AEPD (Spain) - EXP202205850

From GDPRhub
AEPD - EXP202205850
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1) GDPR
Organic Law 3/2018 on Protection of Personal Data and Guarantee of Digital Rights
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: n/a
Parties: De La Guardia Civil
National Case Number/Name: EXP202205850
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

De La Guardia Civil was given a written warning for sharing an email containing excessive health data of an employee on medical leave, contrary to the data minimisation principle contained in Article 5.

English Summary

Facts

The data subject is a civil guard who was on medical leave following an incident at work. While on medical leave, he received a call from a colleague who had access to the corporate mail of the Civil Guard (the Controller), advising him that a file had been opened regarding the confiscation of his weaponry at the start of his leave. The email also alluded to the data subject needing to appear at the psychological office for assessment.

Holding

Within the body of the emails, there was no reference to his exact diagnosis or any other health data. The mere fact that he was on leave from his post was not a new or hidden fact: the hierarchical superior who received the email was already aware of it. The data subject would also have been required to communicate it in order to ensure that he was not appointed to the service until he was discharged from leave (regardless of the type of leave), as in the case of any worker. Further, the matter would be known by the rest of his colleagues by the simple observation of his absence at work, without the need to receive any formal communication.

The Controller sought to argue that it is common knowledge within the service for guards to go through a psychological assessment in order to determine their fitness for work per the applicable regulations. In addition, the email served as communication to the wider company in order to make them aware of the absence of the data subject. They also sought to rely on an Informed Consent Form (“ICF”) signed by the data subject authorising the processing of his medical data. The data subject argued that the ICF was inaccurate, not very transparent and did not comply with Article 13 GDPR. The AEPD stated the ICF alluded to the repealed Organic Law 15/1999 (pre GDPR).

The AEPD was of the opinion that the e-mail which specifies that the data subject "should report to the Psychology Office of the Command for the purpose of examination" contains excessive data for the intended purpose of processing as per Article 5(1) GDPR and Recital 39 GDPR.

Although it may be considered necessary, as stated by the Controller, to send the information on the data subject's medical leave to his superior officer, and it could even be admitted that it is also necessary to communicate that weapons must be removed, it is totally unnecessary to add specific medical data, such as the appointment at the psychology office. The only information that was necessary to the superior is that the data subject will not be available for service due to being in a situation of incapacity for work; it was not essential to explicitly mention the reason that has given rise to such medical leave or the tests that he/she must undergo. This means the data processed was not limited to what was necessary and exceeded the purpose for which it was processed.

The Controller was given a written warning.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202205850



               RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

FIRST: On May 12, 2022, A.A.A. (hereinafter, the claiming party) filed a claim
with the Spanish Data Protection Agency. The claim is directed against
D.G. OF THE CIVIL GUARD with NIF S2816003D (hereinafter, DGGC). The reasons
on which the claim is based are the following:

The claimant is a civil guard. By decision of a superior, an Information is opened
Reserved to clarify what happened in a performance carried out by him in the
exercise of their functions. On 10/26/2021, within the aforementioned procedure,

the claimant's statement is taken, he is informed of his right to listen to an audio
provided by the complainant (Criminal proceedings for an alleged crime of abuse of
authority, archived) and shows that recording to another component of the
*** POSITION 1, (...), in case you recognize the voice of the complaining party.
On 12/17/2021, it requests information on whether the aforementioned has been shown

recording to (...) as a voice expert. Noting that, if not,
understands that said treatment would not be legitimized and that said action is not
would have been carried out in accordance with arts. 5.1.f) and 32 of the GDPR, a request that is
denied through Resolution dated 12/24/2021, not having the condition of
interested in Reserved Information, not being able to provide data or information

about it. Presents an Appeal against said resolution and it is dismissed
again through Resolution dated 03/14/2022 for the same reason.

On the other hand, he alleges that, being on sick leave due to work stress, he receives a call
from a colleague of ***POINT.1, who has access to the corporate mail of the
position, and informs him that a file has been opened for anomalous conduct to

the withdrawal of weapons and is summoned for an act of delivery of weapons, as regulated
in the Weapons Regulation and Law 4/2015 for the protection of Citizen Security.
Provides Official Letter dated 03/11/20XX on the subject: "Report on Communication Withdrawn
of Armament of a civil guard".
It considers that this form of communication was already sanctioned by this Agency in the

procedure PS/00384/2020, not having established customization measures
of communications, revealing data related to your health to all staff of the
Since they have general access to said corporate mail.
It also states that the act of handing over the weapons took place in an office
open to the public for the processing of weapons licenses in general in the town

of ***LOCATION.1, exposing his personal image both to the three agents who
serve the public, such as the agents who go there and civilian personnel who carry out their
administrative procedures, which it considers to be in breach of legal precepts before
cited.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/9








On 01/31/2022, the firm was presented with an Informed Consent that
alludes to the repealed L.O. 15/1999, which, in the claimant's opinion, is inaccurate, little
transparent and does not comply with the provisions of art. 13 of the GDPR.

In addition, it alleges that on 02/09/2022, it requested access to data and information from
interest for your defense regarding the Confidential Information opened against your person
and to know if it complies with the data protection regulations and the National Scheme
of security.

Along with the notification is provided:

-Office of summons for appearance by instruction of a reserved information.
-Certificate of the events that occurred on ***DATE.1 at (...) hours
-Complaint filed by B.B.B., a retired civil guard, against the claimant, in
the one that says to provide a CD with a recording in relation to the events that occurred on the day
***DATE.1 at (...) hours, and a photograph showing the license plates of the

official vehicles. He states that he received by WhatsApp, sent by a relative, the
audio file.
-Writ of provisional dismissal of the Court (...) of ***LOCATION.2.
-Writ of refusal of information for not being an interested party in the information
reserved.
-Written informed consent to access and use clinical information

that is in the file of the complaining party for the processing of a
disability application.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(hereinafter LOPDGDD), said claim was transferred to the DGGC, so that it
could proceed to its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the
Data Protection regulations.


The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), was collected on 06/14/2022 as stated in the
acknowledgment of receipt in the file.

On 06/27/2022, this Agency received a written response indicating:


"The General Directorate of the Civil Guard has protocolized as a measure, both for
citizens as well as for the civil guards themselves, who, when there is a
medical leave with a diagnosis of mental illness, the withdrawal of the
weapons, both official and private, that in his capacity as a member of the Armed Forces

and State Security Bodies of which they may be in possession.
With the foregoing, an attempt is made to prevent the state of mental alteration that he presents
causes both harmful actions against third parties and self-injurious behaviors of a nature
suicidal, which redounds to the benefit not only of society, but also of the
own member of the Body as a human being.


In order to put the foregoing into effect in the case at hand, an email was sent
on October 13, 2021, from the Medical Service of the Command


of ***LOCATION.1 to ***COMPANY.1 and ***POINT.2, with the following
text:


       <<Today the assistance service has learned
       of this Unit, of the medical leave related to the Civil Guard D.A.A.A.
       (XX.XXX.XXX), bound for ***POINT.1.
       Likewise, it is agreed that said Civil Guard must appear at the
       Office of Psychology of the Command to the object of recognition on the day
       11/18/XX at 09:00.

       Proceed to the withdrawal of official and private weapons possessed by said
       Civil Guard>>

In the text of said email, as can be seen, no reference is made to
any diagnosis or other health data. The fact that it is mentioned that he is on
leave from the Service is nothing new, since the Hierarchical Superior who
receives it already knows this, since the Civil Guard himself has to communicate it
so that he is not appointed to Service until he is discharged (regardless of the
type of sick leave), as in the case of any worker, an issue that will be
known by the rest of his colleagues by the simple observation of his absence at
work, without the need for anything to be communicated to them.


In this way, it cannot be accepted, as indicated by the claimant, that
there has been indiscriminate communication of his situation in the absence of adoption
of security measures. The only thing that has been communicated is the administrative fact
of his Temporary Work Incapacity, which the person who appoints the daily service
needs to know, so as not to count on him.

We understand that the necessary confidentiality measures have been kept as far
as possible, with knowledge limited to those who had a “need to know”, and only
insofar as they had it."


THIRD: On August 12, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the claimant party was admitted for processing.

FOURTH: On October 25, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against the claimed party,

for the alleged infringement of Article 5.1.c) of the GDPR, typified in Article 83.4 of the
GDPR.

Once the Initiation Agreement was notified, the DGGC submitted a written statement of allegations, in which
synthesis stated:


-That the reason for the communication made by email, sent by the
Medical Service of the Command of ***LOCATION.1 to ***COMPANY.1 and
***POINT.2, was not only to notify whoever appoints the daily service of the medical leave of
the complaining party, in order that no service be indicated, as indicated in the

response to the transfer of the claim that the AEPD made at the time, in the
which textually specify:



 "In the text of said email, as can be seen, no reference is made to
any diagnosis or other health data. (...) The only thing that has been communicated is the
administrative fact of his Temporary Work Incapacity, which whoever appoints the
daily service needs to know, so as not to count on him”,

but also, the purpose of said email was to indicate that "the claimant
must go to the psychology office on the mentioned date to be submitted to the
mandatory recognition according to internal procedures", because they do not understand that
"There is no other way to let you know but to send a communication to your destination at

in order to be informed of it", given that "according to article 23 of the Organic Law
11/2007 of October 22, Regulating the Rights and Duties of the Members of
the Civil Guard, nominated for psychophysical examinations, the Civil Guards have the
obligation to submit to the necessary psychophysical examinations to
determine their fitness for service.


       In this regard, this Agency observes that the purpose
       initial communication of an absence due to IT, for the purpose of not appointing
       service to the person who is on leave, with the addition in the letter of
       allegations, also communicate in the same email that
       must notify the civil guard on discharge of their obligation to

       undergo an examination, "since according to article 23 of the Law
       Organic 11/2007 of October 22, Regulating the Rights and Duties of
       the Members of the Civil Guard, nominated for psychophysical examinations, the
       Civil Guards have the obligation to submit to examinations
       psychophysical tests necessary to determine his fitness for service.


       This Agency does not share the criteria that said
       communication to the ***COMPANY.1 and the ***POINT.2, given that, the Law
       29/2014, of November 28, of the Civil Guard Personnel Regime
       indicates in its article 103: (the underlining corresponds to the AEPD)

       1. In the Health of the Civil Guard are included the medical services and the

       health inspection and will have the support of psychological care.

       2. Corresponds to the Health of the Civil Guard, regardless of the
       health benefits to which Corps personnel are entitled for their
       belonging to the Special Regime of the Social Security of the Forces
       Armed:

       a) Determine the existence of the precise psychophysical conditions for the

       admission to educational training centers and for the loss of status
       student, in accordance with the provisions of article 35.2 and article 48.1
       b).

       b) Carry out the follow-up and control of the temporary absences of the personnel of the
       Civil Guard Corps, and advise and report on this matter to the Chiefs

       unit, center or organism.

       c) Assess and confirm, where appropriate, temporary leave that have been
       issued by physicians unrelated to Body Health whose recovery
       has not occurred before the tenth day after they were issued.

       d) Arrange that those who are on temporary leave be
       subjected to the psychophysical examinations deemed appropriate.

       e) Issue opinions directly or through medical-expert bodies,
       detailing in them the diagnosis of the disease or pathological process and the

       degree of disability that corresponds to determine the aptitude for the
       stakeholder service.

       f) Issue the mandatory opinions determined by the class legislation
       liabilities of the State, for the purpose of determining, where appropriate, in accordance with the
       established in article 98, the limitation to occupy certain destinations or

       the retirement pass as a consequence of the fact that the affected person is disabled
       totally for the performance of the functions of the Civil Guard.

       For the development of its powers, the Health of the Civil Guard may
       establish contracts or collaboration agreements with certain
       medical professionals or public or private entities.

       3. The services referred to in the first section of this article are
       authorized to access the reports and diagnoses related to the

       situations of temporary leave of the members of the Corps, in order to exercise the
       functions entrusted to them, with the limits established by the
       Current regulations regarding the treatment and protection of personal data
       staff.

       In accordance with section 3 of article 103 of the aforementioned legal text, the

       reports and diagnoses related to situations of temporary leave does not have
       to be known neither by hierarchical superiors nor by people
       in charge of setting daily the services to be performed by the staff
       assigned to the corresponding unit.

       Therefore, this Agency confirms the criterion that the summons to the Cabinet of
       Psychology is a piece of information that is not pertinent, adequate or necessary in communication

       made of the situation of temporary leave of the complaining party.

       It is considered more appropriate to make such a summons to the affected person
       directly, and not across your entire target drive.

FIFTH: On November 14, 2022, a resolution proposal was formulated,
proposing that the Director of the Spanish Data Protection Agency
impose on D.G. OF THE CIVIL GUARD, with NIF S2816003D, for an infraction of the

Article 5.1.c) of the GDPR, typified in Article 83.4 of the GDPR a penalty of
warning.

Notified of the resolution proposal, no allegations have been presented to it.


In view of all the proceedings, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts:


                                PROVEN FACTS


FIRST AND ONLY: It is proven that an email was sent on the 13th
October 2021, from the Medical Service of the Command of
***LOCATION.1 to ***COMPANY.1 and ***POINT.2, with the following text:

       <<Today the assistance service has learned

       of this Unit, of the medical leave related to the Civil Guard D.A.A.A.
       (XX.XXX.XXX), bound for ***POINT.1.
       Likewise, it is agreed that said Civil Guard must appear at the
       Office of Psychology of the Command to the object of recognition on the day
       11/18/XX at 09:00.
       Proceed to the withdrawal of official and private weapons possessed by said

       Civil Guard>>


                          FUNDAMENTALS OF LAW


                                           I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to

initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."

                                          II
Article 5, "Principles relating to processing" of the GDPR establishes:


"1. Personal data will be:
(…)
c) adequate, pertinent and limited to what is necessary in relation to the purposes for which
that are processed ("data minimization");"

It must be clarified that this article does not limit the excess of data, but the need.
In other words, the personal data will be "adequate, pertinent and limited to the need"
for which they were collected, in such a way that, if the objective pursued can be
achieved without excessive data processing, this should be done in any
case.


Similarly, recital 39 of the GDPR indicates that: "Personal data only
should be processed if the purpose of the processing cannot reasonably be achieved by
other means." Therefore, only the data that is "adequate,
relevant and not excessive in relation to the purpose for which they are obtained or processed”. The
categories of data selected for processing must be those strictly

necessary to achieve the stated purpose and the controller must
strictly limit data collection to information that is directly
related to the specific goal that is intended to be achieved.


In this case, the email sent by the Medical Service of the
Command of ***LOCATION.1 to ***COMPANY.1 and ***POSITION.2, in which
it is specified that the complaining party "should appear in the Cabinet of
Psychology of the Command to the object of recognition" contains excessive data
for the intended purpose.


Although it may be considered necessary, as stated by the DGGC, to send the
information of the claiming party's medical leave to his hierarchical superior, including
the fact that it is necessary to communicate, likewise, that it should be
proceed to the withdrawal of weapons, it is totally unnecessary to add medical data

specific, such as the appointment in the Psychology cabinet, since, to know that
the complaining party is not available for the service due to being in a situation of
Work Incapacity, it is not essential to explicitly cite the reason given
place to said medical leave or the tests that must be submitted.

From the instruction carried out in this proceeding it is concluded that the

DGGC has violated the provisions of article 5.1.c) of the GDPR, by sending an email
email to the unit of destination of the complaining party, in which, in addition to
communicate that you are on leave, which must be taken into account to
not assign him service, it is indicated that he must report to the psychology office,
This last fact is unnecessary to add.


                                           III
Article 83.5 of the GDPR, under the heading "General conditions for the imposition
of administrative fines”, provides:


Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that:


"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law”.

For the purposes of the limitation period, article 72 "Infractions considered very

serious” of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that

a substantial violation of the articles mentioned therein and, in particular, the
following:


a) The processing of personal data in violation of the principles and guarantees
established in article 5 of Regulation (EU) 2016/679. (…)”

                                          IV.
Article 83 paragraph 7 of the GDPR provides the following:


Without prejudice to the corrective powers of the control authorities under
of Article 58(2), each Member State may lay down rules on whether
can, and to what extent, impose administrative fines on authorities and bodies
public establishments established in that Member State.”


Likewise, article 77 “Regime applicable to certain categories of
responsible or in charge of the treatment" of the LOPDGDD provides the following:

"1. The regime established in this article will be applicable to the treatment of
who are responsible or in charge:


(…)
c) The General State Administration, the Administrations of the communities
autonomous entities and the entities that make up the Local Administration.
(…)


2. When the managers or managers listed in section 1 commit
any of the offenses referred to in articles 72 to 74 of this law
organic, the data protection authority that is competent will dictate
resolution sanctioning them with a warning. The resolution will establish
likewise, the measures that should be adopted to cease the conduct or to correct it.

the effects of the offense committed.

3. Without prejudice to what is established in the previous section, the data protection authority
data will also propose the initiation of disciplinary actions when there are
enough evidence for it. In this case, the procedure and the sanctions to be applied
will be those established in the legislation on the disciplinary or sanctioning regime that

be applicable. Likewise, when the infringements are attributable to
authorities and executives, and the existence of technical reports or
recommendations for treatment that have not been adequately addressed, in
The resolution in which the sanction is imposed will include a reprimand with
name of the responsible position and the publication in the Official Gazette will be ordered

of the State or autonomous community that corresponds.

4. The data protection authority must be informed of the resolutions that
fall in relation to the measures and actions referred to in the sections
previous.


5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued
under this article.

                                           V
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE D.G. OF THE CIVIL GUARD, with NIF S2816003D, for a
infringement of Article 5.1.c) of the GDPR, typified in Article 83.4 of the GDPR, a
warning sanction.

SECOND: NOTIFY this resolution to D.G. OF THE CIVIL GUARD.


THIRD: COMMUNICATE this resolution to the Ombudsman, in
in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reversal before the

Director of the Spanish Agency for Data Protection within a period of one month from
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/],
or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the

Notification of this resolution would terminate the precautionary suspension.


                                                                               938-181022
Mar España Martí
Director of the Spanish Data Protection Agency



