AEPD (Spain) - PS/00129/2020
Article 13 GDPR
The Spanish DPA determined that the Spanish Tax Authority had complied with GDPR requirements when introducing a new biometric system used to register employees' working hours and building access. It further determined that the Authority had given data subjects adequate information about the system.
English Summary
Facts
A civil servant of the Spanish Tax Authority complained that their employer had begun using a biometric system to register employees' access and working hours without properly informing the affected data subjects.
The Tax Authority rejected the claim, providing evidence of the information given to employees before it started collecting their fingerprints and of the further information given before the new system was actually put into use.
Holding
The Spanish DPA held that the information provided by the Tax Authority to its employees was clear, precise and concise enough to satisfy the requirements of the GDPR. Furthermore, the Tax Authority also complied with the requirements of choosing the correct legal basis for the processing of sensitive data and of performing a Data Protection Impact Assessment.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure Nº: PS / 00129/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following BACKGROUND FIRST: The claims filed by two CLAIMANTS, see ANNEX GENERAL have entry dates 04/10 and 05/13/2019, respectively, at the Agency Spanish Data Protection. The claim is directed against STATE AGENCY OF TAX ADMINISTRATION, with CIF Q2826000H (hereinafter, the one claimed). The reasons on which the claims are based are that in the Delegation of the State Agency of Tax Administration of *** LOCALIDAD.1, located at *** ADDRESS.1 of *** LOCALITY. 1, it is planned to install an access and time control system to officials and workforce based on a fingerprint system. The claimants state that “it has begun to require obtaining the signature of via email ”. They indicate that an attempt has been made to obtain information regarding the legality of the transfer of these data as well as the correct treatment of the same and that the data that the employer intends to obtain constitutes data especially protected (biometric data). Such data is described in article 9.1 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/2016 on protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR). Article 9.2.b of the RGPD exempts that prohibition of treatment if this is necessary for the fulfillment of obligations and the exercise of specific rights of the person responsible for the treatment or of the interested party in the field of labor law and social security and protection, insofar as it is authorized by the Union law of the Member States or a collective agreement with in accordance with the law of the Member States that establishes adequate guarantees, existing the mandatory impact assessment on the protection of data derived from said treatment violating the provisions of article 35 of the Regulation. 
They consider that the implementation of the system is not proportional and does not comply with the law planned. Claimant 1, who claims to be a civil servant (file E / 5312/2019) provides a copy of a e-mail "sent to the officials" of the claimed, of 04/10/2019, entitled “New fingerprint identification system for access control and schedule in the Delegation of *** LOCALIDAD.1 ”, in which it is reported: - The implementation of the system and that the employees will be summoned for the take of the footprint. The date on which it is summoned appears. -The collection system registers "certain minutiae of the fingerprint, not the image of it", "It is not possible to reconstruct the footprint they characterize." "This information is saved C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/12 encrypted " -The AEAT is responsible for the treatment, indicating that article 9.2.1 b) applies as exception for the aforementioned treatment as it is deemed necessary for the fulfillment of obligations and exercise of specific rights of the person in charge or the interested party in the field of labor law, to the extent authorized by Union or Member States or a collective agreement under State law members that establish adequate guarantees of respect for fundamental rights and of the interests of the interested party; ”, indicating that“ consent will not be required, when the data processing is carried out for the fulfillment of contractual relationships of a nature labor, "regardless of whether it is specially protected data or not" From of taking the fingerprint how each employee must sign in at the lathes, indistinctly with fingerprint or electronic ID for entering or leaving the workplace " A pdf ANNEX document is attached: "lathe information file" although it does not refer to its content so it cannot be read. 
-A letter is also added that is entitled "new identification system through fingerprint to control accesses and schedules in the *** LOCALIDAD.1 ”delegation, which contains information on legal coverage as well as “basic information on data protection ”, purpose, legal basis, person in charge, rights and additional information detailed by clicking link. -Copy of the document “Quick guide for the use of AEAT access control” that accompanies, and in addition to a graphic explanation of the position of the finger and pressure on the reader, figure that when the fingerprint is entered, “it is being checked against 1,000”, and “it ends when your DNI number appears on the screen " Claimant 2 (file E / 6247/2019), adds that the electronic DNI system of each worker is used if a fingerprint mechanism error occurs and the system is running. progressively implemented throughout Spain, and that not previously informed each worker of the purposes and other mandatory legal requirements for the treatment. SECOND: Upon receipt of the claim, the General Subdirectorate for Inspection of Data proceeded to carry out the following actions: The claims were transferred to the respondent for analysis and communication to the complainants of the decision taken in this regard. Likewise, he was required so that in the within a month send the Agency certain information: - Copy of the communications, of the adopted decision that has been sent to the claimant regarding the transfer of this claim, and accreditation that the claimant has received communication of that decision. - Report on the causes that have motivated the incidence that has originated the claim. - Report on the measures adopted to prevent incidents from occurring Similar. - Any other that you consider relevant. For claimant 2, the claim is transferred and responses are received on 07/29 and 10/10/2019. 
It is indicated that the processes respond to the need to homogenize the systems of access control and presence of personnel to the various buildings of the Tax Agency because in some there are lathes, while in others there are only wall-mounted devices for clocking, considering the fingerprint registration system easier to use than the system of magnetic stripe card readers, which was a weaker system and generated many incidents in the management of the life cycle of the cards, including the management of the loss erased and so on. With an environment of more than 26,000 employees and more than 400 buildings, the project began in 2016. This measure was selected by a series of guarantees such as that only a few minutiae are saved at the time the paw print. The minutiae are stored encrypted and kept in a decentralized system from where they are distributed to building lathes when employees are expressly authorized to access. Each employee is authorized to access the concrete buildings and in their lathes the encrypted minutiae are downloaded so that each time the user wants to enter or exit they can be compared with the footprint that is put on in the reader. In June 2017, the beginning of the deployment of the solution was addressed. In a pilot phase, carried out work by the working group to adapt to the General Regulations of Data Protection, of the security and control commission and tax informatics, arriving at the conclusion of its viability and proportionality on the basis of the legitimacy of the Tax Agency to control access and hours of its employees. When the RGPD came into force, the existence of biometric data in the personnel file and in the register of treatment activities. The implementation will be carried out gradually in all the buildings of the Tax Agency. It has no end date. 
Information and instructions were distributed to the offices where the implementation was to begin of the system for distribution to employees with system information and guarantees of each call of the employee to go through personnel to carry out the registration of the fingerprints before starting the integration the offices that have considered it timely. They have distributed this information in a personalized way by sending an email electronic to each employee. In ANNEX 1 attached in evidence of corporate mail with the information provided to employees used in the special delegation of *** LOCALITY. 1. Regarding the questions raised: -They consider that the information provided to the employees of the offices is complete clear and concise. The legal bases on which access control is carried out and The guarantees are explained and the basic information required by the regulations is provided. A link to the intranet of the Tax Agency was offered and more information is accessed detailed. You can consult the record of treatment activities There is no request for more information on the system in the contact mailbox of queries made to the Data Protection Delegate -As for the consideration of excessive treatment when there are other alternatives stresses that employees are also informed that fingerprints are not stored fingerprints but only a few minutiae or traces that are contrasted at the time of performing the access control. From these minutiae it is not possible to reconstruct the complete footprint and these minutiae are stored encrypted. Provide a copy of ANNEX I that contains the same email provided by the claimant 1 of 04/10/2019 and the attached attachments. In ANNEX II, the informative content of the access to the link offered in the information. 
Provides ANNEX III, copy of the model call for fingerprint registration -which coincides with the provided by Claimant 1, "basic information on data protection", purpose, legal basis, person in charge, rights and additional detailed information by clicking on link the information is completed - informing among other points: "As an alternative to identification through fingerprint readers, for cases where technical recognition problems arise, the new system will allow also identification by electronic DNI. In this case the identification is based on the reading of the public part of this certificate, which allows consulting the basic data of identification (DNI number, name and surname), without the need for the worker provide the PIN that protects the use of the certificates for authentication purposes in electronic services or signature processes, nor will the data that may have archived the chip of the DNI. In this case, the legal coverage of the data processing is based on article 6.1.b) of Regulation (EU) 2016/679. " In ANNEX II, the result of accessing the link offered in the basic information about data protection, which generally informs about the processing of employee data public for the fulfillment of legal obligations in the matter of personnel, including among others the time control data. In the second shipment, he sends a copy of the EIPD. On 07/2 and 09/09/2019, the respondent responds to claim 1. Provide a copy of EIPD Fingerprint In response to the questions raised by the AEPD, it indicates that claimant 1 He is a worker of the AEAT and answers the questions with the same arguments as for claimant 2. THIRD: On 09/23 and 11/25/2019, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit for processing the claims filed. 
FOURTH: On 09/30/2020, the Director of the AEPD agreed: "INITIATE SANCTIONING PROCEDURE to the STATE ADMINISTRATIVE AGENCY TAX, with CIF Q2826000H, for the alleged violation of article 13 of the RGPD, contemplated in article 83.5.b) of the aforementioned Regulation. For the purposes specified in the art. 64.2 b) of Law 39/2015, of October 1, on Common Administrative Procedure of Public Administrations, the sanction that could correspond would be of Apercibimiento ”. FIFTH: The complainant dated 10/15/2019 presents the following allegations: Claimant 2 is not an employee of the Tax Agency and with respect to claimant 1, the 04/26/2019 you were sent, like others, in your same situation, email summoning you to register the minutiae of your fingerprint. They attach a copy of said email informing you of the operation of the system, responsible the Tax Agency, the legitimizing base and the indistinct system of the fingerprint or electronic ID for entering and leaving the workplace and you are summoned to take the fingerprint on 05/03. A document called "lathes information file" was also attached, with a informative content about the fingerprint system, which also contains basic information on Data Protection, with the person in charge, the purpose, the basis legal treatment, recipients and additional and detailed information with a link. This email was also received by claimant 1, including acknowledgment of receipt of 04/26/2019. -Adds that on the violation of article 13, which specifies the principle of transparency of the Article 5.1 a of the RGPD, consider that the data have been obtained directly from the interested and has been informed with basic information and with a link to access the simple way immediately to the rest of the information. 
The information is amply contained in the document in which each employee is summoned to take their biometric data as it refers that the person in charge is the Tax Agency, the purpose of the treatment and the possibility of exercising the rights therefore it is considered that they are fulfilled the requirements. Provides a new copy of the fingerprint EIP. As ANNEX 2, the information that appears by clicking the link that appears in the emails electronic information and communication to employees and that provides and extends the information on treatments related to human resources management. Provides a model call for fingerprint registration, which contains the information section Basic on Data Protection and the link that expands the details and information additional. In ANNEX 4 provides a call 04/26/2020 new identification system through fingerprint. It is an email sent on 04/26/2019 to Tax Agency personnel, stating among others the claimant 1. Again, the email contains information about the system, the legitimizing base and the indistinct alternative system of the electronic DNI and the pdf file called "lathe information file" of which a copy is provided for reading. The document coincides with the informative account of the system, and it contains the section on basic information on Data Protection and the link to additional information and detailed information on Data Protection, as well as a graphic scheme called "guide fast use of access control ”. It also provides a copy of the acknowledgment of receipt 04/26/2019 of the email sent to claimant 1. SIXTH: On 04/22/2021, the Director of the AEPD agreed to change the instructor. 
SEVENTH: A resolution proposal was issued with the following literal: “That the Director of the Spanish Agency for Data Protection declares the ARCHIVE of the procedure due to non-existence of infringement by the STATE AGENCY OF TAX ADMINISTRATION, with CIF Q2826000H, for the alleged violation of the article 13 of the RGPD, in accordance with article 83.5 b) of the RGPD. " Regarding the proposal, no allegations were received. PROVEN FACTS 1- In the Delegation of the State Tax Administration Agency of *** LOCALIDAD.1, *** ADDRESS.1 of *** LOCALITY.1, it is planned to install an access system, control and time registration for officials and workforce based on a system of fingerprint. Gradually, the system is being implemented throughout Spain, 2-It is proven that the claimed sends an email to the employees, being complainant 1 official, on 04/10/2019, entitled “new identification system through fingerprint for access control and schedule in the *** LOCALIDAD.1 ”Delegation, (model call for fingerprint registration) in which it is reported: - Of the implementation of the system for which it is responsible for the treatment, and of the next summons each employee to take the fingerprint. -The collection system registers "certain minutiae of the fingerprint, not the image of it", "It is not possible to reconstruct the footprint they characterize" and the "information is saved encrypted " -The AEAT indicates that article 9.2.1 b) applies as an exception to the aforementioned treatment when understanding necessary for the fulfillment of obligations and exercise of specific rights of the person in charge or of the interested party in the field of labor law. 
It is accompanied by email: -An ANNEX pdf document: "lathe information file" entitled "new system of identification by fingerprint to control access and schedules in the delegation of *** LOCALIDAD.1 ”, which contains information on legal coverage as well as "Basic information on data protection", purpose, legal basis, responsible, rights and additional detailed information. There is also a reference to a link in the that by clicking on link information is added. The document "Quick guide for the use of AEAT access control" with an explanation graph of the position of the finger and pressure on the reader, figuring that when the fingerprint, “it is being checked against 1,000”, and “it ends when its number of DNI ”. 3- The complained party has a data protection impact assessment document about the collection system, fingerprint registration for the purpose of registration and control schedule. 4-The respondent provides a copy of the same content of the email provided by claimant 1, if Well, this shipment foresees another date for the call for fingerprint collection and your name and surnames as recipient, being sent on 04/26/2020. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure. II Biometric data is closely linked to a person, since it can use a certain unique property of an individual for identification or authentication. According to Opinion 3/2012 on the evolution of biometric technologies, “The data biometrics irrevocably change the relationship between the body and identity, since make the characteristics of the human body machine-readable and subject to further use. " In relation to them, the Opinion specifies that it is possible to distinguish different types of treatment noting that “Biometric data can be processed and stored in different ways. 
Sometimes the biometric information captured from a person is stored and processed in gross, which makes it possible to recognize the source from which it comes without special knowledge; For example, a photograph of a face, a photograph of a fingerprint, or a recording of voice. Other times, the raw biometric information captured is treated in such a way that only certain characteristics or traits are extracted and saved as a biometric template. " The processing of these data is expressly permitted by the RGPD when the The employer has a legal basis, which is usually the employment contract itself. TO In this regard, the STS of July 2, 2007 (Rec. 5017/2003), which has understood legitimate the treatment of biometric data carried out by the Administration for the time control of its public employees, without the prior consent of the workers being required. However, the following should be noted: - The worker must be informed about these treatments. - The principles of limitation of the purpose, necessity, proportionality and data minimization. In any case, the treatment must also be adequate, pertinent and not excessive in relation to said purpose. Therefore, biometric data that are not necessary for that purpose should be removed and the creation of a database will not always be justified biometrics (Opinion 3/2012 of the Art. 29 Working Group). - Use of biometric templates: Biometric data must be stored as biometric templates whenever possible. The template will need to be removed in a that is specific to the biometric system in question and not used by others data controllers of similar systems in order to ensure that a person only can be identified in biometric systems that have a legal basis for this operation. - The biometric system used and the security measures chosen must ensure that re-use of the biometric data in question is not possible for other purpose. 
- Mechanisms based on encryption technologies should be used in order to avoid the unauthorized reading, copying, modification or deletion of biometric data. - Biometric systems must be designed in such a way that the identity bond. - You must choose to use data formats or specific technologies that prevent the interconnection of biometric databases and the disclosure of data not proven. - Biometric data must be deleted when they are not linked to the purpose that motivated their treatment and, if possible, mechanisms should be implemented automated data deletion. III The legitimacy for the treatment of the fingerprint for the control of the workers on the part of the employer we must look for it in article 9 and 6 of the RGPD. Article 9 of the RGPD establishes in its sections 1 and 2.b) the following: "1. The processing of personal data that reveal the origin is prohibited ethnic or racial, political opinions, religious or philosophical convictions, or affiliation union, and the treatment of genetic data, biometric data aimed at identifying uniquely to a natural person, data related to health or data related to life sexual or sexual orientations of a natural person. 2. Section 1 shall not apply when one of the circumstances occurs following: … B) the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the data controller or interested party in the field of Labor law and social security and protection, insofar as authorized by the Union law of the Member States or a collective agreement under the The law of the Member States that establishes adequate guarantees of respect for the fundamental rights and interests of the interested party. " Article 6.1.b) of the RGPD indicates: "1. 
The treatment will only be lawful if at least one of the following is met terms: b) the treatment is necessary for the performance of a contract in which the interested party is party or for the application at his request of pre-contractual measures. " The claimed has legitimacy, based on the indicated regulations, to carry out the labor control of its workers, as long as it meets the requirements indicated in the Second Law Foundation. The infringement imputed in the agreement to initiate article 13 of the RGPD, was for not informing with all the guarantees of the planned treatment, adoption of the mechanism for the control of schedule to employees by fingerprint. This article determines the information that must be provided to the interested party in the moment of collecting your data, establishing the following: "Article 13. Information to be provided when personal data is obtained Of the interested. 1. When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide you with all the information listed below: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the treatment to which the personal data are destined and the legal basis of the treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the interests legitimate of the person in charge or of a third party; e) the recipients or categories of recipients of personal data, in their case; f) where appropriate, the intention of the person responsible to transfer personal data to a third party country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of transfers 
indicated in the Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate warranties and the means to obtain a copy of these or to the fact that they have been borrowed. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party, at the time the personal data is obtained, the following information necessary to guarantee fair data processing and transparent: a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this deadline; b) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or the Article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and are informed of the possible consequences of not provide such data; f) the existence of automated decisions, including profiling, to which referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the applied logic, as well as the importance and consequences provided for said treatment for the interested party. 3. 
When the data controller plans the further processing of data personal data for a purpose other than that for which they were collected, will provide the interested party, prior to said further processing, information on that other purpose and any additional relevant information pursuant to section 2. 4. The provisions of paragraphs 1, 2 and 3 shall not apply when and in the to the extent that the interested party already has the information ”. Regarding the alleged infraction of lack of information, it is proven not only that given, but rather the one that has been given before the data was collected, and it is estimated that sufficient, adequate and comprehensive. It gives meaning and explains what the registration of the footprint, its purposes, and graphically the operation of the system. Although part of the claims, both allude to the fact that he had not obtained information additionally, it should be indicated that the information provided as well as the added links They are adequate and do not imply a reduction in the rights of those affected. The information that contemplates the RGPD and the LOPDGDD, warning that the claimed has been preparing the gradual application of the measures with the organizational adaptations and techniques that involve the deployment of the system, so the procedure must be filed as there is no violation. Therefore, in accordance with the applicable legislation, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the FILE of the procedure for non-existence of infringement of the Article 13 of the RGPD of the STATE AGENCY OF TAX ADMINISTRATION, with CIF Q2826000H. SECOND: NOTIFY this resolution to the STATE AGENCY OF TAX ADMINISTRATION with the sending of the attached General Annex. 
THIRD: In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a month from the day following notification of this resolution or directly contentious appeal administrative law before the Contentious-Administrative Chamber of the National Court, with in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may provisionally suspend the final administrative resolution if the interested party manifests his intention to file a contentious-administrative appeal. If this is the case, the The interested party must formally communicate this fact by writing to the Agency Spanish Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that proves the filing effective contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the date following the notification of this resolution, it would terminate the suspension precautionary. 
938-131120 Mar España Martí Director of the Spanish Agency for Data Protection GENERAL ANNEX CLAIMANT 1- D. A.A.A. CLAIMANT 2- D.B.B.B.