AEPD (Spain) - EXP202100897

From GDPRhub
AEPD - PS-00520-2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 83(2) GDPR
Article 83(5)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started: 26.07.2021
Decided:
Published: 11.10.2022
Fine: 12.000 EUR
Parties: Sean Serios S.L
National Case Number/Name: PS-00520-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

The Spanish DPA fined a training academy €12,000 for a violation of Article 6(1) GDPR by unlawfully publishing a ranking list which included the results of a selection process and sensitive health data.

English Summary

Facts

The data subject submitted a complaint against a training academy (the controller) for unlawfully publishing their personal data on a website. The publication contained results of a selection process in which the data subject participated. Specifically, the document contained a list with names, last names, anonymised ID numbers and categories assigned to participants. The list allowed the identification of health data relating to disabilities.

In addition, the list corresponded with the provisional publication of results by the Galician Health Services (SERGAS), the authority competent for the examination and selection of candidates. Both lists were different, thus the controller made a re-work of the official list by selecting some candidates, grouping them by categories, breaking down their marks (studies, work experience, other activities) and assigning them a position according to their total score.

The Spanish DPA started a sanctioning proceeding against the controller due to an alleged violation of Article 6(1) GDPR for the lack of legal basis for processing of personal data, including special categories of personal data. Furthermore, the publication allegedly did not include the mandatory information regarding the origin of the data nor the right to object.

In response, the controller argued that the legal basis was legitimate interest since the academy offered training courses and the publication showed the participants, in a clear way, the position obtained. The controller stated that it was not processing carried out in the context of their usual activity since it was done only once, in relation with that specific selection process. Another argument was that the information had been made public by SERGAS and that candidates who participated in the public selection process expected their data to be published due to transparency obligations.

Holding

In the first place, the DPA stated that the publication of data subjects' first and last names on a website was considered processing of personal data. These data allowed the identification of the data subjects since the list contained names of persons who fulfil the requirements to enroll in a specific category, and more elements allowing the identification by a broader audience.

Regarding the claim of the public character of the data, since it had been published on the SERGAS website, the DPA considered that a website is not a publicly accessible source. In addition, in case that the data was made available by a public entity for a specific purpose, the list made by the controller must rely on its own legal basis. When it comes to the concept of publicly accessible sources, the GDPR regulates it in the context of the right to information when the data was not collected from the data subject. In any case, data contained in a publicly accessible source must have a legal basis for further processing.

On the legitimate interest, the DPA noted that Article 29 Working Party Opinion 6/2014states that is necessary to take into account not only the data subject’s fundamental rights and freedoms but also their interests and that “legitimate” involves the need for processing and the use of the least invasive method to achieve the same end. For instance, the controller could have informed only the participants about the results but opted to inform the public in general.

In the context of data impact assessments, the DPA highlighted which elements to include, such as the bargaining position of the parties (especially the controller’s), if there is a reasonable expectation of further processing, the way that the controller processes the data (including if there is profiling or not) and the need for a balancing exercise between the data subject’s rights and interests and the controller’s legitimate interest whose results must show a prevalence of the latter, being the only case to rely on Article 6(1)(f) GDPR.

In the present case, the Spanish DPA did not observe a prevalence of the controller’s interest over the data subject’s rights for the following reasons. The processing was not necessary for the initial collection purposes, the data subjects were not informed about the publication of results on the website, sensitive data was included in the list, the storage limitation principle was violated (the publication lasted for more than three months), there was an incomplete impact assessment, there was no inclusion of information regarding the right to object which is mandatory when relying on legitimate interest as legal basis for the processing (Article 21(1) GDPR).

Finally, the DPA fined the controller €12,000 for a violation of Article 6(1) GDPR due to the lack of a valid legal basis for processing.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/23













     File No.: EXP202100897




                RESOLUTION OF PUNISHMENT PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
the following



                                  BACKGROUND



FIRST: A.A.A. (hereinafter, the complaining party) dated 07/26/2021, filed
claim before the Spanish Data Protection Agency. The claim is directed
against SEAN SERIOS S.L. with NIF B70528989 (hereinafter, the claimed party). The
claimant states that in the URL: https://www.cursosefficients. (...), appear
published a list with the results of a selective process of opposition competition

convened by SERGAS, which contains the personal data of the people who
they agreed for the turn of (...).

It ends by requesting “remove said URL”.


You access the url in which the elaboration ***DATE.1 appears in the lower left, in
the right "prov competition (...).Sergas".

The information that appears is, of 95 candidates, three pages, with the name and surnames,
the anonymized DNI in accordance with the provisions of the D.A. 7th of Organic Law 3/2018, of

5/12, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), and the notes broken down in opposition, and competition, this aspect
last one that frames and distinguishes: training, experience, other activities. Then he
follows the column of “total”, and “order number”. Next to each candidate, in the column
"Access" can be read (...). The claimant is ranked XX, and all candidates

they are listed in DI access sorted by total score. There is no reference to
identification of any specific call or process.

The "privacy policy" of the claimed party that offers training courses is accessed, and
is incorporated into the procedure.


In "purpose of data processing", there is the sending of advertising related to your data.
services and products. The data will be kept as long as the relationship is maintained
commercial or during the years necessary to comply with legal obligations.


In section 7, “origin”, “how have we obtained your data?” They state: “the data
data that we treat come from the interested party. The categories of data


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/23








they treat are identification data, postal or electronic addresses, economic data,
specially protected data is not processed.”


SECOND: In accordance with article 65.4 of the LOPDGDD, a transfer of
said claim to the claimed party, so that he proceeded to analyze it and inform
this Agency within a month, of the actions carried out to adapt to
the requirements set forth in the data protection regulations. In the transfer it
reported:


“FACTS GIVING RISE TO THE CLAIM: The claimant states that on the website
webcursosficients.com appears published a list with the results of a process
selection of opposition contest convened by the SERGAS, in which the
personal data of the people who accessed the shift (...)”


On 08/23/2021, the electronic submission appears accepted, without having received
response.

THIRD: On 10/26/2021, in accordance with the provisions of article 65.5 of the
LOPDGDD, the processing of the claim continues.


FOURTH: On 01/13/2022, the Director of the AEPD agreed:


“INITIATE PUNISHMENT PROCEDURE against SEAN SERIOS S.L., with NIF
B70528989, for the alleged infringement of article 6.1 of the RGPD, in accordance with the

article 83.5.a) of the RGPD, typified as very serious for the purposes of prescription in the
article 72.1.b) of the RGPD, with an administrative fine of 12,000 euros
(twelve thousand euros).

For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10 of the Procedure

Common Administrative of Public Administrations (hereinafter, LPACAP), the
sanction that could correspond would be an administrative fine.”

FIFTH: On 01/28/2022, allegations were received from the respondent in which
states:


- Provides a copy of the publication of the Official Gazette of Galicia of ***DATE.1, section
oppositions and competitions, Galician Health Service, RESOLUTION of ***DATE.2, of
the General Directorate of Human Resources, through which the
provisional scores of the contest phase of the selective process for admission
in the category of (...), summoned by the Resolution of ***DATE.3, which states:


"The eighth base of the Resolution of the General Directorate of Human Resources of (...),
by which a contest-opposition is called for entry into the category of (...) of the
Galician Health Service, provides that, carried out by the court, the assessment of the
merits provided by the applicants, the General Directorate of Human Resources

will publish, in the Official Gazette of Galicia, the announcement of its exhibition with an indication of the
provisional score obtained by each applicant in the different sections, as well as the
total evaluation of the contest phase.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/23








Resolves first: Publish on the website of the Galician Health Service
(www.sergas.es), the provisional scores of the contest phase obtained by the
applicants who passed the opposition phase of the selective process for the

admission in the category of (...), summoned by Resolution of ***DATE.3. Each
applicant may also consult the details of the score obtained in the different
sections of the scale, in your personal electronic file at Fides/expedient-e/
process section.



Resolves second, the possibility of presenting a claim against the results of the
provisional assessment

In the annex, which is provided with the published list, there is the SERGAS logo, scale
provisional, competition phase (broken down into: training, experience and other activities) and the

note of the opposition, ordered by total score from most to least, and surnames, and together
all access systems (DI: disability, LI: free, Pri: internal promotion),
including the one claimed.

-The reason for the publication, in the case of public information, is: "to publicize the
results published by SERGAS, since many of the participants in the process

of selection were students of our Academy”, trying to facilitate access to the
public information".

-States that prior to publishing the list they carried out an "analysis
of regulatory compliance” in order to confirm whether said publication could imply or

not a violation of the Data Protection regulations, reaching the following
conclusions:

 The information that was intended to be published was information published on the website of
SERGAS, which is part of a selective process whose advertising and dissemination is

established by a norm with the rank of Law

 This information is previously anonymised, as the number has been hidden.
of the DNI of the participants, and the name and surname of only one person per se
itself should not be considered personal data as there are numerous
people with the same name and surname. “They are neither identified nor

reliably identifiable.

       They continued with their analysis considering that "it could be a treatment
       of public personal data.


 The next approach was to determine the applicable legal basis, concluding
which would be the legitimate interest consisting in facilitating access to the results
provisions of the opposition contest, in the case of information previously made
public what the previous regulations called sources accessible to the public, which
considers applicable to the case in an entity that especially focuses on the professions

sanitary




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/23








       “Since it is public information, having been published in the Official Gazette of
       Galicia and on the Sergas website we understood that the
       rights and freedoms of the interested parties.


-Refers to the judgment of the Court of Justice of the European Union of 24/11/2011 matter
accumulated C 468/2010 National Association of Financial Credit Establishments
(ASNEF), and C 469/2010 Federation of Electronic Commerce and Direct Marketing
(FECEMD) which resolves the preliminary questions raised by the Court
Supreme Court and in which the direct effect of article 7 f) of the

Directive 95/46/CE. In its recitals 44 and 45 it refers to the sources accessible to the
public considering that there is a minor impact on the private life of the interested party
since the information is public knowledge. “The third party or third parties to whom
communicate the data do not access data related to the private life of the interested party, given
that the information is already public knowledge. The severity of the injury

fundamental rights of the person affected by such treatment may vary in
depending on whether or not the data already appears in publicly accessible sources.

-They have deleted the aforementioned publication

-They consider relevant to show that public information is currently

is published and available on the Sergas website accompanies the Sergas address
in which the aforementioned list is available, ***URL.1 and another access address to the
“complete, contracting” procedure.

 ***URL.2 Does not accompany the access made at the time of submitting your

written, nor is any element viewed.

-The claimant at no time addressed the claimed by any means requesting
suppression of information


-States that he has acted in the belief that the treatment was adjusted to the
RGPD, because prior to carrying out the treatment object of the claim they have made
a “regulatory compliance analysis”.

-Requests that a warning be applied instead of an economic sanction and in the event that
apply this, that the sanction be reduced to 600 euros, considering the lack of

intentionality and that it was limited to publishing public information, and there is no recidivism.

SIXTH: On 05/24/2022, the testing period is opened, as provided in the
Article 77 and 78 of Law 39/2015, of 1/10, of the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP), agreeing to consider reproduced

for evidentiary purposes, the claim filed and its documentation, as well as the
documents obtained and generated during the admission phase of the application
claim.

Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of
initiation of the referenced sanctioning procedure, presented by the claimed party, and the
accompanying documentation.


The respondent is requested to report or provide the following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/23








a) Reason why they only published the list of opponents of the turn (...), and reason why
that they only made the sequential ordering by score order of these (...) for their
differentiated ordering.


On 06/15/2022, a response was received indicating that its purpose was to facilitate the
access to interested parties in an orderly manner, different from the mode of publication in
alphabetically, so that people, “many of them clients of our
academy” can verify if your score gives you access to the job or not.


It states that, on this occasion, SERGAS did not publish at the same time by order
alphabetical and punctuation, but did it first only by alphabetical order, falling behind
exposure by score.

Provides a copy of the "general list of the definitive scale", contest phase of the

SERGAS, (...), in which it appears arranged first in alphabetical order, followed by
of the total score, date of elaboration ***DATE.4, the descending order is appreciated
of the scores on the right side of the points, and arranged alphabetically in the
left side, and a copy of the same SERGAS list, same date and titles, but
ordered from the alphabetical criterion, without preference for the punctuation.


It adds that in the publication of the provisional list the lists were only published
mode or alphabetical order, always ordering by the one claimed by "punctuation and
access” the list previously published in alphabetical order.

a) Number of people who through their courses prepared for this

call, through its services, and in what shifts.

It states that "it is not a center for preparing oppositions, so it does not have
closed groups that prepare a specific category of SERGAS. The training that
teaches Efficient Courses is aimed at the merit phase, specifically it facilitates the

Obtaining the points corresponding to the continuous training section in the phase
competition.”, referring to cross-cutting subjects, information technology, risk prevention
labor etc., scored in any of the SERGAS categories in the section on
“continuous training”, being difficult to discern for which category that course has been used
each student.


b) Reason why there were people who were preparing this call, it was not
They limited themselves to putting only their data on their website or sending them exclusively their
results.

It is answered with the answer of the previous point.


d) Reason why they did not index an informative literal of the data collection and
rights on your web page that was published. If you currently have collected data from
Newsletters public employment web pages, indicate address.


He points out that what they usually report is by way of news, the publications of
calls made by SERGAS with direct links to its website. Give examples of
links that from the website of the claimed party leads to the section in which it reports the
resolution in which the listings are published. The page contains the information that has been

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/23








published on the web, by way of example, of SERGAS and the categories appear and "click here"
Pressing takes you to the SERGAS extranet with the information

"What we want to show is that in an exceptional and motivated way that the
Sergas had not yet published the list in order of punctuation, we consider that

in the case of information already published in a source accessible to the public such as
the Official Gazette of Galicia and the website of the public body of SERGAS, would not imply a
impairment of the rights of the participants that the list was ordered by
punctuation". They also add that the complete DNI number was not published, since
it was anonymized.


It accompanies the news of its website of "ordered list of scores of the phase of
contest of the opposition ***CATEGORY.1 of Sergas”, referring to the publication on
*** DATE.1 on the Sergas website of the provisional lists of the phase of
contest of the oppositions of different categories and points out that since it has not yet
published the lists ordered by scores of the contest phase, referring to the

call for ***DATE.3, "here you have them in PDF format (...), with links for each
one of the shifts (free, internal, disabled).

c) Copy of the record of treatment activities related to the exposure in your
data web of public calls.


States that its record of treatment activities does not include as such the
publication on the web of information related to public calls, and that it is not
an activity that they will carry out in the future.

On their website they limit themselves to publishing news about publications related to
calls or updated information on news published by the

public administrations in relation to oppositions or contests that are being processed.
Its website usually refers to the news by making a link to the body's website
posting public, but never post listings directly. The only time
and evidently the last one has been the publication that is the object of this
process.


They consider that it was a one-off event that they corrected immediately.


d) In relation to your alleged legitimate interest for the treatment, you are requested to
provide the document in which the consideration and analysis of said base was carried out
legitimizing, and specifically how it took into account the rights and freedoms

rights of those affected and because their rights to the legitimate interest do not prevail
alleged, and the offer of opposition to the treatment and the causes, considering,
In addition, only the disabled option appears published, and grouped.

Statement that accompanies the "regulatory compliance analysis" report, dated

12/6/2019, referring to the information from the DOG of ***FECHA.1 and the SERGAS extranet,
to order the already published list based on the scores obtained by the
participants in the contest of the (...). It refers to the analysis of the treatment and conformity to
the regulations, that the NIF number is partially, with name and surnames and punctuation.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/23








It does not refer to (...). “Indicates that by not having the complete number of the NIF it is not possible to
consider information of a personal nature that identifies a specific person.”


It seems that it would not be possible that “without making disproportionate efforts,
will identify the participants except for those people who have a
prior knowledge that a certain person is going to present himself to the referred
contest but they will not be identifiable for the rest of the population” Then he indicates that
It deals with public information that has to be disseminated by regulations with a range of
Law, they must assess the legitimating basis, and refers to article 6.1 f) of the RGPD adding

now that it is information that "we can consider as sources accessible to the
public, since they have been previously published in an Official Gazette of Galicia and
on the SERGAS extranet without the interested parties being able to oppose said
treatments and even its publication being a legal obligation to which the users submit.
interested by the mere fact of participating in the selection process. Add that

considers that Royal Decree 1720/2007 has not been repealed, and in this regard it highlights
its article 7. “For this reason it seems reasonable to think that the rights of
interested parties cannot prevail against the legitimate interest pursued considering that
When the data appears in sources accessible to the public, the person in charge and, where appropriate, the
third party or third parties to whom the data is communicated do not access data related to the
private life of the interested party given with the information is already public knowledge according to

recitals 44 and 45 of the judgment of the Court of Justice of the European Union of
11/24/2011, as a consequence there is a minor impact on the rights of the interested party, which
that must be appreciated at its fair value in the weighting with the legitimate interest
pursued by the data controller or by the third party or third parties to whom
communicate the data.” “with regard to the weighting required by article 7

letter F of Directive 95/46, the fact that the seriousness of the
the infringement of the fundamental rights of the person affected by said treatment
may vary depending on whether or not the data already appears in sources accessible to the public”

“Taking into account that the only purpose pursued by the treatment that is intended

to carry out is to facilitate access to interested parties to some lists ordered in
depending on the score obtained, that many of the participants in the contest are
students of our center, the requirements that legitimize the treatment in
based on the provisions of article 6.1 f) of the RGPD.”



e) If you have any document that accredits and verifies the date of your withdrawal
can contribute it.

It states that "as indicated in our pleadings brief, once
notification of the initiation of this sanctioning procedure and once our

advisors were able to review the information that has been the subject of the same, dated 20
January 2022, an email was sent, requesting the company to
manages our website, so that it proceeds to immediate deletion” accompanies in
document 3 and 4 copies of the email sent and the company that manages the
web page that verifies the date of deletion, including both the link of the news

like those of each of the shifts.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/23








4). The Instructor will verify if in the URL***URL.2 the data of the
claimant. If you have any document that accredits and verifies the date of your
withdrawal can bring it.


For this purpose, on 06/7/2022, the internet was accessed in the GOOGLE search engine, and
entered the URL indicated by the complainant without finding information in the
page. It is accredited by diligence incorporated into the procedure.

SEVENTH: On 07/13/2022, a resolution proposal was issued, from the literal:


“That by the Director of the Spanish Agency for Data Protection, a sanction is made for
SEAN SERIOS S.L., with NIF B70528989, for an infringement of article 6.1 of the RGPD,
typified in article 83.5 a) of the RGPD, with a fine of 12,000 euros.”


EIGHTH: The respondent, dated 07/27/2022, states:

1-No further treatment and different from the
pursued by the publication in the Official Gazette of Galicia, has not incorporated any
additional information, no communications have been made to the interested parties.


2-Reiterates that due to the provisions of the sole repeal of the LOPDGDD: "there are

repealed as many provisions of equal or lower rank contradict, oppose, or
are incompatible with the provisions of Regulation (EU) 2016/679 and in this
organic law”, considers that the Royal Decree 1720 2007 that develops the LOPD would be
applicable and establishes as sources accessible to the public the publications of newspapers and
official bulletins, lacking the unlawful component of the infraction.



3-Reiterates that the impact on the rights of the interested party is less as it is data that
come from sources of public access, "which must be appreciated at its fair value in

weighting with legitimate interest”. Your interpretation of legitimate interest is plausible
and justified, which evidences the lack of intentionality, fault or negligence
legally required for the imposition of administrative sanctions.



4-The amount is disproportionate, "it is not a large company, it is a micro-SME". The
purpose was to improve access to public information, accessible through sources
accessible to the public, ordered by punctuation, instead of being ordered by
alphabetical order. "The magnitude of the amount calls for its dissolution and subsequent liquidation."

It should not be considered as a continuing infringement, "because said listings with the same

information continues to be published on the SERGAS website”. It is also not credited
“the alleged damage that may have been caused” to the claimant.

There is no intentionality. No benefit was obtained, "the only purpose was that our
students, who were part of this selective process, could verify more

The score achieved is simple.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/23








5-Request the file for being your action adjusted to law, or exoneration of
liability for lacking the elements of fault or negligence. Subsidiarily, it
appreciate a qualified decrease in culpability or unlawfulness, resulting

sufficient a warning or failing that, a minimum sanction.


NINTH: Of the actions carried out in this procedure and the
documentation in the file, the following have been accredited:


                                  PROVEN FACTS



1) The claimant states that in the URL ***URL.1 their data is published in a
listing on a selective process of competition convened by the SERGAS.


2) The list that is contained in the URL, in pdf, is a specific preparation of the
claimed, which contains only data from the shift of (...), three pages, the title indicates:
“(…) elaboration ***DATE.1”. The list is ordered by total points and
consequent order number, up to 104 candidates. The claimant is listed at number
XX with the last three digits of the NIF and surnames and name, with the key (...),


3) The official publication of this provisional ranking of the applicants was made in the
SERGAS web page, as enabled in the resolution of ***DATE.2, of the
General Directorate of Human Resources, by which the scores are made public
Provisional results of the contest phase of the selective process for entry into the category

of (...), summoned by the Resolution of ***DATE.3 (DOG of ***DATE.1). As such
listed, it is not published in the aforementioned Official Gazette. The official publication, differs
of the one of the claimed one, in the copy of the official one that the claimed one contributes in its
allegations, there are 80 pages, figuring the shifts mixed, and ordered by the
total score obtained, the mark of the opposition and the contest phase (training,
experience, other activities), and in alphabetical order, including the one claimed in the

listed as it appears in the list of the claimed.


4) The page www.cursosefficients.com is dedicated to training courses such as
Academy, and is the owner of the claim, thus appearing in "privacy policy". impart

courses of different types and modalities that count in the training section
continuation of calls.

5) In the privacy policy of the “efficient courses” website, it is indicated:


       2. PURPOSE: For what purpose do we process your personal data? in Sean
Serios S.L. We treat the information provided by interested persons for the
following purposes: Manage registration to allow access to our systems
Provide the requested service, bill it. Send advertising
related to our products and services


       4. LEGITIMATION: What is the legitimacy for the processing of your data? The
legal basis for the treatment of the data is the consent obtained from the interested party,
In addition to contracting the services
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/23









       7. ORIGIN: How have we obtained your data? The personal data that
we treat in Sean Serios S.L come from the interested party The categories of data that

are treated are: Identification data. Postal or electronic addresses. Data
Economic. Specially protected data is not processed


6) After receiving the initiation agreement, the respondent stated that she had withdrawn the page from her website,
fact that is verified in the testing phase.


7) The respondent points out that she published the list because she gives courses that count in the
assessment of the contests, in "training", without specifically identifying that the
claimant would have given any for his score, or what courses may be the one in
this case counted, and that its basis of legitimation is the legitimate interest, in the case of

public information or information accessible to the public to which the interested parties cannot oppose
for being a legal obligation for the fact of participating in a selective process


8) The Resolution of the General Directorate of Human Resources of ***DATE.3 (DOG no.
XX, of XX/YY), for which a competition-opposition is called for entry into the category

(...) considers the "training" section as a scale, including the assessment of
courses such as occupational risk prevention, clinical management that can be offered by the
claimed.

9) The defendant usually informs through the news section on its website about the

calls, offering direct links to the entities so that they can be seen, for example
the listings. In the case of the claim, he adds that he published by score obtained, for
name and surname, (...), so that the participants could more easily see the order
obtained, stating the same (its publication) in the other shifts (this is deduced from the
internal mail sent on 01/20/2022, after receiving the startup agreement to a company to

to delete the list, also including a referenced free shift list) and due to
that the SERGAS list had a different order.


10) The publication carried out is not supported by a treatment activity that
contemplate the claim, pointing out that it is the only time that it has been exposed in relation
with oppositions or competitions that are being processed.



11) In the publication of the list prepared by the claimed party, it is not indicated or informed of the
origin of the data, nor any information nor the right to oppose, that based on a
legitimate interest in processing, should be offered.








                             FOUNDATIONS OF LAW

                                             Yo
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/23









In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each

control authority and as established in articles 47 and 48.1 of the Organic Law
3/2018, of December 5, on the Protection of Personal Data and guarantee of rights
(hereinafter, LOPDGDD), is competent to initiate and resolve this
procedure the Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures

processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”




                                             II

The GDPR defines

1) "personal data": any information about an identified natural person or
identifiable ("the interested party"); An identifiable natural person shall be deemed to be any person

whose identity can be determined, directly or indirectly, in particular by means of a
identifier, such as a name, an identification number,
location, an online identifier or one or more elements of the identity
physical, physiological, genetic, psychic, economic, cultural or social of said person;



2) “processing”: any operation or set of operations performed on data
personal information or sets of personal data, whether by automated procedures or
no, such as the collection, registration, organization, structuring, conservation, adaptation or
modification, extraction, consultation, use, communication by transmission, diffusion or
any other form of authorization of access, collation or interconnection, limitation,

deletion or destruction;

Opinion 4/2007, on the concept of personal data, adopted on 06/20 by the

Working group 29, of Directive 95/46, analyzes in depth the concept of data
personal data, indicating the reference: "they are all information about a natural person
identified or identifiable, considering identifiable any person whose identity
can be determined directly or indirectly, in particular by a number of
identification or one or more specific elements characteristic of their physical identity
physiological psychic economic cultural or social”. A person is directly considered

identified through the name and surnames and is more individualized, when
In addition, there is another identifier, for example the NIF, through which you can obtain
further information about that person or any information that may specify or
place it in a specific area.

The conduct that consists of making reference on a web page to a person with their
name and surnames, and that in this case is distinctive because it is not frequent, constitutes

per se a personal data that identifies it, and to which would be added in this case
that meets the requirements indicated in the call to be able to appear for the shift
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/23








(...), with which elements are added to be able to be identified by a larger sector of
the population.




Regarding the allegation of the respondent that the published data is "personal" data
public” because it comes from a website, that of SERGAS, a website is not a source of access
public, even taking into account what the RLOPD defined of it. If what you mean is that
a data made public, this has not been by its owner, but by a public entity that
under current regulations can legitimize it for publication, with a finality
concrete given.


This is also clear with the definition and detail of the right to data protection
contained in STCO 292/2000, of 11/30, resource 1463/2000, legal basis
sixth:




“In this way, the object of protection of the fundamental right to data protection
It is not reduced only to the intimate data of the person, but to any type of personal data.
whether or not intimate, whose knowledge or use by third parties may affect their rights
rights, whether fundamental or not, because their object is not only individual intimacy, which

for this there is the protection that art. 18.1 CE grants, but the personal data
nal. Consequently, it also reaches those public personal data that, by reason of
fact of being, of being accessible to anyone's knowledge, they do not escape the power of
disposition of the affected party because this is guaranteed by their right to data protection.
Also for this reason, the fact that the data is of a personal nature does not mean that they only have
protection those related to the private or intimate life of the person, but that the data covered

classified are all those that identify or allow the identification of the person,
tending to serve for the preparation of their ideological, racial, sexual, economic or
any other nature, or that serve for any other use than in certain circumstances
circumstances constitutes a threat to the individual.”


                                             III


The data included in the URL of the claimed correspond to a process

of the Galician Health Service, although the complainant includes it in a URL
own, on which he carries out a selected own elaboration to order by
surnames and punctuation order, within the turn (...).

The RGPD maintains the principle that all data processing needs to be supported by a

legal basis that legitimizes it points establish the inverse legitimating causes of the
treatment as the consent mode does not operate as the only possible one.

In any case, from the entry into force of the RGPD, it cannot be spoken of a
legal concept of “sources accessible to the public” such as the one that existed in the LOPD, nor

nor can we understand that the fact that the data appears in this type of
sources legitimizes the treatment without further ado, specifying in any case a legitimate basis
for your treatment. The RGPD only talks about public access sources when regulating the
right to information, if the data has not been collected from the interested party.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/23








The mention of the validity of the RLOPD has no effect, as the data is not in any case
contained in a source of public access a legitimizing base, requiring the
coverage of any of the circumstances as a legitimate basis in article 6.1 of the

GDPR.

The exposed facts may imply, on the part of the defendant, the commission of a
violation of article 6.1 of the RGPD that indicates:

a) the interested party gave his consent for the processing of his personal data for

one or more specific purposes;

b) the treatment is necessary for the execution of a contract in which the interested party is
part or for the application at the request of the latter of pre-contractual measures;


c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
data controller;

d) the treatment is necessary to protect the vital interests of the interested party or another
Physical person;


e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers vested in the data controller;

a) the treatment is necessary for the satisfaction of legitimate interests pursued by
the data controller or by a third party, provided that said interests are not

prevail the interests or the fundamental rights and freedoms of the interested party that
require the protection of personal data, in particular when the interested party is a
little boy."



Contrary to what was stated by the respondent, the lists are not published in the Diario
Official, but in this it is indicated that it be published on the SERGAS website, to which it has been
to go for viewing and in the manner indicated.

Based on the alleged legitimate interest, much of it is limited to stating that
are data of public access due to the fact that the opponents by legal norm related to

nothing with public employment and transparency, they must submit to the exposure of their
data as a guarantee of objectivity, reinforcing his thesis that due to the fact that his
data on an open web, can be found within said treatment scheme.
unto However, the listings are not exposed in any official bulletin or newspaper, but in
the SERGAS website, no longer fulfilling one of the requirements so that in the past it could

to be considered a source of public access.

"Establishes recital (47):" The legitimate interest of a data controller,
including that of a person in charge to whom personal data may be communicated, or of a

third, it can constitute a legal basis for the treatment, provided that it does not
prevail the interests or the rights and freedoms of the interested party, taking into account
the reasonable expectations of data subjects based on their relationship with the
responsible. Such legitimate interest could occur, for example, when there is a relationship
relevant and appropriate relationship between the data subject and the controller, such as in situations where

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/23








that the interested party is a client or is at the service of the person in charge. In any case, the
existence of a legitimate interest would require careful assessment, even if a
interested party can reasonably foresee, at the time and in the context of the

collection of personal data, which may be processed for this purpose. In
In particular, the interests and fundamental rights of the interested party may prevail
on the interests of the person in charge of the treatment when proceeding to the treatment of
personal data in circumstances in which the data subject does not expect
reasonably for further processing to take place. Since it corresponds to
legislator establish by law the legal basis for the processing of personal data by

part of public authorities, this legal basis should not apply to the processing
made by public authorities in the exercise of their functions. The tratment of
personal data strictly necessary for the prevention of fraud
it also constitutes a legitimate interest of the controller in question. The
processing of personal data for direct marketing purposes can be considered

carried out for legitimate interest.”



Regarding the content of the legitimate interest of article 6.1.f) of the RGPD alleged as
legitimizing base, it is necessary to go for its interpretation and content to Opinion 6/2014
of Working Group 29 (advisory body created by virtue of Article 29 of Directive
95/46/CE, which with the entry into force of article 94.2 of the RGPD that repeals the directive

95/46 is changed to European Data Protection Committee (CEPD) dated 04/09/2014,
that contemplates the diverse factors that can be valued when carrying out the
mandatory weighting of the rights and interests at stake.
Although Opinion 6/2014 was issued to favor a uniform interpretation of the Di-

Directive 95/46 then in force, repealed by the RGPD, given the almost total identity between
its article 7.f) and article 6.1.f) of the RGPD

Article 7, letter f) of said Directive indicated:

“Member States shall provide for the processing of personal data only to be carried out
act if: it is necessary to satisfy the legitimate interest pursued by the person responsible
or by the third party or third parties to whom the data is communicated, provided that they do not present
the interest for the fundamental rights and freedoms of the interested party that requires
are protected under Article 1(1) of this Directive”.

Article 6.1.f) of the RGPD indicates:

"1. The treatment will only be lawful if at least one of the following is met

conditions:

f) the treatment is necessary for the satisfaction of legitimate interests pursued by
the data controller or by a third party, provided that said interests are not
prevail the interests or the fundamental rights and freedoms of the interested party that
require the protection of personal data, in particular when the interested party is a

little boy."

The Opinion underlines, first of all, that the implication that the data controller
ment may have in the data processing carried out is that of "interest", which is a
broader concept than that of fundamental rights and freedoms, hence with respect to

those affected are weighed not only their fundamental rights and freedoms but also
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/23








well their “interests”. The "interest" of the person responsible for the treatment -according to the ar-
article 6.1.f) of the RGPD and before article 7.f) of the Directive- must be "legitimate", which
means, says the Opinion, that it must be respectful of national legislation and of the

EU. In addition, the treatment must be the necessary one, so that they are always preferred.
pre less invasive means to serve the same end. If the respondent has had students
us who have taken courses that can be counted in the training section, about those
people could establish an information mechanism for calls, but that is not
the case, what it establishes is in general, the information for any person
access your website.

On the impact that data processing has on the interested parties, the Opinion

that the more “negative” or “uncertain” the impact of the treatment may be, the more important it is
likely that the processing as a whole can be considered legitimate. It fits
here the assessment of the nature of the personal data that have been processed
process, if the data has been made available to the public by the interested party or by a third party.
zero, a fact -says the Opinion- that can be an evaluation factor especially if the
publication was carried out with a reasonable expectation of data reuse

for certain purposes. Reuse that, by the way, has its specific rules and re-
references to data protection.

The way in which the person in charge treats the data; whether they have been disclosed to the public or
made available to a large number of people or if large amounts of data are
process or combine with other data creating profiles must also be taken into account.
The Opinion also considers it pertinent when evaluating the impact of the treatment to analyze the pos-

tion of the person in charge of the treatment and of the interested party; their position may be more or less
us dominant with respect to the interested party depending on whether the data controller
you are a person, a small organization or a large company, even a company
multinational.

So that section f) of article 6.1. RGPD may constitute the legitimizing basis of the
processing of personal data that is carried out, mandatory, and on a pre-
saw the treatment, a weighting of the rights and interests at stake must be made:

the legitimate interest of the data controller, on the one hand, and on the other, both the
rights and fundamental freedoms of those affected. weighting that
it is essential because only when as a result of it prevails the legitimate interest
of the person in charge of the treatment on the rights or interests of the owners of the data.
The aforementioned interest may operate as a legal basis for the treatment.

The aforementioned Opinion refers to the multiple factors that can operate in the
weighting of the interests at stake and groups them into these categories:

(a) The evaluation of the legitimate interest of the data controller;

(b) the impact on data subjects, emphasizing that the claim is not that the treatment

processing of data carried out by the person in charge does not have any negative impact on the
stakeholders but to prevent the impact from being “disproportionate”;

(c) the provisional balance and

 (d) additional guarantees.

In light of the elements that affect the interests and the rights and freedoms in
conflict, it is not appreciated in the processing of personal data on which the claim deals.
mation, as it is proposed, and with the elements that make it up, can be considered
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/23








as a prevailing legitimate interest of the person in charge over those affected that may operate
rar as legitimizing cause of the treatment, for:

-The treatment carried out is not usual in the claimed, which casts doubt on whether
necessary, since it is usual to indicate the reference and a link in the news section.
She herself declares that she is not part of the records of treatment activities that

develops, being an exceptional case. It doesn't seem very normal for development
occasional treatment that goes beyond what is usually carried out, go to a
basis on which a balance of rights and risks of those affected must be made.

-The origin of the data is not informed, especially those affected, its origin, its

purpose, its legitimizing basis. For the people included in the list, who gave their
data based on legal and specific expectations regarding the selection process,
it can suppose a surprising treatment the fact of going out in lists to which it is not
difficult to access on GOOGLE, and that they do not know anything and may not find out when
regard.


-The treatment carried out that has been revealed at least was that of an exclusive listing
on duty (...) and that is published under the generic formula that some people have
made training courses that could count in said call.

-In addition, the revelation remained for an excessive time, which is not justified given

which was a provisional score, being withdrawn in January 2022, having started to
end of 2019, deducing that the principle of data conservation was not followed
properly analyzed.

-The respondent states that the impact on the rights of the affected party is different if their

data is exposed on a website, but this could only be related to one aspect
of the risk, without indicating the different risks and impacts to be considered, nor
details or describes the impact derived from the publication on its website, without accrediting
that the claimant had any relationship with her, neither describes nor relates it to
its effects, or details the probability of its occurrence.



-Finally, the guarantee of the right to oppose the treatment that must be
include any legal basis that is based on said alleged interest. (21.1. RGPD).



Regarding the allegation that his explanation of the concurrence of the legitimate interest
is well-founded and plausible, to point out in addition to all of the above, that the treatment
that carries out the claimed is different from that of the entity convening the tests
selective not only because of the different legal basis for collecting health data such as data
disabled, and purpose, but because the treatment of the claimed is a

reworking of the original source, presenting the information in a different way than
It is for informational purposes, and also contains the aforementioned health information.

                                             IV



Article 83.5.a) of the RGPD refers to this infringement, which indicates:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/23








“The infractions of the following dispositions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of
of a company, of an amount equivalent to a maximum of 4% of the volume of

Total annual global business of the previous financial year, opting for the one with the highest
amount:

a) the basic principles for the treatment, including the conditions for the consent
tion under articles 5, 6, 7 and 9;”


  The LOPDGDD indicates in its article 72:

  "1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose a

substantial violation of the articles mentioned therein and, in particular, the
following:

b) The processing of personal data without the concurrence of any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679.

In addition, among the corrective powers contemplated in article 58 of the RGPD, in its
section 2, it is determined that “each control authority may”:

“d) order the person responsible or in charge of the treatment that the operations of

treatment comply with the provisions of this Regulation, where appropriate, in accordance with
a certain way and within a specified period…”.


i) impose an administrative fine under article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;"


The complainant requested the elimination of the URL in which her data appears, which appears
along with those of other candidates in the same circumstances. Article 17 of the GDPR
indicates:


“The interested party shall have the right to obtain, without undue delay, from the person responsible for
treatment the deletion of personal data that concerns you, which will be
obliged to delete personal data without undue delay when any of the
the following circumstances:


a) the personal data is no longer necessary in relation to the purposes for which
were collected or otherwise treated;
[…]”

d) the personal data has been illicitly processed;”


In this case, the respondent has not given any explanation about the claim and the
Data is treated outside of the expectations that candidates have when participating in
a selection process, being data related to health, of a
therefore, the imposition of an administrative fine is considered appropriate.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/23













                                              v

The determination of the sanctions that should be imposed in this case requires observing
var the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively,
have the following:

    "1. Each control authority will guarantee that the imposition of administrative fines

under this article for infringements of this Regulation indicated
in sections 4, 9 and 6 are in each individual case effective, proportionate and di-
persuasive.”

    "two. Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures referred to in article
58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its
amount in each individual case shall be duly taken into account:


a) the nature, seriousness and duration of the offence, taking into account the nature,
scope or purpose of the treatment operation in question, as well as the number
of interested parties affected and the level of damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to alleviate
the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or of the person in charge of the treatment,
account of the technical or organizational measures that they have applied under the articles
titles 25 and 32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;

f) the degree of cooperation with the supervisory authority in order to remedy the

infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular

whether the controller or processor reported the breach and, if so, to what extent;

i) when the measures indicated in article 58, section 2, have been ordered prior to
directly against the person in charge or the person in charge in question in relation to the same
matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or certification mechanisms
cation approved under article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or indirectly.
you, through the infraction.” Within this section, the LOPDGDD contemplates in its

Article 76, entitled “Sanctions and corrective measures”:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/23








  "1. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria established

in section 2 of the aforementioned article.

  2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:

  a) The continuing nature of the offence.


  b) The link between the activity of the offender and the performance of data processing
personal.

  c) The profits obtained as a result of committing the offence.


  d) The possibility that the conduct of the affected party could have induced the commission
of the offence.

  e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.


  f) Affectation of the rights of minors.

  g) Have, when not mandatory, a data protection delegate.

  h) Submission by the person in charge or person in charge, on a voluntary basis, to

alternative conflict resolution mechanisms, in those cases in which
there are disputes between them and any interested party.



The defendant in her allegations considers the amount disproportionate, considering:


-It is a micro-enterprise,

-the purpose of the treatment was to improve access to information, having a
not alphabetical order of the interested parties, but by punctuation.


-It would advocate the dissolution of the entity, for which it does not provide figures.

-Considers that the infringement cannot be described as "continued", as it still appears
the "same information" on the SERGAS website.


-The damage to the claimant is not credited.

-There is no intentionality.

-There are no benefits.


In accordance with the precepts transcribed, in order to set the amount of the sanction of
fine to be imposed in the present case for the infraction in article 83.5.a) of the RGPD, of
which the defendant is held responsible, are considered concurrent as aggravating circumstances

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/23








the following factors that reveal greater unlawfulness and/or culpability in the
defendant's conduct:


-Article 83.2.a) RGPD: “Nature, seriousness and duration of the infraction taking into account
account the nature, scope or purpose of the processing operation in question
as well as the number of interested parties affected and the level of damages that
have suffered." These are treatments related to selective processes, and data
that were provided at the time for a specific purpose in a process
determined, not collecting directly from the claimed data, processed on a website,

their own, so that it is difficult for those affected to find out, amounting to data from
95 people, identifying them by name and surname.

-Article 83.2.b) GDPR. “Intentionality or negligence in the infringement”: Aspect that
relates the execution of the action to the subject, in the sense of not only imputability

of the infraction to its responsible, but the fact of being able to aggravate or reduce the sanction
depending on the degree of guilt. Regarding the imputability to the responsible subject, the
principle of culpability, prevents the admission in the sanctioning administrative law of
strict liability, although it is also true that the absence of intentionality
It is secondary since this type of infraction is normally committed by a
guilty or negligent action, which is sufficient to integrate the subjective element of

the blame. What is valued in this section is its analysis for the graduation of the
sanction (art 40 LRJPAC), observing the specific diligence displayed in the action by
responsible, which excludes the imposition of a sanction, solely based on the mere
result, that is to say to the principle of strict liability. In this specific case, it
produces a lack of diligence that means that when handling data, extreme care must be taken

precautions, and here it does not seem that it has been taken into account, therefore it is not considered that
the intentional element intervenes.

-Article 83.2.d) GDPR. “Degree of responsibility of the person in charge”: The degree of
responsibility of the person in charge is relevant, being the owner of a web page in which

offers services, has created a list incorporating data from the official headquarters that treats them,
with its own purpose for its services, being its full responsibility.

-Article 83.2.g) GDPR. “Categories of personal data affected by the infringement”: The
data is health data, "special", by reference to the key, which is not difficult to
interpret since the link also carries the description.


-article 76.2.a) LOPDGDD: “The continuing nature of the infraction”, estimation of more
of a year and a half, the treatment begins on 12/2/2019, the complaint is from July 21,
predictably, the damage to the legal asset may continue, in this case it does so until
receive the initial agreement, constituting what diverse and repeated sentences

identified as a "permanent violation". (- which are characterized because the conduct
constituting a single offense is maintained for a prolonged period of time
(SAN, September 21, 2001 (Rec 95/2000), Supreme Court, Third Chamber, of the
Contentious-administrative, Section 3, Judgment 978/2020 of July 9, 2020, Rec.
4700/2019). In addition, it must be added that the claimed party receives in the transfer of the

claim the facts and knowing them, could then act, not proceeding to
this but after receiving the start agreement, January 2022, dilating the treatment period
of data. On the other hand, the fact that the SERGAS website continues to be exposed or not,
It does not serve as a mitigating factor for the claim.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/23









The fact that the claimed party was not
sanctioned previously, that is, not being a repeat offender. The sentence of the AN, of

05/05/2021, Rec. 1437/2020, indicates: "It considers, on the other hand, that it should be appreciated as
extenuating the non-commission of a previous infraction. Well, article 83.2 of the RGPD
establishes that it must be taken into account for the imposition of the administrative fine, among
others, the circumstance "e) any previous infraction committed by the person in charge or the
in charge of the treatment". This is an aggravating circumstance, the fact that
concurrence of the budget for its application entails that it cannot be taken into

consideration, but does not imply or allow, as claimed by the plaintiff, its application as
extenuating."

Nor is the lack of benefits obtained that is deduced from a
incorrect interpretation of article 76.2.c) of the LOPDGDD, incardinated as a reference
of 83.2.k) of the RGPD: "any other aggravating or mitigating factor applicable to the
circumstances of the case, such as the financial benefits obtained or the losses

avoided, directly or indirectly, through the infraction”, when indicating as such: “The
benefits obtained as a result of the commission of the infraction. This, for several
reasons.

-The literal of the article refers not to the benefits not obtained, but to "The benefits

obtained as a consequence of committing the infraction” (76.2.c LOPDGDD).

-In any case, the administrative fines established in the RGPD, in accordance with the
established in its article 83.2, are imposed based on the circumstances of each
individual case and, at present, the absence of benefits is not considered to be a

adequate and decisive grading factor to assess the seriousness of the behavior
offending Only in the event that this absence of benefits is relevant to
determine the degree of illegality and guilt present in the specific action
infringer may be considered as a mitigating circumstance.

-If to this we add that the sanctions must be effective "in each individual case",

proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD,
admitting the absence of benefits as a mitigating factor is not only contrary to the
presuppositions of facts contemplated in article 76.2.c), but also contrary to what
established in article 83.2.k) of the RGPD and the indicated principles.


Thus, assessing the absence of benefits as a mitigating factor would nullify the dissuasive effect
of the fine, to the extent that it reduces the effect of the circumstances that affect
effectively in its quantification, reporting to the person in charge a benefit that is not
has made worthy. It would be an artificial reduction of the sanction that can lead to understand
that violating the norm without obtaining benefits, financial or of any kind, does not

will produce a negative effect proportional to the seriousness of the infringing act nor is it a
reprehensible conduct.

Considering the exposed factors, the valuation that reaches the fine for the infraction
imputed is 12,000 euros.


Therefore, in accordance with the applicable legislation and having assessed the criteria for

graduation of sanctions whose existence has been proven,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/23









the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE SEAN SERIOS S.L., with NIF B70528989, for an infringement of the
article 6.1 of the RGPD, typified in article 83.5 a) of the RGPD, and for the purposes of
prescription in article 72.1.b) of the LOPDGDD, a fine of 12,000 euros, of
in accordance with articles 83.2 a), b) d) of the RGPD and 76.2.a) of the LOPDGDD.



SECOND: NOTIFY this resolution to SEAN SERIOS S.L.

THIRD: Warn the sanctioned party that he must make the imposed sanction effective once
Once this resolution is enforceable, in accordance with the provisions of art.
98.1.b) of Law 39/2015, of 1/10, of the Common Administrative Procedure of the

Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Real
Decree 939/2005, of 07/29, in relation to art. 62 of Law 58/2003, of 12/17,
by entering, indicating the NIF of the sanctioned person and the number of the procedure that
appears at the top of this document, in the restricted account number ES00 0000
0000 0000 0000 0000, opened on behalf of the Spanish Data Protection Agency

in the banking entity CAIXABANK, S.A.. Otherwise, it will be processed
collection in executive period.

Received the notification and once executed, if the date of execution is between
on the 1st and 15th of each month, both inclusive, the deadline to make the voluntary payment

will be until the 20th day of the following month or immediately after, and if it is between
On the 16th and last day of each month, both inclusive, the payment term will be until the 5th of
second following business month or immediately following.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the Director
of the Spanish Agency for Data Protection within a period of one month from the

day following the notification of this resolution or directly contentious appeal
before the Contentious-Administrative Chamber of the National High Court,
in accordance with the provisions of article 25 and paragraph 5 of the additional provision
fourth of Law 29/1998, of 13/07, regulating the Contentious Jurisdiction-
administrative, within a period of two months from the day following the notification

of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the interested party
states its intention to file a contentious-administrative appeal. If this is the

In this case, the interested party must formally communicate this fact in writing addressed to
the Spanish Agency for Data Protection, presenting it through the Registry
Electronic Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through
any of the other records provided for in art. 16.4 of the aforementioned LPCAP. Also

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/23









must transfer to the Agency the documentation that accredits the effective filing of the

Sponsored links. If the Agency were not aware of the
filing of the contentious-administrative appeal within two months from the
day following the notification of this resolution, the suspension would end
precautionary



                                                                                    938-120722

Sea Spain Marti
Director of the Spanish Data Protection Agency





















































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es