AEPD (Spain) - PS/00024/2019

AEPD - PS/00024/2019

Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 12 GDPR Article 15 GDPR Article 56(2) GDPR Article 57(1)(f) GDPR
Type:	Complaint
Outcome:	Upheld
Decided:	n/a
Published:	3.02.2020
Fine:	None
Parties:	Health Department of Madrid Vs. Anonymous
National Case Number:	PS/00024/2019
European Case Law Identifier	n/a
Appeal:	n/a
Original Language:	Spanish
Original Source:	AEPD (in ES)

The AEPD found that a data controller may not require from the data subject to collect the personal data requested himself or on his behalf if it can be sent with appropriate and adequate means instead. Indeed, the data controller was able to identify the data subject and to send the personal data via encrypted email. Therefore, it was not proportionate to answer that the right of access could be exercised only if the data subject has appointed someone to collect his personal data on his behalf instead of sending directly to him, under Article 12 and 15 GDPR.

English Summary

Facts

The complainant requested his medical records containing personal data to the University Hospital Puerta de Hierro by e-mail. He asked them to send the documentation by post to his place of residence in Honduras and later, noticed that he wanted the document to be sent in Greece. The hospital answered it would have been impossible to send him the documentation requested to the alleged place of residence, namely in Greece, by post.

Nevertheless, they answered it was only possible that someone collect the documentation on the behalf of the data subject, as it was not possible to verify the data subject’s identity.

Following the data controller’s answer, the complainant filed a complaint with the AEPD, pursuant to Articles 56 and 57(1)(f) GDPR for obstructing his right of access.

Dispute

Could the data controller require to the data subject to collect the personal data or to appoint someone to collect them on his behalf?

Holding

The AEPD noted that it that the exercise of the followings rights: access, rectification, deletion, limitation, portability and opposition has been refused.

The AEPD pointed out that the data controller could have been easily identified the data subject as he sent a photocopy of his identity card. It also noticed that the data controller could have use an encryption system and send the medical records by e-mail.

Therefore, the AEPD rejected the data controller’s argument and urged the data controller to comply with the data subject’s request within the ten workings following days.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure Nº: PS/00024/2019938-051119Sanctioning procedure resolution of the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND

FIRST: On September 12, 2018 Mrs. A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency against the SCHOOL OF CHILDREN'S EDUCATION OF MILLADOIRO (AMES), (hereinafter, School or EEI), on the occasion of the presentation of the final list of students admitted for the 2018/2019 academic year, dated May 14, 2018, on the main facade and glass of the center, so that it is accessible from the outside to any passerby or neighbor. The above-mentioned list, of which the claimant has provided a copy, contains a detailed list of the order number, names, surnames and marks of a total of 100 students admitted for the said school year in the aforementioned Centre, which is dependent on the COUNSELING OF EDUCATION, UNIVERSITY AND VOCATIONAL TRAINING OF THE BOARD OF GALICIA (hereinafter, the Council or the claimant).The Complainant also states that the school provided all the families of the class of her youngest daughter with a list of the identification data of the students in the group, a copy of which is attached.

SECOND: On October 11, 2018, in accordance with Article 9.4 of Royal Decree-Law 5/2018, the complaint presented by the complainant was transferred to the aforementioned school so that within a period of one month this Agency could be informed of the causes that had motivated the facts of the complaint and inform the measures adopted to avoid similar incidents.In response to this request for information, on November 28, 2018, the complainant was registered in writing, indicating the following with respect to the list of admitted students: "That the process of admitting students to public schools is a competitive process, and that in these competitive procedures the most absolute transparency must govern, so that the lists of admitted students are always made public.It should also be pointed out that Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, provides in Article 45 for the possibility of replacing individualized notification with publication of certain procedures. 
Specifically, this provision includes "acts that are part of a selective or competitive procedure of any kind. In this case, the notice of the procedure must indicate the medium in which the successive publications are to be made; those made in different places are not valid."As it is a competitive procedure, there is a legal authorization to proceed with the publication of these lists of admitted persons, which has been specified in the Order of March 12, 2013 by which the procedure for the admission of students to teaching centers supported by public funds that provide 2nd cycle of infant education is developed,   of primary education, compulsory secondary education and high school regulated by Organic Law 2/2006 of 3 May on education (DOG 15/03/2013), recently amended by the Order of 25 January 2017 amending the Order of 12 March 2013 (...) (DOG01/02/2017).
Article 30 of the Order of 12 March 2013 (...) establishes the following: "Article 30. Publication of the provisional list of admitted and non-admitted students and complaints1. In view of the applications for admission presented, and once the score resulting from the application of the scale criteria has been determined, if applicable, the centre will publish on its notice board and website the nominal list of all admitted and non-admitted students per course, in order of the total score obtained."Likewise, article 31 establishes that: "2. The management of the public centres and the ownership of the private centres involved will publish on their notice board and on their web page, before May 15th of each year, the definitive lists of persons admitted and not admitted (...) "Therefore, as a first premise it must be pointed out that publication both on the centre's web page and on the notice board is expressly authorised by current regulations. It should also be taken into account that the third additional provision of said Order of 12 March 2013, in its wording given by the Order of 25 January 2017, establishes the following<< In accordance with Organic Law 15/1999, of 13 December, on the protection of personal data, the personal data collected in the course of this procedure, the processing and publication of which is authorised by the interested parties through the submission of applications, will be included in a file called "Administrative relations with citizens and entities" for the purpose of managing this procedure, as well as to inform interested parties of its processing. The body responsible for this file is the Regional Ministry of Culture, Education and University Organisation of the Xunta de Galicia. (...)>>It is particularly important that the order regulating the procedure states that the processing and publication of personal data are authorised by the interested parties themselves by means of the presentation of the application.The claimant also manifests her disagreement with the fact that the publication on the board is made in the window of the educational centre, in this respect it should be noted that, having consulted the situation, the centre does not have a notice board as such, but rather the windows of the school are used to transmit information to families in which the information on the centre, the ANPA (extracurricular activities, etc.) and the educational and teaching activities of the Ames City Council are posted.During the admission period, and since a lot of documentation must be published (instructions from the council, data from the centre, provisional lists, definitive lists, etc.) the window in front of the school is used, as it is wider and allows a correct view of all the documentation.It should be noted that, as already indicated, the order regulating the admission procedure provides for publication not only on the school's notice board, but also on its web page, thus including an alternative means of publication that implies much greater publicity than the school's notice board.Therefore, it cannot be argued that the complainant did not know that the information that would be published would be accessible to persons outside the educational centre, since the announcement itself indicated that the lists would be published on the notice board and on the web page, a provision that makes it irrelevant that the notice board is accessible from the street, since the centre's web page is accessible by any person from any computer in the world.Thirdly, the complainant alleges that the centre provides a list of the members of the school group corresponding to the minor to all the families in the class.(...)Therefore, it is intended to explain that the elaboration of these lists and their delivery does not respond to the arbitrariness of the centre, but to the will to provide a better service that facilitates the adaptation period for the families. However, with a view to future school years, the General Technical Secretariat has informed the school that in order to continue using this system, they must obtain authorisation from the students' legal representatives to distribute the list to the other families in the classroom. If the appropriate authorisation is not available, a different system will have to be implemented that does not involve such delivery".

THIRD: On December 2, 2018, the claimant presented an extension of the claim, attaching the following documentation: -Printing of a document, dated November 30, 2018, for the attention of the General Technical Secretary of the Ministry, one of whose sections indicates that "Upon the election of the members of the School Council, the list of parents that make up the educational community is published in the window and outwards, associating their complete ID card to each name and surname, without any pixelation".  The claimant does not accredit the origin, authorship or nature of this document. Partial capture of a sheet of the list "Censo de Responsables" of theEEI do Milladoiro, Academic Year 2018/2019, which contains the names, surnames and NICs of the responsible detailed in the numbers 288 to 311 of the Census.   This document does not prove, by itself, the exact place of placement of this list.Two photographs showing a window with exposed documentation, but which do not allow us to know the content or nature of the documents exposed in said window.With regard to the lack of pixelation of the DNI contained in the "Census of Persons Responsible" supposedly published in the aforementioned window, it should be noted that on the date of presentation of the extension of the claim, which necessarily follows the date of issue of the aforementioned census, Organic Law 3/2018 of 5 December was not in force,   The additional provision contained in that regulation, concerning the "Identification of interested parties in notifications by means of announcements and publications of administrative acts", paragraph 1 of which provides, therefore, was not applicable:“1.   Where it is necessary to publish an administrative act containing personal data on the person concerned, that person shall be identified by his name and surname, with the addition of four random digit numbers from the national identity document, alien identity number, passport or equivalent document. When the publication refers to a plurality of affected persons, these random numbers must be alternated. When the notification is made by means of announcements, particularly in the cases referred to in Article 44 of Law 39/2015 of 1 October, on the Common Administrative Procedure of Public Administrations, the affected person will be identified exclusively by the complete number of his or her national identity card, foreigner's identity number, passport or equivalent document. When the affected person lacks any of the documents mentioned in the two previous paragraphs, he or she will be identified only by his or her name and surname(s). Under no circumstances must the name and surname be published together with the full number of the national identity card, alien's identity number, passport or equivalent document.

FOURTH: On May 10, 2019, the Director of the Spanish Agency of Data Protection agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of article 58.2 of the RGPD, for the alleged infringement of article 5.1.f) of the RGPD, typified in article 83.5.a) of the RGPD.
In that agreement it was stated "That, if the existence of the described infringements is confirmed, for the purposes provided for in Article 58.2 of the RGPD the corrective measures that could be imposed on the COUNCIL OF EDUCATION, UNIVERSITY AND VOCATIONAL TRAINING OF THE BOARD OF GALICIA, in the resolution, would consist, in view of the elements of judgment available at this time, in ORDERING it to adopt technical and organisational measures adapted to guarantee the principle of confidentiality in order to avoid third parties not interested in accessing the personal information in administrative acts referred to,   Both to those who participate in selective procedures or competitive tenders that must be notified through publication on bulletin boards or web pages, as well as to personal data concerning interested parties whose identification must include administrative acts to be published in the manner indicated, avoiding, in any case, that these data are accessible indiscriminately from the public highway or open from the websites, in addition to the fact that the published data respond to the principle of minimizing data with respect to the purposes for which they are treated.Such measures should be adopted, where appropriate, within the time limit specified from the date on which the decision imposing the penalty is notified to you, and evidence should be provided to show that it has been complied with".

FIFTH: Once the aforementioned agreement was notified, the respondent presented a written delegation in which, in summary, the statements made in the response to the request for information made together with the transfer of the claim were ratified. -With regard to the publication of the lists of students admitted on the website of the School and on the glass facade of the same, visible from the outside, it is reiterated that the process of admission of students to public schools constitutes a competitive procedure, governed by the principle of transparency, and these lists are published under the protection of the provisions of Article 45 of the LPACAP and in accordance with the Order of March 12, 2013.  It argues that such publication is based on two legitimate grounds provided for in the RGPD and the LOPDGDD. The first basis of legitimacy corresponds to the provisions of Article 6.1.e) of the RGPD, as there is a rule that expressly authorizes the administration to carry out such publication.   In this regard, it is pointed out that the schooling process corresponds to the fulfilment of a public interest mission attributed to the education administration by Organic Law 2/2006, of 3 May, on education. With respect to the specific method of notification of the resolution of said process, article 45.1.b) of the LPACAP establishes the legal obligation for the administration responsible for processing to substitute individualized notification of the resolution with publication in selective or competitive procedures.  In addition, Articles 30 and 31 of the Order of March 12, 2013, the transcription of which appears in the second precedent above, expressly authorize the publication of the lists of persons admitted and not admitted on the center's website and on the bulletin board.   The second basis of legitimacy, responds to the provisions of article 6.1.a) of the RGPD, while in accordance with the provisions of the third additional provision of the aforementioned Order of 12 March, the consent of the affected person would be required for the processing and publication of the personal data collected in the processing of this procedure, as it has been authorised by "the interested persons by means of the presentation of the applications".   Therefore, by signing and submitting the applications for the release of her daughters, a copy of which is provided by the claimant, the claimant consented to such publication. -As for the complainant's disagreement with the fact that the publication on the board is made in the window of the educational centre, the Regional Ministry stated that "the centre does not have a notice board as such, using the windows that are in front of the school to transmit different information to families" and to publish the documentation referred to during the period of admission, given that its scope allows a correct view of all the documentation.   The publication of the census lists is necessary for the procedure for holding elections to the School Board, as established in article 44 of Decree 92/1988, which regulates the governing bodies of public educational centres, that "The electoral census must be displayed on the school's notice board at least ten days before the date set for the election, for verification and possible claims by the parents and legal guardians of the students". It is noted that the objective of publishing the lists on the window in such a way that they are accessible from the outside is an attempt to make it easier for parents to consult the census, since in this way they can consult it even when the school is closed. - They communicate the adoption of measures to comply with the seventh additional provision of the LOPDGDD and to publish the electoral rolls on the internal board of the school.

SIXTH: On 15 November 2019 a proposal for a resolution was made, in the sense that the Director of the Spanish Data Protection Agency should impose on the person claimed, in accordance with the provisions of article 58.2.b) of the RGPD, a warning sanction for an infringement of article 5.1.f) of the RGPD, typified in article 83.5.a) of the RGPD.Likewise, it was proposed that, if the rectification of the irregular situation described above had not been accredited prior to the issue of the resolution that might be agreed upon, the Director of the Spanish Data Protection Agency should order the respondent, in accordance with the provisions of Article 58.2.d) of theRGPD, "the adoption of appropriate technical and organisational measures to guarantee the principle of confidentiality, which, as far as the School under study is concerned, will tend to prevent the publication of administrative acts containing personal data on the glass façade, and to the outside, of the School that we are concerned with. In general, these measures will be extended to prevent the information of a personal nature contained in this type of administrative acts that are subject to publication in the means established for this purpose from being visible and/or accessible from the outside of the schools, and mechanisms must also be implemented to guarantee that access to the content of these administrative acts published on the website of the schools will be available to the persons interested in the procedures (participants)".  It was also indicated that such corrective measures would have to be taken, in their