AEPD (Spain) - PS/00058/2020

From GDPRhub
AEPD - PS/00058/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 5000 EUR
Parties: n/a
Caja Rural
National Case Number/Name: PS/00058/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Jazmin Sol Terroso

The Spanish DPA (AEPD) imposed a €5000 fine on Caja Rural San Jose de Nules (Caja Rural), a credit cooperative, for the publication of the plaintiff’s personal data on a member’s bulletin board, in violation of Article 5(1)(f) GDPR.

English Summary

Facts

The Spanish DPA received a complaint in November 2019 against Caja Rural for the publication of the plaintiff’s personal data on the cooperative’s bulletin board. The plaintiff stated that the bulletin board, where the information was published, is located in the Caja Rural social centre’s cafeteria, which is a public meeting point for local residents.

The information published on the bulletin board made it possible for any neighbour to identify the plaintiff being part of a group of members expelled for having breached financial obligations with Caja Rural cooperative.

In addition, the plaintiff filed requirements to the Caja Rural’s Governing Council and to the Data Protection Delegate for the bulletin board to be withdrawn.

Dispute

Does the publication of personal data on a bulletin board violate Article 5(1)(f) GDPR?

Holding

The Spanish DPA found Caja Rural had published the plaintiff’s and other member’s personal data in a public document on the bulletin board located in the Caja Rural social centre’s cafeteria, without their consent.

The DPA found the documentation in file provides clear indications that the actions taken by Caja Rural constituted a breach of Article 5(1)(f) GDPR.

In addition, the DPA found the defendant’s actions contravened principles related to the treatment of personal data and the duty of confidentiality by publishing personal information from a list of members, including the plaintiff. This justified imposing a fine pursuant to Article 5(1)(f) GDPR.

Therefore, in light of the violation, the Spanish DPA imposed a €5000 fine in the Caja Rural and ordered the defendant must comply with the technical and organizational measures that guarantee the protection of the member’s personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS / 00058/2020
938-300320

RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and
based on the following:

BACKGROUND

FIRST: Mrs. A.A.A. (hereinafter, the claimant) dated November 13,
2019 filed a complaint with the Spanish Agency for Data Protection. The
The claim is directed against Caja Rural San José de Nules S. Cooperativa de Crédito of the Valencian Community with NIF F12013140 (hereinafter, Caja Rural).

The reasons on which the claim is based are that the Caja Rural is the owner
from a bar located on the ground floor of the offices where your home is located
social, it is a public establishment that is a meeting point of rooted custom
in Nules.

He states that in the dining room of said bar the Caja Rural has installed a
notice board, a list of partners referred to by said advertisement (in total 76) the personal data of the claimant clearly appears identifiable, with their surname and first name (in alphabetical order), (…).

It adds that with this publication, your personal data has been transferred,
so that any neighbor of Nules has identified him as one of the expelled for having breached financial obligations with the Caja Rural.

Thus, Caja Rural in addition to transferring their data to anyone personnel have publicly reported their financial situation.

In addition, it states that said ad has been published at least since last October 25, although the Governing Council adopted said Agreement on October 21 October 2019.

 Along with the claim, the claimant also provides a photograph of the notice board of the Caja Rural, copy of the requirements directed by a part to the Governing Council on November 4 and 5, 2019 and on the other on November 2019 addressed to the Delegate of Data Protection to withdraw the ad.

SECOND: In accordance with article 65.4 of the LOPGDD, which has provided a
mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the intended purposes in article 37 of the aforementioned norm, or to these when it has not designated them,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
1/10

transfer of the claim to the claimed entity to proceed with its analysis and respond to the complaining party and this Agency within one month.

As a result of this process, dated February 11, 2020 Caja Rural states that the Council itself agreed to notify its agreement by edict on the notice board of the registered office of the Entity, in execution of which, on October 21, 2019, with notarial intervention to attest based on the proceedings, the Entity published its decision by edict on said notice board, which is that of its social center located at its registered office.

In addition to having been the means of notification specifically agreed upon by the Advice in this case for the publication of your agreement, the notice board of the Social center is the means that the Entity's own partners have provided to the publication of any news and information of interest and is, therefore, known by all of them and always used for this purpose.

Once the 15-day hearing period required by the Articles 17.2 of the Statutes and 22.5 of the Decree, the Entity proceeded to withdraw the announcement on November 5, 2019.

As for the place where the notice board is located, it is the center company of the Entity, intended for its partners, as reported on the poster located at your input and in your own rules of use and enjoyment.

The claimant addressed the Governing Council of the Entity, through written Date 4 and 5/11/2019, to the DPD, by email dated 6/11/2019.

In response to these writings and email, on 11/22/2019 the Entity delivered by hand to the person authorized by the claimant the answer to your claim. And, it provides the following documentation:

Statutes of the Caja Rural.
Minutes of the Governing Council meeting and notarial certificate attesting to what was done.
Photo of the entrance sign to the social center.
Copy of the poster of the rules of use and enjoyment of said premises.
Copy of the regulatory contract for the cafeteria service.
Answer to the claimant.

On February 19, 2020, the Director of the Spanish Agency for the Protection of
Data, you agree to accept this claim for processing.

THIRD: On March 11, 2020, the Director of the Spanish Agency for Data Protection, agreed to initiate a sanctioning procedure against Caja Rural, with
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), for the alleged violation of article 5.1f) of the RGPD in relation to the Article 5 of the LOPDGDD, typified in article 83.5 a) of the RGPD.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
2/10

FOURTH: Once the aforementioned starting agreement was notified, Caja Rural presented a written allegations in which, in summary, it states that it is a credit union, that, at its own registered office, it has a social center at the exclusive disposal of ist partners.

He adds that the notice board used by Caja Rural for the purpose of informing
and notify your partners is in your social center, it is not a bar.

It also states that the resolutions adopted by the Governing Board of Caja Rural have complied, in any case, with the provisions of the regulatory provisions and
statutory that as a credit union are applicable.

Finally, it indicates that the actions of Caja Rural have in no case been negligent, but diligent, compliant and careful in the best interest of one's own sanctioned and their other partners.

FIFTH: On July 9, 2020, the instructor of the procedure agreed to the opening of a period of practical tests, taking as incorporated the preliminary investigation actions, E / 00091/2020, as well as the documents contributed by Caja Rural.

SIXTH: On September 8, 2020, a resolution proposal is formulated in the following terms:

That the Director of the Spanish Data Protection Agency sanction a Caja Rural San José de Nules S. Coop. Credit of the Valencian Community, with NIF F12013140, for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a fine of 5,000 euros (five thousand euros).

The proposed resolution was notified electronically to the complainant, being the date of availability on September 18, 2020 and the date of acceptance
the same day.

SEVENTH: On October 2, 2020 they have entry into the electronic headquarters of this Agency the allegations of the claimed to the resolution proposal in which
requests that the procedure be filed for having acted, he says, according to
to Right.

In defense of his claim, the respondent reiterates the allegations so far formulated in the initial agreement and, in summary, it adduces the following arguments: “Caixa Rural de Nules carries out its activity at its registered office, established in Nules, province of Castellón, on Calle Mayor No. 66, as provided in article 6 of its Statutes.

The use and enjoyment of the social center is intended solely and exclusively
to members of the Caja Rural San José de Nules. Allow the placement of informational posters of the Entity on the notice board announcements of the social premises.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
3/10

The only reality is that it is a private establishment, intended only and exclusively to the partners.

People who acquire the status of partner of Caixa Rural de Nules, as was the case of the Claimant, they are subject to the rights and obligations provided for in the Statutes of the Entity.

Regarding the initiation of the disciplinary proceedings against the partners of the Entity, that according to article 17 of the Statutes, the partners will have
moment of communication of the initiation of the sanctioning file, which will be carried out by publication of an edict on the notice board of the registered office of the Entity, within a period of 15 calendar days so that the interested parties can carry out the corresponding allegations.

In accordance with this, the Entity published its decision by edict in said board that is the one of its social center located in its registered office, located in the street Mayor, number 66 of the municipality of Nules, province of Castellón.

The personal data that was included in the Council's agreement, including
two of the claimant, were basic data, included the name and surname and only four NIF numbers, the rest of the numbers were hidden with an asterisk in the
random.

In our case, in the same way, when publishing the data, we did it in a scope
for the exclusive use of our partners and by the means by which we also carry out other similar publications known to our partners, such as the list of
partners with voting rights, and as contemplated in the additional provision
third of the Statutes.

Caixa Rural has not acted negligently, it has done so following the legal and statutory procedures to which it is subject as a cooperative of credit".

Of the actions carried out in this procedure and of the documentation in the file, the following have been accredited:

PROVEN FACTS

FIRST: On November 13, 2019, the claimant states that Caja Rural is owner of a social center with cafeteria located on the ground floor of the offices where its registered office is located, is a public establishment that is a point of custom meeting rooted in Nules.

In the dining room of said social center with cafeteria, Caja Rural, has installed
a bulletin board, in this a list of partners was published and the data personal data of the claimant clearly identifiable, with their surname and first name (for
alphabetical order), (…).

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
 4/10

With this publication, your personal data has been transferred, so that any Nules neighbor has identified him as one of those expelled for having unfulfilled financial obligations with Caja Rural.

SECOND: The ad has been published at least since the 25th of October, although the Governing Council adopted said Agreement on October 21, 2019.

THIRD: The photograph on the notice board of the Caja Rural shows that the
personal data of the claimant.

FOURTH: The requirements made by the claimant by a party to the Governing Council of November 4 and 5, 2019 and on the other of November 6 of 2019 addressed to the Delegate of Data Protection so that the advertisement was withdrawn.

FOUNDATIONS OF LAW

I
By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to resolve this procedure.

II
Caja Rural is accused of committing an offense for violation of the Article 5.1.f) of the RGPD, which states that:

"1. The personal data will be:
(…)
f) treated in such a way as to guarantee adequate data security personal data, including protection against unauthorized or illegal processing and against
its loss, destruction or accidental damage, through the application of technical measures or appropriate organizational ("integrity and confidentiality").
(…) "
Article 5, Duty of confidentiality, of the new Organic Law 3/2018, of 5 of December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), points out that:

"1. Those responsible and in charge of data processing as well as all people who intervene in any phase of this will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.

2. The general obligation indicated in the previous section will be complementary to the duties of professional secrecy in accordance with its applicable regulations.

3. The obligations established in the previous sections will be maintained even
when the relationship between the obligated party and the person in charge of the treatment".

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
5/10

On the other hand, article 83.5 a) of the RGPD, considers that the infringement of “the basic principles for processing, including conditions for consent pursuant to articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the mentioned article 83 of the aforementioned RGPD, “with administrative fines of € 20,000,000 at most or, in the case of a company, an amount equivalent to 4% as maximum total annual global business volume of the previous financial year,
opting for the highest amount ”.

The regulation of infractions in the LOPDGDD is more precise in terms of the
situations that give rise to an infringement and its consideration, so that it is
much easier to know the statute of limitations for that offense (that is, if it is
considered mild, serious or very serious) and in view of the administrative sanction to be imposed for its breach.

The LOPDGDD in its article 72, for the purposes of prescription, indicates that they are: "Violations considered very serious:

1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679
are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following:

a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679.
(…) "

III
The documentation in the file offers clear indications that Caja Rural violated article 5 of the RGPD, principles relating to treatment, in relation with article 5 of the LOPGDD, duty of confidentiality, when considering proven the public exposure of a document on the notice board of the cafeteria of the Caja Rural premises a list of partners (among them is the claimant), showing their personal data, and therefore it is understood that the entity claimed violated article 5.1 f) of the RGPD, which governs the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the responsible for the treatment to demonstrate its compliance.

It is important to note that Caja Rural recognizes that the notice board is
always used for this purpose, and that once the period of fifteen days of
audience, the entity proceeded to withdraw the advertisement; and in this sense you have to point out that the hearing procedure is only for those interested, not for everyone who stop by the cafeteria and be unaffected. This is why the
Article 5.1 f) of the RGPD.

The claimant provided the photograph of the Caja Rural notice board, where the data of the claimant, which is perfectly identifiable, where their surnames and names are listed (in alphabetical order) (…).

The duty of confidentiality, previously the duty of secrecy, must It is understood that its purpose is to prevent leaks of data not consented by the owners thereof.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
6/10

Therefore, this duty of confidentiality is an obligation incumbent upon not
only to the person in charge and in charge of the treatment but to everyone who intervenes in any phase of the treatment and complementary to the duty of professional secrecy.

Regarding what is alleged by Caja Rural, it is clear that in this specific case,
acted contrary to the principle of confidentiality enshrined in article 5.1.f) of the RGPD, in relation to article 5 of the LOPDGDD, since Caja Rural revealed through the public exhibition of a document on the notice board announcements of the personal data of the claimant.

IV
Article 58.2 of the RGPD provides the following: “Each control authority
will have all of the following corrective powers listed below:
b) sanction any person responsible or in charge of the treatment with
warning when the processing operations have violated the provisions of
these Regulations;
d) order the person in charge of the treatment that the operations of
processing are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time;
i) impose an administrative fine in accordance with article 83, in addition or in
place of the measures mentioned in this section, depending on the circumstances
of each particular case.

In the present case, it is taken into account that the exposure on the notice board
Ads by Caja Rural, a document with personal data can suppose an omission of the duty to adopt or observe the technical measures and organizational that guarantee the security of said data, avoiding its theft loss or improper access; fact that led to the initiation of this proceeding sanctioner.

In this specific case, Caja Rural must prove that it has adopted a series
of adequate measures to guarantee the security and confidentiality of the data.

V
In determining the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:

"Each supervisory authority will guarantee that the imposition of fines administrative under this article for the infractions of this Regulations indicated in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. "

"Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account:

a) the nature, severity and duration of the offense, taking into account the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
7/10

nature, scope or purpose of the processing operation in question as well as the number of affected stakeholders and the level of damage and damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to mitigate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge of the treatment, taking into account the technical or organizational measures that have
applied by virtue of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
 f) the degree of cooperation with the supervisory authority in order to remedy the violation and mitigate the possible adverse effects of the violation;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement,
in particular if the person in charge or the person in charge notified the infraction and, in such case, to what extent;
i) when the measures indicated in article 58 (2) have been previously ordered against the person in charge or the person in charge in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to mechanisms certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the infringement. "

Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 The following may also be taken into account:

a) The continuing nature of the offense.
b) The linking of the offender's activity with the performance of treatments
of personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have led to the
commission of the offense.
e) The existence of a merger process by absorption after the commission
of the infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not mandatory, a delegate for the protection of data.
h) The submission by the person in charge or in charge, with character voluntary, alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested."

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
8/10

VI
When deciding the imposition of an administrative fine and its amount, in each case individual will take into account the aggravating and mitigating factors that are indicated in art. 83.2 of the RGPD, as well as any other that may be applicable to the circumstances of the case.

Consequently, the following have been taken into account as aggravating factors:

 In the present case we are dealing with unintentional but significant negligent action (article 83.2 b).
 Basic personal identifiers are affected, according to the article 83.2g).

Therefore, in accordance with the applicable legislation and the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE CAJA RURAL SAN JOSE DE NULES S COOP. OF CREDIT OF THE VALENCIAN COMMUNITY, with NIF F12013140, for an infraction of the Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a fine of 5,000 euros (five thousand euros).

SECOND: ORDER from CAJA RURAL SAN JOSE DE NULES S COOP. OF CREDITO DE LA COMUNIDAD VALENCIANA, that the document with data from personal character object of this procedure; must adopt and observe the measures technical and organizational that guarantee the security of the data, avoiding its
theft, loss or improper access; fact that motivated the beginning of the present
sanctioning procedure; having to inform this Agency of this within a period of
month.

THIRD: NOTIFY this resolution to CAJA RURAL SAN JOSE DE NULES S COOP. OF CREDIT OF THE VALENCIAN COMMUNITY, with NIF F12013140.

FOURTH: Warn the sanctioned person that the sanction imposed a Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection Agency in the bank CAIXABANK, S.A .. In case Otherwise, it will be collected in the executive period.

Once the notification has been received and once it is executed, if the date of execution is finds between the 1st and 15th of each month, both inclusive, the deadline to carry out the voluntary payment will be until the 20th of the following or immediately subsequent business month, and if

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.e
9/10

is between the 16th and last days of each month, both inclusive, the term of the
Payment will be up to the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, This Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of month from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be suspended in an administrative way
if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Agency for Data Protection, Presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too must forward to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day after the notification of this resolution, would terminate the precautionary suspension.

Mar Spain Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
 10/10