AEPD (Spain) - PS/00098/2019: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX <!--Information about the DPA--> |Jurisdiction=Spain |DPA-BG-Color=#ffffff; |DPAlogo=logoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) <!--Inf...")
 
 
(6 intermediate revisions by 2 users not shown)
Line 9: Line 9:


<!--Information about the decision-->
<!--Information about the decision-->
|Case_Number_Name=PS/00406/2019
|Case_Number_Name=PS/00098/2019
|ECLI=n/a
|ECLI=n/a


|Original_Source_Name_1=AEPD
|Original_Source_Name_1=AEPD
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00406-2019.pdf
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00098-2019.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=es
|Original_Source_Language__Code_1=es
Line 25: Line 25:
|Outcome=Upheld
|Outcome=Upheld
|Date_Decided=n/a
|Date_Decided=n/a
|Date_Published=21. 2.2020
|Date_Published=25. 2.2020
|Year=2020
|Year=2020
|Fine=2.500
|Fine=none
|Currency=
|Currency=


<!--Information about the applied law-->
<!--Information about the applied law-->
|GDPR_Article_1=Article 5(1)(f) GDPR
|GDPR_Article_1=Article 13 GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1f
|GDPR_Article_Link_1=Article 13 GDPR
|GDPR_Article_2=Article 83(5)(a) GDPR
|GDPR_Article_2=
|GDPR_Article_Link_2=Article 83 GDPR#5a
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_3=
|GDPR_Article_Link_3=
|GDPR_Article_Link_3=
Line 72: Line 72:
|GDPR_Article_Link_20=
|GDPR_Article_Link_20=


|Party_Name_1=Anoymous Vs. Electric Renting Groups, S.L
|Party_Name_1=Anoymous  
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=Vs. DIRECCIÓN  GENERAL DE LA GUARDIA  CIVI
|Party_Link_2=
|Party_Link_2=
|Party_Name_3=
|Party_Name_3=
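Review bot: The new party fields in this hunk need cleanup before the revision is accepted. `Party_Name_1=Anoymous` keeps the misspelling of "Anonymous" from the previous revision. The new `Party_Name_2` value ends at "GUARDIA CIVI", which looks truncated, and it contains runs of double spaces. The "Vs." prefix is also stored inside the name field, so anything that lists or links parties by name will pick it up as part of the respondent's name. Suggest putting only the respondent's full name in `Party_Name_2` and leaving the "Vs." separator to the template.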
Line 83: Line 83:
|Party_Link_5=
|Party_Link_5=


n/a
<!--Information about a possible appeal-->
| n/a}}
|Appeal_To_Body=n/a
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|
}}


The APED fined 2.500 € a data controller for sending advertisement email without blind carbon copy (Bcc) the email recipients. By disclosing the email addresses of the recipient, the company violated the principle of integrity and confidentiality – Article 5(1)(f) GDPR-.  
The AEPD issued a reprimand to the Directorate-General of the Spanish Civil Guard for a lack of transparency. The data controller did not provide information to the data subjects who filled out the travel permit form with their personal data, as required by Article 13 GDPR.


==English Summary==
==English Summary==


===Facts===
===Facts===
A citizen filed a complaint with the AEPD against Electric Renting Groups, S.L for sending an advertisement email and disclosing the recipients of this email. Indeed, the company, which acted as a data controller, sent the email without confining the dozens of email recipients in blind carbon copy (Bcc:).
A citizen had to give his personal details, as well as his daughter’s personal details when filling the official form aimed at authorizing underage children travelling (“travel permit”) provided by the Directorate-General of the Spanish Civil Guard. While completing the travel permit with the personal data required, the citizen noticed that no information was given regarding the collection of personal data, and the purposes of the processing, or about the recipients. The citizen – the complainant – filed a complaint with the AEPD claiming the unlawfulness due to the lack of information concerning personal data required, under Article 13 GDPR.  
 
The AEPD informed the controller about the complaint and give them 1 month to reply.
 
After not obtaining any reply from the controller, the AEPD agreed to initiate investigations against the data controller for the alleged infringement of Article 5(1)(f) GDPR, the principle of integrity and confidentiality. The AEPD gave the controller another 10 days to reply to the allegations.
 
The controller failed to reply to the AEPD.


===Dispute===
===Dispute===
Does the disclosure of dozens email addresses constitute a GDPR violation?  
Does the travel permit form provide for the mandatory information, as foreseen by Article 13 GDPR?  


===Holding===
===Holding===
The AEPD ruled that the sending of email without Bcc: the email recipients constituted a violation of the principle of integrity and confidentiality (Article 5(1)(f) GDPR), as well as the principle of proactive responsibility of the data controller.  
The AEPD ruled that the form used to allow underage children travelling did not provide the mandatory information, as required by Article 13 GDPR.  


Consequently, the APED decided to issue a fine of 2.500 € for the violation of the principle of integrity and confidentiality, pursuant to Article 83(5)(a) GDPR.  
As a consequence, the AEPD issued a reprimand to the Directorate-General of the Spanish Civil Guard for the violation of Article 13 GDPR.  
   
   
==Comment==
==Comment==

Latest revision as of 13:59, 13 December 2023

AEPD - PS/00098/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: n/a
Published: 25. 2.2020
Fine: none
Parties: Anonymous
Vs. DIRECCIÓN GENERAL DE LA GUARDIA CIVI
National Case Number/Name: PS/00098/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in es)
Initial Contributor: n/a

The AEPD issued a reprimand to the Directorate-General of the Spanish Civil Guard for a lack of transparency. The data controller did not provide information to the data subjects who filled out the travel permit form with their personal data, as required by Article 13 GDPR.

English Summary

Facts

A citizen had to provide his own personal details and those of his daughter when filling in the official form that authorises minors to travel (“travel permit”), provided by the Directorate-General of the Spanish Civil Guard. While completing the travel permit with the personal data required, the citizen noticed that no information was given about the collection of personal data, the purposes of the processing, or the recipients. The citizen, as complainant, filed a complaint with the AEPD alleging that the processing was unlawful because the form gave no information about the personal data required, as Article 13 GDPR demands.

Dispute

Does the travel permit form provide the mandatory information required by Article 13 GDPR?

Holding

The AEPD ruled that the form used to authorise travel by minors did not provide the mandatory information required by Article 13 GDPR.

As a consequence, the AEPD issued a reprimand to the Directorate-General of the Spanish Civil Guard for the violation of Article 13 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.

to be completed