AEPD (Spain) - PS/00117/2022

From GDPRhub
AEPD - PS-00117-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(11) GDPR
Article 6 GDPR
Article 9 GDPR
Article 9 GDPR
Article 57(1) GDPR
Article 58(1) GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Started: 10.09.2016
Decided:
Published: 14.04.2027
Fine: 2000 EUR
Parties: Data subject
Data controller
National Case Number/Name: PS-00117-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: isabela.maria.rosal

Spanish DPA fines controller for continuous sending of emails containing personal data for members and non-members of a Personnel Board. The DPA ruled that there is no legal basis for this processing, especially after the data subject's opposition.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject made a complaint regarding the ongoing processing of their personal data via email messages where their email address was available for members and non-members of the Personnel Board which both the data controller and the data subject are part of. Being part of the same labour group could justify processing personal data from the data subject. However, the data controller has shared personal data with various persons, including people outside of the Board. Even after the data subject requested that the information processing stopped, the emails with personal data continued to be sent. Even without the data subject's consent, the data controller justified the processing for laboural reasons, based on Article 9 of the GDPR, which is highlighted by the fact that the email with personal data is a corporate one.

Holding[edit | edit source]

The DPA understood that the processing of the data subject was abusive, especially because personal data as the email of the data subject was processed without their consent. In discordance with the GDPR, even after the request of the data subject to not have their email processed and shared with other people anymore, the activity continued without considering simple features such as "hidden copy" for sending emails that would mitigate risks. Thus, the DPA ruled that the processing was illegal, not complying with Article 6 of the GDPR, since there is no legal basis for the processing. The fact that both the data subject and the data controller were part of the same Personnel Board did not change the outcome, since the email address, reveling personal information was sent for non-members, so the Article 9 of the GDPR does not apply.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/11








     File No.: PS/00117/2022



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
to the following

                                   BACKGROUND


FIRST: A.A.A. (hereinafter, the complaining party) dated March 11, 2021
filed a claim with the Spanish Data Protection Agency. The
claim is directed against B.B.B. with NIF ***NIF.1 (hereinafter, the part
claimed).


The reasons on which the claim is based are the following:

Both the complaining party and the claimed party are members of the same
personnel meeting, and the claimant states that the claimant has forwarded emails
emails to other members and non-members of this staff board and to

corporate emails from unions and groups without legitimacy to do so.

The emails that do not belong to the personnel meeting are the following: ***EMAIL.1,
***EMAIL.2, ***EMAIL.3, ***EMAIL.4, ***EMAIL.5, ***EMAIL.6 and ***EMAIL.7; (in

forward, reported email addresses),

In that email, information about the claimant also appears, such as his name and address.
work email.


The complainant sent an email on January 22, 2021 to members of the
staff meeting in which he requested that they stop forwarding his email address
electronic to third parties; but the defendant again forwarded emails from the claimant to

people from outside the personnel meeting on February 16 and 17, 2021 and 16
March 2021.

Relevant documentation provided by the complaining party:


- Printout of email dated January 20, 2021 sent by
 ***EMAIL.8 to multiple emails including email
 work of the claimant and the reported email addresses indicated in his

 claim among others. In this email, we request that they be included among the
 recipients of staff board emails to a new board member and

 to the delegate of the STAS-CLM union section.

- Printout of email dated January 22, 2021 in which the
 claimant responds to the recipients of the previous email, except for the addresses

 of mail reported. In this email you request that your email not be sent


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/11








 or other information from the personnel board to the reported email addresses due to
 because they do not belong to the personnel board.


- Printout of email dated January 28, 2021 in which the
 complainant reiterates that he does not want his name or email to be sent to
 Other email addresses that do not correspond to board members

 of personal.

- Printout of email dated February 16, 2021 sent by the
 claimed to multiple email addresses that include the email address

 claimant's work email and the following addresses that the claimant
 indicates that they do not belong to the personnel board: ***EMAIL.4, ***EMAIL.5,
 ***EMAIL.9, ***EMAIL.2, ***EMAIL.10 and ***EMAIL.11. The content of this email is

 an attachment with the subject “exit minutes and documents”.

- Printout of email dated February 17, 2021 sent by the
 claimed to multiple email addresses that include the email address

 claimant's work email and the following addresses that the claimant
 indicates that they do not belong to the personnel board: ***EMAIL.4, ***EMAIL.5,

 ***EMAIL.9, ***EMAIL.2, ***EMAIL.10 and ***EMAIL.11. The content of this email
 There are three attachments and the content indicates that they contain FeSP-UGT proposals
 for a staff board meeting.


- Printout of email dated February 18, 2021 in which the
 complainant responds to the previous email of February 17, 2021 reiterates that no
 you want those emails to be sent to other email addresses that are not

 correspond to members of the personnel board, and indicate which email addresses
 email are the ones that should not have been in the “To” of the email of December 17
 February 2021.


This claim was complemented by a document presented by the
complainant before the Spanish Data Protection Agency (hereinafter, AEPD) and
entry date on March 26, 2021, in which, among other things, the following is provided

documentation:

- Printout of email dated March 16, 2021 sent by the
 claimed to multiple email addresses that include the email address

 the claimant's work email address and, among other addresses, the following:
 ***EMAIL.12, ***EMAIL.2, ***EMAIL.13 and ***EMAIL.9. This email
 It contains an attachment and its content is “attachment registered writings.”


- Indication that the emails ***EMAIL.12, ***EMAIL.2, ***EMAIL.13 and
 ***EMAIL.9 correspond to CCOO affiliates not belonging to the board of
 staff.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/11








SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to

to proceed with its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations

Public (hereinafter, LPACAP), was collected on April 19, 2021 as
It appears in the acknowledgment of receipt that is in the file.

The background information contained in the information systems is as follows:

On May 11, 2021, within procedure E/04149/2021, it has entry

in the AEPD, a document presented on behalf of FSP-UGT, in which
provides, among other things, the following information:

- Allegation that the email address has been used in a way

 legitimate because it has been used by the union and the claimant is a delegate
 of staff and member of the staff board.


- Allegation that the defendant understood that, from his actions, no
 no infringement regarding the protection of personal data due to
 the following reasons:


       “- The corporate nature of that email account (***EMAIL.14),

        - Its use strictly related to the professional field of the board of directors
          “work center staff”

- Allegation that the emails reported by the claimant have been

 sent from an email account (***EMAIL.15) that is not owned
 of FeSP-UGT, and it is indicated that this aspect had already been warned to the

 UGT workers. And the impression of a “Reminder to workers” is provided.
 dated January 15, 2020, which indicates, among other things, the following:
 “Therefore, any email that is sent by any of the

 workers of this Federation from an unauthorized or unofficial address not
 will be considered the responsibility of this body, and the
 particular measures that correspond against the issuers.”



THIRD: On August 12, 2021, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out

of previous investigative actions to clarify the facts in
issue, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/11








2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:


The list of members of the personnel board and the motivation for sending the emails
to email addresses that did not belong to members of that board of directors
personnel could not be verified after having sent a request for

information to the claimant at the address ***ADDRESS.1.

It is clear that this information request was notified on February 2,
2022, upon being collected by C.C.C. with NIF ***NIF.2 in ***ADDRESS.1, without

has received a response to this information request from the AEPD.


FIFTH: On June 9, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the complainant, with

in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of article 6 of the RGPD, typified in article
83.5 of the GDPR.


SIXTH: On June 30, 2022, the claimed party presented a written
allegations in which, in summary, he stated that the address to which he was sent
The initial agreement is not your address, but that of the UGT union in your location, the
which is not authorized to collect notifications in your name, which is why it is not
was able to respond to the request carried out on February 2, 2022, causing

absolute helplessness, which is why he requests that the actions be taken back to
said date.

In relation to your address, you state that your address for notification purposes is
***ADDRESS.2.


The defendant considers that the email addresses sent are from
representatives of workers or union organizations with representation
at the Personnel Board.

The defendant alleges the non-existence of the infringement under Article 9 of the GDPR, by

the claimant belongs to a union organization, and said emails are processed
workplace electronics.

It is alleged that all Board workers have access to the employee portal
with a directory where you can access the name, job, destination, email

electronic and telephone.

SEVENTH: On July 7, 2022, the instructor of the procedure agreed to terminate
reproduced for evidentiary purposes the claim filed by A.A.A. and his
documentation, the documents obtained and generated during the admission phase to
processing of the claim, and the report of previous investigation actions that

They are part of procedure E/08764/2021.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/11








Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of
initiation of the referenced sanctioning procedure, presented by B.B.B., and the
documentation that accompanies them.


EIGHTH: On July 19, 2022, a proposed resolution was formulated,
proposing that the Director of the Spanish Data Protection Agency
sanction B.B.B., with NIF ***NIF.1, for a violation of article 6 of the RGPD,
typified in article 83.5 of the RGPD, with a fine of €2,000 (two thousand euros)


NINTH: On August 19, 2022, allegations were presented to the proposal
resolution, reiterating those already indicated on June 30, 2022

Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:


                                PROVEN FACTS

FIRST: Dissemination of the email addresses of each member of the
personnel meeting of the claimant's workplace, by sending emails with the minutes of
board meetings to corporate emails from unions and groups without

legitimation for its reception, as well as to third parties who do not belong to the board of
staff.

SECOND: The defendant alleges the non-existence of the infringement as the
complainant to a union organization, and said emails be treated as

labor sphere.

                           FOUNDATIONS OF LAW

                                            Yo


Article 4.11 of the GDPR defines the consent of the interested party as “any
manifestation of free, specific, informed and unequivocal will by which the
interested party accepts, either by a declaration or a clear affirmative action, the
processing of personal data that concerns you.”


In this sense, article 6.1 of the LOPDGDD establishes that “in accordance with the
provided in article 4.11 of Regulation (EU) 2016/679, consent is understood to be
ment of the affected person any manifestation of free, specific, informed and ineligible will.
ambiguity by which he accepts, either through a statement or a clear action
“Yes, the processing of personal data that concerns you.”

For its part, article 6 of the RGPD establishes the following:

"1. The treatment will only be legal if at least one of the following conditions is met:
nes:

a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;

b) the processing is necessary for the execution of a contract in which the interested party

is part of or for the application at his request of pre-contractual measures;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/11








c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;

d) the processing is necessary to protect vital interests of the interested party or another
Physical person;

e) the processing is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the controller;

 f) the processing is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that on said interests

interests or fundamental rights and freedoms of the interest do not prevail.
s that require the protection of personal data, particularly when the interest
sado be a child.

The provisions of letter f) of the first paragraph will not apply to the treatment
carried out by public authorities in the exercise of their functions.”


                                           III

In the present case, the complaining party denounces the claimed party because

Emails have been repeatedly forwarded to other members and
non-members of the personnel board of which he is a member and to corporate emails of
unions and groups without legitimacy or consent on the part of the claimant.

A document submitted on behalf of FSP-UGT has been entered into the AEPD,

where two aspects are revealed, on the one hand the corporate nature of the
email account object of this assumption (***EMAIL.14), which makes its use
is strictly related to the professional field of the personnel board
of the workplace.”


Secondly, it is alleged that the emails reported by the claimant
have been sent from an email account (***EMAIL.15) that is not
property of FeSP-UGT, and it is indicated that this aspect had already been warned to the
UGT workers.

Print is provided of a “Reminder to workers” dated January 15,

2020 which indicates, among other things, the following:

“Therefore, any email that is sent by any of the
workers of this Federation from an unauthorized or unofficial address not
will be considered the responsibility of this body, and measures may be adopted

individuals that correspond against the issuers.”

Thus, it seems that FSP-UGT is exempt from all responsibility, but not
the defendant, since the issuance of emails on the 16th and 17th of
February 2021 and March 16, 2021, despite the claimant's request that

stop forwarding your email address to third parties.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/11








The defendant, in a written statement of allegations dated June 30, 2022, requests feedback from
the actions for not having received the information request dated 2
February 2022.


In this sense we must indicate that the actions carried out in the month of February
They are prior actions that are carried out in accordance with article 65.4 of the
LOPDGDD, carried out prior to the start of the sanctioning procedure.

Therefore, defenselessness can only be considered in the event that once the

initiation agreement, and not before, the defendant would not have been able to exercise the rights
that law 39/2015 on common administrative procedure confers in all
sanctioning procedure, such as the right to know the facts that are
accused and be able to present allegations and evidence, or exercise their right to
audience.


Since we are not in any of these cases, retroaction does not apply.
of the performances.

Secondly, the defendant resorts to article 9 of the RGPD, justifying that the
The data processed is about union membership and was disseminated in a work environment.


However, it is considered that the processing of the claimant's personal data
has been excessive because the emails subject to this complaint were
They also referred people outside the personnel board, and more so when possible
its omission with the use of tools such as blind copy, when required

by the owner of that personal data that it is not used when expressing
expressly that you do not consent to the processing of your email, in the exercise of
your right to object.

Therefore, it is considered that we are dealing with illegal processing of personal data,

by sending emails to other members and non-members of the board of directors
personnel of which the claimant is a member, and to corporate emails of unions and
collectives, incurring a violation of article 6 of the RGPD, indicated in the
legal basis II, since the personal data have been processed without counting
with any type of legitimation.


                                          IV

In accordance with the transcribed precepts, in order to set the amount of the sanction of
fine to impose we must take into account article 83.5.a) of the RGPD, where
indicates that “violations of the following provisions will be sanctioned, in accordance with

in accordance with paragraph 2, with administrative fines of EUR 20 000 000 as
maximum or, in the case of a company, an amount equivalent to 4% as
maximum of the total global annual turnover of the previous financial year,
opting for the highest amount:


 a) the basic principles for the treatment, including the conditions for the
consent in accordance with articles 5, 6, 7 and 9;”



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/11








Article 72.1 b) of the LOPDGDD states that “based on what is established by the
article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe
after three years, infractions that involve a substantial violation of the

articles mentioned in that and in particular, the following:

b) The processing of personal data without any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679.”

                                           V


In order to determine the administrative fine to impose, the following must be observed:
provisions of articles 83.1 and 83.2 of the RGPD, provisions that indicate:

“Each control authority will guarantee that the imposition of administrative fines

under this Article for infringements of this Regulation
indicated in sections 4, 5 and 6 are effective in each individual case,
proportionate and dissuasive.”


“Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the

Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question
such as the number of interested parties affected and the level of damages that
have suffered;


b) intentionality or negligence in the infringement;

c) any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties;

d) the degree of responsibility of the person responsible or in charge of the treatment,
taking into account the technical or organizational measures that have been applied under
of articles 25 and 32;

e) any previous infringement committed by the controller or processor;


 f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, in what
extent;


i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the
same matter, compliance with said measures;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/11








j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or

indirectly, through infringement.”


Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
“Sanctions and corrective measures” provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:


a) The continuous nature of the infringement.

b) The linking of the offender's activity with the performance of medical treatments.
personal information.

c) The benefits obtained as a consequence of the commission of the infraction.


d) The possibility that the conduct of the affected person could have induced the commission
of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.


f) The impact on the rights of minors.

g) Have, when not mandatory, a data protection delegate.

h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which

"There are disputes between them and any interested party."



In accordance with the transcribed precepts, in order to set the amount of the sanction of
fine to be imposed on B.B.B. with NIF ***NIF.1, as responsible for an infringement

typified in article 83.5.a) of the RGPD, are considered concurrent in this
case, as aggravating factors, the following factors:
     Intentionality or negligence in the infringement, since given the activity

    Greater care is required from the claimant in the processing of the data.
    (83.2.b) GDPR)

Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of sanctions whose existence has been proven,


the Director of the Spanish Data Protection Agency RESOLVES:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/11








FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for a violation of article 6 of the
RGPD, typified in article 83.5 of the RGPD, a fine of €2,000 (two thousand euros).


SECOND: NOTIFY this resolution to B.B.B..

THIRD: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment period

voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency

Spanish Data Protection in the banking entity CAIXABANK, S.A.. In case
Otherwise, it will be collected during the executive period.

Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if

The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to

count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the

referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/11













                                                                                                          938-120722

Sea Spain Martí
Director of the Spanish Data Protection Agency







































































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es