AEPD (Spain) - PS/00050/2021
|AEPD (Spain) - PS/00050/2021|
|Relevant Law:||Article 35 GDPR|
|Parties:||SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L.|
|National Case Number/Name:||PS/00050/2021|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
|Initial Contributor:||Carmen Villarroel|
The Spanish DPA fined a controller €20,000 (reduced to €16,000) for implementing a biometric identification system without carrying out a DPIA beforehand.
English Summary[edit | edit source]
Facts[edit | edit source]
A workers union lodged a complaint with the Spanish DPA (AEPD) against a company that had implemented a biometric identification system to control workers' access using their fingerprint, a system that was used along with a card reader system. The company had 520 workers.
According to the union, the system was:
- disproportionate, since there were already two access control systems in place;
- unnecessary, since these systems were already effective and less intrusive;
- the system is just a method of control, since it was placed only in working places;
- there was no free consent, since workers were obliged to sign the consent document.
According to the company, the system was necessary and more efficient than the old one. They argued that the working place was so big that workers needed to walk for 20 minutes in order to reach their working post, so they needed an additional control system to determine when they really accessed their post. The company also argued that the biometric system is more reliable than using cards, since people could use another worker's card. The intention was to substitute the cards with the biometric system.
The project was presented to the Workers Council, which rejected it and reported it to the Labour Inspection. This claim was archived. Additionally, the company gave the companies an informative document.
The system, according to the company, only used an encrypted biometric template, that was used to compare it with the biometric data (fingerprint) stored in the local database to verify it, but without storing any images, being it a verification/authentication system (one to one).
The company also showed a risk analysis carried out beforehand, in which the result was "low risk", and therefore a DPIA was not carried out.
Holding[edit | edit source]
Firstly, the AEPD concluded that the system was not a one-to-one system, as alleged by the company, but a one-to-many, in which the biometric data was compared to the biometric templates of all the workers in order to verify the identity of the data subject.
According to the DPA, since biometric systems are very intrusive to data subjects' rights and freedoms, they are generally prohibited, and restrictions shall be interpreted restrictively.
The DPA remarked that Article 9 GDPR establishes an exception when processing is necessary to carry out obligations and exercising specific rights of the controller or of the data subject in the field of employment. Furthermore, the DPA remarks that Article 88 GDPR allows Member States to provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights.
Here, the AEPD argued that, since processing shall be necessary, the controller needs to substantiate such necessity. However, the DPA considered that there are alternative systems that comply with the minimization, proportionality and necessity principles, and that in order to use biometric systems the controller needs to demonstrate high levels of proactive accountability and privacy by design implementation, including a justification for the necessity and proportionality of the system, certifying that there are no less intrusive alternatives for the purposes for what the system needs to be used.
Before implementing such a system, the controller should have carried out a DPIA, to determine whether an alternative less intrusive method was possible in order to attain the same results.
The DPA also noted that the controller did not provide the document with which they obtained the consent of the workers. The DPA also noted that the processing, contrary to what the controller had alleged, could not have been based on the legal basis from Article 6(1)(b) GDPR, since the access control is not necessary for the performance of a contract. In any case, it could be argued that it could have relied on Article 6(1)(c), on the norm that regulates access control for workers, as long as it respected the data protection principles.
Subsequently, the DPA argued that consent shall always be exceptional in the framework of labour relationships, since there is risk of coercion. Additionally, consent must be withdrawable without any negative consequences. There shall also be a possibility of not giving consent in the first place.
Finally, the DPA concluded that the controller should have carried a DPIA previous to the implementation of the biometric system. Controllers shall be able to demonstrate compliance, in accordance with the accountability principle, for which it is necessary that controllers document all the data processing activities in order to minimize risks, and that controllers analyze future processing so they can determine how data subjects' rights will be affected. In case of high risk, as this case, the controller shall carry out a DPIA, which is a mandatory previous step to comply with this regulation, as well as complying with all the other obligations such as relying on a valid legal basis and respecting data protection principles.
Since the controller had not carried out such DPIA, the AEPD decided to fine it €20,000, that were reduced to €16,000 because of voluntary payment, for a violation of Article 35 GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/25 File No.: PS / 00050/2021 RESOLUTION OF TERMINATION OF THE PROCEDURE BY PAYMENT VOLUNTARY Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On February 19, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure for SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L. (hereinafter the claimed part). The initiation agreement was notified and after analyzing the allegations presented, dated 6 October 2021, the resolution proposal was issued, which is set out below transcribe: << File number: PS / 00050/2021 Of the procedure instructed by the Spanish Agency for Data Protection and based on the following: BACKGROUND FIRST: The claim filed by UNION SECTION *** SECTION 1 (in hereinafter, the claimant) has an entry dated 02/06/2020 in the Spanish Agency for Data Protection from the Catalan Data Protection Authority. The claim is directed against the company, in which, they claim to represent union: SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L., with CIF B65050247 (in later, the claimed one), “for their opposition to the implementation of a control system of the workers through a biometric fingerprint system in the dependencies. of the company, through terminals that incorporate readers to capture the fingerprint of each employee ", and" currently the system is combined with the reader of card". The claimed one dedicates its activity to the "transport of assembly and assembly of pieces of motor vehicles, being the SEAT company for which they provide services as the only customer ”with about 520 workers. The claimant states that, in his opinion, the system that is in the "evidence" phase is not in accordance with the regulations, by: a) Disproportionate: “The company's premises are located within the SEAT MARTORELL venue, which has its own ac- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/25 cease, visits and work presence, to which the workers must be submitted ”of the Claimed “to which must be added the card transfer system established in the company, so a third control system is disproportionate. " a) Unnecessary, due to the existence of other less invasive means to achieve the presence control. b) It is also intended with the implementation of the system, the control of the duction by having installed the readers in the work areas. c) Absence of consent: the company obliges workers to sign a document document of consent for the processing of your data so it is not a manifestation of festation of free will. SECOND: On 03/26/2020, the claim is transferred to the claimed one, that the 07/09/2020, states: 1) As the company is located within the client's facilities, SEAT, the workers res, to access, they have to go through the factory access control that the owner has im- planted. From this point, to the location of the claimed business, there is a path walk of about twenty minutes. Indicates that the work center has a total area more than sixty thousand square meters, providing a graph with the location of the points of hourly record. In the spaces where the fingerprint records are implanted, there were historically two card presence control terminals, which allowed presence control, and the control of the working day - entries, exits and absences - and, on the other, the generation of variable report for the preparation of payroll-overtime, nights. He states that “during 2017, with the idea of replacing these card terminals, five fingerprint terminals in each of the center's work areas. These new ter- They came to replace the two cards with the same purposes and the same information. mation ”. This measure is executed with several premises: -to avoid the problem of staff leaving their job earlier of the time and clock at the entrance of the workshop the exit of your shift, and, - facilitate the check-in process by avoiding crowds at check-in points, pass- two to five. He adds that the fingerprint exceeds the card as it avoids cases that have been given to give the card between employees to sign for the owner. A single type of record of presence of working hours will be implemented, although currently the card and the new fingerprint coexist, they are using both to verify that it works. tions with correction before implanting it definitively. Indicates that they are going to establish a gram to reduce the period in which both systems, card-fingerprint, will coexist, and will make new explanations of the system to workers and their representatives. 2) On 11/13/2017, the Company Committee was convened and the project and objectives were presented C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/25 presence control by fingerprint, delivering a copy of the report of the supplier of the technology, giving a deadline for it to issue its report. Provide documentation of the minutes of the meeting. It indicates that on 11/20/2017, they held a second meeting in which the Sec- Union opinion of *** SECTION.1, but not that of *** SECTION.2, opposed because it considered it dis- provided and stated that the current card system was sufficient and requested a mediation, which did not come to fruition, and subsequently, on 10/15/2018, the complainant transferred the complaint to the Labor Inspectorate. On 01/14/2019, the complaint for not crediting an infringement. Provide a copy of these documents. 3) It states that each fingerprint was collected and the system was implanted. worker, documenting your delivery with I received. They provide a copy of that of an employee, which is dated 01/22/2018, with the literal “information by the management of the company- prey and acceptance by users of the fingerprint registration "," from the address of the The human resources department informs the workers that the implementation of a system to control access, visits and work presence through hue- the fingerprint for which users will be asked to register it and all this in accordance with compliance with the provisions of the Personal Data Protection Law 15/99 of 12/13 ". 4) It states that the publication of Royal Decree Law 8/2019 of March 8, on urgent measures social protection and the fight against job insecurity in the working day, intensi- The tasks of setting up the signing system were established, establishing a deadline for given of four-year recorded data. 5) Provides a graphic diagram of the operation of the fingerprint treatment process fingerprint indicating: to. “After the worker is discharged and at the time he is informed of the collection of the In order to control the shift, an HR technician takes the fingerprint with the reader called nado *** READER.1 (“System based on minutiae: identifies a limited number of forms of the footprint and its position within it. The reader captures the fingerprint and digits talizes some landmarks and converts minutiae into a ci-footprint template. frada (algorithm) ”. “Fingerprint images are never stored. This footprint template does not allow biometric identification, only biometric verification " b. After taking the footprint, it appears that the “human resources technician associates in program *** PROGRAM.1 the fingerprint template with employee ID ”. In the drawing from *** PROGRAM.1 figure that “stores data on the server; Employee ID, name Name and surname, NIF, encrypted fingerprint template, date, time of entry, time of departure, absence cias ". c. From *** PROGRAM.1 there is a double date to FICHADORA, and from this to *** PROGRAM. 1. On the FICHADORA, it appears: "the worker files". From *** PROGRAM.1 a FICHADORA consists of: “TCP automatic transfer of frame extra decimal: employee ID, name and surname, encrypted fingerprint template ”. From FI- CHADORA, in which it appears: “Stores data in the device: employee ID, template the encrypted fingerprint ”, the arrow appears at *** PROGRAM.1, showing:“ Automatic transfer TCP extradecimal frame: employee ID, date, time of entry, time of exit, automatic C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/25 sentences ". There is an explanatory parenthesis below FICHADORA, which indicates: “User verification is done locally against the encrypted template stored in the file. chadora. It is never verified against the central database of *** PROGRAM.1. They are collected date and time data automatically. The worker manually registers with a code absences ”. In the explanatory graph, another screen also shows the flow when the drop occurs of the employee. 6) It states that by analyzing the reports of the Legal Office of the AEPD number 65/2015, 36/2020, of 8/05, and opinion 3/2012, of the Article 29 Group, on “evolution of biometric technologies ”, the difference in biometric data is concluded: - "Biometric identification: The identification of an individual by a biometric system is normally the process of comparing your biometric data (acquired at the moment identification) with a series of biometric templates stored in a database cough (ie a one-to-many match search process. ” - “Biometric verification / authentication: the verification of an individual by a biometric system is normally the process of comparison between your biometric data (acquired in the time of verification) with a single biometric template stored on a device (ie a one-to-one matchmaking process). " “Only those in which they are subjected to data would be treated as special category data technical treatment aimed at “one-to-many” biometric identification, and not in the case of “one-to-one” biometric verification / authentication. They state that their system is for verification / authentication, explaining that they are only looking for the correspondence of the biometric data provided at the time of registration by the intere- sado to prove that it is him. "This data is stored in the device in an encrypted form and it is consulted by the authentication system to verify that there is a match ”. “When an employee puts his finger on the token reader, this device verifies in local, never against the central database, which corresponds to the footprint template encrypted that is stored on the device. In case there is a match, collects the booking data- date, time, employee ID, absence, etc.- and sends them to the program- transfer management system *** PROGRAM. 1. It is an authentication, similar to the one zada with a password ”. 7) It states that to date no employee has exercised any type of right with respect to your data. 8) Provides a copy of the risk analysis of treatment activities, (questionnaire model and notes to it). "Applying as a first step the adaptation of the FACILITA tool RGPD on 04/08/2019 the result of the “low risk” activity is obtained. Indicates that evaluated the need to carry out a DPIA or not. “The result determined that it is not accurate knew how to carry out a data protection impact assessment (DPIA) precisely because of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/25 interpretation that the fingerprint template encrypted by the algorithm should not frame fall into specially protected data ”. But if a “basic risk analysis” was carried out “to determine if it was necessary to implement processes and protocols in addition to those designed ”: - “09/16/2019, revision of the probability of risk number 5 due to opportunity for improvement in the process of deletion detected as a result of the implementation plan of ISO 27001 passes valuation- tion ”. -In the section on specifying the categories of data processed: “Data from personal identification character, fingerprint template, and employee: name and surnames and NIF. In addition, the date of entry and exit, and absences are dealt with ”. The conclusion of the analysis indicates: “it is low risk”, “when an employee puts his finger in the token reader, the device itself verifies that it corresponds to the the fingerprint that is stored in the device. In the event that there are coincide- company, collects the transfer data: date, time, employee ID, absence, etc., and sends them to the transfer management program *** PROGRAM.1 ”. ”It is considered that it is an authentication similar to that performed with a counter- sign and not a biometric identification so it is not considered a data especially protected how will the complete image of a fingerprint that will identify a worker dor within a whole bag of people. " THIRD: The Director of the Spanish Data Protection Agency agreed to admit Processing the claim submitted by the claimant on 09/07/2020. FOURTH: Within the framework of the actions carried out by the General Subdirectorate of Data Inspection, in order to clarify the response of the claimed, dated 11/23/2020, your collaboration was requested to inform you about the registration system of footprint they use. 1) They are asked to briefly explain how the recording and keeping system is produced. da-storage of the template What is *** PROGRAM.1 ?, What is the central base of *** PROGRAM.1 ?, and if the template converted into each employee's algorithm is saved there, and what relationship does it have with the device called "token" On 12/15/2020, your response was received stating: *** PROGRAM.1, “main server for the management of the presence system, belongs to “Grupo Sesé”, the same group to which the claimed belongs and is implemented through a commercial application called *** PROGRAM.1, from the company TECISA ”.” The information for management is stored in a database included with the application, and it is in this database what the application has, where the template collected from the paw print". The token, or remote terminal “acts as an interface between the employee and the *** PRO- GRAMA.1 for the validation and collection of information ”. Through this device, “we validate we enter the system and collect information such as the time we have interacted, for example". C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/25 2) In the drawing of the process graphic "The worker records", and "token", appears the literal "al- store data on the device: employee ID-encrypted fingerprint template ", in this sense, clarify Which device are you referring to? To the tokenist ?, describing if this is how it is stored the staff of all employees in each and every one of the five they have. It distinguishes two phases of the process, the data recording phase and the operation phase of presence registration. Phase 1, Data recording: -Human Resources records the employee's data and collects his fingerprint with a reader (called mined in this case *** READER.1). “At the moment of capture, a template is generated with the characteristic points of that fingerprint, which is stored encoded in the database *** PROGRAM. 1. The fingerprint image is not stored. When the data is recorded, the synchronization process sends the necessary data from the *** PROGRAM.1 application to the associated loggers -five- where they are stored- two said values. The data that is sent are the employee's ID, name and surname and the encrypted template. " Phase 2, Operation: - “When an employee wants to register his presence, he places his finger on the token that me- through the built-in reader *** READER.1, carry out the same process mentioned in phase 1 when the employee was registered in the system. So it captures the characteristic points of the employee's fingerprint, this capture is encoded and compared with the coded template that is stored in the memory of the card maker and associated with the ID of the employee. If it is correct- both templates match- the logger will send the pertinent data. nents of the employee. The coded fingerprint or name is never sent, only information is sent mation relevant to the clocking: date, time, employee ID and any defined code of absence. These data are transmitted to the *** PROGRAM.1 application to further processing. " 3) About your manifestation of: “User verification is done locally against the encrypted template stored in the file. chadora. It is never verified against the central database of *** PROGRAM.1 ” They are requested to expand information on: a) If your system uses the same template for each employee, registering different al- gorithms, or different templates for each employee. It states that when mentioning the template “it is actually the encoded information that has been saved after reading the fingerprint, it is not stored as an image, but rather it is detected and they save between 25 to 80 minutiae -they are the points of the footprint where a line ends or is forks - these points are the ones that are encoded and stored as a template. Each one of we have different points from each other, which is enough to be able to identify ourselves and what is saved are these points, so there cannot be two codes identical. " a) Explain how it is possible to correlate through the system one to one (authenticate tion) the introduction of the fingerprint in the stamp, with the template (s), explain if all the template / s are in the tab. (Apparently there will be an internal fingerprint validation shredded versus all templates.) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/25 It reiterates that “Each checklist stores the templates and the ID of each employee, therefore When an employee puts the fingerprint, it is encoded in a template and the system performs the search to see which one is equal to the one generated. The process is carried out locally, it is not consult the application *** PROGRAM.1 " b) What difference would there be between the worker registering with the counter and the verification does it locally against the encrypted template stored in the token machine, so that it does it against the central database of *** PROGRAM.1? “There would be no technical difference or practicality. The process would be the same, only in that case should be compared with all the stored templates and it would be noticeably increased- mind the time it would take to transmit the information back and forth ”. c) Does the tokenizer have at any one time a single data packet that identifies the person who is signing or all packages of all workers? He answered that “The file clerk keeps the information of all the workers of the center, that have been configured to facilitate the signing of any of them by the worker. dor ”. 4) In the graph, from "tab" to "*** PROGRAM.1", there is a double arrow in which literals are contained: "automatic transfer, extradecimal frame TCP etc.", it is requested that explain the meaning of these extremes in both senses, and that they imply arrows, if it could be understood that there is a transfer of data from the system central ma to the tabulator. (id employee-name / surname-fingerprint). It reiterates that: “When an employee is registered or modified, it is done from the *** APP PROGRAM. 1. Once the data is saved, the system launches an update. tion to the tokenders through a TCP frame where the information is transmitted (names Employee ID, Employee ID, Fingerprint Template) by being registered in the files chadoras ”. Only when an employee makes a check-in at the check-in and after the validation process tion, the clock taker, sends the information (ID, date and time, absences) to the application *** PROGRAM. 1 ”. They indicate that your system works like that of a password. To this end, they must detail the elements of said idea, user, how it is verified and what would be the password element, how, and where they are stored and how and against what element the pairing occurs. Responds that comparing the traditional way of identifying through user / counter- sign, indicates that the simile with the biometric fingerprint is that it allows more authentication stronger than the simple username / password pair, since biometric data are more complex jos to reproduce and break that password. For that reason, they indicated that it is treated as if it were a password, since with the fingerprint “no other employee can supplant the identity of others in a simple way. In this case, the user is the employee ID and the password is your fingerprint template ”. 5) Other questions that they consider clarifying or convenient about the system that according to can searches for the correspondence of the biometric data provided by the employee when proceeds to the action of signing, with the way in which the data is recorded, after confrontation and coincidence that it manifests is of the "authentication" type. It states that the biometric validation system has as its sole objective and purpose the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/25 unequivocal identification of an employee within the system providing guarantees to it to any attempt to impersonate your identity, making it difficult to reproduce the fingerprint by a third party. FIFTH: On 02/19/2021 the Director of the AEPD agreed: "START SANCTIONING PROCEDURE for MARTORELL LOGISTICS SERVICES SIGLO XXI, S.L., with CIF B65050247, for the alleged violation of article 35 of the RGPD in accordance with article 83.4 a) of the RGPD. " "For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, of the Administrative Procedure Common Administrative Law of Public Administrations, the sanction that may correspond to There is an administrative fine of 20,000 euros, without prejudice to what results from the instruction. " SIXTH: The defendant makes the following allegations: 1) Uses a minutiae-based fingerprint pattern, a limited number is identified of footprint shapes and their position within it, associating an algorithm. The boss it is stored encrypted, containing the position and type of minutiae, not being possible to "apply car reverse engineering the templates to recover images from the footprints ”. 2) “A fingerprint reader is used that reads the employee's fingerprint for the first time and creates the point pattern, but it does not save the fingerprint image as such, but a derivative algorithm do of the points obtained in the pattern. When a worker puts his finger to clock in the taker, the reader reads the points and compares them with the database in which they are entered. it has the algorithm, which has also been stored in an encrypted form; what converts it in a unique alphanumeric code associated with the pattern of the fingerprint read for the first time. That the device reads the fingerprint and compares it against an encrypted pattern is exactly the same identification process in a password or smart card, therefore, by not storing the image of the fingerprint and make the identification by means of a code, we understand that it is not- we would be talking about a biometric data according to the definition of article 4.14 RGPD. " 3) “The system used cannot always identify the person unambiguously, unlike What would happen if, for example, a genetic piece of information that is unique was used. And that, since the identification in the group of workers is made with coordinates that They are not unique in the world, therefore, the identification of the employee is done without using the biometric data, that is, the fingerprint. In conclusion, the footprint pattern does not meet the requirement site of uniqueness. " “Therefore, the employee's fingerprint pattern is not biomedical data. according to article 4.14 of the RGPD, therefore, it is not appropriate to apply article 9 of the RGPD as a special category of data regarding the purpose of data processing biometric " 4) The attendance and working hours control system, to implement the system by means of your presence management software called *** PROGRAM. 1 was contracted with the company sa TECISA 74, S.L. and the installation of the takers (*** FICHADORAS.1) that contain the fingerprint readers (*** READER.1) at the accesses to the work areas. TECISA uses the *** LECTOR.1 / IDEMIA technology in relation to the identification system through fingerprint. 5) Hired the services of TECISA 74, S.L. for being a reference provider for the Administration Public service, as shown on the provider's own website *** URL.1, from which it follows that “the Ministry of Justice of Spain (Audiencia Na- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/25 tional), the General Secretariat of Penitentiary Institutions of the Ministry of the Interior of Es- paña, the Ministry of Employment and Social Security in the Control of access of inmates in the Temporary Stay Centers for Immigrants from Ceuta and Melilla, Getafe City Council and the Community of Madrid in its Campus for Justice have trusted TECISA 74, S.L. as a provider of access control and presence services. " Also, in the same web, specifically in the section https://www.tecisa.com/quienes-somos, it is reported that "TECISA 74, S.L. is considered by the Spanish Public Administration as the company manufacturer of the best software and terminals for access control and work presence, according to This is indicated in the recent resolution of the State Heritage Catalog competition by a After months of evaluation, all the proposals submitted by more than 100 companies sas. Among the 195 products presented by national and international companies, the access control and work presence terminals manufactured by Tecisa have been, conclusively, the best valued by a group of experts from the Ministry of Finance and Public Administrations on behalf of the Spanish State. " The respondent acted in the belief that the information provided to her by TECISA Regarding the fingerprint treatment, it was valid and in accordance with the RGPD. In addition, it has an ISO 9001/2015 certification of quality management systems, an international standard that accredits the ability to regularly provide products and services that satisfy customer requirements and applicable legal and regulatory requirements. On the other hand, the complainant has the ISO IEC 27001/2013 certificate, document two, "As it has implemented and applies an information security management system that allows the assurance, confidentiality and integrity of data and its systems that process them, in addition to the risk assessment and application of necessary controls to mitigate or eliminate them. " 6) It states that despite the fact that the legal basis of the treatment could be article 6.1 b) or the 6.1 c), has chosen to request the consent of its employees as indicated in article 6.1 a) and 9.2 a) of the RGPD. They consider that there is no pressure when giving consent if it is not provided by the employees, since the defendant first informed the representation of the workers of the new system, who in turn informed the employees of the company and that the vast majority of employees did not refuse to give their consent. not even some members of *** SECTION.1 that make up the works council who have presented the present claim, nor has anyone revoked the consent mentor has not opposed the treatment at any time, not even the union section *** SECTION.1 informed the workers of their disagreement in the implementation of the system. 7) It states that the presence control and the registration of working hours with fingerprint pattern as indicated before, they coexisted with the previous system based on the use of the reader of cards, until the moment it was suspended due to COVID-19, on 03/14/2020 The claimant union section of *** SECTION 1, recognizes the existence of the two systems thus listed in the initiation agreement. During the testing phase of the new attendance and working hours control system that has been interrupted, it becomes relevant that there are employees who have made unique use of ca and exclusively of your card according to the previous face-to-face control, not using the fingerprint readers according to the new system due to the fact that the two systems. For the total number of transfers for each month and the reference days, the new transfer system was C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/25 used by 40 or 50% of the workforce and not the whole. The action of the Labor and Safety Inspection was already provided in previous actions Social that analyzing the face-to-face fingerprint control system did not find any irregularities rity, the opposite of what the AEPD states. It adds that there is no specific instruction or circular on the treatment of data through through biometric devices for presence control, which have acted in good faith in the belief that the control and schedule system was in accordance with the RGPD. They carried out an audit for the certification 27001/2013 of 2019, in which it was an evaluation and corresponding analysis of the application *** PROGRAM.1. 8) However, and what has motivated the initiation agreement, they have carried out an evaluation impact applying the Agency's criteria that a treatment is being carried out of a biometric data for identification purposes, also modifying the record of activities vity of the treatment, and provide document 3 with the impact assessment and document 4 with the record of the modified treatment activity. They indicate that the impact assessment has been carried out, despite the fact that the presence and working hours by fingerprint pattern was only in effect from the 01/16/2020 until 03/14/2020, that is, it is inoperative from before the transfer of the start of the transfer. It considers that it has been complying with and observing enforceable obligations and asks that it be noted or, where appropriate, reduced to a minimum penalty, also considering who previously analyzed in the risk analysis the assessment of whether or not to carry out lization of the Impact Assessment. 9) It refers to other files of the AEPD on registration with biometric data in which no The obligation to carry out an impact assessment has been imposed as indicated in the article 35 of the RGPD such as PS 7044/2019 against a Community of owners (in In reality, it would be E77044 / 2019, no more than seven thousand records are reached or assigned. sanctioning measures in a year) in which the proceedings were archived without stating that had an impact assessment, according to the minutes of the owners' meeting that approved the 09/26/2017 the installation of “lathes with fingerprint recognition for access to facilities nes ”of a Social Club with swimming pool, attached to the house. The resolution indicates that there was another alternative of access through a photo ID and the technical system is not detailed. single collection, storage, and storage facility and whether the data when putting the finger to enter was identification one-one, or one several, and it is expressed that “The legitimacy for the treatment of the fingerprint for access to the facilities by part of the claimed we must look for it in article 9 and 6 of the RGPD. " Adding no The prohibition will be applied by virtue of the consent, article 9.2.a), being in addition to the detailed, a different assumption to the one that is valued here. And he points out another similar case such as PS 145/2019 to the Ministry of Education and Sports of the Junta de Andalucía, in a similar case a warning was imposed for infringement of the Article 13 without there being any sanction for breach of Article 35 of the RGPD. SIXTH: Of the actions carried out in this procedure and of the documentation Obrante in the file, the following have been accredited: PROVEN FACTS C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/25 1) The defendant dedicates its activity to the transport of assembly and assembly of pieces of automobiles, being the SEAT company for which they provide services as the only customer with about 520 workers. The company's offices are located within the your client's premises, SEAT. The work center has a total surface area greater than sixty thousand square meters, providing a graph with the location of the hourly registration points River. 1) Historically there were two card presence control terminals. Duran- te 2017, to replace these card terminals, five fingerprint terminals are installed in each work area of the center, with the same purposes. When the claimed responds upon transfer, 07/09/2020, reported that the card transfer methods and the new footprint, using both to check correctness before implanting definitely the footprint. 2) The respondent accredits having consulted the union representation on 11/13/2017, before the use of the fingerprint system and individually to employees, from 01/22/2018, in accordance with the provisions of the law on the Protection of Character Data personal 15/99 of 13/12. In allegations, the respondent indicated that the use of the fingerprint was suspended due to COVID 19, on 03/14/2020, and that it was only in force since 01/16/2020 until 03/14/2020. 3) The reasons why the respondent prefers to use the fingerprint on the card, are that avoids cases that have occurred to give the card between employees to sign for the holder, and that an unequivocal identification of the employee is produced, avoiding the impersonation of the cultar the reproduction of the footprint by a third party. 4) The purpose of the fingerprint registration is to control the time or day, in accordance with with article 34.9 of the Workers' Statute. 5) The system for collecting and registering the employee's fingerprint and its use is divided into two phases: 1 Data record, 2 Presence record operation. Phase 1: it is carried out by an HR technician who, with the transfer management program of the *** PROGRAM.1 application of the TECISA company, and through a reader called *** READER.1, collects the fingerprint, captures it so that it identifies a limited number of forms more of the footprint and its position within it (minutiae) turning them into a template encrypted fingerprint (encoded information, between 25 to 80 minutiae-branch points are stored cation or where a line ends). The complete image of the footprint is not stored. In the database included in the application associates and stores the fingerprint template with the ID of the employee, name and surname, NIF. When recording the data, the punching machines or remote terminals five in this case, in a synchronization process associated with the application, stored These values have these values: encrypted template, employee ID, first and last name. Phase 2: When an employee wants to register their presence, they can do so at any- ra of the five terminals or fingerprint reader-fingerprint readers *** READER.1-, place your finger on the token that, through the built-in reader *** READER.1, performs the same process as mentioned in phase 1 when the employee was registered in the system. In a way that performs a capture of the characteristic points of the employee's fingerprint, this capture is encoded and it is compared with the coded template that of each employee is stored in the memory of each token and associated with the employee's ID. If correct- both templates co- incide- the registrant will send the pertinent data of the employee. The footprint is never sent C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/25 encoded or the name, only information relevant to the signing is sent: date, time, ID of the employee and any defined absence codes. These data are what is transmitted Please keep the *** PROGRAM.1 application for further processing. 6) The respondent had the document on risk analysis of trafficking activities. operation, carried out on 04/08/2019, showing the result of the “low risk” activity, with result that it was not necessary to carry out an impact assessment on data protection (EIPD). The defendant indicates that while the two transfer systems were in operation, there were employees who have made use solely and exclusively of their card with face-to-face control, and others over 40 or 50% used the footprint. 8) Despite the fact that the fingerprint collection system for transferring from 03/14/2020, after the initiation agreement, the respondent modified the risk analysis of the activities vities of the treatment, and the record of treatment activity to agree that The impact evaluation that it states has been carried out although it was not provided. FOUNDATIONS OF LAW I Biometric data is defined in article 4.14 of the RGPD: "Biometric data": personal data obtained from a technical treatment specific, related to the physical, physiological or behavioral characteristics of a person that allow or confirm the unique identification of said person, such as images facial or fingerprint data; The scope of the RGPD extends its protection, as established in its article 1.2, to the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data, defined in its article 4.1 as “all information about an identified or identifiable natural person ("the data subject"); I know Any person whose identity can be determined shall be considered an identifiable natural person, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or various elements of the physical, physiological, genetic, psychic, economic, cultural or social of said person. " According to the information provided by the claimed, when entering the fingerprint in the taking into account that each token has all the stored templates of all two employees, so that they file in the one they want, the same is compared in order to clear access by recording the beginning or end. It is estimated that the comparison is not produces one against one, that of the employee who agrees with his, but with all those who are are stored, performing a one-to-many comparison function each time they are entered. work or go out. In this case, although the image of the footprint is not saved entirely, but some C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/25 coordinates, each of them in template form, is able to identify unequivocally to each employee when confronting the fingerprint with the rest at the terminal of the existing ones. The functions contained in the algorithm allow to extract the points characteristics of the fingerprint for later comparison with an associated database to the previously stored set of users, being able to identify their owner of among all templates, treating personal data based on the fingerprint processing, uniquely identifying said person. Biometric data have the particularity of being produced by the body itself and definitely characterize. Therefore, they are unique, permanent in time and person cannot be freed from it, they cannot be changed in case of compromise- loss or intrusion into the system etc. Article 9.1 of the RGPD indicates: "Treatment of special categories of personal data" 1. The processing of personal data that reveals ethnic origin or racial, political opinions, religious or philosophical convictions, or union membership, and the treatment of genetic data, biometric data aimed at identifying in a way univocal to a natural person, data related to health or data related to sexual life or sexual orientation of a natural person. " Given the growing interest in using these systems in different areas and, as they are novel and very intrusive identification systems for rights and freedoms fundamentals of natural persons, the constant concern of this authority of control has been shared by the rest of the authorities for years, as they manifested the Working Document on biometrics, adopted on 08/01/2003 by the Group of 29, or the subsequent Opinion 3/2012, on the evolution of biometric technologies, adopted on 04/27/2012, and which has led the community legislator itself to include these data among the special categories of data in the GDPR. In this way, being prohibited its treatment in general, any exception to said prohibition will have to be subject to restrictive interpretation. In this sense, recitals 51 and 52 of the RGPD make it clear: "Such data personal should not be treated, unless their treatment is allowed in situations specific provisions contemplated in this Regulation, taking into account that the States Members can establish specific provisions on data protection in order to to adapt the application of the rules of this Regulation to the fulfillment of a legal obligation or to fulfill a mission carried out in the public interest or in the exercise of public powers conferred on the data controller. In addition to the requirements specific to that treatment, the general principles and other rules of the this Regulation, especially with regard to the conditions of legality of the treatment. Exceptions to the general prohibition of treatment of these special categories of personal data, among other things when the interested party give their explicit consent or in the case of specific needs, in particularly when the treatment is carried out within the framework of legitimate activities by certain associations or foundations whose objective is to allow the exercise of fundamental liberties. (52) “Likewise, exceptions to the prohibition of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/25 treat special categories of personal data when established by the Law of the Union or Member States and provided that appropriate guarantees are given, in order to protect personal data and other fundamental rights, when it is in the public interest, in particular the processing of personal data in the field of labor legislation, the legislation on social protection, including pensions and for security purposes, supervision and health alert, prevention or control of communicable diseases and other serious threats to health. (...) " II Faced with the prohibition of starting the treatment of biometric data that identify univocally to the persons of article 9.1), indicates article 9.2 b) and 9.4) 2. Section 1 shall not apply when one of the circumstances occurs following: “B) the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the data controller or interested party in the field of Labor and social security and protection law, to the extent authorized by it Union or Member State law or a collective agreement pursuant to the Law of the Member States that establishes adequate guarantees of respect for the fundamental rights and interests of the interested party; " (…) 4. Member States may maintain or introduce additional conditions, including limitations, regarding the processing of genetic data, biometric data or data related to health. ”´ The correlation to this mention is found in article 9 of the LOPDGDD, which states: "1. For the purposes of article 9.2.a) of Regulation (EU) 2016/679, in order to avoid discriminatory situations, the sole consent of the affected party will not be enough to raise the prohibition of data processing whose main purpose is to identify your ideology, union membership, religion, sexual orientation, racial or ethnic beliefs or origin. The provisions of the preceding paragraph will not prevent the processing of said data under of the remaining cases contemplated in article 9.2 of Regulation (EU) 2016/679, when appropriate. " In this sense, Article 88 of the RGPD has established that Member States may den, through legislative provisions or collective agreements, establish standards more specific to guarantee the protection of rights and freedoms in relation to with the processing of personal data of workers in the workplace, in particular lar, among others, for the purposes of compliance with the obligations established by law or by the collective agreement, management, planning and organization of work. These standards must include adequate and specific measures to preserve the human dignity of stakeholders rights, as well as their legitimate interests and fundamental rights, in particular, in relation with, among others, the supervisory systems in the workplace. In accordance with the provisions, the treatment must be necessary for compliance with legal obligations, considering that the same compliance effects were satisfied C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/25 before the fingerprint system with the use of the cards, being the preferred fingerprint by the re claimed by a series of issues among which the type of data was not taken into account. intrusive coughs that are used, the risks and guarantees established. In the first place, as in any type of treatment that is carried out, it is necessary to accredit the need for data processing through fingerprint registration and provide purpose for the fulfillment of the legal obligation to register the working day. Is considered that there may be alternative systems to the one used that comply with the principles of proportionality, necessity and minimization in data processing. It is not explained why the identification system is necessary and preferable to the verification system. To be able to use this system, in accordance with the parameters established in the RGPD, companies or organizations Organizations need to demonstrate high levels of proactive responsibility and design for Data Protection defect from before the treatment, including the fact of being able to justify that the system used is necessary, provided in each context in which it is going to be implemented and certify that less intrusive technical measures you do not exist or would not work. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/25 Opinion 3/2012, on the evolution of biometric technologies, adopted on 04/27/2012, and that has led the community legislator itself to include these data among the special categories of data in the RGPD states that: “When analyzing the proportionality of a proposed biometric system, it is necessary to first consider whether the system is necessary to respond to the identified need, that is, if it is essential to meet that need, and not just the most suitable or profitable. A second factor to be taken into account is the probability that the system will be effective in respond to the need in question in light of the specific characteristics of the biometric technology to be used. A third aspect to ponder is whether the loss The resulting intimacy is proportional to the expected benefits. If the benefit is relatively minor, such as greater comfort or slight savings, then the loss privacy is not appropriate. The fourth aspect to evaluate the adequacy of a system biometric is to consider whether a less invasive means of privacy would achieve the end wanted". The Opinion 2/2017 on the treatment of data in the work of the WG29 (adopted the 06/08/2017) states that “although the use of these technologies may be useful to detect o prevent the loss of intellectual and material property of the company, improving the productivity of workers and protecting the personal data of those who are commissioned by the controller, it also poses significant challenges in terms of privacy and data protection. Therefore, a new evaluation of the balance between the legitimate interest of the employer to protect his company and the expectation reasonable privacy of the interested parties: the workers ”. Therefore, “Regardless of the legal basis for said treatment, before its initiation A proportionality test should be performed in order to determine if the treatment is necessary to achieve a legitimate purpose, as well as the measures to be taken to guarantee that violations of the rights to privacy and to the secrecy of communications are limited to a minimum. This may be part of an assessment of impact relative to data protection (EIPD) ”. Before implementing a fingerprint recognition system, the person in charge must to assess whether there is another less intrusive system with which the same purpose is obtained. The section 72 of CEPD Guide 3/2019 “on processing of personal data through video devices ”, establishes in this sense that:“ The use of biometric data and in particular facial re cognition entail heightened risks for data subjects ’rights. It is crucial that recourse to such technologies takes place with due respect to the principles of lawfulness, necessity, proportionality and data minimization as set forth in the GDPR. Whereas the use of these technologies can be perceived as particularly effective, controllers should first of all assess the impact on fundamental rights and freedoms and consider less intrusive means to achieve their legitimate purpose of the processing ”. (“The use of biometric data and, in particular, facial recognition entails greater risks for the rights of the interested parties. It is essential that the use of these technologies take place respecting the principles of legality, necessity, proportionality and minimization of the data established in the RGPD. Considering that the use of these technologies can be perceived as especially effective, those responsible should, firstly, assess the impact on fundamental rights and freedoms and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/25 consider less intrusive means to achieve your legitimate goal of transformation ”. The translation is from the AEPD). In this case, the respondent indicates that the legitimizing basis of the treatment, based on those established in article 6.1 of the RGPD, would be that of express consent. Has not been provided the informative clause that includes the wording of the terms of the collection of said express consent. He adds that there are two others, the fulfillment of an obligation legal tion, 6.1.c) of the RGPD and maintenance of compliance with the contractual relationship, 6.1 b) although the obligation does not derive from the contract but from a rule. Thus, for example, in the employment context, the treatment of information on wages and salaries derives from the contract. bank account details so that the salary can be paid, so that there is a direct and objective link between the processing of the data and the purpose of the execution of the contract. The registration of the fingerprint for the fulfillment of the registration obligation working hours as stated by the claimed, if the prerequisites are met, it is not necessary to necessary for the execution of the contract but, where appropriate, it would be for the fulfillment of a legal obligation that must be adapted to the general principles of data processing, previous overcoming of the prohibition of the treatment for the causes assessed in article 9 GDPR Notwithstanding what has been said, consent within an employment relationship is a legal basis. exceptional shaker by: -The very definition of consent, “any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that concerns you ”is not part of an equilibrium position in the relationship. As the GT29 has underlined in various opinions, consent can only be valid if the interested party can actually elect gir and there is no risk of deception, intimidation, coercion or significant negative consequences. costs (for example substantial additional costs) if you do not consent. The con- feeling will not be free in those cases where there is an element of compulsion, pressure or inability to exercise free will. -The fact that it can be withdrawn when the owner wishes, an element that must be cluir in the clause before it is provided, counting on the withdrawal of consent will not entail any cost for the interested party and, therefore, no disadvantage for those who ns withdraw consent. -The possibility of not granting the same must be given, and therefore offer alternatives. -Articles 16 to 20 of the RGPD indicate that (when the data processing is based on the consent) the interested parties have the right to the deletion of the data when the feeling has withdrawn. III The respondent was charged that, treating personal data of a special category, and there is an obligation to have an Impact Assessment on the Protection of the Personal Data (EIPD) breached article 35 of the RGPD: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/25 "1. Where a type of treatment is likely, particularly if it uses newer technologies, logies, by their nature, scope, context or purposes, entails a high risk for the rights of chos and freedoms of natural persons, the person responsible for the treatment will, before treatment, an evaluation of the impact of treatment operations on the protection tion of personal data. A single evaluation may address a series of operations similar treatments that carry similar high risks. 2. The person responsible for the treatment will seek the advice of the protection delegate data, if appointed, when conducting the impact assessment relating to the protection of data. 3. The impact assessment relating to the protection of the data referred to in the ap- tado 1 will be required in particular in case of: a) systematic and exhaustive evaluation of personal aspects of natural persons who is based on an automated treatment, such as the elaboration of profiles, and on whose basis decisions are made that produce legal effects for individuals or that affect them significantly in a similar way; b) large-scale treatment of the special categories of data referred to in the art. Article 9, paragraph 1, or personal data related to criminal convictions and offenses referred to in article 10, or c) large-scale systematic observation of a public access area. 4. The supervisory authority shall establish and publish a list of the types of operations of treatment that require an impact assessment related to data protection in accordance with paragraph 1. The supervisory authority shall communicate these lists to the Commission tea referred to in article 68. 5. The supervisory authority may also establish and publish the list of types of processing that does not require impact assessments related to data protection. The supervisory authority will communicate these lists to the Committee. 6. Before adopting the lists referred to in paragraphs 4 and 5, the inspection authority The competent authority shall apply the coherence mechanism contemplated in Article 63 if these lists include processing activities related to the supply of goods or services to interested parties or with the observation of their behavior in various States two members, or processing activities that may substantially affect the free circulation of personal data in the Union. 7. The evaluation must include as a minimum: a) a systematic description of the planned processing operations and the purposes treatment, including, where appropriate, the legitimate interest pursued by the person responsible ble of the treatment; b) an assessment of the necessity and proportionality of the treatment operations with respect to its purpose; c) an assessment of the risks to the rights and freedoms of the interested parties to whom C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 19/25 referred to in paragraph 1, and d) the measures envisaged to deal with the risks, including guarantees, security measures rity and mechanisms that guarantee the protection of personal data, and to demonstrate the in accordance with this Regulation, taking into account the legal rights and interests gitimos of the interested parties and other affected persons. 8. Compliance with the approved codes of conduct referred to in article 40 by the corresponding managers or managers, due account shall be taken of the evaluate the repercussions of the processing operations carried out by said respon- officers or managers, in particular for the purposes of the impact assessment related to the data protection. 9. When appropriate, the person in charge will seek the opinion of the interested parties or their re- applicants in relation to the planned treatment, without prejudice to the protection of the public or commercial cattle or the security of treatment operations. 10. When the treatment in accordance with article 6, paragraph 1, letters c) or e), has its legal basis in Union law or in the law of the Member State that applies to the person responsible for the treatment, such Law regulates the specific operation of treatment or set of operations in question, and an evaluation has already been carried out data protection impact assessment as part of a general impact assessment neral in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not be application unless the Member States consider it necessary to carry out such an assessment. prior to treatment activities. 11. If necessary, the controller will examine whether the treatment is in accordance with the impact assessment relating to data protection, at least when there is a change of the risk represented by the treatment operations. " In the development of paragraph 4, the director of the AEPD as a non-exhaustive list, the Direc- AEP organizer published an indicative list of types of treatment that require an evaluation impact assessment relative to data protection, stating: “At the time of analysis To process data, it will be necessary to carry out a DPIA in most cases in those that said treatment meets two or more criteria from the list set out below. unless the treatment is on the list of treatments that do not require EIPD referred to in article 35.5 of the RGPD. " "4. Treatments that involve the use of special categories of data to which refers to article 9.1 of the RGPD, data related to convictions or criminal offenses to the referred to in article 10 of the RGPD or data that allow determining the financial situation financial or financial solvency or deduce information about people related to special categories of data. 5. Treatments that involve the use of biometric data for the purpose of identifying tify a natural person in a unique way. " The purpose of the impact assessment, within the regulatory compliance process Accountability implies taking responsibility for what is done with data. personal coughs and how the principles are complied with, incorporating appropriate measures and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 20/25 records to be able to demonstrate compliance. Organizations should show that they are complying with the standard, including documentation measures on how the data is processed, for what purpose, until when, and document the treatment procedures and procedures to focus the issue from an early point in the con- construction of the treatment system. Its implementation makes it possible to minimize risks at the time of processing the data, taking into account their proportionality, the amount of data, etc. Within the DPIA, there would be the guarantees of the rights that are affected, the analysis of how the right is affected, so that before pro- transfer to the treatment, a document is available that endorses the subsequent management, helps- do to identify and minimize the risks of a data processing project that is going to put or affect in this case a high degree of risk to individuals, employees of the claimed, given the specific form of the treatment, the nature of the context and the sites. The EIPD is a necessary step for data processing, and it is not the only one required, it is a budget to which the rest of the legal requirements for the treatment must be added, legitimizing basis and respect for the fundamental principles of data processing seen in article 5 of the RGPD. From the documentation in the file and as inferred from the probable facts two, there is no evidence of the performance of the impact assessment of protection of data. IV The RGPD determines in article 83.4 a): "Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of 10 000 000 EUR maximum or, in the case of a company, of an amount equivalent to 2% as a maximum of the total annual global business volume of the previous financial year, opting for the highest amount: the obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a 39, 42 and 43; " The LOPDGDD establishes in its article 73.t): "Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a vulnerability substantial ration of the articles mentioned therein and, in particular, the following: t) The processing of personal data without having carried out the evaluation of the pact of the treatment operations in the protection of personal data in the su- positions in which it is required. " V Article 58.2 of the RGPD provides the following: “Each supervisory authority will have all two the following corrective powers listed below: d) order the person in charge or in charge of the treatment that the tra- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 21/25 compliance with the provisions of this Regulation, where appropriate, of a a certain way and within a specified time; i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;" SAW The determination of the sanction to be imposed for the violation of article 35 of the RGPD in the present case requires observing the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively, provide the following: "1. Each supervisory authority will guarantee that the imposition of administrative fines in accordance with this article for the infractions of this Regulation indicated in Sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. rias. " "2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in article 58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of affected stakeholders and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) Any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or the person in charge of the treatment, given account of the technical or organizational measures that have been applied by virtue of the articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement fraction and mitigate the possible adverse effects of the infringement; a) the categories of personal data affected by the infringement; b) the way in which the supervisory authority became aware of the infringement, in particular if the controller or the processor notified the infringement and, if so, to what extent; c) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same my matter, the fulfillment of said measures; d) adherence to codes of conduct under article 40 or to certification mechanisms cation approved in accordance with article 42, and e) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly. you, through the infraction. " Within this section, the LOPDGDD contemplates in its article 76, entitled “Sanctions and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 22/25 corrective measures": "1. The sanctions provided for in paragraphs 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in the section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also may be taken into account: a) The continuing nature of the offense. b) The linking of the activity of the offender with the performance of data processing personal. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the infringement. e) The existence of a merger by absorption process after the commission of the infringement. This cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a data protection officer. h) The submission by the person in charge or in charge, on a voluntary basis, to me- canisms for alternative conflict resolution, in those cases in which there are controversies between those and any interested party. 3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of the Regulation (EU) 2016/679. " For the assessment of the sanction, the following aggravating factors are considered: -The nature, severity and duration of the offense, taking into account the nature, al- cance or the purpose of the treatment operation that affects the entire workforce, about 500 employees; (83.2.a RGPD), although the complainant indicates that not all made use of the paw print. The use of the system does not reach two months (01/16 to 03/14/2020, although I don't know if it's still being used.) -It includes a lack of diligence, since it prepared in advance the implantation of the system. ma and did not foresee the impact of the implanted system (83.2.b RGPD, 83.2.d) RGPD). Has not been provided the impact assessment document that declares it was carried out. On the other hand, it is observed that it concurs as a mitigating factor that the claimed is an entity of the logistics sector in which data of its employees is processed although it does not concurs “b) The linking of the activity of the offender with the performance of treatments of personal data. (76.2.b LOPDGDD). As a consequence, the sanction is quantified at 20,000 euros. On the reasons alleged by the complainant that she contracted with a Spanish company recognized that provides software and access control terminals in its activity of “Development, installation and maintenance of access control systems, la- boral and security systems ”which also has ISO (ENAC) certificates and she C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 23/25 It has another certificate, it should be noted that the prohibition of data with exceptions and a treatment designed from the caution of the type of data that were treated, offering guarantees, elements that are not related to the Infringement charged, and for this reason it is not possible to reduce the amount proposed. In view of the above, the following is issued: MOTION FOR A RESOLUTION That the Director of the Spanish Data Protection Agency sanctions SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L., with CIF B65050247, for a infringement of article 35 of the RGPD, in accordance with article 83.4 a) of the RGPD, with a fine of 20,000 euros. Likewise, in accordance with the provisions of article 85.2 of the LPACAP, informs that you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of the amount thereof. With the application of this reduction, the The penalty would be set at 16,000 euros, and its payment will imply the termination of the process. The effectiveness of this reduction will be conditioned to the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. In case you choose to proceed to the voluntary payment of the specified amount above, in accordance with the provisions of the aforementioned article 85.2, you must make it effective by entering the restricted account number ES00 0000 0000 0000 0000 0000 open to name of the Spanish Agency for Data Protection in the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause, by voluntary payment, of reduction of the amount of the sanction. Likewise, you must send proof of admission to the Subdirectorate General of Inspection to proceed to close the file. By virtue of this, you are notified of the foregoing, and the procedure is revealed to you so that within TEN DAYS you can claim whatever you consider in your defense and present the documents and information it deems pertinent, in accordance with the article 89.2 of the LPACAP). 926-280721 Angel Carralero Fernandez INSPECTOR / INSTRUCTOR >> SECOND: On October 19, 2021, the claimed party has made the payment of the sanction in the amount of 16,000 euros making use of the reduction foreseen in the proposed resolution transcribed above. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 24/25 THIRD: The payment made entails the waiver of any action or recourse in progress. administrative against the sanction, in relation to the facts to which the motion for resolution. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or to the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% on the amount of the proposed sanction, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditional on the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 25/25 In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00050/2021, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to LOGISTICS SERVICES MARTORELL SIGLO XXI, S.L .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 968-160721 Mar Spain Martí Director of the AEPD, P.O. the Deputy Director General of Data Inspection, Olga Pérez Sanjuán, Resolution 4/10/2021 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es