AEPD (Spain) - EXP202204501

From GDPRhub
Revision as of 15:40, 20 March 2024 by Lm (talk | contribs)
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 37 GDPR
Type: Complaint
Outcome: Upheld
Started: 22.03.2022
Decided: 29.01.2024
Published:
Fine: n/a
Parties: Ayuntamiento de Llucmajor
National Case Number/Name: EXP202204501
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA found that a public institution violated security measure obligations when it stored a document with employees' personal data, including names and use of sick leave, in an intranet folder that was accessible to unintended recipients.

English Summary

Facts

On 1 December 2021, a PDF was created by the resource management department of the local police of Llucmajor (the controller). The document contained the personal data of 47 police agents, including their first names, surnames, agent numbers, and sick leave information. On 12 January 2022, the document was posted on the intranet of the Llucmajor government in the ‘local police’ folder, within a subfolder labeled ‘photocopier.’

A complaint was filed with the DPA on 22 March 2022 and the DPA subsequently conducted an investigation. The controller reported that access to the document was meant to be restricted to the police headquarters and their staff, but due to an error, it was not deleted and remained in the ‘photocopier’ folder for several days. The controller also noted that the document was accessed by individuals who were not its intended recipients. In addition, the DPA found no evidence that the controller had designated a data protection officer.

Holding

The DPA held that the controller violated Articles 5(1)(f), 32 and 37 GDPR. Pursuant to Article 58(2)(d) GDPR, it ordered the controller to bring its processing operations into compliance within 6 months. No other corrective measures were issued.

First, the DPA found that the controller violated the principle of confidentiality protected by Article 5(1)(f) GDPR because the document containing personal data was kept in the ‘photocopier’ folder for a number of days instead of being deleted immediately, which exposed the personal data to unauthorised third parties.

Second, the DPA held that the controller lacked appropriate security measures to protect against data breaches pursuant to Article 32 GDPR. The DPA noted that there was no measure to ensure that documents placed in the ‘photocopier’ folder were properly deleted. In addition, the folder granted access to a number of users beyond the intended recipients.
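The two gaps the DPA identified under Article 32 map onto two routine controls: a scheduled sweep that guarantees files left in a temporary print-staging folder do not linger, and an audit of who the folder actually grants access to against who it is meant for. The following Python script is an added example, not part of the GDPRhub summary or of the AEPD decision. The folder layout, the one-hour retention window, the sample files and the access-list model are constructed assumptions; the group names come from the Annex 2 list in the decision, and treating ‘Local Police Staff’ as the only intended group is an assumption for the sake of the example.

```python
"""Retention sweep and access audit for a temporary print-staging folder.

Added example (not from the GDPRhub page or the AEPD decision). It models
the two Article 32 gaps the DPA identified: no mechanism that guaranteed
deletion of files staged for printing, and a folder granting access to
more principals than its intended recipients. All names are assumptions.
"""
import os
import tempfile
import time
from dataclasses import dataclass, field

# Assumed retention window: a staged print job older than this is stale.
RETENTION_SECONDS = 60 * 60


@dataclass
class StagingFolder:
    """Constructed model of a shared staging folder and its access list."""
    path: str
    granted: set = field(default_factory=set)   # principals the share grants
    intended: set = field(default_factory=set)  # principals it is meant for


def sweep_stale_files(path, max_age=RETENTION_SECONDS, now=None):
    """Delete regular files older than max_age; return the deleted names, sorted.

    This is the missing deletion control: run on a schedule, a file left
    behind "by mistake" cannot remain readable for days.
    """
    now = time.time() if now is None else now
    deleted = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        if now - os.path.getmtime(full) > max_age:
            os.remove(full)
            deleted.append(name)
    return sorted(deleted)


def audit_access(folder):
    """Return principals that can read the folder but are not intended recipients."""
    return sorted(folder.granted - folder.intended)


def build_demo_folder():
    """Create a throwaway folder with one stale and one fresh file (constructed data)."""
    path = tempfile.mkdtemp(prefix="photocopier_")
    stale = os.path.join(path, "baixes-report.pdf")   # constructed file name
    fresh = os.path.join(path, "agenda.pdf")          # constructed file name
    for f in (stale, fresh):
        with open(f, "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")
    two_days_ago = time.time() - 2 * 24 * 3600
    os.utime(stale, (two_days_ago, two_days_ago))     # backdate the stale file
    return StagingFolder(
        path=path,
        # Groups listed in the decision's Annex 2 screenshot
        granted={"Computer science", "Local Police", "Local Police Staff",
                 "Administrator", "Administrators"},
        # Assumption: only the headquarters staff group should see staged files
        intended={"Local Police Staff"},
    )


def run_demo():
    """Run the audit and the sweep on the constructed folder; return findings."""
    folder = build_demo_folder()
    excess = audit_access(folder)
    deleted = sweep_stale_files(folder.path)
    remaining = sorted(os.listdir(folder.path))
    return {"excess_access": excess, "deleted": deleted, "remaining": remaining}


if __name__ == "__main__":
    print(run_demo())
```

On the constructed folder the audit reports four groups with access beyond the assumed intended one, and the sweep removes only the backdated file while leaving the fresh one in place; in a real deployment the access list would be read from the share's ACL rather than from a dataclass.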

Finally, the controller violated Article 37 GDPR because it did not have a designated data protection officer or, if it did, failed to communicate the officer to the DPA.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202204501



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based on the
following


                                   BACKGROUND


FIRST: On March 22, 2022, A.A.A. (hereinafter, the complaining party) filed a claim
with the Spanish Data Protection Agency. The claim is directed against LLUCMAJOR
CITY COUNCIL with NIF P0703100H (hereinafter, the claimed party or the City
Council). The grounds on which the claim is based are the following:


The complaining party, a local police officer of the LLUCMAJOR CITY COUNCIL, states
that in December 2021 a PDF document was published on the intranet with the name
"Sick leave until 11/30/21", available to all users, which contains the names and
surnames of 47 agents, the agent number, position, sick leave days of each one and
the percentage of annual work absenteeism it represents. They consider that this is
data that should only be accessed by STAFF members, the Local Police Chief and
human resources members.

It indicates that, on January 12, 2022, the Local Police Chief published a circular
with the title "Sick leave and illnesses", congratulating the agents who had not
been on sick leave and recriminating and questioning the sick leave of the remaining
agents. The two documents referred to are provided, as well as evidence of
publication.

The complaining party also states that, after consulting the Agency, it was invited
to raise the issue with the Data Protection Officer (hereinafter, DPD) of the City
Council, and confirms that the claimed party has not proceeded to appoint one
despite the legal obligation in force since May 2018.

Lastly, it states that on the date of filing the claim the document was still
published.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on
Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD),
said claim was transferred to the Llucmajor City Council so that it could proceed
with its analysis and inform this Agency, within one month, of the actions carried
out to comply with the requirements provided for in data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law
39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (hereinafter, LPACAP), was received on April 21, 2022, as

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/20
appears in the acknowledgment of receipt in the file. On June 24, 2022, the City
Council requested an extension of the deadline to respond to the transfer letter,
which was granted.


On July 6, 2022, this Agency received a response letter sent by the City Council,
enclosing a City Council report dated July 1, 2022, which, among other aspects,
highlights the following:

       "3. It is not true that a PDF document was published on the Police intranet,
       within reach of all users, with personal data referring to the agents' days
       of sick leave.

       4. That it was verified how the controversial document, at the time, was
       saved in a temporary folder for printing, named "photocopier", where
       documents are stored before being printed on the photocopier. Evidently the
       report had restricted access to the Headquarters and its Staff. As a result,
       after its editing, by mistake, it was not deleted, as is usually done with
       this type of file. It was deleted days later, upon checking that the document
       was still in the aforementioned folder and had been consulted by people who
       were not its recipients.

       5. That the document is not currently published nor was it published at any
       time on the Police intranet.

       6. Indeed, the Headquarters published a circular in which, in a generic
       manner, the workforce was informed of the global absenteeism data. We
       understand that this information is relevant and that it should be known by
       all the workers of the department, since, as the public service that we are,
       high levels of absenteeism make it difficult to provide a satisfactory
       response to the needs of citizens, while affecting the working conditions of
       the entire group, by causing, in some cases, the denial of permits and
       licenses provided for in the legislation, due to the obligation to
       "prioritize service needs that would otherwise not be met."

THIRD: On June 22, 2022, in accordance with article 65 of the LOPDGDD, the claim
presented by the complaining party was admitted for processing.

FOURTH: On July 13, 2022, after analyzing the documentation in the file, the
Director of the Spanish Data Protection Agency issued a resolution agreeing to file
the claim. The resolution was notified to the claimant on July 27, 2022, as
evidenced in the proceedings.

FIFTH: On August 9, 2022, the complaining party filed an optional appeal for
reconsideration through the Electronic Registry of the AEPD against the resolution
issued in the file, in which it expressed its disagreement with the contested
resolution and requested that the processing of the initial claim continue.


SIXTH: On February 23, 2023, the appeal filed was sent to the claimed party within
the framework of article 118.1 of Law 39/2015, of October 1, on the Common
Administrative Procedure of Public Administrations (hereinafter, LPACAP), so that it
could formulate allegations and present the documents and supporting evidence it
considered appropriate, which it did by written response dated May 3, 2023.

SEVENTH: On May 31, 2023, the Director of the Spanish Data Protection Agency issued
a resolution upholding the appeal for reconsideration filed by the claimant.

The second legal basis of said resolution states:

“

                                           II
                     Response to the allegations presented

"In the appeal for reconsideration, the claimant alleges that it is not true that
the document was not published on the intranet, since the "photocopier" folder
mentioned is precisely on the service's intranet, and its use is not necessary in
order to send a file to print or photocopy.

Likewise, it considers that, although the document has been withdrawn, the
infringement has already occurred and sanctioning proceedings should be initiated.

Finally, it highlights that the claimed party has still not appointed a DPD despite
having a legal obligation to do so, which leaves citizens in a situation of
helplessness.

In relation to these allegations, the claimed party informed, in its response to
the initial transfer, that the document was placed in a folder accessible to third
parties prior to sending it to print, and remained there by mistake. No
representations are made in relation to the lack of appointment of a DPD.

In accordance with article 5.1.f) of the RGPD, personal data shall be:

       f) processed in a manner that ensures appropriate security of the personal
       data, including protection against unauthorised or unlawful processing and
       against accidental loss, destruction or damage, using appropriate technical
       or organisational measures ("integrity and confidentiality").

Likewise, article 32 provides:

       1. Taking into account the state of the art, the costs of implementation and
       the nature, scope, context and purposes of processing, as well as the risk
       of varying likelihood and severity for the rights and freedoms of natural
       persons, the controller and the processor shall implement


       appropriate technical and organisational measures to ensure a level of
       security appropriate to the risk, including inter alia as appropriate:

               a) the pseudonymisation and encryption of personal data;

               b) the ability to ensure the ongoing confidentiality, integrity,
               availability and resilience of processing systems and services;

               c) the ability to restore the availability and access to personal
               data in a timely manner in the event of a physical or technical
               incident;

               d) a process for regularly testing, assessing and evaluating the
               effectiveness of technical and organisational measures for ensuring
               the security of the processing.

       2. In assessing the appropriate level of security, account shall be taken in
       particular of the risks presented by processing, in particular from
       accidental or unlawful destruction, loss, alteration, unauthorised
       disclosure of, or access to personal data transmitted, stored or otherwise
       processed.

       3. Adherence to an approved code of conduct as referred to in Article 40 or
       an approved certification mechanism as referred to in Article 42 may be used
       as an element by which to demonstrate compliance with the requirements set
       out in paragraph 1 of this Article.

       4. The controller and processor shall take steps to ensure that any natural
       person acting under the authority of the controller or the processor who has
       access to personal data does not process them except on instructions from
       the controller, unless required to do so by Union or Member State law.

On the other hand, with respect to the appointment of the Data Protection Officer,
Article 37 of the GDPR provides:

       1. The controller and the processor shall designate a data protection
       officer in any case where:

               a) the processing is carried out by a public authority or body,
               except for courts acting in their judicial capacity; […]


In response to the hearing process, the claimed party has stated the following:

       "That it is ratified in the entire content of the report signed on
       07/01/2022.

       It is of interest to state a new point […] the content of the file called
       by the appellant "Baixes fins el 30-11-2021", like the generic information
       contained in the Headquarters circular, which does not contain

       personal data, could be obtained by reviewing the "Daily Service" data
       sheets mentioned."


Without making any statement regarding the lack of appointment of a DPD.

Therefore, in the present case, the appeal filed is upheld."

EIGHTH: On November 15, 2023, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against the claimed party for:

       -The alleged violation of Article 5.1.f) of the RGPD, typified in article
       83.5.a) and classified as very serious for the purposes of the limitation
       period in article 72.1 a) of the LOPDGDD.

       -The alleged violation of Article 32 of the RGPD, typified in article 83.4
       a) and classified as serious for the purposes of the limitation period in
       article 73 f) of the LOPDGDD.

       -The alleged violation of Article 37 of the RGPD, typified in article 83.4
       a) and classified as serious for the purposes of the limitation period in
       article 73 v) of the LOPDGDD.

NINTH: The aforementioned initiation agreement was notified in accordance with the
rules established in Law 39/2015, of October 1, on the Common Administrative
Procedure of Public Administrations (hereinafter, LPACAP), and after the period
granted for the formulation of allegations, it has been verified that no allegation
was received from the claimed party.

Article 64.2.f) of the LPACAP, a provision of which the claimed party was informed
in the agreement to open the procedure, establishes that if no allegations are made
within the stipulated period regarding the content of the initiation agreement,
when this contains a precise statement about the imputed responsibility, it may be
considered a proposed resolution. In the present case, the agreement initiating the
sanctioning file determined the facts on which the imputation is based, the
violation of the RGPD attributed to the claimed party and the sanction that could
be imposed. Therefore, taking into consideration that the claimed party has not
made allegations to the agreement to initiate the file, and in accordance with
article 64.2.f) of the LPACAP, the aforementioned initiation agreement is
considered in the present case the proposed resolution.


In view of all the actions taken by the Spanish Data Protection Agency in this
procedure, the following facts are considered proven:



                                PROVEN FACTS


FIRST: On December 1, 2021, in the resource management department of the Local
Police of the Llucmajor City Council, a PDF document called "baixes fins a
30-11-2021" (Sick leave until 30-11-2021) was created, which contained the names and
surnames of 47 agents, as well as other personal data relating to said agents (agent
number, position, sick leave days and work absenteeism percentage), and which was
published on the intranet of the Llucmajor City Council.

In several of the screenshots provided by the claimant along with the claim, the
document called "baixes fins a 30-11-2021" (Sick leave until 30-11-2021) appears to
have been created on December 1, 2021 at 9:38.

Likewise, these screenshots show that the document called "Baixes fins a
30-11-2021" was located in the folder called "Plocal" (Local Police) on the Intranet
of the Llucmajor City Council; some of these screenshots show the access path to
said folder.

SECOND: The document "baixes fins a 30-11-2021" (Sick leave until 30-11-2021) was at
first housed in the folder called "photocopier".

The Llucmajor City Council recognizes that the document called "baixes fins a
30-11-2021", by mistake, was not deleted and remained in the temporary folder
called "photocopier" for several days.

In the City Council report dated July 1, 2022, it stands out:

       "4. That it was proven how the controversial document, at the time, was
       saved in a temporary folder for printing, named "photocopier", where
       documents are stored before being printed on the photocopier. Evidently the
       report had restricted access to the Headquarters and its Staff. As a result,
       after its editing, by mistake, it was not deleted, as is usually done with
       this type of file. It was deleted days later, upon checking that the
       document was still in the mentioned folder and "had been consulted by
       people who were not its recipients." (the underlining is ours).

THIRD: The Llucmajor City Council recognizes that, when the document called
"baixes fins a 30-11-2021" (Sick leave until 30-11-2021) was housed in the
"photocopier" folder, people who were not recipients of said document had access
to its content.

This is recognized by the City Council in its report of July 1, 2022:

       "4. That it was proven how the controversial document, at the time, was
       saved in a temporary folder for printing, named "photocopier", where
       documents are stored before being printed on the photocopier. Evidently the
       report had restricted access to the Headquarters and its Staff. As a result,
       after its editing, by mistake, it was not deleted, as is usually done with
       this type of file. It was deleted days later, upon checking that the
       document was still in the mentioned folder and "had been consulted by
       people who were not its recipients." (the underlining is ours).

FOURTH: When the document called "baixes fins a 30-11-2021" (Sick leave until
30-11-2021) was hosted in the folder called "Plocal" of said intranet, the
personnel of the Local Police of the City Council, among others, could possibly
have had access to it.

This is shown in the screenshot called Annex 2, sent to the AEPD along with the
claim, showing the user groups that had access to said document:

       - Computer science
       - Local Police
       - Local Police Staff
       - Administrator
       - Administrators

FIFTH: There is no evidence that the Llucmajor City Council has appointed a Data
Protection Officer and communicated it to the AEPD.

In the file, there is a verification carried out by AEPD personnel on April 8, 2022
at 2:40 p.m. in the Electronic Headquarters section of this Agency called "DPD
Consultation", in which it is verified that the Llucmajor City Council has not
communicated to this Agency the contact details of its DPO.


                           FOUNDATIONS OF LAW


                                           I
                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General
Data Protection Regulation, hereinafter RGPD) grants each supervisory authority,
and as established in articles 47 and 48.1 of Organic Law 3/2018, of December 5, on
Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD),
the Director of the Spanish Data Protection Agency is competent to initiate and
resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed
by the Spanish Data Protection Agency shall be governed by the provisions of
Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued
in its development and, insofar as they do not contradict them, on a subsidiary
basis, by the general rules on administrative procedures."

                                           II
                                  Previous issues


The Llucmajor City Council, like any other public entity, is obliged to comply with
Regulation (EU) 2016/679 of the European Parliament and of the Council, of April
27, 2016, on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data (RGPD), and with LO 3/2018, of
December 5, on Protection of Personal Data and Guarantee of Digital Rights
(LOPDGDD), with respect to the processing of personal data that it carries out,
understanding personal data as "any information about an identified or
identifiable natural person."

An identifiable natural person is one whose identity can be determined, directly
or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that person.


Likewise, processing should be understood as "any operation or set of operations
performed on personal data or sets of personal data, whether or not by automated
means, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction."


Taking into account the above, the Llucmajor City Council processed the personal
data of 47 local police officers in the document entitled "baixes fins a
30-11-2021" (Sick leave until 30-11-2021) to which the claim that has given rise
to this sanctioning file relates.


It carries out this activity in its capacity as data controller, given that it is
the one who determines the purposes and means of such activity, pursuant to
article 4.7 of the GDPR:

"controller": the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the
processing of personal data; where the purposes and means of such processing are
determined by Union or Member State law, the controller or the specific criteria
for its nomination may be provided for by Union or Member State law.

Article 4(12) of the GDPR broadly defines a "personal data breach" (hereinafter
security breach or personal data breach) as "a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of,
or access to, personal data transmitted, stored or otherwise processed."

                                            III
                         Violation of article 5.1 f) of the GDPR


Article 5.1.f) of the GDPR, Principles relating to processing, states the following:

       "1. Personal data shall be:

       (…)

       f) processed in a manner that ensures appropriate security of the personal
       data, including protection against unauthorised or unlawful processing and
       against accidental loss, destruction or damage, using appropriate technical
       or organisational measures ("integrity and confidentiality")".

In the case examined in this sanctioning file, the claimant affirms that in
December a PDF document was published on the City Council's intranet with the
title "Baixes fins a 30-11-2021" (Sick leave until 30-11-2021).

Along with the claim, the aforementioned document has been provided, consisting
of two pages, which lists the sick leave of local police officers for the period
between January 1 and November 30, 2021, together with the following personal
data relating to 47 police officers: the agent number, the position, the first
name and both surnames, the days of sick leave and the percentage of work
absenteeism.

Along with the claim, several screenshots have also been sent. They show images
from the City Council intranet folder called "Plocal" (Local Police), which
includes the PDF document called "baixes fins a 30-11-2021" (Sick leave until
30-11-2021), created on December 1, 2021.

In the report of the Llucmajor City Council dated July 1, 2022, prepared in
response to the transfer by the AEPD, it stood out:

       "3. It is not true that a PDF document was published on the Police intranet,
       within reach of all users, with personal data referring to the agents' days
       of sick leave.

       4. That it was verified how the controversial document, at the time, was
       saved in a temporary folder for printing, named "photocopier", where
       documents are stored before being printed on the photocopier. Evidently the
       report had restricted access to the Headquarters and its Staff. As a result,
       after its editing, by mistake, it was not deleted, as is usually done with
       this type of file. It was deleted days later, upon seeing that the document
       was still in the aforementioned folder and had been consulted by people who
       were not its recipients.

       5. That the document is not currently published nor was it published at any
       time on the Police intranet.

       6. Indeed, the Headquarters published a circular in which, in a generic
       manner, the staff was informed of the global absenteeism data. We understand
       that this information is relevant and that it should be known by all
       department workers, since, as the public service that we are, high levels of
       absenteeism make it difficult to respond satisfactorily to the needs of
       citizens, while affecting the working conditions of the entire group, by
       causing, in some cases, the denial of permits and licenses provided for in
       the legislation, due to the obligation to prioritize service needs that
       would otherwise not be met."

Therefore, in said report, the City Council recognizes that the document called
"baixes fins a 30-11-2021" (Sick leave until 30-11-2021), by mistake, was not
deleted and remained in the temporary folder called "photocopier" for several
days, being consulted by people who were not its recipients.

From the information in the file, it appears that the aforementioned document,
"baixes fins a 30-11-2021" (Sick leave until 30-11-2021), was at first housed in
the folder called "photocopier".

Subsequently, at the time the claimant took the screenshots that accompany the
statement of claim, it appeared in the folder called "Plocal" on the City Council
intranet.

In the present case, the personal data breach must be classified as a breach of
confidentiality, given that as a consequence of it the data of 47 local police
officers were unduly exposed to third parties, violating the principle of
confidentiality. This circumstance constitutes a violation of the provisions of
article 5.1.f) of the RGPD.


                                           IV
         Classification and qualification of the violation of article 5.1 f) of the RGPD

The aforementioned violation of article 5.1 f) of the RGPD implies the commission
of one of the violations classified in article 83.5 of the RGPD, which under the
heading "General conditions for imposing administrative fines" provides:

       "5. Infringements of the following provisions shall, in accordance with
       paragraph 2, be subject to administrative fines up to EUR 20 000 000, or in
       the case of an undertaking, up to 4% of the total worldwide annual turnover
       of the preceding financial year, whichever is higher:

       a) the basic principles for processing, including conditions for consent,
       pursuant to Articles 5, 6, 7 and 9;"


In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that
"the acts and conduct referred to in sections 4, 5 and 6 of article 83 of
Regulation (EU) 2016/679, as well as those that are contrary to this organic law,
constitute infringements."


For the purposes of the limitation period, article 72 "Infringements considered
very serious" of the LOPDGDD indicates:

       "1. Based on what is established in article 83.5 of Regulation (EU)
       2016/679, infringements that involve a substantial violation of the articles
       mentioned therein are considered very serious and shall expire after three
       years, and in particular the following:

       a) The processing of personal data violating the principles and guarantees
       established in article 5 of Regulation (EU) 2016/679."


                                            V
                 Penalty for violation of article 5.1 f) of the GDPR


Article 83 "General conditions for imposing administrative fines" of the GDPR,
section 7, states:

       "Without prejudice to the corrective powers of supervisory authorities
       pursuant to Article 58(2), each Member State may lay down the rules on
       whether and to what extent administrative fines may be imposed on public
       authorities and bodies established in that Member State."


Likewise, article 77 "Regime applicable to certain categories of controllers or
processors" of the LOPDGDD provides the following:

       "1. The regime established in this article shall apply to the processing
       carried out by the following controllers or processors:

       c) The General Administration of the State, the Administrations of the
       autonomous communities and the entities that make up the Local
       Administration (…)

       2. When the controllers or processors listed in section 1 commit any of the
       infringements referred to in articles 72 to 74 of this organic law, the
       competent data protection authority shall issue a resolution declaring the
       infringement and establishing, where appropriate, the measures to be adopted
       to stop the conduct or correct the effects of the infringement committed,
       with the exception of that provided for in article 58.2.i of Regulation (EU)
       2016/679 of the European Parliament and of the Council of April 27, 2016.

       The resolution shall be notified to the controller or processor, to the
       body on which it depends hierarchically, if applicable, and to the affected
       persons who have the status of interested party, if applicable.

       (…)

       4. The data protection authority must be informed of the resolutions issued
       in relation to the measures and actions referred to in the previous
       sections.

       5. The actions carried out and the resolutions issued under this article
       shall be communicated to the Ombudsman or, where appropriate, to the
       analogous institutions of the autonomous communities.

       6. When the competent authority is the Spanish Data Protection Agency, it
       shall publish on its website, with due separation, the resolutions
       referring to the entities of section 1 of this article, with express
       indication of the identity of the controller or processor who committed the
       infringement.

       (…)"

It is understood that an infringement of Article 5(1)(f) GDPR has been committed, and the
infringement by Llucmajor City Council must be declared.

                                            VI
                           Infringement of Article 32 GDPR



Article 32 GDPR, “Security of processing”, establishes the following:

       "1. Taking into account the state of the art, the costs of implementation and
       the nature, scope, context and purposes of processing, as well as the risk of
       varying likelihood and severity for the rights and freedoms of natural
       persons, the controller and the processor shall implement appropriate
       technical and organisational measures to ensure a level of security
       appropriate to the risk, including, inter alia, as appropriate:

       a) the pseudonymisation and encryption of personal data;

       b) the ability to ensure the ongoing confidentiality, integrity, availability
       and resilience of processing systems and services;

       c) the ability to restore the availability of and access to personal data in
       a timely manner in the event of a physical or technical incident;

       d) a process for regularly testing, assessing and evaluating the effectiveness
       of the technical and organisational measures for ensuring the security of
       the processing.

       2. In assessing the appropriate level of security, account shall be taken in
       particular of the risks presented by processing, in particular from
       accidental or unlawful destruction, loss, alteration, unauthorised disclosure
       of, or access to personal data transmitted, stored or otherwise processed.
       (emphasis ours)
       (…)
       4. The controller and processor shall take steps to ensure that any natural
       person acting under the authority of the controller or the processor who has
       access to personal data does not process them except on instructions from
       the controller, unless required to do so by Union or Member State law.”

For its part, recital 74 GDPR provides the following:

       “The responsibility and liability of the controller for any processing of
       personal data carried out by the controller or on the controller's behalf
       should be established. In particular, the controller should be obliged to
       implement appropriate and effective measures and be able to demonstrate the
       compliance of processing activities with this Regulation, including the
       effectiveness of the measures. Those measures should take into account the
       nature, scope, context and purposes of the processing and the risk to the
       rights and freedoms of natural persons.”


In this sense, recital 75 GDPR lists a series of factors or circumstances
associated with risks to the rights and freedoms of data subjects (emphasis ours):

       “The risk to the rights and freedoms of natural persons, of varying
       likelihood and severity, may result from personal data processing which
       could lead to physical, material or non-material damage, in particular:
       where the processing may give rise to discrimination, identity theft or
       fraud, financial loss, damage to the reputation, loss of confidentiality of
       personal data protected by professional secrecy, unauthorised reversal of
       pseudonymisation, or any other significant economic or social disadvantage;
       where data subjects might be deprived of their rights and freedoms or
       prevented from exercising control over their personal data; where personal
       data are processed which reveal racial or ethnic origin, political opinions,
       religion or philosophical beliefs, trade union membership, and the
       processing of genetic data, data concerning health or data concerning sex
       life or criminal convictions and offences or related security measures;
       where personal aspects are evaluated, in particular analysing or predicting
       aspects concerning performance at work, economic situation, health, personal
       preferences or interests, reliability or behaviour, location or movements,
       in order to create or use personal profiles; where personal data of
       vulnerable natural persons, in particular of children, are processed; or
       where processing involves a large amount of personal data and affects a
       large number of data subjects.”

In the case analysed in this file, the processing of the personal data of the
47 local police officers was not accompanied by appropriate security measures.

Llucmajor City Council has not provided documentation proving the existence of
appropriate security measures intended to prevent a personal data breach such as
the one analysed in this file from occurring.


As highlighted in legal ground III, Llucmajor City Council, in its report of
1 July 2022, prepared in response to the AEPD's request, acknowledged that the
document “baixes fins a 30-11-2021”, by mistake, was not deleted and remained in
the temporary folder named “photocopier” for several days, where it was consulted
by people who were not its intended recipients.

On the other hand, when the document was located in the folder called
“Plocal” (Local Police), one of the screenshots sent along with the
complaint shows the user groups that had access to that document:

     IT
     Local Police
     Local Police Staff
     Administrator
     Administrators

The known facts are considered to constitute an infringement, attributable
to Llucmajor City Council, for violation of Article 32 GDPR.

                                           VII
           Classification and qualification of the infringement of Article 32 GDPR


The aforementioned infringement of Article 32 GDPR entails the commission of one of the
infringements classified in Article 83.4 GDPR, which, under the heading “General
conditions for imposing administrative fines”, provides:

       “Infringements of the following provisions shall, in accordance with
       paragraph 2, be subject to administrative fines up to EUR 10 000 000, or in
       the case of an undertaking, up to 2 % of the total worldwide annual turnover
       of the preceding financial year, whichever is higher:

       a) the obligations of the controller and the processor pursuant to Articles 8,
       11, 25 to 39 and 42 and 43; (…)”

In this regard, the LOPDGDD, in its Article 71 “Infringements”, establishes that
infringements are “The acts and conduct referred to in sections 4, 5 and 6 of
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to
this Organic Law.”

For the purposes of the limitation period, Article 73 “Infringements considered serious”
of the LOPDGDD indicates:

       “On the basis of the provisions of Article 83.4 of Regulation (EU) 2016/679,
       infringements that entail a substantial violation of the articles mentioned
       therein are considered serious and shall lapse after two years, and in
       particular the following:
       (…)
       f) The failure to adopt those technical and organisational measures that are
       appropriate to ensure a level of security appropriate to the risk of the
       processing, in the terms required by Article 32.1 of Regulation
       (EU) 2016/679. (…)”

                                           VIII
                   Fine for the infringement of Article 32 GDPR

Article 83 “General conditions for imposing administrative fines” of the
GDPR states in section 7:

       “Without prejudice to the corrective powers of supervisory authorities pursuant
       to Article 58(2), each Member State may lay down the rules on whether and to
       what extent administrative fines may be imposed on public authorities and
       bodies established in that Member State.”


Likewise, Article 77 “Regime applicable to certain categories of controllers
or processors” of the LOPDGDD provides the following:

       "1. The regime established in this Article shall apply to the processing
       carried out by the following controllers or processors:

       c) The General State Administration, the administrations of the
       autonomous communities and the entities that make up the Local Administration.
       (…)

       2. When the controllers or processors listed in section 1 commit any of the
       infringements referred to in Articles 72 to 74 of this Organic Law, the
       competent data protection authority shall issue a resolution declaring the
       infringement and establishing, where appropriate, the measures to be adopted
       to bring the conduct to an end or to correct the effects of the infringement
       committed, with the exception of what is provided for in Article 58.2.i of
       Regulation (EU) 2016/679 of the European Parliament and of the Council of
       27 April 2016.

       The resolution shall be notified to the controller or processor, to the body
       on which it hierarchically depends, where applicable, and to the data subjects
       who had the status of interested party, where applicable.

       (…)
       4. The data protection authority shall be informed of the resolutions issued
       in relation to the measures and actions referred to in the preceding sections.

       5. The actions carried out and the resolutions issued under this Article shall
       be communicated to the Ombudsman or, where appropriate, to the analogous
       institutions of the autonomous communities.

       6. When the competent authority is the Spanish Data Protection Agency, it
       shall publish on its website, with due separation, the resolutions referring
       to the entities of section 1 of this Article, with express indication of the
       identity of the controller or processor who committed the infringement.
       (…)”

It is understood that an infringement of Article 32 GDPR has been committed, and the
infringement by Llucmajor City Council must be declared.


                                          IX
                        Infringement of Article 37 GDPR

Public administrations act as controllers of personal data and, at times, perform
the functions of processors. Accordingly, following the principle of accountability,
they must meet the obligations set out in the GDPR, which include appointing
a data protection officer, making the officer's contact details public and
communicating them to the AEPD.


Sections 1 and 7 of Article 37 GDPR refer to these obligations and
establish, respectively:

       "1. The controller and the processor shall designate a data protection
       officer in any case where:

       a) the processing is carried out by a public authority or body, except for
       courts acting in their judicial capacity;
       (…)
       7. The controller or the processor shall publish the contact details of the
       data protection officer and communicate them to the supervisory authority."

Regarding the designation of the data protection officer, sections 3 and 5 of
Article 37 GDPR point out that:

       "3. Where the controller or the processor is a public authority or body, a
       single data protection officer may be designated for several such
       authorities or bodies, taking account of their organisational structure
       and size.
       (…)
       5. The data protection officer shall be designated on the basis of
       professional qualities and, in particular, expert knowledge of data
       protection law and practices and the ability to fulfil the tasks referred
       to in Article 39.

       6. The data protection officer may be a staff member of the controller or
       processor, or fulfil the tasks on the basis of a service contract.”

For its part, the LOPDGDD devotes Article 34 to the “Designation of a data
protection officer”, a provision which states:

       "1. Controllers and processors must designate a data protection officer in
       the cases provided for in Article 37.1 of Regulation (EU) 2016/679 (...)

       3. Controllers and processors shall communicate, within ten days, to the
       Spanish Data Protection Agency or, where appropriate, to the autonomous
       data protection authorities, the designations, appointments and removals
       of data protection officers, both in the cases in which they are obliged
       to designate one and in the case in which it is voluntary.”


The file contains a verification carried out by AEPD staff on 8 April 2022 at
2:40 p.m. in the section of this Agency's Electronic Headquarters called
“DPD Consultation” (DPO lookup). It verifies that Llucmajor City Council has not
communicated the contact details of its DPO to this Agency.

It is considered that Llucmajor City Council does not have a designated DPO, as
there is no notification of its appointment or designation at this Agency, which
is mandatory.

As indicated, the GDPR provides that the controller and the processor must
designate a DPO where “the processing is carried out by a public authority or
body”, and that they “shall publish the contact details of the data protection
officer and communicate them to the supervisory authority.”

The known facts constitute an infringement, attributable to Llucmajor City Council,
for violation of Article 37 GDPR, “Designation of the data protection officer”.

                                           X
                        Classification and qualification of the infringement

The aforementioned infringement of Article 37 GDPR entails the commission of the
infringements classified in Article 83.4 GDPR, which, under the heading “General
conditions for imposing administrative fines”, provides:

       “Infringements of the following provisions shall, in accordance with
       paragraph 2, be subject to administrative fines up to EUR 10 000 000, or in
       the case of an undertaking, up to 2 % of the total worldwide annual turnover
       of the preceding financial year, whichever is higher:

       a) the obligations of the controller and the processor pursuant to Articles 8,
       11, 25 to 39 and 42 and 43; (…)”

In this regard, the LOPDGDD, in its Article 71 “Infringements”, establishes that
infringements are “The acts and conduct referred to in sections 4, 5 and 6 of
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to
this Organic Law.”


For the purposes of the limitation period, Article 73 “Infringements considered serious”
of the LOPDGDD indicates:

       “On the basis of the provisions of Article 83.4 of Regulation (EU) 2016/679,
       infringements that entail a substantial violation of the articles mentioned
       therein are considered serious and shall lapse after two years, and in
       particular the following:

       v) Failure to comply with the obligation to designate a data protection
       officer when their designation is required in accordance with Article 37 of
       Regulation (EU) 2016/679 and Article 34 of this Organic Law.”

                                           XI
                  Fine for the infringement of Article 37 GDPR

Article 83 “General conditions for imposing administrative fines” of the
GDPR states in section 7:

       “Without prejudice to the corrective powers of supervisory authorities pursuant
       to Article 58(2), each Member State may lay down the rules on whether and to
       what extent administrative fines may be imposed on public authorities and
       bodies established in that Member State.”


Likewise, Article 77 “Regime applicable to certain categories of controllers
or processors” of the LOPDGDD provides the following:

       "1. The regime established in this Article shall apply to the processing
       carried out by the following controllers or processors:

       c) The General State Administration, the administrations of the
       autonomous communities and the entities that make up the Local Administration.
       (…)

       2. When the controllers or processors listed in section 1 commit any of the
       infringements referred to in Articles 72 to 74 of this Organic Law, the
       competent data protection authority shall issue a resolution declaring the
       infringement and establishing, where appropriate, the measures to be adopted
       to bring the conduct to an end or to correct the effects of the infringement
       committed, with the exception of what is provided for in Article 58.2.i of
       Regulation (EU) 2016/679 of the European Parliament and of the Council of
       27 April 2016.

       The resolution shall be notified to the controller or processor, to the body
       on which it hierarchically depends, where applicable, and to the data subjects
       who had the status of interested party, where applicable.

       (…)
       4. The data protection authority shall be informed of the resolutions issued
       in relation to the measures and actions referred to in the preceding sections.

       5. The actions carried out and the resolutions issued under this Article shall
       be communicated to the Ombudsman or, where appropriate, to the analogous
       institutions of the autonomous communities.

       6. When the competent authority is the Spanish Data Protection Agency, it
       shall publish on its website, with due separation, the resolutions referring
       to the entities of section 1 of this Article, with express indication of the
       identity of the controller or processor who committed the infringement.
       (…)”



It is understood that an infringement of Article 37 GDPR has been committed, and the
infringement by Llucmajor City Council must be declared.


                                          XII

Once the infringements have been confirmed, it is appropriate to order the adoption
of appropriate measures to bring its actions into line with the regulations mentioned
in this act, in accordance with the provisions of the aforementioned Article 58.2 d)
GDPR, under which each supervisory authority may “d) order the controller or
processor to bring processing operations into compliance with the provisions of
this Regulation, where appropriate, in a specified manner and within a
specified period.”

It is warned that failure to comply with the order to adopt measures imposed by this
body in the sanctioning resolution may be considered an administrative infringement
in accordance with the provisions of the GDPR, classified as an infringement in its
Articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent
administrative sanctioning procedure.

Therefore, in accordance with the applicable legislation and having assessed the
criteria for the graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency

RESOLVES:


FIRST: TO DECLARE that LLUCMAJOR CITY COUNCIL, with NIF P0703100H:

- Has infringed the provisions of Article 5.1.f) GDPR, an infringement classified in
Article 83.5 GDPR.

- Has infringed the provisions of Article 32 GDPR, an infringement classified in
Article 83.4 GDPR.

- Has infringed the provisions of Article 37 GDPR, an infringement classified in
Article 83.4 GDPR.


SECOND: TO ORDER LLUCMAJOR CITY COUNCIL, with NIF P0703100H, by virtue of
Article 58.2.d) GDPR, to prove within a period of six months that it has
complied with the following measures:

       1. The appointment of a Data Protection Officer and the communication
       of that appointment to the AEPD.

       2. The adoption by the City Council of information-system management
       measures designed to prevent the improper dissemination of personal data.


THIRD: TO NOTIFY this resolution to LLUCMAJOR CITY COUNCIL.



FOURTH: TO COMMUNICATE this resolution to the Ombudsman,
in accordance with the provisions of Article 77.5 LOPDGDD.


In accordance with the provisions of Article 50 LOPDGDD, this
resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance
with Article 48.6 LOPDGDD, and in accordance with the provisions of Article 123 LPACAP,
the interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month counted
from the day following the notification of this resolution, or directly file a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of Article 25 and section 5 of
the fourth additional provision of Law 29/1998, of 13 July, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in Article 46.1 of
that Law.

Finally, it is noted that, in accordance with the provisions of Article 90.3 a) LPACAP,
the final administrative resolution may be provisionally suspended if the
interested party expresses the intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact in
writing addressed to the Spanish Data Protection Agency, submitting it through
the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in Article 16.4 of the
cited Law 39/2015, of 1 October. The interested party must also provide the Agency
with the documentation proving the effective filing of the contentious-administrative
appeal. If the Agency is not made aware of the filing of the contentious-administrative
appeal within a period of two months from the day following the notification of
this resolution, the precautionary suspension will end.


                                                                               938-21112023
Mar España Martí
Director of the Spanish Data Protection Agency