AEPD (Spain) - PS/00178/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 14.12.2021
Fine: 2000 EUR
Parties: CEYLLE SOLUTIONS & DEVELOPMENT S.L.
National Case Number/Name: PS/00178/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined a controller €2000 for sharing with third parties judicial documents containing personal data without the data subject's consent.

English Summary

Facts

A wife and a husband were both administrators of a company. During a judicial procedure between both of them, the wife sent, as the administrator of the company, a series of emails containing some documents related to the proceedings, revealing details about several alleged crimes, to other companies that had a commercial relationship with the company. The husband (as data subject) filed a complaint with the Spanish DPA (AEPD) against the company for sharing the documents containing his personal data without consent.

Holding

The AEPD established that the facts were a violation of the confidentiality principle: even if the company was authorised to process such personal data because it was involved in the judicial proceedings, it should not have shared that data without the data subject's consent.

Therefore, the AEPD fined the controller €2000 for a violation of Article 5(1)(f) GDPR. In order to determine the amount of the fine, the DPA took into account, among other factors, the small size of the company and the limited number of data subjects affected (1), as well as the limited impact of the behaviour, since it was only local.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: PS/00178/2021

                RESOLUTION OF SANCTIONING PROCEDURE


Regarding the procedure conducted by the Spanish Agency for Data Protection, and based
on the following

                                  BACKGROUND


FIRST: On October 23, 2020, D. A.A.A. (hereinafter, the claimant)
filed a claim with the Spanish Data Protection Agency against
CEYLLE SOLUTIONS & DEVELOPMENT S.L. with NIF B39764691 (hereinafter, the
claimed party).


The claimant states that his ex-wife, administrator of the company CEYLLE
SOLUTIONS & DEVELOPMENT S.L., of which both are partners, sent various
emails to companies with which the entity had a commercial relationship, attaching
documentation about legal proceedings between her and the claimant and
revealing information and data about him, such as the order admitting the complaint
against the claimant for misappropriation of Ceylle assets and the complaint for the
misappropriation of a vehicle. A record of the emails sent and of the documentation
submitted is attached.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, on the Protection of Personal Data and Guarantee of Digital Rights
(hereinafter LOPDGDD), the claim was transferred to the claimed party so that
it could analyse it and inform this Agency, within one month, of the
actions carried out to comply with the requirements set forth in the data
protection regulations.


On February 10, 2021, a response was received from the claimed party stating
that it sent the emails to companies with which the entity had a commercial
relationship, to prevent them from continuing to serve as suppliers, due to the
economic insolvency it was suffering.

THIRD: On April 15, 2021, in accordance with article 65 of the
LOPDGDD, the Director of the Spanish Agency for Data Protection agreed
to admit for processing the claim presented by the claimant against the claimed party.

FOURTH: On May 31, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed party,

for the alleged violation of article 32 of the RGPD and article 5.1.f) of the RGPD,
typified in article 83.5 of the RGPD.

FIFTH: The initiation agreement was notified to the claimed party by electronic means
on August 8, 2021, ten calendar days having elapsed since it was made
available for access, in accordance with paragraph 2, article 43, of Law 39/2015, of 1
October, on the Common Administrative Procedure of Public Administrations.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








SIXTH: Once the aforementioned initiation agreement had been notified, and no allegations
having been submitted, in view of the documentation in the file and in accordance with
Article 89.3 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations, a proposed resolution was issued on October 11, 2021,
with a fine of two thousand euros (€2,000), for violation of
article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD, considered very
serious for the purposes of prescription under article 72.1.i) of the LOPDGDD.

SEVENTH: The claimed entity has not submitted allegations to the Proposed
Resolution.

In view of all the actions carried out by the Spanish Agency for Data Protection
in this proceeding, the following are considered proven facts,

                                       FACTS


FIRST: On October 23, 2020, the claimant filed a claim with
the Spanish Agency for Data Protection, stating that his ex-wife,
administrator of the company of which both were partners, sent several emails to
companies with which the entity had a commercial relationship, attaching documentation
that revealed information and personal data of the claimant.

SECOND: On February 10, 2021, a response was received from the respondent
stating that it sent the emails to companies with which the entity had a
commercial relationship, to prevent them from continuing to serve as suppliers, due to the
economic insolvency suffered by the company.

                           FOUNDATIONS OF LAW

FIRST: By virtue of the powers that Article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants each
supervisory authority, and as established in articles 47 and 48 of Organic Law
3/2018, of December 5, on the Protection of Personal Data and Guarantee of
Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Agency for
Data Protection is competent to resolve this procedure.


SECOND: Article 5 of the RGPD, headed “Principles relating to
processing”, establishes in letter f) of its section 1 that personal data will be
"processed in such a way as to guarantee adequate security of personal
data, including protection against unauthorized or illegal processing and against
accidental loss, destruction or damage, through the application of appropriate
technical or organizational measures ('integrity and confidentiality')."


In relation to this principle, Recital 39 of the aforementioned RGPD states that:

“[…] Personal data must be treated in a way that guarantees adequate security and
confidentiality of personal data, including to prevent unauthorized access to
or use of said data and of the equipment used in the processing”.

For its part, the LOPDGDD, in its article 5 provides that:

"1. Controllers and processors, as well as all
persons who intervene in any phase of the processing, will be subject to the duty of
confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.

2. The general obligation indicated in the previous section will be complementary to the
duties of professional secrecy in accordance with their applicable regulations.

3. The obligations established in the previous sections will be maintained even
when the relationship of the obligated party with the controller or processor
has ended".

THIRD: The claim is based on the presumed unlawfulness of the
disclosure to third parties, by the claimed party, of the claimant's data, through
emails sent to other companies, revealing information and
documentation related to legal proceedings between the claimant and the claimed party.

The documentation in the file provides clear indications that the claimed party
violated article 5 of the RGPD, principles relating to processing, in relation to
article 5 of the LOPDGDD, duty of confidentiality, by revealing information and
personal data to third parties. The dissemination of these data to third parties by
the person who was a partner and administrator of the company (whose legitimacy to
dispose of them and process them in the exercise of the rights that may
correspond is not disputed) implies a violation of the principle of
confidentiality established by the RGPD in the processing of personal data, a general
obligation highlighted by article 5 of the LOPDGDD, which is not to be understood as
limited to the duty of professional secrecy.

This duty of confidentiality must be understood as intended to prevent
leaks of data that have not been consented to by the owners of the data.


Therefore, this duty of confidentiality is an obligation that is incumbent not only on the
controller and the processor, but on everyone who intervenes in
any phase of the processing, and is complementary to the duty of professional secrecy.

FOURTH: Article 83.5 of the RGPD provides the following:

"Violations of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total global annual turnover of the previous financial year, opting for
the highest amount:

    a) the basic principles for processing, including the conditions for
       consent, in accordance with articles 5, 6, 7 and 9; […]"


For the purposes of the statute of limitations for infractions, the infraction indicated in the
previous paragraph is considered very serious and prescribes after three years, according to the
Article 72.1 of the LOPDGDD, which establishes that:


"Based on what is established in article 83.5 of Regulation (EU) 2016/679,
infractions that constitute a substantial violation of the articles mentioned therein
are considered very serious and will prescribe after three years, in particular the
following:

    i) The violation of the duty of confidentiality established in article 5 of
       this organic law."


FIFTH: In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD must be observed, which state:

"1. Each supervisory authority will guarantee that the imposition of administrative
fines pursuant to this article for the infractions of this
Regulation indicated in paragraphs 4, 5 and 6 is in each individual case
effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or instead of the measures contemplated in
Article 58, paragraph 2, letters a) to h) and j). When deciding on the imposition of an
administrative fine and its amount in each individual case, the following will be duly
taken into account:

a) the nature, seriousness and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as the
number of interested parties affected and the level of damages they have suffered;
b) the intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to mitigate
the damages and losses suffered by the interested parties;
d) the degree of responsibility of the controller or processor,
taking into account the technical or organizational measures they have applied by virtue of
articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement, in particular
whether the controller or processor notified the infringement and, if so, to what
extent;
i) when the measures indicated in article 58, paragraph 2, have previously been ordered
against the controller or processor concerned in relation to
the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to certification mechanisms
approved in accordance with article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as the financial benefits obtained or the losses avoided, directly or
indirectly, through the infringement."

For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD
provides:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:

       a) The continuing nature of the infringement.
       b) The link between the offender's activity and the processing
       of personal data.
       c) The benefits obtained as a result of the commission of the infringement.
       d) The possibility that the affected person's conduct could have led to the
       commission of the infringement.
       e) The existence of a merger by absorption process after the commission
       of the infringement, which cannot be attributed to the absorbing entity.
       f) The effect on the rights of minors.
       g) Having, when not mandatory, a data protection officer.
       h) The submission by the controller or processor, on a voluntary
       basis, to alternative dispute resolution mechanisms, in those
       cases in which there are disputes between them and any
       interested party."

In accordance with the transcribed precepts, in order to set the amount of the penalty for
infraction of article 5.1 f), the fine should be graduated taking into account:


- The local scope of the processing carried out by the claimed entity.
- The number of people affected is limited to a single person, the claimant.
- The claimed entity is a small company.


Considering the factors set out above, the amount of the fine is assessed
at €2,000 for violation of article 5.1 f) of the RGPD.

SIXTH: Law 40/2015, of October 1, on the Legal Regime of the Public
Sector, in Chapter III relating to the “Principles of the sanctioning power”, in
Article 28 under the heading "Responsibility", establishes the following:


"1. Only natural and legal persons, as well as, when a Law recognizes their capacity to
act, affected groups, unions and entities without legal personality and
independent or autonomous estates, that are responsible for them by way of
intent or fault may be sanctioned for acts constituting an administrative offense."

Therefore, in accordance with the applicable legislation and the criteria for
graduating the sanctions whose existence has been established, the Director of the
Spanish Agency for Data Protection RESOLVES:


FIRST: IMPOSE on CEYLLE SOLUTIONS & DEVELOPMENT S.L., with NIF
B39764691, for a violation of article 5.1.f) of the RGPD, typified in article
83.5 of the RGPD, a fine of TWO THOUSAND EUROS (€2,000).

SECOND: NOTIFY this resolution to CEYLLE SOLUTIONS &
DEVELOPMENT S.L.


THIRD: Warn the sanctioned party that the sanction imposed must be paid
once this resolution is enforceable, in accordance with the provisions of
art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by depositing it, indicating the NIF of the sanctioned party and the
procedure number that appears in the heading of this document, in the restricted
account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish
Agency for Data Protection at the banking entity CAIXABANK, S.A. Otherwise,
it will be collected in the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date
of enforceability falls between the 1st and the 15th of the month, both inclusive, the
deadline for voluntary payment will be the 20th day of the following month or the
immediately subsequent business day, and if it falls between the 16th and the last day of
the month, both inclusive, the payment deadline will be the 5th of the second following
month or the immediately subsequent business day.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within one month,
counting from the day after notification of this resolution, or directly file a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
aforementioned Law.


Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP,
the final resolution may be provisionally suspended in administrative proceedings if the
interested party expresses the intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact in
writing addressed to the Spanish Agency for Data Protection, submitting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/],
or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. The interested party must also send the Agency the
documentation that proves the effective filing of the contentious-administrative
appeal. If the Agency is not made aware of the filing of the
contentious-administrative appeal within a period of two months from the day following the
notification of this resolution, it will terminate the precautionary suspension.



Mar España Martí
Director of the Spanish Agency for Data Protection