AEPD (Spain) - PS/00128/2020: Difference between revisions

From GDPRhub
(minor)
 
(No difference)

Latest revision as of 14:02, 13 December 2023

AEPD - PS/00128/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(13) GDPR
Article 6(1)(b) GDPR
Article 9(2)(b) GDPR
Article 13 GDPR
Article 83(5)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 25.02.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: PS/00128/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish Data Protection Agency (AEDP) imposed a warning sanction on a local council for using a biometric control system to monitor the working hours of employees without having informed them in accordance with Article 13 GDPR.

English Summary

Facts

The AEPD received a letter filed by the interested party against the respondent stating that on 20 March 2019, he addressed requesting information on the fingerprint clocking control in accordance with the provisions of the regulations on the protection of personal data, without having received a response to this request.

The AEPD initiated an investigation procedure, to which the City Council responded with a Security Document in which it reports in accordance with the provisions of the GDPR and points out, among other things, that the body used a fingerprint detection system to control presence and access to its facilities, which does not perform a biometric analysis at any time, but rather produces an identification algorithm based on a reading of several points of the personal fingerprint and that the algorithm data cannot be decrypted or disassembled by any unauthorized entity.

And in response to a new request for information, the Council sent a report including the impact assessment on the processing of fingerprint data for the control of employee presence.

Dispute

Is the use of biometric data to monitor working time without informing data subjects a breach of Article 13 GDPR?

Holding

The AEPD held that the facts complained of involving the violation by the City Council of the provisions of Article 13 of the RGPD, by not informing of the processing provided for in relation to the fingerprint clocking control.

As the investigated party is a public administration, the AEPD applies Article 77 LOPDGDD, according to which a warning sanction must be applied when the offence is committed by a public administration.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/13
















     Procedure No.: PS / 00128/2020


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                   BACKGROUND

FIRST: The claim filed by D. A.A.A. (hereinafter, the claimant)
has entry dated 05/07/2019 in the Spanish Agency for Data Protection.
The claim is directed against CITY COUNCIL OF *** LOCALIDAD.1, with NIF

P3002000B (hereinafter, the claimed one). The reasons on which you base the claim are
In short: that on 03/20/2019 he wrote to the complained party requesting information
on certain questions related to the control of transfer by fingerprint
fingerprint, without a response to the request made to date.


SECOND: Upon receipt of the claim, the General Sub-Directorate of
Data Inspection proceeded to carry out the following actions:

On 07/01/2019, the claim submitted for analysis was transferred to the defendant
and communication to the complainant of the decision taken in this regard. Likewise,
required him to send within a month to the determined Agency

information:

       - Copy of the communications, of the adopted decision that has been sent to the
       claimant regarding the transfer of this claim, and accreditation that
       the claimant has received the communication of that decision.

       - Report on the causes that have motivated the incidence that has originated the
       claim.
       - Report on the measures adopted to prevent the occurrence of
       similar incidents.
       - Any other that you consider relevant.


On 08/08/2019, in response to the request for information, a document is provided
Security where it is reported in accordance with the provisions of the RGPD and indicates,
among others, that the agency used as a control of presence and access to its
facilities a fingerprint detection system that does not perform in any
moment a biometric analysis, but elaborates an identification algorithm as a result of

a multi-point reading of the personal fingerprint and that the algorithm data does not
they can be decrypted or disassembled by any unauthorized entity.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/13








And in response to a new request for information, in writing dated 10/21/2019, it provided the
report on impact evaluation on the treatment of fingerprint data
to control the presence of employees.


THIRD: On 11/25/2019, in accordance with article 65 of the LOPDGDD, the
Director of the Spanish Agency for Data Protection agreed to admit for processing the
claim filed.

FOURTH: On 09/30/2020, the Director of the Spanish Protection Agency

of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged
infringement of article 13 of the RGPD, contemplated in article 83.5.b) of the aforementioned
Regulation, considering that the sanction that could correspond would be that of
awareness.


FIFTH: Notified the initiation agreement, the one claimed at the time of the present
resolution has not submitted a brief of allegations, so it is applicable
indicated in article 64 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations, which in its section f)
establishes that in case of not making allegations within the term provided on the
content of the initiation agreement, it may be considered a proposal for

resolution when it contains a precise statement about the responsibility
imputed, for which a Resolution is issued.

SIXTH: Of the actions carried out in this proceeding, there have been
accredited the following:



                                PROVEN FACTS

FIRST: The 05/07/2019 has a written entry in the AEPD presented by the

interested party against the defendant stating that on 03/20/2019 he addressed the same
requesting information on the control of transfer by fingerprint of
in accordance with the provisions of the regulations on data protection of
personal character, without a response to said
request.


SECOND: It is provided by the claimant a letter addressed to the defendant requesting
the information in accordance with the GDPR.

THIRD: It is provided by the complained party by writing of 10/21/2019 Report
of Impact Evaluation of the treatment of the fingerprint data for control of

presence of employees. It also provides a security document and document
Syon Company, Soluciones & Identification, on the fingerprints of the
workers.



                           FOUNDATIONS OF LAW

                                           I


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/13








        By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate

and to solve this procedure.

                                             II
        Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations, in its article 64 “Agreement of initiation in the
procedures of a sanctioning nature ”, provides:


        "1. The initiation agreement will be communicated to the instructor of the procedure, with
transfer of how many actions exist in this regard, and the interested parties will be notified,
understanding in any case the accused as such.
        Likewise, the initiation will be communicated to the complainant when the regulations

regulating the procedure so provide.

        2. The initiation agreement must contain at least:

        a) Identification of the person or persons allegedly responsible.
        b) The facts that motivate the initiation of the procedure, its possible

        qualification and the sanctions that may correspond, without prejudice to what
        result of the instruction.
        c) Identification of the instructor and, where appropriate, Secretary of the procedure, with
        express indication of the regime of challenge of the same.
        d) Competent body for the resolution of the procedure and regulation that

        attributes such competence, indicating the possibility that the alleged
        responsible can voluntarily acknowledge their responsibility, with the
        effects provided for in article 85.
        e) Provisional measures that have been agreed by the body
        competent to initiate the sanctioning procedure, without prejudice to those that

        can be adopted during the same in accordance with article 56.
        f) Indication of the right to make allegations and to the hearing in the
        procedure and the deadlines for its exercise, as well as an indication that, in
        case of not making allegations within the term provided on the content of the
        initiation agreement, this may be considered a resolution proposal
        when it contains a precise statement about liability

        charged.

        3. Exceptionally, when at the time of issuing the initiation agreement
there are not enough elements for the initial qualification of the facts that motivate
the initiation of the procedure, the aforementioned qualification may be carried out in a phase

later by preparing a Statement of Charges, which must be notified to
the interested".

        In application of the previous precept and taking into account that they have not
formulated allegations to the initiation agreement, it is necessary to resolve the procedure initiated.


                                            III
        The legitimacy for the treatment of the fingerprint for the control of the
workers by the employer we must look for it in article 9 and 6 of the RGPD.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/13









       Article 9 of the RGPD establishes in its sections 1 and 2.b) the following:


       "1. The processing of personal data that reveal the origin is prohibited
ethnic or racial, political opinions, religious or philosophical convictions, or
union membership, and the treatment of genetic data, biometric data directed to
uniquely identify a natural person, data related to health or data
relating to the sexual life or sexual orientations of a natural person.


       2. Section 1 shall not apply when one of the
following circumstances:

       b) the treatment is necessary for the fulfillment of obligations and the
exercise of specific rights of the person responsible for the treatment or of the interested party

the field of labor law and social security and protection, insofar as
authorized by the law of the Union of the Member States or a convention
collective agreement in accordance with the law of the Member States that establishes guarantees
adequate respect for fundamental rights and the interests of the
interested."


       Article 6.1.b) of the RGPD indicates:

       "1. The treatment will only be lawful if at least one of the following is met
terms:


       b) the treatment is necessary for the performance of a contract in which the
interested is part or for the application at the request of this of measures
pre-contractual. "

       The defendant has legitimacy, based on the indicated regulations, to

carry out labor control of its workers, provided that it meets the requirements
indicated in the sixth Law Foundation.

       The facts claimed imply the violation by the City Council of
what is indicated in article 13 of the RGPD, by not informing about the treatment provided in
regarding the fingerprint check-in control, in accordance with the

pronouncements established in the aforementioned article.

       This article determines the information that must be provided to the interested party.
at the time of data collection, establishing the following:


       Article 13. Information that must be provided when personal data is
obtained from the interested party.

       1. When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide

all the information indicated below:

       a) the identity and contact details of the person in charge and, where appropriate, of their
       representative;

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/13








        b) the contact details of the data protection officer, if applicable;
        c) the purposes of the treatment to which the personal data are destined and the basis
        legal treatment;

        d) when the treatment is based on article 6, paragraph 1, letter f), the
        legitimate interests of the person in charge or of a third party;
        e) the recipients or categories of recipients of personal data,
        in your case;
        f) where appropriate, the intention of the person responsible to transfer personal data to a
        third country or international organization and the existence or absence of a

        Commission adequacy decision, or, in the case of transfers
        indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph,
        reference to adequate or appropriate guarantees and means of obtaining
        a copy of these or the fact that they have been loaned.


        2. In addition to the information mentioned in section 1, the person responsible for the
treatment will facilitate the interested party, at the time the data is obtained
personal information, the following information necessary to guarantee data processing
loyal and transparent:

        a) the period during which the personal data will be kept or, when not

        where possible, the criteria used to determine this deadline;
        b) the existence of the right to request the data controller for access
        to the personal data relating to the interested party, and its rectification or deletion, or
        the limitation of its treatment, or to oppose the treatment, as well as the
        right to data portability;

        c) when the treatment is based on article 6, paragraph 1, letter a), or the
        Article 9, paragraph 2, letter a), the existence of the right to withdraw the
        consent at any time, without affecting the legality of the
        treatment based on consent prior to withdrawal;
        d) the right to file a claim with a supervisory authority;

        e) if the communication of personal data is a legal or contractual requirement, or
        a necessary requirement to enter into a contract, and if the interested party is
        obliged to provide personal data and is informed of the possible
        consequences of not providing such data;
        f) the existence of automated decisions, including profiling, to
        referred to in article 22, paragraphs 1 and 4, and, at least in such cases,

        meaningful information about the applied logic, as well as the importance and
        expected consequences of said treatment for the interested party.

        3. When the person responsible for the treatment plans the subsequent treatment of
personal data for a purpose other than that for which it was collected,

will provide the interested party, prior to said further processing, information
on that other purpose and any additional relevant information pursuant to section 2.

        4. The provisions of sections 1, 2 and 3 shall not apply when and in
the extent to which the interested party already has the information ”.


                                            IV
        In the present case, the claimant wrote to the defendant
requesting information on fingerprint control,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/13








Considering that the regulations regarding the protection of
data without obtaining a response to said request.


       The documentation provided to the file does not contain the answer offered to the
claimant and, as stated in the second precedent in response to the
informative request sent by the AEPD the claimed provides Document is
Security in accordance with the provisions of the RGPD, noting that the body
local used this system of presence and access control to its facilities that
does not involve a biometric analysis at any time, but rather a

identification algorithm as a result of a reading of several points of the personal fingerprint and
that the algorithm data cannot be decrypted or disassembled by any
unauthorized entity. The report on Impact Assessment was also provided
in the treatment of the fingerprint data to control the presence of the
employees.


       In relation to the issues raised in this case, first of all
It should be noted that the implementation and integration of a time control system
based on the employer's fingerprint, must be informed to the
employees in a complete, clear, concise manner and, in addition, the aforementioned information must
be completed with reference to both the legal bases that cover said type

access control, as well as the basic information referred to in the
Article 13 of the RGPD.

       In the case examined, it is true that the respondent's response to the
writing submitted by the claimant in which he requested to be informed of the moment in

that the information was provided to the workers of the fingerprint check-in system
fingerprint and reiterate such information.

       Second, the installation of a control system based on the collection
and treatment of the fingerprint of the employees implies the treatment of their data

personal since personal data is all that information about a person
physical identified or identifiable in accordance with article 4.1 of the RGPD.

       As for the fingerprint, it is also data that must be qualified.
two as biometric data and in accordance with article 4.14 of the RGPD have this
consideration when they have been “obtained from a technical treatment

specific, relating to the physical, physiological or behavioral characteristics of a
natural person that allow or confirm the unique identification of said person,
such as facial images or fingerprint data ”.

       This means that, in accordance with article 9.1 of the RGPD, in the case

present, the specific regime provided for special categories is applied to them
of data provided for in article 9 of the RGPD.

       In this sense, recital 51 of the RGPD highlights the nature of
restrictive with which the processing of these data can be admitted:


       “(51) ... Such personal data should not be processed, unless it is allowed
its treatment in specific situations contemplated in this Regulation,
given that Member States may lay down provisions

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/13








specific data protection in order to adapt the application of the
rules of this Regulation to the fulfillment of a legal obligation or to the
fulfillment of a mission carried out in the public interest or in the exercise of powers

public conferred to the person in charge of the treatment. In addition to the requirements
specific to that treatment, the general principles and other
rules of this Regulation, especially with regard to the conditions of
legality of the treatment. Exceptions to the
general prohibition of treatment of these special categories of personal data,
among other things when the interested party gives their explicit consent or in the case of

specific needs, in particular when the treatment is carried out in the
framework of legitimate activities by certain associations or foundations whose
The objective is to allow the exercise of fundamental freedoms.

       And recital 52 indicates that


       “(52) Likewise, exceptions to the prohibition to treat
special categories of personal data when established by the Law of the
Union or Member States and provided that appropriate guarantees are given, in order to
to protect personal data and other fundamental rights, when it is in the interest
public, in particular the processing of personal data in the field of legislation

labor law, legislation on social protection, including pensions and for the purposes of
safety, supervision and health alert, prevention or control of diseases
communicable and other serious threats to health ... "

       In accordance with these considerations, the processing of biometric data from

special categories will require, in addition to the concurrence of one of the bases
legal provisions established in article 6 of the RGPD, any of the exceptions provided
in article 9.2 of the RGPD.

       The analysis of the legal basis of legitimacy to carry out this treatment comes

of article 6 of the RGPD, regarding the legality of the treatment, which in its section 1, letter
b) states: “The treatment will be lawful if at least one of the following is met
conditions: (…) b) the treatment is necessary for the execution of a contract in the
that the interested party is part of or for the application at his request of measures
pre-contractual (…) ”.


       By virtue of this precept, the treatment would be lawful and would not require the
consent, when the data processing is carried out for the fulfillment of
contractual relationships of a labor nature.

       This precept would also cover the data processing of the

public employees, even if their relationship is not strictly contractual. There are
It should be noted that on occasions, in order to fulfill its obligations in relation to
with public employees, the Administration has to carry out treatment of
certain data referred to in the RGPD, in its article 9, as "categories
special data ”.


       On the other hand, and as highlighted in recital 51 of the same RGPD,
insofar as biometric data is of a special category in the cases
of biometric identification (art. 9.1 RGPD), it will be necessary for one of the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/13








the exceptions provided in article 9.2 of the RGPD that would allow lifting the
general prohibition of the treatment of these types of data established in the article
9.1.


       At this point, special mention must be made of letter b) of article 9.2 of the
RGPD, according to which the general prohibition of biometric data processing does not
it will be applied when “the treatment is necessary for the fulfillment of
obligations and the exercise of specific rights of the person responsible for the treatment or
of the interested party in the field of labor law and social security and protection,

to the extent authorized by the Union law of the Member States or
a collective agreement in accordance with the law of the Member States that establishes
adequate guarantees of respect for fundamental rights and the interests of the
interested".


       In Spanish law, article 20 of the Consolidated Text of the Statute of
workers (TE), approved by Royal Legislative Decree 2/2015, of 23
October, foresees the possibility for the employer to adopt surveillance measures and
control to verify compliance with the labor obligations of their
workers:


       "3. The employer may adopt the measures he deems most appropriate in
surveillance and control to verify compliance by the worker with his obligations
and labor duties, keeping in their adoption and application the consideration due to
their dignity and taking into account, where appropriate, the actual capacity of the workers
with disabilities ”.


       And in the Basic Statute of the Public Employee, approved by Royal Decree
Legislative 5/2015, of October 30, in its article 54 in relation to the principles of
conduct of public employees indicates: “The unemployment of the tasks
corresponding to your job will be diligently enhanced and complying with the

established day and schedule "

       It should also be noted that the basic legislation of the local government attributes the
Mayor President of the Corporation the direction of the government and administration
municipal as well as to exercise the superior direction of the personnel at the service of the
Municipal administration.


       The possibility of using data-based systems is undeniable
biometric to carry out access and time control, although it does not seem
that is or should be the only system that can be used: thus the use of cards
personal codes, the use of personal codes, the direct visualization of the

marking, etc., which may constitute, by themselves or in combination with any of the
the other systems available, equally effective measures to carry out the
control.

       In any case, prior to the decision on the start-up

of such a control system and taking into account its implications,
processing of biometric data aimed at uniquely identifying a
natural person, it would be mandatory to carry out an impact assessment regarding the
protection of personal data to evaluate both the legitimacy of the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/13








treatment and its proportionality as the determination of the existing risks and
the measures to mitigate them in accordance with the provisions of article 35 RGPD.


       In the present case, it must be stated that the entity has accredited the
mandatory impact assessment related to data protection regulated in the
Article 35 of the RGPD providing the corresponding document.


                                            SAW

       Biometric data is closely linked to a person, given
who can use a certain unique property of an individual for their
identification or authentication.

       According to Opinion 3/2012 on the evolution of biometric technologies,

“Biometric data irrevocably changes the relationship between the body and the
identity, as they make the characteristics of the human body legible
by machines and are subject to further use. "

       In relation to them, the Opinion specifies that it is possible to distinguish different types of
treatments by stating that “Biometric data can be processed and stored in

different ways. Sometimes the biometric information captured from a person is
stored and treated raw, allowing the source from which it came to be recognized without
special knowledge; for example, a photograph of a face, a photograph of a
fingerprint or voice recording. Other times, raw biometric information
captured is treated in such a way that only certain characteristics or traits are extracted and

they are saved as a biometric template. "

       The processing of these data is expressly permitted by the RGPD
when the employer has a legal basis, which is usually his own
Work contract. In this regard, the STS of July 2, 2007 (Rec. 5017/2003), has

legitimately understood the treatment of biometric data carried out by the Administration
for the time control of its public employees, without requiring the
prior consent of workers.

       However, the following should be noted:


       O The worker must be informed about these treatments.

       O The principles of limitation of the purpose, necessity,
proportionality and data minimization.


       In any case, the treatment must also be adequate, pertinent and not
excessive in relation to that purpose. Therefore, biometric data other than
necessary for that purpose should be suppressed and creation will not always be justified.
of a biometric database (Opinion 3/2012 of the Art. 29 Working Group).


       O Use of biometric templates: Biometric data must be stored
as biometric templates whenever possible. The template should be taken from
a way that is specific to the biometric system in question and not used
by other data controllers of similar systems in order to ensure that

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/13








a person can only be identified in biometric systems that have
a legal basis for this operation.


       O The biometric system used and the security measures chosen must
ensure that reuse of the biometric data in question is not possible
for another purpose.

       O Mechanisms based on encryption technologies should be used, in order to
prevent unauthorized reading, copying, modification or deletion of biometric data.


       O Biometric systems should be designed so that they can be revoked
the identity bond.

       O You must choose to use data formats or specific technologies that

make it impossible to interconnect biometric databases and disclose data
not verified.

       O Biometric data should be deleted when they are not linked to the
purpose that motivated their treatment and, if possible, they should be implemented
automated data deletion mechanisms.


                                               SAW
       Article 83.5. b) of the RGPD, considers that the infringement of “the rights of
the interested parties according to articles 12 to 22 ”, is punishable, in accordance with the
paragraph 5 of the aforementioned article 83 of the aforementioned Regulation, “with fines

administrative fees of € 20,000,000 maximum or, in the case of a company, a
an amount equivalent to a maximum of 4% of the total global annual business volume of the
previous financial year, opting for the one with the highest amount ”.

       The LOPDGDD in its article 71, Infractions, states that:


       “The acts and conducts referred to in the
paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that
are contrary to this organic law ”.

       The LOPDGDD in its article 72 indicates for the purposes of prescription: "Infractions

considered very serious:

       "1. Based on the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that and, in

in particular, the following:
       (…)
       h) The omission of the duty to inform the affected party about the treatment of their
       personal data in accordance with the provisions of articles 13 and 14 of the
       Regulation (EU) 2016/679 and 12 of this organic law.

       (…) "

                                           VII


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/13








       However, the LOPDGDD in its article 77, Regime applicable to
certain categories of controllers or those in charge of the treatment, establishes the
following:


       "1. The regime established in this article will be applied to the treatments
of those who are responsible or in charge:

       a) The constitutional bodies or those with constitutional relevance and the
       institutions of the autonomous communities analogous to them.

       b) The jurisdictional bodies.
       c) The General State Administration, the Administrations of the
       autonomous communities and the entities that make up the Local Administration.
       d) Public bodies and public law entities linked to or
       dependent on Public Administrations.

       e) The independent administrative authorities.
       f) The Bank of Spain.
       g) Public law corporations when the purposes of the treatment
       are related to the exercise of powers of public law.
       h) Public sector foundations.
       i) Public Universities.

       j) Consortia.
       k) The parliamentary groups of the Cortes Generales and the Assemblies
       Legislative autonomic, as well as the political groups of the Corporations
       Local.


       2. When the managers or managers listed in section 1
commit any of the offenses referred to in articles 72 to 74 of
this organic law, the competent data protection authority will dictate
resolution sanctioning them with warning. The resolution will establish
Likewise, the measures to be adopted to stop the behavior or to correct it

the effects of the offense that had been committed.

       The resolution will be notified to the person in charge of the treatment, at
body on which it depends hierarchically, where appropriate, and those affected who have
the condition of interested party, if applicable.


       3. Without prejudice to the provisions of the previous section, the authority of
data protection will also propose the initiation of disciplinary actions
when there is sufficient evidence to do so. In this case, the procedure and
Sanctions to be applied will be those established in the legislation on disciplinary regime
or sanctioner that is applicable.


       Likewise, when the infractions are attributable to authorities and managers,
and the existence of technical reports or recommendations for treatment is accredited
that had not been duly attended to, in the resolution imposing the
The sanction will include a reprimand with the name of the responsible position and

will order the publication in the Official Gazette of the State or Autonomous
corresponds.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/13








       4. The data protection authority must be notified of the
resolutions that fall in relation to the measures and actions to which they refer
the previous sections.

       5. They will be communicated to the Ombudsman or, where appropriate, to the institutions

analogous of the autonomous communities the actions carried out and the
Resolutions issued under this article.

       6. When the competent authority is the Spanish Agency for the Protection of
Data, it will publish on its website with due separation the resolutions
referring to the entities of section 1 of this article, with express indication of the

identity of the person in charge or in charge of the treatment that had committed the
infringement.

       When the competence corresponds to an autonomous protection authority
of data will be, in terms of the publicity of these resolutions, to what is available

its specific regulations ”.

       In the case that concerns us and as indicated previously, the
This sanctioning procedure shows that the defendant has not reported
appropriately in relation to the control of presence and access to its facilities
municipalities through a fingerprint system, an arbitrated procedure where the

affected develops its activity.

       In accordance with the evidence available for such conduct
constitutes an infringement of the provisions of article 13 of the RGPD.

       However, the RGPD, without prejudice to the provisions of its article 83,

contemplates in its article 77 the possibility of resorting to the sanction of warning
to correct the processing of personal data that does not suit their
provisions, when the managers or managers listed in section 1
commit any of the offenses referred to in articles 72 to 74 of
this organic law.


       Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,

       The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE THE CITY COUNCIL OF *** LOCALITY. 1, with NIF

P3002000B, for an infringement of article 13 of the RGPD, typified in article
83.5.b) of the RGPD, a warning sanction in accordance with article 77.2
of the LOPDGDD.

SECOND: NOTIFY this resolution to the CITY COUNCIL OF

*** LOCALIDAD.1, with NIF P3002000B.

THIRD: REQUEST the CITY COUNCIL OF *** LOCALITY. 1, with NIF
P3002000B, so that within one month from the notification of this resolution,
accredit before the AEPD the adoption of the necessary and pertinent measures to

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/13








correct the processing of personal data that does not conform to the regulations in
matter of protection of personal data and prevent it from reoccurring
violations such as those that have given rise to the claim, correcting the effects of

the offense, establishing the necessary measures to adapt to the requirements
contemplated in article 13 of the RGPD.

FOURTH: COMMUNICATE this resolution to the Ombudsman, of
in accordance with the provisions of article 77.5 of the LOPDGDD.


       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.

       Against this resolution, which ends the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the

LPACAP, the interested parties may file, optionally, an appeal for reversal
before the Director of the Spanish Agency for Data Protection within a period of
month from the day following notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.

       Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the

LPACAP, the firm resolution may be suspended in an administrative way
If the interested party expresses his intention to file a contentious appeal-
administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Data Protection Agency,
Presenting it through the Electronic Registry of the Agency

[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. As well
must forward to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day after the notification of this resolution, I would terminate the

precautionary suspension.

                                                                      Mar Spain Martí
                              Director of the Spanish Agency for Data Protection













C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es