AEPD (Spain) - E/03783/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...")
 
No edit summary
 
(7 intermediate revisions by 2 users not shown)
Line 23: Line 23:
|Currency=
|Currency=


|GDPR_Article_1=Article 2 GDPR
|GDPR_Article_Link_1=Article 2 GDPR


|EU_Law_Name_1=Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data,
|EU_Law_Name_1=Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016L0680
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016L0680
|EU_Law_Name_2=Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016L0680




Line 50: Line 50:
}}
}}


The Spanish DPA did not find that the monitoring of news and social networks by the Directorate for National Security violated any data protection norms. [in progress]
The Spanish DPA held that the monitoring of news and social networks by the Directorate for National Security and the Spanish police forces did not violate any data protection regulation, since no personal data had been processed.  


== English Summary ==
==English Summary==


=== Facts ===
=== Facts===
The Directorate for National Security of the Ministry of Interior issued guidelines for the police forces to monitor news and social networks to spot fake news and misinformation, to prevent some actors from causing social stress, specially in light of the covid-19 pandemic.  
The Directorate for National Security of the Ministry of Interior issued guidelines for the police forces to monitor news and social networks to spot fake news and misinformation, to prevent some actors from causing social stress, in light of the covid-19 pandemic.  


This came to the Spanish DPA knowledge, that launched an investigation to verify that such behaviour complied with the personal data regulations.
This came to the Spanish DPA (AEPD) knowledge, that launched an investigation to verify that such behaviour complied with the personal data regulations.


Such guidelines were issued to prevent and minimize the effects of misinformation, with extreme vigilance and monitoring of networks and websites where false messages and information aimed at increasing social stress are disseminated, and, where appropriate, calling for the intervention measures provided for in the applicable legislation".


=== Dispute ===
According to the guidelines, within the surveillance and monitoring of networks and web pages, intervention shall only be carried out in accordance with the aforementioned purposes and principles and always under the protection of the applicable legislation. Also, personal data will only be processed when there is sign of a criminal offence, in accordance with the [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016L0680 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data].


If such activities were related to national security, then the processed would be carried out with basis on the national legislation regarding state secrets and classified matters.


=== Holding ===
In their response to the DPA, the Directorate for National Security also stated that they do not collect personal data, but only carry out a daily observation of news or public information from social networks, where the information collected relates to data of a public nature, shared by its authors through social networks and public media, consisting primarily of the content of the communication and the medium of dissemination.
in progress


== Comment ==
For this, specialized officers from the Spanish Civil Guard ("Guardia Civil") browse the news and create anonymous users to monitor (read) social networks such as Twitter, Facebook, Instagram, Badoo and other websites.
 
Afterwards, reports with reference to cybercrime, cyberterrorism, hacktivism, cyberattacks, misinformation and news summaries are issued. If there is a sign of a criminal offence, evidence is gathered. Such reports are stored for 5 years.
 
===Holding ===
The DPA concluded that there was no violation of the GDPR, that is not applicable in accordance with its Article 2, nor with the [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016L0680 Directive (EU) 2016/680], as personal data were not processed, as the reports showed, and there was no evidence that there was any illegal additional processing. Therefore, the presumption of innocence principle applied.
 
Hence, the AEPD archived the case.
 
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Latest revision as of 09:37, 12 May 2021

AEPD (Spain) - E/03783/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 2 GDPR
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data
Type: Investigation
Outcome: No Violation Found
Started:
Decided:
Published: 04.05.2021
Fine: None
Parties: Dirección General de la Guardia Civil
Ministerio del Interior
Secretaría de Estado de Seguridad
Secretaría de Estado de Seguridad del Ministerio del Interior
National Case Number/Name: E/03783/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA held that the monitoring of news and social networks by the Directorate for National Security and the Spanish police forces did not violate any data protection regulation, since no personal data had been processed.

English Summary

Facts

The Directorate for National Security of the Ministry of Interior issued guidelines for the police forces to monitor news and social networks to spot fake news and misinformation, to prevent some actors from causing social stress, in light of the covid-19 pandemic.

This came to the Spanish DPA (AEPD) knowledge, that launched an investigation to verify that such behaviour complied with the personal data regulations.

Such guidelines were issued to prevent and minimize the effects of misinformation, with extreme vigilance and monitoring of networks and websites where false messages and information aimed at increasing social stress are disseminated, and, where appropriate, calling for the intervention measures provided for in the applicable legislation".

According to the guidelines, within the surveillance and monitoring of networks and web pages, intervention shall only be carried out in accordance with the aforementioned purposes and principles and always under the protection of the applicable legislation. Also, personal data will only be processed when there is sign of a criminal offence, in accordance with the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

If such activities were related to national security, then the processed would be carried out with basis on the national legislation regarding state secrets and classified matters.

In their response to the DPA, the Directorate for National Security also stated that they do not collect personal data, but only carry out a daily observation of news or public information from social networks, where the information collected relates to data of a public nature, shared by its authors through social networks and public media, consisting primarily of the content of the communication and the medium of dissemination.

For this, specialized officers from the Spanish Civil Guard ("Guardia Civil") browse the news and create anonymous users to monitor (read) social networks such as Twitter, Facebook, Instagram, Badoo and other websites.

Afterwards, reports with reference to cybercrime, cyberterrorism, hacktivism, cyberattacks, misinformation and news summaries are issued. If there is a sign of a criminal offence, evidence is gathered. Such reports are stored for 5 years.

Holding

The DPA concluded that there was no violation of the GDPR, that is not applicable in accordance with its Article 2, nor with the Directive (EU) 2016/680, as personal data were not processed, as the reports showed, and there was no evidence that there was any illegal additional processing. Therefore, the presumption of innocence principle applied.

Hence, the AEPD archived the case.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/10











940-0419 procedure No.: E / 03783/2020



                  RESOLUTION OF ACTION FILE



Of the actions carried out by the Spanish Agency for Data Protection and
based on the following

                                       FACTS


FIRST: On April 30, 2020, the Director of the Spanish Agency for
Data Protection agrees to initiate the present investigation actions in

relationship with the Order of the Ministry of the Interior *** ORDER.1, of *** DATE.1, which
establishes in section Fourth point 8, 2nd paragraph that, on the part of the Bodies
acting police officers and the competent centers of the Secretary of State for
Safety, guidelines will be issued to prevent and minimize the effects of
disinformation, extreme surveillance and monitoring of networks and pages

website in which false messages and information are disseminated aimed at increasing
social stress, and urging, where appropriate, the intervention measures envisaged in the
applicable legislation, and to the news appeared in various media
on the preparation of a report dedicated to the identification, study and monitoring,
in relation to the situation created by the COVID-19 of disinformation campaigns,

as well as publications denying hoaxes and fake news likely to generate
social stress and disaffection with government institutions, indicated in the Order of
*** ORDER. 2 (ECHO-ALFA) Service of the General Directorate of the Civil Guard.

SECOND: The Subdirectorate General for Data Inspection proceeded to carry out

of previous investigative actions to clarify the facts,
having knowledge of the following points:

On April 30, 2020, the Secretary of State for Security of the
Ministry of the Interior (hereinafter SES) information in relation to the Order

*** ORDER.1 of *** DATE.1 and with the Service Order *** ORDER.2 (ECHO-ALFA) of
the General Directorate of the Civil Guard, specifically requesting information on
what are the specific purposes of the processing of personal data
carried out in the aforementioned actions by both the General Directorate of the Police and
by the Civil Guard, the type of data collected in these treatments and period of

conservation foreseen by said treatments, the number of affected of said
treatments and which authorities have been considered as recipients of the data.

On May 14, 2020, it has entered the Spanish Agency for the Protection of
Data (hereinafter AEPD) a letter sent by the Data Protection Delegate
of the Ministry of the Interior in which it states that after collecting the appropriate reports
of the General Directorate of the Police and the General Directorate of the Civil Guard,
convey the following considerations:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10








    “Regarding the obtaining of information in open sources of the so-called
    Cyberspace (networks and web pages) indicate that the Security Strategy
    Current national (hereinafter, ESN), approved by Royal Decree 1008/2017,

    of December 1, warns of "the use of cyberspace as a means for
    carrying out illegal activities, disinformation actions, propaganda or
    terrorist financing and organized crime activities, among others, impacts on
    National Security, amplifying complexity and uncertainty, and also
    puts citizens' own privacy at risk. "

    Among the general objectives pursued by the ESN is to deepen and
    adapt the comprehensive crisis management model within the framework of the
    National Security in order to provide effective and timely responses to

    the threats and challenges of the current panorama so that crisis management
    involves several phases in a temporal arc that ranges from early warning
    to the response where it is important to promote a preventive approach and
    anticipatory, for which permanent monitoring is particularly relevant
    security environment and its constant changes, intelligence systems and
    information, the development of risk analysis methodologies and instruments

    that contribute to protection against misinformation.
    Within the framework of crisis management caused by COVID-19 and following the

    provided in the ESN, that Department established by Order *** ORDER.1,
    of *** DATE.1, the action criteria for the Forces and Corps of
    Security in relation to Royal Decree 463/2020, of March 14, by which
    the state of alarm is declared for the management of the health crisis situation
    caused by COVID-19.

    In said Order, it is provided in section First.3, that the planned measures
    in the same they will be applied in accordance with the principles of proportionality and
    necessity, in order to protect the health and safety of citizens and

    contain the progression of the disease.
    The section under analysis specifically states that “on the part of the Corps

    acting police officers and the competent centers of the Secretary of State for
    Safety guidelines will be issued to prevent and minimize the effects of
    disinformation, extreme surveillance and monitoring of networks and pages
    website in which false messages and information aimed at
    increase social stress, and urging intervention measures where appropriate

    provided for in the applicable legislation ”.
    Within the surveillance and monitoring of networks and web pages,
    It will only intervene in accordance with the aforementioned purposes and principles and always

    under the applicable legislation.
    In the event that in the course of the analysis of the "open" area of said

    sources, rational indications of the commission of a criminal offense were observed,
    will act under the corresponding judicial authorization for the processing of data from
    personal character, which in this case would be protected by the provisions of the
    Directive (EU) 2016/680, of the European Parliament and of the Council, of April 27,
    2016, regarding the protection of natural persons with regard to the

    processing of personal data by the competent authorities for
    purposes of prevention, investigation, detection or prosecution of infractions
    penalties or the execution of criminal sanctions, and the free movement of said
    data and repealing the Council Framework Decision 2008/977 / JHA.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/10








        In the event that these activities refer to the investigation of threats
        against National Security, would not fall within the scope of application of the
        RGPD or the aforementioned Directive, but would be dealt with under the
        regulations regarding official secrets and classified matters.

        In this sense, specifically in the aforementioned area of the Civil Guard, the
        Complementary Order No. 2 of the Service Order *** ORDER.2 (ECHO-
        ALFA), cited in the requirement of the AEPD, collects in a generic way what is

        provided in the aforementioned Order *** ORDER.1, of *** DATE.1, specifically
        provides that it be increased (not implemented since it is a mission
        derived from article 11 of Organic Law 2/1986, of March 13,
        Security Forces and Bodies) the surveillance of social networks for the
        detection of disinformation activities.

        By virtue of the foregoing, by the Security Forces and Bodies of the
        Status, an active monitoring of cyberspace is carried out, in order to
        meet intelligence needs in the field of their functions
        related to the fight against terrorism and other serious forms of

        organized crime in this area, carry out an early detection of
        cyber threats that may affect ICT Information Systems
        (Information and Communication Technologies) of organizations
        cataloged as critical infrastructures, and those dependent on
        main State agencies involved in the management and treatment of the
        health crisis motivated by COVID-19, and disinformation activities.

        In these activities, a priori, no data processing is carried out
        personal, limiting itself to the daily observation of news or

        public information from social networks, in which the information collected is
        refers to public data, shared by their authors through
        consistent social media and public media
        fundamentally in the content of the communication and the means of diffusion.

        In the case of detecting any criminal offense, the corresponding
        proceedings and the proceedings are made available to the judicial authority
        competent."

In response to the specific questions raised in the request for
information the following answers are given:

    In relation to the specific purposes of the processing of personal data
    carried out in the aforementioned actions by both the General Directorate of the Police
    as by the Civil Guard it is stated that:

    “No specific personal treatment has been carried out by virtue of the
    provided in paragraph 2 of section 4.8 of the Order *** ORDER.1, of
    *** DATE. 1. In the event that the supervision of open sources in the
    Cyberspace, if any criminal offense is detected, the

    corresponding treatment in accordance with what the laws determine
    criminal proceedings and applicable data protection. In the event that
    any threat against National Security is detected, it is acted in accordance
    with what determines the regulations on official secrets and classified matters;
    as well as the rest that is applicable to the course. "

In relation to the type of data collected in these treatments and period of
conservation provided for by said treatments, state that
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/10








       "No personal data has been collected in relation to the aforementioned
       Cyberspace monitoring activity. In the event that in said
       activities would have detected a criminal offense or a threat against the

       National Security the treatment of identifiers and / or personal data is
       would be carried out in accordance with the criminal procedural regulations, the
       applicable data protection, regulations on classified matters and
       any other that may be applicable. "

In relation to the number of people affected by these treatments, it is stated that

       “No people have been identified in relation to the aforementioned activity of
       Cyberspace supervision. In the event that in said activities there were
       detected an illicit criminal offense or a threat against National Security the
       Obtaining or processing identifiers that allow to "identify" the
       interested parties would be carried out in accordance with the criminal procedure regulations, the
       applicable data protection regulations, regulations on matters

       classified and any other that may be applicable. "
In relation to which authorities have been considered as recipients of the data,

notes that
       "No personal data derived from the activity object has been transferred

       of the requirement. In the event that such activities had
       detected an illegal criminal offense or a threat against National Security the
       data collected in accordance with the appropriate regulations (in a treatment
       specific and different) will be sent to the competent Judicial Authority or to the
       competent bodies of the Ministry of the Interior to receive information
       classified. "


THIRD: On June 17, 2020, the GENERAL MANAGEMENT is required

DE LA GUARDIA CIVIL (hereinafter DGGC) copy of the Service Order
*** ORDER 2 (ECHO-ALFA), of complementary orders 1 and 2, of the
instructions given to the Cybersecurity Coordination Unit, Information
about the period of validity of these orders and instructions, the purposes
specific information on the processing of personal data carried out by the Civil Guard in the
framework of the Service Order *** ORDER. 2 (ECHO-ALFA) and complementary as

related to publications likely to generate disaffection with institutions of the
government, the recipients of this data and the legal basis that protects the treatments.
On July 2, 2020, a letter sent by the
Lieutenant Colonel Delegate for Data Protection of the Civil Guard who states
the next:


 “On May 4, 2020, we were requested by the Secretary of State
Ministry of the Interior, information regarding this matter for the purpose
to answer that AEPD. For which we prepare a report on the matter that is
attached to this letter, understanding that this response contains the information that

it is requested again. "
The report provided includes the considerations transferred on May 14,
2020 to the AEPD by the Data Protection Delegate of the Ministry of the Interior.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/10








FOURTH: On October 6, 2020, an inspection visit was made at the
headquarters of the General Directorate of the Civil Guard (DGGC), highlighting
the following facts, collected in the Inspection Report:


    1. Regarding the obtaining of information in open sources of the so-called
       Cyberspace (social networks and web pages) the representatives of the DGGC
       indicate that the current National Security Strategy (hereinafter, ESN),
       approved by Royal Decree 1008/2017, of December 1, warns of "the
       use of cyberspace as a means to carry out activities

       illicit actions, disinformation, propaganda or terrorist financing and
       Organized crime activities, among others, impact Security
       National, amplifying complexity and uncertainty, and also puts in
       risk the own privacy of citizens. "
    2. Within the framework of crisis management caused by COVID-19 and following the

       established in the ESN, the Ministry of the Interior established by Order
       *** ORDER.1, of *** DATE.1, the action criteria for the Forces and
       Security Bodies in relation to Royal Decree 463/2020, of 14
       March, declaring the state of alarm for the management of the situation
       of health crisis caused by COVID-19.
    3. In the area of the Civil Guard, Complementary Order No. 2 of the Order of

       Service *** ORDER.2 (ECHO-ALFA), collects in a generic way the provisions of
       the aforementioned Order *** ORDER.1, of *** DATE.1, specifically provides that
       be increased (not implemented since it is a derived legal mission
       of Article 11 of Organic Law 2/1986, of March 13, on Forces and
       Security Bodies) the surveillance of social networks for the detection of

       misinformation activities. Specifically, point 2.2 (tasks)
       establishes in its section g): “Increase the surveillance of social networks to
       the detection of disinformation activities, both internal and
       external, as well as for the prevention and investigation of activities
       related to cybercrime. " Both the *** ORDER.1 and the Order of

       Service *** ORDER.2 (ECHO-ALFA) and its complements were
       in force during the time the decreed alarm state was in force
       by the Government through Royal Decree 463/2020
    4. Printed copies of the Order were collected by the data inspection
       Service *** ORDER. 2 (ECHO-ALFA) and Complementary Order number
       2 of this. 4.2. On the part of the CG, they state that the surveillance of the RRSS is

       carried out by creating anonymous users created for this purpose and
       making a visualization of the publications made by the users of
       these networks, in the jobs of the agents in charge of carrying out
       This function. This surveillance is carried out among other social networks, on Twitter,
       Facebook, Instagram, Badoo and also web pages.

    5. The product of these actions is the preparation of a daily report by
       part of the Coordination Unit that is sent to the Deputy Directorate
       Operational. The total number of reports made is 53, one was made
       daily between March 20 and May 11, 2020.
    6. These reports are structured in 4 sections that collect the findings in the

       matters of cybercrime, cyberterrorism and hacktivism, cyberattacks,
       disinformation and news summary. In each of these sections,
       collects the publication made in the corresponding social network, in some
       In some cases it includes a link to the publication and in others a screenshot of the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/10








        publication with the identification information with which the user is
        presents on the net. The reports contain only information published in
        networks, not increasing the information from other sources or files.

        They state that when an alleged crime is detected, evidence is captured
        in the same way that they are collected in any other police investigation,
        according to the chain of custody of evidence. In these cases the
        The investigation is prosecuted, the police forces making a report without
        expand the information (including only what is openly published in
        networks). Later the judge can make an order to extend

        information, in particular, to find out who is the promoter or the one who incites the
        investigated behaviors. Those findings that could be
        constituting a crime are prosecuted becoming part of the
        treatments collected in the activity called INTPOL in the Registry of
        Treatment Activities.


        In relation to the reports that have not been the subject of legal proceedings,
        are kept in the administrative files of the target Units
        and conserved during the period of five years established for the
        passive correspondence.


        The inspectors obtained copies of 3 reports dated March 19, 20 and 28
        2020, in which it is verified that the structure and content correspond
        with the previously described.



                               FOUNDATIONS OF LAW

                                                I

       In accordance with the investigative and corrective powers that article 58 of the

Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for
Data Protection.


                                                II

       Article 2 of the RGPD when determining its scope of application provides that


       "1. This Regulation applies to the total or partial treatment
automated personal data, as well as non-automated data processing
personal content or intended to be included in a file.

        2. This Regulation does not apply to the processing of personal data:


       a) in the exercise of an activity not included in the scope of application
of the Law of the Union;


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10








       b) by Member States when carrying out activities
included in the scope of application of chapter 2 of title V of the TEU;


       c) carried out by a natural person in the exercise of activities
exclusively personal or domestic;

       d) by the competent authorities for prevention purposes,
investigation, detection or prosecution of criminal offenses, or the execution of
criminal sanctions, including protection against threats to public safety

and its prevention. "

       Article 1 of Directive (EU) 2016/680 of the European Parliament and of the
Council of April 27, 2016 regarding the protection of natural persons in the
regarding the processing of personal data by the authorities

competent for the purposes of prevention, investigation, detection or prosecution of
criminal offenses or the execution of criminal sanctions, and the free movement of
said data and repealing Council Framework Decision 2008/977 / JHA,
establishes in its article 1 under the title Object and objectives that “1. This Directive
establishes the rules relating to the protection of natural persons in what
Regarding the processing of personal data by the authorities

competent, for the purposes of prevention, investigation, detection or prosecution of
criminal offenses or the execution of criminal sanctions, including protection and
prevention against threats to public security. (…) "

       Article 2 of the same provides regarding its scope of application that “1.

This Directive applies to the processing of personal data by companies
competent authorities for the purposes established in article 1, paragraph 1. "

       However, the aforementioned
Directive at the time of the occurrence of the events that are the object of the

investigation, the provisions of the fourth transitory provision of
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights, according to which:

       "Treatments subject to Directive (EU) 2016/680 of the Parliament
Council and Council, of April 27, 2016, on the protection of individuals

with regard to the processing of personal data by the
competent authorities for the purposes of prevention, investigation, detection or
prosecution of criminal offenses or execution of criminal sanctions, and the
free circulation of such data and repealing the Framework Decision
2008/977 / JAI of the Council, will continue to be governed by Organic Law 15/1999, of 13

December, and in particular Article 22, and its development provisions, as long as
the rule that transposes the provisions of the aforementioned into Spanish law does not come into force
directive."

       In this regard, it should be noted that articles 1 and 2 of the Organic Law

15/1999 extend their protection to the rights of citizens with regard to
to the processing of your personal data, these being defined in the article
3.a) of said Law as “any information concerning natural persons
identified or identifiable. “Article 5.1.f of the Regulations for the development of said

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/10








Law, approved by Royal Decree 1720/2007, of December 21, specifies said
definition indicating that they constitute personal data "Any
numerical, alphabetical, graphic, photographic, acoustic or any other information
concerning identified or identifiable natural persons. "


       From the actions mentioned in the factual antecedents, it appears
that within the framework of the National Security Strategy and the competencies
attributed by article 11 of the Law of State Security Forces and Bodies,
as well as Royal Decree 463/2002 of March 14, which declares the state
alarm for the management of the health crisis situation caused by COVID-
19, a visualization of open publications made by the

social media users. This activity is carried out among other social networks, in
Twitter, Facebook, Instagram, Badoo and also web pages, circumscribed to
cybercrime, cyberterrorism, hacktivism, cyberattacks and
disinformation.


       The product of these actions is the preparation of a daily report by
part of the Coordination Unit that is referred to the Deputy Operational Directorate,
having carried out a total of 53 reports, one daily, between March 20 and
on May 11, 2020.

       The delegate of Data Protection of the Ministry of the Interior, states that

In these activities, a priori, no data processing is carried out
personal, limiting itself to the daily observation of news or information
public social networks, in which the information collected refers to data from
public nature, shared by their authors through social networks and media
communication audiences, consisting mainly of the content of the
communication and the means of dissemination.


       As stated in the on-site inspection carried out, “these reports are
structured in 4 sections that collect the findings in the subjects of
cybercrime, cyberterrorism and hacktivism, cyberattacks, disinformation and
news summary. In each of these sections the publication is included
made in the corresponding social network, in some cases it includes a link to the

publication and in others a capture of the publication with the information of the
Identification with which the user is presented on the network. The reports contain
only information published on networks in the aforementioned subjects, not
increasing the information from other sources or files. "

       The AEPD inspectors collected copies of 3 reports dated 19, 20 and

March 28, 2020, in which it is verified that the structure and content are
corresponds to the above, without the documents provided
contain personal data.

       Therefore, the processing of data from

personal character. It must be taken into account that, to Administrative Law
Sanctioner, due to his specialty, are applicable to him, with some qualification but without
exceptions, the inspiring principles of the criminal order, being clear the full
virtuality of the principle of presumption of innocence.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/10








       In this sense, the Constitutional Court, in Sentence 76/1990 considers that
the right to the presumption of innocence implies “that the sanction is based on
acts or means of proof of charge or incriminating the reproached conduct; what

The burden of proof rests with the accuser, without anyone being obliged to prove
his own innocence; and that any shortcomings in the test result
practiced, freely valued by the sanctioning body, should be translated into a
acquittal ”. This principle is expressly stated for
sanctioning administrative procedures in article 53.2.b) of the Law
39/2015, of October 1, of the Common Administrative Procedure of the

Public Administrations, which recognizes the interested party the right “To the presumption of
non-existence of administrative responsibility until proven otherwise "

       In short, the application of the principle of presumption of innocence prevents
impute an administrative infraction when no evidence has been obtained or

evidence from which the existence of an infringement is derived.


       Therefore, in accordance with what was stated, by the director of the Agency
Spanish Data Protection,


       HE REMEMBERS:

       FIRST: PROCEED TO THE FILING of these actions.

       SECOND: NOTIFY this resolution to the Secretary of State for

Security of the Ministry of the Interior.

       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.


       Against this resolution, which puts an end to the administrative procedure according to
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations, and in accordance with the
established in arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within one month to

counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.

       Mar Spain Martí
       Director of the Spanish Agency for Data Protection






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/10


































































































C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es