AEPD (Spain) - EXP202212247
| AEPD - EXP202212247 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 9(1) GDPR, Article 9(2)(b) GDPR, Article 12 GDPR, Article 15 GDPR, Article 25 GDPR, Article 35 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 11.10.2022 |
| Decided: | 17.01.2025 |
| Published: | 24.01.2025 |
| Fine: | 220,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | EXP202212247 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | elu |
The DPA fined an employer €220,000 for unlawfully processing employees' biometric data for timekeeping purposes in violation of Article 9 GDPR. Additionally, the controller had failed to conduct a DPIA and had violated the data subject's right of access.
English Summary
Facts
The data subject, a former employee of the controller, filed a complaint with the DPA about the controller’s practice of scanning employees' faces to register entry to and exit from the workplace.
The data subject had submitted an access request under Article 15 GDPR, asking for details of the purposes and categories of the data processing. As of the date of the complaint, they had received no answer to this request from the controller.
The DPA deemed it appropriate to start an investigation. The investigation revealed the following:
- the data subject was an employee of the controller.
- the controller received the data subject's access request and confirmed that it had started handling it. However, no further reply to the access request was given.
- the controller replied via fax to an address that was not the one given in the data subject's request and that lacked both the floor and the door number. The reply contained only a generic reference to the categories of data, not the data themselves, and did not mention facial recognition, biometric data or the daily records of working hours.
- the data subject signed a consent form for the processing of their personal data in the context of the employment relationship. Moreover, under the heading of lawfulness, the purpose of payroll processing is stated to be the fulfilment of a legal obligation. The document contains no section in which to give or withhold consent, no option to revoke consent, and no invitation to consent to or accept a processing operation.
- a representative of the controller required the data subject to clock in at the workplace entrance using a facial recognition device, without providing any alternative means.
- the system used by the controller was a 3D facial recognition system, and the biometric data were stored in the software's own database. The controller thus recorded the workers' clock-ins in a database: once identification had been made, a confirmation of the employee's clock-in was sent to an Access database.
- the controller used this facial recognition system until 29.05.2023.
- the controller did not respond to the questions concerning special categories of data under Article 9 GDPR, stating that it had already provided a great deal of information and that the data subject had signed the consent form.
Holding
The DPA conducted a step-by-step analysis of the alleged GDPR violations.
1. Biometric Data Processing
The DPA considered that, in the case at hand, automated technical instruments were used which allow the permanent and unambiguous identification of each employee on the basis of their biological identity.
The DPA held that each scan of an employee's face is compared with the database containing the scans of all employees' faces, and not just with the individual's own registered biometric data. This entails that a processing operation takes place.
As to whether the data were biometric data and whether such data had been processed, the DPA held that the data processed are linked to the identification of the data subject in each access log and therefore constitute biometric data.
2. Obligations under Article 25 GDPR
The DPA determined that the purpose of the processing is the registration of employees' working day, i.e. their entry and exit throughout the workday. Against this background, the DPA considered that the controller is obliged to respect the principles of privacy by design and privacy by default under Article 25 GDPR.
3. Processing of Biometric data: legitimization
Under Article 9 GDPR, the processing of biometric data is in principle prohibited. The DPA considered whether the “labour exception” to this general prohibition under Article 9(2)(b) GDPR might apply to the case at hand. This ground for processing can only succeed if there is a provision of national law that requires the data processing. However, the DPA concluded that no such provision existed in Spanish law, rendering the ground under Article 9(2)(b) GDPR inapplicable to the case at hand.
The DPA considered that, even if that were not the case, the “necessity” requirement was not fulfilled: the intended purposes could have been achieved through other means. This was further confirmed by the fact that the controller had since discontinued the system in favour of an ID-card system.
Thus, the DPA found that no lawful ground for the processing of biometric data under Article 9(2) GDPR was applicable.
4. DPIA and Violation of Article 35 GDPR
As biometric data are sensitive data, they are to be processed only when no risks to the rights and freedoms of individuals are present. Therefore, as set out in Article 35 GDPR, any processing considered to pose a high risk to the rights and freedoms of natural persons must be legitimised through a data protection impact assessment describing the processing in detail.
The DPA noted that the processing of biometric data for labour control began in 2016. The controller acknowledged that it did not know whether a DPIA had ever been carried out.
Considering that the controller did not provide a DPIA of the processing of biometric data, the DPA found that the controller violated Article 35 GDPR.
5. Violation of Article 15 GDPR
As the controller did not effectively reply to the data subject's email requesting access to their personal data, the DPA found a violation of Articles 12 and 15 GDPR.
6. Fine
In light of the aforementioned violations, the DPA deemed it appropriate to impose a twofold fine on the controller:
- €200,000 for the violation of Article 35 GDPR;
- €20,000 for the violation of Article 15 GDPR.
Thus, the overall amount of the fine was €220,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202212247

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based on the following

- SECOND: Transfer of the claim .... 2
- THIRD: Response to the transfer of the claim .... 3
- FOURTH: Conduct of preliminary investigation actions .... 5
- FIFTH: AXESOR diligence .... 9
- SIXTH: Commercial Registry and AXESOR diligence .... 9
- SEVENTH: Start agreement signed by the director of the AEPD .... 10
- EIGHTH: Allegations of the respondent dated 5/01/2024 .... 10
- NINTH: Dated 10/23/2024, a resolution proposal is issued, literal: .... 14
- TENTH: Allegations to the resolution proposal .... 14
- PROVEN FACTS .... 16
  - FIRST .... 16
  - SECOND .... 16
  - THIRD .... 16
  - FOURTH .... 16
  - FIFTH .... 17
  - SIXTH .... 17
  - SEVENTH .... 17
  - EIGHTH .... 18
  - NINTH .... 19
  - TENTH .... 19
- GROUNDS FOR LAW .... 19
  - I Competence .... 19
  - II Definition of biometric and personal data .... 19
  - III Object and purpose of processing .... 27
  - IV Processing of biometric data: legitimacy .... 29
  - V Data protection impact assessment (DPIA) .... 31
  - VI Response to the allegations of infringement of article 35 of the GDPR .... 37
  - VII Exercise of the right of access and consequences of failure to comply .... 44
  - VIII Classification and classification of infringements .... 48
  - IX Determination of sanctions .... 49
  - X Adoption of measures .... 57
- RESOLVES: .... 58

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/60

FIRST: Presentation of the claim

A.A.A. (hereinafter, the claimant) on 11/10/2022, filed a claim with the Spanish Data Protection Agency. The claim is directed against CARTONAJES BAÑERES, S.A. with NIF A03009263 (hereinafter, CB). The reasons on which the claim is based are the following:

The claimant states that CB “takes a photograph of the employees’ faces from a device located at the entrance” and that (…) tells him that this photo is used only for the employee file and that “the face is not saved”. He provides a screenshot of a WhatsApp conversation, (...), no date is shown, as follows:

- “Is it the face thing with the card? Because I would like to check in without biometric data. Are there cards or something like that?”
- “No, it must be the face.”
- “…the biometric data makes me feel a bit uncomfortable”
- “He doesn't keep his face calm”

In addition, the claimant requested access to his personal data on 08/29/2022 (with a copy of his data being processed), specifying the purposes and category of data, stating that he has not received a response to date either by post or by email. A copy of the request made is provided, stating an email address: (...), and his address at ***ADDRESS.1, “to be sent to the address indicated” as a contact, with a receipt of CB dated 08/29/22.

The complainant states that in response to information “that I send to the company, they indicate to me through an email dated 14/09, that they are aware of my request for information and that the management of CB will contact them to comply with their request in relation to the P.D.C.P.” In document 3, they provide a copy of said email from an address (...) and the logo of that entity. The complainant adds that the use of the image is not reported.

SECOND: Transfer of the claim.
In accordance with article 65.4 of Organic Law 3/2018, of 5/12, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the claim was transferred to the respondent party, so that it could proceed to analyze it and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of 1/10, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was recorded on 11/22/2022, as stated in the acknowledgment of receipt that is in the file.

THIRD: Response to the transfer of the claim

On 12/22/2022, a letter was received from CB in which its representative provided a power of attorney dated 7/07/2022, which states that: "the person designated by SAICA PACK SL, domiciled at Avda. San Juan de la Peña 144, B50035179, Zaragoza, appears as "sole administrator on behalf and representing CB..." granting power to the person designated as CB representative, stating:

1) The claimant was an employee of the entity from ***DATE.1. They are aware that he exercised the right of access, and provide a copy (document 2) in which he also signed the notice of voluntary resignation from the company on (...), indicating that, respecting the notice, his last day of work is 12/09.

2) “it does not obtain a photograph of the employees’ faces from a device at the company entrance, as the complainant states”, but rather “The biometric data used at the plant are obtained through a device used for employees to clock in and out of the facilities. This device does not take a photograph of any worker, but rather performs a triangulation of eyes, mouth, and nose and counts the pixels that allow the identification of the person”.
The entity states that “after performing the aforementioned triangulation, the system sends the confirmation of the worker’s clocking to an Excel page that contains only the name of the worker, the day, and the time, without saving or transferring any biometric data. The Excel file with said data is the only information that is kept.”

3) The entity indicates that the worker was informed of the processing of his data. It provides a copy of the document called “consent and information on the processing of personal data of employees”, edition 11/01/2022, signed by the claimant on 11/05/2022. It begins by informing that CB is responsible for the processing, adding: “read the conditions and sign the consent”. “If you do not provide your express consent, CB will not be able to process your personal data for the purposes set out therein. According to the RGPD and the LOPDGDD, by accepting the conditions for the processing of personal data set out in this document, the interested parties give their express consent for CB to process the data provided in the employee's file in accordance with the previously accepted processing conditions”. It should be noted that the signature footer states “I have read and accept the conditions for the processing of my personal data”.

As sections, there are different headings, of which, due to their relationship with the employment subject, the following are highlighted as the most significant:

- “Purpose: manage the employment relationship between the worker and CB, such as those necessary for the preparation of the contract, sending and payment of payrolls, as well as IRPF withholdings. Time control based on the capture of the employee's fingerprint to control compliance with the working day."
- "Legitimation": Refers to the regulatory provisions applicable to payroll management and to: "preparation of contract. The communication of personal data is a necessary requirement to be able to carry out the registration of the employee."
- "COMMUNICATION OBLIGATION" states that "The communication of personal data is a necessary requirement to be able to carry out the registration of the employee, in case of not giving their express consent to the treatment, the hiring cannot be carried out."
- "Data categories": Among others, it highlights: "images: photograph-facial scan."

In the "rights" section, information is provided, among other means, on their exercise, through sending to the offices by post or delivery to the offices. The entity states that the claimant was informed of the processing of his data, including biometric data, and “gave his express consent to it.”

4) Regarding the legal basis of the processing and the circumstance that lifts the prohibition to process special categories of data, according to article 9 of the GDPR and the purpose of the processing, CB indicates that it provides “the files declared to the AEPD in 2011”, which is a letter from the AEPD in which it informed it on 22/06/2011 of the registration of files. CB indicates that it would correspond to the so-called “payrolls, personnel and human resources” with the purpose being “human resources, payroll management, prevention of occupational risks, other types of purposes” without any mention of biometric data in the type of data.

5) In relation to the appropriate guarantees implemented for the protection of the rights and freedoms of individuals, CB provides a written “privacy policy” published on its website that refers to the information given to users who provide data on the website, as well as to questionnaires that are filled out.
In relation to the access request, CB states, according to the copy attached in document 1, that they sent an email from the entity called SAICA, informing that its processing has begun, and that, within fifteen days following the receipt of the request by the claimant, the response to be sent to the worker would be drafted. They attach the document dated 09/15/2022, in response, that indicates in the body of the letter that it is sent to you by means of this burofax in which it informs you that the data that appear in the entity are the “basic data of the employment relationship” “name, surname, address, telephone number, ID, date of birth, membership number, for the fulfillment of work obligations.” However, they tried to connect to deliver the requested information both by telephone and by WhatsApp, without him coming to pick it up. Therefore, on 12/9/2022, a written response to the access request was sent by burofax.

The entity has provided a copy of the burofax that appears to have been sent on 12/9/2022. It can be seen that the burofax begins with “We are answering your letter dated August 29, 2022 by means of this burofax, since you did not pick up this communication during the month of September as you indicated to us.” The burofax is addressed to a different address to the one the claimant stated in his application, without knowing the reason. In addition, the information on facial recognition for the labor control carried out is not mentioned.

6) Regarding the Impact Assessment of the processing operations on the protection of personal data, whether it was carried out or why it was not carried out, no response was given.
7) In relation to the measures adopted to prevent similar incidents from occurring, the dates of implementation and controls to verify effectiveness, they respond that the procedure is adequate, since “when hiring a worker, informed consent is obtained, indicating the processing of their data”, and when the relationship is terminated, the data is deleted.

8) Regarding the decision adopted with this claim, CB states that it “prepared and communicated the response to the claim to the worker and his data was deleted, except those that must be kept by Law”, and “regarding his biometric data, they were deleted from the system”.

THIRD: Admission for processing of the claim.

On 01/11/2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the claimant was admitted for processing.

FOURTH: Carrying out preliminary investigation actions.

The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, having knowledge of the following details:

On 05/31/2023, an in-person inspection was carried out at the establishment of CARTONAJES BAÑERES, located at Polígono Industrial Barrio Les Molines, 22, 03450, Banyeres de Mariola, Alicante, from which it follows:

1. It is stated by those inspected that CARTONAJES BAÑERES, S.A. “was acquired by SAICA PACK S.L. on 7/07/2022”, an entity with registered office in Zaragoza. A copy of the notarial deed of sale of registered shares representing 98.52% of CB's share capital is provided.

2. The inspected parties state that on 6/05/2022, the minutes of the constitution of the DATA PROTECTION DELEGATES COMMITTEE of the SAICA GROUP (hereinafter CDPD) were held. The following meetings of the CDPD are highlighted:

- 10/19/2022, in the copy of the document provided (minutes of the CPD of 10/19/2022), in agreement 7: "given the recent acquisition by the SAICA group of the entity CARTONAJES BAÑERES, it is agreed to review the situation of the aforementioned company in relation to Data Protection. Likewise, it is agreed to recommend to the company that it proceed immediately to replace the timekeeping system given that the current one uses biometric data."
- 20/01/2023, according to the copy of the document provided (minutes of the CPD of 20/01/2023, document 5), in the second agreement, it is stated: “agenda” “adaptation of the control of employees to Regulation 2016/679” and that “the requirements received from the AEPD for the complaint filed by a former employee of CB, now a commercial company of the Group, are reviewed”, “since the company was acquired, work has been done to eliminate the current employee identification system and implement a new system that does not require biometric data”. “It is also stated that the development of a new work plan has been initiated and audited by an independent third party for the adaptation of the plant to the requirements of Regulation 2016/679”.

It is also included in the third point, which is agreed on access requests, that the Committee defines aspects of the response period, information to be given and the period that the entity must retain, in order to comply with the requirements established by the regulation.

3. They provide a copy of:

3.1- document of April 23, “plan for the preparation of the RAT and RGPD Audit” for CB, which consists of an offer of provision of services related to information, security and data protection, signed by CB on 04/28/2023.
3.2- budget and order for the new time clock system dated 03/14/2023, subject “terminal and cards for new SAICA plant”, with request for 175 cards.

3.3- “Time clock system implementation plan” “SAICA CARTONAJES BAÑERES integration plan”, initial date 03/20. The development phases are listed: analysis and design, construction and validation, and putting into production, with the different managers who execute them and total hours. The same sheet in situation on 05/23 and another on 05/25/2023. On 05/29 it appears “project completed”.

3.4- “Internal communication of the change in the timekeeping system” dated 05/25/2023, in which it is reported that, on 05/29/2023, the new timekeeping system will come into operation by means of an individualized card, following the standard system used in all plants of the SAICA Group. It is recalled that “the processing of personal data of employees is necessary for the fulfillment of a legal obligation derived from the employment contract for the purpose of fulfilling the same and the obligations derived from said employment relationship.”

In this regard, the Agency Inspection Service verifies that, at the time of the inspection, the time clock requests an identification card from the employee and, once contact has been made, it must be entered whether it is entry or exit.
3.5- DOCUMENTATION ON “OLD TIME SIGNING SYSTEM”, entitled “facial biometric treatment”, signed by the company SABACOINSA SL, without date, containing as highlights:

3.5.1- The “3D facial recognition terminal” was of the brand ***MARCA.1 and used a patented facial recognition reader called (...), with a false acceptance rate (FAR) of less than 0.001%, and a false rejection rate (FRR) of less than 1%, “algorithm (...)”.

3.5.2- In “biometric pattern capture mode”, it is indicated that: “The capture of the biometric pattern is based on taking several images of the face and using a mathematical algorithm generating a pattern. This encryption algorithm ((...) algorithm) generates a template representative of said pattern (hash) and is stored in the equipment and in the software to be able to perform biometric identification." It provides a long list of sequences of alternating numbers, letters and signs, which would be a “hash (biometric pattern)”.

3.5.3- “It is impossible to obtain the real image of the face with the pattern stored in the terminal, since no image of the face is stored, but rather a mathematical relation is established between certain points of the face - singularities, characteristic points - giving rise to a set of numbers that will later be used to unequivocally identify each person”. It is not possible to obtain the image of a face with the stored hash. This procedure consists of verifying a person by a biometric system by comparing them with their biometric data acquired at the time of verification with a hash stored in the equipment. The search process is one-to-one.“ “The procedure is set up according to the criteria established by the European Commission on Data Protection which authorizes a verification/authentication consisting of the verification of an individual by a biometric system in comparison between his/her biometric data -acquired at the time of verification- with a single biometric template stored on a device (i.e. the one-to-one matching process). Biometric data are not considered to be of a special level in the case of biometric verification/authentication by hash templates that establish one-to-one hash checks, fulfilling the criteria of articles 6 and 9 of the General Data Protection Regulation.” … “Our PHUC Control management software stores the hash (biometric pattern) provided to us by the facial recognition terminal. This hash is related to the end user with the user id in a special table for biometric data.” “Biometric data is stored in the database of the PHUC Control time control software, located on the server at the client's premises.”

In this regard, the Data Inspection has verified that the company SABACOINSA (web address phuc.es) has among its products facial recognition solutions for the control of the presence of workers.

3. The Agency's Inspection Service claims that in the documentation provided to the Agency during the transfer proceedings, AT/04915/2022, it was stated that "the device for checking in and out of employees performs "a triangulation of eyes-mouth-nose and counting of the pixels that allow the identification of the person, and that once the identification has been made, the confirmation of the employee's check-in is sent to an Excel page that contains only the employee's name, the day, and the time, without saving or transferring any biometric data. The file with this data is the only information that is kept. The hashes were stored in the facial recognition system itself. In this regard, the entity confirms it and adds:

a) That was the operation of the previous timekeeping system since it was uninstalled as a consequence of the meeting of the Data Protection Committee where the implementation of a new timekeeping system is required, which is to be carried out in May 2023.
b) They correct that the database manager where the timekeeping of the workers is recorded is Microsoft Access, not Microsoft Excel as indicated in the documentation.

4. The Agency Inspection Service raises the statement that already appears that: “In the event of a worker's leave, the hash of the facial recognition system is eliminated and the data in the Access file of the timekeeping are stored in a history”, and in this regard they state that “all the timekeeping of workers since May 2019 are kept in a history since the new timekeeping system has been implemented”, and that the “stored hashes have been destroyed”. A copy of a waste management certificate SM0529 from the company WEE INTERNATIONAL RECYCLING SL, dated 06/02/2023, is provided, indicating that on 05/29/2023 they received at their facilities from SAICA NATUR some waste, concept "consumer electronics", and attaches three photographs of what appears to be the facial recognition reader (you can see (...) in the photo on the left), and two other elements, one of them open and disassembled.

6. In relation to the right of access requested from the entity by the claimant, the representatives of the entity state that they contacted the applicant by WhatsApp to come and collect the reply and later, "they sent it by fax". In this regard, they provide a printout of WhatsApp messages held with the complainant, dated 09/16/2022, as indicated to arrange an appointment for his reception. In the messages, it can be seen that what is involved is that the claimant is required by the company to go to the company to "sign a letter in the presence of (...)", a document that is not defined what it is, despite the claimant's insistence that it be sent to him before by mail and, in another message, he states that if it were the response to his request, it does not need to be signed by him. It is referenced in document 14.

7. The Agency's Inspection Service requests access to the complainant's transfer data, and it is verified that no information appears.

8. The Agency's Inspection Service, accompanied by the inspected personnel, accesses the premises where the old application's time management system is located with facial recognition, checking:

The premises are locked and have video surveillance equipment and a fire detector. The computer where the application is installed is connected to the local network and uses the Windows 10 operating system. The database manager is Microsoft Access. Identification to the computer is through the user code and password defined in Windows and to access the application, a user name and password are also used, but different from the previous ones. Only the person in charge of human resources (currently the person in charge of production) and the administrator of the computer system have the access credentials to the application.

The application is accessed by verifying: The clockings made by a user can be viewed and the data they contain correspond to the date and time of entry and exit. Holidays and absences without specifying the reason are also listed. The application has tables that allow you to consult lists of worker clockings with the data of: name and surname, card number, shifts, calendar and a discharge status indicator. The clockings corresponding to 05/29 and 05/30/2023 appear as “Absent”. The representatives of the entity state that this is because the clock associated with this system was deactivated on 05/29/2023. All of this is included in document 13.

9. The representatives of the entity provide a copy of the following documentation:

- Document 15, “SAICA Group Data Protection Policy - v.2 11/04/2022”.
In the "data controller" section, it states that "In this document, any reference to the controller will refer to each of the companies that make up the SAICA GROUP", and in the introduction it states that the purpose of the document is "to inform the SAICA GROUP of the internal policy that it carries out in compliance with the RGPD".

- Document 16: Privacy management standard. Attached is a document with a screenshot of the checks carried out.

FIFTH: AXESOR Diligence

On 6/06/2023, the Inspection Service carried out the following diligence with the information obtained from MONITORIZA.AXESOR.ES:

- CARTONAJES BAÑERES, in active status, registered office in Alicante, share capital (...)€, same number of shares, type of company "parent group", 99 employees, sales (...)€.

SIXTH: Proceedings of the Commercial Registry and AXESOR

On 08/30/2023, the following was obtained and associated with the file:

a) Registration entries in the Commercial Registry of CARTONAJES BAÑERES, S.A., NIF A03009263, appearing active, and since 08/01/2022 the registration, as SOLE ADMINISTRATOR, of SAICA PACK SL, published 08/09/2022.

b) In axesor.es, report of CARTONAJES BAÑERES, S.A. with the following data:
- date of incorporation 06/24/1957, type of company: parent company, status: active, share capital: (...)€, size: medium-sized SME,
- last financial year presented 2021,
- activity: corrugated paper and cardboard manufacturing; manufacturing of paper and cardboard containers and packaging,
- sales: (...)€,
- (...),
- turnover 2021: (...)€,
- nominal value (...)€,
- appears as sole administrator SAICA PACK SL, date of appointment 08/01/2023,
- subsidiary and associated companies ELECTRO MARIOLA SL, two employees.

a) In axesor.es, report of SAICA PACK SOCIEDAD LIMITADA, NIF: B50035179.
- Type of company: Group subsidiary.
- Activity: 1721 - Manufacture of corrugated paper and cardboard; manufacture of paper and cardboard containers and packaging.
- Size: Large.
- Parent company: SOCIEDAD ANONIMA INDUSTRIAS CELULOSA ARAGONESA, which appears as a shareholder with a 99.99% stake.

SEVENTH: Start agreement signed by the Director of the AEPD

On 12/15/2023, the Director of the AEPD agreed:

"TO START SANCTIONING PROCEDURE against CARTONAJES BAÑERES, S.A., with NIF A03009263, for the alleged infringement of the GDPR in the following articles:
- 35, in accordance with article 83.4.a) of the GDPR and, for the purposes of the statute of limitations of the infringement, classified as serious in article 73.t) of the LOPDGDD.
- 12, in accordance with article 83.5.b) of the GDPR and, for the purposes of the statute of limitations of the infringement, classified as very serious in article 72.1.k) of the LOPDGDD."

"For the purposes provided for in art. 64.2 b) of the LPACAP, the sanction that could correspond would be an administrative fine of 200,000 euros for the infringement of article 35 of the RGPD, and an administrative fine of 20,000 euros for the infringement of article 12 of the RGPD, totaling 220,000 euros, without prejudice to what results from the investigation."

EIGHTH: Claims of the respondent dated 5/01/2024

1) The respondent states that the time clock system referred to in the complaint was implemented in 2016, and attaches an invoice dated 14/12/2016: "1 Facial identification terminal, and 1 Software for presence control - PHUC Official Distributor". At that time, the LOPDGDD and the RGPD did not apply, distinguishing between entry into force, twenty days after publication in the DOUE, and application, as of 25/05/2018.
"At the time when the time clock system was implemented, this regulation was not applicable." "In the previously applicable regulation, the LOPD 15/1999, biometric data were not configured as specially protected, nor did it require the completion of a DPIA." Furthermore, it adds that, once the GDPR is in force, the performance of such an impact assessment is not required, and inserts a link from the AEPD: (https://www.aepd.es/preguntas-frecuentes/2-rgpd/10-evaluacion-deimpacto/FAQ-0227-los-tratamientos-iniciados-antes-de-la-aplicacion-del-rgpddeben-somterse-a-una-evaluacion-deimpacto#:~:text=No%2C%20el%20mandato%20del%20RGPD,comience%20a%20ser%20de%20aplicaci%C3%B3n)

"The principle of non-retroactivity of sanctioning provisions, art. 9.3 of the EC, is violated by sanctioning a conduct under a regulation that was not in force at the time when the events were committed, also taking into account article 40 of Law 40/2015 of 1/10, on the legal regime of the public sector, LRJSP, on the application of the sanctioning provisions in force at the time of the events."

The respondent gives as an example a judgment of the National Court, dated 05/14/2021, of which it gives no more details than the transcription of a paragraph, coinciding in this sense with that of the Contentious-Administrative Chamber, Section 1, Judgment of 05/14/2021, Rec. 115/2020:

"Therefore, a regulation that was not applicable when the sanctioned events occurred has been applied retroactively. We must add that the aforementioned regulation could have been applied if it had been more favorable - art. 26.2 of Law 40/2015, of October 1 -, but as indicated in the Supreme Court ruling of October 30, 2009 - appeal no. 334/2006, F.J.6º -, and, in the same sense, in the Judgments of said Court of 12 and 26 November 2020, issued respectively in appeals numbers 4,039/2019 and 5,285/2019: "[...]
the retroactive application of the most beneficial rule must be done by determining which provision is more favourable, by contrasting both, previous and subsequent, considered globally...." And said contrast does not exist in the challenged resolutions, in which there is not even any mention of Organic Law 15/1999, of 13 December, and in which the GDPR and Organic Law 3/2018, of 5 December, are applied as if they were the regulations in force when the sanctioned events occurred, in April 2018."

The respondent understands that this ruling is applicable, because in 2016 neither the RGPD nor the LOPDGDD were applicable.

Alternatively, the respondent states that, given that the "installation of the time-clocking system took place in 2016, the infringement would have prescribed after two years, taking into account what is stated in article 73 of the LOPDGDD".

2) It considers that there is a lack of proportionality in the sanction, as no mitigating circumstance has been applied. It considers that the statement that "there came a time when the respondent determined that it was not adequate and maintained it for a few more months", functioning as an aggravating circumstance, has not taken into account that "prior to any type of procedure being initiated against it, the time-clocking system was replaced by one in which there is no biometric data processing. Once the existence of a problem with the time-keeping system was confirmed, the necessary procedures were carried out to replace the system, and the Administration cannot expect the change to be immediate." It adds that on 03/14/2023 the new time-keeping system was acquired, "a project plan for its replacement" was established (pages 335 to 336 of the file), and on 05/31/2023, when the inspection took place, the system had already been replaced.
"The replacement of the time-keeping system cannot, under any circumstances, be considered as an aggravating circumstance", and it considers instead that the mitigating circumstance of article 83.2.f) of the GDPR should have been applied.

- In addition, the respondent states that CARTONAJES BAÑERES SA was acquired by SAICA PACK on 7/07/2022 (98.52% of the shares), that is, once the access system was installed, and that it is clear that the respondent had carried out actions to prevent the use of the installed system, so the mitigating circumstance of article 83.2 b) of the GDPR has not been applied either.

- It adds that none of the mitigating circumstances included in article 76 of the LOPDGDD are applied, of which it cites:
  - b), because there is no relationship between the offender and the processing of personal data;
  - c), because no benefit has been obtained;
  - e), because although an absorption process was not carried out, 98.52% of the shares of CARTONAJES BAÑERES were acquired;
  - f), because the rights of minors were not affected.

"By not applying a single mitigating circumstance, it violates the principle of proportionality."

- As for the aggravating circumstances applied, it indicates that, compared to other sanctioning proceedings with the same type of infraction, significantly lower sanctions have been imposed, and provides a table of said procedures, comparing by employees, amount imposed and mitigating/aggravating circumstances:
  - 202100603, 20,000 attendees, 200 thousand euros - Aggravating circumstance: type of event with mass attendance.
  - 202209921, 500 workers, 20 thousand euros - Mitigating circumstance 76.2.b) (when the PS was started, the sign-in system that processed biometric data was still in place).
  - PS/00120/202135, (...), 90 thousand workers, countless clients, including minors, 50 thousand euros, "eight aggravating factors, ONE mitigating factor: 'There is no record of recidivism'".
- It also considers that a fact is used and subsumed in the type of infringement and, at the same time, used as an aggravating circumstance, since it is estimated that there is negligence and lack of diligence for "having implemented the system and not foreseeing its impact", which is precisely what is classified as the infraction, since what is sanctioned is having carried out processing of biometric data without having carried out the corresponding impact assessment.

3) Regarding the infringement of article 12 of the GDPR, classified as very serious in article 72.1.k) of the GDPR, it indicates that, under the same legal text, it could be classified as serious, according to article 73.c) of the LOPDGDD: "The impediment or obstruction or repeated failure to comply with the rights of access, rectification, deletion, limitation of processing or portability of data in processing in which the identification of the affected party is not required, when the latter, for the exercise of these rights, has provided additional information that allows their identification." Or as minor, in article 74.c) of the LOPDGDD: "Failure to respond to requests to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law apply."

The AEPD is said to be "ignoring a series of circumstances that would not justify the classification of the infringement as very serious":
- On 09/16/2022, the complainant "was informed" that the requested documentation was available to him, and the complainant indicated that "he had no problem coming to collect said documentation".
- On 09/19/2022, a new message was sent to him to come and collect it, the complainant indicating this time that "at that time he had other priorities", and that that was why he could not go.
- Finally, "a burofax was sent to him on 12/9/2022."
The respondent states that, "if the petition is examined, it can be seen that it only indicates the street, the number and the town, without indicating the floor or door, given that he lived in a building of flats, so his address was incomplete", and the "only thing they could do was send the burofax to the only valid address they had". The worker was asked on numerous occasions to go to the registered office, which he agreed to, but never went. Even so, a burofax was sent to the address they had, given that the address he had given was incomplete. It understands that the conduct that is classified as very serious does not occur.

- It considers that the principle of proportionality is violated, citing as an example PS/369/2022, in which the same fine is imposed, with the following differences: the case to be compared had four aggravating factors, this one has two; there, the data of the affected person were processed without their having been a client; there, one mitigating factor is valued, in this case none.

- Also in this infringement, the Administration uses the same fact to classify the infringement and to apply the aggravating circumstance, since it is estimated that there is negligence and lack of diligence due to the summons made by WhatsApp and the burofax sent to an address other than the one indicated, while at the same time these circumstances are taken into account to classify the infringement as very serious and not as serious or minor.

4) It ends by indicating that, as a result of the above, the initiation agreement has been issued totally and absolutely disregarding the legally established procedure, and therefore it is appropriate to declare it null according to article 47.1.e) of the LPACAP or, alternatively, annullable according to article 48 of the same Law.
NINTH: On 10/23/2024, a proposed resolution is issued, literally:

"FIRST: That the Director of the Spanish Data Protection Agency sanction CARTONAJES BAÑERES, S.A., with NIF A03009263, for the violation of the RGPD in its articles:
- 35, in accordance with article 83.4 a) of the RGPD and, for the purposes of prescription of the infringement, classified as serious in article 73.t) of the LOPDGDD, with 200,000 euros.
- 15, in accordance with article 83.5 b) of the GDPR and, for the purposes of the statute of limitations for the infringement, classified as very serious in article 72.1.k) of the LOPDGDD, with 20,000 euros.

SECOND: That the Director of the Spanish Data Protection Agency order CARTONAJES BAÑERES, S.A., with NIF A03009263, pursuant to article 58.2.c) of the GDPR, to prove, within 30 days from the date on which the resolution that ends this procedure becomes enforceable, that it has complied with the exercise of the claimant's right of access."

TENTH: Objections to the proposed resolution

On 12/11/2024, objections were received to the proposed resolution, which, in summary, indicate:

1) Regarding the INFRINGEMENT OF ARTICLE 35 OF THE GDPR, it reiterates what was stated in the previous objections of 5/01/2024. It adds:
- It considers that there is an error in the classification by the AEPD, the fact of continuing to use a facial recognition tool being one thing, and not having carried out a DPIA prior to installing the tool another. On the latter, it reiterates what was already stated in the objections to the agreement of 5/01/2024.
- "The AEPD states that it is necessary to carry out a DPIA if there have been changes in the risks that the processing involves in relation to the time when the processing was started"; "the fact that the biometric data are part of the special category does not imply that there is a change in risk", but in this case:
  - neither new technologies have been used, nor are the data used for different purposes, nor are more data or different data collected than those that were used;
  - "at no time has the acting Administration proven that such a change in the risks has occurred, so it is clear that it is not appropriate to carry out a DPIA".

Furthermore, it points out that the proposal emphasises that "the infringement imputed to the appearing commercial entity, consisting of not adapting its behaviour by carrying out a DPIA", is not classified as an infringement. The alleged infringement committed has been reformulated, indicating: "Therefore, it is also indisputable that processing has been carried out through the use of the facial biometric system established by the data controller, CB, after the entry into force of the GDPR, to which the respondent has not adapted its behaviour consisting of carrying out a DPIA, as determined by recital 171 of the GDPR and derived from the principles and guarantees applicable in the aforementioned GDPR." The respondent states that the infringement is "not carrying out an impact assessment at the time the processing is initiated", and considers that "the alleged infringement committed is being wrongly classified", "since said provision does not sanction the failure to adapt its behaviour in accordance with the aforementioned article".
It adds, to its reiteration of the STATUTE OF LIMITATIONS of the infringement, that if the obligation arises from the entry into force of the GDPR, 05/25/2018 ("dies a quo"), "by having to adapt said processing to the new regulations", then, counting from the date on which the obligation should have been fulfilled, liability would be time-barred, as more than two years had passed by the date on which the initiation agreement was issued; in other words, the end of the limitation period ("dies ad quem") would be 05/25/2020.

- Regarding PROPORTIONALITY, it reiterates what was stated in its previous allegations of 01/05/2024, emphasizing that the replacement of the timekeeping system before the start of "any procedure" must be assessed, and that before the Inspection of 05/31/2023 the system had been acquired and, once CB was acquired on 07/07/2022, "SAICA confirmed the existence of a problem regarding the timekeeping system" and established the Work Plan to implement the change of system, WHICH CANNOT BE AN AGGRAVATING FACTOR. The mitigating factor that it indicates should be applied, article 83.2.f) of the GDPR, does not in its view require the measure to be taken immediately; what is relevant would be remedying the infringement and mitigating the adverse effects. It reiterates that the mitigating circumstance of article 83.2.b) of the GDPR is not applied either, on the basis that when the system was installed the applicable regulations did not require the completion of a DPIA, and CB was acquired on 7/07/2022, once the system was installed.

- It adds new resolutions that sanction its case differently:
  - File 202213792, with three aggravating factors, no mitigating factors, and 700 subscribers, with 50 thousand euros.
  - File 202202960, with two aggravating factors and no mitigating factors, and 4125 employees, with 100 thousand euros.

It considers that the non-application of any mitigating factor violates the principle of proportionality.
- In response to the statement in the proposal that it did not comply with the principle of proactivity by not documenting, with any expert document that would have drawn such a conclusion, the reasons why it did not carry out a DPIA, the respondent states that it has already set out its considerations on the entry into force of the GDPR and the implementation of the system in 2016, and that the BURDEN OF PROOF falls on the ADMINISTRATION, since the presumption of innocence is guaranteed by the Spanish Constitution. It concludes that it did not carry out the DPIA because "in 2016 such obligation was not contemplated in the regulations".

2) Regarding the infringement of article 15 of the GDPR, it reiterates the allegations made on 01/05/2024, although it continues to refer to it as article 12, requesting the filing of the sanctioning procedure.

PROVEN FACTS

FIRST: The claimant was an employee of Cartonajes Bañeres (CB) from ***DATE.1, the date on which he communicated his voluntary resignation, effective 09/12/2022 (last day of work).

SECOND: The request for exercise of the right of access made by the claimant is recorded as having been received by the respondent on 08/29/2022. In it, as contact information for the purpose of sending the response, the email address (...) and the postal address ***ADDRESS.1 appear. The complainant received a first communication from the respondent via email on 09/14/2022, indicating that the procedure had been initiated, but he did not receive a response to the exercise of his right. In the petition, he requested a copy of the data being processed.

THIRD: Regarding the response to the claimant's exercise of the right of access made on 08/29/2022, the respondent does not prove that it has made it effective, and the claimant stated that he has not been answered either by email or at the postal address he provided in his petition.
The respondent provides as a response a letter dated 09/15/2022, sent on 12/09/2022 by burofax to an address that was not the one the claimant stated in his application, specifically to ***ADDRESS.2, the respondent stating that it did so because it understood that, since only ***ADDRESS.1 was indicated, the floor number and the door were missing. Although it is proven that the respondent's staff contacted the claimant by WhatsApp on 09/16 and 09/19/2022, according to a screenshot provided in previous actions by the respondent, it was, according to the literal wording, so that he would come to sign a letter in the presence of (...), without in any way stating or implying that it referred to the response to the exercise of the right. It is not proven that the aforementioned contacts by the respondent with the claimant had as their object or purpose the delivery of the response to the right of access to the claimant; it is proven that contact was made by said means, but for other reasons that are not shown to relate to the exercise of the right. It is not proven that the respondent notified the claimant in any way of a need to correct his request. Furthermore, the document that the respondent states it sent to give effect to the right contains only a generic reference to the type of data, not to the actual data, without any mention of facial recognition or data inferred from it, of the daily records produced by the daily working time control, or of the right to file a claim with the supervisory authority.

FOURTH: In its response to the transfer, the respondent provided on 12/22/2022 a copy of the document "consent and information on: processing of personal data of employees", signed by the claimant on 05/11/2022.
Under "purpose", it was indicated that the data provided will be processed to manage the employment relationship and for "time control based on the capture of the employee's fingerprint to control compliance with the working day". It ends: "I have read and accept the conditions for the processing of my personal data", reiterating in its header that "by accepting the conditions for processing personal data included in this document, the interested parties give their express consent", and that "if they do not provide their express consent, CB will not be able to process their personal data for the purposes set out therein". Under "legitimation" it specifies, for example, that payroll management responds to compliance with a legal obligation, without any reference to the legal basis of the employee system for controlling compliance with the working day. The document does not have any section to select affirmative consent or deny it, nor any option to revoke consent, nor any invitation to accept a processing operation.

FIFTH: In addition, the claimant points out that, as an employee, the respondent requires him to check in at the entrance to the workplace with a facial recognition device, with no alternative of using any other means.

SIXTH: In the response to the transfer, on 12/22/2022, CB responded, providing a power of attorney dated 7/07/2022 from SAICA PACK SL, as sole administrator of the former, in its name and representation. In the Commercial Registry, as of 08/30/2023, the company CB appears active, and since 08/01/2022 SAICA PACK SL has been registered as its sole administrator. During the inspection visit carried out by the AEPD Inspection Service on 05/31/2023, the inspected company CB presented the information that CARTONAJES BAÑERES, S.A. "was acquired by SAICA PACK S.L. on 07/07/2022", presenting the deed of sale of registered shares representing 98.52% of the share capital of CB, without the legal personality of CB being extinguished.
CB now belongs to the SAICA GROUP, as stated, among others, in the minutes of the 10/19/2022 meeting of the Data Protection Committee of the SAICA GROUP, established on 05/06/2022. In the minutes cited, the review of the situation of the CB entity in relation to data protection is discussed, among other matters. In subsequent meetings of the CPD, such as that of 01/20/2023, the situation of CB is analyzed.

SEVENTH: In the AEPD inspection carried out on 05/31/2023, the respondent also provided the document referenced as FOURTH, 3.5 "DOCUMENTATION ON OLD TIME-CLOCKING SYSTEM", entitled "facial biometric treatment", signed by the company SABACOINSA SL, undated, from which it can be seen that:
- The system would use a 3D facial recognition terminal, brand ***MARCA.1, reader called (...). "The capture of the biometric pattern by the camera is based on taking several images of the face, and a pattern is generated using a mathematical algorithm. This encryption algorithm generates a representative template of said pattern (hash), which is stored in the EQUIPMENT and in the SOFTWARE in order to perform the biometric identification."
- The biometric data is stored in the database of the PHUC CONTROL time control software, located on the server at the client's facilities.
- The PHUC CONTROL management software stores the hash (biometric pattern) that the facial recognition terminal provides.
- This hash is related to the end user via the user id in a special table for biometric data.

In addition, the respondent acknowledges:
- It has a database where the employees' time clockings are recorded, managed by Microsoft Access.
- If an employee leaves the company, the hash is removed from the facial recognition system, and the data from the Access file of the time clockings are stored in a history. In the event that an employee leaves the company, the biometric pattern is removed.
- By ceasing to use the facial recognition biometric system for time control, the respondent destroyed the biometric patterns.
- It is proven that, once the identification has been made, information is sent to an Access database confirming the employee's clocking-in, containing the name of the worker, the day and the time, which is the time registration information that is kept.
- At the time of the inspection visit, 05/31/2023, the data from the employees' clocking-in records since 2019 are kept in a historical Access file, due to the implementation of the new card-based daily work control system, and the stored hashes that served that system have been destroyed. To this end, the respondent provides a waste disposal certificate dated 06/02/2023.

The respondent proves in its allegations that the biometric system used for facial recognition registration for daily working time control was acquired on 12/14/2016, by providing a copy of a purchase invoice from "PHUC Distributor", without providing any details on the date of its implementation.

EIGHTH: Before receiving the transfer of the claim that the AEPD made to the respondent, the COMMITTEE OF DATA PROTECTION DELEGATES of the SAICA GROUP (CDPD), established on 05/06/2022, recommended to CB, in an agreement dated 10/19/2022, that the labor time clock system using facial recognition biometric data be immediately replaced. It is proven that the respondent continued to use the aforementioned facial biometric processing system until its effective replacement, carried out on 05/29/2023, with records of employee work schedules made with that system appearing in the Access time control database, as could be verified in the previous investigation actions carried out by the Inspection Service in person on 05/31/2023, accessing the timekeeping management control application, PHUC control registered version.
The same CDPD agreed on 01/20/2023 that the CB plant was being adapted to the requirements of the GDPR, expressly referring to the handling of the exercise of rights. Specifically, on April 23 a GDPR audit and the preparation of the RAT (record of processing activities) were planned, with an offer for the provision of the service. On 03/20/2023, a plan for integrating CB into SAICA's time-clocking system was started, ending with the distribution of cards to employees and the updating of ID cards. CB employees were informed of the operation of the new labor time-clocking system in a document dated 05/25/2023, informing them of the effective implementation, from 05/29/2023, of the new time-clocking system using an individualized card, similar to that of all the other SAICA GROUP plants. The AEPD Inspection Service found that the time-clocking system requested an identification card.

NINTH: On the legal basis of the processing and the circumstance that lifts the prohibition on processing special categories of data, according to article 9 of the GDPR, the respondent did not respond in the transfer of the claim, pleading that it had provided "the files declared to the AEPD in 2011", "payrolls, personnel and human resources", and that the claimant had given his express consent to the processing of his data, including also the biometric "fingerprint" for "control of compliance with working hours".

TENTH: CARTONAJES BAÑERES (CB), according to AXESOR.ES, has as its corporate purpose the manufacture of corrugated paper and cardboard and the manufacture of paper and cardboard containers and packaging; it was acquired on 7/07/2022 by SAICA PACK SL, with its publication in the Commercial Registry as sole administrator of CB registered on 1/08/2022. In axesor.es, CB appears with incorporation on 24/06/1957, type of company: parent company, status: active, share capital: (...)€, size: medium-sized SME, last financial year presented 2021, sales: (...)€, (...), turnover 2021: (...)€.
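The data flow recorded in the SEVENTH and EIGHTH proven facts (a facial template, the "hash", linked to the user id in a separate table; each identification written to an Access database as name, day and time; template deletion when an employee leaves, with the clockings kept in a history) and the THIRD fact (an access-request response naming only categories of data rather than the data themselves) can be sketched as a small relational model. The following is an added example and not code from the PHUC CONTROL software, the respondent or the AEPD: table and function names and the sample employees and clockings are constructed for illustration, and SQLite stands in for Microsoft Access.

```python
"""Added example: minimal model of the time-clocking data flow described in
the decision. Tables, functions and sample data are constructed; SQLite
stands in for the Microsoft Access database named in the proven facts."""
import sqlite3

SCHEMA = """
CREATE TABLE employees (
    user_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    card_no TEXT,
    active  INTEGER NOT NULL DEFAULT 1
);
-- The facial template (the "hash" in the vendor document) sits in its own
-- table and is tied to a person only through user_id.
CREATE TABLE biometric_templates (
    user_id  INTEGER PRIMARY KEY REFERENCES employees(user_id),
    template BLOB NOT NULL
);
-- Each confirmed identification writes one row: who, which day, what time.
CREATE TABLE clockings (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL REFERENCES employees(user_id),
    day     TEXT NOT NULL,
    time    TEXT NOT NULL,
    kind    TEXT NOT NULL CHECK (kind IN ('in', 'out'))
);
-- Working-time records outlive the employee's departure in a history table.
CREATE TABLE clockings_history AS SELECT * FROM clockings WHERE 0;
"""


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database with the schema above."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def enrol(con, user_id: int, name: str, card_no: str, template: bytes) -> None:
    """Register an employee and the template produced at enrolment."""
    with con:
        con.execute("INSERT INTO employees (user_id, name, card_no) VALUES (?, ?, ?)",
                    (user_id, name, card_no))
        con.execute("INSERT INTO biometric_templates (user_id, template) VALUES (?, ?)",
                    (user_id, template))


def record_clocking(con, user_id: int, day: str, time: str, kind: str) -> None:
    """What the terminal sends to the database after a successful identification."""
    with con:
        con.execute("INSERT INTO clockings (user_id, day, time, kind) VALUES (?, ?, ?, ?)",
                    (user_id, day, time, kind))


def offboard(con, user_id: int) -> dict:
    """Leaver procedure from the proven facts: erase the template, archive the hours."""
    with con:
        deleted = con.execute("DELETE FROM biometric_templates WHERE user_id = ?",
                              (user_id,)).rowcount
        archived = con.execute("INSERT INTO clockings_history SELECT * FROM clockings "
                               "WHERE user_id = ?", (user_id,)).rowcount
        con.execute("DELETE FROM clockings WHERE user_id = ?", (user_id,))
        con.execute("UPDATE employees SET active = 0 WHERE user_id = ?", (user_id,))
    return {"templates_deleted": deleted, "clockings_archived": archived}


def decommission_biometrics(con) -> int:
    """When the facial system is replaced, every remaining template is erased."""
    with con:
        return con.execute("DELETE FROM biometric_templates").rowcount


def access_request_copy(con, user_id: int) -> dict:
    """Article 15 response: the data actually held about the person, not only
    the categories, plus the categories themselves and the complaint route."""
    row = con.execute("SELECT name, card_no, active FROM employees WHERE user_id = ?",
                      (user_id,)).fetchone()
    if row is None:
        raise KeyError(f"unknown user_id {user_id}")
    name, card_no, active = row
    has_template = con.execute("SELECT 1 FROM biometric_templates WHERE user_id = ?",
                               (user_id,)).fetchone() is not None
    # Live and archived clockings are both personal data and both belong in the copy.
    records = con.execute(
        "SELECT day, time, kind FROM clockings WHERE user_id = ? "
        "UNION ALL SELECT day, time, kind FROM clockings_history WHERE user_id = ? "
        "ORDER BY day, time", (user_id, user_id)).fetchall()
    categories = ["identification data"]
    if has_template:
        categories.append("facial biometric template (hash) for working-time control")
    if records:
        categories.append("daily working-time records")
    return {
        "identity": {"name": name, "card_no": card_no, "active": bool(active)},
        "categories": categories,
        "biometric_template_held": has_template,
        "records": records,
        "complaint_may_be_lodged_with": "the supervisory authority",
    }


if __name__ == "__main__":
    db = open_db()
    enrol(db, 1, "Worker One", "C-001", b"\x00" * 16)  # constructed sample
    record_clocking(db, 1, "2023-05-29", "07:58", "in")
    record_clocking(db, 1, "2023-05-29", "16:02", "out")
    print(offboard(db, 1))
    print(access_request_copy(db, 1))
```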
LEGAL BASIS I Competence In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/60 its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." II Definition of biometric and personal data Biometric data is defined in Article 4.14 of the GDPR as follows: “biometric data” means personal data obtained through specific technical processing, relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data;” The other definitions contained in Article 4 of the GDPR should be indicated: “1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, 
storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;” (…) “7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”

The scope of the GDPR extends its protection, as established in its article 1.2, to the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data, defined in article 4.1 of the GDPR as “any information relating to an identified or identifiable natural person («the data subject»); an identifiable natural person shall be considered to be any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

As already pointed out in Opinion 4/2007 of the Article 29 Working Party (created by Article 29 of Directive 95/46/EC as an EU body with an advisory and independent character) on the concept of personal data (WP136), dated 20/06/2007, biometric data can be defined as: “biological properties, physiological characteristics, personality traits or tics, which are, at the same time, attributable to a single person and measurable, even if the models used in practice to measure them technically imply a certain degree of probability.
Typical examples of biometric data include fingerprints, retinal patterns, facial structure, voices, but also hand geometry, venous structures, and even a certain deep-rooted skill or other behavioral characteristic (such as handwriting, pulse, a particular way of walking or talking, etc.). A particularity of biometric data is that it can be considered both as containing information about a particular person (So-and-so has these fingerprints) and as an element for linking information to a particular person (this object has been touched by someone who has these fingerprints and these fingerprints correspond to So-and-so; therefore So-and-so has touched this object). As such, they can serve as "identifiers." Indeed, by corresponding to a single person, biometric data can be used to identify that person. This dual character also occurs in the case of DNA data, which provide information about the human body and allow the unequivocal identification of one, and only one, person.” It can be said that, based on the biological identity of each person, automated technical instruments are used that will allow the permanent and unique identification of all individuals, since all have this biological identity (fingerprints, face, voice, iris, etc.). Biometric data irrevocably change the relationship between the body and identity, since they make the characteristics of the human body readable by machines and subject to repeated subsequent use. Biometric data have the particularity of being produced by the body itself and characterize it definitively; they are data, not about that person, but the data refer to the same person, in principle not modifiable by the will of the individual. Furthermore, because biometric data is unique to a person and perpetual, the user uses the same data in different systems. Biometric data can be processed and stored in different ways. 
Sometimes, biometric information captured from a person is stored and processed in raw form, allowing the source to be recognized without special knowledge; for example, a photo of a face, a photo of a fingerprint, or a voice recording. Other times, the raw biometric information captured is processed in such a way that only certain characteristics or features are extracted and saved as a biometric template.

Biometric systems are closely tied to a person, since they can use a certain unique property of an individual for identification. Each individual has unique fingerprints that display specific characteristics that can be measured to decide whether a fingerprint matches a registered sample. Biometric data have the particularity of being produced by the body itself and characterize it definitively. Therefore, they are unique, permanent or definitive in time and the person cannot get rid of them; they can never be changed, not even with age, creating questions of responsibility in case of compromise, loss or intrusion into the system. Unlike a password, in case of loss they cannot be changed.

The definition of biometric data refers to “technical processing” without specifying further, except to note that the purpose of such processing must be to identify a person. To be considered biometric data in the sense of the GDPR, the processing of raw data, such as the physical, physiological or behavioral characteristics of a natural person, must involve a measurement of said characteristics.
Thus, from the concept, we must not lose sight of:

- The nature of the data: data relating to the physical, physiological or behavioural characteristics of a natural person;
- The means and forms of processing: data “obtained from specific technical processing”, which differentiates them, for example, from images of a person in a video surveillance system, which cannot be considered biometric data if they have not been technically processed in a specific way in order to contribute to the unique identification of that person. They must be subject to “specific technical processing”.

According to WP80 of the WP29, adopted on 1/08/2003 (hereinafter “WP 80 of the WP 29”), the processing of these data is carried out through biometric systems, which are: “applications of biometric technologies that allow the automatic identification, and/or authentication/verification of a person. Authentication/verification applications are often used for a variety of tasks in very different fields and under the responsibility of a wide range of different entities.”

The reference in article 4.14 of the GDPR to biometric data intended to "allow" unique identification can be understood as identification, and the reference to "confirm" as verification. For a better understanding, the concepts of authentication/verification and identification are described below. Opinion 3/2012 on the evolution of biometric technologies of 27/04/2012 of Working Group 29 stated:

“- Biometric identification: the identification of an individual by a biometric system is normally the process of comparing his or her biometric data (acquired at the time of identification) with a series of biometric templates stored in a database (i.e. a one-to-many matching process).
- Biometric verification/authentication: the verification of an individual by a biometric system is usually the process of comparing his or her biometric data (acquired at the time of verification) with a single biometric template stored on a device (i.e.
a one-to-one matching process).”

With slight nuances, the concepts are mentioned in the “White Paper on Artificial Intelligence of the European Commission”, dated 19/02/2020, referring to the facial image: “In relation to facial recognition, ‘identification’ means that the template of a person’s facial image is compared with many other templates stored in a database to find out whether his or her image is stored there. ‘Authentication’ (or ‘verification’), on the other hand, usually refers to the search for matches between two specific templates. It allows the comparison of two biometric templates that, in principle, are assumed to belong to the same person; thus, the two templates are compared to determine whether the person in the two images is the same. This procedure is used, for example, at the automated border control gates used in airport border controls.”

The European Data Protection Board (EDPB) Guidelines 5/2022 on the use of facial recognition in law enforcement (see Version 2.0, 26/04/2023), in section 10, state: “Like any biometric process, facial recognition can serve two different functions:

• Authenticating a person in order to verify that the person is who he or she claims to be. In this case, the system compares a pre-recorded biometric template or sample (for example, stored on a smart card or biometric passport) with a single face, such as that of a person presenting himself or herself at a checkpoint, to verify whether they are the same person. This function is therefore based on comparing two templates. It is also called 1-to-1 verification.

• The identification of a person in order to locate him or her among a group of individuals, within a specific area, in an image or in a database. In this case, the system must process each captured face to generate a biometric template and then check if it matches a person known to the system.
Thus, this function is based on comparing a template with a database of templates or samples (reference base). It is also called “one-in-many” identification. For example, it can relate a record of personal names (surnames, first names) to a face, if the comparison is made with a database of photographs associated with surnames and first names. It can also involve tracking a person through a crowd, without necessarily establishing a link to the person’s civil identity.” The aforementioned Guidelines 05/2022, in section 12, indicate that the concept of biometric data covers both “authentication” and “identification”, and although they are different concepts, both procedures process data aimed at uniquely identifying a natural person, so both are included in the concept of “data processing”, and more specifically, they are processing of personal data of special categories. As regards the consideration that the respondent deserves for its biometric facial recognition system, as can be seen from the content referred to in FACT FOURTH/3/3.5/3.5.3/ in which it is considered as a verification/authentication, one against one, it is proven that the comparison between the biometric facial recognition data used by the respondent is that of identification, or 1:N, one versus N, or also called one to many. 
This is because the data acquired by reading the face each time an employee clocks in or out would be compared with the data of the staff, not with ONE SINGLE BIOMETRIC TEMPLATE STORED IN A DEVICE, but with all the templates of all employees, including the claimant's own, all subject as employees to the time control system of the respondent, and all previously collected, used and stored in the centralized database of the respondent itself. This is not a 1:1 comparison, or one against one, but 1, the one presented at that time, versus N, or 1 versus several (all those stored in the database of the respondent), in order to find his/her own previously registered one, without the employee having any storage device, as the respondent seems to suggest.

In both cases, whether verification-authentication or identification, the facial recognition techniques used are based on an estimated match between templates: the one being compared and the reference(s). From this point of view, they are probabilistic techniques: the comparison deduces a greater or lesser probability that the person is actually the one to be authenticated or identified; if this probability exceeds a certain threshold in the system, defined by its user or developer, the system will understand that there is a match.

Data of an identified natural person is data by which that person is distinguished or isolated from a group of people. “Unique” can refer to the fact that the biometric data has such particularities that it can unambiguously identify an individual. In this way, a unique identifier can be associated with other additional attributes or personal data. It is anticipated, as already indicated, that the biometric template, for identification or authentication purposes, is personal data per se and a unique identifier.
The purpose of the processing: the data must be used for the purpose of identifying a natural person in a univocal manner. The biometric characteristics are subject to technical processing by which a person is recognized from an image or photograph, which includes, for its implementation, a chronological process that is present in all biometric data processing: the capture or registration of data, its subsequent storage or processing, and the comparison or matching phase. On the other hand, recital 51 of the GDPR states that photographs are not systematically considered a special category of data, since they are only included in the definition of biometric data when a specific technical means of processing is applied to them that "allows or confirms the unique identification of said person." In any case, contrary to the aforementioned consideration, whether by applying a specific technical processing method to the photograph, or by registering the face specifically (for example, with an express appointment by CB for the exposure of the face and the collection of data), we would be dealing with biometric data.

Any biometric system for a given purpose, in this case work time control, must, in order to be used, first register in the system, by means of capture, a series of biometric parameters (the face in this case), since what is intended is to process these facial parameters to identify the person each time they enter and leave through the access point. The system's operating mechanics consist of the fact that once the face image has been captured and the template created, it is stored so that when the user attempts to access the workplace, in this case through the space determined by the employer, the face image is detected and processed again, a template is obtained and compared with the one that is stored.
The physical space and support in which the template can be saved to start the operating technique can vary, from storage on a device that remains only in the hands of the person, kept under their exclusive control and carrying the user name (for example, a card), which is not the case here, to a centralized database in the systems of the controller, as in this case. In addition, in this case, the biometric templates stored in the management software are linked to the user ID (company employees) in a specific table for biometric data, from which, each time a person clocks in and out of the workplace, the time control record is generated, the purpose sought by the respondent.

The so-called registration process includes the following phases:

- Registration of biometric parameters. It covers all the processes carried out in a biometric system in order to extract biometric data from a biometric source and link this data to an individual, in this case the face. The facial recognition software sees the face and converts these measurements into a numeric code, hash or template. This numerical code, hash or template is what is saved for comparison when entering or leaving through the space where the facial recognition reader is located, which records the entry or exit, in this case access to the respondent company, and which serves as a control point used for recording the hours of the day. Therefore, facial recognition techniques require a certain cooperation on the part of the employee, since the camera must be placed in front of the face while the photo is taken.
- Processing: creating a template with the personal characteristics of the parameters captured.
- Registration: from the processed template, saving it in a suitable storage medium.

Once the registration is complete, the system can begin to be used.
Thus, the in-person capture in front of the device results in obtaining an image, from which the characteristics are extracted through the algorithm, which is based on the software of the respondent's device. The algorithms, it should be noted, come from the manufacturer or designer of said device, which is considered a further risk factor for the processing, since their lack of transparency, accuracy rate, auditing and certifying entities can be factors to take into account. These characteristics are the positioning measurements and relative reference measurements (nodal point distances: between the eyes, shape of cheekbones...) that are collected from each image of each individual and are the natural starting point for the automatic processing and recognition of individuals. Feature extraction is what provides information to distinguish between the faces of different people according to their geometric or photometric variations. The raw image of the biometric features, in this case the faces, is reduced by transforming them while retaining the salient discriminating information that is essential for the recognition of the person. These extracted features are kept in a biometric template, which is a reduced mathematical representation of the original feature, referred to here by CB as a “hash”. The reference template is stored for comparison, in this case in a database where the templates of all employees are. In the last phase, a biometric sample, such as the face, presented to the sensor will be compared with a previously recorded/stored template. The phases are consistent with the enumeration of what constitutes a data processing operation (collection, storage, use).
As for the argument that it only identifies workers belonging to the group of previously registered employees, this is no reason not to consider it biometric data, which are intended to identify natural persons with the data generated from the extraction of their biometric characteristics. Furthermore, the definition of biometric data includes that, through specific technical processing, they “allow or confirm” “the unique identification” of said person. Therefore, both identification and authentication must be unique, referring to the identification that is produced for the person. Unique identification, on the other hand, goes beyond the fact that the data is from an identified or identifiable natural person. Data of an identified natural person is data by which that person is distinguished or isolated from a group of people. “Unique” may refer to the fact that the biometric data has such particularities that it can unambiguously identify an individual. In this case, the unique identification is produced by the registration of the facial image of each employee, associating it with a user ID stored in the database of the respondent, which allows each employee to be identified. According to the information provided by CB, when passing through the space that collects the facial recognition image, placed for the purpose of time registration of entry and exit, a “number with many digits” has been generated “through the hash function (application of an algorithm) that provides a unique value”. What this means is that the biometric information collected, in this case the image of the face, is processed following procedures defined in standards and the result of this process is stored in data records called signatures, patterns or “templates”. These patterns numerically record the physical characteristics that allow people to be differentiated.
In the image collection space, the device software compares the pattern offered when it is presented with the one stored, in order to record the workday. In this case, although not the entire image of the face is saved but a template, the set of templates of all the employees, each one of them different, is able to uniquely identify each employee when the template taken at the access point is compared against the rest of the stored ones. The functions contained in the algorithm allow the characteristic points to be extracted for later comparison with a database associated with the previously stored set of employees, being able to identify its owner from among all the templates, processing personal data based on the processing of the fingerprint, uniquely identifying said person. Technically, the biometric template against which the sample is compared is the product of a measurement that uniquely identifies the individual. The biometric data of each user, acquired at the time of their capture and registered, are subjected to the technical procedure that converts the image into a biometric sample and, through the algorithm, into a stored biometric template, so that with the samples entered when placing the finger on the accesses, it identifies, through the saved model, from among all the templates, without a doubt, its owner, which amounts, without a doubt, to uniquely identifying said person. The use of the face is not only capable of validating the identity accurately, but also carries unique information about physical persons. The software algorithm extracts the biometric characteristics from the biometric sample, reduces and transforms that sample into a label or number, constituting a mathematical representation of the original biometric characteristic, which is the biometric template.
The template is stored for comparison in the last phase, in which the employee is uniquely identified with the biometric sample, in the reader, and with the previously recorded template, each time he or she enters or leaves, showing his or her face in front of the reader. Therefore, the data is considered to fall within the scope of special data, as it is a unique identification. In the present case, of course, it cannot be said that this is not information linked to personal data of a person identified in each access record, since, in addition, it must be noted that if they did not allow the unequivocal identification of the employee, the time record for which it is intended would not be produced. It is thus proven that CB processes personal data of a biometric nature of its employees, in this case for the purpose of recording hours that allow each employee to be identified when entering or leaving their workplace, recording the daily workday, with technical and organizational instruments provided by the respondent as controller of such processing.

III Object and purpose of the processing

The subject of assessment in this procedure is the regulatory compliance of the biometric facial recognition system that CB implemented for the purpose of processing the data of its entity's employees for the recording of the working day, access and exit in the development of daily employment. Within CHAPTER IV of the GDPR, the general obligations of the data controller and the data processor are discussed in its Section 1. To this end, article 25 of the GDPR states: “1.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity that processing entails for the rights and freedoms of natural persons, the controller shall, both when determining the means of processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, designed to effectively implement data protection principles, such as data minimisation, and to integrate necessary safeguards into the processing, in order to comply with the requirements of this Regulation and to protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data are processed that are necessary for each of the specific purposes of the processing. This obligation shall apply to the amount of personal data collected, the extent of their processing, their retention period and their accessibility. Such measures shall ensure in particular that, by default, personal data are not accessible, without the intervention of the person, to an undetermined number of natural persons.”

This implies that in the design of processing operations these obligations of data protection by design and by default (DPD) are applied, “being applicable throughout the processing cycle, and being mandatory for processing systems that already existed before the GDPR came into force” (Guidelines 4/2019 relating to article 25, Data protection by design and by default, adopted on 20/10/2020 by the European Data Protection Board).
Along the same lines: “37…The nature, scope and context of processing operations, as well as the risk, may change during the course of processing, which means that the controller must re-evaluate its processing operations by periodically reviewing and assessing the effectiveness of the measures and safeguards it has decided to adopt. 38. The obligation to maintain, review and update the processing operation, as necessary, also applies to existing systems. This means that legacy systems that were designed before the entry into force of the GDPR must be reviewed and maintained to ensure that measures and safeguards are in place that effectively implement the principles and rights of data subjects, as explained in these Guidelines. “ Chapter III of Royal Decree-Law 8/2019, of 8/03, on urgent measures for social protection and the fight against job insecurity in the working day included a reform aimed at regulating the registration of working hours, as a way of combating job insecurity, and specifically, art. 10 modifies Royal Legislative Decree 2/2015, of 23/10 (ET), Revised Text of the Workers' Statute Law, (ET) to regulate in its article 34.9 the registration of working hours, in order to guarantee compliance with the limits on working hours, to create a framework of legal security for both workers and companies and to enable control by the Labor and Social Security Inspection. This obligation of the employer is imposed with a specific purpose, favorable to the worker, as reiterated in various sections of the Preamble. The regulation does not indicate more than the aforementioned obligation, corresponding to the entities to implement the way in which it is to be carried out, which should respect the regulatory framework. 
The indicated article states: “The company will guarantee the daily registration of the working day, which must include the specific start and end time of the working day of each worker, without prejudice to the flexible hours established in this article.”

Since said implementation, the registration of the working day is a legal obligation imposed on employers; the legal obligation is that of the registration, not that of registration through facial recognition with biometric registration and reading, and the respondent has stated that, nevertheless, it had been using it since before this date, specifically since 2016. In this case, such compliance was imposed through the biometric system of facial recognition, which involves a processing of personal data with the purpose of verifying the registration of the daily working hours by verifying the “specific start and end time of the working day of each worker”.

CB, as the data controller and employer, was the one that decided from the beginning, the exact date is unknown, to use the registration and storage of data originating from facial recognition for the purpose of recording working hours. This is established by the facts proven through the Inspection Service, which provided a copy of the employee management system. The entity SAICA acquired the majority of the shares of the entity in question on 7/07/2022, once the facial biometric processing system had been implemented, and it continued to operate. The CB entity was still active, although it was incorporated into the scope of the SAICA GROUP of companies, which after its acquisition promoted decisions that could affect its data protection policy, as evidenced by, among others, the project to abandon the facial biometric processing system adopted on 10/19/2022.
The enforceability of the data protection obligations to CB is based on the fact that its lack of compliance can be considered proven and imputable, at least during the processing of the claimant's data, through the system that it itself imposed, as responsible for the processing and maintenance of its legal personality, which implies full imputability for its responsibility in the actions that are reproached and attributed to said entity. The obligation to record the daily working hours of employees does not come from a contract, but from a law, the Workers' Statute, but it does not specify the means or ways in which it must be carried out. Since this registration of personal data for this purpose affects a fundamental right of its owners, that of the protection of their personal data, any interference in them must be expressly provided for in a Law. The analysis of the legitimacy of biometric processing must be based on a legitimising basis, but also on whether the processing is necessary, proportional and can be carried out with a low risk for the rights and freedoms of the interested parties, considering the regulatory norm that frames the obligation. 
IV Processing of biometric data: legitimacy

Biometric data, classified as “special category” in article 9 of both the RGPD and the LOPDGDD, are data whose use may give rise to significant risks for fundamental rights and freedoms, and therefore, in principle, their processing is prohibited in article 9.1 of the RGPD, which states: “The processing of personal data that reveal ethnic or racial origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data aimed at uniquely identifying a natural person, data relating to health or data relating to the sexual life or sexual orientation of a natural person are prohibited.”

A similar prohibition is contemplated in Recommendation CM/REC (2015)5 of the Committee of Ministers of the Council of Europe to the Member States on the processing of personal data in the employment context. Specifically, principle 18 of this Recommendation establishes the following: “18.1. The collection and subsequent processing of biometric data should only be undertaken when the legitimate interests of employers, employees or third parties are to be protected, only if there are no other less intrusive means available and only if it is accompanied by the appropriate guarantees provided for in principle 21. 18.2. The processing of biometric data must be based on scientifically recognised methods and must be subject to the requirements of strict security and proportionality”.

Regarding the exceptions that could be applied in the field of employment, which is affected here, article 9 of the GDPR states: “2.
Paragraph 1 shall not apply where one of the following circumstances applies: … b) the processing is necessary for the fulfilment of obligations and the exercise of specific rights of the controller or the data subject in the field of labour law and social security and protection, to the extent that this is authorised by Union or Member State law” These are cumulative requirements with the legitimacy provided for in Article 6.1 of the GDPR, which represent an additional guarantee in the processing of the data of its owner, which takes into account that, if the achievement of the intended purposes can be carried out without processing personal data, this route will be preferable and will mean that it is not necessary to carry out any processing of data, and subsidiarily, that the collection of data is necessary for the established or intended purpose and, if necessary, that it is proportional. The Article 29 Working Party, in its Opinion 3/2012 on the development of biometric technologies, states that “When assessing the proportionality of a proposed biometric system, it is necessary to first consider whether the system is necessary to meet the identified need, that is, whether it is essential to meet that need, and not just the most appropriate or cost-effective. A second factor to be taken into account is the likelihood that the system will be effective in meeting the need in question in the light of the specific characteristics of the biometric technology to be used. A third aspect to consider is whether the resulting loss of privacy is proportionate to the expected benefits. If the benefit is relatively minor, such as increased convenience or slight savings, then the loss of privacy is not appropriate. 
The fourth aspect in assessing the appropriateness of a biometric system is to consider whether a less invasive means of privacy would achieve the desired end.” However, in the case of biometric data, in addition to lifting the prohibition on its processing, it must comply with one of the legal bases legitimizing the processing contained in Article 6.1 of the GDPR. The fundamental right to data protection, provided for in Article 18.4 of the EC, is based, as far as this is concerned, on the essential principle that the processing of the data of its owner, which "will only be lawful if at least one" of the conditions provided for in Article 6.1.a) to f) of the GDPR is met, based on the assumption that any processing of such data restricts the rights of its owner by the mere fact of undergoing such processing, at which point it will be increasingly identified with this mechanism. The respondent refers in her information to the respondent regarding the processing of work data, that the legitimacy of the processing of her data, which included time control by “fingerprint capture”, “images: photograph-facial scan” which in the procedure was verified to be the biometric facial recognition system, is based on the compliance and development of the employment relationship, which would be included in article 6.1.b) of the RGPD. However, referring exclusively to the processing of biometric data of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/60 facial recognition for work control, the respondent did not state any aspect when she was questioned about it in the process of transferring the claim. 
It should be noted that, according to article 9.2.b) of the GDPR, the requirements would be:

- that the processing is necessary for the fulfilment of obligations and the exercise of specific rights of the data controller or the data subject in the field of labour law and social security and protection;

- "to the extent that it is authorised by the Member States", and the Spanish legal system does not appear to contain such an authorising provision;

- "or a collective agreement also in accordance with the law of the Member States, which establishes adequate guarantees of respect for the fundamental rights and interests of the data subject."

Thus, it must also be agreed that the legal obligation to record daily working hours does not derive from obligations assumed between the parties but from the legal rule contained in article 34.9 of the ET. In order to control the daily record of each employee's working hours it is necessary to process their data, but the analysis of necessity and proportionality differs depending on the medium chosen: it could be considered that alternative systems exist, which would remove the necessity and proportionality of processing facial recognition for this purpose, so that such processing would not fit this assumption of strict necessity for the performance of the contract. It should be considered that, in this case, facial recognition (RF) has stopped being used, with a move to a card system, which can serve as a practical example that another system was possible, one less intrusive on rights and with fewer of the inherent risks that arise from the very nature of using automated measurement of the body for an ordinary activity such as time control, given the nature of the respondent company, in which there are no special circumstances that would advise this means.
In conclusion, although the Workers' Statute ("ET") provides for the possibility of the employer adopting surveillance and control measures to verify compliance with the labour obligations of its workers (article 20.3 of the ET), in the case of control of the working day the regulation establishes the need to keep a daily record of working hours. However, the regulation does not determine the specific mechanism to be used for recording the working day, nor does it provide any express authorisation for the use of special categories of data and, specifically, biometric data. In any case, in such processing one must be very cautious in assessing whether these requirements are met, since special category data are being processed.

V Data Protection Impact Assessment (DPIA)

In addition, the proactive accountability system implemented by the GDPR, focused on the continuous management of the potential risks associated with processing, requires data controllers to analyse what data they process, for what purposes and what type of processing they carry out, relating these to the potential risks to which they are exposed and, from there, to decide what measures they adopt and apply to ensure compliance in light of the risks detected and assumed. It has already been mentioned in legal basis III that the processing in question had to be completed with a DPIA process. The processing of facial recognition (RF) through biometric reading and recording tools presents high risks for fundamental rights and freedoms. Before implementing a data processing project, provided that it is likely to pose a significant risk to the rights and freedoms of individuals, as is the case here, it is necessary to audit its operation, not in isolation but within the framework of the specific processing in which it is to be used.
The personal data protection impact assessment (EIPD, or DPIA) is the tool by which the GDPR seeks to ensure compliance with this aspect of processing. In this case, the various risks that may arise, including those of the technology itself, must be analysed within the framework of an increasingly intensive use of this type of data. Its use, interoperability and technological interconnection are more than likely to interfere with these fundamental rights and may raise questions about its implementation.

The GDPR establishes the obligation to manage the risk that a processing operation poses to the rights and freedoms of individuals. This risk arises both from the very existence of the processing and from its technical and organisational dimensions; it arises from the purposes and nature of the processing, as well as from its scope and the context in which it is carried out. The use of biometric data and, in particular, facial recognition involves increased risks for the rights of data subjects. It is essential that the use of such technologies respects the principles of lawfulness, necessity, proportionality and data minimisation set out in the GDPR. While these technologies may be perceived as particularly effective, controllers must first assess the impact on fundamental rights and freedoms and consider less intrusive means of achieving their legitimate processing aim.

The "risk-based approach" is developed in the "Statement on the role of a risk-based approach in data protection legal frameworks" (WP218) of WG 29 and is not a new concept in the data protection framework. Risk management for rights and freedoms aims to study the impact and the probability of causing harm to people, at an individual or social level, as a consequence of the processing of personal data.
By contrast, regulatory compliance risk management is intended to provide the controller with a tool to verify the degree of compliance with the obligations and precepts required by law in relation to a processing activity. Therefore, prior to the risk management process and as a sine qua non condition for undertaking a processing activity, it is necessary to systematise the verification of regulatory compliance throughout the entire life cycle of the processing. The complexity of the risk management process must be adjusted not to the size of the entity, the availability of resources, or its speciality or sector, but to the possible impact of the processing activity on the data subjects and to the difficulty of the processing itself.

Article 35 of the GDPR establishes the obligation to carry out a personal data protection impact assessment (DPIA), stating:

"1. Where a type of processing, in particular using new technologies, is likely, by its nature, scope, context or purposes, to result in a high risk for the rights and freedoms of natural persons, the controller shall, prior to processing, carry out an assessment of the impact of the processing operations on the protection of personal data. A single assessment may address a series of similar processing operations that entail similar high risks.

2. The controller shall seek the advice of the data protection officer, if appointed, when carrying out the data protection impact assessment.

3. The data protection impact assessment referred to in paragraph 1 shall be required in particular in the case of: a) systematic and in-depth assessment of personal aspects relating to natural persons which is based on automated processing, such as profiling, and on the basis of which decisions are made which produce legal effects concerning natural persons or similarly significantly affect them; b) large-scale processing of special categories of data referred to in Article 9(1) or of personal data relating to criminal convictions and offences referred to in Article 10, or c) large-scale systematic monitoring of a publicly accessible area.

4. The supervisory authority shall establish and publish a list of the types of processing operations which require a data protection impact assessment in accordance with paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.

5. The supervisory authority may also establish and publish the list of types of processing that do not require data protection impact assessments. The supervisory authority shall communicate those lists to the Board.

6. Before adopting the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 if those lists include processing activities that relate to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or processing activities that may substantially affect the free flow of personal data within the Union.

7. The assessment shall include at least: a) a systematic description of the intended processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; b) an assessment of the necessity and proportionality of the processing operations with respect to their purpose; c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1, and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other affected persons.

8. Compliance with the approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be duly taken into account when assessing the impact of processing operations performed by those controllers or processors, in particular for the purposes of the data protection impact assessment.

9. Where appropriate, the controller shall seek the views of data subjects or their representatives concerning the intended processing, without prejudice to the protection of public or commercial interests or the security of processing operations.

10. Where processing pursuant to Article 6(1)(c) or (e) has its legal basis in Union law or the law of the Member State to which the controller is subject, such law governs the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of an overall impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States consider it necessary to carry out such an assessment prior to processing activities.

11. Where necessary, the controller shall examine whether the processing is in compliance with the data protection impact assessment, at least where there is a change in the risk posed by the processing operations."

In development of paragraph 4, the Director of the AEPD approved a non-exhaustive, guiding list of the types of processing that require a data protection impact assessment, indicating: "When analysing data processing, it will be necessary to carry out a DPIA in most cases where such processing meets two or more criteria from the list set out below, unless the processing is on the list of processing operations that do not require a DPIA referred to in article 35.5 of the GDPR. The list is based on the criteria set out in the 'Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of the GDPR', last revised and adopted on 4/10/2017, WP 248 rev.01 of WG 29, which it complements and which should be understood as a non-exhaustive list":

"4. Processing involving the use of special categories of data referred to in Article 9.1 of the GDPR… or inferring information about individuals related to special categories of data.

5. Processing involving the use of biometric data for the purpose of uniquely identifying a natural person.

9. Processing of data of vulnerable subjects…"

The Guidelines themselves state: "In order to provide a more specific set of processing operations requiring a DPIA due to their inherently high risk, taking into account the particular elements of Article 35(1) and Article 35(3)(a) to (c), the list to be adopted at national level pursuant to Article 35(4) and recitals 71, 75 and 91, and other references in the GDPR to processing operations that are 'likely to entail a high risk', the following nine criteria should be considered:

7. Data relating to vulnerable data subjects (recital 75): The processing of this type of data represents a criterion due to the increased imbalance of power between the data subjects and the controller, which implies that individuals may be unable to authorise or deny the processing of their data, or to exercise their rights. Vulnerable data subjects may include children (who are considered unable to consciously and responsibly deny or authorise the processing of their data), employees…"

The DPIA is a necessary step for data processing, but it is not, as described, the only one required. It constitutes a condition to which the rest of the legal requirements for processing must be added. Among them, when it comes to processing of special categories, it is worth highlighting the concurrence of an exception under article 9.2 of the GDPR that lifts the prohibition of article 9.1 of the same text on processing special categories of personal data (in this case, to lift the prohibition on processing biometric data), in addition to the legal basis under article 6.1 of the GDPR. In addition, and in any case, the fundamental principles of data processing provided for in article 5 of the GDPR would have to be complied with.

WP 249, Opinion 2/2017 on data processing at work, of WG 29 (hereinafter, "WP 249 of WG29") states that: "Regardless of the legal basis for such processing, before its commencement a proportionality test must be carried out in order to determine whether the processing is necessary to achieve a legitimate purpose, as well as the measures that must be taken to ensure that violations of the rights to private life (…) are limited to a minimum." Before implementing an RF system, the controller must assess whether there is another, less intrusive system that achieves the same purpose.
Biometric processing not only presents high intrinsic risks for the rights and freedoms of data subjects, as has been made clear in the successive opinions and guidelines drafted on biometric systems by the advisory and consultative bodies, the Article 29 Working Party and, since the entry into force of the GDPR, the European Data Protection Board; it also combines technological products used for its operation that evolve very quickly, undoubtedly influencing the essence of the processing operations and transferring the exposure to multiple risks to new scenarios, which require continuous re-evaluations to which organisations must respond at a technical and organisational level. Among others, and without being exhaustive or attempting to create a closed list, we can mention some risks contemplated in Opinion 3/2012 on developments in biometric technologies of WG 29 of 27/04/2012:

- The definition of the size (quantity of information) of the biometric template is a crucial issue. On the one hand, the size of the template must be large enough to manage security (avoiding overlaps between the different biometric data, or identity substitutions); on the other hand, it should not be too large, in order to avoid the risk of reconstruction of the biometric data.

- Risks involved in the use of biometric data for identification purposes in large centralised databases, given the potentially harmful consequences for the affected persons.

- It goes without saying that any loss of integrity, confidentiality and availability with respect to such databases would clearly be detrimental to any future application based on the information they contain, and would also cause irreparable harm to the data subjects. For example, if the registered data of an authorised person were associated with the identity of an unauthorised person, the latter could access the services available to the data owner without having the right to do so. The result would be identity theft, which (regardless of whether it is detected) would render the system unreliable for future applications and, consequently, limit the data subject's freedom.

- The transfer of information contained in the database.

- The illusion may be created that identification through the face is always correct. For this reason, an analysis of the errors that may occur in its use and of the performance evaluation metrics is needed: the false acceptance rate (the probability that a biometric system incorrectly identifies an individual, or fails to reject an individual who does not belong to the group), and the false rejection or false negative rate (the correspondence between a person and his or her own template is not established). Where decisions legally affect a person, any decision adopted on that basis, such as in registration and time-control systems or the deduction of remuneration based on the system's records, should only be taken while safeguarding the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention from the controller, to express his or her point of view and to challenge the decision.

- Linking: A large number of online services allow users to upload an image to link it to the user's profile. RF can be used to link profiles across different online services (via the profile image), but also between the online and offline world. It is not beyond the realm of possibility to take a photo of a person on the street and determine their identity in real time by searching these public profile images. Third-party services can also crawl publicly available profile photographs and other photographs to create large collections of images in order to associate a real-world identity with such images. This impact increases with the increasing deployment of these technologies. Each individual may be listed in one or more biometric systems.

- Security measures must be taken regarding the processing of biometric data (storage, transmission, feature extraction and comparison, etc.) and in particular if the data controller transmits such data over the Internet. Security measures could include, for example, encoding templates and protecting encryption keys, as well as access control and protection that makes it virtually impossible to reconstruct the original data from the templates. Additionally, there is the risk of the use of realistic masks or photographs to try to fool the system, which must always be considered in connection with advances in the state of the art, bearing in mind that the biometric systems that are most effective at recognising a person are also potentially the most vulnerable.

Furthermore, with the development of these technologies, the risks detected at that time have increased significantly. As for the guarantees to be implemented that must be contained in the DPIA, the AEPD Guide "Data protection in employment relationships" includes, as a reference, ten aspects that can be taken into account.
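The false acceptance rate and false rejection rate mentioned above are the two error metrics a controller would have to document in a DPIA for a facial-recognition time-control system, and they trade off against each other through the matcher's decision threshold. The following Python is an added illustration, not part of the decision or of any vendor's software: the similarity scores are constructed sample values standing in for a hypothetical matcher's output (genuine comparisons are an enrolled employee against their own template; impostor comparisons are someone else against that template), and the threshold sweep, the equal-error search and the "refer to human review" outcome are assumptions about how a defender would evaluate and wire such a system so that a rejection never becomes an automatic decision against the worker.

```python
"""FAR / FRR evaluation for a biometric matcher (added illustration).

Constructed similarity scores (0.0 .. 1.0, higher = more similar) from a
hypothetical facial-recognition matcher. They are NOT measurements of any real
system; they exist only so the functions below can be run offline.
"""

# Constructed: comparisons of an enrolled person against their own template.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.67, 0.90, 0.86, 0.74, 0.93, 0.58]
# Constructed: comparisons of other people against that same template.
IMPOSTOR_SCORES = [0.21, 0.35, 0.62, 0.48, 0.12, 0.71, 0.30, 0.44, 0.55, 0.27]


def false_acceptance_rate(impostor_scores, threshold):
    """FAR: fraction of impostor comparisons the system would wrongly accept,
    i.e. impostor scores at or above the threshold."""
    if not impostor_scores:
        raise ValueError("FAR needs at least one impostor comparison")
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold):
    """FRR (false negative rate): fraction of genuine comparisons the system
    would wrongly reject, i.e. a person not matched to their own template."""
    if not genuine_scores:
        raise ValueError("FRR needs at least one genuine comparison")
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_rates(genuine_scores, impostor_scores, threshold):
    """Both rates at one operating point, as (FAR, FRR)."""
    return (false_acceptance_rate(impostor_scores, threshold),
            false_rejection_rate(genuine_scores, threshold))


def equal_error_threshold(genuine_scores, impostor_scores):
    """Sweep every observed score as a candidate threshold and return the
    (threshold, FAR, FRR) where the two error rates are closest. The lowest
    such threshold wins ties, so the result is deterministic."""
    best = None
    for candidate in sorted(set(genuine_scores) | set(impostor_scores)):
        far, frr = error_rates(genuine_scores, impostor_scores, candidate)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, candidate, far, frr)
    _, threshold, far, frr = best
    return threshold, far, frr


def decide(score, threshold):
    """Operating decision for a time-control clock-in. A score below the
    threshold is never treated as proof of absence or as grounds for a
    pay deduction: it is routed to human review, matching the right to
    obtain human intervention described in the text (assumed wiring)."""
    return "accept" if score >= threshold else "refer_to_human_review"


if __name__ == "__main__":
    # Illustrate the trade-off: a stricter threshold lowers FAR but raises FRR.
    for t in (0.60, 0.67, 0.75):
        far, frr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    eer_t, far, frr = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"equal-error threshold={eer_t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print(decide(0.50, eer_t))  # refer_to_human_review, not an automatic sanction
```

With these constructed scores, raising the threshold from 0.60 to 0.75 drives the false acceptance rate to zero but triples the false rejection rate; that is exactly the number pair a DPIA has to record and justify, because every false rejection lands on an employee and, in a time-control system, can translate into a remuneration decision unless a human review step is built in as above.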
Furthermore, the working document on biometrics adopted on 1/08/2003 by WP29 is of the opinion that biometric systems relating to physical characteristics which leave no trace (for example the shape of the hand, but not fingerprints), or biometric systems relating to physical characteristics which leave a trace but do not depend on the storage of data held by a person other than the data subject (in other words, the data are not stored in the access control device or in a central database), create fewer risks for the protection of the fundamental rights and freedoms of persons. (A distinction can be made between biometric data which are processed centrally and biometric reference data which are stored on a mobile device, where the matching process is carried out on the card and not on the sensor, or where the sensor is part of the mobile device.)

- It is generally accepted that the risk of reusing biometric data obtained from physical traces left by individuals unwittingly (e.g. fingerprints) for incompatible purposes is relatively low if the data are not stored in centralised databases but are held by the individual and are inaccessible to third parties. Centralised storage of biometric data also increases the risk of using biometric data as a key to interconnect different databases, which could allow detailed profiles of a person's habits to be obtained at both public and private level. In addition, the question of compatibility of purposes leads us to the interoperability of different systems that use biometrics. The standardisation required by interoperability may lead to greater interconnection between databases.
The respondent did not provide the impact assessment for the processing of biometric data that it should have passed in order to carry out the processing it did, which is capable of identifying each employee, since it has their template stored and, when a sample is presented, checks it against all existing templates, fully identifying its owner through the samples stored in the database. As previously indicated, processing of this type of data took place. In accordance with the evidence available, it is considered that CB breached the provisions of article 35 of the GDPR, and that infringement is imputed to it.

VI Response to the allegations of infringement of article 35 of the GDPR

Regardless of the fact that the rest of the allegations have been answered in the specific section to which they relate (for example, those related to proportionality in the section on determining the sanction), the response here is limited to the allegations related to the infringement charged under article 35 of the GDPR.

Regarding the claim made against the proposed resolution, namely that the respondent did not comply with the principle of proactive accountability by not documenting the reasons why it did not carry out a DPIA, the respondent states that it has already raised its considerations regarding the entry into force of the GDPR and the implementation of the system in 2016, and that the burden of proof falls on the Administration, given that the presumption of innocence is guaranteed by the Spanish Constitution.
It concludes that it did not carry out the DPIA because "in 2016, this obligation was not contemplated in the regulations."

Regarding the burden of proof, when the GDPR imposes obligations on the data controller, specifically, in this case, the documentation of the lack of need for a DPIA for the processing of work data with a facial recognition system, it must be pointed out that it is the data controller who is responsible for proving that such obligations are met. This derives from article 5.2 of the GDPR, which requires data controllers to demonstrate compliance with their obligations under the GDPR, including the effectiveness of the measures, by adequately documenting all the decisions they adopt so as to be able to demonstrate this, in accordance with recital 74 of the GDPR.

Therefore, the fact that the respondent considers that it does not have to carry out a DPIA does not diminish the general obligation of data controllers to implement measures to adequately manage the risks to the rights and freedoms of data subjects. In practice, this means that controllers must continually assess the risks created by their processing activities in order to identify when a type of processing is likely to result in a "high risk to the rights and freedoms of natural persons". Even if a processing operation falls within the cases where a DPIA is to be carried out, a controller may consider that such processing is not "likely to result in a high risk". In such cases, the controller must justify and document the reasons why a DPIA is not being carried out and include/record the views of the data protection officer.
The opposite would mean ignoring that the GDPR pursues as its objectives a broad and strengthened protection of the right to data protection, both in the rights of data subjects and in the obligations of data controllers, as can be deduced from recital 11 of the GDPR: "The effective protection of personal data in the Union requires that the rights of data subjects and the obligations of those who process and determine the processing of personal data be strengthened and specified".

In any case, and in the case examined, it has been fully proven, in light of the proven facts and what has been acknowledged by the respondent itself, that it did not carry out a prior analysis to determine whether or not it had to carry out a DPIA as of May 2018, nor did it carry out a DPIA, thereby rebutting the presumption of innocence. What is stated in the defence, regarding the fact that the risks have not changed, consists of mere statements by the respondent party without having carried out an analysis on this particular matter, and without clear elements and documents to support it.

Regarding the allegations related to the non-requirement to carry out a DPIA because in 2016, when the system was implemented and the use of biometric personal data from the fingerprint began, the GDPR was not in force: the respondent argues that this rule was not in force when the events occurred, and that a rule is being applied retroactively. It cites in support of its thesis the judgment of the National Court, administrative litigation chamber, section 1, of 05/14/2021, rec. 115/2020.
In this regard, it should be noted:

- The aforementioned judgment declares the nullity of the sanction imposed by the AEPD for a very serious infringement classified under article 5.1.f) of the GDPR (duty of confidentiality in the processing of data), on the ground that a regulation that was not applicable when the sanctioned events occurred, on 04/13/2018, namely the GDPR, had been applied. It is worth citing its "legal basis fourth":

"Article 99 of the GDPR states: '1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. 2. It shall apply from 25 May 2018.' And, in this regard, recital 171 of the cited GDPR states: 'Directive 95/46/EC should be repealed by this Regulation. Any processing already started on the date of application of this Regulation must be brought into compliance with this Regulation within two years from the date of its entry into force. Where processing is based on consent in accordance with Directive 95/46/EC, the data subject does not need to give consent again if the manner in which consent was given complies with the conditions of this Regulation, in order for the controller to be able to continue such processing after the date of application of this Regulation. Commission decisions and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until they are amended, replaced or repealed.'

Therefore, the GDPR entered into force 20 days after its publication in the Official Journal of the European Union, that is, on May 24, 2016; however, it is only directly applicable and mandatory in all its elements in each Member State from May 25, 2018, so the Member States and their respective supervisory authorities had a period of 2 years for the preparation, application and interpretation of the different rights and obligations it establishes."

The judgment indicates that, to those facts, not only the GDPR was applied but also the LOPDGDD, which entered into force on 6/12/2018, "therefore, a regulation has been applied that was not applicable when the sanctioned facts occurred. We must add that the aforementioned regulations could have been applied if they had been more favourable... the retroactive application of the most beneficial regulation must be done by determining which provision is more favourable, by contrasting both, previous and subsequent, considered globally...". And such a contrast does not exist in the contested resolutions, in which there is not even any mention of Organic Law 15/1999, of December 13, and in which the RGPD and Organic Law 3/2018, of December 5, are applied as if they were the regulations in force when the sanctioned events occurred, in April 2018.

As can be seen, first of all, it is a question of examining the application of the rule in force or, as the case may be, the more beneficial rule, at the time of the events, which in principle should be the one in force when the typified event occurred. However, in this case, the respondent excludes the application of the GDPR from the outset, adding that the conduct occurred before the entry into force of the GDPR, without explaining what it understands by that statement.
And, in any case, the facts constituting the infringement, which have been proven, have occurred since the entry into force of the GDPR, so this rule is fully applicable to them. The claim concerns the processing carried out with the work data of the complainant, who provided his services to the respondent in a period from the year 2023. It is undisputed that both he and the rest of the employees were subjected to biometric facial recognition processing to control their daily working hours. It is therefore irrefutable that various operations of varying scope were carried out for this purpose on the data of the respondent's employees. To this it must be added that, when the claimant ceased his employment relationship on 09/12/2023, the rest of the employees continued to have their data processed for such purposes until the system was changed on 05/28/2023.

Therefore, it is also indisputable that data processing has been carried out using the biometric facial recognition system established by the data controller, CB, after the entry into force of the RGPD, to which the respondent has not adapted its behaviour, namely by carrying out a DPIA, as determined by recital 171 of the RGPD and as arises from the principles, guarantees and obligations applicable under the RGPD. Article 35 of the RGPD indicates that, before the start of processing operations considered high risk for the rights and freedoms of natural persons, it is mandatory to carry out a detailed DPIA containing the information that describes it. This is an essential tool to identify and mitigate the risks related to the processing and to establish its necessity and proportionality, among other comprehensive elements of the assessment.
The statement on the role of a risk-based approach in data protection, adopted on 30/05/2014 by WG 29 states “The so-called risk-based approach is not a new concept, as it is already well known under the current Directive 95/46/EC, especially in the area of security (Article 17) and the prior control obligations of the DPA (Article 20). The legal regime applicable to the processing of special categories of data (Article 8) can also be considered the application of a risk-based approach: the reinforcement of obligations follows from a processing that is considered risky for the data subjects. It is important to note that even with the adoption of a risk-based approach, there is no question of weakening the rights of individuals with respect to their personal data. These rights must be just as strong, even if the processing in question is relatively “low risk”. Rather, the scalability of risk-based legal obligations addresses compliance mechanisms. This means that a data controller whose processing is of a relatively low risk level may not have to do as much to comply with its legal obligations as a data controller whose processing is of a high risk level.” This obligation is independent of others established in the cited GDPR. It is clear that the regulations have evolved and the model established at the level of the European Data Protection Regulation, aims to guarantee a high level of protection of natural persons with regard to the processing of their personal data. What the precept seeks through the requirement that such an assessment be carried out prior to processing is, precisely, the evaluation of potential situations of high risk to the rights and freedoms of the interested parties and to avoid, as far as possible, that such risks materialize.
Such risks also vary over time, because the circumstances in which the processing takes place (context, nature, scope or purposes) do not remain intact over time. This therefore requires a continuous evaluation which, as regards the DPIA, involves not only carrying it out, but also performing periodic updates as the context, nature, scope or purposes of the processing (including the type and number of personal data processed) vary over time. As a consequence of the above, each time that the system established by the respondent carries out the various processing operations necessary for the control of working hours, a series of data processing operations take place, to which the rules provided for in the GDPR apply. Therefore, even if the system was hypothetically operational before the entry into force of the GDPR, the processing carried out after its entry into force requires the existence and completion of the prior impact assessment so that said processing complies with these regulations and with the obligations set forth therein. Regarding the respondent's reference to a link on the Agency's website, “frequently asked questions-GDPR-2.10 Impact assessment: Should processing operations initiated before the application of the GDPR be subject to a DPIA?”, which states: “No, the mandate of the GDPR does not extend to processing operations that are already in progress at the time when it begins to be applied. However, an Assessment should be carried out when, in an operation initiated prior to the application of the Regulation, there have been changes in the risks that the processing involves in relation to the time when the processing was started.
This change in the risks may arise, for example, from the fact that new technologies have begun to be applied to that processing, that the data are being used for different or additional purposes to those decided at the time, or that more data are being collected, or different data, than those that were initially used for the processing.” It should be noted that all the FAQs and Guides of the AEPD are intended to be a means available to the general public for awareness and knowledge of the issues related to data protection, with a purely informative character that does not delve into the specific case or situations. Although they also serve Data Controllers and Data Processors, since many of them are addressed to them in an attempt to facilitate their compliance management, this does not relieve the Data Controller from examining, in the specific case of the specific processing that is being carried out, what its obligations are in terms of data protection. Moreover, if we look at the answer given by the AEPD to this general question, it is not an absolute answer, but is related again to the specific processing being carried out, in light of the approach implemented by the GDPR, which is based on the pillars of proactive responsibility (demonstrating compliance with the GDPR) and the risk-based approach to processing with respect to the rights and freedoms of the data subjects. If for any reason, including others not provided for as examples in the answer, the data controller observes that there have been changes in the risks, it must at least consider whether or not to carry out a DPIA, documenting the conclusion reached in any case.
Regarding the fact that the processing of biometric data for labour control began in 2016, with the purchase invoice being provided, the respondent also stated to the Inspection that the data collected for said registration of the working day under Royal Decree Law 8/2019, incorporated in the current article 34.9 of Royal Legislative Decree 2/2015, of 23/10, Revised Text of the Workers' Statute Law (ET), remained stored in a historical Access file, and the templates were destroyed. The Inspection Service also accessed the record of biometric data in the respondent's management software, with employee data recorded in April and May 2023, which proves the continued use of the system until its replacement by the new system on 29/05/2023. This makes it clear that the data, including that of the claimant employee who was only bound by a contract for three months in 2023, were recorded for daily work control using the facial recognition tool, affecting the right to data protection not only of the claimant, but of all employees: continuous processing over a long life cycle of the data, a period in which the obligation that the respondent had to fulfil from the entry into force of the GDPR, namely the completion of the DPIA, was not put into practice, as is evident from its absence. As regards the claim that the obligation to carry out said DPIA would be time-barred, it must be indicated that the calculation of the limitation period for the infringement does not run from the day on which the system was implemented, in 2016, as claimed by the respondent, since that act determines nothing more than its implementation, with the processing activity being carried out since then, consisting of various and repeated processing operations with the use of a specific technology until the moment of its replacement by another system based on time cards.
Non-compliance with said obligation begins on the day on which the obligation provided for in the GDPR had to be fulfilled, May 2018, and has continued uninterruptedly at least until the day on which the system for this type of registration ceased to be used, 28/05/2023, since on the 29th and 30th, during the inspection visit, it was stated that said data was no longer recorded, due to the implementation of the new procedure for controlling timekeeping by cards from 29/05/2023. In other words, the failure to comply with the mandatory obligation has continued throughout this period, considering that each day that data processing is carried out without a DPIA, the risk to the rights and freedoms of the affected persons remains unassessed and without adequate measures and guarantees based on its analysis, thus prolonging the infringement. We are therefore faced with an infringement that persists over time as long as the obligation imposed by the GDPR is not complied with. This is related to the fact that, although SAICA's specialized technical body, the Data Protection Committee, stated that CB's biometric system should be replaced immediately from October 2023, its application will be extended until 05/28/2023. In this case, the aforementioned calculation of the limitation period for the serious infringement of article 35 of the GDPR would initially cover two years from 05/28/2023, so that it was not time-barred when the present procedure was initiated.
Likewise, regarding the objection to the proposal that the requirement to carry out the DPIA before processing must be counted from the date of entry into force of the GDPR, it must be indicated that this start date of calculation cannot be considered, given that the processing carried out on the persons employed by the respondent continued, as has been proven, at least until 28/05/2023, and the obligation of a prior DPIA has never been fulfilled after the entry into force of the GDPR. This is an express obligation that is not cured or validated by the passage of time as long as the processing on which it is based has continued. The data were processed from 2016 to 05/28/2023, and although the obligation to carry out the DPIA arose on 05/25/2018, it was not fulfilled, giving rise to the claimant's complaint and confirming the continuation of the respondent's non-compliance. Regarding the objection to the proposal that the continued use of the tool should be distinguished from the fact of not having carried out the DPIA prior to the “installation of the tool”, this is not what is indicated in the proposal, but rather that said DPIA is chronologically “before the actual processing of the data”, as is expressly deduced from the content of article 35 of the GDPR on the moment of its implementation: “Where a type of processing, in particular if it uses new technologies, is likely, by its nature, scope, context or purposes, to entail a high risk for the rights and freedoms of natural persons, the controller shall, before the processing…”. In the same sense, the rest of the requirements on the guarantees of processing by design, article 24.1 of the GDPR, would apply to the aforementioned processing, since risk management cannot be carried out in isolation, independently or after the design and/or implementation of a processing operation.
This processing by design, as a proactive responsibility measure, must be applied by the data controller prior to the start of the processing, and also while it is being carried out. It is about thinking in terms of data protection from the very moment that an operation involving the processing of personal data is designed, so that from the beginning the controller must take organizational and technical measures that allow the principles of the GDPR to be applied effectively. Furthermore, data processing as defined in article 4.2 of the GDPR is not related in any way to the installation of a system that supports it, since it is proven in this case that the data processing with the system analyzed was effective, was carried out, and transitioned to the protection regime established by a directly applicable standard such as the GDPR. The respondent has continued to use the biometric data of its employees in the daily work control processing activity, periodically carrying out such processing with the facial recognition technique that involves varied risks, so the start of the limitation period could not be counted from the installation of the system or from the start of its use. Regarding the claim that the risks have not changed since the implementation of the system in 2016, it should be noted that it is not a question of connecting the risk in the processing of data only with the security of the data or with the damage that may be caused, but with the risks to the fundamental rights and freedoms that the processing of data with these systems implies, inherent and specific risks, as well as others derived from their implementation in the specific case, which is what led the GDPR to characterize them as special category data.
Furthermore, it must be taken into account that the elements that form part of the data processing, the nature, scope, context and purposes, are those that condition, in addition to the risks, the application of the appropriate technical and organizational measures to guarantee its processing. In any case, as has already been expressed, the risks to the rights and freedoms of natural persons derived from processing vary or change over time, a question that is uncontroversial. The categorical assertion of the respondent party that the risks to the rights and freedoms of natural persons derived from processing have not changed since this was implemented in 2016 has no support, no analysis, no justification. Furthermore, the accreditation of the high risk affecting this processing system has not only been contemplated in and since the first guidelines and opinions on this data in 2003, Working document on biometrics, dated 1/08/2023, continued in Opinion 3/2012 on the evolution of biometric technologies, adopted on 27/04/2012, but continues to be contemplated, as an example of the recent ones: Guidelines 5/2022 on the use of facial recognition technology in the field of law enforcement, adopted on 26/04/2023, or the Opinion of the EDPB of 11/2024 on the use of facial recognition to streamline the flow of passengers, adopted on 23/05/2024, which exemplifies the risks in the various ways of processing this type of data. The high risk inherent in the processing of this type of data comes from the fact that the biometric data, in this case of the face, physiological features, are unique and represent the same person.
In addition, the use for identification purposes, for example, in an uncontrolled environment, without the active participation of the interested parties, where the template of each face that enters the monitoring area is compared with the templates of a broad cross section of the population stored in a database, does not pose the same risks, raising specific risks that must be assessed on a case-by-case basis. Therefore, without prejudice to the fact that the determination of the risks corresponds to each data controller in relation to each of its specific processing operations, it seems clear that neither the technological level, nor the level and sophistication of possible attacks, nor the risks of fraud due to intrusion into the systems, nor the impacts are the same now as they were eight years ago. On the other hand, knowing and identifying the threats to the use and the processing system, which has evolved and continues to do so over time, can help to know and minimize the impacts. With regard to the claim of the respondent entity that it was not a new system, it should be noted that such a circumstance does not exempt it from compliance with the obligation provided for, once the regulation took full effect after its entry into force. Although it is true that the previous regulation did not contemplate said obligation, since its focus was on the type of data and not, as now, on the risks to the rights and freedoms of the interested parties derived from the processing, it is no less true that, once the GDPR applies, it is fully effective. And that the claimant, by virtue of the proactive responsibility provided for in art. 5.2 of the GDPR, should not only have carried out and completed a DPIA as set out in this procedure, but should also have determined whether the circumstances provided for in Article 35 for carrying out a DPIA were met, making it necessary to verify whether in the case of the processing there was a probability of high risk to the rights and freedoms of natural persons, in the terms indicated by the aforementioned article, even if the processing had been initiated before the application of the GDPR. And this, taking into account that (i) the risks are not static but dynamic, and can change in a processing operation over time, especially in the reality in which we find ourselves, and (ii) that they depend on the specific processing of personal data that is carried out and on the organization, purposes and particular characteristics of the data controller, among other issues. Finally, it should be added that not only have the risks for the rights and freedoms of those affected changed, as shown by the fact that biometric data became part of the special categories in the GDPR due to the inherent risks that their processing implies for the rights and freedoms of the interested parties. To this must be added the automated technologies used through algorithms, the poor transparency of such means, as well as the assessment of the necessity and proportionality of establishing the system, principles that are applicable at all times and must be complied with. For all these reasons, these allegations cannot be accepted.

VII Exercise of the right of access and consequences of failure to do so

The complainant exercised his right of access on 29/08/2022, subject to the obligations established in Article 12 of the GDPR, which states: 1.
The controller shall take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14, as well as any communication pursuant to Articles 15 to 22 and 34 relating to the processing, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information specifically addressed to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided verbally, provided that the identity of the data subject is proven by other means.
2. The controller shall enable the data subject to exercise his or her rights under Articles 15 to 22…
3. The controller shall provide the data subject with information concerning its actions on the basis of a request pursuant to Articles 15 to 22 without undue delay and in any case within one month of receipt of the request…
4. If the controller does not act on the data subject's request, it shall inform the data subject without delay and at the latest one month after receipt of the request of the reasons for its failure to act and of the possibility of lodging a complaint with a supervisory authority and of bringing legal proceedings.”
This Article lays down general obligations, falling within Section 1 of Chapter III of that Regulation, concerning in particular the principle of transparency set out in Article 5(1)(a) of that Regulation. These general obligations apply to the controller with regard to the transparency of information and communications, as well as the modalities of exercising the rights of the interested party.
Article 15 of the GDPR, included in section 2 of chapter III, relating to information and access to personal data, completes the transparency framework of the GDPR by granting the interested party a right of access to his or her personal data and a right to information about the processing of said data. Regarding the handling of the right of access requested on 08/29/2022, the aforementioned article 15 of the GDPR indicates its content: “1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning him or her, or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data have not been obtained from the data subject, any available information as to their origin;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 3. The controller shall provide a copy of the personal data subject to processing. The controller may charge a reasonable fee for any further copy requested by the data subject based on administrative costs. Where the data subject makes the request by electronic means, and unless the data subject requests it to be provided otherwise, the information shall be provided in a commonly used electronic format. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.” Article 15 of the GDPR regulates the right known as habeas data or habeas scriptum, which consists of the affected party being able to demand from the data controller a performance consisting of the mere display of their data. This is an essential right in this matter and is included in art. 8.b) and c) of Convention 108 of the Council of Europe. Furthermore, it is indisputable that the right of access constitutes the essential core of the right regulated in art. 18.4 of the Constitution (STC 292/2000) and that it helps the applicant to verify the legality of the relevant processing or to exercise other rights. Guidelines 1/2022 of the European Data Protection Board on data subject rights, right of access, version 2.1, adopted on 03/28/2023, indicate that “3. Under the GDPR, the right of access consists of three components, namely confirmation of whether or not personal data are being processed, access to the data and information about the processing itself. The data subject may also obtain a copy of the personal data being processed, while this possibility is not an additional right of the data subject, but rather the modality of providing access to the data.
The right of access can therefore be understood both as the possibility for the data subject to ask the data processor whether personal data concerning him or her are being processed, and the possibility of accessing and verifying this data. The data controller shall provide the data subject, on the basis of their request, with the information falling within the scope of Article 15, paragraphs 1 and 2, of the GDPR.” “19. Access to personal data is the second component of the right of access under Article 15(1) and forms the core of this right. It refers to the notion of personal data as defined in Article 4(1) GDPR. Apart from basic personal data, such as name and address, an unlimited variety of data may be included in this definition, provided that it falls within the material scope of the GDPR, especially as regards the way in which it is processed (Article 2 GDPR). Access to personal data means access to the actual personal data, not just a general description of the data or a mere reference to the categories of personal data processed by the controller. If no limits or restrictions apply, data subjects have the right to access all data processed in relation to them, or parts of the data, depending on the scope of the request (see sec. 2.3.1). The obligation to provide access to data does not depend on the type or source of the data. It applies in full even in cases where the requesting person has initially provided the data to the controller, as its purpose is to inform the data subject about the actual processing of the data by the controller. The scope of personal data under Article 15 is explained in detail in sec. 4.1 and 4.2. 34. When data subjects submit a request for access to their data, in principle, the information referred to in Article 15 of the GDPR must always be provided in full.
Accordingly, when the controller processes data relating to the data subject, the controller shall provide all the information referred to in Article 15(1) and, where applicable, the information referred to in Article 15(2). The controller must take appropriate measures to ensure that the information is complete, correct and up-to-date, as close as possible to the state of data processing at the time of receiving the request. Where two or more controllers process data jointly, the arrangement of the joint controllers with regard to their respective responsibilities in relation to the exercise of the data subject's rights, in particular with regard to responding to access requests, does not affect the rights of the data subjects vis-à-vis the controller to whom they address their request. As can be seen, rather than a violation of the transparency principle of data processing, which could mean relating the conduct to article 12 of the GDPR, the principle of specialty in the typification of the conduct makes it more appropriate to include it within the infringement of article 15 of the GDPR, concerning the rights of the interested party that all processing of such data must respect. That article specifically requires, within the period established in the GDPR, answering the interested party about whether their personal data are being processed and providing them with the actual personal data processed as well as information on the processing and on their rights, without diminishing the complementary requirements that article 12 of the GDPR sets out for all communications (clear language and deadlines, to cite only two). Therefore, the legal qualification of the facts in this resolution proposal is changed in the terms explained.
In this regard, the Constitutional Court has been pointing out that “the essential content of the constitutional right to be informed of the accusation refers to the acts considered punishable that are imputed to the accused” (STC 95/1995). On the contrary, and unlike what happens with the facts, the TC, in Sentence 145/1993, warns that the communication to the alleged offender of the legal qualification and the eventual sanction to be imposed does not form part of the essential content of the right to be informed of the accusation. The disclosure of the facts constituting the administrative infringement is so important that the Constitutional Court has declared that the requirements of Article 24.2 of the Spanish Constitution (CE) are fundamentally satisfied by the sole communication of the imputed facts in order to be able to defend oneself against them (STC 2/1987 and 190/1987). Along these lines, the Supreme Court, in its judgment of March 3, 2004, states that “the primary purpose of the initiation agreement is to inform about the imputed facts and not about the legal qualification, which will be the responsibility of the resolution proposal.” In this case, the respondent only proves that it sent the applicant a burofax on 12/9/2022, outside the deadline established for the response in Article 12.3 of the GDPR, to an address that does not correspond to the address that the complainant stated in his application, so the sending is ineffective. The respondent alludes to the fact that the address provided did not contain anything other than the number, and that this was the reason for sending it to another address, whose origin, date and purpose are unknown. However, it was not sent to the alternative means, an email address, that was stated in the request, and ultimately the respondent does not prove that it gave effect to the right.
Previously, on 09/15/2022, it sent the claimant a letter without warning of any inconvenience of the kind it now states occurred in the right exercised. Furthermore, in the content of the response, which the complainant never received, it can be seen that:
- The generic mention of the data available (name and surname, ID, membership number, bank account number, etc.) is not enough; it must identify them specifically, with the real data, not by reference to the category of data.
- It omits the reference to point 1.f) of article 15: "the right to file a complaint with a supervisory authority;"
- It omits any reference to the data processed based on facial recognition as a category of data, and omits its intended purpose, the fulfillment of a legal obligation, according to the complainant.
- It omits any reference to the derived data resulting from facial recognition, such as the attendance list during the working day that reflects the marking of the days by facial recognition when entering or leaving the workplace.
As regards the respondent's explanations that the complainant was contacted in order to deliver the response to his request, as has been made clear throughout the procedure, it is not proven that this was the purpose or object of the content of the WhatsApp messages, which allude to the fact that (…) she wants to see him and deliver a document, to which the complainant indicates that it should be sent to him by mail first so that he can read it and, in addition, that the response to his request does not require any signature. The response to the exercise of the right of access must be proactive, assessing the request appropriately and responding without undue delay. At the same time, the data controller, the respondent, must make all reasonable efforts to ensure that the exercise of the right is facilitated.
To this end, it is recalled that the complainant also provided his own email address, to which the respondent does not appear to have sent a copy of its response, nor, as has been reiterated, did it ask the complainant to correct the address which, as it states, it considered incorrect because the floor and door of the postal address did not appear. Therefore, the allegations that seek to exempt the respondent from non-compliance with this obligation contained in article 15 of the GDPR cannot be accepted.

VIII Typification and classification of infringements

Regarding infringements of Article 35 of the GDPR, Article 83.4 of the GDPR states that: “Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of not more than EUR 10,000,000 or, in the case of an undertaking, an amount equivalent to not more than 2% of the total annual global turnover of the preceding financial year, whichever is higher: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43;” The LOPDGDD establishes in its article 73.t): “In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will be subject to a two-year statute of limitations: t) The processing of personal data without having carried out an assessment of the impact of the processing operations on the protection of personal data in cases where this is required.” Regarding the claim made after the defendant's proposal that the classification has been changed, as it appears therein as "failure to adapt its behaviour consisting of carrying out a DPIA", extracting it from the explanatory paragraph contained in the response to its claim in the infringement section of article 35: "Therefore, it is also indisputable that processing has been taking place
after the entry into force of the GDPR to which the defendant has not adapted its behaviour consisting of carrying out a DPIA, as determined by recital 171 of the GDPR and is derived from the principles and guarantees applicable in the aforementioned GDPR." the answer must be that the aforementioned classification has not been changed, according to legal ground VIII, dedicated to the issue. As regards the alleged infringement of Article 15 of the GDPR, the defendant is charged with falling within the scope of Article 83.5 b) of the GDPR. “Infringements of the following provisions shall be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, whichever is higher”: “the rights of interested parties pursuant to Articles 12 to 22”. The consideration of the right of access has not undergone excessive modifications in its basic configuration in the GDPR and the LOPDGDD. According to, among others, the Judgment of the National Court, administrative litigation chamber, section 1, appeal C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 50/60 165/2005, of 14/12/2006, it is considered that the lack of response to the right of access constitutes an impediment or obstruction in the exercise of the right, becoming an ineffective right. This interpretation is reiterated later, among others in the SAN administrative litigation chamber, section 1, appeal 556/2008 of 18/06/2009. For the purposes of prescription, the LOPDGDD frames it in its article 72.1.k), which determines: “1. 
According to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations: “k) The repeated impediment or obstruction or failure to comply with the exercise of the rights established in Articles 15 to 22 of Regulation (EU) 2016/679.” IX Determination of sanctions Article 58.2 of the GDPR provides the following: “Each supervisory authority shall have all of the following corrective powers indicated below: i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures mentioned in this section, depending on the circumstances of each particular case;” The determination of the penalties to be imposed in the present case requires compliance with the provisions of Articles 83.1 and 83.2 of the GDPR, which respectively provide as follows: “1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are effective, proportionate and dissuasive in each individual case.” “2. Administrative fines shall be imposed, depending on the circumstances of each individual case, as an addition to or an alternative to the measures referred to in Article 58, paragraph 2, points (a) to (h) and (j). 
When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of: a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them; b) the intent or negligence of the infringement; c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects; d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented pursuant to Articles 25 and 32; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 51/60 e) any previous infringement committed by the controller or processor; (f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate any adverse effects of the breach; (g) the categories of personal data affected by the breach; (h) the manner in which the supervisory authority became aware of the breach, in particular whether and, if so, to what extent, the controller or processor notified the breach; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42; and (k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the breach.” Within this section, the LOPDGDD contemplates in its article 76, entitled “Sanctions and corrective measures”: “1. 
The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the grading criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continued nature of the infringement. b) The link between the offender's activity and the processing of personal data. c) The benefits obtained as a result of the commission of the infringement. d) The possibility that the conduct of the affected party could have induced the commission of the infringement. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection officer. h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party. 3. 
It will be possible, additionally or alternatively, to adopt, where appropriate, the remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679.” For the assessment of the sanction that would be implemented in this start-up agreement, for the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 52/60 alleged infringement of article 35 of the GDPR, the following factors are considered: a) “The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation”, which was the recording of the daily working day and affected the entire workforce, 99 employees, which, having been carried out without prior EIPD, supposes a nature of the processing that implies an imbalance between those affected and the data controller in the employment relationship of control of the time worked that is established by legal norm, and that can be carried out using other and diverse means less invasive of the employee's privacy that were not taken into consideration. Furthermore, there came a time when the respondent, despite determining that it was not appropriate, maintained it for several more months, with the result that the effects have persisted and the infringement is aggravated by the lengthening of the period of repeated processing that occurs together with the storage of the data on the device, in the database and in the records. All these factors would operate as aggravating factors. (83.2.a GDPR). The respondent alleges that the principle of proportionality of sanctions has not been respected, as it considers that the change in the daily work control processing system should be considered as an attenuating factor. As indicated by the SSTS, Chamber 3, of 3/12/2008 (Rec. 6602/2004) and 12/04/2012 (Rec. 
5149/2009) it is the fundamental one that beats and presides over the process of grading the sanctions and implies, in legal terms, "their adequacy to the seriousness of the fact constituting the infringement" as provided in article 29.3 of Law 40/2015, of the Legal Regime of the Public Sector, given that all sanctions must be determined in congruence with the enormity of the infringement committed and according to a criterion of proportionality in relation to the circumstances of the fact. In the GDPR it is contained in article 83.1 that each control authority will guarantee that the imposition of administrative fines for infringements of the same is in each case "individual, effective, proportionate and deterrent”. It must be assumed that the change in the timekeeping system has meant that even though it was recognised in October 2022 that the processing should cease immediately, the system was maintained, which implies that the data processing was continued without having carried out the DPIA, which could condition multiple aspects regarding what its content determined, especially the necessity and proportionality of the processing and the risks to the fundamental rights and freedoms of employees. Regarding the respondent's claim that its actions that led to the fact that when the procedure was initiated, the system had already been replaced by the card system should be counted as an attenuating circumstance, since it cannot be claimed that the change would be immediate, it should be noted that the respondent herself stated that she has been using the processing activity for work control since 2016, using a system that allows the purpose for which she processes data. After the entry into force of the GDPR without undertaking this very important obligation, it continued to serve the established purposes, for compliance with the time control established in the indicated labor regulations. 
Since the entry into force of the GDPR, biometric data have been classified as a special category of data, and the processing carried out by the respondent as data controller implies a high level of risk to the rights and freedoms of those affected in the different aspects related to its content. In addition, it must be taken into account that the collection and processing of data occurs between the company and its employees, which implies a context of power imbalance between the parties, compounded by the poor information regarding the processing of their data, as they were told that they had to give express consent for the processing of their data, including facial recognition data, when they were not given any other option.

Additionally, in the other infringement, the respondent became aware of the facts with the transfer of the complaint, and there is no record of it updating its conduct taking into account the claimant's right.

Finally, although when the Inspection visit was carried out it was also confirmed that the system had been replaced, it is no less true that the expert body in data protection, the Committee of data protection officers of the SAICA GROUP, purchaser of the respondent, had already determined on 19/10/2022 the lack of suitability of the biometric data for the purpose of daily labour control, and immediately advised the replacement of the time clock system. It should also be noted that the respondent was informed of the claim, in its full terms, at the transfer procedure stage, as recorded in the receipt dated 21/11/2022. Despite this, and while the new system was being implemented, the data continued to be processed by such means for the 99 employees for almost seven months longer.

The change in the system is not that it is not taken into account, or that it will not be taken as an attenuating circumstance of the infringement, but rather that what constitutes an aggravating circumstance in any case is the maintenance of the previous system, extending its effects in processing repeated periodically over time, without a DPIA (as determined by the type: "The processing of personal data without having carried out the evaluation of the impact of the processing operations on the protection of personal data"). On the other hand, replacing the system in order to mitigate the circumstances of the infringement is neither more nor less than complying with the obligation to control working hours in compliance with the data protection regulations, which is nothing more than a general obligation whose compliance cannot be rewarded when there has been additional processing after it was decided that the system should be abandoned, adding to the already long period in which the cited DPIA should have been carried out.

Nor is it explained how the aforementioned substitution relates to article 83.2.f) of the GDPR, since the procedure had not yet been initiated and the response to the request in the previous actions does not per se imply cooperation, which could also have taken place on the occasion of the transfer of the claim, in which the claim was set out clearly with the facts in their terms. Such cooperation with the supervisory authority is not and does not constitute anything other than an expression of the general obligation imposed by the GDPR in its article 58.1. Finally, the mitigation of the infringement cannot be considered an attenuating circumstance if the use of the system could have been stopped on dates close to October 2022 and yet was extended until 28/05/2023, maintaining the lack of guarantees of the processing when it should have been mitigated at a time closer to the first date. Despite the planning required for the new system, for 99 employees a transitional arrangement could have been used that took into account the rights of the employees, and this option was not chosen.

Regarding the actions carried out by SAICA as the acquirer of the defendant, it must be noted that the management of the defendant does not derive from a merger or absorption of the entity that would give rise to a transfer of liability to SAICA. Therefore, the fact that the system was already implemented on 7/07/2022 when it acquired CB is not sufficient to attenuate the liability of the defendant, given that, as the new administrator of the defendant, the decisions taken that affect the defendant are enforceable against the defendant regardless of the correctness or promptness and effectiveness of the response of the new administrator.

b) A serious lack of diligence is found, given that the entity voluntarily prepared the implementation of the system and did not foresee its impact, so this factor would operate as an aggravating factor (art. 83.2.b GDPR).

Regarding the respondent's allegation of disagreement with this assessment of lack of diligence, considering it included in the classification of the infringement, it should be clarified that the type describes processing without having carried out a prior DPIA. In this case, it should be noted that, although there is no evidence that the entity acted fraudulently, the action and the reason for not having acted in accordance with the regulations reveal a serious lack of diligence in its conduct that must aggravate the infringement due to its unlawfulness. This occurs when considering the total absence of compliance with an obligation that has been enforceable since the entry into force of the GDPR, with respect to which it acted as if there were no regulations or such obligation.

It bases its failure to carry out the DPIA, an instrument of guarantees for the processing, on the statement that the GDPR was not applicable to it on the date on which it implemented and began to operate the system, 2016. This declaration is made without any documentary or specialised expert basis on the matter from which such a conclusion could have been drawn in a reasoned manner, despite being required by the principle of proactive responsibility (accountability) to comply and to demonstrate compliance. In this sense, the mere fact that the respondent considers the conditions that give rise to the obligation to carry out a DPIA not to have been fulfilled does not diminish the general obligation of data controllers to justify and document the reasons why a DPIA is not carried out. However, there is no record of it having prepared any document in which it assessed the need or otherwise for a DPIA, taking into account that the management of the daily time control of the staff with the biometric system has been carried out without interruption since 2016.

This is an entity that, according to the data collected in its sector of activity, is an SME, with an average number of employees of 99, and that should have been aware of the change in model brought about for the purposes of data protection, as it is another branch of the human resources data processing that affects it. If the logic defended in the statement for not implementing such a system were followed, which could be applied to other aspects of the obligations imposed by the GDPR (the record of processing activities (RAT), documentary accreditation of compliance with the measures, data protection by design, risk analysis), none of the obligations or measures would apply to such processing, or to others that have been carried out for some time, which is unacceptable from the point of view of the model that the GDPR implements, which aims to guarantee a high level of protection of such data. Thus, the proven serious lack of diligence must be confirmed.
As for the proportionality of the sanction, in accordance with these circumstances, it is understood as the adequacy, according to criteria of justice and equity, between the facts subject to the type of infringement and the determination of the applicable sanction, taking into account the intensity of the intervening fault, that is, the degree of intentionality, carelessness or negligence that the conduct reveals. And of course, a motivation is required regarding the judgment of the intensity of the intervening fault, which is linked to what is prescribed in article 83.2 b) of the GDPR. As a consequence of the elements available, the sanction is quantified at 200,000 euros.

Regarding the infringement of article 15 of the GDPR, it must be assessed:

- When the applicant claimed his right, the entity claimed against had already been acquired by SAICA, which sent the claimant a first letter indicating that it would respond, but has not carried out such a response in an accredited manner. At the meeting of the CPD of 23/01/2023, the question of the procedure for addressing rights of access to personal data was raised, which is why the aggravating circumstance determined by article 83.2 d) of the GDPR occurs, due to the poor implementation of the "degree of responsibility of the controller or the processor, taking into account the technical or organisational measures that they have applied pursuant to articles 25 and 32".

- It is also considered that there is a lack of diligence, which the respondent attempts to rebut in its allegations with telephone or WhatsApp contacts intended to summon the claimant so as supposedly to attend to the exercise of the right by handing over the documentation, without proving the purpose of the summons. The respondent is not required to take disproportionate action to comply with the right, but rather the minimum. The fact that the claimant did not go to the company at the request of a matter that is not proven to be related to the response, and that the letter was sent to him on 12/9/2022 to another address, not the one the claimant recorded, without proving its receipt, shows a clear lack of diligence in the manner of fulfilling the duty of care for said right, which could have been carried out in another, effective way. Therefore, since a lack of diligence is found, it is classified as an aggravating factor under article 83.2.b) of the GDPR.

Regarding the allegation for this infringement that PS/00369/2022 violates the principle of proportionality by imposing the same fine when the former had four aggravating factors, it should be noted that the nature of the processing operations is different: this procedure concerns the exercise of the right of access to data of the employment relationship, whereas the latter was for infringement of article 17 of the GDPR and, consequently, by not granting the right, those data continued to be processed, with the data subject treated as a debtor and receiving messages about payment of his alleged debt, with different circumstances that do not allow the cases to be compared.

Regarding the allegation that, in this aggravating circumstance, the same fact is used to classify the infringement and apply the aggravating circumstance, and at the same time it is classified as very serious, not as serious or minor, it should be noted that the types advocated for application by the respondent, contained in articles 73.c) of the LOPDGDD, the serious one, and 74.c), the minor one, do not fit the conduct that the respondent displayed and for which it has been classified, as can be seen from the fact that the wording of the first refers to cases in which “the identification of the affected party is not required, when this one, for the exercise of these rights, has provided additional information that allows his identification”, a situation that does not arise in the present case. Likewise, it is not considered that the conduct can be classified as minor, because it has already been detailed why article 72.1.k) of the LOPDGDD is applicable. As a consequence of the elements available, the penalty is quantified at 20,000 euros.

As regards the defendant's allegations regarding the lack of proportionality in the penalties provided for in the initiation agreement, the GDPR expresses this principle in Article 83.2.1 ("Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are effective, proportionate and dissuasive in each individual case"), adding in paragraph 2 the criteria to be taken into account; for its part, Article 76.2 b) specifies the mitigating or aggravating factors to be taken into account, in accordance with Article 83.2 k) GDPR.

In this sense, there is no inconsistency with the gravity of the infringements committed and the circumstances of the known facts, the degree of unlawfulness and the attitude of the respondent, who was aware of the claim since the transfer took place. Furthermore, the proportionality of the sanction is understood as the adequacy, according to criteria of justice and equity, between the facts subject to the type of infringement and the determination of the applicable sanction, taking into account the intensity of the intervening fault, that is, the degree of intentionality, carelessness or negligence revealed by the conduct. And of course, a motivation is required regarding the judgment of the intensity of the intervening fault, which has been detailed here.

Furthermore, it should be considered that the amounts could be higher in accordance with Article 83.4.a) and 83.5.a) of the GDPR, which provide for administrative fines of up to €10,000,000 and €20,000,000 for infringements of Articles 35 and 12 of the GDPR respectively, or, in the case of a company, an amount equivalent to a maximum of 2% or 4% respectively of the total annual global turnover of the previous financial year, whichever is higher, the respondent having recorded a net turnover of (…) € in 2021, the last financial year presented. As regards the allegations of different treatment in the amounts of the infringements, made by giving data from three files, it would not be possible to compare the cases, given that the nature, scope, context and purposes of the processing are different in each procedure.
Although, it should be noted, regarding the allegation of the unequal amount of the penalty for the infringement of the same article, with a comparison to case (…), file PS/00XXX/20XX and the volume of business that it indicates, as well as the penalty imposed there for the infringement of article 35, it should be noted that there was indeed a DPIA in that case, as can be deduced from the reading of that decision, in which its terms are even analysed (SECOND FACT, points 6 and 7, among others).

In the present case, it must be borne in mind that since 2018, with the entry into force of the GDPR, a data protection regime has been established that imposes new obligations on controllers, focused on guarantees of compliance with the obligations imposed, on the development of the new principle of proactive responsibility (accountability), and on the management and analysis of the risks to the rights and freedoms of persons that data processing entails. The system of proactive responsibility measures includes general obligations such as data protection by design and by default, security measures and a data protection impact assessment, and the GDPR classified biometric data as a special category, for which addressing the risks to fundamental rights and freedoms through compliance with these general obligations is imperative.

Regarding the allegation that the defendant was acquired by SAICA PACK on 7/07/2022, once the system was installed, and that it took actions to avoid the use of the installed system, which it considers should be mitigating under article 83.2.b): in this sense, the fact that there is a new acquirer, without the original entity having disappeared, does not lead to the conclusion that it complied diligently, when in the assessment of each infringement it has been reasoned that this was not the case. In addition, in none of the actions regarding the cessation of its effects did the acquirer of CB take effective and decisive action, since the effects of the infringements went beyond what was reasonable, regardless of the change in the clocking-in system and the time it takes to undertake it.

Finally, as regards the non-application of letters b), c), e) and f) of article 76 of the LOPDGDD, it must be indicated:

- In letter b), the fact that its main activity does not appear to be directly linked to the processing of data, unlike, for example, business entities, financial entities or telecommunications operators, should not serve as an incentive or benefit for a possible reduction in the sanction which it has not deserved, on the understanding that, by not participating in the usual and daily traffic of the personal data market, it will not affect proportionally the seriousness of the offending act. In fact, it is difficult to specify an activity or sector that does not involve the performance of data processing to a greater or lesser extent and with different scopes. The respondent is a business organisation that manages data classified as a special category, for the purpose of daily work control, which means that, as stated, the extension in time and frequency is high. Therefore, the defendant must assume the risk that they may be processed in a manner contrary to the law. Considering the link between the offender's activity and the eventual or supposedly scarce performance of data processing as an attenuating circumstance can only nullify the deterrent effect of the fine, reducing by default the circumstances that may occur, which would be equivalent to considering that the non-habitual processing of data, or the lack of link between the offender's activity and the performance of data processing, could not produce negative effects but rather positive ones, preconfiguring the attenuating circumstance without considering the elements that occur on a case-by-case basis, as in this case. With their deterrent effect, administrative fines contribute to strengthening the protection of individuals with regard to the processing of personal data and are, therefore, a key element in guaranteeing respect for the rights of such persons, in accordance with the purpose of the aforementioned Regulation of ensuring a high level of protection of such persons with regard to the processing of personal data. In conclusion, it is not considered that this mitigating circumstance exists in the conduct of the respondent.

- Regarding letter c), the infringements committed do not require that a benefit be obtained in favour of the offender. Regarding the lack of benefits obtained in the processing of the data subject to the claim, as an attenuating circumstance, this grading criterion is established in the LOPDGDD, in accordance with the provisions of article 83.2.k) of the GDPR, according to which administrative fines will be imposed taking into account any “aggravating or attenuating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement”, on the understanding that avoiding a loss has the same nature for these purposes as obtaining benefits. If we add to this that the sanctions must be “in each individual case effective, proportionate and dissuasive”, in accordance with the provisions of article 83.1 of the GDPR, admitting the absence of benefits as an attenuating circumstance is not only contrary to the factual assumptions contemplated in article 76.2.c), but also contrary to the provisions of article 83.2.k) of the GDPR and the principles indicated. Thus, assessing the absence of benefits as an attenuating circumstance would nullify the deterrent effect of the fine, to the extent that it reduces the effect of the circumstances that effectively affect its quantification, giving the person responsible a benefit that it has not earned. It would be an artificial reduction of the sanction that could lead to the understanding that violating the rule without obtaining benefits, financial or of any other kind, “will not produce a negative effect proportional to the seriousness of the infringing act”. It should be added that “in any case, the administrative fines established in the GDPR, in accordance with the provisions of its article 83.2, are imposed based on the circumstances of each individual case”, and, at present, it is not considered that the absence of benefits is an adequate and determining grading factor to assess the seriousness of the infringing conduct. Only in the event that this absence of benefits is relevant to determine the degree of unlawfulness and culpability present in the specific infringing action may it be considered as an attenuating circumstance, in application of article 83.2.k) of the GDPR, which refers to “any other aggravating or attenuating factor applicable to the circumstances of the case”. This paragraph leaves the door open to those cases in which the absence of benefits may be considered an attenuating circumstance, but not according to the literal and teleological interpretation of the legislator in accordance with the provisions of art. 83.2.k) of the GDPR.

- Regarding letter e), although an absorption process was not carried out, 98.52% of the shares of CARTONAJES BAÑERES were acquired. The acquirer, which took control of the respondent entity, the one that had the previously implemented system, must have known of the existence of such a system when it was acquired, and although it took control of said entity, it also began its direction and management, without such direction, apart from not amounting to an absorption, having been decisive for the correction or mitigation of the effects produced.

- Regarding letter f), because it does not process data of minors: it must be considered that the processing of such data may constitute an aggravating circumstance where applicable, but the fact that such data are not processed does not in itself constitute an attenuating circumstance, and the controller has not, on the other hand, justified in any way why such circumstance should be taken into account in this regard.

As regards the last allegation, which, after setting out the circumstances regarding the lack of proportionality, requests that nullity be declared according to article 47.1.e) of the LPACAP or, subsidiarily, voidability according to article 48 of the same Law, such reasons, namely the alleged failure to respect the principle of proportionality of the sanctioning amounts, are not among the grounds that can lead to nullity or voidability. On the other hand, it does not set out what reason would in its opinion support each of the requests, so the allegation cannot be accepted.
X. Adoption of measures

Article 58.2 of the GDPR provides the following: “Each supervisory authority shall have all of the following corrective powers: […] c) order the controller or processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation; […] i) impose an administrative fine pursuant to article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;”

The imposition of any of these measures is compatible with the sanction consisting of an administrative fine, as provided for in art. 83.2 of the GDPR.

Considering that the claimant's exercise of the right of access has not been attended to, in accordance with the guidelines contained in the analysis of the corresponding infringement, the measure to be adopted is that the data subject's request to exercise that right must be fully attended to; for this purpose the controller must use the communication channels indicated in the request, sending the response and accrediting its receipt or the provision of the response to that right.

In view of the above, and in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on CARTONAJES BAÑERES, S.A., with NIF A03009263, two administrative fines for the infringement of the following articles of the GDPR:

- Article 35, in accordance with article 83.4 a) of the GDPR, and for the purposes of the statute of limitations of the infringement, classified as serious in article 73.t) of the LOPDGDD, with 200,000 euros.

- Article 15, in accordance with article 83.5 b) of the GDPR, and for the purposes of the statute of limitations of the infringement, classified as very serious in article 72.1.k) of the LOPDGDD, with 20,000 euros.

SECOND: TO ORDER CARTONAJES BAÑERES, S.A., with NIF A03009263, pursuant to article 58.2.c) of the GDPR, to prove, within 30 days from the date on which the resolution ending this procedure becomes enforceable, that it has complied with the claimant's exercise of the right of access.

THIRD: TO NOTIFY this resolution to CARTONAJES BAÑERES, S.A.

FOURTH: This resolution will be enforceable once the period for filing the optional appeal for reconsideration ends (one month from the day following notification of this resolution) without the interested party having made use of this faculty. The sanctioned party is warned that it must make the imposed sanction effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17/12, by means of its payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account no. IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.
Once notification has been received and the resolution has become enforceable, if the date of enforceability is between the 1st and 15th of the month, both inclusive, the deadline for making voluntary payment will be the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of the month, both inclusive, the payment deadline will be the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution, or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13/07, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party states its intention to lodge an administrative appeal.
If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, submitting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned LPACAP. It must also send the Agency the documentation proving the effective filing of the administrative appeal. If the Agency is not made aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will consider the provisional suspension to be terminated.

938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es