AEPD (Spain) - EXP202202960

From GDPRhub
Revision as of 12:02, 3 April 2024 by Lm (talk | contribs)
AEPD - EXP202202960
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 32 GDPR
Article 35 GDPR
Type: Complaint
Outcome: Upheld
Started: 22.02.2024
Decided: 12.02.2024
Published:
Fine: 360,000 EUR
Parties: CTC Externalización, S.L.
National Case Number/Name: EXP202202960
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a controller that was processing employees’ fingerprint data € 360,000 because it failed to disclose processing and storage information to data subjects, lacked security measures ensuring the data’s confidentiality and failed to carry out a data protection impact assessment.

English Summary

Facts

On 14 February 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against their employer, CTC Externalización, S.L. (the controller), which collected fingerprint data from employees to implement a sign-in system.

In its defense brief, the controller stated that the fingerprint scanner was an authentication system, not an identification system. As such, it claimed that fingerprints were not stored; instead, the fingerprint reader generated a numeric identifier that matched the fingerprint. The numeric identifier, not the fingerprint, was then stored in an encrypted system that compared the generated numeric identifiers. The fingerprint was allegedly erased immediately. As result, the controller claimed that it was impossible to reproduce the fingerprint from the numeric identifier. The controller also noted that it provided a disclosure in the employee portal concerning the data processing.

Holding

The AEPD concluded that the controller violated Articles 13, 32, and 35 GDPR and imposed a fine of € 360,000.

First, the AEPD noted that the processing disclosure made available in the employee portal violated Article 13(2)(d) and (e) GDPR because it was inaccurate, overly general and insufficiently informative. The clause concerning processing only mentioned that a fingerprint sign-in system was being implemented; it provided no information about the collection, processing or storage of fingerprint data. The clause referred generally to a number of processing activities and purposes and invoked contract as a legal basis for all of them. In assessing the disclosure's adequacy, the AEPD took note of the controller's amendments to the disclosure. The controller’s updates referred specifically to the fingerprint processing and cited legal obligations under national law as the legal basis for this processing. They also articulated a different data retention period, further indicating the inaccuracy of the original disclosure. Finally, at no point did the controller’s disclosure inform data subjects about their right to file a complaint with the AEPD, violating Article 13(2)(d) GDPR.

Second, the AEPD found that the controller violated Article 32 GDPR because it lacked sufficient security measures to ensure the erasure and integrity of the fingerprint data. In particular, the controller failed to demonstrate how fingerprint data could be erased after each scan and did not demonstrate the existence of any technical measures to protect processed personal data. Additionally, while the fingerprint data and numeric identifiers were kept in separate tables, the controller could not demonstrate measures to ensure the storage locations were kept sufficiently separate.

Finally, the AEPD concluded that the controller violated Article 35 GDPR because it failed to conduct data protection impact assessments for the fingerprint data, which is a special category of data under Article 9(1) GDPR. In addition to posing high risks for data subjects, the AEPD’s published list of processing requiring a data protection impact assessment expressly includes biometric data.

In sanctioning the controller € 360,000, the AEPD considered the high sensitivity of biometric data and took into account the duration of the infraction period of over two years.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/51








       File No.: EXP202202960



                       RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
to the following





BACKGROUND................................................. .................................................. .......2

   FIRST:................................................ .................................................. ...............2

   SECOND:................................................ .................................................. ..............3
   THIRD:................................................ .................................................. ...............6

   ROOM:................................................ .................................................. .................6

       BACKGROUND................................................. .................................................. 6

       RESULT OF THE RESEARCH ACTIONS..............................................7

   FIFTH:................................................ .................................................. ................fifteen

   SIXTH:................................................ .................................................. ..................fifteen
   SEVENTH:................................................ .................................................. ..............16

   EIGHTH:................................................ .................................................. ................16

PROVEN FACTS................................................ ................................................18

   FIRST................................................. .................................................. .............18

   SECOND................................................. .................................................. ............18

   THIRD................................................. .................................................. .............18

   ROOM................................................. .................................................. .................18
   FIFTH................................................. .................................................. ................19

   SIXTH................................................. .................................................. ...................19

   SEVENTH................................................. .................................................. ..............19

   EIGHTH................................................. .................................................. ................19

   NINETH................................................. .................................................. ...............twenty

   TENTH................................................. .................................................. ................twenty

   ELEVENTH................................................. .................................................twenty
LEGAL FUNDAMENTALS................................................. ..................................twenty-one

   I Competition................................................ .................................................. ........twenty-one

   II Previous questions................................................ .................................................twenty-one

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/51








  III Response to allegations regarding non-compliance with article 13 GDPR
  .................................................. .................................................. ............................22

  IV Response to allegations regarding non-compliance with article 32 GDPR

  .................................................. .................................................. ............................25

  V Response to allegations regarding non-compliance with article 35 GDPR27
  VI Unfulfilled information obligation. Article 13 GDPR...................................29

  VII Lack of information. Article 13 GDPR Typification and qualification of the infringement

  .................................................. .................................................. ............................32
  VIII Lack of information. Article 13 GDPR. Sanction...............................................33

  IX Lack of security measures. Article 32 GDPR. Unfulfilled obligation.........33

  X Typification and qualification for the purposes of the prescription of the violation of the

  article 32 of the GDPR................................................ ...................................................36
  XI Lack of security measures article 32 RGPD................................................. ......37

  XII Impact assessment relating to data protection. Article 35 GDPR

  Unfulfilled obligation................................................ ................................................38

  XIII Classification of the violation of article 35 RGPD................................................. .....46
  XIV Lack of impact assessment article 35 RGPD................................................. ...47

  XV Adoption of measures................................................ ............................................47

RESOLVES:................................................ .................................................. .................48






                                     BACKGROUND



FIRST:

A.A.A. (hereinafter, the claiming party) on February 14, 2022 filed
claim before the Spanish Data Protection Agency. The claim is

directs against CTC EXTERNALIZACIÓN, S.L. with NIF B60924131 (hereinafter, the
claimed party). The reasons on which the claim is based are the following:

It is claimed that the entity CTC EXTERNALIZACIÓN, S.L. data has been requested
biometrics, specifically the fingerprint, to employees for the purpose of

implement a signing system based on that data.

It is stated that at the time of taking the biometric data it was not communicated that the
information was in the employee portal, located in the most
hidden part of the application to which not all workers who work

They use the new signing system.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/51








Along with the claim, a printout of emails exchanged is provided.
between the complaining party and the defendant



SECOND:
In accordance with article 65.4 of Organic Law 3/2018, of December 5, of
Protection of Personal Data and guarantee of digital rights (hereinafter

LOPDGDD), said claim was transferred to the claimed party so that
proceed to its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.


The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on 03/14/2022 as stated in the
acknowledgment of receipt that appears in the file.

On 03/22/2022, this Agency received a written response indicating

basically the following:

    1. This is a verification/authentication system (one to one), not
            Identification (one to many).


    2. Fingerprint is not stored. The reader generates an identifier
            numeric which is the one that matches the fingerprint. The
            identifiers and not the fingerprint. An encryption system is used for
            storage. It is impossible to reproduce the fingerprint from the
            numeric identifier.



    3. The system does not compare fingerprints, it compares the code that is generated in the
            reading with the code that is stored.



    4. The system matches a number with a numerical identifier that has been
            created through a hash.


    5. No more data is requested or processed than is strictly necessary to
            the purpose of this treatment.



    6. The data cannot be reused for other purposes and is deleted
            when they are no longer needed.



    7. The data processed are name, surname, employee code and fingerprint
            initial fingerprint that is transformed into an identification code. The
            fingerprint as such is eliminated.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/51








    8. They store only one biometric template that is registered in a repository
            central for distribution to the rest of the biometric devices.



    9. The central repository is located on a non-accessible internal server
            publicly and with access restricted exclusively to the administrator of the
            system.


    10. You have been informed about the processing of personal data,

            specifically: the identity of the Data Controller, the basis of
            legitimation, purposes of the treatment, contact of the delegate of
            data protection, rights and procedure to exercise them, which are not
            They carry out data transfers and the expected retention period. Besides, the
            Information is provided through the Employee Portal to which they have

            access to all Employees. The protection clauses are delivered
            company data with job registrations. and sent in October 2021 a
            email to employees informing them of the update of the
            data protection policies and their publication on the Portal of the
            Employee. The fingerprint access system was activated at the end of

            December 2021.


    11. They have data protection by design: a
            supplier with software that offers all guarantees in compliance
            of data protection regulations, with which a

            contract as Data Processor.


    12. There are no international data transfers. The location is
            in the EEA.



    13. The impact evaluation carried out is provided, where among others
            questions:

            It is clear that the principle of data minimization is fulfilled because “The
            The purpose that is intended to be covered requires all the data to be collected and

            for all affected persons/stakeholders (principle of minimization
            of data).". There is no justification for how this principle is fulfilled.

            It is clear that the question that “The data
            collected will be used exclusively for the declared purpose and will not

            for any other not informed or incompatible with the legitimacy of its
            use (principle of limitation of purpose)”. There is no justification for
            How is this principle fulfilled?

            It appears in the Result section that “After analyzing the need and

            proportionality of this treatment, the risk analysis carried out and the
            Residual risk assessment after the application of the corresponding

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/51








            security measures, the result of this Evaluation study of
            data protection impact EIPD is: ACCEPTABLE.”


    14. An information sign has been installed next to the signing apparatus about the
            processing of data with the purpose that it is perfectly visible by
            all workers. The information has also been expanded
            data protection relating to the use of the fingerprint for control of the
            working day and has been communicated to employees, through the Portal
            of the employee.


    15. Due to this claim, an email has been sent to all
            employees the information clause.


    16. They have implemented the following measures to prevent the occurrence of

            Similar incidents:

               - Information poster next to the transfer apparatus about the
               data treatment.


               Provide a copy of the information poster containing information about the
               responsible, purpose, legitimacy, recipients, rights and place
               where to locate additional information (Employee Portal).

               A screenshot of the Employee Portal is provided where there is a

               link to the informative clause, but there is no date of publication, nor
               url of the Employee Portal.

               - Expansion of data protection information related to the
               use of the fingerprint to control the working day and
               communication to employees, through the Employee Portal.


               - Sending an email to employees with the
               updated data protection information regarding the use of the
               fingerprint to control the working day and as a channel for
               all the doubts or clarifications you need.



               - The receipt of new messages will be monitored
               clauses published by all employees.



    1. The Record of fingerprint processing activities is provided in
            which states that the fingerprint is used as a security system
            verification/authentication, not identification.

    2. They have ruled out other systems, e.g. card signing because after the

            experience with it, conflictive situations arose. It's about a
            service in which there is a high staff turnover. When
            used the card system for signing, sometimes it was transferred to others
            people who were not the owners of the same, present in the area
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/51








            of personal work unrelated to it with all the risks that it entails
            job security. The use of the fingerprint is the system that
            allows you to avoid these criminal situations and guarantees the correct

            compliance with labor regulations and prevent unauthorized access.

THIRD:
On May 14, 2022, in accordance with article 65 of the LOPDGDD,

admitted for processing the claim presented by the complaining party.

ROOM:

The General Subdirectorate of Data Inspection proceeded to carry out
prior investigative actions to clarify the facts in
issue, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the

LOPDGDD, having knowledge of the following points:


BACKGROUND


Along with the claim, the complaining party provides the following emails:

    - Copy of email sent by soliobrera.secciontourline@gmail.com

       to ***USUARIO.1@grupoctc.com and to ***USUARIO.2@grupoctc.com with
       date 01/31/2022 with the text:

       “Last Friday when I got ready to sign out of my work day
       (method implemented from the beginning for registration and entry-exit control
       of workers in the Madrid-Coslada workplace), they inform me that they are leaving

       start clocking in with fingerprint access control and
       They have to take my samples, to which I ask what else are they going to give me?
       information and some document in which you consent to the treatment of this type
       of data and they tell me (to my surprise) that there is no[…]”


    - Provide a copy of the email sent by ***USUARIO.1@grupoctc.com
       dated 02/02/2022 with the text:

       “First of all, you were not properly informed when you asked in the
       service if there was information about the processing of the data, then yes,

       We have this information. Specifically, it is found on the portal of the
       CTC employee, portal to which you have access since you joined the
       company.
       On the other hand, and taking into account article 9 on the Legality of the treatment, it is not
       Express consent is necessary because the treatment is necessary for the
       compliance with obligations on the part of the businessman, as well as for the

       compliance with the exercise of the rights of the data controller.
       It is true that article 13 establishes a duty of information, and this duty is
       complies perfectly as the information is posted on the portal of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/51








       Employee (in the data protection policy). There you will see all the information
       regarding the person responsible for the treatment, purposes of data collection,
       recipients, conservation of data and the procedure for the exercise of

       rights.

       Secondly, you comment that article 64.5.f) authorizes you to issue a
       previous report. In this case, I regret to inform you that point 5 of the
       mentioned article, is related to work control (in a sense
       of content). In fact, the literal of the article stipulates the following: "the

       implementation and review of work organization and control systems,
       time studies, establishment of bonuses and incentives and valuation of
       jobs". In this case, it is a signing system through
       fingerprint, and the legality of this treatment is protected, not only by the
       article 6 GDPR 2016/679 EU, but also for compliance with a

       legal obligation such as time registration, regulated in article 34.9 of the
       Status of workers.
       For greater peace of mind, tell you that the fingerprint, in this case, does not
       acquires the category of special data because it is used only for
       authenticate that the person is who they say they are. Additionally, the
       fingerprint, but only a series of points that, via algorithm, provides a unique signature

       for that print. That is, by itself it does not represent the fingerprint, and is
       stored in a centralized system with restricted access.
       Regarding the reason for this signing system, it is the one that is being
       implementing in most CTC services, including central offices.
       Finally, and if after this explanation you still consider it necessary,

       We will send the results of the impact evaluation study (EIPD) that
       you asked us.
       […]”

During the proceedings, the following entity was investigated:


CTC EXTERNALIZACIÓN, S.L. with NIF B60924131 with address in PLAZA
EUROPA, 30 32. - 08902 L'HOSPITALET DE LLOBREGAT (BARCELONA) (in
forward CTC)


RESULT OF THE RESEARCH ACTIONS

General issues:


1. That in the event that the employee declines the use of his or her fingerprint for the registration process,
marking or the print is insufficiently good, the marking can be carried out
via RFID card.
2. That the fingerprint processing began on 12/29/2021 and ends
when the employment relationship with the employee ends. In that case, the fingerprint hash
is eliminated.

3. That there are 208 fingerprint readers installed in 117 work centers, all in
Spain.


Regarding the data protection information provided:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/51








4. They provide screenshots showing that the document with name
“POL RGPD CTC EXTER_2021.pdf” was published on 10/28/2021 associated with
a “cluster_id” = 66 which, according to them, refers to the employees to whom
the document is published.


5. They provide a screenshot of their systems where “cluster_id” = 66 appears
associated with the field “description”=”CTC company employees”.

6. Provide a copy of the email sent to ctc@grupoctc.com on 10/28/2021 with
subject “Updating CTC data protection policies OUTSOURCING
S.L.U.” where it consists:

       “[…]
       Through this communication we want to inform that CTC
       EXTERNALIZACIÓN S.L.U., in its obligation to comply with regulations, has
       proceeded to update its data protection policies regarding the
       processing of personal data. They can access through the

       Employee Portal, upon publication of the new policies:
       POL/RGPD CTC EXTER_2021: Employee data protection clause
       You must carefully read these clauses and click on your acceptance. in case
       If you have any questions, you can contact the Department of Protection of
       Data, via email: dpo@grupoctc.com
       […]”


7. The informative clause referred to above is provided where it appears as
Date: 03/02/2018, Update date: 10/26/2021 and the code “POL/RGPD CTC
EXTER_2021”. Likewise, there is information about:
       to. The legal framework
       b. The person responsible for the treatment

       c. Legitimation, this being the contractual employment relationship.
       d. Purposes of the treatment, these being to manage the employment relationship
       with employees, administrative accounting management, payroll preparation,
       prevention of occupational risks, training. It is reported that it is installed
       a fingerprint reader for office access.
       and. Recipients, which include:

       “The data will be communicated to public administrations (Social Security and
       Tax Agency) in compliance with labor regulations, labor mutual funds,
       to the labor consultancy company, to training companies and to entities
       banking for direct debit and payroll payment.
       Also between Group companies, to Client companies to which we lend
       our services, as well as to Suppliers who act as managers of the

       treatment and with whom treatment contracts have been duly signed.
       Data Protection.
       In the case of subcontracting, the worker authorizes the transfer of the data
       included in the TC's, to all those companies that are necessary to
       carry out subcontracting.

       If the Employee's task involves driving vehicles, the rights will be transferred.
       Employee data to the vehicle rental company, as well as to the
       Administration in the case of a fine for a traffic violation.”
       F. Employee's duty of confidentiality.
       g. Conservation of data, which includes:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/51








       “The data provided will be kept for the duration of the relationship.
       contractual and during the years necessary to comply with the obligations
       legal.
       Please remember that the use of the email account provided by the
       company, is strictly and limited for professional purposes and not for

       personal topics.
       The Employee agrees to use email and the Internet
       only for professional issues of a labor nature, expressly recognizing
       that the email account is the company's domain.
       It is also reported that the company, in the case of termination of employment, will have
       access to corporate email and equipment used by the Former Employee.”

       h. Rights.

This document “POL/RGPD CTC EXTER_2021” contains exclusively the
following specific reference to fingerprint processing:
       “[…]

       A fingerprint reader is installed for office access.
       […]”

8. Screenshots of their systems are provided showing that the
claimant has accessed (…)” on dates between 08/23/2021 and 12/16/2021. Consists
Likewise, the claimant has executed the “sign” action with respect to the object “POL06

2018 DATA PROTECTION CLAUSE” on 08/23/2021 10:20. Consists
Likewise, there is an “agreement_date” related to the claimant and the
document “POL06_2018_CLAUSULA.pdf” on 08/23/2021 10:20:16. It is clear that
The last “agreement_date” associated with the claimant was 08/23/2021.

9. A screenshot of the employee portal is provided where the

“Informative clause on the use of fingerprints to control the working day” and “Clause
Employee data protection”. Which consists of a button to the right of each
document with the text “Received” that, by clicking on it, marks the
document as “Received”.

10. That after receiving the transfer of the claim from the AEPD they published

the most detailed clause “Informative clause on the use of fingerprints to control the
working day”, which was sent by email.
Provide email sent on 03/22/2022 with this information clause.
This informative clause contains specific information on the treatment of
fingerprint with the sections of person responsible, legitimation, purpose, recipients,
conservation period, rights and security measures. What is included in this

information provided “This is an authentication/verification system, not a
ID."

In relation to the technical characteristics of the system and the contracts:


11. Using a single Windows Server 2016 server as a virtual machine
managed by CTC. (…). That the server is located in Spain.

Provide a copy of the order contract signed and dated 01/27/2023 between CTC and
***COMPANY.1) this being the person in charge of the treatment. This contract includes

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/51








that CTC has contracted with ***EMPRESA.1 for the implementation and
maintenance of the access control system and control of working hours through
fingerprint.

There is also another contract dated 09/29/2020 and signed between CTC and

***COMPANY.1 as a provider of control, access and presence software (...).

Provide contract with the hosting provider ***COMPANY.2. where the date is
11/27/2019. The object of the contract is not stated nor is the complete contract provided.
It appears in section “12 Personal data” in subsection “5)
Data processing responsibility of the Client, ***COMPANY.2 as in charge of the

treatment” that:

       “5) Data processing responsibility of the Client. ***COMPANY.2 as
       treatment manager
       Only in the event that ***COMPANY.2 had access to data from

       personal nature responsibility of the Client, and the provision of services
       contracted involves processing personal data on behalf of a
       responsible for the treatment, whether it is the Client or a third party that contracts the
       services of the Client directly or indirectly, ***COMPANY.2 will be
       considered, "in charge of the treatment" committing to comply with the
       obligations that correspond to it based on the nature and scope of the

       contracted services and by virtue of what is established in the regulations in force in
       matter of data protection, national or supranational.
       […]”

12. That fingerprint readers are (…).


Provide a document of technical specifications of the reader where it states that
supports (…).

13. That the fingerprint reader is a device that is located in an accessible area and
passage in which employees record the different markings throughout the
workday. To do this they can use their fingerprint and the system calculates the

hash that will be compared with the one registered at the time of activation in the
system (record of the initial hash of the fingerprint and association to the employee).

14. That the system is configured to perform a 1:N fingerprint comparison.
That (…) calculates the template and compares it with the ones stored. Yes
There is correspondence with some stored pattern, the reading is considered good.


Provides a diagram showing that after detecting the finger on the sensor and calculating the
pattern, there is the “Compare with stored patterns” process.

15. That the template is generated in the biometric module so the image of the

fingerprint is not stored or propagated to other systems. That at no time
saves the employee's fingerprint. That the response obtained by the module is the
template. That the biometric template is according to (…).



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/51








16. That the template is registered in the database. That a signal is sent to
propagate the template only to the devices where the employee works
labor.


17. That in relation to how it is guaranteed that the fingerprint captured is erased when
finish the recruitment process, states the following:
       “In no case is the fingerprint image saved since it is not obtained,
       The response obtained by the module is the template.
       All these procedures and criteria are based on the specific standard

       (...).”
The standard is not provided (...).

18. That in response to the requested information on the detailed description
step by step of the complete process followed by an employee to access your center

of work and clock the start of the work day using the reading devices of
fingerprint and, where appropriate, without using them, CTC states:
       “The fingerprint reader is a device that is located in an accessible and safe area.
       step in which employees record the different markings throughout the
       working day, for this they can use their fingerprint and the system calculates
       the hash that will be compared with the one registered at the time of its activation in

       the system (record of the initial hash of the fingerprint and association to the employee). A
       Once the system recognizes the hash, the marking type option is presented, e.g.:
       entry, exit or pause, the markings are synchronized with the central server
       through a private network. No further information is collected.
       The employee may need other ways to use the device (e.g. reading

       insufficiently good fingerprint) or decline the use of your fingerprint for the
       marking process, in both cases you can do it using an RFID card.”


Regarding the content of the database:


19. Provides extraction of its database where, for 100 records, the
data (…). It is verified that the “code” is made up of numbers and letters. (…). In
The extraction of this data shows that the hash of the fingerprint is in a table
different from the table where the employee identification data is found.


However, it has not been possible to verify the possible security measures that
They could be implemented to separate access to both tables.

20. Provides a screenshot of your systems showing a total of
***QUANTITY.1 employee fingerprints stored.


21. Provide an extract from the database with all unsubscribed users
of the system with ***QUANTITY.2 as well as another extract with the dates of deletion of
each footprint with ***QUANTITY.3.


It is verified that the employee discharge table has the ID field extracted from the
user.id field and the fingerprint deletion table has the USER_ID field. HE
checks that by searching for matches by the ID and USER_ID fields, to


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/51








***QUANTITY.4 employees, the leave date coincides exactly with the date of
fingerprint erasure.


It is also verified that there are fingerprint deletions prior to the date
12/29/2021. In total there are ***QUANTITY.5 fingerprint erasures prior to 12/29/2021:

Finally, it is verified that the first deletion of the fingerprint occurs on the date
03/25/2020


22. That in relation to the erasure of fingerprints, it states that biometric templates
are completely removed from the system in an automatic synchronization process
of employees (4 times a day). Since it is an automatic process, it is guaranteed
that the objective of data elimination is met.


In relation to the impact evaluation:

23. That justify compliance with data minimization, as well as the
analysis of necessity and proportionality and the process followed to ensure that the
Data collected is not used for any other purpose, stating the following:


       “We justify the application of the principle of minimization, in the sense that
       in each of the operations that constitute the treatment, data and
       operations are the minimum and necessary to address the purposes of the
       treatment. To make signing queries, it is necessary to have the hash
       of the fingerprint associated with the code and in relation to the name and surname of the

       Employee, otherwise there is no way to know who the
       workday. On the other hand, and in relation to the purpose of access control
       associated with occupational risk prevention issues, in the case of a
       emergency (e.g. fire, ...) it is necessary to know which people are
       within the facility.

       Regarding the weighting of the proportionality of the treatment, taking into account
       the following criteria:
       Suitability judgment: to achieve the objective of access control and
       working day, the system, through the fingerprint hash, has
       result that is appropriate for the purpose pursued. The effectiveness threshold that
       should be achieved to fulfill the purposes of the treatment, it must be

       practically 100%, it is about compliance with a legal obligation and
       ensure safety in the workplace. The effectiveness of this system,
       We consider that it helps us reach this threshold.
       Judgment of necessity: The correct control of the working day, as well as the
       access control to the service, is relevant and to achieve the purpose

       pursued, this system offers us greater reliability compared to others. HE
       They had used other systems, e.g. card signing, but after the
       experience with it, did not provide us with sufficient effectiveness for the
       pursued objective. Using the card system for signing in,
       We experienced that, on certain occasions, the card was transferred to another

       person who was not the owner of the same, with all the risks that they entail
       for job security and the inaccuracy of working hours registration.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/51








       We consider that there is no alternative treatment that is equally
       effective for achieving the intended purpose, aiming to facilitate as much as possible
       the use of the system by the employee, veracity of the records and job security

       Judgment of proportionality in the strict sense: When we carry out the assessment
       initial implementation of this system, we consider that the severity of the risk
       for the rights and freedoms of employees and interference with their
       Privacy was zero. Employee fingerprints are not stored
       They cannot be reproduced from the hashes either.
       On the other hand, considering the social benefit for the Employees,

       We appreciated that it was more positive and comfortable for them, avoiding
       situations e.g. when the card is lost, or forgotten in the vehicle...,
       producing delays in signings that hurt the most is the players themselves
       interested.
       Regarding Expiration: the treatment disappears at the moment it is

       suspends the employment relationship with the Employee. The hashes are removed.
       Regarding use for other purposes: The only function that the system allows
       with the use of the fingerprint is the registration of marking and/or access to the center, not
       enables no other access to employee data, nor is it used as part of
       identification for other systems or functionalities.”


In relation to access to readers, application server and database server
data and security in general:

24. That the readers cannot be accessed directly but through the
application or accessing the web embedded in the device, with only one

administration credentials. That the readers cannot be accessed from any
another point on the network other than from the server, since they have implemented
network restrictions.

25. That the application server is isolated from the domain. that only has

3 access users; “CLI.gruntc”, “CLI.***COMPANY.1”, “PRV.gruntc”.

Provides access logs to said server showing successful authentication
exclusively two of those users.

26. Provides access logs to the database server where they state that

“Account Name” users for whom no data has been provided, such as “DWM-
12”, “SRVINTEMO$” or “-“.

27. Provides access logs to the application that controls the system as well as the
users with access permissions to this application and deleted users. In these

The lists contain access to the application of the users “CTT”, “CTT Valencia”,
“Gestamp”, “...”, “Makro” which do not appear in the list of users with permission
of access to the application nor do they appear in the list of deleted users.

28. Provides documents on Procedures for accessing servers and applications,

as well as Procedure for registering and deleting system users.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/51








29. That in response to the request for justification of why it cannot
dispense with the direct association between the fingerprint hash and the name and
surnames, state:

       “The fingerprint hash is related to an employee code that could be

       sufficient to complete the day record, but clearly insufficient
       to be able to track markings in real time by
       those responsible for the center. Likewise, it would not allow control over the
       location of people (inside-outside) for risk prevention purposes
       labor.
       It should be noted that the device module, when comparing the hash in time

       Really, what is returned is the code. And it is from this, where all
       the functionalities, the hash does not intervene in any way in the
       process."

30. That in response to him proving how he prevents fingerprint data from being

reused for other purposes or by other responsible parties, states:
       “Biometric devices are inventoried with their data
       corresponding to installation, location, as well as its status. Devices
       removed by closure are recovered, contents deleted and stored
       for later use.
       Biometric data have no meaning in the installation, they do not provide

       interpretable or relevant information. The use of biometric data also
       is totally ruled out in any other use, its use as identification
       It does not provide us with value beyond collecting the markings in an agile way,
       easy for the employee and that allows fraudulent marking to be avoided. The hardware
       It is dedicated and cannot be used for a different use than that intended by the manufacturer.
       design."



CONCLUSIONS OF THE REPORT OF PREVIOUS ACTIONS OF
INVESTIGATION

1. There are clear indications that the user accessed a URL that could be that of the

employee portal, but there is no such evidence. It is clear that the claimant accepted
the data protection information document, but did so at an earlier date
to the last update of the information document. In this latest update of the
document contains specific information regarding fingerprint treatment, although only
making mention of said treatment with a phrase.


2. There is an email sent in October 2021 to the organization with the update
of the data protection information document.

3. There is another email sent, although already in March 2022, with more information
specific to fingerprint treatment.


4. In relation to the operation of the system, it works with a comparison
of 1:N fingerprints, however in the data protection information provided
It is clear that this is an authentication system, not an identification system.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/51








5. In relation to the deletion of fingerprints, there are hashes of deleted fingerprints with a date
prior to the first sending of information on data protection with information from the
treatment of fingerprints and also prior to the date on which they state that

treatment began.

6. In relation to system security:

       to. The identifying data of the
       employee and his fingerprint hash. CTC has not been required to

       justification of the security measures implemented to prevent a
       eventual unwanted association of this data, although it has been required
       justification of why they need the direct association between the data
       identifications and the fingerprint hash whose answer seems insufficient.


       b. The information provided by CTC confirms the access of some
       users who do not appear in the lists of users with access privileges
       provided, both to the application and to the database server.

       c. CTC has not proven how the erasure of the fingerprint is guaranteed
       after his capture.




FIFTH:

On May 12, 2023, the Director of the Spanish Agency for the Protection of
Data agreed to initiate sanctioning proceedings against the claimed party, for the alleged
violation of Article 35 of the GDPR, Article 32 of the GDPR and Article 13 of the GDPR,
typified in Articles 83.5 of the RGPD and Article 83.4 of the RGPD.


SIXTH:
Notified of the aforementioned initiation agreement in accordance with the rules established in the Law
39/2015, of October 1, of the Common Administrative Procedure of the

Public Administrations (hereinafter, LPACAP), the claimed party presented a written
of allegations in which, in summary, he states the following:

In relation to the imputation of article 13 of the RGPD for the lack of information to the
workers in relation to the implementation of a signing system through the

processing of biometric data, the claimed party is limited to reaffirming arguments
already exposed in the phase of previous investigation actions: (having corrected the
informative clause; the complaining party would have accessed the information content of the
clause; the adoption of additional and subsequent information measures; and the existence
of alternative systems to fingerprints for signing in


In relation to the violation of article 32, he alleges that the fingerprint is not stored
na. What the system does is convert the fingerprint into a numerical identifier; and that already
it would have been proven that users who should not access the data were
contraban unsubscribed, without being able to access the application.


Finally, nothing was alleged in relation to non-compliance with article 35 of the GDPR,
regarding the absence of a true impact evaluation.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/51









SEVENTH:

On November 2, 2023, a resolution proposal was formulated, proposing

      “FIRST That by the Director of the Spanish Data Protection Agency
      CTC EXTERNALIZACIÓN, S.L. is sanctioned, with NIF B60924131,


          - For a violation of Article 13 of the RGPD, typified in Article
          83.5 of the RGPD, with a fine of €200,000 (TWO HUNDRED THOUSAND EUROS).

          - For a violation of article 32 of the RGPD, typified in Article

          83.4 of the RGPD with a fine of €100,000 (ONE HUNDRED THOUSAND EUROS).


          - For a violation of article 35 of the RGPD, typified in Article
          83.4 of the RGPD, with a fine of €100,000.00 (ONE HUNDRED THOUSAND EUROS)


      SECOND That by the Director of the Spanish Data Protection Agency
      is ordered to CTC EXTERNALIZACIÓN, S.L., with NIF B60924131, which by virtue
      of article 58.2.d) of the RGPD, within a period of 6 months, prove that you have proceeded
      to compliance with the following measures:


      - Inform all workers appropriately, including all
      the extremes that have not been included until now, as detailed in the
      legal foundations of this proposal

      - Establish the necessary security measures to prevent access by
      personnel not expressly authorized, as well as to guarantee the erasure of the

      trace after his capture. Also to separate access to the tables that
      They contain the hash of the fingerprints and the identification data of the workers.

      - Prepare a data protection impact assessment that contains
      all the extremes provided for in article 35 of the RGPD, in particular taking

      take into account the defects pointed out in this proposal. “


EIGHTH:

Notified of the aforementioned proposed resolution in accordance with the rules established in the
Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), the claimed party presented a written
of allegations in which, in summary, he states the following:


In relation to the imputation of article 13 GDPR: in this regard, the defendant
limits itself to reiterating allegations already presented in the initial agreement:

    - Reiterates that CTC made corrections to the initial version of the clause
        data protection (date October 2021) for adequate information to users.

        workers.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/51








    - If any damage has been caused, the right of possible
        affected would have been fully guaranteed by the application of
        the subsequent informative measures adopted by CTC
    - Information on the processing of personal data related to the fingerprint
        fingerprint of CTC employees would have been available in advance

        to the start-up, which occurred in December 2021.
    - CTC established an information sign next to the signing devices and
        He also sent an informative email.
    - In any case there would not have been a total lack of information, but rather aspects that
        would need clarification


In relation to the imputation of article 32 GDPR:

    - It also reiterates what was already alleged in the investigation phase, about having identified
        ced to the companies involved in the establishment of the system and have
        provided documents on the technology used

    - Indicates that at the time a responsible declaration of the company was provided.
        sa INTEMO proving the fact that the fingerprint is not stored
    - As a novelty with respect to previous allegations, CTC provided a report
        bre user records in the system.
    - Access to the system, it states, would only be carried out by “technical users with
        purpose of controlling” the system


In relation to the imputation of article 35 GDPR

    - CTC reproduces what it considers to be the reproach made against him in the file
        directs, that it would only be, in his opinion, that the evaluation document of
        impact provided by the claimant would not constitute an “impact assessment”

        under the terms of the RGPD, as it suffers from substantial defects such as not determining
        undermine the purpose of the treatment or do not contain a judgment about the need
        ity and proportionality of the system.

    - Invokes various precedents of resolutions of this AEPD:



           o E/00793/2016: the defendant interprets this resolution in the sense of
               that, if the workers have been informed about the implementation of the system
               issue, the AEPD would not evaluate its suitability.
           o E/10900/2019: according to this resolution, the biometric access system

               This process can be implemented if there is a legal basis, even without consent.
               your workers
           or E/03925/2020. The AEPD, in the opinion of the defendant, would be accepting
               not a “similar” case in which there would be no Impact Assessment.


    - In relation to the principle of proportionality, he alleges that in the file
        previous PS/00050/2021 a fine of €20,000 was imposed for the violation of
        lack of impact evaluation, while in this case it would be
        sanctioning €100,000.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/51








Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:




                               PROVEN FACTS


FIRST.
A.A.A. (hereinafter, the claiming party) on February 14, 2022 presented
claim before the Spanish Data Protection Agency. The claim is directed
ge against CTC EXTERNALIZACIÓN, S.L. with NIF B60924131. The reasons why
basis of the claim are the following:


It is claimed that the entity CTC EXTERNALIZACIÓN, S.L. data has been requested
biometrics, the fingerprint, to employees with the purpose of implementing a system
transfer based on that data.


It is stated that at the time of taking the biometric data it was not communicated that the
information was in the employee portal, located in the most
hidden part of the application to which not all workers who work
They use the new signing system.


SECOND.
An email was sent to ctc@grupoctc.com on 10/28/2021 with subject
“Updating data protection policies CTC EXTERNALIZACIÓN S.L.U.”
where it consists:

       “[…]
       Through this communication we want to inform that CTC
       EXTERNALIZACIÓN S.L.U., in its obligation to comply with regulations, has
       proceeded to update its data protection policies regarding the
       processing of personal data. They can access through the

       Employee Portal, upon publication of the new policies:
       POL/RGPD CTC EXTER_2021: Employee data protection clause
       You must carefully read these clauses and click on your acceptance. in case
       If you have any questions, you can contact the Department of Protection of
       Data, via email: dpo@grupoctc.com

       […]”

THIRD.
On behalf of CTC, an informative clause is provided where the Date appears:

03/02/2018, Update date: 10/26/2021 and the code “POL/RGPD CTC
EXTER_2021”. This document contains exclusively the following specific reference:
cific to fingerprint processing:

      “[…]

      A fingerprint reader is installed for office access.
      […]”



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/51








ROOM.
There are screenshots of the CTC systems showing that the claimant
has accessed an application encoded as “com.ctc.portal[…]” on dates between

08/23/2021 and 12/16/2021. It is also clear that the claimant has carried out the action
tion “sign” regarding the object “POL06 2018 DATA PROTECTION CLAUSE” in
date 08/23/2021 10:20. It is also known that there is a related “agreement_date”
with the claimant and the document “POL06_2018_CLAUSULA.pdf” on date
08/23/2021 10:20:16. It is known that the last “agreement_date” associated with the claimant

It was on 08/23/2021.

FIFTH.

After receiving the transfer of the claim from the AEPD, CTC published a clause
more detailed information clause “Information clause for fingerprint use to control
the working day”, which was sent by email.

Provide email sent on 03/22/2022 with this information clause.


This informative clause contains specific information on the treatment of
fingerprint with the sections of person responsible, legitimation, purpose, recipients,
conservation period, rights and security measures. What is included in this information
information provided “This is an identity authentication/verification system.
tification.”


SIXTH.
The fingerprint reader is a device that is located in an accessible area and passes through.

which employees record the different markings throughout the work day.
To do this, they can use their fingerprint and the system calculates the hash that is compared.
will be equal to the one registered at the time of its activation in the system (hash registration
initial fingerprint and association to the employee).

The system is configured to perform a 1:N fingerprint comparison. It has the

CBM biometric module that calculates the template and compares it with the ones it has stored.
dined. If there is a correspondence with a stored pattern, consider
good reading.


SEVENTH.
The claimed party provides extraction of its database where, for 100
records, name data, surname, user ID, code, registration date, registration date
low, fingerprint hash. It is verified that the “code” is composed of numbers
groupers and letter. It is verified that the letter complies with the rule (...). In the extraction of es-

The data shows that the hash of the fingerprint is in a table different from the table
where the employee identification data is located. However, it is not
has been able to verify the possible security measures that could be implemented.
das to separate access to both tables.


EIGHTH.
In CTC systems there are a total of ***QUANTITY.1 fingerprints of
stored jobs. CTC provides an extract from the database with all users.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/51








rios deregistered from the system with ***QUANTITY.2 as well as another extract with the dates
erase cards for each fingerprint with ***QUANTITY.3.


It is verified that the employee discharge table has the ID field extracted from the
po user.id and the fingerprint erasure table has the USER_ID field. It is checked
than searching for matches by the ID and USER_ID fields, for ***QUANTITY.4 em-
employees exactly match the date of withdrawal with the date of deletion of the fingerprint.

It is also verified that there are fingerprint deletions prior to the date

12/29/2021. In total there are ***QUANTITY.5 fingerprint erasures prior to
12/29/2021. Finally, it is verified that the first erasure of the fingerprint occurs in the fe-
cha 03/25/2020


NINETH.
The readers cannot be accessed directly but through the application or
accessing the web embedded in the device, with a single ad credentials.
ministration. The readers cannot be accessed from any other point on the network
other than from the server, since they have network restrictions implemented.


TENTH.
The application server is isolated from the domain, and only has 3 users

access; “CLI.gruntc”, “CLI.***COMPANY.1”, “PRV.gruntc”.v CTC provides access logs
to said server where only two of those
users.



ELEVENTH.
The impact evaluation document provided by CTC contains the following:

       “We justify the application of the principle of minimization, in the sense that

       in each of the operations that constitute the treatment, data and
       operations are the minimum and necessary to address the purposes of the
       treatment. To make signing queries, it is necessary to have the hash
       of the fingerprint associated with the code and in relation to the name and surname of the
       Employee, otherwise there is no way to know who the

       workday. On the other hand, and in relation to the purpose of access control
       associated with occupational risk prevention issues, in the case of a
       emergency (e.g. fire, ...) it is necessary to know which people are
       within the facility.
       Regarding the weighting of the proportionality of the treatment, taking into account

       the following criteria:
       Suitability judgment: to achieve the objective of access control and
       working day, the system, through the fingerprint hash, has
       result that is appropriate for the purpose pursued. The effectiveness threshold that
       should be achieved to fulfill the purposes of the treatment, it must be
       practically 100%, it is about compliance with a legal obligation and

       ensure safety in the workplace. The effectiveness of this system,
       We consider that it helps us reach this threshold.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/51








       Judgment of necessity: The correct control of the working day, as well as the
       access control to the service, is relevant and to achieve the purpose
       pursued, this system offers us greater reliability compared to others. HE

       They had used other systems, e.g. card signing, but after the
       experience with it, did not provide us with sufficient effectiveness for the
       pursued objective. Using the card system for signing in,
       We experienced that, on certain occasions, the card was transferred to another
       person who was not the owner of the same, with all the risks that they entail
       for job security and the inaccuracy of working hours registration.

       We consider that there is no alternative treatment that is equally
       effective for achieving the intended purpose, aiming to facilitate as much as possible
       the use of the system by the employee, veracity of the records and job security
       Judgment of proportionality in the strict sense: When we carry out the assessment
       initial implementation of this system, we consider that the severity of the risk

       for the rights and freedoms of employees and interference with their
       Privacy was zero. Employee fingerprints are not stored
       They cannot be reproduced from the hashes either.
       On the other hand, considering the social benefit for the Employees,
       We appreciated that it was more positive and comfortable for them, avoiding
       situations e.g. when the card is lost, or forgotten in the vehicle...,

       producing delays in signings that hurt the most is the players themselves
       interested.
       Regarding Expiration: the treatment disappears at the moment it is
       suspends the employment relationship with the Employee. The hashes are removed.
       Regarding use for other purposes: The only function that the system allows

       with the use of the fingerprint is the registration of marking and/or access to the center, not
       enables no other access to employee data, nor is it used as part of
       identification for other systems or functionalities.”




                           FOUNDATIONS OF LAW

                                     I Competition


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/51








                                  II Previous questions

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is
the processing of personal data, since CTC

EXTERNALIZATION, S.L. carries out this activity in its capacity as responsible for the
treatment, given that it is the one who determines the purposes and means of such activity, by virtue
of article 4.7 of the RGPD: "Controller" or "responsible": the person
physical or legal entity, public authority, service or other body that, alone or together with
others, determine the purposes and means of the treatment; If the law of the Union or of the
Member States determines.


According to the data obtained in AXESOR, the business volume of the part
claimed for the 2020 financial year was (…).

Additionally, article 4.2 of the Regulation defines the “processing” of data

personal as “any operation or set of operations carried out on
personal data or sets of personal data, whether by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of enabling
access, collation or interconnection, limitation, deletion or destruction”


In this regard, it is worth referring to the distinction made by the interested party in his
claims about the difference between “identification” and “authentication” in relation
with the processing of biometric data. He states that a system would not be being used
of “identification” (that is, one that would determine the identity of the subject based on
fingerprint), but rather “authentication” (that is, one that verifies that the fingerprint is

corresponds to the one previously provided).

Two things must be meant in this regard. First of all, it is more than
It is doubtful that the system used in this case is an “authentication” system. The
installed fingerprint readers do not compare the subject's fingerprint with any
document or support that he uses at the time of signing, but what

does is compare said fingerprint, read at the time of signing, with the total fingerprints
previously registered by the workers. With this, the comparison is 1:N.

But, the most important thing is that since Guidelines 05/2022, of the CEPD, on
Facial Recognition Technologies, it is made clear that both systems
(identification and authentication) constitute a treatment of special categories of

personal information. In effect, section 12 of the Guidelines establishes the following:

       (12) While both functions – authentication and identification – are distinct, they
      both relate to the processing of biometric data related to an identified or
      identifiable natural person and therefore constitute a processing of personal data,

      and more specifically a processing of special categories of personal data.


      (12) While both functions – authentication and identification – are different,
      Both refer to the processing of biometric data related to a
      identified or identifiable person, and thus constitute a processing of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/51








      personal data, and more specifically the processing of special categories
      of personal data. (the translation is ours)


From the above it follows that the regime provided for in the RGPD for the categories
special personal data is applicable to this case.

  III Response to allegations regarding non-compliance with article 13 GDPR


In response to the allegations presented by the entity claimed in both the agreement
At the outset and in the proposed resolution the following should be noted:

In relation to the imputation of article 13 of the RGPD for the lack of information to the

workers in relation to the implementation of a signing system through the
processing of biometric data, the claimed party reiterates arguments already presented
in the phase of prior investigation actions:

    - The fact of having corrected the information clause for workers. To this
        In this regard, CTC expressly acknowledges having made the correction on the date

        after having received the claim through this Agency.

    - The complaining party would have accessed the informative content of the clause

    - The adoption of additional and subsequent information measures. Also, there

        located information posters next to the signing devices.

    - The existence of alternative systems to the fingerprint for the signing of
        employees, particularly through the use of an RFID card.


In the case at hand, it has been proven that the claimed party did not correctly inform

carefully about the treatment. The informative clause to which it refers and which
had been included in the company's “employee portal” in October 2021.
ce of important defects. These are also corroborated by the correction that was
made the version of the information clause, without date, but prepared after the request
information of this Agency and, as stated in the report of actions
previous, sent to workers in March 2022:


    - It does not include which treatments are the subject of said information clause. Of
        In fact, the only specific reference to the treatment of the fingerprint comes from a
        very brief mention in section 3 “A fingerprint reader is installed.
        lar for access to offices.” It does not indicate if it is activated or if it collects the fingerprint and,

        Of course, it does not include fingerprint data among those that are subject to
        treatment.

        By contrast, the later clause (March 2022) contains a reference
        specific to the treatment of the “fingerprint to control the working day”


        In this regard, it is important to note that the information clause seems
        refer to a plurality of treatments, which are included in a single
        document written in a very concise manner. They are not related

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/51








        treatments carried out, and for all of them a legitimizing basis applies, which
        It would be the execution of the contract. Furthermore, it states that the data processing
        personal is carried out for multiple purposes:


           o Manage the employment relationship with the company's employees.
           o Administrative accounting management of employee data.
           o Preparation of payrolls.

           o Prevention of occupational risks.
           o Training


    - In the first informative clause, joint information was made to

        what is assumed to have been multiple processing of personal data that
        lised the company. Well, for all of them the original document informed
        as a basis of legitimation simply the expression “Labor contractual relationship”
        boral”.


       However, in the later version, this has been corrected and, referring to
       specifically to the processing of the fingerprint, it is stated that the
       legitimation would come from “fulfillment of a legal obligation (article 34.9
       of the Workers' Statute), referring to the control of the working day.”
       As can be seen, a totally different legitimizing basis.


       In fact, after consulting the Registry of Treatment Activities provided by the
       claimed party, in the treatment “Access control and working day
       by fingerprint”, in the field “Legitimation of security operations”.
       treatment” includes “compliance with a legal obligation (article 34.9 of the
       Status of workers)".


       For all these reasons, the duty to inform the parties was not complied with in this regard.
       workers in the initial information that was provided. In this regard, you must
       Remember that the aforementioned article 13.2.e) of the RGPD establishes that
       find out about “whether the communication of personal data is a legal requirement

       or contractual, or a necessary requirement to enter into a contract, and if the
       interested party is obliged to provide personal data and is informed of the
       possible consequences of not providing such data.”

    - In relation to the data retention period, in the initial version of
        The information clause stated “The data provided will be kept

        while the contractual relationship lasts and during the years necessary to fulfill
        comply with legal obligations.” Furthermore, as indicated above,
        ba, in relation to the multiple treatments that were carried out. However,
        The later version clarifies the conservation and blocking periods.
        queo, also specifying the total period in years “The data will be kept

        while the employment relationship lasts. The data regarding the working day is
        will remain blocked and pseudonymized for as long as required for compliance.
        legal ment (4 years.)”




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/51








    - Neither in the initial version of the clause nor in the later version is information about the right
        right to file a claim with the Control Authority (art. 13.2.d) of the
        GDPR).


In relation to the alleged voluntary nature of the use of the signing system with
fingerprint, remember that it is not the object of this file to elucidate whether
whether or not workers were forced to use that system. With
independence of the legitimacy regarding the processing of personal data or
the possible obligation regarding its supply, was the obligation of the person responsible for the

treatment comply with its information duties established in article 13 of the
GDPR.

For all these reasons, it cannot be considered that the claimed party has complied with its
information obligations of article 13 of the GDPR. It is also striking that

the text of the email sent by the company makes only a reference
to the “updating of its data protection policies”, without any reference to the
implementation of a fingerprint signing system (which will surely
would have encouraged consultation of the information clause which, from what has been seen, was
totally defective).


  IV Response to allegations regarding non-compliance with article 32 GDPR

In relation to this violation, relating to the lack of security measures in the

processing of biometric data, CTC alleges the following:

Firstly, regarding the processing of the fingerprint data, it is stated that the image
The fingerprint is not stored. What the system does is convert the fingerprint into
a numerical identifier. In this way, when the worker clocks in, that

identifier with the one previously assigned to said fingerprint. With this, the fingerprint does not
could be reproduced from that numerical identifier. In this regard, it provides a
certificate from the company IDEMIA IDENTITY & SECURITY FRANCE SAS stating
that “there is no way to recover the templates in case of theft, since it is impossible
recreate an image of a footprint from the typical points.”


In relation to this allegation, it should be noted that the imputation of the violation of the
Article 32 is not based on the factor alleged by the defendant, but on what is reflected in the
initiation agreement, that is:

      “b. The information provided by CTC confirms the access of some

      users who do not appear in the lists of users with access privileges
      provided, both to the application and to the database server.

      c. CTC has not proven how the erasure of the fingerprint is guaranteed after its
      capture.


      d. As detailed in the report of previous investigation actions, in
      The extraction of the data shows that the hash of the fingerprint is in a
      table different from the table where the identifying data of the
      employees. However, it has not been possible to verify the possible measures of


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/51








      security that could be implemented to separate access to both
      boards."


In relation to access to the application that controls the system, of which this
Agency has deduced that access could occur by users who did not have
permits for this, it is stated in the allegations that in the documents that were
provided during the inspection period, it would have already been proven that said
Users were unsubscribed, without being able to access the application.
In addition, they point out that the security and safety policies were also contributed by them.

information.

Regarding the issue of access by users who would not have permissions,
The following can be noted, analyzing the documentation provided by the interested party
in their allegations to the initiation agreement.


    - It is noted that, as CTC states, the “CTT” users are eliminated,
       “CTT Valencia”, “Gestamp”, “…” and “Makro”. With this, it cannot be stated that
       With respect to these users, improper access occurs.

    - In relation to the user “DWM-12”, there is a screenshot of the

       ted by the interested party, with the letterhead “Log File Viewer – SRVINTEMO” but
       It does NOT appear in the file called “21.a.3 AccessesSQLSERVER.log”.
       With this, it is possible that this user appears in the server log but NOT the
       database log. Therefore, the explanation provided could be considered valid.
       related to being an account that is automatically generated when

       a remote desktop session is started and therefore it can be deduced that it is not
       what to be an account that is actually accessing the database.

    - On the contrary, the Users “SRVINTEMO$” or “-“ do appear in the file
       named “21.a.3 AccessesSQLSERVER.log”, that is, where it is assumed that

       There are accesses to the database server and they also appear associated with
       two to the message “An account was successfully logged on”. These users do not
       had been identified in the response to the request for institutional licenses.
       pection. In any case, the allegations do not explain in sufficient detail
       ll and clarify the matter. They only include a somewhat ambiguous phrase about the
       character of the user (“In the case of users who have not been provided

       data, such as "SRVINTEMO$" or “-“ are not user or system accounts,
       It is simply information that appears in the log generated by the system itself.
       operational issue.”)

       No evidence is provided in this regard, such as the list of

       users who are registered with access to the database or confirmation
       that the file “21.a.3 AccesosSQLSERVER.log” refers to access logs
       to the database.

Subsequently, in his arguments to the proposed resolution, the defendant has

provided a technical report about accesses and users. From this we conclude
following:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/51








The defendant affirms that, in the response to the Inspection's request, what was
attached would have been an extraction from the Windows event log that included
all accesses. It is understood that what they contributed in response to the request

They were not specific accesses to SQL Server, although they did identify it as such in
Your day. Furthermore, it appears that the information provided in response to the request
It was cut off since it was a screenshot and in this report it would be contributed
more completely.

Well, from all the documentation provided throughout the file

(relative to the users “DWM-12”, “-“, “SRVINTEMO$” with respect to which no
clearly determined who they were, it seems, according to the explanation given in
allegations and associated with screenshots also provided now, which are
linked to accesses from the user “CLI.gruntc”, if previously declared as
legitimized for access.


Likewise, some specific accesses to SQL Server are also attached and in these
You can see accesses from the users “sa” and “SRVINTEMO$” and “SQLTELEMETRY”. The
users are declared, according to the screenshot also provided now,
except the “SRVINTEMO$” account. But regarding this account “SRVINTEMO$”
It can be assumed that something similar to what has already been explained will happen with respect to the other log of the

contributed server, and where you could see that that same account was actually
linked to a user who was declared.

Therefore, after analyzing all the information and documentation provided now, there is no
the access of some users who do not appear can be determined with complete certainty.

in the lists of users with facilitated access privileges, both to the application
as well as the database server. As will be seen later, this factor is taken
taken into account for the reduction of the amount of the penalty for violation of the
article 32.


Finally, it must be noted that nothing has been alleged in relation to the rest of
imputed facts that were contained in the agreement that initiated this file. To this
In this regard, we remember that the following was indicated:

      “c. CTC has not proven how the erasure of the fingerprint is guaranteed
      after his capture.


      d. As detailed in the report of previous actions of
      investigation, in the extraction of the data it is clear that the fingerprint hash was
      found in a different table than the table where the data is located
      employee identification. However, it has not been possible to verify the

      possible security measures that could be implemented to separate the
      access to both tables.”



  V Response to allegations regarding non-compliance with article 35 GDPR


In relation to this non-compliance, CTC alleges the following: firstly, it invokes di-
preceding verses of resolutions of this AEPD:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/51









    - E/00793/2016: the defendant interprets this resolution in the sense that, if
        workers have been informed about the implementation of the system, the AEPD

        I would not go into evaluating its suitability.

       In relation to this case, it should be noted that it prosecutes a case that occurred
       before the entry into force of the current GDPR. And in this Regulation it is
       Two obligations are perfectly established and differentiated. By a
       part, the information to the owners of the personal data of the data that

       they are going to be treated and their conditions (art. 13). And on the other hand, the need to
       passing an impact assessment relating to data protection, in
       which includes “an evaluation of the necessity and proportionality of the
       processing operations with respect to their purpose” (art. 35.7.b).


       In any case, it cannot be said that mere information to workers can
       could be a legitimizing basis for the installation of the biometric system. And all
       this without prejudice to the fact that in the present file it is also sanctioned by the
       absence of information, thus not even that requirement, which indicates that
       would be enough, it would have been fulfilled.


    - E/10900/2019: according to this resolution, it is alleged that the biometric system
        access could be implemented if there is a legal basis, even without consent
        workers.

       In this regard, it is noted that article 6.1 of the RGPD establishes what are

       the different bases of legitimacy for the processing of personal data.
       Consent (letter a) of said article) is only one of them, and may
       effectively occur others such as the execution of a contract, compliance
       of a legal obligation or even the existence of a legitimate interest that must
       be considered.And that in addition, for the treatment of special categories of damage

       personal coughs, an exception to those in section 2 is required.
       of article 9 of the GDPR.

       However, the concurrence of an exception from article 9.2 of the RGPD together
       with a basis of legitimation of those of article 6 of the RGPD, in no way
       exempts from compliance with the rest of the obligations established by the RGPD. AND

       One of them consists of preparing and passing an evaluation of im-
       data protection agreement in the cases established in said Regulation-
       ment, among which is the treatment that is being subject to
       this file.


       With this, it cannot be affirmed that the mere existence of a legitimizing basis
       exempts from the necessary completion and passing of the impact evaluation of
       data protection in the legally provided cases.

       Furthermore, the resolution that puts an end to this file bases its motivation

       in the old differentiation, in order to determine the treatment of categories
       special categories of personal data, between “identification” and “authentication” to
       determining identity in fingerprint signing systems


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/51








       As has been sufficiently explained in the second foundation of
       This resolution, based on CEPD Guidelines 05/2022, on recognition
       facial treatment, the distinction between both types of treatments has disappeared,

       considering in any case the existence of a treatment of specific categories.
       special personal data.


    - E/03925/2020. The AEPD, in the opinion of the defendant, would be accepting a
       “similar” assumption in which there would be no DPIA.


       Analyzing the procedure invoked, it is observed that it is a resolution
       tion of file of actions, in which the aforementioned file was due to
       that the data protection impact assessment had been prepared and
       surpassed Thus, the resolution states the following:


       “The complainant has attached a copy of the extensive Impact Assessment carried out.
       zada for the processing of the fingerprint.

       Therefore, it has been proven that the actions of the defendant, as an entity
       responsible for the treatment, has been in accordance with the regulations on protection

       of personal data analyzed in the previous paragraphs.”

       Consequently, this assumption has nothing to do with the fact that it was developed and su-
       The impact evaluation was carried out, with the defendant in the present file.


In relation to the principle of proportionality, the defendant alleges that in the
file of this Agency PS/00050/2021, a fine of €20,000 was imposed for the
infringement of lack of impact assessment, while in this case it would be
sanctioning €100,000.

It is necessary to indicate in this regard that article 83.4 of the RGPD establishes that the

The amount of the penalty will take into account the business volume of the defendant. To this
In this regard, as reflected in this resolution, it has been found that the
turnover of the claimed party is (…).l while the income of the
sanctioned in PS/00050/2021 were considerably lower. For the rest, the
The rest of the circumstances taken into account for the graduation of the sanction are

different in both cases.

Additionally, it should be noted that in accordance with the provisions of article 83.1 of the
GDPR, the supervisory authorities will ensure that the imposition of fines
administrative procedures under that Regulation must be in each individual case

effective, proportionate and dissuasive.

Its section 2 adds that “Administrative fines will be imposed, depending on the
circumstances of each individual case, in addition to or substitute for the measures
referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding the tax
of an administrative fine and its amount in each individual case will be taken

due account:"



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/51









              VI Unfulfilled information obligation. Article 13 GDPR



Article 13 of the GDPR states the following:

      Information that must be provided when personal data is obtained from the

      interested

      1. When personal data relating to him or her are obtained from an interested party, the
      responsible for the treatment, at the time these are obtained,
      will provide all the information indicated below:


      a) the identity and contact details of the person responsible and, where applicable, their
      representative;

      b) the contact details of the data protection officer, if applicable;


      c) the purposes of the processing for which the personal data are intended and the basis
      legal treatment;

      e) the recipients or categories of recipients of the personal data, in
      Their case;


      f) where applicable, the intention of the controller to transfer personal data to a
      third country or international organization and the existence or absence of a
      adequacy decision of the Commission, or, in the case of transfers
      indicated in Articles 46 or 47 or Article 49, paragraph 1, second subparagraph,

      reference to adequate or appropriate guarantees and to the means of obtaining
      a copy of these or to the place where they have been made available.

      2. In addition to the information mentioned in section 1, the person responsible for the
      treatment will provide the interested party, at the time the data is obtained
      personal, the following information necessary to guarantee a treatment of

      loyal and transparent data:

      a) the period during which the personal data will be kept or, when it is not
      possible, the criteria used to determine this period;


      b) the existence of the right to request from the data controller access to
      the personal data relating to the interested party, and its rectification or deletion, or the
      limitation of your treatment, or to oppose the treatment, as well as the right to
      data portability;


      c) when the processing is based on Article 6, paragraph 1, letter a), or the
      Article 9, paragraph 2, letter a), the existence of the right to withdraw the
      consent at any time, without affecting the legality of the
      treatment based on consent prior to its withdrawal;

      d) the right to file a claim with a supervisory authority;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/51









      e) if the communication of personal data is a legal or contractual requirement, or
      a necessary requirement to sign a contract, and if the interested party is obliged

      to provide personal data and is informed of the possible consequences
      not to provide such data;

      f) the existence of automated decisions, including profiling,
      referred to in Article 22, paragraphs 1 and 4, and, at least in such cases,
      significant information about the logic applied, as well as the importance and

      foreseen consequences of said processing for the interested party.

      3. When the data controller plans the subsequent processing of
      personal data for a purpose other than that for which it was collected,
      will provide the interested party, prior to said further processing,

      information about that other purpose and any additional information relevant to
      tenor of section 2.

      4. The provisions of paragraphs 1, 2 and 3 shall not apply when and in the
      to the extent that the interested party already has the information.


In that sense, Recital 60 of the GDPR says that “The processing principles
loyal and transparent require that the interested party be informed of the existence of the operation.
tion of treatment and its purposes. The data controller must provide the interested party
provided as much complementary information as is necessary to guarantee treatment
fair and transparent, taking into account the specific circumstances and context in

personal data are processed. The interested party must also be informed of the
existence of profiling and the consequences of such profiling.
If personal data is obtained from data subjects, they must also be informed
whether they are obliged to provide them and the consequences if they do not do so.
ran.”


In the case at hand, it can be proven that the claimed party did not inform
correctly about the treatment. The informative clause referred to and
which would have been included in the company's “employee portal” in October 2021
suffers from important defects. These are also corroborated by the correction that
The version of the informative clause was made, without date, but prepared after the

information requirement of this Agency and as stated in the report of
Previous actions sent to workers in March 2022:

    - It does not include which treatments are the subject of said information clause. Of
        In fact, the only specific reference to the treatment of the fingerprint comes from a

        very brief mention in section 3 “A fingerprint reader is installed
        “fingerprint for access to offices.” It does not indicate if it is activated or if it collects the fingerprint
        and, of course, it does not include the fingerprint data among those who are the object
        of treatment.


        By contrast, the later clause contains a specific reference to
        treatment of the “fingerprint to control the working day”



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 32/51








       In this regard, it is important to note that the information clause seems
       refer to a plurality of treatments, which are included in a single
       document written in a very concise manner. They are not related
       treatments carried out, and for all of them a legitimizing basis applies, which
       It would be the execution of the contract. Furthermore, it states that the data processing

       personal is carried out with multiple purposes:

           o Manage the employment relationship with the company's employees.
           o Administrative accounting management of employee data.

           o Preparation of payrolls.
           o Prevention of occupational risks.
           o Training



    - In the first informative clause, joint information was made to
       which were supposed to be multiple processing of personal data that
       the company carried out. Well, for all of them the original document
       reported as a basis of legitimation simply the expression “Relationship
       labor contract.”


       However, in the later version, this has been corrected and, referring to
       specifically to the processing of the fingerprint, it is stated that the
       legitimation would come from “compliance with a legal obligation (article 34.9 of the
       Workers' Statute), referring to the control of the working day.” As
       It is observed, a totally different legitimizing basis.


       In fact, after consulting the Registry of Treatment Activities provided by the
       claimed party, in the treatment “Access control and working day
       by fingerprint”, in the field “Legitimation of security operations”.
       treatment” includes “compliance with a legal obligation (article 34.9 of the
       Status of workers)".


       For all these reasons, the duty to inform the parties was not complied with in this regard.
       workers in the initial information that was provided. In this regard, you must
       Remember that the aforementioned article 13.2.e) of the RGPD establishes that
       find out about “whether the communication of personal data is a legal requirement
       or contractual, or a necessary requirement to enter into a contract, and if the

       interested party is obliged to provide personal data and is informed of the
       possible consequences of not providing such data”

    - In relation to the data retention period, in the initial version of
       The information clause stated “The data provided will be kept
       for the duration of the contractual relationship and for the years necessary to

       comply with legal obligations.” Furthermore, as has been indicated more
       above, in relation to the multiple treatments that were carried out. Without
       However, in the later version it is clarified what the periods of
       conservation and blocking, also specifying the total period in years “The data
       They will be kept for the duration of the employment relationship. The data regarding the
       working day will be kept blocked and pseudonymized for the duration.

       required for legal compliance (4 years.)”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/51









    - Neither in the initial version of the clause nor in the later version is information about the
        right to file a claim with the Control Authority (art. 13.2.d)


For all these reasons, it cannot be considered that the claimed party has complied with its
information obligations of article 13 of the GDPR. It is also striking that
the text of the email sent by the company makes only a reference
to the “updating of the update of its data protection policies”, without
no reference to the implementation of a fingerprint signing system

(which would surely have encouraged consultation of the information clause that, for
what has been seen, was totally defective)



  VII Lack of information. Article 13 GDPR Typification and qualification of the infringement

In accordance with the evidence available at the present time of the
sanctioning procedure, it is considered that the claimed party has omitted the
information related to the data processing carried out, thereby violating the article

13 of the GDPR.

The known facts constitute an infringement, attributable to the party
claimed typified in article 83.5 of the RGPD which stipulates the following:


"5. Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:


b) the rights of the interested parties under articles 12 to 22;”

For the purposes of the limitation period for infringements, the alleged infringement
prescribes after three years, in accordance with article 72.h). of the LOPDGDD, which qualifies as
The following behavior is very serious:


“h) The omission of the duty to inform the affected party about the processing of their data
personal in accordance with the provisions of articles 13 and 14 of the Regulation (EU)
2016/679 and 12 of this organic law.”



                 VIII Lack of information. Article 13 GDPR. Sanction


This violation can be punished with a fine of a maximum of €20 million or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for the
of larger amounts, in accordance with article 83.5 of the RGPD.

Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the

following criteria established by article 83.2 of the RGPD:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 34/51








    - The duration of the violation. It would have lasted at least
       from October 2021 (date of submission of the original clause) until March
       2022 (containing the revised version) (art. 83.2.a) of the GDPR).


    - The category of personal data affected by the infringement. It must be kept in
       Keep in mind that the fingerprint is biometric data and in accordance with article 9 of the
       GDPR are considered special categories of data “the processing of
       biometric data aimed at uniquely identifying a person
       physics,” (article 83.2.g) of the RGPD)


According to these criteria, it is estimated that the corresponding sanction is a fine.
TWO HUNDRED THOUSAND EUROS (€200,000)



      IX Lack of security measures. Article 32 GDPR. Unfulfilled obligation

With regard to the application of data protection regulations to the case
raised, it must be taken into account that the RGPD, in its article 32, requires

responsible for the treatment, the adoption of the corresponding measures of
necessary security to guarantee that the treatment complies with the regulations
in force, as well as ensuring that any person acting under the authority of the
responsible or the person in charge and has access to personal data, can only process it
following instructions from the person in charge.


Article 32 “Security of processing” of the GDPR establishes:

"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the processing, as well as risks of

variable probability and severity for people's rights and freedoms
physical, the person responsible and the person in charge of the treatment will apply technical and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which, if applicable, includes, among others:

       a) pseudonymization and encryption of personal data;


       a) the ability to guarantee the confidentiality, integrity, availability and
           permanent resilience of treatment systems and services;

       a) the ability to restore availability and access to data

           personnel quickly in the event of a physical or technical incident;

       b) a process of regular verification, evaluation and assessment of effectiveness
           of the technical and organizational measures to guarantee the security of the
           treatment.


2. When evaluating the adequacy of the security level, particular consideration will be given to
takes into account the risks presented by data processing, in particular as
consequence of the accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 35/51









3. Adherence to a code of conduct approved pursuant to Article 40 or to a
certification mechanism approved pursuant to article 42 may serve as an element

to demonstrate compliance with the requirements established in section 1 of the
present article.

4. The controller and the person in charge of the treatment will take measures to ensure that
any person acting under the authority of the person responsible or in charge and
has access to personal data can only process said data following

instructions of the person responsible, unless it is obliged to do so by virtue of the Law of
the Union or the Member States.”

Article 32 does not establish static security measures, but will correspond to the
responsible for determining those security measures that are necessary to

incorporate the ability to ensure confidentiality, integrity and
availability of personal data, therefore, the same data processing
may involve different security measures depending on the specificities
specific conditions in which said data processing takes place.

In line with these provisions, Recital 75 of the GDPR establishes:

risks to the rights and freedoms of natural persons, serious and
variable probability, may be due to data processing that could cause
physical, material or immaterial damages, particularly in cases where
that the treatment may give rise to problems of discrimination, usurpation of
identity or fraud, financial loss, reputational damage, loss of

confidentiality of data subject to professional secrecy, unauthorized reversal of the
pseudonymization or any other significant economic or social harm; in the
cases in which the interested parties are deprived of their rights and freedoms or are
prevents you from exercising control over your personal data; in cases where the data
processed personal reveals ethnic or racial origin, political opinions, religion

or philosophical beliefs, militancy in unions and the processing of genetic data,
data relating to health or data on sexual life, or convictions and offenses
criminal or related security measures; in cases in which they are evaluated
personal aspects, in particular the analysis or prediction of aspects related to the
performance at work, economic situation, health, preferences or interests
personal, reliability or behavior, situation or movements, in order to create or

use personal profiles; in cases in which personal data of
vulnerable people, particularly children; or in cases where the treatment
involves a large amount of personal data and affects a large number of
interested.


Likewise, Recital 83 of the GDPR establishes: In order to maintain the security and
prevent the processing from infringing the provisions of this Regulation, the
responsible or the person in charge must evaluate the risks inherent to the treatment and
apply measures to mitigate them, such as encryption. These measures must guarantee a
appropriate level of security, including confidentiality, taking into account the

state of the art and the cost of its application with respect to the risks and
nature of the personal data that must be protected. When assessing the risk in
Regarding data security, the risks involved must be taken into account.
arise from the processing of personal data, such as the destruction, loss or

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 36/51








accidental or illicit alteration of personal data transmitted, preserved or processed
otherwise, or unauthorized communication or access to said data, susceptible
in particular of causing physical, material or immaterial damages. (he

emphasis is ours)

In short, the first step to determine the security measures will be the
Risk assessment. Once evaluated, it will be necessary to determine the measures of
security aimed at reducing or eliminating risks for the treatment of
data.


The principle of data security requires the application of technical measures or
appropriate organizational measures in the processing of personal data to protect
said data against access, use, modification, dissemination, loss, destruction or damage
accidental, unauthorized or unlawful. In this sense, security measures are

keys when it comes to guaranteeing the fundamental right to data protection. It's not
possible the existence of the fundamental right to data protection if it is not possible
guarantee their confidentiality, integrity and availability.

It should not be forgotten that, in accordance with article 32.1 of the aforementioned GDPR, the
technical and organizational measures to apply to incorporate the capacity to guarantee

a level of security appropriate to the risk must take into account the state of the
technical, implementation costs, nature, scope, context and purposes of the
treatment, as well as the risks of varying probability and severity for the
rights and freedoms of natural persons.


Therefore, the claimed party, when evaluating the risks and determining the
appropriate technical and organizational measures to include the ability to ensure a
level of security appropriate to the risk, is obliged to take into account the specific
activity carried out and the type of data processed.


Therefore, derived from the activity to which it is dedicated, the claimed party is obliged
to carry out a highly specialized risk analysis and implementation of
appropriate technical and organizational measures to ensure a level of security
appropriate to the risk of its activity for the rights and freedoms of people.

In the present case, in the course of the investigation carried out by this Agency, it has been

was able to verify the following in relation to the security of the system:

       to. The identifying data of the
       employee and his fingerprint hash.


       b. CTC has not proven how the erasure of the fingerprint is guaranteed
       after his capture.

       c. As detailed in the report of previous actions of
       investigation, in the extraction of the data it is clear that the fingerprint hash was

       found in a different table than the table where the data is located
       employee identification. However, it has not been possible to verify the
       possible security measures that could be implemented to separate the
       access to both tables.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 37/51









With this, the claimed party has not proven the existence of technical measures and
organizational in relation to the security of the processing of personal data.




 X Typification and qualification for the purposes of the prescription of the violation of the article

                                     32 of the GDPR

The aforementioned violation of article 32 of the RGPD implies the commission of the violations
typified in article 83.4 of the RGPD that under the heading “General conditions

for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for

the largest amount:

       a) the obligations of the controller and the processor pursuant to Articles 8,
           11, 25 to 39, 42 and 43; (…)”


In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”


For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:

“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the

following:

f) The lack of adoption of those technical and organizational measures that result
appropriate to guarantee a level of security appropriate to the risk of the treatment,
in the terms required by article 32.1 of Regulation (EU) 2016/679.”


                 XI Lack of security measures article 32 RGPD.



This violation can be punished with a fine of a maximum of €10 million or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for the
of larger amounts, in accordance with article 83.4 of the RGPD.


Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following criteria established by article 83.2 of the RGPD:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 38/51








    - Duration of the violation. It would have lasted at least since
        October 2021 (date of sending the original clause), without the inspector
        would have confirmed his termination at any time. (art. 83.2.a) of the RGPD).


    - The category of personal data affected by the infringement. It must be kept in
        Keep in mind that the fingerprint is biometric data and in accordance with article 9 of the
        GDPR are considered special categories of data “the processing of
        biometric data aimed at uniquely identifying a person
        physical,". In this regard, the risk situation created by the lack of measures

        security is superior with respect to data that is not considered
        (article 83.2.g) of the RGPD).

Both in the initiation agreement and in the proposed resolution of this file
included as one of the breaches within this infraction the fact that

In the information provided by CTC, the access of some users who
were not included in the lists of users with access privileges provided, both to
the application as well as the database server.

However, throughout this file, the defendant has provided information and
documentation that have led to the conclusion that the

access of some users who do not appear in the lists of privileged users
facilitated access, both to the application and to the database server.

Consequently, although the initial agreement of this resolution proposed a
penalty of €100,000 for non-compliance with article 32, after assessment

mentioned, the amount is set at SIXTY-FIVE THOUSAND EUROS (€65,000).


     XII Impact assessment relating to data protection. Article 35 GDPR

                                 Unfulfilled obligation

Obligation to carry out and pass a data protection impact assessment.


Article 35.1 of the GDPR states that “When it is likely that a type of
processing, particularly if it uses new technologies, due to their nature, scope,
context or purposes, entails a high risk for the rights and freedoms of people
physical, the person responsible for the treatment will carry out, before the treatment, an evaluation
of the impact of processing operations on the protection of personal data.

A single evaluation may address a series of similar treatment operations
that entail similar high risks.”

Section 3 of said article 35 contains the cases in which the
preparation of the impact evaluation:


“a) systematic and exhaustive evaluation of personal aspects of natural persons
that is based on automated processing, such as profiling, and on
on the basis of which decisions are made that produce legal effects for people
physically or that significantly affect them in a similar way;



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 39/51








b) large-scale processing of the special categories of data referred to in the
Article 9(1) or personal data relating to convictions and offenses
criminal offenses referred to in article 10, or


c) large-scale systematic observation of a publicly accessible area.”

In this procedure, the need to prepare an impact evaluation of
data protection is not questioned by the defendant, who has also sent the
prepared in relation to this treatment. Article 35.7 GDPR includes the content

minimum you must have:

“a) a systematic description of the planned treatment operations and the
purposes of the processing, including, where applicable, the legitimate interest pursued by the
responsible for the treatment;


b) an assessment of the necessity and proportionality of the operations of
processing with respect to its purpose;

c) an assessment of the risks to the rights and freedoms of the data subjects to
referred to in section 1, and


d) the measures planned to address the risks, including guarantees, security measures
security and mechanisms that guarantee the protection of personal data, and to
demonstrate compliance with this Regulation, taking into account the
rights and legitimate interests of the interested parties and other affected persons.”


Before implementing data processing based on this intrusive technology, it is
It is also necessary to previously audit its operation, not in isolation but in the
framework of the specific treatment in which it is going to be used.


The personal data protection impact assessment, DPIA, then appears
as the tool required by the GDPR to ensure compliance with this
aspect of the treatment, as established in the aforementioned section 1 of the
Article 35 of the GDPR.

The processing of biometric data is a high-risk treatment, by virtue of the

provided for in article 35.4 of the RGPD, so it must be assumed that the
treatment carried out in this case by CTC should have been preceded by the
carrying out and passing a valid impact evaluation, which included, as
minimum the sections provided for in article 35.7 of the RGPD. This implies that it is not enough
with carrying out a DPIA, but will have to be passed to comply with the RGPD.


For these purposes, this Agency has published the document called “Lists of
types of data processing that require impact assessment relating to the
Data Protection". This list is based on the criteria established by the Group of
Work of Article 29 in the guide WP248 “Guidelines on impact assessment

regarding data protection (DPIA) and to determine whether the processing "involves
“probably a high risk” for the purposes of the GDPR”, complements them and should
be understood as a non-exhaustive list. Inside it is:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 40/51








"5. Treatments that involve the use of biometric data for the purpose of
uniquely identify a natural person.”


This evaluation will be done prior to the start of treatment, without prejudice to
that should be understood as a continuous or periodic evaluation, in the sense
established by article 35.11 of the GDPR, which provides: “If necessary, the
responsible will examine whether the treatment complies with the impact assessment
regarding data protection, at least when there is a change in the risk that
represent the treatment operations.”


A DPIA must comply with the requirements or minimum content related to the
Article 35.7 of the GDPR, which provides:

“The evaluation must include at least:


    a) a systematic description of the planned processing operations and of
       the purposes of the processing, including, where applicable, the legitimate interest
       pursued by the data controller;
    b) an assessment of the necessity and proportionality of the operations of
       processing with respect to its purpose;

    c) an assessment of the risks to the rights and freedoms of data subjects
       referred to in section 1, and
    d) the measures planned to address the risks, including guarantees, measures
       security and mechanisms that guarantee the protection of personal data,
       and to demonstrate compliance with this Regulation, taking into account

       the rights and legitimate interests of the interested parties and other persons
       affected.”

In short, overcoming a DPIA requires that the person responsible for a treatment
high risk document in writing that it passes the suitability assessment,

necessity and proportionality of the treatment, and that manages from the design the
specific risks of the treatment, with the practical application of measures aimed at
them in a way that guarantees an acceptable risk threshold throughout the
processing life cycle, as established in article 35 of the GDPR.
Furthermore, it requires prior consultation with the supervisory authority in the event that the
responsible has not taken measures to mitigate the risk in accordance with the

article 36 of the GDPR.

To analyze CTC's compliance with this obligation, we must start from the
consideration made by the person responsible, and already refuted in previous sections of
this resolution, that the person responsible was not processing data classified as

special provisions in article 9 of the GDPR. As has been proven, the treatment of
biometric data fits into that category of data, without distinction being applied
anything, for these purposes, between identification and authentication

Once this factor has been established, the validity of the document must be ruled out from the beginning.

presented by the controller as an “impact assessment” relating to the data
personal. And this is because at no time is this document based on the
processing of special category personal data such as biometric data. And in


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 41/51








Consequently, the evaluation has not been able to take into account crucial aspects that
should be analyzed, among them:


    - If any of the causes for lifting the prohibition of
        processing of those categories of personal data among those provided for in the
        article 9.2 of the GDPR.

    - Correct identification and analysis of risks regarding treatment
        referenced also with respect to these categories of personal data, which

        must be taken into consideration along with the rest of the elements that
        involved in the processing of personal data, and how they can affect the
        rights and freedoms of data owners.


    - Technical and organizational measures of all kinds, with express mention of the

        specific security measures inherent to the processing of this data.


The above necessarily leads to the conclusion that in no way can
be considered a valid data protection impact assessment,

when it starts from premises in which the person responsible for the treatment does not take into account
consideration that is faced with the processing of special categories of data
personal, with all that this entails in terms of compliance with the RGPD and the
risk management.

One of the obligations that correspond to every data controller

personal is to ensure that the treatment respects the Principles provided for in the
Article 5 of the GDPR. In the case of biometric data, because it is a special category and
high risk, it is worth highlighting the essential importance of respecting the principle of
minimization of processing/data, provided for in article 5.1.c) which indicates:


"1. The personal data will be:
a) adequate, relevant and limited to what is necessary in relation to the purposes for
those that are processed (“data minimization”)”.

Respect for this principle must be the starting point at the beginning of everything

treatment, the person responsible must first of all consider whether this treatment
It will be really necessary, suitable, and proportional before starting it. And if this
treatment is high risk - in the case of biometrics - should reflect this evaluation
prior of necessity and proportionality in a specific document called
personal data protection impact assessment, in accordance with the provisions
in article 35.7.b) of the RGPD, which provides that “a

assessment of the necessity and proportionality of treatment operations
regarding its purpose.”

This is confirmed by recital 39 of the GDPR, which underlines the importance of
processing is necessary, indicating that “Personal data should only be processed

if the purpose of the processing could not reasonably be achieved by other means.”



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 42/51








Along the same lines, the Working Group of article 29, in its Opinion 3/2012 on the
evolution of biometric technologies, indicates that “When analyzing the proportionality of
a proposed biometric system, it is necessary to previously consider whether the system is

necessary to respond to the identified need, that is, if it is essential to
satisfy that need, and not just the most appropriate or profitable one. A second factor
What must be taken into account is the probability that the system will be effective for
respond to the need in question in light of the specific characteristics of the
biometric technology to be used. A third aspect to consider is whether the
The resulting loss of privacy is proportional to the expected benefits. If he

benefit is relatively minor, such as greater comfort or slight savings,
then the loss of privacy is not appropriate. The fourth aspect to evaluate the
adequacy of a biometric system is to consider whether a less invasive means of
intimacy would achieve the desired end.”


Idea that is reiterated in section 72 of Guidelines 3/2019 on the treatment of
personal data through video devices, dated 01/29/2020, from the CEPD, which
indicates: “The use of biometric data and, in particular, facial recognition entails
high risks for the rights of the interested parties. It is essential that the resource
to such technologies takes place with due respect for the principles of legality,
necessity, proportionality and data minimization as established by the GDPR.

Although the use of these technologies may be perceived as particularly
effective, those responsible for the treatment must first evaluate the impact on
fundamental rights and freedoms and consider less intrusive means of
achieve its legitimate purpose of processing. That is, we would have to answer the question of whether
This biometric application is something that is really essential and necessary, or is it

just “convenient”.

Since the processing of biometric data implies restricting rights and freedoms
of the interested parties, the obligation to process only “personal data that is
appropriate, relevant and limited to what is necessary in relation to the purposes for which

that are processed” provided for by the principle of data minimization/processing of the
article 5.1.c) of the RGPD, must be interpreted in accordance with the provisions of the
reiterated jurisprudence of our Constitutional Court regarding the need to
verify that any restrictive measure of fundamental rights (treatment
biometric in this case) overcomes what is called “the triple judgment of
proportionality.”


This implies that, first of all, it is necessary to verify whether it meets the following three
requirements or conditions referred to by the Constitutional Court: "if such measure
is likely to achieve the proposed objective (suitability judgment); yes, furthermore, it is
necessary, in the sense that there is no other more moderate measure for the

achievement of such purpose with equal effectiveness (judgment of necessity); and finally, if
It is weighted or balanced, since more benefits or advantages are derived from it.
for the general interest that damages other goods or values in conflict (judgment
of proportionality in the strict sense).


Document provided by the claimant.

After analyzing the impact evaluation provided by the defendant, it can be seen
which suffers from important defects:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 43/51









First of all, it must be made clear that a data protection impact assessment
data is not a mere formal document that is included as a procedure

prior to carrying out the treatment. On the contrary, it is the document that
reflects an analysis that must begin with a criterion as basic as if for the
carrying out the activity in question, it is necessary to carry out data processing
personal. If this first analysis is not passed, it should not be performed or
continue with treatment.


Next, if it is essential to carry out data processing
personal data, an analysis must be carried out regarding the typology of personal data
treaties. And this, because together with other elements, they will determine the risks that such
treatment implies and that must be evaluated by the person responsible for the treatment. AND
In view of them, proceed to the analysis of the need, suitability and

proportionality, so that a result is obtained according to which the
if the risks involved in the treatment, and depending on the established measures,
organizational and security, whether or not they advise its implementation.

This brings us back to the concept of data protection impact assessment as
a material as well as formal concept.


Formal because the existence of a document that summarizes it, accompanied by
of a set of documents that, for the sake of proactive responsibility, prove
its realization. Among others, the documentation prior to the EIPD must be present in
that the need for the decision to carry out the DPIA has been expressed; also

specifies all the documentation prepared on the occasion of carrying out the DPIA and
justification of the results obtained in the DPIA and the measures adopted to
respect, including the documentation related to the participation of the Delegate of
Data Protection, if applicable, in its preparation.


And material because it must carry out the analyzes mentioned above and contain a verdict
that allows the treatment to be carried out. That is, the impact evaluation is not
not only a document that must be prepared, but a judgment that must be overcome. Only if
produces said improvement, that is, if the conviction is reached that the risks
existing ones are acceptable depending on the technical and organizational measures, of all
type, established, the treatment may be carried out under the established conditions.


And, in the event that the exceedance occurs, additional provisions must be made
reactive measures, so that, in the event of risks materializing, they are avoided or
minimize the impact on the rights and freedoms of data subjects
personal.


Well, in relation to the document provided by the claimed party, there is no
describe the purposes of the treatment. For these purposes, the only reference contained
in the document is to indicate that the treatment would be legitimized by compliance
of a legal obligation (Workers' Statute) and an indication of “The purpose

that is intended to be covered requires all the data to be collected and for all the
affected persons/interested parties (principle of data minimization)”, followed by the
expression “YES”


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 44/51








Necessity and proportionality

          to. Need


The impact assessment provided by the controller does not contain a true
judgment on the necessity and proportionality in carrying out the treatment object of the
proceedings. For these purposes, said document contains only the following
explanation:


"Other systems have been ruled out, e.g. card signing because after the experience
With it, conflictive situations arose. This is a service in which
There is a high staff turnover. When the card system was used for
signing, sometimes it was transferred to other people who were not the owner of it,
personnel not related to it being present in the work area with all the risks

that involve job security. The use of the fingerprint is the system that
allows you to avoid these criminal situations and guarantees correct compliance with the
labor regulations and prevent unauthorized access”

The need implies that a combined evaluation is required, based on facts,
on the effectiveness of the measure for the objective pursued and on whether it is less

intrusive compared to other options to achieve the same goal.

Necessity should not be confused with utility of the system. It may be that the detection of
fingerprint makes it easier to avoid having to carry a card, which takes a few seconds
less in its access, which is automatic and instantaneous and not excessively expensive.

Obviously, a fingerprint system can be useful, but it doesn't have to be
objectively necessary (the latter being what really must be present).
As established in opinion 3/2012 on the evolution of biometric technologies-
of WG 29-, it must be examined “if it is essential to satisfy that need, and not only
the most appropriate or profitable.” Options and alternatives must be analyzed before

establish a new system that represents an exaggerated limitation of the right of each
user, when there may be less invasive means of privacy, and not opting for
what is practical or agile and comfortable, when the rights of its owners are at stake.

That a system previously established to achieve a purpose is not
effective, as the claimed party claims regarding its card signing-in system, it does not

means that there are no other systems that are effective without the need to perform a
biometric treatment. And all of them must be considered, taking into account a
detailed description of them, and not only the one that they previously assert that
It was not effective.



The jurisprudence of the CJEU applies a strict necessity assessment to
any limitation on the exercise of the rights to the protection of personal data
personal and respect for private life in relation to the processing of personal data.
personal nature: "the exceptions and limitations in relation to the protection of

Personal data should be applied only to the extent that they are
strictly necessary. The ECtHR applies a strict necessity assessment in
depending on the context and all existing circumstances, as in the case of
secret control measures.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 45/51









In this regard, none of that is done in the document provided. This is limited to
affirm that the fingerprint signing system would be justified by alleged

problems that could arise from the transfer of cards between workers. In
Regarding this aspect, nothing explains why some other is not feasible.
supervision system that would avoid this problem and why, ultimately, the
Fingerprint processing is essential and other systems cannot be used
less intrusive than the processing of biometric data.


Consequently, if there are alternatives available so that at a given time
all fans opt for non-biometric access, and consent is articulated
free, express and specific that allows you to choose between these other less intrusive methods
and biometrics, this implies that the processing of biometric data is not necessary
for the purpose of controlling the identity of those who access the cheering stands.

In no case is the judgment of necessity overcome because the biometric treatment
there's no need.

b. Suitability.

The principle of suitability implies the need to evaluate that there is a logical and

direct between the treatment and the objective pursued. In this sense, the only
explanation provided in this regard by the claimed party is the following:

“Suitability judgment: to achieve the objective of access control and the day
work, the system through the fingerprint hash has been the appropriate one for us

for the purpose pursued. The effectiveness threshold that should be reached for
comply with the purposes of the treatment, it must be practically 100%, it is the
compliance with a legal obligation and guaranteeing safety in the workplace.
“We consider the effectiveness of this system to help us reach this threshold.”


The claimed party adds nothing more in this regard, limiting itself to affirming the effectiveness of a
system like the one established for signing. It does not detail why this is the system
suitable, particularly based on the risks involved, nor does it explain why
What do you consider the effectiveness of the system to be total? In fact, he does not affirm that said
effectiveness is complete but rather that “The threshold of effectiveness that should be achieved to
comply with the purposes of the treatment, it must be practically 100”. That is, no

proves its effectiveness, but is limited to declaring an objective to be achieved).


               c. Proportionality


Once a legislative measure is considered necessary, it must be analyzed in detail.
depending on its proportionality. An assessment of proportionality implies, therefore,
Generally, assess what “safeguards” should accompany a measure (e.g.
on surveillance) to reduce the risks posed by the planned measure for
fundamental rights and freedoms of the affected persons, at a level

«acceptable» /proportional.

Another factor that must be taken into account when evaluating the proportionality of a
proposed measure is the effectiveness of existing measures above the proposed one.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 46/51








If measures already exist for a similar or identical purpose, their effectiveness must be evaluated
systematically as part of the proportionality assessment. Without that
evaluation of the effectiveness of existing measures that pursue a similar objective or

the same, it cannot be considered that the evaluation of
the proportionality of a new measure.

There must be a logical link between the measure and the legitimate objective pursued. For
that the principle of proportionality is respected, the advantages resulting from the measure
should not be overcome by the disadvantages that the measure causes with respect to the

exercise of fundamental rights. And one of the factors that play in the
Proportionality is the effectiveness of the measures of existing measures, above
of the proposal, if in the same context measures already existed for a purpose
similar or identical, must be considered, otherwise the assessment of proportionality will not
has been duly carried out.


As can easily be seen, the impact evaluation provided does not
deduces any judgment on proportionality. In this regard, the Protection Guide
of data in labor relations, of this AEPD (May 2021), clarifies the following
in its “Biometric data” section:


"4. Storage will preferably be done on a personal device, before
than going to centralized storage. A password must be used
Specific encryption for reading devices to effectively protect
these data against all unauthorized access.”


In the case in question, we are faced with a centralized system. And by
Otherwise, nothing about the proportionality judgment appears in the evaluation of
impact contributed by the person responsible.

Risk analysis


Article 35.7.d) of the RGPD establishes as part of the minimum content of the
data protection impact assessment the following:

“d) the measures planned to address the risks, including guarantees, security measures
security and mechanisms that guarantee the protection of personal data, and to

demonstrate compliance with this Regulation, taking into account the
rights and legitimate interests of the interested parties and other affected persons.”

Observing the corresponding section of the impact assessment document
provided, it is concluded that a very partial view of the risks has been included,

including (apart from the generic risk of “not carrying out a risk assessment”
impact”, those related to the security of information systems (possible
cyberattacks, breaches, etc.).

On the contrary, nothing is included about guarantees and mechanisms that guarantee the

Protection of personal data. Nothing related to the possible treatment of the information
stored in relation to biometric data or any other aspect other than the
security of the information. Much less an analysis of the risks from the
perspective of the rights and interests of those interested and affected.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 47/51










Based on the above, it cannot be considered that the person responsible

has fulfilled its obligation to carry out and pass an impact assessment relating to
data protection in relation to fingerprint processing.


                  XIII Classification of the violation of article 35 RGPD


The aforementioned violation of article 35 of the RGPD implies the commission of the violations
typified in article 83.4 of the RGPD that under the heading “General conditions
for the imposition of administrative fines” provides:


“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for
the largest amount:


       b) the obligations of the controller and the processor pursuant to Articles 8,
           11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that

“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”

For the purposes of the limitation period, article 73 “Infringements considered serious”

of the LOPDGDD indicates:

“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the
following:


t) The processing of personal data without having carried out the evaluation of the
impact of processing operations on the protection of personal data in the
“cases in which it is required”


                 XIV Lack of impact assessment article 35 RGPD.


This violation can be punished with a fine of a maximum of €10 million or,

In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for the
of larger amounts, in accordance with article 83.4 of the RGPD.

Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the

following criteria established by article 83.2 of the RGPD:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 48/51








    - Duration of the violation. It would have lasted at least since
       October 2021 (date of sending the original clause), without the inspector
       would have confirmed his termination at any time. (art. 83.2.a)


    - The category of personal data affected by the infringement. It must be kept in
       Keep in mind that the fingerprint is biometric data and in accordance with article 9 of the
       GDPR are considered special categories of data “the processing of
       genetic data, biometric data aimed at uniquely identifying
       a natural person." In this regard, the risk situation created by the lack

       of security measures is aggravated with respect to data that does not have the
       consideration of specials (article 83.2.g)

According to these criteria, it is estimated that the corresponding sanction is a fine.
ONE HUNDRED THOUSAND EUROS (€100,000)


                               XV Adoption of measures

Once the violation is confirmed, it is agreed to impose measures on the person responsible.

appropriate to adjust their actions to the regulations mentioned in this act, in order
in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each
control authority may “order the person responsible or in charge of the treatment to
processing operations comply with the provisions of this
Regulation, where appropriate, in a certain manner and within a period

specified…". The imposition of this measure is compatible with the sanction
consisting of an administrative fine, as provided in art. 83.2 of the GDPR.

Specifically, based on the violations observed, the following are established:
measures, establishing the deadline for compliance within SIX MONTHS:


    - Inform all workers appropriately, including all
       extremes that have not been included until now, as detailed in the
       legal foundations of this resolution

    - Establish the necessary security measures to prevent access by

       personnel not expressly authorized, as well as to guarantee the deletion of
       the footprint after his capture. Also to separate access to the tables that
       They contain the hash of the fingerprints and the identification data of the workers.

    - Prepare a data protection impact assessment that contains

       all the extremes provided for in article 35 of the RGPD, in particular taking
       take into account the defects pointed out in this resolution.

Additionally, and in accordance with articles 90.3 of the LPCAP, and 58. 2.f), of the RGPD, in
This resolution agrees that within a period of ten days from its notification, the

claimed temporary limit or definitively the treatment of the control system
time using the fingerprint, as long as it does not adequately inform the
workers, until you complete and pass a health protection impact assessment.
valid processing data, which takes into account the risks to the rights and
freedoms of employees and the appropriate measures and guarantees for their treatment,
or even if it were carried out, it would be necessary to carry out the consultation forecast established

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 49/51








in article 36 of the RGPD and ultimately, until it complies with the regulations of
Data Protection. In this sense, the Agency has recently published a guide
on presence control through biometric treatment systems that are

It is available on its website where the necessary requirements are indicated
to establish a system of these characteristics.

It is warned that failure to comply with the order to adopt measures imposed by this
body in the sanctioning resolution may be considered as an infraction
administrative in accordance with the provisions of the RGPD, classified as an infringement in its

article 83.5 and 83.6, such conduct may motivate the opening of a subsequent
administrative sanctioning procedure.

Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of sanctions whose existence has been proven,


the Director of the Spanish Data Protection Agency


RESOLVES:


FIRST: IMPOSE on CTC EXTERNALIZACIÓN, S.L., with NIF B60924131, the
following fines:

    - For a violation of Article 13 of the RGPD, typified in Article 83.5 of the

       RGPD a fine of 200,000 euros (TWO HUNDRED THOUSAND euros).

    - For a violation of Article 32 of the RGPD, typified in Article 83.4 of the
       RGPD, a fine of 65,000 euros (SIXTY-FIVE THOUSAND euros)

    - For a violation of Article 35 of the RGPD, typified in Article 83.4 of the

       GDPR, a fine of 100,000 euros (ONE HUNDRED THOUSAND euros).

This makes a total of €365,000 (THREE HUNDRED AND SIXTY-FIVE THOUSAND euros).

SECOND: ORDER to CTC EXTERNALIZACIÓN, S.L., with NIF B60924131, which

pursuant to article 58.2.d) of the RGPD, within 6 months, prove that
proceeded to comply with the following measures:

    - Inform all workers appropriately, including all
       extremes that have not been included until now, as detailed in the

       legal foundations of this resolution

    - Establish the necessary security measures to prevent access by
       personnel not expressly authorized, as well as to guarantee the deletion of
       the footprint after his capture. Also to separate access to the tables that
       They contain the hash of the fingerprints and the identification data of the workers.






C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 50/51








    - Prepare a data protection impact assessment that contains
       all the extremes provided for in article 35 of the RGPD, in particular taking
       take into account the defects pointed out in this resolution, and overcome it.



    - Comply with data protection regulations.

THIRD. ORDER, in accordance with articles 90.3 of the LPCAP, and 58. 2.f), of the
RGPD, to CTC EXTERNALIZACIÓN, S.L., with NIF B60924131 which, within the period of
ten days from the notification of this resolution, temporary or definitive limit
treatment of the time control system using the fingerprint, as long as it is not

adequately inform workers, until they carry out and pass an evaluation
of valid data protection impact of the processing, which takes into account the
risks to the rights and freedoms of employees and the measures and guarantees
suitable for its treatment, or even if it were carried out, it would be necessary to make the forecast
consultation established in article 36 of the RGPD and ultimately, until it is
in accordance with data protection regulations


FOURTH: NOTIFY this resolution to CTC EXTERNALIZACIÓN, S.L..

FIFTH: This resolution will be enforceable once the deadline to file the
optional resource for replacement (one month counting from the day following the
notification of this resolution) without the interested party having made use of this power.

The sanctioned person is warned that he must make effective the sanction imposed once
This resolution is executive, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Real

Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, through your entry, indicating the NIF of the sanctioned person and the number of
procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A.. Otherwise, it will be

collection in executive period.

Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.

It will be until the 5th of the second following or immediately following business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the

LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 51/51








contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.



                                                                          938-21112023
Sea Spain Martí
Director of the Spanish Data Protection Agency

































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es