement of transparency is one of the principles fundamental, closely related to the principles of loyalty and legality. To ease information to the interested parties before obtaining their consent is essential so that they can make informed decisions, understand what they are authorizing, and, for example, exercise your right to withdraw your consent. If the person in charge does not provide information accessible, user control will be illusory and consent will not constitute a valid basis for data processing. If the requirements for informed consent are not met, the consent will not will be valid and the person in charge may be in breach of article 6 of the GDPR. 3.3.1. Minimum content requirements for consent to be "informed" For the consent to be informed, it is necessary to communicate to the interested party certain elements that are crucial to be able to choose. Therefore, GT29 is of the opinion that it is required, at C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/42 least, the following information to obtain valid consent: i) the identity of the data controller, ii) the purpose of each of the processing operations for which the authorization is requested; consent, iii) what (type of) data is to be collected and used, iv) the existence of the right to withdraw consent, v) information on the use of data for automated decisions in accordance with the Article 22(2)(c), where relevant, and vi) information on the possible risks of data transfer due to the absence of an adequacy decision and adequate guarantees, as described in article 46”. In the alleged case, there is no evidence of the provision of a valid consent on the part of the interested parties that covers the treatments of personal data object of the claim. This entity does not even report duly about this data processing, about its purpose and legal basis or the right to withdraw consent, where appropriate, in accordance with the provisions of Article 13 of the GDPR; nor has it established any mechanism for interested parties to can give explicit consent. Regarding the information, it should be noted that only the Privacy Policy is presented. Privacy of the British parent of the Group, Thomas International Ltd., in language English, and that it does not duly inform about the legal basis of the treatment and the purpose of the treatment, which is described simply by referring to the purposes of research. Finally, the entity THOMAS INTERNACIONAL SYSTEMS has not contributed sufficient elements to determine compliance with the judgment of the proportionality requirements demanded by the Constitutional Court, so that The suitability of the treatment for the proposed purpose can be concluded, if the same whether or not it is necessary or whether there are alternative, less intrusive measures. In this sense, the Constitutional Court has indicated (Judgment 14/2003, of 28 January) that "to verify if a restrictive measure of a fundamental right passes the proportionality judgment, it is necessary to verify if it complies with the three following requirements or conditions: if such a measure is likely to achieve the proposed objective (suitability judgement); if, moreover, it is necessary, in the sense of that there is no other more moderate measure for the achievement of said purpose with equal efficacy (judgment of necessity); and, finally, if it is weighted or balanced, because it derives from it more benefits or advantages for the general interest than damages to other goods or values in conflict (judgment of proportionality in Strict sense)". In this regard, the principle of minimum intervention must be taken into account (art. 5.1.c) and art. 25.1 GDPR), since it is necessary to prove that there is no other measure moderate to achieve the intended purpose with equal effectiveness, in the framework of the proactive responsibility of the data controller. Therefore, from the facts and legal grounds set forth, it results that, on the part of THOMAS INTERNATIONAL SYSTEMS, data processing is carried out personal of special categories against the prohibition established in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 32/42 Article 9 of the GDPR and without any of the exceptions provided for lift that ban. This breach of what is established in article 9 of the GDPR gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation grants the Spanish Data Protection Agency. SAW THOMAS INTERNATIONAL SYSTEMS has indicated that there is no infringement punishable in the absence of intentionality in the commission or omission that causes said infraction, adding that it has had a proactive attitude and complied with its obligations. In this regard, it should be noted, first of all, that the incident occurs in the scope of responsibility of THOMAS INTERNATIONAL SYSTEMS and this entity you must answer for it. In no way can it be considered that the lack of alleged intentionality excludes its responsibility, especially when the infraction could have been avoided by the use of greater diligence. In this case, the offense committed is incompatible with the diligence that said entity is obliged to To watch. This diligence must be manifested in the specific case being analyzed, and not in the general circumstances that the entity alleges to justify a proactive action, which cannot be taken as circumstances that prevent demanding the responsibilities that derive from the concrete irregular action. Accept the approach made by THOMAS INTERNATIONAL SYSTEMS in its allegations would amount to admitting that the application of the GDPR and the LOPDGDD, distorting the entire system established on the legality of the processing of personal data. It should be remembered, on the other hand, that the offense may be committed intentionally or guilty. The National Court in Judgment of September 21, 2004 (RCA 937/2003), is pronounced in the following terms: "Furthermore, as regards the application of the principle of guilt, it results (following the criterion of this Chamber in other Judgments such as the one dated January 21, 2004 issued in the appeal 1139/2001) that the commission of the offense provided for in article 44.3.d) can be both fraudulent as culpable... because although in penalizing matters the principle of guilt governs, As can be inferred from the simple reading of Article 130 of Law 30/1992, the truth is that the expression "simple non-observance" of Art. 130.1 of Law 30/1992, allows the imposition of the sanction, without doubt in fraudulent cases, and also in culpable cases, sufficing the non-observance of the duty of care”. In this line it is worth mentioning the SAN of January 21, 2010, in which the Court exposes: “The appellant also maintains that there is no guilt in her actions. Is true that the principle of guilt prevents the admission in administrative law sanctioning of strict liability, it is also true that the absence of intentionality is secondary since this type of infraction is normally committed C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/42 due to negligent or negligent action, which is enough to integrate the subjective element of guilt. XXX's performance is clearly negligent because... he must know... the obligations imposed by the LOPD on all those who handle personal data of third parties. XXX is obliged to guarantee the fundamental right to the protection of personal data of its clients and hypothetical clients with the intensity required by the content of its own right". The principle of guilt is required in the disciplinary procedure and thus the STC 246/1991 considers it inadmissible in the field of penalizing administrative law a responsibility without fault. But the fault principle does not imply that it can only punish an intentional or voluntary action, and in this regard article 28 of Law 40/2015 on the Legal Regime of the Public Sector, under the rubric "Responsibility" provides the following: "one. They may only be penalized for acts constituting an administrative offense physical and legal persons, as well as, when a Law recognizes their capacity to act, the affected groups, unions and entities without legal personality and estates independent or self-employed, who are responsible for them by way of fraud or fault". The facts set forth in the preceding Basis show that THOMAS INTERNATIONAL SYSTEMS did not act with the diligence to which it came obliged, who acted with a lack of diligence. The Supreme Court (Sentences of 16 and 04/22/1991) considers that from the guilty element it follows “...that the action or omission, classified as an administratively punishable infraction, must be, in all case, attributable to its author, due to intent or imprudence, negligence or ignorance inexcusable". The same Court reasons that "it is not enough... for exculpation against a typically unlawful behavior the invocation of the absence of guilt" but that it is necessary "that the diligence that was required by the person claiming his non-existence” (STS January 23, 1998). Also connected to the degree of diligence that the data controller is obliged to deploy in compliance with the obligations imposed by the data protection regulations can be cited the SAN of 10/17/2007 (Rec. 63/2006), which specified: "(...) the Supreme Court has been understanding that there is imprudence whenever a legal duty of care is neglected, that is, when the offender does not behaves with the required diligence”. In addition, the National Court on data protection of personal nature, has declared that "simple negligence or breach of the duties that the Law imposes on the persons responsible for files or the data processing to be extremely diligent..." (SAN 06/29/2001). It is therefore concluded, contrary to what was objected to by the defendant entity, that the subjective element is present in the declared infringement. VII In the event of an infringement of the provisions of the GDPR, among the corrective powers available to the Spanish Data Protection Agency, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 34/42 as supervisory authority, article 58.2 of said Regulation contemplates the following: "2 Each control authority will have all the following corrective powers indicated to continuation: (…) b) send a warning to any person in charge or person in charge of the treatment when the processing operations have infringed the provisions of this Regulation;” (...) d) order the person in charge or in charge of the treatment that the treatment operations are conform to the provisions of this Regulation, where appropriate, of a given manner and within a specified period; (…) i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;". According to the provisions of article 83.2 of the GDPR, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine. VIII It is considered that the facts exposed fail to comply with the provisions of article 9 of the GDPR, which implies the commission of an infringement classified in section 5.a) of the Article 83 of the GDPR. Article 83.5.a) of the GDPR, under the heading "General conditions for the imposition of administrative fines" provides the following: "5. Violations of the following provisions will be penalized, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, opting for the highest amount: a) the basic principles for treatment, including the conditions for consent to tenor of articles 5, 6, 7 and 9”. On the other hand, Article 71 of the LOPDGDD considers any offense breach of this Organic Law: "Infractions are the acts and conducts referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic Law". Section 1.e) of article 72 of the LOPDGDD considers, as “very serious”, a prescription effects: "one. Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: e) The processing of personal data of the categories referred to in article 9 of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 35/42 Regulation (EU) 2016/679, without the occurrence of any of the circumstances provided for in said precept and in article 9 of this Organic Law. In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the GDPR, precepts that state: "one. Each control authority will guarantee that the imposition of administrative fines with under this article for the infringements of this Regulation indicated in the paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each case individually, in addition to or in lieu of the measures contemplated in article 58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case due account shall be taken of: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infraction; c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the potential adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what extent; i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD has: "one. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in the section 2 of said article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also may be taken into account: a) The continuing nature of the offence. b) Linking the offender's activity with data processing personal. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 36/42 c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected party could have led to the commission of the infringement. e) The existence of a merger process by absorption subsequent to the commission of the infraction, that cannot be attributed to the absorbing entity. f) The affectation of the rights of minors. g) Have, when it is not mandatory, a data protection delegate. h) Submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between those and any interested party”. Regarding the infringement of article 9 of the GDPR, based on the facts exposed, it is considered that the sanction that would correspond to be imposed is a fine administrative. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. Thus considers, in advance, the condition of small business and volume of business of THOMAS INTERNATIONAL SYSTEMS (Recorded in the proceedings that said entity (…). In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to imposed in the present case, the following criteria are considered applicable: The following graduation criteria are considered concurrent as aggravating factors: . Article 83.2.a) of the GDPR: "a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the operation treatment in question as well as the number of interested parties affected and the level of damages they have suffered”. . The nature and seriousness of the infringement, taking into account that the interested party does not clearly knows the entity responsible for the treatment and the use that is will make of the personal data, which affects the ability of the interested in exercising true control over their personal data. . In relation to the duration of the infringement, it is stated in the proceedings that the Privacy Policy that includes data processing actions personal data that it carries out, including those that are the subject of this procedure, is dated 07/03/2019. . The number of interested parties: the infringement affects all the interested parties who are evaluated by the entity THOMAS INTERNATIONAL SYSTEMS. . The damages suffered by the interested parties: taking into account all the exposed circumstances, it is clear that the interested parties have seen increased risks to your privacy. . Article 83.2.b) of the GDPR: "b) intentionality or negligence in the infringement". The negligence appreciated in the commission of the infraction. In this respect, one has C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 37/42 taking into account what was declared in the National Court Judgment of 10/17/2007 (rec. 63/2006) that, based on the fact that these are entities whose activity coupled with continuous data processing, indicates that "...the Supreme Court has been understanding that imprudence exists whenever a duty is neglected legal care, that is, when the offender does not behave with due diligence callable. And in assessing the degree of diligence, consideration must be especially the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the appellant's activity is constant and copious handling of personal data must insist on rigor and Exquisite care to comply with the legal provisions in this regard”. It is a company that performs personal data processing in a systematic and continuous in the workplace and that extreme care should be taken in the compliance with its obligations regarding data protection. . Article 83.2.d) of the GDPR: "d) the degree of responsibility of the controller or the processor, taking into account technical or organizational measures that they have applied by virtue of articles 25 and 32”. The accused entity does not have adequate procedures in place action in the collection and processing of personal data, in what refers to data relating to ethnicity and disability, so the offense is not the consequence of an anomaly in the operation of said procedures but a defect in the personal data management system designed by the person in charge at his initiative. . Article 76.2.b) of the LOPDGDD: "b) Linking the offender's activity with the processing of personal data”. The high link between the activity of the offender and the performance of treatments of personal data. The level of implementation of the Group at which belongs to THOMAS INTERNATIONAL SYSTEMS and the activity it develops. This circumstance determines a greater degree of demand and professionalism and, consequently, of the responsibility of said entity in relation to the data treatment. Considering the exposed factors, the valuation that reaches the fine, for the Violation of article 9 of the GDPR, is 50,000 euros (fifty thousand euros). THOMAS INTERNATIONAL SYSTEMS, in its statement of allegations at the opening of the procedure has not made any statement on the criteria of graduation exposed, which were exposed in said agreement with the same amplitude and detail. However, it has requested that, instead of sanctioning with an administrative fine, issues a warning considering that it has taken additional measures to avoid any incident, such as appointing a new data protection delegate data, carry out a new risk analysis and impact assessment, and write new informative clauses on the treatments involved in the "Questionnaire", in addition to reinforcing the information and training of its staff. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 38/42 In support of his approach, he cites various precedents processed by this Agency, that are mentioned in the Eighth Antecedent, in which the actions or a warning was addressed in accordance with the regulatory adequacy carried out by the responsible entity. THOMAS INTERNACIONAL SYSTEMS highlights the actions developed by the complaining party in the precedents that cites, among them, the suspension of the web implicated in the facts, the updating of the information regarding the protection of data offered to the interested parties, the improvement of the mechanisms to grant the consent by checking a box, appointment of a delegate of data protection, or the non-commission of any previous infraction by the party claimed. Finally, he highlights that he has a proactive attitude; all your staff are duly trained; its activity has not caused damage to the rights of the interested parties, that they have not received any claim or incidence or breach of security up to date; and that, upon learning of the matter, has initiated a review of its protocols, analyzes and evaluations, and has proceeded to appoint proven specialists in the field. In response to these allegations, it is reiterated that, in this case, considering the seriousness of the verified infringement, the imposition of a fine is appropriate, in addition to the adoption of measures. The request made by THOMAS cannot be accepted INTERNATIONAL SYSTEMS to impose other corrective powers that would have allowed the correction of the irregular situation, such as the warning, which is provided, in general, for natural persons and when the sanction constitutes a disproportionate burden (recital 148 of the GDPR). In addition, THOMAS INTERNATIONAL SYSTEMS has not justified, or even mentioned, what are the similarities between the present case and the assumptions of fact examined in the precedents that it invokes. In any case, it should be noted that the measures adopted are insufficient for the intended effects, since they do not restore the rights of the interested parties. THOMAS INTERNATIONAL SYSTEMS has not raised in any way the termination of conduct that violates the legal system. Nor can the measures that said entity has adopted be assessed as a mitigation. These measures are not adequate to "remedy the infringement and mitigate the possible adverse effects of the infringement”, according to the terms of article 83.2.f) of the GDPR, or "to alleviate the damages suffered by the interested parties" as a consequence of the infringement, according to section 2.c) of the same Article. Mitigate the adverse effects or alleviate the damages caused by the infringements implies restoring the rights of the interested parties, which in this case entails the suppression of the ethnicity and disability data collected from the interested and suspend their collection. On the other hand, none of the grading factors considered is attenuated due to the fact that the entity THOMAS INTERNATIONAL SYSTEMS has not been C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 39/42 previously subject to a disciplinary procedure. In this regard, the Judgment of the AN, of 05/05/2021, rec. 1437/2020, indicates: "It considers, on the other hand, that the non-commission of a previous violation. Well, article 83.2 of the GDPR establishes that it must be taken into account for the imposition of the administrative fine, among others, the circumstance "e) any infraction committed by the person in charge or the person in charge of the treatment". It is a aggravating circumstance, the fact that the budget for its application does not exist entails that it cannot be taken into consideration, but it does not imply or allow, as it claims the plaintiff, its application as attenuated.e” According to the aforementioned article 83.2 of the GDPR, when deciding to impose a fine administration and its amount must take into account "any previous infraction committed by the person responsible." It is a normative provision that does not include the inexistence of previous infractions as a factor for grading the fine, which must be be understood as a criterion close to recidivism, although broader. Nor can it be accepted that there has been no damage to the rights of the interested parties, since they have seen an increased risk in their privacy. IX If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of adequate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2.d) of the GDPR, according to the which each control authority may "order the person responsible or in charge of the processing that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain way and within a certain specified term…”. This act establishes the offense committed and the facts that give rise to the violation of data protection regulations, from which it can be inferred clearly what are the measures to adopt, notwithstanding that the type of specific procedures, mechanisms or instruments to implement them corresponds to the sanctioned party, since it is the person responsible for the treatment who He fully knows his organization and has to decide, based on the responsibility proactive and risk-focused, how to comply with the GDPR and the LOPDGDD. However, in this case, regardless of the foregoing, it is proposed that in the resolution that is adopted, this Agency requires the responsible entity so that in the term to be determined accredits having proceeded to delete from the "Questionnaire" the collection of personal data related to ethnicity and disability of those affected; So such as the cessation of the use of those previously collected. It is noted that not meeting the requirements of this body may be considered as a serious administrative infraction by "not cooperating with the Authority of control" before the requirements made, and such conduct can be assessed at the time of the opening of an administrative procedure penalizing with a fine C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 40/42 pecuniary In view of the foregoing, the following is issued PROPOSED RESOLUTION FIRST: That by the Director of the Spanish Data Protection Agency penalize THOMAS INTERNATIONAL SYSTEMS, S.A., with NIF A81603391, for a breach of Article 9 of the GDPR, typified in Article 83.5.a) of the GDPR, and classified as very serious for the purposes of prescription in article 72.1.e) of the LOPDGDD, with a fine of 50,000 euros (fifty thousand euros). SECOND: That by the Director of the Spanish Data Protection Agency imposes on THOMAS INTERNATIONAL SYSTEMS, S.A., within the term determine, the adoption of the necessary measures to adapt its performance to the personal data protection regulations, with the scope expressed in the Legal basis IX of this proposed resolution. Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be informs that it may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which It will mean a reduction of 20% of the amount of the same. With the application of this reduction, the sanction would be established at 40,000 euros (forty thousand euros), and its payment will imply the termination of the procedure. The effectiveness of this reduction will be conditioned to the withdrawal or resignation of any action or appeal via administrative against the sanction. In case you choose to proceed to the voluntary payment of the specified amount above, in accordance with the provisions of the aforementioned article 85.2, you must do it effective by depositing it in the restricted account no. ES00 0000 0000 0000 0000 0000 open in the name of the Spanish Data Protection Agency in the entity bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause, for voluntary payment, reduction of the amount of the sanction. You must also send the Proof of admission to the Sub-Directorate General of Inspection to proceed to close The file. By virtue of this, you are notified of the foregoing, and the procedure is revealed. so that within TEN DAYS you can allege whatever you consider in your defense and present the documents and information that it deems pertinent, in accordance with Article 89.2 of the LPACAP. 926-050522 B.B.B. INSTRUCTOR >> C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 41/42 SECOND: On November 18, 2022, the claimed party has proceeded to the payment of the penalty in the amount of 40,000 euros using the reduction provided for in the motion for a resolution transcribed above. THIRD: The payment made entails the waiver of any action or resource in the against the sanction, in relation to the facts referred to in the resolution proposal. FOURTH: In the previously transcribed resolution proposal, the acts constituting an infringement, and it was proposed that, by the Director, the responsible for adopting adequate measures to adjust its performance to the regulations, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each control authority may "order the person responsible or in charge of the processing that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain way and within a certain specified term…”. FUNDAMENTALS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common for Public Administrations (hereinafter, LPACAP), under the heading "Termination in disciplinary proceedings" provides the following: "one. Initiated a disciplinary procedure, if the offender acknowledges his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction has only a pecuniary nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the presumed perpetrator, in any moment prior to the resolution, will imply the termination of the procedure, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 42/42 except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offence. 3. In both cases, when the sanction is solely pecuniary in nature, the The competent body to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or resource against the sanction. The percentage reduction provided for in this section may be increased according to regulations." According to what has been indicated, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS/00214/2022, in in accordance with the provisions of article 85 of the LPACAP. SECOND: REQUEST THOMAS INTERNATIONAL SYSTEMS, S.A. so that in within one month notify the Agency of the adoption of the measures described on the legal grounds of the proposed resolution transcribed in this resolution. THIRD: NOTIFY this resolution to THOMAS INTERNATIONAL SYSTEMS, S.A. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 1331-281122 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es