AEPD (Spain) - PS/00044/2020

From GDPRhub
AEPD - PS/00044/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 32(3) of the Spanish Law 10/2010 of April 28th on Money Laundering Prevention
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.10.2020
Published: 29.10.2020
Fine: n/a
Parties: n/a
National Case Number/Name: PS/00044/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish Data Protection Agency (AEPD) imposed a warning on a Spanish public notary for infringing Article 13 GDPR by not offering the claimant relevant information when obtaining a copy of his national ID card to issue a certified copy of a document.

English Summary

Facts

The decision is the consequence of a complaint submitted by a Spanish citizen stating that, when he requested the defendant a copy of the deed corresponding to his house, the defendant required a copy of the national ID card of the claimant, but it did not offer him any information clauses regarding the circumstances of the data processing activity nor on the security measures used in order to keep the copy of the national ID card. The defendant promised that it would call the claimant to clarify such aspects, but this did not happen until two months later, when the defendant was newly required by the claimant. In that moment, the defendant sent the information clauses to the claimant, but it did not clarify any security measures; additionally, the defendant redirected the claimant to his data protection officer, who finally told the claimant that there was no need to inform him, with basis on Article 32 of the Spanish Law 10/2010 of April 28th on Money Laundering Prevention.

Dispute

The defendant answered to the first AEPD investigation requests (i) confirming that it did not offer the data protection information to the claimant until almost two months later, (ii) that it offered him the possibility of exercising his data rights, but that he only required a verification on the data protection information clause, that (iii) it considered that there was no need to inform the claimant on the basis of the money laundering legislation, and that (iv) the office of the defendant complied with the security measures specified at the ISO 27001, and it later added the following: (iv) a processing activities registry, the appointment of a DPO and the corresponding information clause at the invoices sent to its clients. The AEPD started the corresponding sanction procedure, and the defendant answered again insisting on the fact that public notaries are not obliged to offer data protection information based on the Spanish money laundering legislation.

Holding

Thus, the AEPD understood that the defendant has infringed Article 13 of the GDPR, as (i) it did not offer any data protection information to the claimant (not even the alleged exclusion concerning the money laundering legislation) until more than two months after the processing activity took place, and (ii) the money laundering legislation would not be really an exclusion, as it is only addressed to avoid information in cases in which the public notary is obliged to communicate the commission of a possible terrorism financing or money laundering offence to the SEPBLAC (the Spanish highest institution on money laundering issues), so Article 13 of the GDPR would be fully applicable to the processing activity. Consequently, the AEPD decided to impose a warning to the defendant and, additionally, required the defendant to include information clauses in any documents provided to its clients, within the period of one (1) month since this resolution.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/12









     Procedure No.: PS / 00044/2020
938-0419
                RESOLUTION OF SANCTIONING PROCEDURE


In the sanctioning procedure PS / 044/2020, instructed by the Spanish Agency for
Data Protection, to A.A.A., with NIF: *** NIF.1 (hereinafter, “the person
claimed ”), by virtue of the complaint presented by B.B.B., (hereinafter,“ the
claimant ”), and based on the following,
                                  BACKGROUND


FIRST: On 07/28/19, you had a written entry in this Agency, presented by
B.B.B., (hereinafter, “the claimant”), in which it stated, among others, the following:

"When I went to the notary to request a copy of the deed of my house, without informing

Regarding, they scanned my ID. When asked about how they protected that document,
They told me that they did not have the information but that they were taking my data and
they would call. I wanted to know about the security measures that were applied
because, if I had been informed, I would have given them a black and white photocopy. Two
months and a half later, as they had not contacted me, I sent them an email, in the
that they already show me the informative clauses, but they still do not inform me of how

they keep my ID. For security, I don't like having copies of my ID scanned to
good resolution and in color, so since they had not provided me with that
information, I insisted on it. They sent me to their DPD, with whom I have exchanged
emails, but ended up claiming that I did not need to be informed based on
to article 32 of Law 10/2010, of April 28, on the prevention of money laundering

capitals ”.

SECOND: In view of the facts set forth in the claim and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to carry out actions for its clarification, under the powers of

investigation granted to the control authorities in article 57.1 of the Regulation
(EU) 2016/679 (RGPD). Thus, dated 10/18/19, an informative request is addressed
to the claimed person.

THIRD: On 11/07/19, this Agency receives a letter from the Delegate of
Data Protection of the claimed Notary, in which, among others, it indicates:


“On August 7, 2018, the claimant went to the notarial office to
request a copy of the protocol of the former notary of that city, *** NOTARY. 1.
That on December 7, 2011 as a result of the retirement of the person
was a notary of this city *** NOTARY.1, Mr. *** NOTARY.2 received the

notarial protocol of the former for safekeeping.

That the claimant's DNI not being scanned, it was considered appropriate to carry out
your scan in accordance with money laundering legislation. For this it was taken into
consideration of the fact that it was an economic operation of the protocol to

position of Mr. *** NOTARY. 2 of which identification document was lacking.

That the claimant expressed his discrepancy regarding the applied tariff by placing a
claim for the invoice issued (Doc1) before the Consumer Service of the Board of
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12








Andalusia (Doc2). The professional services invoice contains the data
basic information on data protection for the activity of the notarial office.


That on October 31, 2018 this notarial office provided the claimant with
additional information on data protection in relation to merited activity (doc3).

That in subsequent communications he stated that he was against the scanning of his
DNI or consider that they should be aware of the security measures applied:
“… Must do a risk analysis or DPIA and determine it, according to its criticality.

This gives me little confidence in the measures implemented, which is why you requested
information",

That subsequently, and after several calls from the claimant, the incident was reported
to the Data Protection Delegate of this notarial office.


That the DPD by email of December 18, 2018 (doc5) requested
specify the request for rights exercised by the claimant. The claimant does not
He answered, so the DPD reminded him on January 14, 2019 (doc6) that
The term of the procedure was extended by two more months to be able to attend his
petition.


That same day, the claimant replies alleging that “what I am asking is the verification of
that said information was provided to me ”(doc7).

That with all of the above and having fulfilled the Notarial Office with the duty of

information regarding customer activity it was considered necessary to focus the
issue in the Money Laundering activity. Consequently, the DPD reported
to the claimant dated February 7 (doc8) on the special circumstances
that have these treatments and therefore the impossibility of meeting your request.
Later, on February 11, he was informed again (doc9-10).


Regarding the control measures applied in this Notarial Office: They accept the
ISO 27001 standard. However, in relation to the Activity Register and its
legitimation in the treatment, the following measures have been adopted:

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements: RGPD: Control Measures
1. Activity Register
2. Data Protection Officer
3. DPD notification to the Data Protection Agency.
4. Legitimation of the treatment (yes, we inform or not)

5. Protocol to exercise the RGPD right

Consequently, and in accordance with the request for information, we state that, dated
On June 11, 2018, a Data Protection Audit was carried out. How
As a result, the consequent recommendations were formalized for

comply with the obligations indicated above.

Consequently, the following measures were adopted: The Register of
Activities that include, among others, a. Clients b. Money laundering

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/3









In consideration of the nature of the Public Authority of Notaries and based on article 37.1 a)
of the European Data Protection Regulation 2016/679 was designated Dpd and

reported to the Registry of the Spanish Agency for Data Protection (Doc1).

It was agreed to implant legends in order to comply with the duty of information
of article 13 of European Regulation 2016/679. 4. A procedure was established
management of RGPD rights in the Notarial Office.


The measures were reviewed on March 19, 2019. They were agreed
recommendations to correct the deficiencies found and improve the proper
implantation. A data protection legend is included on the invoices for reason
of the "clients" activity.


The claimant was sent a copy of the additional information dated October 31
2018, in relation to customer activity and was informed and explained the
specific circumstances derived from the processing of data for the activity "laundering
Capital ”and therefore the exclusion of the duty of information.

FOURTH: In view of the denounced facts, of the documentation provided by

the parties and in accordance with the evidence available, the Inspection of
Data from this Spanish Agency for Data Protection considered that the action
of the claimed entity did not meet the conditions imposed by the regulations in force,
for which the opening of a sanctioning procedure proceeds. So dated
06/01/20, the Director of the AEPD, agreed to initiate a sanctioning procedure for the per-

claimed, by virtue of the powers established, for failing to comply with the provisions of
Article 13 of the RGPD, by NOT offering the necessary information to the claimant when
The DNI was required for scanning, punishable in accordance with the provisions of art.
83 of the aforementioned RGPD, with an initial sanction of "APERCIBIMIENTO".


FIFTH: Notified the initiation agreement, the claimed person, by writing of
dated 06/15/20, made, in summary, the following allegations:

On the lack of information in relation to the treatment derived from the scan of the DNI
Of the interested. My client, in compliance with article 30, has a Record of Ac-
Treatment activities. There are, among others, two different declared activities:


1. Clients: in order to proceed with the granting of the public document and proceed
der to your billing 2. Money Laundering: for the management and registration of obligations
tions derived in matter.


These activities are different and coincide with the files declared at the time
in accordance with Law 15/1999 on data protection and Ministerial orders
of its creation to the extent that they were public files: OM de Justicia
JUS / 484/2003 and Ministry of Economy Order EHA / 114/2008, of January 29.


The Agreement that we are challenging says that the duty of information of Article 13 was omitted
of Regulation 2016/679 when the claimant's DNI was scanned in order to give
compliance with the Law on the Prevention of Money Laundering and subsequently
when requested. It is true what the notified act says: the interested party was not informed

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/12








of the money laundering activity of the *** NOTARY. 2. However and how I know
You will see, there is no legal obligation to inform about the data processing in case of
money laundering.


We note that the interested party was informed in relation to the activity of "clients"
as stated in the file.

The Agreement to Initiate the Penalty Procedure forgets some information that would have
allowed the correct qualification of the facts of this procedure:


1. The notary is bound by the Money Laundering Prevention Law: ar-
Title 2.1 n) Obliged subjects: “notaries”.

2. The notary as a subject bound by Regulation 2016/679 creates his Registry of

Activities. Following the criteria of the AGPD, it makes use of the file created by the Or-
den EHA / 114/2008, of January 29, regulating compliance with certain
obligations of notaries in the field of prevention of money laundering and
This is how the "Money Laundering" treatment activity has been declared.

3. Art 32.3 of Law 10/2010 of April 28 states that: “By virtue of the provisions of the

Article 24.1, and in relation to the obligations referred to in the preceding paragraph
rior, the obligation to provide information will not apply to data processing
in article 5 of Organic Law 15/1999. Likewise, they will not apply to the
les and treatments referred to in this precept the norms contained in the
aforementioned Organic Law regarding the exercise of rights of access, rectification,

cancellation and opposition. In case of exercise of the aforementioned rights by the interested party
do, the obliged subjects shall limit themselves to making clear the provisions of this article
ass".

4. On the obligation to make copies to the DNI: Art 28. 2. Laundering Regulation

of Capitals “The obligated subjects will store the copies of the authentic documents
formal identification clients on optical, magnetic or electronic media "

5. On the term of conservation of the DNI: Art 29.1 Regulation of Laundering of
Capitals: “The obligated subjects will keep the documents and keep records
of all business relationships and operations, national and international,

final, for a period of ten years from the termination of the relationship… ”.

Therefore, in compliance with the legal obligation of article 32 of Law 10/2010, no
informed the interested party of the data processing.


It has been proven that in the communication of October 31, 2018, the
interested in the peculiarities of the processing of personal data at the headquarters of
money laundering.

Regarding the official status of the Notary Public and part of the Public Administration: It says

the website of the Ministry of Justice: “The Notary, once he obtains the title and takes
session of its Notary, will have in the district to which it corresponds the character of function-
public authority and authority in everything that affects the service of the notarial function, with
the rights granted for such purposes by the Law ”.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/12








https://www.mjusticia.gob.es/cs/ Satellite/Portal/es/servicios-
citizen / public employment / access-calls-profiles / notaries-for-notaries


The OM Justice JUS / 484/2003 says: “… Notaries, Notaries Associations and the Con-
General Council of Notaries present specialties in relation to the exercise of
other professions subject to membership, highlighting the character of public official
co of its members and of the Public Administration dependent on the Administration
General of the State, through the General Directorate of Registries and Notaries. "


Moreover, the TCl says that notaries are part of the public function of the State. So,
Sentence 120/1992, of September 21, says the High Court: “This competence
Regulatory, on the other hand, also derives from the character of public officials of the
all that Notaries have and their integration into a single national body ”.


Likewise, in Sentence 4/2014, of January 16, 2014, the High Court says: “Appli-
In view of the reiterated doctrine of this Court (SSTC 56/1987, of May 7; 67/1983,
of July 22; 120/1992, of February 21, and 207/1999, of November 11), only at
The State is responsible for directing mandatory orders or instructions to
notaries or registrars, it being unquestionable that it is the State, through the
DG of Registries and Notaries, the highest body of those, which are located in

hierarchical dependency relationship and, consequently, in a position of forced acceptance
issuance of binding orders or interpretations. On the application of article 77 of
Law 3/2018 on the protection of personal data.

The initiation Agreement is erred by not respecting the regime provided for in article 77 of the Law

2/2018 especially in its section 2 when it says:

"When the managers or managers listed in section 1 commit any-
one of the offenses referred to in articles 72 to 74 of this organic law.
ca, the competent data protection authority shall issue a sanction resolution

warning them with warning. The resolution will also establish the
measures to be taken to stop the conduct or correct the effects of the
offense that was committed. The resolution will be notified to the person responsible or
charged with the treatment, to the body on which it depends hierarchically, where appropriate, and to
those affected who have the status of interested party, where appropriate ”.


The notary public official status and his integration into the
the State Administration and, therefore, we cannot accept the allusion, as it intimidates
toria, of the Commencement Agreement when it says that “This offense may be sanctioned with
a maximum fine of € 20,000,000… ”.


Fourth: That the Resolution of June 2, 2020, of the General Directorate of Seguri-
Legal entity and Public Faith, the Ministry of Justice notifies in the Official Gazette of the
date of June 8, 2020, the retirement of the notary (Doc No. 2).

SIXTH: On 06/23/20, the person claimed presented in this Agency, new

brief of allegations, in which, in summary, it indicated the following:

“That having presented allegations last day fifteen of the current consi-
We deem appropriate the presentation of the copy of Resolution R / 01712/2016 by

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/12








as it concludes in its Third Ground that notaries are public officials
cos:


In this sense, the Notaries, the Notary Associations and the General Council of Notaries
They present specialties in relation to the exercise of other professions subject to
members of the association, highlighting the public official nature of their members and
of Public Administration dependent on the General State Administration, through
through the General Directorate of Registries and Notaries ”.


SEVENTH: On 06/08/20, the test practice period began, accord-
dose: a) .- to consider reproduced for evidentiary purposes the complaint filed by the
Advertiser and its documentation, the documents obtained and generated that form
part of file E / 9681/2019 and b) .- consider reproduced for evidentiary purposes, the
allegations to the agreement to initiate PS / 00044/2020, presented by the entity-

announced.
EIGHTH: On 07/22/20, the requested person is notified of the proposed reorganization
solution in which it is proposed that, by the Director of the Spanish Protection Agency

tion of Data is sanctioned with "APERCIBIMIENTO" for an infraction of article 13)
of the RGPD, in accordance with the provisions of article 58.2) of the aforementioned RGPD.

NINTH: After notification of the proposed resolution, dated 09/07/20, the
complained person presents a brief of allegations, in which, among others, indicates:

“The claimant initially filed a consumer claim with the Board of
Andalusia, due to its discrepancy due to the applied tariff. It was in said procedure

where he stated that he had not been informed of his rights when scanning the DNI.

The file contains a copy of the notarial invoice where the basic information appears.
physics of data processing the activity “clients” (Doc.1 of the report before the AEPD).

That said consumption procedure is filed in October 2018 and that is when the

Claimant requests data protection information that is given on October 31.

There is no evidence in the record that the claimant requested on July 7, 2018
exercise your rights in data protection. In his mail of November 1, the re
claimant ensures that the invoice does not include the rights and the way to exercise the

themselves. However, this manifestation does not correspond to reality.

That later, when the DPD intervenes, it was necessary to discern through various
e-mail the specific request of the claimant about the scanning of the DNI.


That before a month of silence from the complainant had elapsed, the DPD contacted
contacted him and the procedure to meet his request was extended for two months
(Doc. 6) of the Report requested by the AGPD. That finally the request of
information on the claimant called “money laundering”.

It should be noted that in relation to the “Money Laundering” activity, no

tado informative legends, there is no obligation in this regard. For activity
of clients, unrelated to this file, a legend was provided that is part of the file.
tea. Here is attached the same:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/12









       << A.A.A. residing at *** ADDRESS. 1 is responsible for the treatment
       in order to study your file, draft the public document and

       yield to its granting, incorporation to the protocol and billing.

       The legal basis of the treatment is the exercise of the notarial public faith by virtue of
       the Law of Notaries and the Law of Voluntary Jurisdiction 15/2015 in the terms
       of article 6.1 e) of the European Data Protection Regulation
       2016/679 The legal basis based on a contractual relationship fits. The treatment

       data is necessary for the granting of the document.

       Likewise, the notary acts as the data controller in relation to
       to the protocol and notarial documentation whose Data Controller is the
       General Directorate of Legal Security and Public Faith with the purpose of archiving

       of the public documents of the notary and collaboration of the Administrations
       Public trades. The billing data will be kept until prescribed
       They ban tax obligations.

       In relation to the protocol and notarial documentation, the data will be kept
       as a public file indefinitely.


       This notarial office has designated a Data Protection Delegate:
       *** DPD.1.

       The data will be communicated to the Public Administrations, the Notarial Association

       or to the General Council of Notaries when there is a legal norm that protects it.

       You have the right of access, rectification, deletion and portabi-
       the quality of your data, limitation and opposition to its treatment, as well as not
       be the subject of decisions based solely on automated processing

       of your data, when applicable. You can exercise your rights before the Delegate
       data protection by providing a scanned copy of your ID addressed to
       *** DPD.1. We would like to point out that regarding the protocol and documentation
       Such rights have a series of limitations due to their specific purpose.
       archive feature.


       The right to file a claim with the Agency is also recognized.
       Spanish company for Data Protection as an interested party >>.

For all the foregoing, WE PLEASE V.I. that has presented this writing in time
in the manner and form and on the merit of its content, the file of the Sanctioning Procedure agrees.

dor as there was no delay in providing the information to Mr. B.B.B.
In view of all the actions, by the Spanish Agency for Data Protection

In this proceeding, the following are considered proven facts,




                                 PROVEN FACTS


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/8








1º.- On 08/07/18, the claimant went to the notarial office of A.A.A., to
request a copy of your house deed. According to the record, "by not
having the claimant's DNI scanned, it was considered appropriate to scan
in accordance with current legislation on money laundering ”. As stated in the
Claimant's announcement, “when asking the reason why the DNI was scanned, NO

received no adequate reply, informing him only that they would be in contact
with him to inform him conveniently ”.

2º.- According to the DPD's letter, the Notary Public contacted
with the claimant on 10/31/18, informing him of the special circumstances that
they have these treatments because they are subject to money laundering legislation.

In addition, it was indicated that, in the invoice for professional services delivered to the
clamoring, included the basic data of information on data protection by the
activity of the notarial office. From this date there were several exchanges of co-
electronic records between the claimant and the DPD of the Notary's Office, in relation to the
chos.

3.- The claimant responded to the DPD's answer one day later (11/01/18), at
the following terms:


“Dear Sir, thank you very much for the information. Indicate that the invoice does not have
that this information was provided, given that among other things, they must see
nir the rights and the contact to exercise them. I spoke to three employees who did not
they provided the information. The third, asked me for the telephone number to provide me with these data,
but until my email today, I have not received the information, which leaves me wondering
where my phone was saved. I will check if what you tell me about the

invoice. I understand that you have a record of what you tell me. Also indicate that
there are errors in the information you present to me, since the security measures do not
They are in article 26. In fact, the GDPR does not say what to do, but must
do a risk analysis or DPIA and determine it, according to criticality. This gives me
little confidence in the measures implemented, which is why I initially requested
training. I hope your DPO can answer me for security, I have two

months and a half plating, as well as the legitimation given that I have not been able to see
the need for the information required by law 15/2015, which was the reason
vo from my query. For security, as I indicated, I do not like to be scanned
directly my ID ".


4.- The information provided in the invoice issued by the notarial office (No.
Invoice: U001155 dated: 08/07/2018, the following information appears regarding the
Personal data protection:

    - Responsible: Notarial Office located at *** ADDRESS. 1 Contact information
        of the Data Protection Officer: *** DPD.1 Purpose: Granting documents

        public ment and billing.
    - Conservation: Until the prescription of the legal obligations derived from
        writing.
    - Legitimation: Compliance with public duties corresponding to the note-
        River
    - Recipients: No data will be transferred to third parties except in case of obligation to-

        gal. In general, the Public Administrations, the Notarial College and the General Council
        General of the Notary Public.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/12








    - Rights: Access, rectify and delete the data, as well as other rights,
        as explained in the additional information.
    - More Information: You can request an expanded information sheet of

        Your rights".

5º.- In the allegations, presented in this Agency by the claimed person, the
11/07/19, indicated the following:

        “(…) Consequently and in accordance with the request for information, we state

        that, on June 11, 2018, an Audit was carried out to protect the
        Data. As a result, the consequent recommendations were formalized.
        mentions to comply with the obligations indicated above, were adopted
        the following measures:


        “(…) It was agreed to implant legends in order to fulfill the duty of
        information of article 13 of European Regulation 2016/679.

        A RGPD rights management procedure was established in the Office
        cho Notarial ”.


        The measures were reviewed on March 19, 2019. It was agreed-
        recommendations were made to correct the deficiencies found and improve the
        proper implementation. In the invoices a legend of protection of
        data by reason of the activity "clients".


                             FOUNDATIONS OF LAW

                                              I
The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in

the art. 47 of LOPDGDD.
                                              II
The joint assessment of the documentary evidence in the procedure brings to
knowledge of the AEPD, a vision of the denounced action that has been
reflected in the facts declared proven above related.


However, the following observations should be made:
The art. 32.3 of Law 10/2010, of April 28, on the prevention of money laundering

and the financing of terrorism, establishes that: “By virtue of the provisions of article
Article 24.1, and in relation to the obligations referred to in the previous section,
The information obligation provided for in
Article 5 of Organic Law 15/1999. Likewise, they will not apply to the files
and treatments referred to in this precept the norms contained in the citation

of the Organic Law regarding the exercise of rights of access, rectification, cancellation
lation and opposition. In case of exercise of the aforementioned rights by the interested party, the
Obliged subjects will limit themselves to making the provisions of this article clear to you ”.

Well, when the claimant went to the Notary, on 08/07/18, to request a copy
of the deed of his apartment, and ask him for the ID for his scan, he asked the reasons for

which this act was now required, receiving no satisfactory answer, nor
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/12








He was even told what was stipulated in the Money Laundering Prevention Act.
them: ”(…) In case of exercise of the aforementioned rights by the interested party, the subjects
obliged will limit themselves to making clear the provisions of this article ", limiting-

was to indicate that, “they would already contact him to receive the appropriate information
cuada ”, situation occurred two and a half months later, on 10/31/18, through the
DPD.

Therefore, although said article establishes that the duty to inform the interested party does not
It is applicable in relation to “the obligations referred to in section

above ”, that is, those related to the fulfillment of information obligations
provided for in Chapter III (which basically refer to cases in which there is
to communicate to SEPBLAC when there are indications of a possible case of money laundering
of capital or financing of terrorism), the right to information of art. 13 of
RGPD, it is completely applicable. Therefore, with that exception, you have the obligation

to provide all the information regarding the processing of personal data in
the moment to collect them from the interested parties.

Regarding the rights of citizens when they process their personal data, it says
recital 59) of the RGPD that: “(…) The data controller must be
obliged to respond to the interested party's requests without undue delay and no later than

give within a month, and explain your reasons if you do not attend.
der them ”. While recital 60) and 61) of the same RGPD indicates, respectively-
mind:

“(60) The principles of fair and transparent treatment require that the interested party be informed

the existence of the processing operation and its purposes. The person responsible for
treatment must provide the interested party with any additional information necessary
aria to ensure fair and transparent treatment, taking into account the circumstances
tances and the specific context in which the personal data are processed (…) ”.


“(61) Interested parties should be provided with information on the processing of their data
personal coughs at the time they are obtained from them (…) ”.

In the present case, the collection of the claimant's personal data, me-
Through the scanner of your ID, it is endorsed by art. 6.1.c) of the RGPD: “the treatment
is necessary for the fulfillment of a legal obligation applicable to the person responsible for the

treatment ”, such as compliance with the legislation on money laundering.
On the other hand, article 13.1.c) of the RGPD obliges the person responsible for the treatment of

the data to give the necessary information so that the interested party knows the purposes of the
treatment of the data and the legal basis for it: “c) the purposes of the treatment to which
the personal data and the legal basis of the treatment are destined ”.

But it is also that article 12 of the RGPD summons the person responsible for the treatment

of data to take the necessary measures to provide the interested party with the information indicated
each in article 13 indicated above: “1. The person responsible for the treatment takes-
The appropriate measures will be taken to provide the interested party with all the information indicated in the
Articles 13 and 14, as well as any communication in accordance with Articles 15 to 22
and 34 relating to the treatment, in a concise, transparent, intelligible and easily accessible way.
so, in clear and simple language, particularly any targeted information specifically

physically to a child. The information will be provided in writing or by other means, including
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/12








clusive, if applicable, by electronic means. When requested by the interested party, the information
The statement may be provided verbally provided the identity of the
affected by other means 2. The data controller will provide the interested party with the

exercise of their rights under Articles 15 to 22. In the cases referred to in
In accordance with article 11, paragraph 2, the controller shall not refuse to act at the request of the
interested party in order to exercise their rights under articles 15 to 22, except
that can demonstrate that it is not in a position to identify the interested party. 3.The res-
Responsible for the treatment will provide the interested party with information regarding their actions
on the basis of a request pursuant to Articles 15 to 22, and in any case

within one month of receiving the request (…) ”.

Well, the invoice delivered to the claimant contained the necessary information regarding the
About data protection, as the data controller; the purpose: (-Gives-
public document and billing); the conservation time; legitimation

for the treatment: (- compliance with public duties that correspond to the
notary); the recipients and the rights that could be exercised.

It can be verified that, in the purposes for which the data processing will be used
Notary public personnel include the, "Granting public document and billing", and
in the legal basis for the treatment of the data it appears, “the fulfillment of the

public services that correspond to the notary ”. Nothing is informed to the interested party about what
stipulated in art. 32.3 of Law 10/2010 of April 28, when it is indicated
that, in the event that personal data are processed in order to comply with the
current legislation on money laundering, as is the case, if the interest
sado wishes to exercise its rights recognized in the RGPD, “(…) the obligated subjects

they will limit themselves to making clear to you the provisions of this article ”. Well, not even-
You are informed of this circumstance, neither in writing nor verbally, when you ask.
to, receiving only as an answer that, "they would already contact him", circumscribed
It did happen, but not before a month as indicated by the RGPD, but with a de-
two and a half months late.


Finally, remember once again that the respondent undertook to take the necessary measures
necessary to correct the deficiency detected and this was indicated to this Agency:
"It was agreed to implant legends in order to comply with the duty of information
of article 13 of European Regulation 2016/679. 4. A procedure was established
management of RGPD rights in the Notarial Office (…) ”. Measures not yet

they have been submitted for corroboration by this Agency.

In view of the above, the following is issued:

                                       RESOLVES:


APPEAR: A.A.A., with NIF: *** NIF. 1 for violation of article 13) of the RGPD.

REQUIRE: A.A.A., so that, within one month from this act of notification
of the resolution, proceed to include legends in the documents that are provided to

clients, in order to comply with the information duty of article 13 of the
RGPD.

NOTIFY: this resolution to A.A.A.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/12










In accordance with the provisions of article 50 of the LOPDPGDD, this Re-
solution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDPGDD, and in accordance with the provisions of article 123 of the LPACAP, the
The parties may optionally file an appeal for reconsideration before the Director
of the Spanish Agency for Data Protection within a month from

the day after notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision
Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-

administrative, within two months from the day after the notification
tion of this act, as provided in article 46.1 of the aforementioned Law.

Mar España Martí

Director of the Spanish Agency for Data Protection.










































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es