AEPD (Spain) - PS/00244/2021

From GDPRhub
AEPD (Spain) - PS/00244/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 29.09.2021
Fine: 5.000 EUR
Parties: CYNGASA, S.L.
National Case Number/Name: PS/00244/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

The Spanish DPA (AEPD) fined a company €5,000 for transferring the data of an employee without the employee's consent.

English Summary

Facts

An employee signed an employment contract with the company Cyngasa, S.L. Some time later, the employee asked the Spanish Social Security for a employment history report. In this report, the employee found that, although he had signed the employment contract with Cyngasa, another company had registered him with the Social Security. That company was Calderería y soldadura de Estructuras Metálicas, S.L. Consequently, Cyngasa had transferred the employee's data to Calderería y soldadura de Estructuras Metálicas without justification and without the employee's consent.

Neither of the two companies involved responded to the requests of the AEPD.

Holding

The AEPD does not detail the reasons for the breach and simply points out that the transfer of an employee data to a third party company without consent is a breach of Article 6 GDPR.

Comment

This particular decision (PS/00244/2021) sanctions the company that transferred the data, but there is another decision of the AEPD in which it also sanctions the transferring company (PS/00245/2021).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/5










     Procedure No.: PS / 00244/2021


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) dated December 28, 2020
filed a claim with the Spanish Data Protection Agency.


The claim is directed against CYNGASA, S.L. with CIF B70537774 (hereinafter, the
reclaimed).

The reasons on which the claim is based are that the claimant when requesting a report of
working life has been aware that although his employment relationship was

initially agreed with the company CYNGASA on 08/04/2020, this company
He was withdrawn from social security without his knowledge on 08/07/2020 and was given
registered again on 08/10/2020 in the company CALDERERIA Y SOLDADURA DE
STRUCTURAS METALICAS, S, L ', without the consent of the
claimant to CYNGASA for the transfer of their personal data, to said company.


Along with the claim, provide a work life report

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), with reference number E / 01392/2021, a transfer of

said claim to the defendant on February 26, 2021, to proceed with its
analysis and inform this Agency within a month, of the actions taken
carried out to adapt to the requirements provided in the data protection regulations.

No response to this request has been received.


THIRD: On May 11, 2021, the Director of the Spanish Agency for
Data Protection agreed to accept for processing the claim presented by the
claimant.


FOURTH: On July 14, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for the complained party, by the
alleged violation of article 6 of the RGPD, typified in article 83.5 of the RGPD.

In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts,






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/5








                                        FACTS

FIRST: When requesting a work life report, the claimant has had knowledge of

that the company complained about transferred your personal data to a third company without your
consent.


SECOND: On July 25, 2021, the respondent is notified of the agreement of
initiation of this procedure, converting said agreement into a resolution proposal

in accordance with articles 64.2.f) and 85 of Law 39/2015, of October 1, on
Common Administrative Procedure of Public Administrations (LPACAP), at the
Failure to make the claimed allegations within the indicated period.

                           FOUNDATIONS OF LAW


                                            I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Data Protection Agency is competent to initiate and to

solve this procedure.

                                            II

Organic Law 3/2018, of December 5, on the Protection of Personal Data and

guarantee of digital rights, in its article 4.11 defines the consent of the
interested as “any manifestation of free will, specific, informed and
unequivocal by which the interested party accepts, either through a declaration or a
clear affirmative action, the processing of personal data that concerns you ”.


In this sense, article 6.1 of the RGPD establishes that “in accordance with
provided in article 4.11 of Regulation (EU) 2016/679, it is understood by
consent of the affected party any manifestation of free, specific will,
informed and unequivocal by which it accepts, either through a statement or
a clear affirmative action, the processing of personal data that concerns him ”.

                                             III

In accordance with the evidence available at the present time,

considers that the denounced events, that is, transferring the personal data of the
claimant to the company of BOILER AND WELDING OF STRUCTURES
METALICAS, S.L. without the prior consent of the owner of said personal data
constitute a violation of article 6 of the RGPD.


                                            IV

Article 72.1 b) of the LOPDGDD states that “depending on what is established in the
Article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe
At three years, the infractions that suppose a substantial violation of the
articles mentioned in that and in particular, the following:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/5








c) The processing of personal data without any of the conditions of
legality of the treatment in article 6 of Regulation (EU) 2016/679. "


                                            V

Article 58.2 of the RGPD provides the following: “Each control authority will have
of all of the following corrective powers listed below:

b) direct a warning to any person in charge or in charge of the treatment when the

treatment operations have infringed the provisions of this Regulation;

d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time frame;


i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;

                                            SAW


This offense can be sanctioned with a fine of € 20,000,000 maximum or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the
of greater amount, in accordance with article 83.5 of the RGPD.


Likewise, it is considered that the sanction to be imposed should be adjusted in accordance with the
following criteria established in article 83.2 of the RGPD:

As aggravating factors the following:


     In the present case we are facing negligent action by the entity
    claimed (article 83.2 b) upon transferring the claimant's personal data to the
    company of BOILER AND WELDING OF METALLIC STRUCTURES,
    S.L. without the prior consent of the owner of said data.


     In addition, basic personal identifiers are affected, (art
    83.2 g), such as name and surname, your social security number, work life,
    and so on.


Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE CYNGASA, S.L., with CIF B70537774, for an infringement of the
Article 6 of the RGPD, typified in article 83.5 of the RGPD, a fine of 5,000 euros
(five thousand euros).

SECOND: NOTIFY this resolution to CYNGASA, S.L.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/5









THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the

Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to article 62 of the Law
58/2003, of December 17, by means of your entry, indicating the NIF of the sanctioned person and
the procedure number at the top of this document, in

the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the
Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A ..
Otherwise, it will be collected in the executive period.

Received the notification and once executive, if the date of execution is found

Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
it will be until the 5th of the second following or immediately subsequent business month.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of article 90.3 a) of the LPACAP,
The final resolution may be suspended provisionally through administrative channels if the

interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in article 16.4 of the

cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.



Mar Spain Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/5


































































































C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es