AEPD (Spain) - PS/00024/2019

From GDPRhub
AEPD - PS/00024/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR; Article 15 GDPR; Article 56(2) GDPR; Article 57(1)(f) GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 3.02.2020
Fine: None
Parties: Health Department of Madrid Vs. Anonymous
National Case Number: PS/00024/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Spanish

Original Source: AEPD (in ES)

The AEPD found that a data controller may not require the data subject to collect the requested personal data himself, or to have it collected on his behalf, if it can instead be sent by appropriate and adequate means. The data controller was able to identify the data subject and to send the personal data via encrypted email. It was therefore not proportionate, under Articles 12 and 15 GDPR, to answer that the right of access could be exercised only if the data subject appointed someone to collect his personal data on his behalf, instead of sending the data directly to him.

English Summary

Facts

The complainant requested, by e-mail, his medical records containing personal data from the University Hospital Puerta de Hierro. He asked the hospital to send the documentation by post to his place of residence in Honduras, and later notified it that he wanted the documents to be sent to Greece. The hospital answered that it would be impossible to send the requested documentation by post to the alleged place of residence, namely Greece.

It added that the only possibility was for someone to collect the documentation on behalf of the data subject, as it was not possible to verify the data subject’s identity.

Following the data controller’s answer, the complainant filed a complaint with the AEPD, pursuant to Articles 56 and 57(1)(f) GDPR for obstructing his right of access.

Dispute

Could the data controller require the data subject to collect the personal data himself or to appoint someone to collect them on his behalf?

Holding

The AEPD noted that the exercise of the following rights had been refused: access, rectification, deletion, limitation, portability and opposition.

The AEPD pointed out that the data controller could easily have identified the data subject, as he had sent a photocopy of his identity card. It also noted that the data controller could have used an encryption system and sent the medical records by e-mail.

Therefore, the AEPD rejected the data controller’s argument and urged the data controller to comply with the data subject’s request within the following ten working days.


English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure Nº: PS/00024/2019
938-051119
Sanctioning procedure resolution of the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND

FIRST: On September 12, 2018 Mrs. A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency against the SCHOOL OF CHILDREN'S EDUCATION OF MILLADOIRO (AMES), (hereinafter, School or EEI), on the occasion of the presentation of the final list of students admitted for the 2018/2019 academic year, dated May 14, 2018, on the main facade and glass of the center, so that it is accessible from the outside to any passerby or neighbor. The above-mentioned list, of which the claimant has provided a copy, contains a detailed list of the order number, names, surnames and marks of a total of 100 students admitted for the said school year in the aforementioned Centre, which is dependent on the COUNSELING OF EDUCATION, UNIVERSITY AND VOCATIONAL TRAINING OF THE BOARD OF GALICIA (hereinafter, the Council or the claimant).
The Complainant also states that the school provided all the families of the class of her youngest daughter with a list of the identification data of the students in the group, a copy of which is attached.

SECOND: On October 11, 2018, in accordance with Article 9.4 of Royal Decree-Law 5/2018, the complaint presented by the complainant was transferred to the aforementioned school so that within a period of one month this Agency could be informed of the causes that had motivated the facts of the complaint and inform the measures adopted to avoid similar incidents.
In response to this request for information, on November 28, 2018, the complainant was registered in writing, indicating the following with respect to the list of admitted students: "That the process of admitting students to public schools is a competitive process, and that in these competitive procedures the most absolute transparency must govern, so that the lists of admitted students are always made public.
It should also be pointed out that Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, provides in Article 45 for the possibility of replacing individualized notification with publication of certain procedures. Specifically, this provision includes "acts that are part of a selective or competitive procedure of any kind. In this case, the notice of the procedure must indicate the medium in which the successive publications are to be made; those made in different places are not valid."
As it is a competitive procedure, there is a legal authorization to proceed with the publication of these lists of admitted persons, which has been specified in the Order of March 12, 2013 by which the procedure for the admission of students to teaching centers supported by public funds that provide 2nd cycle of infant education is developed, of primary education, compulsory secondary education and high school regulated by Organic Law 2/2006 of 3 May on education (DOG 15/03/2013), recently amended by the Order of 25 January 2017 amending the Order of 12 March 2013 (...) (DOG 01/02/2017).
Article 30 of the Order of 12 March 2013 (...) establishes the following: "Article 30. Publication of the provisional list of admitted and non-admitted students and complaints 1. In view of the applications for admission presented, and once the score resulting from the application of the scale criteria has been determined, if applicable, the centre will publish on its notice board and website the nominal list of all admitted and non-admitted students per course, in order of the total score obtained."
Likewise, article 31 establishes that: "2. The management of the public centres and the ownership of the private centres involved will publish on their notice board and on their web page, before May 15th of each year, the definitive lists of persons admitted and not admitted (...)"
Therefore, as a first premise it must be pointed out that publication both on the centre's web page and on the notice board is expressly authorised by current regulations. It should also be taken into account that the third additional provision of said Order of 12 March 2013, in its wording given by the Order of 25 January 2017, establishes the following: <<In accordance with Organic Law 15/1999, of 13 December, on the protection of personal data, the personal data collected in the course of this procedure, the processing and publication of which is authorised by the interested parties through the submission of applications, will be included in a file called "Administrative relations with citizens and entities" for the purpose of managing this procedure, as well as to inform interested parties of its processing. The body responsible for this file is the Regional Ministry of Culture, Education and University Organisation of the Xunta de Galicia. (...)>>
It is particularly important that the order regulating the procedure states that the processing and publication of personal data are authorised by the interested parties themselves by means of the presentation of the application.
The claimant also manifests her disagreement with the fact that the publication on the board is made in the window of the educational centre, in this respect it should be noted that, having consulted the situation, the centre does not have a notice board as such, but rather the windows of the school are used to transmit information to families in which the information on the centre, the ANPA (extracurricular activities, etc.) and the educational and teaching activities of the Ames City Council are posted.
During the admission period, and since a lot of documentation must be published (instructions from the council, data from the centre, provisional lists, definitive lists, etc.) the window in front of the school is used, as it is wider and allows a correct view of all the documentation.
It should be noted that, as already indicated, the order regulating the admission procedure provides for publication not only on the school's notice board, but also on its web page, thus including an alternative means of publication that implies much greater publicity than the school's notice board.
Therefore, it cannot be argued that the complainant did not know that the information that would be published would be accessible to persons outside the educational centre, since the announcement itself indicated that the lists would be published on the notice board and on the web page, a provision that makes it irrelevant that the notice board is accessible from the street, since the centre's web page is accessible by any person from any computer in the world.
Thirdly, the complainant alleges that the centre provides a list of the members of the school group corresponding to the minor to all the families in the class. (...)
Therefore, it is intended to explain that the elaboration of these lists and their delivery does not respond to the arbitrariness of the centre, but to the will to provide a better service that facilitates the adaptation period for the families. However, with a view to future school years, the General Technical Secretariat has informed the school that in order to continue using this system, they must obtain authorisation from the students' legal representatives to distribute the list to the other families in the classroom. If the appropriate authorisation is not available, a different system will have to be implemented that does not involve such delivery".

THIRD: On December 2, 2018, the claimant presented an extension of the claim, attaching the following documentation:
- Printing of a document, dated November 30, 2018, for the attention of the General Technical Secretary of the Ministry, one of whose sections indicates that "Upon the election of the members of the School Council, the list of parents that make up the educational community is published in the window and outwards, associating their complete ID card to each name and surname, without any pixelation". The claimant does not accredit the origin, authorship or nature of this document.
Partial capture of a sheet of the list "Censo de Responsables" of the EEI do Milladoiro, Academic Year 2018/2019, which contains the names, surnames and NICs of the responsible detailed in the numbers 288 to 311 of the Census. This document does not prove, by itself, the exact place of placement of this list.
Two photographs showing a window with exposed documentation, but which do not allow us to know the content or nature of the documents exposed in said window.
With regard to the lack of pixelation of the DNI contained in the "Census of Persons Responsible" supposedly published in the aforementioned window, it should be noted that on the date of presentation of the extension of the claim, which necessarily follows the date of issue of the aforementioned census, Organic Law 3/2018 of 5 December was not in force, The additional provision contained in that regulation, concerning the "Identification of interested parties in notifications by means of announcements and publications of administrative acts", paragraph 1 of which provides, therefore, was not applicable:
“1. Where it is necessary to publish an administrative act containing personal data on the person concerned, that person shall be identified by his name and surname, with the addition of four random digit numbers from the national identity document, alien identity number, passport or equivalent document. When the publication refers to a plurality of affected persons, these random numbers must be alternated. When the notification is made by means of announcements, particularly in the cases referred to in Article 44 of Law 39/2015 of 1 October, on the Common Administrative Procedure of Public Administrations, the affected person will be identified exclusively by the complete number of his or her national identity card, foreigner's identity number, passport or equivalent document. When the affected person lacks any of the documents mentioned in the two previous paragraphs, he or she will be identified only by his or her name and surname(s). Under no circumstances must the name and surname be published together with the full number of the national identity card, alien's identity number, passport or equivalent document.”

FOURTH: On May 10, 2019, the Director of the Spanish Agency of Data Protection agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of article 58.2 of the RGPD, for the alleged infringement of article 5.1.f) of the RGPD, typified in article 83.5.a) of the RGPD.
In that agreement it was stated "That, if the existence of the described infringements is confirmed, for the purposes provided for in Article 58.2 of the RGPD the corrective measures that could be imposed on the COUNCIL OF EDUCATION, UNIVERSITY AND VOCATIONAL TRAINING OF THE BOARD OF GALICIA, in the resolution, would consist, in view of the elements of judgment available at this time, in ORDERING it to adopt technical and organisational measures adapted to guarantee the principle of confidentiality in order to avoid third parties not interested in accessing the personal information in administrative acts referred to, Both to those who participate in selective procedures or competitive tenders that must be notified through publication on bulletin boards or web pages, as well as to personal data concerning interested parties whose identification must include administrative acts to be published in the manner indicated, avoiding, in any case, that these data are accessible indiscriminately from the public highway or open from the websites, in addition to the fact that the published data respond to the principle of minimizing data with respect to the purposes for which they are treated.
Such measures should be adopted, where appropriate, within the time limit specified from the date on which the decision imposing the penalty is notified to you, and evidence should be provided to show that it has been complied with".

FIFTH: Once the aforementioned agreement was notified, the respondent presented a written delegation in which, in summary, the statements made in the response to the request for information made together with the transfer of the claim were ratified.
- With regard to the publication of the lists of students admitted on the website of the School and on the glass facade of the same, visible from the outside, it is reiterated that the process of admission of students to public schools constitutes a competitive procedure, governed by the principle of transparency, and these lists are published under the protection of the provisions of Article 45 of the LPACAP and in accordance with the Order of March 12, 2013. It argues that such publication is based on two legitimate grounds provided for in the RGPD and the LOPDGDD. The first basis of legitimacy corresponds to the provisions of Article 6.1.e) of the RGPD, as there is a rule that expressly authorizes the administration to carry out such publication. In this regard, it is pointed out that the schooling process corresponds to the fulfilment of a public interest mission attributed to the education administration by Organic Law 2/2006, of 3 May, on education. With respect to the specific method of notification of the resolution of said process, article 45.1.b) of the LPACAP establishes the legal obligation for the administration responsible for processing to substitute individualized notification of the resolution with publication in selective or competitive procedures. In addition, Articles 30 and 31 of the Order of March 12, 2013, the transcription of which appears in the second precedent above, expressly authorize the publication of the lists of persons admitted and not admitted on the center's website and on the bulletin board. The second basis of legitimacy, responds to the provisions of article 6.1.a) of the RGPD, while in accordance with the provisions of the third additional provision of the aforementioned Order of 12 March, the consent of the affected person would be required for the processing and publication of the personal data collected in the processing of this procedure, as it has been authorised by "the interested persons by means of the presentation of the applications". Therefore, by signing and submitting the applications for the release of her daughters, a copy of which is provided by the claimant, the claimant consented to such publication.
- As for the complainant's disagreement with the fact that the publication on the board is made in the window of the educational centre, the Regional Ministry stated that "the centre does not have a notice board as such, using the windows that are in front of the school to transmit different information to families" and to publish the documentation referred to during the period of admission, given that its scope allows a correct view of all the documentation. The publication of the census lists is necessary for the procedure for holding elections to the School Board, as established in article 44 of Decree 92/1988, which regulates the governing bodies of public educational centres, that "The electoral census must be displayed on the school's notice board at least ten days before the date set for the election, for verification and possible claims by the parents and legal guardians of the students". It is noted that the objective of publishing the lists on the window in such a way that they are accessible from the outside is an attempt to make it easier for parents to consult the census, since in this way they can consult it even when the school is closed.
- They communicate the adoption of measures to comply with the seventh additional provision of the LOPDGDD and to publish the electoral rolls on the internal board of the school.

SIXTH: On 15 November 2019 a proposal for a resolution was made, in the sense that the Director of the Spanish Data Protection Agency should impose on the person claimed, in accordance with the provisions of article 58.2.b) of the RGPD, a warning sanction for an infringement of article 5.1.f) of the RGPD, typified in article 83.5.a) of the RGPD.
Likewise, it was proposed that, if the rectification of the irregular situation described above had not been accredited prior to the issue of the resolution that might be agreed upon, the Director of the Spanish Data Protection Agency should order the respondent, in accordance with the provisions of Article 58.2.d) of the RGPD, "the adoption of appropriate technical and organisational measures to guarantee the principle of confidentiality, which, as far as the School under study is concerned, will tend to prevent the publication of administrative acts containing personal data on the glass façade, and to the outside, of the School that we are concerned with. In general, these measures will be extended to prevent the information of a personal nature contained in this type of administrative acts that are subject to publication in the means established for this purpose from being visible and/or accessible from the outside of the schools, and mechanisms must also be implemented to guarantee that access to the content of these administrative acts published on the website of the schools will be available to the persons interested in the procedures (participants)".
It was also indicated that such corrective measures would have to be taken, in this case, within one month from the day following the date on which the sanctioning resolution was notified, the means of proof of its compliance within the same period must be provided.

SEVENTH: Having been notified of the aforementioned proposal for a resolution, the respondent presented a written statement expressing his disagreement with the alleged violation, based on the following arguments:
- According to the proposal of resolution, any publication made by a public administration under the protection of the LPACAP or in accordance with the provisions of Article 20 of Law 38/2003, of November 17, 2003, on General Subsidies, "would be contrary to the principle of confidentiality, since a publication that not only has a legitimate basis that is not controversial, but also in its formal elements is in accordance with the provisions of the LOPDGDD.” It reiterates that the admission of students to public schools is a competitive procedure in which it is necessary to replace individualized notification by publication in application of a regulation with the status of law (Article 45 of the LPACAP).
- Since the seventh additional provision of the LOPDGDD includes the specific safeguards that apply in the publications of the administrations, it is stated that "a sensu contrario" it can be understood that "in the other aspects relating to publication, no other type of precaution that is legally necessary is established, how to avoid open publication through the conclave and password access suggested by the AEPD, but, as has been pointed out, the correct way to materialize the obligatory publication of the administrative act is provided, which is respectful, at the same time, of the normative limits referred to the protection of personal data.” It adds that these precautions are designed, inter alia, for cases in which publication must have the effect of notification, mainly through official bulletins which, on the date of entry into force of the LOPDGDD, were mostly of an electronic nature, thus enabling maximum publicity among the public of the acts published through free access on the Internet. In line with this, the claimant argues that "nothing prevents the conformity with the law and the legal validity of the administrative acts that follow the guidelines defined in the seventh additional provision of the LOPDGDD and are published in official electronic bulletins, extending those whose publicity is made through other electronic sites or websites that are enabled for this purpose through the respective calls. And if the publication in those terms is adjusted to the right when it is done through electronic means of free access, with equal reason it will be when it is done in paper format".
- Accessibility of information by an indeterminate number of individuals is inherent to the publication of administrative acts required by Article 45 of the LPACAP.
- In the case analyzed it is considered that the technical and organizational measures adopted have been adequate, while the publication has affected the minimum identifying data, essential and appropriate to achieve, through the administrative procedure promoted, the purpose provided for in the educational regulations. It is noted that there is no legal obligation to adopt measures to ensure that the provisional and final lists of students admitted and not admitted are published only on the school's internal bulletin board.

The Regional Ministry considers that the public interest prevails in the effectiveness of the notification through publication and in the guarantee of the exercise of the right to defend legitimate interests, directly or through associations that protect collective interests that may appear a posteriori, as opposed to the rights of the persons involved, whose privacy is affected at a minimum level. It maintains that taking into account the indications contained in the LOPDGDD regarding the form of publication of administrative acts, the possibility of access with a password is merely a suggestion by the AEPD, and therefore non-compliance would not constitute a breach of any legal obligation applicable to the case under analysis,

FACTS
First: On September 12, 2018, the claimant filed a complaint with the Spanish Data Protection Agency against the Centro Educativo ESCUELA EDUCACION INFANTIL DE MILLADOIRO (hereinafter, EEIM School), on the occasion of the publication of the final lists of students admitted for the 2018/2019 school year, on the main and glass façade of the School, which were visible from outside the School to any person passing through. The complainant added that these lists were also published on the school's website.

Second: The final list of students admitted to the 4th grade of Early Childhood Education (continuous day), academic year 2018/2019 of the EEIM, lists, in order of importance, the names and surnames of the 100 students admitted for that year in that school, which depends on the Department of Education, University and Professional Training of the Galician Government (hereinafter, the Department or the complainant).

Third: On September 12, 2018, the claimant extended her claim to the publication of the census list required for the elections to the School Council on the main and glazed facade of the School, also towards the outside.

Fourth: The "Census of Heads" of the "Academic year: 2018/2019" published on the glass facade of the EEIM contains the name, surname and complete ID of the parents and guardians of the students.

Fifth: The Regional Ministry has acknowledged in the writings presented to this Agency the use of these windows to publish the provisional and final lists of students admitted in the following terms: "During the period of admission, and since it must publish a lot of documentation (instructions from the Regional Ministry, data from the centre, provisional lists, final lists, etc.) the window in front of the school is used, as it is wider and allows a correct view of all the documentation".

Sixth: The Regional Ministry has stated that the objective of publishing the electoral census lists "in the window so that they are accessible from the outside is an attempt to facilitate consultation of the census by parents, since in this way they can consult it even when the school is closed". 

LEGAL FOUNDATIONS
I
By virtue of the powers conferred on each supervisory authority by Articles 55.1 and 2, 57.1 and 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR"), and in accordance with the provisions of Articles 47 and 48.1, 77.1.c) and 2 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II
This Regulation lays down the rules relating to the protection of individuals with regard to the processing of personal data and the rules relating to the free movement of such data. 2. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data. 3. The free movement of personal data within the Union may not be restricted or prohibited on grounds relating to the protection of individuals with regard to the processing of personal data."
To this end, it is recalled that Article 4 of the GDPR, under the heading 'Definitions', provides that: 'For the purposes of this Regulation
any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing; where the purposes and means of the processing are determined by the law of the Union or of the Member States, the controller or the specific criteria for his nomination may determine them by the law of the Union or of the Member States;"
In accordance with the definitions given in the above-mentioned Article 4(1), (2) and (7) of the RGPD, the dissemination on the glass façade, towards the outside, and on the website of the EEIM educational establishment of the identification data (name and surname) contained in the provisional and definitive lists of pupils admitted and not admitted for the 2018/2019 school year, as well as the exhibition in the glass facade of the electoral census (census of responsible) of the academic year 2018/2019 with the identification data (name, surname and complete ID card) of the parents and legal guardians of the students on the occasion of the election of the members of the School Council of the Centre, constitutes a processing of personal data by the claimant, in his capacity as the person responsible for such processing.

III
The defendant is accused of committing a breach of the principle of confidentiality set out in Article 5.1.f) of the RGPD, which, under the heading "Principles relating to processing", states that: "1.) "f) processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures (<<integrity and confidentiality>>)"
For its part, paragraph 2 of the aforementioned Article 5 of the RGPD establishes that: "2. The data controller shall be responsible for compliance with the provisions of paragraph 1 and shall be able to prove it (<<proactive responsibility>>)", which must be linked to the provisions of Article 32.2 of the same Regulation, which in terms of "Security of the processing", establishes that: "To increase the adequacy of the level of security, particular account shall be taken of the risks presented by the processing of data, especially as a result of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data".
5 of the LOPDGDD, in terms of "Data Protection Principles", establishes: "Article 5.
1. Data controllers and processors as well as all persons involved at any stage of the processing shall be subject to the duty of confidentiality referred to in Article 5.1.f) of Regulation (EU) 2016/679.
2. The general obligation indicated in the previous paragraph shall be complementary to the duties of professional secrecy in accordance with the applicable regulations.
3. The obligations established in the previous paragraphs shall be maintained even when the relationship of the data subject with the data controller or processor has ended".