AEPD (Spain) - EXP202104896

From GDPRhub
Revision as of 13:27, 3 April 2023 by Ba (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - EXP202104896
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 9(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 10.000 EUR
Parties: n/a
National Case Number/Name: EXP202104896
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Bernardo Armentano

AEPD held that the requirement of a vaccine passport or a negative test for Covid-19 to access a table tennis test site violated Article 9(2) GDPR, The controller was fined 10.000 euros.

English Summary

Facts

Federación Nacional de Tenis de Mesa, the data controller, organized a test for certification of table tennis coaches. After registering for the test, the data subject received an email requiring the submission of a Covid-19 vaccine passport or a negative PCR test in order to be allowed to access the location where the test was going to take place. In response, the data subject argued that such a requirement needed a legitimate basis. Before the day of the test, the controller sent a list to the owner of the location informing the name and the identity number of those who have met the entry requirements. The data subject filed a complaint with the Spanish DPA claiming that they were forced to provide information about their health. The data controller alleged that the purpose of the data processing was preventing the spread of COVID-19. According to the controller, the processing was necessary to protect vital interests of the participants and was carried out in the public interest in collaboration with the Public Administration.

Holding

First, the AEPD emphasized that the approval of sanitary rules must be made in accordance with the general prevention and hygiene measures against COVID-19 indicated by public health authorities. In the case at hand, it observed that the sanitary regulations in force at the time of the test did not require vaccination certificates or any diagnostic infection tests, such as PCR. The AEPD also recalled that exam participants are not employees and, therefore, not subject to occupational risk prevention laws. With regard to the alleged legal basis for the processing of health data, the AEPD rejected the vital interest clause as participants were able to give their consent. Similarly, it considered that sports federation are not public entities and, for this reason, cannot rely on public interests nor on the exercise of public powers. In addition, the AEPD pointed out that there were other measures that were less intrusive to the privacy of the participants. For instance, it would be sufficient to request them to show said documents when entering the test site. For these reasons, the AEPD ruled that the data controller did not have a legal basis for the processing of health data and concluded that they violated Article 9(2) GDPR, imposing a fine of 10.000 euros on the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/33








     File No.: EXP202104896



                - RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
the following



                                    BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) on 11/8/2021 filed
claim before the Spanish Data Protection Agency. The claim is directed
against ROYAL SPANISH FEDERATION OF TABLE TENNIS with NIF Q2878038E,

(RFETM), and against the SUPERIOR SPORTS COUNCIL, (CSD). The reasons on which
The claim is based on the following:

On 11/20/2021, he had to appear to take the tennis coach exam
table in the facilities of the ***RESIDENCIA.1, Madrid, dependent on the CSD.
On 11/2/2021, he received an email of which he provides a copy, from RFETM (sports management)

in which they explain based on a previous email, by indicating "I understand what we
comment" and indicates that: "the Residence establishes as a mandatory requirement to be able to
access its facilities be vaccinated. They ask us as a Federation, that
Let's certify that all attendees have the full vaccine schedule. For
For this we need attendees to certify that they have completed the vaccination through

of a document that accredits it."" ... I propose that you send the document to the
RFETM medical adviser, Doctor..., in order for your medical data to remain
protected. The doctor's email is …@gmail.com. In case of not proving that you have
with the vaccine we cannot certify that you have it. We just need you to help us
be able to find a solution."


You consider that you are required to deliver documents related to your health data and
I don't know if there is an obligation.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5/12, of
Protection of Personal Data and guarantee of digital rights (hereinafter

LOPDGDD), on 11/29/2021 the claim was transferred to the RFETM and the CSD so that they
proceed to their analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.


Although the notification was validly made for both entities, only the
RFETM on 12/28/2021, indicating:

1) The coach exams are called by the RFETM for those who wish to obtain the
title, in accordance with the powers regulated in Sports Law 10/1990 of

10/15.

2) As a consequence of the pandemic, in order to be able to take the exam in the
Residence facilities, "it is necessary in accordance with the applicable regulations

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/33








in this regard, the monitoring of a health protocol, in order to preserve the health of
all participants, members of the Residence and members of the RFETM
(workers).”


"The protocol was prepared jointly by the Federation and the Department of
CSD facilities, by virtue of the obligations imposed on the Federation and the CSD
as organizer of the activity and owner of the center where the tests were carried out,
among other regulations, by law 2/2021, of 03/29, on urgent prevention measures
containment and coordination to deal with the health crisis caused by the

COVID-19, articles 5, 15 and 16 in order not to spread the virus and preserve health.”
It does not provide a copy of the protocol.

3) By email, all applicants for the exam were informed, including the
claimant, that for access to the examination room "they had to provide the certificate of

vaccination well to an email address of the Director of Activities
Sports or through their simple display at the entrance to the classroom.”

4) The claimant initially opposed submitting the certificate, requesting its withdrawal
of said requirement, responding the Federation "on 2/11 and by the same means of
send the document to the medical adviser of the Royal Federation, the doctor... in order to

that your medical data is protected", without the defendant taking advantage of this
alternative.

However, those responsible for "Training, and the course, of the RFETM continued in
its attempt to offer alternatives" and a solution to the claimant, "offering him the possibility of

to provide at the time of the examination a PCR test carried out
within the previous 72 hours, which would allow us to safeguard their own integrity and the
integrity of the rest of the participants, informing to this effect by telephone to the
interested in dates prior to the exam.“


Provide a copy of the letter of 11/11/2021, addressed to the claimant in which he gives the two
alternatives.

“However, and in response to the brief presented on his behalf by his lawyer,
objecting to presenting the vaccination certificate, dated 11/18, he was answered in
the same sense in which he had been informed by telephone, that is, offering him

the alternative to presenting the negative certificate of the PCR test”. Provide a copy of writing
the one offered by the two alternatives.

"On the day appointed for the examination, the claimant appeared at the place and at
the indicated time, and exhibited at the entrance of the same, negative certificate of the PCR Test,

within 72 hours prior to the activity, allowing access to the facility and
being able to perform the test."

5) “Once the activity was finished, all vaccination certificates were destroyed
COVID-19 of the rest of the students sent to the email address of the

responsible for the treatment, which were sent freely and with consent, and with
knowledge of the purpose of the health data requirement”.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/33








6) Considers that “in accordance with art. 6 of the GDPR, the processing of
data, when at least one of the following conditions is met, the interested party gave
your consent for one or more specific purposes, as the case may be; the treatment is

necessary to protect vital interests of the data subject or of another natural person, objective
end of the protocol adopted by the CSD and the RFETM”.

“On the other hand, as it deals with data that could be considered special categories, the
processing is justified (mere display) under art. 9 h) of the aforementioned GDPR
in order to prevent the rights of the workers of the RFETM and the residence of

athletes, and for the purposes of social utility, already mentioned, of prevention of spread
of the virus, in sports facilities, the residence of athletes from Alto
performance "JOAQUIN BLUME" In this sense, also refer to the regulations
on occupational risk prevention, since there are labor personnel in the same, being a
obligation of the companies, in accordance with the instructions of the Ministry of Health and the

aforementioned regulations, to establish all the necessary measures to preserve the health
and the spread of the virus

7) They have not proceeded to the data processing but have limited themselves to verifying that
the necessary circumstances were present to be able to attend the
sports center dependent on the CSD, in accordance with the protocol established for this purpose.


It considers that the data has not been processed, has not been stored, limiting itself to the
mere examination of the documentation that validated access to sports facilities.
"No list of people excluded or included has been carried out, nor has
proceeded to no storage of said data.”


The interested party had two alternatives: medical certificate of vaccination or negative PCR, and
exhibiting the latter, they consider that this measure was not established as mandatory,
but as an alternative and always on a voluntary basis.


“The claimant only showed the result of the test, without providing or collecting any data
identification of the same, but an opposition to the requirements of access to a venue
closed property of the CSD.”

“The decision to request the COVID certificate, or failing that, the PCR test, was a
measure agreed between facilities of the Higher Sports Council and the Royal

Spanish Table Tennis Federation”.

THIRD: On 01/24/2022, in accordance with article 65 of the LOPDGDD, the
admitted for processing the claim presented by the claimant.


ROOM; On 05/03/2022, the Director of the AEPD agreed:

"START SANCTION PROCEDURE against ROYAL SPANISH FEDERATION OF
TABLE TENNIS, with NIF Q2878038E, for the alleged violation of the articles:


-6.1 of the GDPR, in accordance with article 83.5.a) of the GDPR and article 72.1.b) of
the LOPDGDD.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/33








-9.2 of the GDPR, in accordance with article 83.5.a) of the GDPR and article 72.1.e) of
the LOPDGDD. “


"For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, on Procedure
Common Administrative Law of Public Administrations, the sanctions that could
correspond would be 6,000 euros and 10,000 euros, without prejudice to what results from
The instruction."

FIFTH: The defendant makes allegations on 05/17/2022, indicating:


1) The exam that was held on 11/20/2021, was the last test of the completion of the
compulsory face-to-face part of a call for the level 1 sports technician course in
table tennis, summoned through circular 43, season 2020/2021, dated
03/16/2021. It does not appear from the access requirements that at the time of the course
You must have a federal license.


2) On 10/14/2021, an email was received from the CSD that addressed all the Federations
in which it was notified "updating of access regulations to the Center for High
Yield (CAR)", indicating that the "complete vaccination schedule" was necessary and "if
could not be due to a medical prescription, it would be necessary to provide a proof of

antigen or PCR no older than 24 hours”. It also required the submission of two
lists "certifying complete vaccination", one with athletes (internal scholarship recipients,
external and long-lasting concentrates, and another with those authorized to use
facilities-attached file to provide the requested information-, having the
Rules effective from 10/25/2021. Provide a copy of the email sent that so

testifies in which it is appreciated that it is due to "the changes in the protocols of the Covid-
19 and given the evolution of the pandemic and the preventive measures that have been taken”,
As recipients, the multiple Spanish Federations appear.

3) On 10/15/2021, the defendant informed the students that access to the exam
in the CAR, required, at the request of the center, the "COVID passport". It does, however, provide...

an email dated 05/15/2022, addressed from the formation of the defendant, to different emails, from
informative type about the exam that will be in the Blume Residence, and "to access there it is
the COVID passport is necessary” ”We would need you to send us your passport
COVID to this email”.


4) Provide the claimant, a copy of the claimant's email dated 10/26/2021, of which the following stands out:

– “I am replying to the email dated 10/15/2021 that you sent me, requesting that I send you the
COVID passport as a condition of access to the Residence…”, he continues indicating that
health data is being requested and that a legitimate basis would be required to request them with

In order to access the exam site, whether public or private, "I ask you to confirm
that I can access the > Blume Residence for the common block exam of the course
from > Level 1 Trainer, without sending you the COVID passport.”

-It is followed by another email from the claim of the same day, indicating that it is forwarded to the
responsible.


5) On 11/8/2021, a claim was received on behalf of the claimant to be removed-
meet the vaccination requirements.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/33








The defendant states that she "directed several official communications, reiterating the double
possibility of presenting a vaccination certificate or exhibiting a negative test, adding
the mail of the doctor of the entity to which it can be directed, with dates 1 1 and

11/18/2021. All students were able to take advantage of the double option of presenting the
certificate or the negative test, accessing all of them and the training staff of the
Federation to Residence (provides doc 6)”. In it, he addresses exclusively the
claimant, explains that the need to provide the data comes from "regulations
agreed", and that "The regulations for access to the examination site are clear and
includes different options such as the presentation of a negative PCR test performed

within 72 hours prior to taking the exam or submitting the
vaccination schedule certificate. “…unfortunately from the Royal Federation
Table Tennis Association we must indicate that D. must, if he wants to appear at the
exam next Saturday, November 20, meet the requirements established by
those responsible for the facility, in this case the Higher Sports Council, in the

same conditions as the rest of the classmates who will be examined on this date,
thereby protecting public health.

6) He considers that he has a legitimizing basis for the treatment of data, considering that he
Article 8.2 of the LOPDGDD would be applicable, considering that the law from which
derives the treatment that enables the exercise of public powers, acting as

collaborating agent, which was carried out in this case, related to the
training of its sports technicians, is Sports Law 10/1990, which gives the
Federations said public powers. In addition, it reiterates the legitimacy of the treatment
to protect vital interests of the interested party based on the report of the Legal Cabinet
of the AEPD 17/2020 and recital 46 of the GDPR.


He considers that his actions could only be subject to a warning, as indicated by the
article 77 of the LOPDGDD, since he acted in the call and execution of the course of
coaches, public function of an administrative nature, including the part of the
organization and conduct and conditions of said examination in the CAR as well, as

exercise of public functions of an administrative nature, acting in this case as
collaborating agent of the Public Administration, in accordance with article 33.1.d)
of the Sports Law, and under the control and supervision of the CSD.

As a comparison, he gives the example of the disciplinary procedure file, in
Resolution R/00985/2011, which filed and opened an infraction by Public Administration,

according to the then current LOPD, 15/1999.

7) Alludes to the decision of the TS, fourth section contentious administrative chamber,
1112/2021 of 09/14/2021, to certify that the display of the COVID passport does not
violates the right to equality, and that appreciates an objective and reasonable justification for

allow or not access to the corresponding establishment, since it is about the protection
the health and lives of people in a way that prevents or restricts the spread
of the pandemic.

"In the same way, the court rules out the violation of the fundamental right to

Protection of Personal Data when what is established to enter the interior of
a certain establishment is the mere exhibition, that is to say, to teach to show the
Documentation in any of the three required modalities. Without, of course,
can collect the data of those attending such premises, nor can a

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/33








file, nor do a computer processing in this regard" In this case, "the students
They voluntarily chose to send the documentation to the email of the Technical Director of the
RFETM or display it at the entrance to the venue. The CSD was transferred a list with the

names of the members who could access the Center and pass the security control
that the CAR has established"

8) The imposition of the CSD and the good faith of the defendant means that the fact cannot
be considered unlawful, acting in a "state of necessity". The non-request of the
documentation would mean not being able to finish your task.


9) It must be considered that the CAR is a main center of reference in sport,
where more than 250 elite athletes live, hence more regulations are imposed
strict within its contingency plan. The CSD requirement applies to all
people who access the premises of the CSD, and the protocols and contingency plans

adopted by the CSD, come from Order 1362/2021 of 10/21, of the Ministry of
Health of the CCAA of Madrid, by which Order 1244/2021, of 1/10, is modified by
which establishes preventive measures to deal with the health crisis
caused by COVID-19.


 Considers that in view of the special circumstances of the access center, the
epidemiological situation, there is legitimacy for the treatment of data contemplated
in article 9.2 of the GDPR based on section h) and i) of said article. In the first
case, under the guarantee of a professional, the medical doctor of the Federation, B.B.B.,
citing article 9.3 of the GDPR.


10) Regarding economic sanctions, for the infringement of article 6.1 of the GDPR,
contemplated in the provisions of section 83.2.a), indicates that the purpose of the treatment
was to comply with the mandate of the CSD, none of the members of the course that had to
attend the exam suffered any type of damage or harm, since they voluntarily

communicated the requested data, understanding that they carried out a clear action
affirmative.

The circumstances of 83.2.b) of the GDPR would not apply, since the defendant does not have

premises where to carry out public functions of an administrative nature-exams-
must use the premises of the CSD, and abide by the rules on access and use that the
same impose.

Article 83.2.c) of the GDPR has not been taken into account, since the RFETM tried to

accommodate the demands of the CSD to the manifestations against the claimant,
understanding their position and trying to offer new alternatives.

Regarding the amount for the infringement of article 9 of the GDPR, consider the category
of health data would be implicit in the typification, so it cannot be aggravating, and

on that of 83.2.d) of the GDPR, they only requested the strictly necessary data that
were treated, only for the intended purpose, they were not stored, being limited to
communicate to the CSD “that the people who were going to access the premises complied with the
access requirements” imposed by the CSD.


SIXTH: On 11/11/2021, a testing period begins, assuming they have been reproduced
for evidentiary purposes, the claim filed by the claimant and its documentation,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/33








the documents obtained and generated during the phase of admission to processing of the
claim, and previous actions that are part of procedure E/12548/2021.
Likewise, the allegations to the agreement to start the procedure are reproduced

referenced sanctioner, presented by the defendant and the documentation that they
accompanies.

In addition, it is decided to request:

-To the claimed, report or contribution:


a) Number of people who were examined and confirm if all the people who
they took the table tennis sports technician course they had to have a license
federative.

On 11/28/2022, a response is received.


Reproduces the general and specific requirements of circular 43 season 20/21 and in
It is not found that they should be federated, although the defendant states that
all of them were federated on the date of the exam, providing a certificate, adding
A total of 20 students attended.



a) How did you respond to the reasoned request that on behalf of the claimant
Did they register on 11/8/2021 about the non-enforceability of the COVID passport? He moved to
CSD?

He was told that the conditions were imposed by the CSD, and that the RFETM did not
had jurisdiction to modify said protocol.


c) If the verification of entrance to the access to the exam was carried out by personnel of the
claimed or from the CSD, of the residence?, and if they were given any list for verification
of access of people.


He states that access control was carried out by the CSD security service.

The defendant sent to the CSD on 11/19/2021, a list of students who had
presenting a vaccination certificate or negative test. Provide a copy of document number
1, which contains said certificate of students who had presented their "certificate of
vaccination or a negative PCR test in the previous 72 hours”. format contains name
and surnames, and NIF, of 29 people.


"On 11/20, since there were two people not included in the list, a
communication to the CSD and to the surveillance and security service of the same, together with the
claimant who appeared with a negative PCR test on the same day 20 at the gates" and from
which also had to certify. Provide document 2, e-mail in which this is communicated
inclusion with names and surnames in the same terms as those in the list. The message

It is sent with a copy to various addresses with csd domain, including Security and
an address with domain gmail.com, in addition to various addresses of the RFETM.

c) If the possibility of presenting a vaccination certificate or negative test was communicated and
was offered only to the claimant or to other persons, accrediting the communication to

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/33








all participants. If the final admission with antigen test or PCR that uses the
claimant, was consulted by the defendant to the CSD, documents that prove it.
He answers that this possibility “was offered and known by all the students”.

One of the emails that were sent is provided where they are reminded that they can send

vaccination certificate or negative test and this is how it is viewed in document 3, e-mail of
11/17/2021, adding that "for both cases to those who have not already sent it, it is
necessary to send it urgently to ***EMAIL.1.”

He adds that the CSD sent an email on 12/17, which contains new guidelines for
access to the CAR in Madrid

. "-If it is the first time that the Madrid CAR is accessed, the corresponding Federation

will justify the presentation of a negative antigen test, subsequently it will not be requested
test unless they present symptoms, in the case of being vaccinated.

-In case of not being vaccinated, you must present a negative test before accessing the CAR,
In addition, tests will be carried out every 3 days or 72 hours during the period that accesses the CAR.

-In both cases, vaccinated or not vaccinated, if there is an absence of several days per
competition, returns from the weekend or for another reason, they must submit proof of

negative antigen 24 hours in advance maximum. The federations will be
responsible for certifying the results of these tests”

It does not provide a document that verifies that it is from the date indicated and the content.

d) "Copy of the first communication where the literal and date are appreciated, sent to the
claimant, that, in addition to vaccination, he can provide test certificates
diagnoses, likewise the first communication to the rest of the people who were going to

examine."


"In addition, in allegations they stated:"

"In compliance with this obligation, the RFETM, dated October 15, 2021, from
the training department sends an email informing the students that the
The exam will be at the Blume Residence Hall and that in order to access it, the center

requires the COVID passport.”

However, they provided an email dated 05/15/2022, therefore, it is requested: accreditation of the
delivery and content of the text they indicate.

In addition, clarification of why in the referred email it is read that they request "passport
COVID", when the literal of the CSD indicated "complete vaccination schedule" and "if it is not
could by any medical prescription, it would be necessary to provide an antigen test or

PCR no older than 24 hours”.

It indicates that on 10/15/2021, an email was sent from the training department where
students are informed of the location of the exam and that in order to gain access, "the Center
will require the COVID passport” ”The fact that in the arguments phase it was provided and
The May date appears, it must have been due to some error or overlapping of emails
forwarded” “Reference is made to this COVID passport, since the proof of

antigens implied an economic cost for the students and the vaccination certificate
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/33








It was free. However, in other emails and conversations with the students, they were
communicates the double option. This email is the one used during the course to communicate
with the students and there is fluid communication between them and the coaches,

federation staff teachers.

The students understood the situation generated by COVID as logical. The only
student who expressed his qualms in accrediting such extremes, they tried to give him different
solutions.”

e) The protocol requires "sending lists certifying complete vaccination" to the CSD. Mode
and the way in which this communication was put into practice, if it was by sending a copy

of the vaccines, photograph of the same, e-mail et., what information was transferred and
how many were sent, since the instructions of the CSD were received.

The Federation directs to the CSD a list with the students who have accredited the vaccination
o Negative PCR dated 11/19/2021 and on the 20th, another email where the name is attached
of another 3 students, including the claimant's, these lists have already been

provided in document 1 and 2 that contains name and surname and ID of the people
who have provided negative PCR or vaccination certificate without distinction between them, do not
no further documentation or information is transmitted.

The CSD is the one required to be able to access the exam site that the Federation provides
List of students who have the complete vaccination schedule or negative test,
being the obligation of the Federation to comply with the mandate of the CSD to prepare

a list certifying that the students included in it meet these requirements.

f) During the transfer they stated: "As a consequence of the current pandemic situation
caused by COVID 19, to be able to take the level 1 coach exam, in the
premises mentioned, it is necessary in accordance with the applicable regulations in this regard, the
monitoring of a health protocol, in order to preserve the health of all

participants, members of the residence and members of the Royal Spanish Federation of
Table Tennis (workers) The protocol was prepared jointly by the RFETM and
the facilities department of the CSD", details are requested in which the
RFETM of that joint health protocol, and a copy of it if available.


He replied that he did not participate in its preparation, but that his role in front of the

It is limited to "the acceptance and fulfillment of the requisitions that
communicating to the federations”.


g) During the transfer, they stated: that the attendees “should provide a certificate of
vaccination, either to the email address of the activities director
sports, or by simply displaying it at the entrance to the classroom.", then they added:

”The claimant initially opposed submitting the vaccination certificate, requesting
the withdrawal of said requirement from the call, to which was answered by this
Federation, on the same date, that is, 11/2, and by the same means, that made us
“Get the document to the RFETM medical adviser, Doctor B.B.B., so that he
your medical data is protected. The doctor's email is ***EMAIL.2.”




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/33








In this regard, you are requested to report how many emails were received in both
addresses and because two mailboxes were created, the difference between one person and the other, and
the course that was given to the contents of those emails, dates and destruction of the

documents, proof of destruction, if the person who sent it was verified
with some receipt, and how they were used for access on 11/20/2021 of the
conducting the face-to-face test.

“The students used two email addresses, both official, from the RFETM to
send the vaccination certificates or the negative test, ***EMAIL.3 and ***EMAIL.1. “


“The first was the normal channel of communication between students and those responsible for
training, and the second was offered two days before the exam due to the need to
obtain the necessary data to submit the list and have access to the exam.

All students listed in the DOC. No. 1 sent the required documentation to
one of those two emails. Only the name of the student was extracted from said documentation,

to include it in the list that was transferred to the CSD. All documentation submitted by
students was eliminated on November 22, 2021, as stated in DOC No.
5. The mail of doctor B.B.B., (RFETM classifier doctor) was only offered to the
claimant, without it being used since he provided PCR just before the exam.
In document 5 that it provides, it is indicated that on "11/22/2021 the destruction of the

documents attached to emails received at the addresses ***EMAIL.1 and ***EMAIL.3
with the COVID passport concept”.

h) Report the role played by your Data Protection Delegation in the
claim.


“The RFETM did not communicate this circumstance to the Data Protection Delegate, in
how much it considered that it was a norm of obligatory compliance by the Federation,
considering that there was no room for negotiation or any modification of it. The
The Data Protection Delegation became aware of it once the AEPD communicated the
claim filed against the RFETM.”


-AL CSD,

a) Regarding the rules of access given to the Federations (in this case to the Royal
Spanish Table Tennis Federation, which was going to hold an examination test on

11/21/2021 at the ***RESIDENCE.1 for coach), informing by email to the different
Spanish federations, on 10/14/2021, with the literal:

"To access the CAR it will be necessary to be vaccinated with the complete schedule, if it is not
could by any medical prescription it will be necessary to provide an antigen test or

PCR not older than 24 hours, repeating this test every 72 hours”
They are asked for the regulations under the protection of the one they demanded to be able to access said
space to the Federations and their members the vaccination or test requirements
diagnosis, prior medical accreditation that he could not be vaccinated, as well as the
instruction or protocol in which said requirements are formalized. Likewise, if any
health authority reported on the necessity or proportionality to require such

diagnostic tests or vaccination certificate on Federated or people who
As in this case, they agree to use their facilities to take an exam. report

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/33








also if the Data Protection Delegation intervened in the aforementioned requirements
providing the report issued if it were the case.


b) Protocol or contingency plan in the year 2021-October, to December 2021 on
preventive measures to deal with the health crisis of COVID 19.

c) Regarding the lists of people from the Federations that they had to communicate
for access to the CAR, specifically in this case by the Royal Federation
Table Tennis Association, to access the tests to be held at the

*** RESIDENCE.1 on 11/21/2021, what procedure for processing this data that
received had, and date until which they have been stored, or certification of deletion
of the data if it had taken place. Also specifying how many lists the company sent them
RFETM, and dates, with copies if they had them.


d) If they received observations or complaints from the Federations for the requirement of this type
of health data as an obligation for access to its facilities, what response is
I hate them.

Once the letter was received, the CSD did not respond.



SEVENTH: On 12/9/2022, the literal proposal is issued:

"That the Director of the Spanish Agency for Data Protection sanctions
ROYAL SPANISH FEDERATION OF TABLE TENNIS, with NIF Q2878038E, by:


-An infringement of article 6.1 of the GDPR, in accordance with article 83.5.a) of the
GDPR, and for the purposes of prescription in article 72.1.b) of the LOPDGDD, with a fine
Administrative of 6,000 euros.


- An infringement of article 9.2 of the GDPR, in accordance with article 83.5.a) of the
GDPR, and for the purposes of prescription in article 72.1.e) of the LOPDGDD, with a fine
administrative fee of 10,000 euros.”


EIGHTH: On 12/23/2022 the claimed


-Dissatisfied with the expression of the fourth proven fact in which it is indicated that "the
claimant opposed submitting the certificate requesting the withdrawal of said requirement.”
inasmuch as they consider that the claimant opposed "presenting or exhibiting, both the
vaccination certificate as well as the negative test carried out in the last 72 hours”. He

The complainant, aware of the two alternatives, requested the withdrawal of both options,
refusing the mere exhibition, urged that they be "eliminated within a period of 72 hours from the
referred protocol any differentiation between vaccinated, people who do not provide their
medical and non-vaccinated data”.


-Reiterates its lack of guilt, by giving the claimed compliance with the demands of the
obligations imposed by the CSD, and directed to all the Federations on 10/14 and the
12/17/2021. He adds that he acted under the conviction that there was a protocol of
Sanitary measures approved by the CSD "that prohibits entry into the examination area

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/33








to those users who are not included in a list, who must carry out their own
federations, certifying that they have provided a vaccination certificate or test
negative made in the 72 hours prior to access”. The Federation did not transfer to the CSD

the claim, considering that he was acting having received a mandate, "to certify that
the attendees met the entry requirements..." and performs the necessary acts
for its compliance, on the basis that it understands that the CSD has approved a
protocol that bound them.”

-The claimant exhibited the negative result of the test on the same day of the examination before the

CSD security personnel, confirming that same day by email the claim to the
CSD permission for access. Based on this, it estimates that there was no data processing
of the claimant, "without any documentation being collected or transferred",
determining access and inclusion in the list of attendees.


-Reiterates that they have legitimacy for the treatment of the data of the attendees, and that
In this case, there may be several.

On obtaining consent due to the fact that there have been people who
presented their certificate by sending it by email or showing it when accessing, attendees
they had the option of not providing the certificate that did not carry as a sanction not being able to

access to the place, but rather having to show it so that the defendant could certify before the CSD
his mandate, existing option of one way or another. "So the students who sent
the documentation, freely gave their consent for said act, given that
they could opt for mere display.”



The art. 8 of the LOPDGDD, establishes in relation to said article 6, that “2. He
processing of personal data can only be considered based on compliance with
a mission carried out in the public interest or in the exercise of public powers vested in the
responsible, in the terms provided in article 6.1 e) of Regulation (EU)

2016/679, when it derives from a competence attributed by a norm with the force of law.
In this sense, and as previously stated, it is Law 10/1990 itself,
of October 15, of Sport, which confers on the federations the exercise of said
public powers. Therefore, given that the treatment of the data object of the present
file was carried out in the exercise of the public powers conferred on the RFETM as
collaborating agent in the training of sports technicians, said action does not

contravenes art. 6 LPD, insofar as it establishes that the treatment will be lawful
if at least one of the listed conditions is met.”

Therefore, it reiterates that, in addition to its own powers, it acts as a collaborating agent
of the Public Administration in the training of table tennis sports technicians,

exercising by delegation public functions of an administrative nature, under the tutelage of the
CSD. It refers to the control and supervision of the rules by which the Federation is governed,
from the Statutes that are published by resolution of the CSD, or the Regulation of the
national coaching school or sports education. Add or link this
acting as a collaborating agent, to the fact that he requested the use of the Residence

"Joaquín Blume", dependent on the CSD, since the defendant lacks its own premises
and "acts in this matter, under the tutelage and coordination of the CSD." Consider that the
holding the exam is one more element in the promotion of sports technicians, "the
body that coordinates, supervises and protects, and that ultimately is the one who imposes the rules

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/33








of use of said premises, to exercise the functions by the different Federations
sports that by law can be entrusted to him"


He believes that sports federations must be considered assimilated to entities
referred to in article 77 of the LOPDGDD, and there would be no economic sanction. Furthermore, in
In this case, it agrees that the requirement of possible data processing derives from
direct requirement of the public body, CSD, which if expressly contemplated in
the said precept.



 "Similarly, reference is made to opinion 6/2014 on the concept of legitimate interest
of the data controller, to conclude that it is not admissible in the
this file, the existence of protection of vital interests of the interested party or of
another natural person, as there is no danger of life or death in case of not treating the

data, or a qualified tangible hazard associated with it. However, the position
maintained in the Covid Report N/REF: 0017/2020 of the Legal Office of the AEPD, in
what it establishes on the same concept that "Said legal basis of the treatment (the
vital interest) may be sufficient for the processing of personal data aimed at
protect all those people susceptible to being infected in the spread of
an epidemic, which would justify, from the point of view of data processing

personal, in the widest possible way, the measures adopted for this purpose, including
even if they are aimed at protecting unnamed or in principle unidentified persons or
identifiable, since the vital interests of said natural persons must be
safeguarded, and this is recognized by the data protection regulations
personal”.



- “Absence of economic benefits.” A fine is expected to be imposed on the
federation for an action in compliance with a legally imposed obligation and
from which it does not obtain any type of economic benefit. “The Federation

economically depends on annual subsidies from the Ministry of Culture and
Sports".


-Absence of connection of the activity of the Federation with the realization of
processing of personal data. In this sense, the LOPD recognizes that

circumstance and thus only requires the Data Protection Delegate, to those federations
sports, that process data of minors. It stands out a lot in the resolution that is not
notified the Data Protection Officer and that this implies more
guilty, when, on the contrary, the Law does not require having a data protection officer,
when the data of minors is not processed, as was the case in this case when they were all

of legal age. (art.34 of the LOPDGDD).

- Lack of intentionality in the actions of the Federation. The pandemic situation,
mass nature of vaccination, the legislative diversity between the different
autonomous communities on requirements for access to the premises, which caused a total

confusion when implementing them.

-An aggravation of the sanction is requested due to the fact that on the part of the Federation
the list requested by the CSD is drawn up and transferred to it. It should be noted that

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/33








in said list it is not distinguished if they are vaccinated or not, the remission of the same is
necessary for the purpose for which the data was requested and sent to the
official CSD emails.



All the participants were aware and for this purpose exhibited or contributed the
documentation, to appear on the list that the CSD required. In this sense, “estimate
that the transfer or communication of data between Public Administrations, while
carried out, precisely and solely, to achieve the purpose or one of the purposes for which

obeys the very creation of the file and the collection of those, and not, therefore,
for the exercise of different powers or powers that deal with
different matters, is already covered by the consent initially given by the
owner of the data for its collection and treatment. That is, in such a case, the
need for a new consent whose specific purpose is that assignment or

communication." Supreme Court (Contentious-Administrative Chamber, Section 3)
Judgment of April 15, 2002. RJ 2002\4689.

-Indicates that the purpose of the treatment was none other than to comply with the mandate of the CSD,
autonomous body of an administrative nature through which the action is exercised
of the AGE in the field of sport, certifying the requirements established by the CSD,

the ultimate purpose being that of students being able to take the technical exam
table tennis.

-There was no intention to violate any rule or harm the rights of the users.
assistants


- "There is no claim by any of the students who exhibited or contributed
the documentation, given that none of the members of the course that had to attend the
examination suffered any type of damage or loss, since they voluntarily communicated
The requested data. Including the claimant, who agreed to the examination after showing

negative test. All documentation was duly removed upon completion
the final exam. “

- Point c) of the aforementioned article "any measure
taken by the person in charge or in charge of the treatment to alleviate the damages and losses
suffered by the interested parties", given that the RFETM tried to accommodate the demands of the
Higher Sports Council to the demonstrations against the claimant,

understanding their position and trying to obtain new alternatives without undermining their
rights. Note that the claimant, the same day that he formally submitted his complaint to
the RFETM, filed a claim with the AEPD. The Federation, oblivious to the interposition
of said claim, he addressed the claimant on several occasions to try to reach a
solution without the affected party suffering any impairment of their rights, offering the

participation of the Federation's medical service, which in any case implies a
mitigating and non-aggravating circumstance as described in the proposed resolution.

-Provide a copy of the email from the CSD of 12/17/2021, “new access rules
CAR Madrid COVID 19", addressed to various Federations, including the one claimed. In it
writing indicates that "it will be mandatory to access", "the Federation will justify the
negative antigen test presentation", or "if there is an absence of several days per

competition”, being responsible for certifying the results of these tests.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/33










                               PROVEN FACTS



1) The claimant claims that he was going to take an exam on 11/20/2021 to
"table tennis coach" who had summoned the defendant and was required to present
the complete vaccination schedule against COVID 19. The place where the test is carried out
was chosen by the defendant, in the facilities of the "Joaquín Blume" residence,
High Performance Center (CAR), owned by the Higher Sports Council. The

test of the exam, corresponded to the last of the mandatory face-to-face part, of a
Announcement of the level 1 course of sports technician of table tennis. was summoned by
circular 43, of 03/16/2021, 2020/2021 season and the date was already determined
11/20/2021 as the exam date. According to the lists provided by the defendant in
tests, 32 students finally attended, including the claimant, all of them

federated as certified, although it was not a requirement to take the exam.


2) On 10/14/2021, the defendant received an email from the CSD with a copy to all
Sports federations in which an update of access regulations was notified
to (CAR), Residence, indicating that the "complete vaccination schedule" was necessary and

"If it is not possible due to a medical prescription, it would be necessary to provide a proof of
antigen or PCR no older than 24 hours”. It also required the referral of
lists "certifying complete vaccination", with those authorized to use the
facilities-attached file to provide the requested information-, having the
Rules effective from 10/25/2021. The email added that it was due to "the

changes in the Covd-19 protocols and in view of the evolution of the pandemic and the measures
preventive measures that have been taken. The defendant did not have or obtain a copy of the protocol
and the CSD did not send a copy of it.



3) Upon request for evidence of the role of the Data Protection Delegation in the
claim, the defendant indicated that she did not inform him, considering that "it was a
standard of obligatory compliance by the Federation, considering that it was not possible
negotiation or any modification of the same.", nor does it appear that it gave
knowledge of the claimant's claims, indicating that if he gave notice
"When the AEPD became aware of it, it communicated the claim filed against

the RFETM”

4) The defendant - training department - communicated on 10/15/2021, to the students
that they were going to be examined, that the examination center, Residence J. Blume, of the CSD,
required to access to take the exam, the "COVID passport", and "We would need you to

You will send us your COVID passport to this email" (for training, used to
communicate with students). The claimant sent an email in response to it on
10/26/2021 noting that for this a legitimate basis is required, being health data.
The Federation responded on 2/11 (sports management, with a copy to training) that the
requirement was imposed by the head of the headquarters, CSD "giving the option of sending the

document to the medical adviser of the Royal Federation, the doctor... so that your
medical data are protected”, without the defendant taking advantage of this measure or
alternative.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/33








On 11/8/2021, the claimant asked the respondent to eliminate the
vaccination and was answered in writing dated 11/11/2021, that the conditions came
imposed by the CSD, and that the RFETM had no jurisdiction to modify

said protocol, existing "the possibility of an alternative such as the presentation of PCR
refusal of the last 72 hours” “that they have already tried to expose”.

There is another letter from the defendant to the claimant dated 11/18/2021, reiterating that the
protocol belongs to the CSD to offer health guarantees to attendees, and protect the
public health, reiterating the option of the PCR test to the certified vaccination schedule.


5) It is proven that on 11/17/2021, the defendant informed the students in an email "that
they can send a vaccination certificate or negative test” indicating the email address:
***EMAIL.1.


6) The defendant sent a list to the CSD on 11/19/2021, of the students who had
accredited to the claimed the presentation of "the vaccine or diagnostic test PCR
negative in the previous 72 hours", in the form of a certificate, a total of 29, containing their
names and surnames and the NIF. These students sent their vaccination certificates and
evidence, without distinguishing the one claimed in the list if it is of one type or another. The claimed
indicates that the students used two email addresses, both official, from the

RFETM to send you the vaccination certificates or the negative test, ***EMAIL.3 and
***EMAIL.1, the first being the one used as normal between the person in charge of training and
the students, the second, were offered two days before the exam due to the need to
obtain the necessary data to submit the list and have access to the exam. The
claimed indicates that the address ***EMAIL.2, as belonging according to the claimed to

a medical advisor from the RFETM, offered himself exclusively to the claimant in an e
Response email to the claimant on 2/11, but it was not used.

The mode of sending and receiving the list of 11/18/2021 is unknown.


The following day, the defendant also communicated to the CSD in an email, a total of
three more students, including the claimant, also with name and surname and NIF,
certifying that they can access. The e-mail is sent with a copy to various addresses,
among others, to a Gmail address, several csd domains, including staff from
security, and different sections of the claimed.


7) On the day of the exam, the access control was carried out by the staff of
Security stationed at the Residence, and at the access, the claimant appeared and
exhibited negative certificate of the PCR Test, confirming in email -proven fact
previous - the one claimed that same day to the CSD the permission for access.


8) According to what was expressed by the defendant, access to the Residence is due to
a CSD protocol that establishes obligations not to spread the virus and preserve the
health, mentioning articles 5, 15 and 16 of Law 2/2021 of 03/29, on measures
Urgent measures for prevention, containment and coordination to face the health crisis
caused by COVID-19, which do not establish the power to establish enforceability

contribution of vaccination certificate or PCR test.

The defendant, as a Federation, does not show that it had a part or intervened in the decision
of the imposition of the vaccination requirement ordered by the CSD in the mail of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/33








10/14/2021 for access to the Residence, although he has stated that it was a "measure
consensual”, has also stated that it was only up to him to obey said requirement, if
nor is there evidence that he transferred the various complaints of the claimant to the CSD before said

imposition, (three writings) nor to the DPD, since the defendant has stated, that he did not give
know the facts to this but when the first letter of the AEPD was entered with the
claim.

9) The defendant, despite having stated that the requirement of certification of the
vaccination or PCR tests are imposed by the CSD, owner of the facility,

considers the treatment lawful based on:

-The interested parties gave their consent for "one or more purposes".

-The treatment is necessary to protect vital interests of the interested party or of another

Physical person.

-Carries out a mission of public interest as a collaborating agent of the Public Administration
when exercising public functions of an administrative nature (art 30.2 and 33-1-d) of the Law
10/1990 of 10/15 of Sport).


-For the treatment of special health data, he stated that it is carried out at the
under article 9.h) of the GDPR, based on the prevention of employee health
of the RFETM and of the residence, where the tests were held, in order to avoid the
virus spread.


                           FUNDAMENTALS OF LAW

                                           Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each

control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of the
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this
procedure the Director of the Spanish Data Protection Agency.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."



                                           II

The claimant, in the exercise of a right, to qualify as a coach of a modality
of the RFETM, must undergo an exam on 11/20/2021 carried out by the

RFETM and which is held in some facilities of the “Joaquín Blume” residence, which
They depend on the CSD. At the time of submitting the application for the examination, it is not
You need to be federated.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/33










The Federations perform various functions in relation to their own field,
powers in which they act. Law 10/1990 of 10/15 on Sports states in its article
30:


"1. The Spanish sports federations are private entities, with personality
its own legal system, whose scope of action extends to the entire territory of the State,
in the development of the competences that are its own, integrated by Federations
regional sports, sports clubs, athletes, technicians, judges and
referees, Professional Leagues, if any, and other interested groups that

promote, practice or contribute to the development of sport.

2. The Spanish sports federations, in addition to their own powers, exercise,
by delegation, public functions of an administrative nature, acting in this case
as collaborating agents of the Public Administration.”


Among other functions, which are exercised under the supervision and coordination of the CSD, would be the
of “Collaborating with the State Administration and that of the Autonomous Communities in
the training of sports technicians”. (art 33 1.d Sports Law)


The approval of regulations for health protection and access to residence have
to be carried out, in accordance with the provisions of the general measures of prevention and
hygiene against COVID-19 indicated by the health authorities. In this case, the
CSD rules are not intended exclusively for the staff who attend the exam,
They are general access rules that are sent to all Federations by diffusion

general. In the same, which are unknown, it was obliged to provide a certificate of
vaccination in order to access it.

Article 3 of the Organic Law 3/1986, of 14/04, on Special Measures in the field of
Public Health, is a norm of coverage of the sanitary measures that involve
some restriction of fundamental rights, specifically, when it provides that "with the

In order to control communicable diseases, the health authority, in addition to
carry out general preventive actions, may adopt the appropriate measures for the
control of the sick, of the people who are or have been in contact with the
themselves and the immediate environment, as well as those deemed necessary in
case of risk of a communicable nature".


Law 2/2021 that mentions the RFTM establishes protocols that contemplate
ventilation, cleaning and disinfection measures appropriate to the characteristics of the
workplaces, entities or holders of economic activities. This Law states that
the adoption of necessary measures for its compliance will correspond to the

General State Administration with the collaboration of the Autonomous Communities.
Nothing is indicated about the vaccination certificates or the obligatory nature of tests of
diagnosis of infection such as a PCR.

Neither has the CCAA of Madrid issued any regulations that develop measures of
specific prevention as a consequence of the evolution of the epidemiological situation

derived from the Covid-19, nor therefore explicit and specific about the exhibition requirement
documentation of vaccination or diagnostic test to access establishments such as the
place where the exam is held, to which attendance is required, in order to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/33








realization. Order 1362/2021 of 10/21 of the Ministry of Health, by which
modifies Order 1244/2021, of 10/1, which establishes preventive measures to
deal with the health crisis caused by COVID-19, apart from measures

preventive measures and the non-obligation to wear a mask when carrying out an activity
outdoor sport, does not determine any aspect in terms of the requirement to provide
vaccination certificate or diagnostic test.


The RFETM indicates that it collected vaccination and test certificates that were sent to
two e-mail addresses, one of them the training one, which was operational from the
start, and another that was launched shortly after the exam was held. Besides
upon receipt of such certificates, they were kept for a while. On the other hand, it

they made lists with data to the CSD, and the claimant, in addition to being in a
of those lists, he agreed by showing his PCR test.

In principle, the claimant urged athletes to have to send by email
your “COVID passport”, a term from Parliament Regulation 2021/953
European Union and of the Council of 06/14/2021, or EU digital COVID certificate, which is not

specified that it included PCR tests. Taking into account that the option of the
PCR tests, was limited, since they must be valid for 72 hours before the exam,
it is estimated that vaccination certificates were collected from the notice, 10/15/2021 and only
72 hours before, the aforementioned PCR would have been received, estimating that the
Most of them, also because they are free, would be certified.


Being the general rule that vaccination is voluntary, moreover, the "performing of
diagnostic tests for infection for the detection of COVID-19 are limited to those
cases in which there is a prior prescription by a physician and comply with criteria
established by the competent health authority.” (second section of Order SND/
344/2020 of 04/13 establishing exceptional measures to reinforce the

National Health System and containment of the health crisis caused by the
COVID-19, BOE (04/14/2020). As indicated in the preamble of that standard, it is
In this way, it tries to limit the performance of diagnostic tests for the detection of
COVID-19 to those cases in which there is a prior prescription by a physician and
conform to criteria established by the competent health authority, submitting

In this way, the regime for carrying out this type of evidence is based on the prior existence of
medical criteria that advise its performance.

If this medical indication exists, the scope of the obligation for the
assistants to the residence of the CSD.



                                            II


Based on data collected from exam attendees through
vaccination certificates sent to the email addresses recommended by the RFETM,
two, there has been a data processing defined in article 4.2 of the GDPR as:


“any operation or set of operations carried out on personal data or
sets of personal data, whether by automated procedures or not, such as the

collection, registration, organization, structuring, conservation, adaptation or modification,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/33








extraction, consultation, use, communication by transmission, diffusion or any other
form of authorization of access, comparison or interconnection, limitation, deletion or
destruction;"

An email and a letter have also been sent, both with complete lists of

people who went to examine the CSD on 11/20/2021 for the defendant.

Therefore, there has been no mere exhibition of the document, or documents of the
examination attendees, as they have been collected, sent, stored, verified and
They have created lists and sent e-mails with these data, on which they have been certified,
including the claimant, knowing that each one has provided the required data, which

that enters into the concept of data processing, for which reason the
GDPR.

The less intrusive alternative option might have been the mere display on the day of the
examination, without any annotation even on the access door on the day of the examination, of the
certificates or evidence granting access.

In this case, the defendant deals with health data defined in article 4.15 of the
GDPR, which indicates:

“Health-related data: personal data relating to the physical or mental health of a

natural person, including the provision of health care services, revealing
information about your state of health;”

For its part, Considering (35) "Among the personal data related to health,
must include all data relating to the state of health of the interested party that give
information about your past, present or future physical or mental health status. (…) all

number, symbol or data assigned to a natural person that identifies them in a
unambiguous for sanitary purposes; information obtained from tests or examinations of a
part of the body or a body substance, including from genetic data and
biological samples, and any information relating, by way of example, to a
disease, disability, risk of disease, medical history,
the clinical treatment or the physiological or biomedical state of the person concerned,

regardless of its source, for example a doctor or other healthcare professional, a
hospital, a medical device, or an in vitro diagnostic test.”

The GDPR establishes a very broad concept of health data, and grants it a regime
specific menu, corresponding to the so-called "special categories of data" to
referred to in article 9 of the normative text. They are named that way because their

processing involves situations in which a serious data protection risk arises,
from the consequences that its improper use may have for people, and it is
considered so harmful that their treatment is prohibited unless it is applied
an exception.


Article 9 of the GDPR indicates:


"1. The processing of personal data that reveals the ethnic origin or
race, political opinions, religious or philosophical convictions, or affiliation
union, and the processing of genetic data, biometric data aimed at identifying
unequivocally to a natural person, data relating to health or data relating to life
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/33








sexuality or sexual orientation of a natural person.

2. Section 1 shall not apply when one of the circumstances occurs
following:


a) the interested party gave their explicit consent for the processing of said data
personal data for one or more of the specified purposes, except when the Law of the
Union or of the Member States establishes that the prohibition mentioned in the
section 1 cannot be lifted by the interested party;


b) the treatment is necessary for the fulfillment of obligations and the exercise of
specific rights of the controller or the interested party in the field of
Labor law and social security and protection, to the extent that it is authorized
Union or Member State law or a collective agreement pursuant to
Law of the Member States establishing adequate guarantees of respect for

the fundamental rights and interests of the interested party;

c) the processing is necessary to protect the vital interests of the data subject or of another
natural person, in the event that the interested party is not capable, physically or
legally, to give consent;


d) the treatment is carried out, within the scope of its legitimate activities and with the
due guarantees, by a foundation, an association or any other body without
profit, whose purpose is political, philosophical, religious or trade union, provided that the
Treatment refers exclusively to current or former members of such
bodies or persons who maintain regular contact with them in relation to
their purposes and as long as the personal data is not communicated outside of them without the

consent of the interested parties;

e) the treatment refers to personal data that the interested party has made
manifestly public;

f) the treatment is necessary for the formulation, exercise or defense of

claims or when the courts act in the exercise of their judicial function;

g) the processing is necessary for reasons of essential public interest, on the basis
of the law of the Union or of the Member States, which must be proportional to the
objective pursued, essentially respecting the right to data protection and

establish adequate and specific measures to protect the interests and rights
fundamentals of the interested party;

h) the treatment is necessary for the purposes of preventive or occupational medicine, evaluation of
the worker's work capacity, medical diagnosis, provision of assistance or
health or social treatment, or management of assistance systems and services

health and social, on the basis of Union or Member State law or in
under a contract with a healthcare professional and without prejudice to the conditions and
guarantees referred to in section 3;

i) the processing is necessary for reasons of public interest in the field of health
such as protection against serious cross-border threats to health, or

to guarantee high levels of quality and safety of health care and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/33








medicines or medical devices, on the basis of Union law or of the
Member States to establish adequate and specific measures to protect the
rights and freedoms of the interested party, in particular professional secrecy,


j) the processing is necessary for purposes of archiving in the public interest, purposes of
scientific or historical research or statistical purposes, in accordance with article 89,
paragraph 1, on the basis of Union or Member State law, which must
be proportional to the objective pursued, essentially respect the right to protection
of data and establish adequate and specific measures to protect the interests and

fundamental rights of the interested party.

3. The personal data referred to in section 1 may be processed for the aforementioned purposes
in section 2, letter h), when your treatment is carried out by a professional subject to
the obligation of professional secrecy, or under its responsibility, in accordance with the
Law of the Union or of the Member States or with the rules established by the

competent national bodies, or by any other person also subject to the
secrecy obligation under Union or Member State law
or the standards established by the competent national bodies.

4. Member States may maintain or introduce additional conditions, including
limitations, regarding the treatment of genetic data, biometric data or data

relating to health."
These applications with exceptions can be considered requirements that only limit the
scope of the prohibition, but which, in and of themselves, do not offer a reason

of sufficient legitimacy for the treatment. In this sense, the applicability of the ex-
Exceptions of article 9.2 a) to j) of the GDPR does not exclude the applicability of the requirements
of article 6.1 of the GDPR, and both, when applicable, must be applied cumulatively.
mind. This translates into practice in that even if it were proven that in the specific case
If there were any circumstances that would lift the prohibition of data processing

of health, is not enough for its legality, requiring a legal basis for the
indicated in article 6.1 of the GDPR that establishes the assumptions that allow considering
lawful processing of personal data:

"1. Processing will only be lawful if at least one of the following is fulfilled
conditions:

a) the interested party gave his consent for the processing of his personal data for

one or more specific purposes;

b) the treatment is necessary for the execution of a contract in which the interested party is
party or for the application at his request of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the

responsible for the treatment;

d) the processing is necessary to protect the vital interests of the data subject or of another
Physical person;

e) the treatment is necessary for the fulfillment of a mission carried out in the interest

public or in the exercise of public powers conferred on the data controller;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/33








f) the treatment is necessary for the satisfaction of legitimate interests pursued by
the data controller or by a third party, provided that such interests are not
the interests or fundamental rights and freedoms of the data subject prevail

require the protection of personal data, in particular when the interested party is a
child.
The provisions of letter f) of the first paragraph shall not apply to the treatment
carried out by public authorities in the exercise of their functions


                                            IV.

It is appropriate to assess the causes alleged by the defendant that would lift the treatment of
the health data, the defendant indicated as such:

-art. 9 h) of the aforementioned GDPR, in order to prevent the rights of workers in the
RFETM and the residence of athletes, and with the purposes of social utility, already said, of

prevention of the spread of the virus, in sports facilities, the residence of
high performance athletes "JOAQUIN BLUME". Also the existence of staff
employee of the residence being an obligation of the companies the application of
Occupational risk prevention measures to preserve health and avoid spreading the
virus.

The defendant argues that given the pandemic situation, in order to carry out the examination
established "in accordance with the applicable regulations the monitoring of a
health protocol" in order to preserve the health of the participants, members of the

residence and members of the defendant (workers). The protocol was developed by the
CSD, without having the claimed copy of any, or knowing its content, despite
inform this AEPD that he had participated in it. Thus, the CSD sent an email
to all the Federations, alluding to this situation.

The CSD avoided responding both in the transfer and in the requested tests. For this purpose,

The situation described is transferable and comparable to any other public entity in the
that visits from the public are received or that first-class public services are also provided
need, since the assistants are going to take an exam, they will not stay there any longer
longer than the duration of the test, an element that seems to clearly differentiate those who reside
over there.

There is no doubt that in the health crisis situation caused by COVID-19, the

employer is obliged to adopt extraordinary measures aimed at preventing
new infections of COVID-19 and these measures must be applied taking into account the
criteria defined by the health authorities.

The action procedure for occupational risk prevention services
against exposure to SARS COV-2, approved by the Ministry of Health, has already been
indicated, which provides for the practice of diagnostic tests, prior prescription

optional of the employees and if there is no obligation as a general rule for them to
perform any test or provide a vaccination certificate in the performance of their
positions, it is not understood why for a third party outside that circle it is required in
based on said norm, or used for the protection of those. serve as an example
that for the groups of ambulance transport technicians there was no standard

any, including prevention of occupational hazards, which obliges the company to carry out
company to perform the COVID 19 detection test (STS fourth room, social,
judgment 562/2021 of 05/20).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/33








These occupational risk prevention or social protection regulations do not apply
when the third party to be examined is not an employee and therefore is not subject to
right to prevent occupational hazards that must be applied. Likewise, I don't know

appreciates the note of necessity, when information about a possible immunity
against the disease does not contribute significantly to the protection of the rest of
personnel or the person himself, to the extent that the protocols for the prevention of
risks adopted by the health and labor authorities apply equally to the entire
personnel, orienting themselves as regards the presence of infection to the cases
suspects.


Regarding the alleged vital interest of article 9.2 c) "the treatment is necessary to
protect vital interests of the data subject or of another natural person, in the event that
the interested party is not able, physically or legally, to give his consent;", no
It seems the case in which the assistants could give their consent.


Therefore, it is estimated that there is no alleged cause that would lift the prohibition of the
treatment of special data, considering that article 9.2 of the
GDPR.



                                            V

Now it is appropriate to assess the cumulative legitimating bases of data processing
of health alleged by the defendant included in article 6.1 of the GDPR. Base
applicable legitimizing entity must be determined before treatment begins and must be

keep record. In the privacy notice or information on data processing to which
subjects to whom they are collected, the legal basis for the treatment and the
purpose thereof.


The students who take the exam have a legal relationship with the defendant,
Oriented towards taking the exams and obtaining the title. Each student

formalized his request and paid the amount established, submitting to the face examination process
to have the degree after the successive examination processes to which they have been submitted.


The RFTM alludes to the legal basis that allows the processing of the data of the
people to be examined, who meet “at least one of the following
conditions: "the interested party gave his consent for one or more specific purposes,
As is the case, the processing is necessary to protect vital interests of the
interested party or another natural person, final objective of the protocol”.


Recital 42 of the GDPR indicates: "...Consent should not be considered
freely provided when the interested party does not enjoy true or free choice or not
You can deny or withdraw your consent without suffering any prejudice.”

Article 4.11 of the GDPR defines:


"consent of the interested party": any expression of free, specific,
informed and unequivocal by which the interested party accepts, either through a declaration
or a clear affirmative action, the processing of personal data that concerns you”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/33








Regarding the consent that the RFETM expresses, it has obtained due to the fact that
there have been people who presented their vaccination certificate, sending it by email
to the enabled address, or display it when accessing, said consent would not be valid

If your non-contribution will have negative consequences such as not having access to the exam,
as is the case, so that it cannot be classified as free will in its provision
being conditioned by those consequences. The defendant must certify in any case
that there is an element, vaccination, or a negative PCR test has been performed
in the 72 hours prior to the exam. Either way, data is required from
health of the person to be examined, data that by the mere fact of being certified,

will continue to be health data. For this reason, it is indifferent that they do not appear or are
Differentiate those who provide a vaccination certificate or antigen test. Throughout
case, and so the defendant warned the claimant, if either of the two was not provided,
access was not possible, and therefore the performance of the test, as its
access, becoming a norm of general access for any person that the

CSD had established, which affected the athletes who resided there, but also the
who agreed, for any reason, in this case, to carry out a test of
exam. Thus, "Consent should not be considered freely given when
the interested party does not enjoy true or free choice or cannot deny or withdraw his
consent without suffering any prejudice" (recital 42).

In general, consent can only be an adequate legal basis if it is offered to the

stakeholder control and real choice as to whether to accept or
reject the conditions offered or reject them without suffering any prejudice. here, besides
there was the option of being able to send by e-mail to a training address and address
certificates or tests, to which was added the sending of lists with the data
name and surname and ID to another group of CSD employees. Those who delivered the

certificate through e-mail were in that situation, being the truth that
When requesting consent, the data controller has the obligation to
assess whether said consent will meet all the requirements for obtaining a
valid consent. The implementation of consent as a legal basis for
treatment must be subject to strict requirements since it affects the rights
of the interested party and the data controller wishes to carry out a

treatment operation that would be unlawful without the consent of the interested party.

It also considers that, having carried out the training of sports technicians, it
has "Collaborated with the Administration" "under the tutelage and coordination of the CSD",
Considering that it exercises public functions of an administrative nature by delegation,
acting as a collaborating agent of the Public Administration, which would include the
access to the headquarters that the CSD programs as necessary to provide the certificate of

vaccination or PCR. Estimates the defendant that could be covered in the base of the
Article 6.1.e) of the GDPR which states: "The processing is necessary for compliance
of a mission carried out in the public interest or in the exercise of public powers
conferred on the data controller”


Regarding the legal relationship leading to obtaining the title of coach, the parties
develop a relationship, in the course of which, by going to take the exam to a
specific headquarters, they are required by the owner of that headquarters, in this case an entity
administrative guardian, the CSD, the contribution of health data.

It seems clear that issues such as the system for contesting questions in the
examination, qualification of exercises, and their challenge, or to some extent the issuance

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/33








of the titles if they have a clear direct relationship with the training and obtaining the title.


But in this specific case, the access rules that do not call into question the
claimed, would be common to any person, not for taking the exam but for the

fact of accessing, which does not deduce its intrinsic legitimate and necessary relationship
with the tests. Although it can be seen that the function is
characterized by the note adduced by the defendant, access to the Residence is subject to
the common norms for the rest of the people, so that this function does not reach
influence the access regime established by the CSD to legitimize the treatment of

data with such consideration.


On the other hand, it is not possible to “accumulate legal bases with the same purpose”, nor to go from one
legal basis to another or retrospectively use another basis when encountering
problems to justify the validity problems of the previous base, and should be the
application and selection of the base duly informed to those affected when it is
collect the data. Controllers must decide which is the applicable legal basis

before collecting the data.

Regarding the legal basis for processing for vital interest, "necessary to protect

vital interests of the interested party or of another natural person”, in this case, the personnel who
attends to the performance of the tests, or the staff of the residence that can keep
relation to tests.
Recital (46) of the GDPR already recognizes that in exceptional situations, such as

an epidemic, the legal basis of the treatments can be multiple, based both on the
public interest, such as in the vital interest of the data subject or another natural person.

       (46) The processing of personal data should also be considered lawful when
       necessary to protect an interest essential to the life of the data subject or that of

       another physical person. In principle, personal data should only be processed
       on the basis of the vital interest of another natural person when the processing does not
       may manifestly be based on a different legal basis. certain types of
       processing may respond both to important reasons of public interest
       as well as the vital interests of the interested party, such as when the

       treatment is necessary for humanitarian purposes, including epidemic control
       and its spread, or in situations of humanitarian emergency, especially in
       case of natural or man-made disasters.

Article 6.1.d) of the GDPR considers not only that vital interest is a sufficient basis
legal treatment to protect the "interested party", in this case the person who

submitted to the examination, but that such a legal basis can be used to protect the
vital interests "of another natural person", which by extension means that they can be
both unidentified or identifiable persons, as well as unnamed, in terms of holding
an interest worth safeguarding. In addition, it does not emerge as indicated by the
Article 6.3 of the GDPR that the need for the basis of the treatment for reasons of

vital interest has to be established by the law of the Union or the law of the
Member States applicable to the data controller.


After analyzing this basis of legitimation, it is considered that it would cover the treatment originated
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/33








due to the pandemic situation in the specific framework of carrying out an official examination
to obtain the qualification of trainer in a residence for athletes, for

that the alleged infringement of article 6.1 of the GDPR must be archived.

                                             SAW



The offense is typified in article 83.5.a) of the GDPR, which indicates:


5. Violations of the following provisions will be penalized, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of
of a company, in an amount equivalent to a maximum of 4% of the volume of

overall annual total business of the previous financial year, opting for the one with the highest
amount:

a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9;

For the purposes of prescription in the LOPDGDD, its article 72.1) states:


"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:


"e) The processing of personal data of the categories referred to in article 9
of Regulation (EU) 2016/679, without any of the circumstances provided
in said precept and in article 9 of this organic law.”



                                             VII


Sections d) and i) of article 58.2 of the GDPR provide the following:


"Each control authority will have all the following corrective powers
indicated below:

       (…)

"d) order the person in charge or person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate, in accordance with the
a certain manner and within a specified period;”


“i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case

particular;"




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/33








In this case, the sanctioning procedure of an administrative fine is resorted to, given the
category of the data that is collected and the risks of the rights and freedoms that with
they are compromised.


                                           VIII

Law 10/1990 of 10/15, on Sports, states in its article 30.2:

"The Spanish sports federations, in addition to their own powers, exercise,
by delegation, public functions of an administrative nature, acting in this case
as collaborating agents of the Public Administration.”

Regarding the allegation that the defendant must be considered to be a collaborating agent,
in the exercise of public powers in the work of the call for the formation of
its technicians, which are provided for in Sports Law 10/1990 (art. 33.1.d), it must be indicated
as already mentioned, that the place where the exam was held, which conditioned the

contribution of vaccination is an accessory element of said competence, it is not imposed
The celebration in that place is not a norm, but rather there were general rules for
access, to any member, of any Federation, not linked in a specific way to
the performance of any test related to the training courses. That way,
that another could have been chosen that would not have imposed that requirement of limitation of

rights, or having selected one of their own directly, and this does not make the claim
Made in the subject of those mentioned in article 77 of the LOPDGDD, which indicates:

"1. The regime established in this article will be applicable to the treatment of

who are responsible or in charge:
d) Public bodies and public law entities linked or dependent
of the Public Administrations


g) Public law corporations when the purposes of the processing are
related to the exercise of public law powers.


2. When the managers or managers listed in section 1 commit
any of the offenses referred to in articles 72 to 74 of this organic law,
the competent data protection authority will issue a resolution
sanctioning them with warning. The resolution will also establish the
measures that should be adopted to cease the conduct or to correct the effects of the
infraction that had been committed."


For the rest, a Sports Federation, even if it exercises the functions indicated by the
claimed, it would not be classified as a public law corporation, according to
already recognized the judgment of the Constitutional Court 67/1986 of 05/24/1985, appeal
364/1983, which makes the application of said regime doubly unfeasible.


Regarding the allegation that the imposition of the request for the vaccination certificate
It was imposed on him by the organizer, CSD, there is no record that he raised any issue that was
accurately raised by the claimant on at least three occasions, assuming as
own the request and requesting it, and establishing the proper means to carry out its
treatment, collecting and storing the data, as well as preparing lists

that were sent to the CSD.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/33








                                              IX

The determination of the sanctions that should be imposed in the present case requires obtaining
observe the provisions of articles 83.1) and .2) of the GDPR, precepts that, respectively,
mind, provide the following:

"1. Each control authority will guarantee that the imposition of administrative fines
under this Article for the breaches of this Regulation indicated

in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.
sorias.”

"2. Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or in lieu of the measures contemplated in article
58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its
amount in each individual case shall be duly taken into account:


a) the nature, seriousness and duration of the offence, taking into account the nature,
scope or purpose of the processing operation in question, as well as the number
of interested parties affected and the level of damages they have suffered;


b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to mitigate
the damages and losses suffered by the interested parties;

d) the degree of responsibility of the data controller or processor, given

account of the technical or organizational measures that have been applied by virtue of the articles
articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the in-

fraction and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular
whether the controller or processor notified the infringement and, if so, to what extent;


i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the manager in question in relation to the same
As a matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or certification mechanisms.

cation approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as the financial benefits obtained or the losses avoided, directly or indirectly.
you, through the infraction.”


 Within this section, the LOPDGDD contemplates in its article 76, entitled: "Sanctions
and corrective measures”:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/33








"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU)
2016/679 will be applied taking into account the graduation criteria established in the
section 2 of said article.


2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also
may be taken into account:

a) The continuing nature of the offence.

b) Linking the offender's activity with data processing

personal.

c) The benefits obtained as a consequence of the commission of the infraction.

d) The possibility that the conduct of the affected party could have led to the commission of
the infraction.


e) The existence of a merger by absorption process subsequent to the commission of the
violation, which cannot be attributed to the absorbing entity.

f) The affectation of the rights of minors.


g) Have, when it is not mandatory, a data protection delegate.

h) Submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
there are controversies between those and any interested party.


3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the
remaining corrective measures referred to in article 83.2 of Regulation (EU)
2016/679.”


In accordance with the precepts transcribed, for the purpose of setting the amount of the sanction of
fine to be imposed in the present case, typified in article 83.5.a) of the GDPR, of which
the RFETM is held responsible for the infringement of article 9.2 of the GDPR, it is estimated
concurrent as aggravating factors the following factors that reveal a greater
illegality and/or culpability in the conduct of the defendant:

- Article 83.2 g) “the categories of personal data affected by the

infraction" health data have been collected for which it is necessary to carry out
actively, either an action, vaccination, with which a certificate is obtained, or a
infection detection test, in order to be able to perform the exams. These dates,
In addition, they were communicated to an e-mail address for the formation of the defendant, and to another
of the same entity, being saved and were also communicated by email to the CSD
to different groups with a copy.

- Article 83.2 d) “the degree of responsibility of the person responsible or in charge of the
treatment, taking into account the technical or organizational measures that have been applied
by virtue of articles 25 and 32”, considering the nature referred to the data of

health that intrinsically suppose an exception to its treatment, object of
restrictive interpretation, and that restriction has not been considered in the design of the
treatment, as it shows that the complaints of the affected were neither transferred nor
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/33








valued by the DPD, answering that they were imposed norms. having a
DPD, that the data affect minors so that they participate only in those
cases, it is not adequate to establish said figure.


Regarding the alleged lack of guilt of the defendant, article 28 of Law 40/2015,
of 1/10 of the legal regime of the public sector, states: “1. They can only be penalized
for acts constituting an administrative infraction, natural and legal persons, as well as

such as, when a Law recognizes their capacity to act, the affected groups, the
unions and entities without legal personality and the independent patrimonies or
self-employed, who are responsible for them by way of fraud or negligence.”

The jurisprudence of the Supreme Court, in line with that of the Constitutional Court, has
established that the sanctioning power of the Administration, as
manifestation of the ius puniendi of the State, is governed by the principles of criminal law,
being the basic structural principle of guilt, incompatible with a regime of
strict liability, no fault


The Supreme Court (Sentences of 04/16 and 22/1991) considers that the element of the
guilt it follows "that the action or omission, classified as a punishable offense
administratively, it must be, in any case, attributable to its author, due to intent or recklessness.
inexcusable inaccuracy, negligence or ignorance.”

This requirement of guilt in the field of administrative offenses has been reiterated

endlessly by the jurisprudence of the Supreme Court. Thus, the SSTS of 12 (dated.
388/1994) and 05/19/1998, Sixth Section, affirm that in the sanctioning field "it is ve-
given any attempt to build strict liability" and that "in the field of
administrative responsibility is not enough that the conduct is unlawful and typical,
but it is also necessary that it be guilty, that is, the consequence of an action or

omission attributable to its author due to malice or imprudence, negligence or inexcusable ignorance.
saber (...) that is, as a requirement derived from article 25.1 of the Constitution, no one
may be sentenced or punished except for acts that can be imputed to him under
fraud or guilt (principle of guilt)".

In view of the exposed jurisprudence, it is appropriate to conclude that when a
action that could incur an administrative infraction, must be examined
effects of not proceeding to initiate a disciplinary procedure automatically. Yeah
well, intent or negligence is not necessary in the commission of an infraction, but rather the

mere negligence to be able to demand responsibility from the offender, it is no less true that,
As stated by the Constitutional Court "beyond simple negligence, the facts
They cannot be penalized."

In the present case, the defendant indicated to the students that she had passed a
protocol together with the CSD, and up to three times the defendant answered the
petitions of the claimant that questioned the legitimizing basis of the treatment of
data of the COVID 19, without knowing the claimed the regulation that manifests was

applicable, of the CSD, and ultimately preferring the sacrifice of their own rights,
asking for the vaccination to be carried out or to pay for a PCR, rather than clarifying the basis of the
aforementioned obligation as an imposition, and may have paralyzed the process before the
invasion of the rights of those attending the tests, estimating the prevalence of
themselves. It is therefore considered that there is guilt in the conduct of the defendant.

Considering the circumstances, an amount of the fine of 10,000 euros is considered.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/33









Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE the ROYAL SPANISH TABLE TENNIS FEDERATION, with
NIF Q2878038E, by:

- An infringement of article 9.2 of the GDPR, in accordance with article 83.5.a) of the

GDPR, and for the purposes of prescription in article 72.1.e) of the LOPDGDD, a fine
Administrative of 10,000 euros.

SECOND: NOTIFY this resolution to the ROYAL SPANISH FEDERATION OF
TABLE TENNIS.


THIRD: Warn the penalized person that they must make the imposed sanction effective
Once this resolution is enforceable, in accordance with the provisions of art.
98.1.b) of Law 39/2015, of 1/10, on the Common Administrative Procedure of
Public Administrations (hereinafter LPACAP), within the voluntary payment term
established in art. 68 of the General Collection Regulations, approved by Royal

Decree 939/2005, of 07/29, in relation to art. 62 of Law 58/2003, of 12/17,
through its entry, indicating the NIF of the sanctioned party and the number of the procedure that
appears in the heading of this document, in the restricted account IBAN number: ES00-
0000-0000-0000-0000-0000, opened in the name of the Spanish Agency for the Protection of
Data in the banking entity CAIXABANK, S.A.. Otherwise, it will proceed to its

collection in executive period.

Once the notification has been received and once executed, if the execution date is between
on the 1st and 15th of each month, both inclusive, the period for making the voluntary payment
It will be until the 20th day of the following or immediately following business month, and if it is between

on the 16th and last day of each month, both inclusive, the payment period will be until the 5th of
second following or immediately following business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for replacement before the Director
of the Spanish Agency for Data Protection within a period of one month from the

day following the notification of this resolution or directly contentious appeal
before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision
fourth of Law 29/1998, of 07/13, regulating the Contentious Jurisdiction-
administration, within a period of two months from the day following the notification

of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the interested party

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/33









expresses its intention to file a contentious-administrative appeal. If this is the one
case, the interested party must formally communicate this fact by writing to

the Spanish Data Protection Agency, presenting it through the Registry
Email from the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through
any of the other records provided for in art. 16.4 of the aforementioned LPCAP. Also

must transfer to the Agency the documentation that proves the effective filing of the
Sponsored links. If the Agency were not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day following the notification of this resolution, would terminate the suspension

precautionary






                                                                                    938-181022
Mar Spain Marti

Director of the Spanish Data Protection Agency










































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es