AEPD (Spain) - EXP202102056
| AEPD - EXP202102056 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 30 GDPR Article 32 GDPR Article 58(2) GDPR Article 83 GDPR Article 99 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 06.01.2023 |
| Published: | 06.01.2023 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | EXP202102056 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEDP (in ES) |
| Initial Contributor: | ANASTASIA TSERMENIDOU |
The Spanish DPA issued a reprimand and determined that the Island Council of El Hierro adjust the publications on its transparency portal, reconciling its obligation to publish acts of public interest with the protection of personal data.
English Summary
Facts
A Google search of the data subject's name brought as a first result the transparency page of the Island Council of El Hierro. On this webpage, there were records of a plenary session held during the administrative procedures to segregate and establish the municipality of El Pinar. These records contained personal data of 3,996 individuals. Upon becoming aware of the fact, the data subject filed a complaint with the Spanish DPA claiming that they did not consent with the publication of their data. In response, the Island Council (data controller) sustained that the publication did not require consent as the data were necessary to build public opinion and reach a consensus on the topic among the population. For this reason, it alleged that the purposes of the processing were statistical and of public interest. While conceding that it violated GDPR principles, the controller argued that the regulation was not yet in place at the time of the publication.
Holding
The Spanish DPA recognized that the website aimed to promote transparency in public activity, ensuring compliance with public disclosure obligations and safeguarding the right to access public information. However, it highlighted that these purposes shall be fulfilled in accordance with the principles of data minimization and storage limitation provided for by Articles 5(c) and (e) GDPR. The DPA also acknowledged that the disclosure of personal data to third-parties took place in the absence of an effective personal data protection regulation, but stated that the data controller should have adapted its practices to the GDPR within a period of two years after its entry into force as provided for by Recital 171. It considered the removal of personal data from the publication as a positive measure, but emphasized that the controller needs to implement technical and organisational measures to ensure an appropriate level of security as required by Article 32 GDPR. In the understanding of the AEDP, the failures of the controller constituted a violation of its duty of integrity, confidentiality and security in the processing of personal data. For this reason, it issued a reprimand on the controller for infringing Articles 5(1)(f) and 32 GDPR. .
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/19
BACKGROUND
SEGREGACIÓN DE EL PINAR", which includes numerous personal data.
The document contains an annex with the title: "ALLEGATIONS FILE OF
• File No.: EXP202102056
SEGREGACIÓN DE EL PINAR", which includes numerous personal data.
- URL.1
The document is a record of a plenary session of the Island Council of El Hierro in 2007, in which the matter "REPORT - RESOLUTION PROPOSAL OF THE ISLAND COUNCIL OF EL HIERRO IN THE SEGREGATION FILE OF EL PINAR" was discussed. FIRST: AAA (hereinafter, the complaining party) on July 27, 2021 filed a claim with the Spanish Agency for Data Protection. The claim is directed against the ISLAND COUNCIL OF EL HIERRO with NIF P3800003J (hereinafter, the claimed party/ the COUNCIL). The reasons on which the claim is based are the following: The record is incorporated into the file. The web address in question is: THIRD: In accordance with article 65.4 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party, the TOWN HALL, to proceed with its analysis and inform this Agency within the term RESOLUTION OF SANCTIONING PROCEDURE SECOND: In order to verify the existence of the facts denounced, in September 2021, a search was carried out on Google for the name and surname of the claimant, the first result that appears indexed in the search engine is "REPORT - PROPOSAL FOR A RESOLUTION OF THE COUNCIL ISLAND OF EL HIERRO IN THE EL PINAR SEGREGATION FILE"; the screenshot of the search carried out is incorporated into the file. Of the procedure instructed by the Spanish Agency for Data Protection and based on the following By accessing the link of that first result, you can access the minutes of an extraordinary plenary session of the Island Council of El Hierro in 2007, in which the matter "REPORT - RESOLUTION PROPOSAL OF THE ISLAND COUNCIL OF EL HIERRO IN THE SEGREGATION FILE OF EL PINEWOOD". The document contains an annex with the title: "ALLEGATIONS FILE OF C / Jorge Juan, 6 28001 – Madrid www.aepd.es sedeagpd.gob.es Machine Translated by Google 2/19 On 09/23/2021, the Data Protection Delegate of the CABILDO presents a letter addressed to the AEPD in which he communicates that he has received the following email from the AEPD: "On 09/17/2021, to the data controller "CABILDO DE EL HIERRO" has been sent a notification from the AEPD by NOTIFIC@, which informs you in your capacity as Delegate of Data Protection of this entity" and asks how can you find out which person in charge has received the notification or what notification is it referring to? Because the email does not indicate any additional information. letter of "Request for additional documentation", which was collected on 11/02/2021 as stated in the acknowledgment of receipt that is in the file. of one month, of the actions carried out to adapt to the requirements established in the data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 09/23/2021 as stated in the acknowledgment of receipt that appears in the file. In this regard, it should be noted, first of all, that the notice to the email address informing you of the availability of a notification in the electronic headquarters of the corresponding Administration or in the unique enabled electronic address is an obligation of the Public Administrations , in accordance with the provisions of article 41.6. of Law 39/2015, of October 1, on Common Administrative Procedure, which establishes that: “6. Regardless of whether the notification is made on paper or by electronic means, the Public Administrations will send a notice to the electronic device and/ or to the email address of the interested party that they have communicated, informing them of the availability of a notification on the electronic headquarters of the corresponding Administration or Organization or at the unique authorized electronic address. The lack of practice of this notice will not prevent the notification from being considered fully valid. As of the date of admission for processing of the claim presented, no response had been received either to the letter of transfer or to the request for additional information. And secondly, it should be noted that the notification was sent to the CABILDO DE EL HIERRO and referred to the request for information on the claim presented by the claimant. FOURTH: On December 23, 2021, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant was admitted for processing. In response to the aforementioned letter dated 10/29/2021, it is sent to the DPD of the CABILDO C / Jorge Juan, 6 28001 – Madrid www.aepd.es sedeagpd.gob.es Machine Translated by Google C / Jorge Juan, 6 28001 – Madrid www.aepd.es sedeagpd.gob.es 3/19 These screenshots are incorporated into the file by diligence. - Warning for a violation of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: On 03/02/2022, a Google search was carried out for the name and surname of the claimant, the "REPORT - RESOLUTION PROPOSAL OF THE ISLAND COUNCIL OF EL HIERRO IN THE SEGREGATION FILE OF EL PINEWOOD". Likewise, it is verified that when trying to access the URL in which the data object of the formulated claim supposedly appeared: ***URL.1, gives an error, indicating the non-availability of the information contained in the web page with which it is no longer possible to access the document containing the minutes of the extraordinary plenary session of the Island Council of El Hierro in 2007, in which the matter was discussed " REPORT - PROPOSED RESOLUTION OF THE ISLAND COUNCIL OF EL HIERRO IN THE FILE OF SEGREGATION OF EL PINAR" SIXTH: On March 17, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against the claimed party, for the alleged violations of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR and of Article 32 of the GDPR, typified in Article 83.4 of the GDPR. In order to issue said resolution proposal, it was taken into account that once the initiation agreement was notified, on 04/25/2022 the claimed party submitted a brief in which, in summary, it stated that it acknowledged receipt of the brief sent by the Spanish Agency for the Protection of Data, in relation to the initiation of disciplinary proceedings for a claim made by Mr. AAA, No. XXXXXXXXX (complaint transfer document), for which the information indicated below is requested to be analyzed and forwarded: - Warning, for a violation of Article 30 of the GDPR, typified in Article 83.4 of the GDPR. SEVENTH: On July 4, 2022, a resolution proposal was formulated, proposing that the Director of the Spanish Agency for Data Protection sanction three warnings for each of the infractions imputed to the - Warning, for a violation of Article 32 of the GDPR, typified in Article 83.4 of the GDPR. COUNCIL OF EL HIERRO with NIF P3800003J: And, likewise, it was proposed that the Director of the Spanish Data Protection Agency impose on the ISLAND COUNCIL OF EL HIERRO, with NIF P3800003J, the adoption of measures to adapt their personal data processing to the requirements of the regulations of data protection, specifically, the performance of the Risk Analysis, the adoption of the security measures derived from them, the preparation of a register of treatment activities and the publication of the inventory of the Register of data treatment activities. for which the COUNCIL is responsible, as well as the contribution of means accrediting compliance with what is required, by virtue of the provisions of article 58.2 of the GDPR. Machine Translated by Google 4/19 “Regarding point 1.- Detailed description of the facts: After overcoming the different processes and requirements of a diverse nature (administrative, economic, popular...), on April 17, 2007, the proposal for segregation and constitution of the municipality of El Pinar was approved by the Extraordinary Plenary of the Plenary of the Island Council; The Minutes of said plenary session were published on the transparency portal (at that time the general portal) of the Cabildo de El Hierro. Likewise, the Cabildo indicates that the communication of the data between administrations and to a third party did not require the consent of the affected party since the purpose of these data was to be processed for statistical purposes for a matter of public interest, in accordance with article 11 section E) of the mentioned norm. And it is that this hearing process was necessary in accordance with article 84 of the already repealed Law 30/1992, on the Legal Regime of Public Administrations and the common Administrative Procedure, which establishes that "before the drafting of the resolution proposal, to process the hearing for the interested parties so that they could reveal the allegations, information and data necessary or related to the file.” The CABILDO certifies that on October 18, 2006, the necessary procedures were initiated in the different administrations for the start of the segregation and constitution of the new municipality of El Pinar, on the Island of El Hierro, in accordance with Royal Decree 1690/1986 , of July 11, which approves the Regulation of Population and Territorial Demarcation of Local Entities. Regarding points 2 to 5.- Regarding the causes of the incident and the information on those affected: The Cabildo also indicates that the gap between the information published in 2007 and the regulatory requirements subsequently required affects 3,996 people residing in the segregated municipality and extra-municipal stakeholders, whose published data is of a personal nature, through which those affected can see affected their right to intimacy, privacy or inviolability of the home, among others. The Cabildo recalls that at that time there were no regulations of an insular or autonomous nature regarding this issue, so Law 15/1999, of December 13, regarding the protection of personal data was applicable. And that this gap has been caused not by the malpractice or error in law of our corporation, but by the absence (justified, since there was no imperative norm that regulated this function) at that time of a system of transparency and protection of the personal data as effective and rigorous as that which exists today. That no information related to the ideology, religion or beliefs of the affected person has been published. 28001 – Madrid www.aepd.es sedeagpd.gob.es C / Jorge Juan, 6 Machine Translated by Google
