AEPD (Spain) - PS/00095/2020

From GDPRhub
AEPD - PS/00095/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(f) GDPR
Article 83(5) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 21.08.2020
Published: 21.08.2020
Fine: None
Parties: Ayuntamiento de Burgos (Burgos City Hall)
National Case Number/Name: PS/00095/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA held that sending an e-mail without using the BCC (Blind Carbon Copy) option is an infringement of Article 5(1)(b) and (f) GDPR. In particular, the sharing of the complainant's e-mail address with third parties without the owner's prior consent is unlawful.

English Summary


In the context of a conciliation procedure, the Burgos City Council summoned the conflicting parties via email. In doing so, the Council did not use the BCC option therefore disclosing the email address of one of the parties involved and other personal data. The affected party filed a complaint with the Spanish DPA.


Is the sharing via email of the ID card and a complaint made with the parties of an arbitration settlement without using the BCC option a violation of Article 5 (1) GDPR?


The Spanish DPA imposed a warning penalty on the Municipality of Burgos, under Article 83 (5) GDPR, for infringing Articles 5(1)(b) GDPR and 5(1)(f) GDPR. The Spanish DPA also requested Burgos City Council to prove within one month that it had adopted the necessary measures to comply with the principles of "purpose limitation" and "integrity and confidentiality" under Article 5(1)(b) and (f) of the GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Style ID: PS/00095/2020
From the procedure instructed by the Spanish Data Protection Agency and in
based on the following
FIRST: A.A.A. (hereinafter the complainant) dated 3 October 2019 filed a claim before the Spanish Data Protection Agency. The claim is addressed against CITY COUNCIL OF BURGOS with NIF P0906100C (hereinafter the claimed).
The reasons on which the complaint is based are that, together with the summons of the act of
conciliation sent by e-mail to the parties, the Arbitration Board sent the complaint made and a copy of your ID card. The complainant states that it has been revealed your e-mail address to the defendant by not using the BCC option to make the shipment.

SECOND: This claim was transferred to the respondent on 20 November 2019, requesting it to submit within one month to this Agency, information on the response given to the complainant on the facts denounced, as well as the causes that have led to the impact and the measures taken.

They reply that they have sent all the information to the parties and to the court, so as not to cause defenselessness.

THIRD: On 9 June 2020, the Director of the Spanish Data Protection agreed to initiate sanctioning procedures against the respondent, by the alleged violation of Article 5.1(f) of the GDPR, Article 5.1(b) of the GDPR, as set out in Article 83.5 of the GDPR.

FOURTH: On 10 June 2020, the agreement to initiate this procedure, the same becoming a motion for a resolution in accordance with Articles 64.2.f) and 85 of Law 39/2015 of 1 October on Procedure Common Administration of Public Administration (LPACAP), as it does not allegations within the above-mentioned time limit.

In the light of the above, the following are considered to be proven facts in these proceedings,
FIRST: It is reported that as a consequence of the summons of the conciliation act, the by not using the BCC option to send this complaint, has given to make his e-mail address known to the other parties to the proceedings in which is incurred, without his consent.

SECOND: the complainant has not made any allegations during the procedure.

By virtue of the powers conferred on each authority by Article 58(2) of the GPRS control, and in accordance with Articles 47 and 48.1 of the LOPDPGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.
Article 6.1 of the RGPD establishes the cases in which the following may be considered lawful processing of personal data.
For its part, Article 5 of the RGPD establishes that personal data will be "(a) processed in a lawful, fair and transparent manner in relation to the data subject ("legality, fairness and transparency");
(b) collected for specified, explicit and legitimate purposes and not treated subsequently in a manner incompatible with those purposes; in accordance with Article 89,
paragraph 1, the further processing of personal data for archiving purposes in the interest public, scientific and historical research or statistical purposes shall not be considered incompatible with the initial purposes ("purpose limitation");
(c) adequate, relevant and limited to what is necessary in relation to the purposes for those that are processed ("data minimization");
(d) accurate and, where necessary, updated; all measures shall be taken to have personal data deleted or rectified without delay if they are inaccurate with respect to the purposes for which they are intended ("accuracy");
(e) kept in a form which permits identification of the data subjects during no longer than is necessary for the purposes of processing the personal data; the personal data may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, for scientific research purposes or historical or statistical purposes, in accordance with Article 89(1), without prejudice the implementation of the appropriate technical and organisational measures imposed by this Regulation to protect the rights and freedoms of the data subject ("time limit of conservation");
(f) processed in such a way as to ensure adequate security of the data including the protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the application of technical or appropriate organisational arrangements ("integrity and confidentiality").

The controller shall be responsible for compliance with the provisions in paragraph 1 and able to demonstrate it ("proactive responsibility")."

On the basis of the evidence available, it is considered that the reported facts, that is, to send the e-mail address and the ID card of the without using the BCC option to make the delivery, it is a violation of the
principles of "purpose limitation" and "integrity and confidentiality" regulated in the Article 5.1 b) and f) of the RGPD, as well as the proactive responsibility of the person in charge of attempt to demonstrate compliance.

Article 58(2) of the GDPR provides: "Each supervisory authority shall have all of the following corrective powers listed below: 

(b) sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation;

(d) instruct the controller or processor to ensure that the processing operations treatment in accordance with the provisions of this Regulation, where appropriate, of in a certain way and within a specified time frame;

(i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, according to the circumstances of each case particular; Article 83.5 of the GDPR establishes that infringements affecting "(a) the basic principles for processing, including the conditions for
consent under articles 5, 6, 7 and 9; Article 72.1.a) of the LOPDGDD states that "in accordance with the
Article 83(5) of Regulation (EU) 2016/679 is considered very serious and will be prescribed to three years for infringements involving a substantial breach of the articles mentioned in that one and, in particular, the following:

a) The processing of personal data in violation of the principles and guarantees set out in Article 5 of Regulation (EU) 2016/679

The LOPDGDD in its Article 77, Regime applicable to certain categories of the Spanish Data Protection Authority, which is responsible for or in charge of the processing, establishes the following:

"1. The regime established in this Article shall be applicable to the processing of those who are responsible or in charge:
a) The constitutional or constitutionally relevant bodies and institutions of the autonomous communities analogous to them. 
b) The courts.
c) The General State Administration, the Administrations of the Communities
The local authorities and the entities that make up the local administration.
d) Public bodies and public law entities linked to or
dependent on the Public Administrations.
e) The independent administrative authorities.
f) The Banco de España.
g) public law corporations when the purpose of the processing related to the exercise of public law powers.
h) Public sector foundations.
i) Public universities.
j) Consortia.
k) Parliamentary groups in the Cortes Generales and the Assemblies Autonomous Community legislation, as well as the political groups of the Corporations Premises.

2. When the persons responsible or in charge listed in paragraph 1committed any of the offences referred to in Articles 72 to 74 of this law, the competent data protection authority shall issue resolution sanctioning them with a warning. The resolution will establish also the measures to be taken to bring about the cessation of the conduct or the correction of effects of the infringement that has been committed.

The decision will be notified to the controller or processor, to the on which it is hierarchically dependent if any, and to those affected who have the status of an interested party, if any. 

Without prejudice to the provisions of the previous paragraph, the protection authority shall also propose the initiation of disciplinary proceedings where there is sufficient evidence for this. In this case, the procedure and sanctions to be applied shall be those laid down in the legislation on disciplinary or sanctioning regimes that is applicable.
Likewise, when the infringements are attributable to authorities and managers and prove the existence of technical reports or recommendations for treatment that do not have been properly addressed, the resolution imposing the sanction shall include a warning with the name of the responsible position and order the publication in the corresponding Official State or Autonomous Community Gazette.
4. Resolutions shall be communicated to the data protection authority to be imposed in respect of the measures and actions referred to in paragraphs previous.
5. The following shall be communicated to the Ombudsman or, where appropriate, to the institutions
the actions are taken and the resolutions adopted by the autonomous communities issued under this article.
6. When the competent authority is the Spanish Agency for the Protection of Data, it will publish on its website with due separation the resolutions referring to the entities in paragraph 1 of this article, with the express indication of the identity of the controller or processor who committed the breach.
When the competence corresponds to an autonomous authority for the protection as far as the publicity of these resolutions is concerned, the provisions of the specific regulations".
Among the corrective powers provided for in Article 58 of the GDPR, in its paragraph 2(d) provides that each supervisory authority may "instruct the person responsible or processing operations in accordance with the rules of the European Union provisions of this Regulation, where appropriate, in a certain way and
within a specified time frame...". The imposition of this measure is compatible with the Penalty consisting of an administrative fine, as provided for in Article 83.2 of the GDPR.

Therefore, in accordance with the applicable legislation and assessed graduation of penalties whose existence has been established, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on the CITY COUNCIL OF BURGOS, with NIF P0906100C, an infringement of Article 5.1.f) of the GPRS, and Article 5.1.b) of the GPRS, as defined in Article 83.5 of the RGPD, a warning sanction.

SECOND: REQUIRE the party complained of to prove within one month before this body to comply with:
the adoption of all necessary measures to ensure that the entity denounced acts in accordance with the principles of "purpose limitation" and "integrity and confidentiality" of art. 5.1 b) and f) of the RGPD respectively.

THIRD: To communicate this resolution to the Ombudsman, in accordance with the provisions of Article 77.5 of the LOPDGDD.


In accordance with the provisions of Article 50 of the LOPDGDD, this decision will be made public after it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of
the LOPDGDD, and in accordance with Article 123 of the LPACAP, the parties concerned may lodge an appeal for reconsideration with the Director of the Spanish Data Protection Agency within one month of
day after notification of this decision or directly by way of an appeal before the Administrative Chamber of the National Court of Justice, in accordance with Article 25 and the fourth additional provision, paragraph 5
of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months of notification of this act, in accordance with the provisions of Article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP the final decision may be suspended as a precautionary measure through administrative channels if the interested party
expresses its intention to lodge an administrative appeal. In this case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, presenting it through the Registry
Electronic Agency [], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. 

You must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency does not have knowledge of the lodging of the contentious-administrative appeal within two months from the day following the notification of this resolution, I would the precautionary suspension has ended.

Mar España Martí
Director of the Spanish Data Protection Agency