AEPD (Spain) - PS/00257/2020: Difference between revisions

Latest revision as of 14:23, 13 December 2023

AEPD - PS/00257/2020

Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 37 GDPR LOPDGDD
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:
Published:	11.01.2021
Fine:	None
Parties:	Ayuntamiento de Arroyomolinos
National Case Number/Name:	PS/00257/2020
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	n/a

The Spanish DPA (AEPD) issued a reprimand against the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a Data Protection Officer (DPO) for more than two years after the entry into force of the GDPR. This breached Article 37 GDPR.

English Summary

Facts

Ayuntamiento de Arroyomolinos was found lacking a Data Protection Officer (DPO).

The defendant has since adopted corrective measures. A DPO has been appointed pursuant to a service contract from 28.09.2020.

Dispute

Was the municipality Ayuntamiento de Arroyomolinos under the obligation to appoint a DPO?

Holding

The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer (Article 37 GDPR). This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR.

The Spanish DPA issued a reprimand against Ayuntamiento de Arroyomolinos for violating Article 37 GDPR. The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/7


    Procedure No.: PS/00257/2020

                RESOLUTION OF SANCTIONING PROCEDURE


From the procedure instructed by the Spanish Data Protection Agency and based
to the following:

                                  BACKGROUND



FIRST: D. A.A.A. (hereinafter the complainant) dated 20 January 2020
filed a complaint with the Spanish Data Protection Agency. The
claim is directed against the Town Hall of Arroyomolinos with NIF P2801500F
(hereinafter referred to as the Respondent).


       The complainant states that he received on his behalf a notification from
City Council, and it contains the data and facts that motivate the imposition
from a sanction to another person.


       On the other hand, it points out that the consistory does not have a Delegate for the Protection of
Data.

       Together with the complaint, you will provide the notification that you have been sent.


SECOND: In view of the facts denounced in the complaint and the
the documents provided by the claimant are transferred to the claimant.

       On 24 July 2020, the petitioner states: "that on 20 January
2020 the complainant was informed that on the day of notification of the Resolution there was
a computer failure, and in the notification of its procedure the body of the

resolution of the previous notification. The department proceeded to review
the notifications generated, finding none more erroneous, also
proceeded to add further revision controls on the documents generated so that
this situation will not be repeated.


       You were also informed that your data have not been transferred to third parties,
have only been used for the notification of the procedure between
claimant and this Town Hall".

THIRD: On 25 September 2020, the Director of the Spanish Agency

of Data Protection agreed to initiate sanctioning proceedings against the respondent, with
in accordance with Articles 63 and 64 of Law 39/2015 of 1 October on the
Common Administrative Procedure for Public Administrations (hereinafter referred to as the "Common Administrative Procedure"),
LPACAP), for the alleged violation of Article 37 of the GPRS, typified in Article
83.4 of the RGPD.


FOURTH: Once the above-mentioned agreement to initiate the proceedings had been notified, the respondent submitted a letter of
in which he stated, in summary: "that on 28 September
2020 was awarded by Decree No 2497/2020 for technical assistance services
for information security (ENS) support and updating, and

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








protection of personal data (RGPD-LOPDGDD) and Delegate Service of
Data Protection, for a period of 12 months.


       In good time before the date of termination of the contract and having
on the basis of the work carried out by the DPD during this time, it is already planned to call for tenders
publicly for a maximum of 4 years the Data Protection Delegate, with
the aim is for this Town Hall to have this figure permanently.

       In compliance with the duty to communicate the appointment of the DPD by

this City Council to the AEPD in accordance with the provisions of Article 34.3 LOPDGDD, is
the following information is provided: START UP, S.L. CIF B33667494

       Attached to this letter: Decree No. 2497/2020 on the award of
service contract and technical-economic proposal of the company Start up CDF S.L.

which details the content of the services to be provided".

FIFTH: On 13 October 2020, the instructor of the procedure agreed on the
opening of a trial period, with the incorporation of the
preliminary investigation proceedings, E/02287/2020, as well as documents
provided by the respondent on 8 October 2020.


SIXTH: A motion for resolution was tabled on 18 November 2020,
proposing to sanction the Town Hall of Arroyomolinos with a warning
NIF P2801500F, for an infringement of Article 37 of the RGPD, typified in Article
83.4 of the RGPD.


SEVENTH: After notification of the motion for a resolution, the respondent submitted a letter of
allegations in which, in summary, he stated

"FIRST - That on September 28, 2020, it was awarded by Decree No
2497/2020 technical assistance service contract for support and updates in

information security (ENS) and personal data protection
(RGPD-LOPGDD) and the Data Protection Officer Service, for a period of
12 months to the company Start up CDF S.L.

SECOND: The duty to communicate the appointment of the

DPD by this City Council to the AEPD in accordance with the provisions of Article 34.3
LOPDGDD.

THIRD: The proposal for a resolution of the AEPD indicates that "In this case
the evidence is based on the documents provided with their
allegations to the agreement of initiation that the respondent has appointed as Delegate of

Data Protection: START UP, S.L. CIF B33667494."

FOURTH - Taking into consideration the Judgment of the Audiencia Nacional de
29/11/2013, (ECR 455/2011), on the basis of the Sixth
warning regulated in article 45.6 of the LOPD and regarding its nature

legal warns that it "does not constitute a penalty" and that these are "measures
corrective measures for the cessation of the activity constituting the infringement" replacing
sanction. The Decision understands that Article 45.6 of the LOPD confers on the AEPD

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/7








a "power" different from the sanctioning power, the exercise of which is conditional on the
concurrence of the special circumstances described in the precept. At
congruence with the nature attributed to the warning as an alternative to

penalty when, in view of the circumstances of the case, the subject of the offence is not
and considering that the object of the warning is the
imposition of corrective measures, the above-mentioned SAN concludes that where these measures have already
have been adopted, it is appropriate in law to agree to the closure of the
performances".


In view of all that has been done, by the Spanish Data Protection Agency
the following are regarded as established facts in these proceedings,


                                      FACTS


FIRST: The person claimed lacks the figure of a data protection representative.

SECOND: The City Council of Arroyomolinos, has contributed in the present
the measures it has taken, including the penalties it has imposed:

       Technical assistance service contract for support and updates in

information security (ENS) and personal data protection
(RGPD-LOPDGDD) and the Data Protection Officer Service, for a period of
12 months.

       Communication of the appointment of the Data Protection Officer: START

UP, S.L. CIF B33667494

       Decree No 2497/2020 on the award of service contracts and proposals
technical-economic of the company START UP CDF S.L.



                           LEGAL FOUNDATIONS

                                           I

By virtue of the powers conferred on each authority in Article 58(2) of the GPRS

control, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the
the Spanish Data Protection Agency is competent to resolve this
procedure.
                                           II


Public administrations act as data controllers of

and, in some cases, they are in charge of the management of the
processing, for which they are responsible, in accordance with the principle of
proactive, to meet the obligations detailed in the RGPD, including the
obligation to appoint a data protection officer and to notify the latter of his or her
AEPD

The obligation is imposed by Article 37 of the RGPD, which states

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7








"1. The data controller and the processor shall appoint a delegate of
data protection whenever:

(a) the processing is carried out by a public authority or body, except

courts acting in their judicial capacity

Article 37.3 and 4 of the RGPD states about the designation of the DPD "When the
the controller or the person responsible for the processing is a public authority or
may appoint a single data protection officer for several of these

authorities or bodies, taking into account their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the person responsible or
processing agent or associations and other bodies representing
categories of managers or supervisors may appoint a delegate of protection
or must designate it if required by Union or national law

members. The Data Protection Officer may act on behalf of these
associations and other bodies representing decision-makers or managers"

The LOPDGDD determines in its article 34.1 and 3: "Designation of a delegate of

data protection "

1. Data controllers and processors must appoint a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:

3. Data controllers and processors shall communicate within ten
days to the Spanish Data Protection Agency or, where appropriate, to the authorities

data protection, appointments, appointments and dismissals of employees
the data protection delegates both in cases where they are
obliged to be appointed as in the case of voluntary appointment.



The infringement is contemplated as such in Article 83.4.a of the RGPD which states: "4. The
infringements of the following provisions shall be penalised in accordance with the
paragraph 2, with administrative fines of up to EUR 10 000 000 or
in the case of an enterprise, an amount equivalent to a maximum of 2 % of
total annual turnover for the previous financial year, opting for
the largest:


(a) the obligations of the person responsible and of the person appointed under Articles 8, 11, 25 to
39, 42 y 43;”


Article 83.7 of the RGPD states:

"Without prejudice to the corrective powers of the supervisory authorities under the ar-
in accordance with Article 58(2), each Member State may lay down rules as to whether or not a
of, and to what extent, imposing administrative fines on public authorities and bodies

public bodies established in that Member State"


Article 58(2) of the GPRS states: "Each supervisory authority shall have all the
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7








the following corrective powers are indicated below:

(b) sanction any person responsible for or in charge of the processing, with a warning as to how
if the processing operations have infringed the provisions of this Regulation, the
mento;

(d) order the controller or processor to carry out the processing operations
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time".


In this sense, Article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates:

1. The regime established in this article shall apply to the processing of
who are responsible or in charge:

c) The General State Administration, the Community Administrations

the local authorities and the entities that make up the local administration.

2 "Where the persons responsible for, or in charge of, the activities listed in paragraph 1 commit
any of the offences referred to in articles 72 to 74 of this law
authority shall issue an opinion on the matter
resolution sanctioning them with a warning. The resolution will establish

also the measures to be taken to ensure that the conduct ceases or is corrected
the effects of the infringement that has been committed.

The decision shall be notified to the controller or processor, to the
that is hierarchically dependent, where appropriate, and to those affected who have the status
of interested party, if any."


4.The data protection authority must be informed of decisions that
be made in connection with the measures and actions referred to in paragraphs
previous.

5.They shall be communicated to the Ombudsman or, where appropriate, to similar institutions

of the autonomous communities the actions taken and the decisions handed down
under this article."


                                             III


Article 73 of the LOPDDG states Infringements considered serious:

"In accordance with Article 83(4) of Regulation (EU) 2016/679, the
consider serious and will prescribe after two years any infringements involving a
substantial breach of the articles mentioned in that one, and in particular the

following:

(v) Failure to comply with the obligation to appoint a data protection representative
when his appointment is required in accordance with Article 37 of the Regulation
(EU) 2016/679 and article 34 of this organic law"



C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/7








By means of a statement of claim, the respondent has stated that he has already designated
Data Protection Delegate.




In spite of this, the Spanish Data Protection Agency has sanctioned the complainant with
a penalty of a warning, since the latter must have had a delegate from
data protection in accordance with article 37 of the RGPD,
from 25 May 2018, when the RGPD came into force.




Therefore, in accordance with the applicable legislation and assessed on the basis of
graduation of the sanctions whose existence has been accredited, the Director of
Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE on the ARROYOMOLINOS CITY COUNCIL, with NIF
P2801500F, for a violation of Article 37 of the GPRS, as defined in Article 83.4
of the RGPD, a warning sanction.


SECOND: TO NOTIFY this resolution to the CITY COUNCIL OF
ARROYOMOLINOS.

THIRD: To communicate this resolution to the Ombudsman, of

in accordance with the provisions of Article 77.5 of the LOPDGDD

In accordance with the provisions of Article 50 of the LOPDGDD, this
The decision will be made public after it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the

LOPDGDD, and in accordance with Article 123 of the LPACAP, the
the interested parties may, on an optional basis, lodge an appeal for reversal with the
Director of the Spanish Data Protection Agency within one month to
counting from the day following notification of this resolution or directly
contentious-administrative appeal to the Administrative Chamber of the

Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of the
referred to Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, it is
may suspend, as a precautionary measure, the final administrative decision if the
the applicant states that he intends to bring an administrative appeal.
If this is the case, the interested party must formally communicate this fact by
written to the Spanish Data Protection Agency, submitting it through

from the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in Article 16.4 of the
the aforementioned Law 39/2015 of 1 October. It must also transfer to the Agency the
documentation proving the effective filing of the contentious action
administrative. If the Agency is not aware that the action has been brought

administrative proceedings within two months of the day following the
notification of the present resolution, would terminate the precautionary suspension.
                                                                                              938-131120
Mar Spain Martí

Director of the Spanish Data Protection Agency

@@ Line 50: / Line 50: @@
 }}
-The Spanish DPA (AEPD) issued a reprimand to the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a DPO for more than two years after the entry into force of the GDPR.
+The Spanish DPA (AEPD) issued a reprimand against the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a Data Protection Officer (DPO) for more than two years after the entry into force of the GDPR. This breached Article 37 GDPR.
-== English Summary ==
+==English Summary==
-=== Facts ===
+===Facts===
-Ayuntamiento de Arroyomolinos was found lacking a DPO.
+Ayuntamiento de Arroyomolinos was found lacking a Data Protection Officer (DPO).
-The defendant has provided the measures it has in the meantime adopted: with a service contract from 28.09.2020 a DPO has been appointed.
+The defendant has since adopted corrective measures. A DPO has been appointed pursuant to a service contract from 28.09.2020.
+===Dispute===
+Was the municipality Ayuntamiento de Arroyomolinos under the obligation to appoint a DPO?
+===Holding===
+The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer (Article 37 GDPR). This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR.
-=== Dispute ===
+The Spanish DPA issued a reprimand against Ayuntamiento de Arroyomolinos for violating Article 37 GDPR. The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.
-Was this municipality under the obligation of appointing a DPO?
+==Comment==
-=== Holding ===
-The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer. This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR.
-The Spanish DPA issued a reprimand to Ayuntamiento de Arroyomolinos for violating Article 37 GDPR.
-The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.
-== Comment ==
 ''Share your comments here!''
-== Further Resources ==
+==Further Resources==
 ''Share blogs or news articles here!''
-== English Machine Translation of the Decision ==
+==English Machine Translation of the Decision==
 The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
 <pre>
 /7
- Procedimiento Nº: PS/00257/2020
-RESOLUCIÓN DE PROCEDIMIENTO SANCIONADOR
-Del procedimiento instruido por la Agencia Española de Protección de Datos y en base
+    Procedure No.: PS/00257/2020
-a los siguientes:
-ANTECEDENTES
+                RESOLUTION OF SANCTIONING PROCEDURE
-PRIMERO: D. A.A.A. (en adelante, el reclamante) con fecha 20 de enero de 2020
-interpuso reclamación ante la Agencia Española de Protección de Datos. La
-reclamación se dirige contra el Ayuntamiento de Arroyomolinos con NIF P2801500F
+From the procedure instructed by the Spanish Data Protection Agency and based
-(en adelante, el reclamado).
+to the following:
-El reclamante manifiesta que recibió a su nombre una notificación del
-Ayuntamiento, y en la misma constan los datos y los hechos que motivan la imposición
+                                  BACKGROUND
-de una sanción a otra persona.
-Por otra parte, señala que el consistorio no tiene Delegado de Protección de
-Datos.
-Junto a la reclamación aporta la notificación que le han remitido.
+FIRST: D. A.A.A. (hereinafter the complainant) dated 20 January 2020
-SEGUNDO: A la vista de los hechos denunciados en la reclamación y de los
+filed a complaint with the Spanish Data Protection Agency. The
-documentos aportados por el reclamante se traslada al reclamado la reclamación.
+claim is directed against the Town Hall of Arroyomolinos with NIF P2801500F
-Con fecha 24 de julio de 2020 el reclamado manifiesta: “que el 20 de enero de
+(hereinafter referred to as the Respondent).
-se le comunico al reclamante que el día de la notificación de la Resolución hubo
-un fallo informático, y en la notificación de su procedimiento se fusionó el cuerpo de la
-resolución de la anterior notificación. Se procedió por parte del departamento a revisar
+       The complainant states that he received on his behalf a notification from
-las notificaciones generadas, no encontrando ninguna más errónea, asimismo se
+City Council, and it contains the data and facts that motivate the imposition
-procedió a añadir más controles revisorios de los documentos generados para que
+from a sanction to another person.
-esta situación no se repita.
-Asimismo, se le comunicó que sus datos no han sido cedidos a terceros,
-únicamente han sido utilizados para la notificación del procedimiento entre el
+       On the other hand, it points out that the consistory does not have a Delegate for the Protection of
-reclamante y este Ayuntamiento”.
+Data.
-TERCERO: Con fecha 25 de septiembre de 2020, la Directora de la Agencia Española
-de Protección de Datos acordó iniciar procedimiento sancionador al reclamado, con
+       Together with the complaint, you will provide the notification that you have been sent.
-arreglo a lo dispuesto en los artículos 63 y 64 de la Ley 39/2015, de 1 de octubre, del
-Procedimiento Administrativo Común de las Administraciones Públicas (en adelante,
-LPACAP), por la presunta infracción del Artículo 37 del RGPD, tipificada en el Artículo
+SECOND: In view of the facts denounced in the complaint and the
-.4 del RGPD.
+the documents provided by the claimant are transferred to the claimant.
-CUARTO: Notificado el citado acuerdo de inicio, el reclamado presentó escrito de
-alegaciones en el que, en síntesis, manifestaba: “que con fecha 28 de septiembre de
+       On 24 July 2020, the petitioner states: "that on 20 January
-se adjudicó por Decreto nº 2497/2020 contrato de servicios de asistencia técnica
+the complainant was informed that on the day of notification of the Resolution there was
-para el soporte y actualización en materia de seguridad de la información (ENS) y
+a computer failure, and in the notification of its procedure the body of the
+resolution of the previous notification. The department proceeded to review
+the notifications generated, finding none more erroneous, also
+proceeded to add further revision controls on the documents generated so that
+this situation will not be repeated.
+       You were also informed that your data have not been transferred to third parties,
+have only been used for the notification of the procedure between
+claimant and this Town Hall".
+THIRD: On 25 September 2020, the Director of the Spanish Agency
+of Data Protection agreed to initiate sanctioning proceedings against the respondent, with
+in accordance with Articles 63 and 64 of Law 39/2015 of 1 October on the
+Common Administrative Procedure for Public Administrations (hereinafter referred to as the "Common Administrative Procedure"),
+LPACAP), for the alleged violation of Article 37 of the GPRS, typified in Article
+.4 of the RGPD.
+FOURTH: Once the above-mentioned agreement to initiate the proceedings had been notified, the respondent submitted a letter of
+in which he stated, in summary: "that on 28 September
+was awarded by Decree No 2497/2020 for technical assistance services
+for information security (ENS) support and updating, and
 C/ Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es 2/7
-/7
-protección de datos personales (RGPD-LOPDGDD) y Servicio de Delegado de
-Protección de Datos, por un período de 12 meses.
-Con antelación suficiente a la fecha de finalización del contrato y teniendo
-como base el trabajo realizado por el DPD durante ese tiempo, ya está previsto licitar
-públicamente por un máximo de 4 años el Delegado de Protección de Datos, con
-objeto de que este Ayuntamiento cuente permanente con dicha figura.
-En cumplimiento con el deber de comunicación de la designación del DPD por
-este Ayuntamiento a la AEPD a tenor de lo previsto en el artículo 34.3 LOPDGDD, se
+protection of personal data (RGPD-LOPDGDD) and Delegate Service of
-le indican a continuación los datos del mismo: START UP, S.L. CIF B33667494
+Data Protection, for a period of 12 months.
-Se adjunta al presente escrito: Decreto nº 2497/2020 de adjudicación de
-contrato de servicio y propuesta técnica-económica de la empresa Start up CDF S.L.
-en la que se detalla el contenido de las prestaciones a realizar”.
+       In good time before the date of termination of the contract and having
-QUINTO: Con fecha 13 de octubre de 2020, el instructor del procedimiento acordó la
+on the basis of the work carried out by the DPD during this time, it is already planned to call for tenders
-apertura de un período de práctica de pruebas, teniéndose por incorporadas las
+publicly for a maximum of 4 years the Data Protection Delegate, with
-actuaciones previas de investigación, E/02287/2020, así como los documentos
+the aim is for this Town Hall to have this figure permanently.
-aportados por el reclamado en fecha 8 de octubre de 2020.
-SEXTO: Con fecha 18 de noviembre de 2020 se formuló propuesta de resolución,
+       In compliance with the duty to communicate the appointment of the DPD by
-proponiendo se sancione con apercibimiento al Ayuntamiento de Arroyomolinos con
-NIF P2801500F, por una infracción del Artículo 37 del RGPD, tipificada en el Artículo
+this City Council to the AEPD in accordance with the provisions of Article 34.3 LOPDGDD, is
-.4 del RGPD.
+the following information is provided: START UP, S.L. CIF B33667494
-SÉPTIMO: Notificada la propuesta de resolución, el reclamado presentó escrito de
-alegaciones en el que, en síntesis, manifestaba:
+       Attached to this letter: Decree No. 2497/2020 on the award of
-“PRIMERO.- Que con fecha 28 de septiembre de 2020 se adjudicó por Decreto nº
+service contract and technical-economic proposal of the company Start up CDF S.L.
-/2020 contrato de servicio de asistencia técnica para el soporte y actualización en
-materia de seguridad de la información (ENS) y protección de datos personales
+which details the content of the services to be provided".
-(RGPD-LOPGDD) y Servicio de Delegado de Protección de Datos, por un periodo de
-meses a la empresa Start up CDF S.L.
+FIFTH: On 13 October 2020, the instructor of the procedure agreed on the
-SEGUNDO.- Se dio cumplimiento al deber de comunicación de la designación del
+opening of a trial period, with the incorporation of the
-DPD por este Ayuntamiento a la AEPD a tenor de lo previsto en el artículo 34.3
+preliminary investigation proceedings, E/02287/2020, as well as documents
+provided by the respondent on 8 October 2020.
+SIXTH: A motion for resolution was tabled on 18 November 2020,
+proposing to sanction the Town Hall of Arroyomolinos with a warning
+NIF P2801500F, for an infringement of Article 37 of the RGPD, typified in Article
+.4 of the RGPD.
+SEVENTH: After notification of the motion for a resolution, the respondent submitted a letter of
+allegations in which, in summary, he stated
+"FIRST - That on September 28, 2020, it was awarded by Decree No
+/2020 technical assistance service contract for support and updates in
+information security (ENS) and personal data protection
+(RGPD-LOPGDD) and the Data Protection Officer Service, for a period of
+months to the company Start up CDF S.L.
+SECOND: The duty to communicate the appointment of the
+DPD by this City Council to the AEPD in accordance with the provisions of Article 34.3
 LOPDGDD.
-TERCERO.- En la propuesta de resolución de la AEPD se indica que “En este caso
-concreto, se ha acreditado en virtud de los documentos aportados con sus
+THIRD: The proposal for a resolution of the AEPD indicates that "In this case
-alegaciones al acuerdo de inicio que el reclamado ha designado Delegado de
+the evidence is based on the documents provided with their
-Protección de Datos: START UP, S.L. CIF B33667494.”
+allegations to the agreement of initiation that the respondent has appointed as Delegate of
-CUARTO.- Tomando en consideración la Sentencia de la Audiencia Nacional de
-/11/2013, (Rec. 455/2011), Fundamento de Derecho Sexto, que sobre el
+Data Protection: START UP, S.L. CIF B33667494."
-apercibimiento regulado en el artículo 45.6 de la LOPD y a propósito de su naturaleza
-jurídica advierte que “no constituye una sanción” y que se trata de “medidas
+FOURTH - Taking into consideration the Judgment of the Audiencia Nacional de
-correctoras de cesación de la actividad constitutiva de la infracción” que sustituyen a la
+/11/2013, (ECR 455/2011), on the basis of the Sixth
-sanción. La Sentencia entiende que el artículo 45.6 de la LOPD confiere a la AEPD
+warning regulated in article 45.6 of the LOPD and regarding its nature
+legal warns that it "does not constitute a penalty" and that these are "measures
+corrective measures for the cessation of the activity constituting the infringement" replacing
+sanction. The Decision understands that Article 45.6 of the LOPD confers on the AEPD
 C/ Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es 3/7
-/7
-una “potestad” diferente de la sancionadora cuyo ejercicio se condiciona a la
-concurrencia de las especiales circunstancias descritas en el precepto. En
-congruencia con la naturaleza atribuida al apercibimiento como una alternativa a la
-sanción cuando, atendidas las circunstancias del caso, el sujeto de la infracción no es
-merecedor de aquella, y considerando que el objeto del apercibimiento es la
-imposición de medidas correctoras, la SAN citada concluye que cuando éstas ya
-hubieran sido adoptadas, lo procedente en Derecho es acordar el archivo de las
-actuaciones”.
+a "power" different from the sanctioning power, the exercise of which is conditional on the
-A la vista de todo lo actuado, por parte de la Agencia Española de Protección de Datos
+concurrence of the special circumstances described in the precept. At
-en el presente procedimiento se consideran hechos probados los siguientes,
+congruence with the nature attributed to the warning as an alternative to
-HECHOS
-PRIMERO: El reclamado carece de la figura de delegado de protección de datos.
+penalty when, in view of the circumstances of the case, the subject of the offence is not
-SEGUNDO: El Ayuntamiento de Arroyomolinos, ha aportado en el presente
+and considering that the object of the warning is the
-procedimiento sancionador las medidas que ha adoptado, entre las mismas consta:
+imposition of corrective measures, the above-mentioned SAN concludes that where these measures have already
-Contrato de servicios de asistencia técnica para el soporte y actualización en
+have been adopted, it is appropriate in law to agree to the closure of the
-materia de seguridad de la información (ENS) y protección de datos personales
+performances".
-(RGPD-LOPDGDD) y Servicio de Delegado de Protección de Datos, por un período de
-meses.
-Comunicación de la designación del Delegado de Protección de Datos: START
+In view of all that has been done, by the Spanish Data Protection Agency
+the following are regarded as established facts in these proceedings,
+                                      FACTS
+FIRST: The person claimed lacks the figure of a data protection representative.
+SECOND: The City Council of Arroyomolinos, has contributed in the present
+the measures it has taken, including the penalties it has imposed:
+       Technical assistance service contract for support and updates in
+information security (ENS) and personal data protection
+(RGPD-LOPDGDD) and the Data Protection Officer Service, for a period of
+months.
+       Communication of the appointment of the Data Protection Officer: START
 UP, S.L. CIF B33667494
-Decreto nº 2497/2020 de adjudicación de contrato de servicio y propuesta
-técnica-económica de la empresa START UP CDF S.L.
+       Decree No 2497/2020 on the award of service contracts and proposals
-FUNDAMENTOS DE DERECHO
+technical-economic of the company START UP CDF S.L.
-I
-En virtud de los poderes que el artículo 58.2 del RGPD reconoce a cada autoridad de
-control, y según lo establecido en los arts. 47 y 48.1 de la LOPDGDD, la Directora de
-la Agencia Española de Protección de Datos es competente para resolver este
+                           LEGAL FOUNDATIONS
-procedimiento.
-II
+                                           I
-Las Administraciones públicas actúan como responsables de tratamientos de datos de
-carácter personal y, en algunas ocasiones, ejercen funciones de encargados de
+By virtue of the powers conferred on each authority in Article 58(2) of the GPRS
-tratamiento, por lo que les corresponde, siguiendo el principio de responsabilidad
-proactiva, atender las obligaciones que el RGPD detalla, entre las que se incluye, la
+control, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the
-obligación de nombrar a un delegado de protección de datos y comunicarlo a esta
+the Spanish Data Protection Agency is competent to resolve this
+procedure.
+                                           II
+Public administrations act as data controllers of
+and, in some cases, they are in charge of the management of the
+processing, for which they are responsible, in accordance with the principle of
+proactive, to meet the obligations detailed in the RGPD, including the
+obligation to appoint a data protection officer and to notify the latter of his or her
 AEPD
-La obligación viene impuesta por el artículo 37 del RGPD, que indica:
+The obligation is imposed by Article 37 of the RGPD, which states
 C/ Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es 4/7
-/7
-“1. El responsable y el encargado del tratamiento designarán un delegado de
-protección de datos siempre que:
-a) el tratamiento lo lleve a cabo una autoridad u organismo público, excepto los
-tribunales que actúen en ejercicio de su función judicial;”
-El Articulo 37.3 y 4 del RGPD señala sobre la designación del DPD “Cuando el
-responsable o el encargado del tratamiento sea una autoridad u organismo público, se
-podrá designar un único delegado de protección de datos para varias de estas
-autoridades u organismos, teniendo en cuenta su estructura organizativa y tamaño.
+"1. The data controller and the processor shall appoint a delegate of
-. En casos distintos de los contemplados en el apartado 1, el responsable o el
+data protection whenever:
-encargado del tratamiento o las asociaciones y otros organismos que representen a
-categorías de responsables o encargados podrán designar un delegado de protección
+(a) the processing is carried out by a public authority or body, except
-de datos o deberán designarlo si así lo exige el Derecho de la Unión o de los Estados
-miembros. El delegado de protección de datos podrá actuar por cuenta de estas
+courts acting in their judicial capacity
-asociaciones y otros organismos que representen a responsables o encargados.”
-La LOPDGDD determina en su artículo 34.1 y 3: ”Designación de un delegado de
+Article 37.3 and 4 of the RGPD states about the designation of the DPD "When the
-protección de datos “
+the controller or the person responsible for the processing is a public authority or
-. Los responsables y encargados del tratamiento deberán designar un delegado de
+may appoint a single data protection officer for several of these
-protección de datos en los supuestos previstos en el artículo 37.1 del Reglamento
-(UE) 2016/679 y, en todo caso, cuando se trate de las siguientes entidades:
+authorities or bodies, taking into account their organisational structure and size.
-. Los responsables y encargados del tratamiento comunicarán en el plazo de diez
-días a la Agencia Española de Protección de Datos o, en su caso, a las autoridades
+. In cases other than those referred to in paragraph 1, the person responsible or
-autonómicas de protección de datos, las designaciones, nombramientos y ceses de
+processing agent or associations and other bodies representing
-los delegados de protección de datos tanto en los supuestos en que se encuentren
+categories of managers or supervisors may appoint a delegate of protection
-obligadas a su designación como en el caso en que sea voluntaria.
+or must designate it if required by Union or national law
-La infracción se contempla como tal en el artículo 83.4.a del RGPD que señala:”4. Las
-infracciones de las disposiciones siguientes se sancionarán, de acuerdo con el
+members. The Data Protection Officer may act on behalf of these
-apartado 2, con multas administrativas de 10 000 000 EUR como máximo o,
+associations and other bodies representing decision-makers or managers"
-tratándose de una empresa, de una cuantía equivalente al 2 % como máximo del
-volumen de negocio total anual global del ejercicio financiero anterior, optándose por
+The LOPDGDD determines in its article 34.1 and 3: "Designation of a delegate of
-la de mayor cuantía:
-a) las obligaciones del responsable y del encargado a tenor de los artículos 8, 11, 25 a
+data protection "
+. Data controllers and processors must appoint a delegate of
+data protection in the cases provided for in article 37.1 of the Regulation
+(EU) 2016/679 and, in any case, in the case of the following entities:
+. Data controllers and processors shall communicate within ten
+days to the Spanish Data Protection Agency or, where appropriate, to the authorities
+data protection, appointments, appointments and dismissals of employees
+the data protection delegates both in cases where they are
+obliged to be appointed as in the case of voluntary appointment.
+The infringement is contemplated as such in Article 83.4.a of the RGPD which states: "4. The
+infringements of the following provisions shall be penalised in accordance with the
+paragraph 2, with administrative fines of up to EUR 10 000 000 or
+in the case of an enterprise, an amount equivalent to a maximum of 2 % of
+total annual turnover for the previous financial year, opting for
+the largest:
+(a) the obligations of the person responsible and of the person appointed under Articles 8, 11, 25 to
 , 42 y 43;”
-El artículo 83.7 del RGPD indica:
-“Sin perjuicio de los poderes correctivos de las autoridades de control en virtud del artículo 58, apartado 2, cada Estado miembro podrá establecer normas sobre si se puede, y en qué medida, imponer multas administrativas a autoridades y organismos públicos establecidos en dicho Estado miembro”
-El artículo 58.2 del RGPD indica: “Cada autoridad de control dispondrá de todos los
+Article 83.7 of the RGPD states:
+"Without prejudice to the corrective powers of the supervisory authorities under the ar-
+in accordance with Article 58(2), each Member State may lay down rules as to whether or not a
+of, and to what extent, imposing administrative fines on public authorities and bodies
+public bodies established in that Member State"
+Article 58(2) of the GPRS states: "Each supervisory authority shall have all the
 C/ Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es 5/7
-/7
-siguientes poderes correctivos indicados a continuación:
-b) sancionar a todo responsable o encargado del tratamiento con apercibimiento cuando las operaciones de tratamiento hayan infringido lo dispuesto en el presente Reglamento;
-d) ordenar al responsable o encargado del tratamiento que las operaciones de
-tratamiento se ajusten a las disposiciones del presente Reglamento, cuando proceda,
-de una determinada manera y dentro de un plazo especificado”.
-En tal sentido, el artículo 77.1 c) y 2, 4 y 5 de la LOPGDD, indica:
-. El régimen establecido en este artículo será de aplicación a los tratamientos de los
-que sean responsables o encargados:
+the following corrective powers are indicated below:
-c) La Administración General del Estado, las Administraciones de las Comunidades
-autónomas y las entidades que integran la Administración Local.
+(b) sanction any person responsible for or in charge of the processing, with a warning as to how
-“Cuando los responsables o encargados enumerados en el apartado 1 cometiesen
+if the processing operations have infringed the provisions of this Regulation, the
-alguna de las infracciones a las que se refieren los artículos 72 a 74 de esta ley
+mento;
-orgánica, la autoridad de protección de datos que resulte competente dictará
-resolución sancionando a las mismas con apercibimiento. La resolución establecerá
+(d) order the controller or processor to carry out the processing operations
-asimismo las medidas que proceda adoptar para que cese la conducta o se corrijan
+treatment are in accordance with the provisions of this Regulation, where appropriate,
-los efectos de la infracción que se hubiese cometido.
+in a certain way and within a specified time".
-La resolución se notificará al responsable o encargado del tratamiento, al órgano del
-que dependa jerárquicamente, en su caso, y a los afectados que tuvieran la condición
-de interesado, en su caso.”
+In this sense, Article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates:
-.Se deberán comunicar a la autoridad de protección de datos las resoluciones que
-recaigan en relación con las medidas y actuaciones a que se refieren los apartados
+. The regime established in this article shall apply to the processing of
-anteriores.
+who are responsible or in charge:
-.Se comunicarán al Defensor del Pueblo o, en su caso, a las instituciones análogas
-de las comunidades autónomas las actuaciones realizadas y las resoluciones dictadas
+c) The General State Administration, the Community Administrations
-al amparo de este artículo.”
-III
+the local authorities and the entities that make up the local administration.
-El artículo 73 de la LOPDDG indica: Infracciones consideradas graves:
-“En función de lo que establece el artículo 83.4 del Reglamento (UE) 2016/679 se
+"Where the persons responsible for, or in charge of, the activities listed in paragraph 1 commit
-consideran graves y prescribirán a los dos años las infracciones que supongan una
+any of the offences referred to in articles 72 to 74 of this law
-vulneración sustancial de los artículos mencionados en aquel y, en particular, las
+authority shall issue an opinion on the matter
-siguientes:
+resolution sanctioning them with a warning. The resolution will establish
-v) El incumplimiento de la obligación de designar un delegado de protección de datos
-cuando sea exigible su nombramiento de acuerdo con el artículo 37 del Reglamento
+also the measures to be taken to ensure that the conduct ceases or is corrected
-(UE) 2016/679 y el artículo 34 de esta ley orgánica.”
+the effects of the infringement that has been committed.
+The decision shall be notified to the controller or processor, to the
+that is hierarchically dependent, where appropriate, and to those affected who have the status
+of interested party, if any."
+.The data protection authority must be informed of decisions that
+be made in connection with the measures and actions referred to in paragraphs
+previous.
+.They shall be communicated to the Ombudsman or, where appropriate, to similar institutions
+of the autonomous communities the actions taken and the decisions handed down
+under this article."
+                                             III
+Article 73 of the LOPDDG states Infringements considered serious:
+"In accordance with Article 83(4) of Regulation (EU) 2016/679, the
+consider serious and will prescribe after two years any infringements involving a
+substantial breach of the articles mentioned in that one, and in particular the
+following:
+(v) Failure to comply with the obligation to appoint a data protection representative
+when his appointment is required in accordance with Article 37 of the Regulation
+(EU) 2016/679 and article 34 of this organic law"
 C/ Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es 6/7
-/7
-Mediante escrito de alegaciones el reclamado, ha manifestado que tiene ya designado
-Delegado de Protección de Datos.
-Pese a ello, la Agencia Española de Protección de Datos, sanciona al reclamado con
-una sanción de apercibimiento ya que éste debió contar con un delegado de
-protección de datos de conformidad con lo establecido en el artículo 37 del RGPD,
-desde el 25 de mayo de 2018, momento en el que entró en vigor el RGPD.
-Por lo tanto, de acuerdo con la legislación aplicable y valorados los criterios de
-graduación de las sanciones cuya existencia ha quedado acreditada, la Directora de la
+By means of a statement of claim, the respondent has stated that he has already designated
-Agencia Española de Protección de Datos RESUELVE:
+Data Protection Delegate.
-PRIMERO: IMPONER al AYUNTAMIENTO DE ARROYOMOLINOS, con NIF
-P2801500F, por una infracción del Artículo 37 del RGPD, tipificada en el Artículo 83.4
-del RGPD, una sanción de apercibimiento.
-SEGUNDO: NOTIFICAR la presente resolución al AYUNTAMIENTO DE
+In spite of this, the Spanish Data Protection Agency has sanctioned the complainant with
+a penalty of a warning, since the latter must have had a delegate from
+data protection in accordance with article 37 of the RGPD,
+from 25 May 2018, when the RGPD came into force.
+Therefore, in accordance with the applicable legislation and assessed on the basis of
+graduation of the sanctions whose existence has been accredited, the Director of
+Spanish Data Protection Agency RESOLVES:
+FIRST: IMPOSE on the ARROYOMOLINOS CITY COUNCIL, with NIF
+P2801500F, for a violation of Article 37 of the GPRS, as defined in Article 83.4
+of the RGPD, a warning sanction.
+SECOND: TO NOTIFY this resolution to the CITY COUNCIL OF
 ARROYOMOLINOS.
- TERCERO: COMUNICAR la presente resolución al Defensor del Pueblo, de
-conformidad con lo establecido en el artículo 77.5 de la LOPDGDD.
+THIRD: To communicate this resolution to the Ombudsman, of
-De conformidad con lo establecido en el artículo 50 de la LOPDGDD, la presente
-Resolución se hará pública una vez haya sido notificada a los interesados.
+in accordance with the provisions of Article 77.5 of the LOPDGDD
-Contra esta resolución, que pone fin a la vía administrativa conforme al art. 48.6 de la
-LOPDGDD, y de acuerdo con lo establecido en el artículo 123 de la LPACAP, los
+In accordance with the provisions of Article 50 of the LOPDGDD, this
-interesados podrán interponer, potestativamente, recurso de reposición ante la
+The decision will be made public after it has been notified to the interested parties.
-Directora de la Agencia Española de Protección de Datos en el plazo de un mes a
-contar desde el día siguiente a la notificación de esta resolución o directamente
+Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
-recurso contencioso administrativo ante la Sala de lo Contencioso-administrativo de la
-Audiencia Nacional, con arreglo a lo dispuesto en el artículo 25 y en el apartado 5 de
+LOPDGDD, and in accordance with Article 123 of the LPACAP, the
-la disposición adicional cuarta de la Ley 29/1998, de 13 de julio, reguladora de la
+the interested parties may, on an optional basis, lodge an appeal for reversal with the
-Jurisdicción Contencioso-administrativa, en el plazo de dos meses a contar desde el
+Director of the Spanish Data Protection Agency within one month to
-día siguiente a la notificación de este acto, según lo previsto en el artículo 46.1 de la
+counting from the day following notification of this resolution or directly
-referida Ley.
+contentious-administrative appeal to the Administrative Chamber of the
-Finalmente, se señala que conforme a lo previsto en el art. 90.3 a) de la LPACAP, se
-podrá suspender cautelarmente la resolución firme en vía administrativa si el
+Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
-interesado manifiesta su intención de interponer recurso contencioso-administrativo.
+the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
-De ser éste el caso, el interesado deberá comunicar formalmente este hecho mediante
+Contentious-Administrative Jurisdiction, within two months from
-escrito dirigido a la Agencia Española de Protección de Datos, presentándolo a través
+day following notification of this act, as provided for in Article 46(1) of the
-del Registro Electrónico de la Agencia [https://sedeagpd.gob.es/sede-electronicaweb/], o a través de alguno de los restantes registros previstos en el art. 16.4 de la
+referred to Law.
-citada Ley 39/2015, de 1 de octubre. También deberá trasladar a la Agencia la
-documentación que acredite la interposición efectiva del recurso contenciosoC/ Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, it is
-/7
+may suspend, as a precautionary measure, the final administrative decision if the
-administrativo. Si la Agencia no tuviese conocimiento de la interposición del recurso
+the applicant states that he intends to bring an administrative appeal.
-contencioso-administrativo en el plazo de dos meses desde el día siguiente a la
+If this is the case, the interested party must formally communicate this fact by
-notificación de la presente resolución, daría por finalizada la suspensión cautelar.
+written to the Spanish Data Protection Agency, submitting it through
--131120
-Mar España Martí
+from the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-
-Directora de la Agencia Española de Protección de Datos
+web/], or through any of the other registers provided for in Article 16.4 of the
-C/ Jorge Juan, 6 www.aepd.es
+the aforementioned Law 39/2015 of 1 October. It must also transfer to the Agency the
-– Madrid sedeagpd.gob.es
+documentation proving the effective filing of the contentious action
+administrative. If the Agency is not aware that the action has been brought
+administrative proceedings within two months of the day following the
+notification of the present resolution, would terminate the precautionary suspension.
+-131120
+Mar Spain Martí
+Director of the Spanish Data Protection Agency
 </pre>