AEPD (Spain) - PS/00265/2022
|AEPD - PS/00265/2022|
|Relevant Law:||Article 9 GDPR|
Article 13 GDPR
Article 83(5)(a) GDPR
Article 83(5)(b) GDPR
|Parties:||Federación de Balonmano de Castilla y La Mancha|
|National Case Number/Name:||PS/00265/2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA fined €17,000 a local Handball Federation for requesting and processing health data of its participants in its competitions to discriminate on the basis of such data, violating Article 9 and Article 13 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
On November 2021, in order to participate in a handball competition, the data subject was required to upload, on the Federación de Balonmano de Castilla y La Mancha website, a certificate of the complete vaccination against COVID or a certificate of having recovered from the disease or an antigen test with a negative result 48 hours prior to the sporting event.
Allegedly, the controller discriminated competitors based on health data they collected, given that only competitors with the presentation of the corresponding certificate of vaccination against COVID-19 or the presentation of antigen tests could play indoors without a mask.
Also, the controller also did not provide information on the data retention period and other aspects provided for in Article 13 GDPR.
In January 2022, the controller replied and in its response highlighted that due to the evolution of the epidemiological situation and the appearance of variants or the effectiveness, it has stopped processing the data related to COVID in order to participate in the competitions.
Holding[edit | edit source]
In its conclusion, the Spanish DPA considered that the requirement of submitting health data in order to participate in the competition without a mask by federated athletes does not fall under the requirements of EU Regulation 2021/953, which created and established the COVID certificate. Also, there is no other legal justification or basis for the processing, violating Article 9 GDPR.
AEPD highlighted that Recital 46 GDPR already recognizes that, in exceptional situations, such as an epidemic, the legal basis for processing may be multiple, based on both the public interest and the vital interest of the data subject or another natural person.
In this case, the data was collected in the private area of the website managed by the Federation as part of the "safe play without mask protocol-season 21/22". Despite the fact that the website could have provided information on the collection of data, there is no explanation or legal justification about such collection and there is no explanation about the establishment of the way and procedure for reporting the data, thus proving the non-compliance with Article 13 GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/21 File No.: EXP202105680 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) on 11/24/2021 filed claim before the Spanish Data Protection Agency. The claim is directed against HANDBALL FEDERATION OF CASTILLA LA MANCHA with NIF G45046455 (in forward, the claimed part). It is claimed that the defendant requests and processes health data of the participants in their competitions, discriminating based on said data, given that they link the use of masks in the development of their competitions with the presentation of the corresponding certificate of vaccination against COVID-19, or the presentation of antigen tests. It also points out that they do not inform about the data retention period and other aspects. provided for in article 13 of the RGPD and lack a Data Protection Officer. Provides: -screen print with the logo of the claimed, no date is visible, which informs that “The Assembly has voted on the new regulations on the use of masks in competitions,” “You can say goodbye to it as long as the players present their certificate of vaccination with the complete schedule in all categories - in the school category it will not be It is necessary to present the vaccination schedule for the moment. Those who have not yet received the double vaccination schedule will be able to compete without mask as long as an antigen test is performed 48 hours before the game and present the test result. For any questions about the regulations you can contact via email with the Federation. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5/12, of Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), Said claim was transferred to the claimed party on 12/23/2021, so that it could proceed to its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in data protection regulations. was requested specific: “1.- The legal basis of the treatment and, if applicable, the circumstance that lifts the prohibition to process special categories of data, according to article 9 of the GDPR. 2.- The purpose of the treatment. 3.- The adequate guarantees implemented for the protection of rights and people's freedoms. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/21 4.- The categories of interested parties (workers, clients, users, etc.) and the information provided to them about the processing of the data. 5.- The Impact Assessment carried out or reasons why it has not been carried out (for know the list of personal data processing that requires an evaluation of impact, as well as any other information related to impact evaluations, You can consult the “Manage EIPD” tool at https://www.aepd.es/es/guias-y- tools/tools/manage-eipd) 6.- The decision adopted regarding this claim. 7.- Report on the causes that have motivated the incident that has caused the claim. 8.- Report on the measures adopted to prevent incidents from occurring similar, dates of implementation and controls carried out to verify their effectiveness. 9.- Any other that you consider relevant.” The transfer, which was carried out in accordance with the rules established in Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 12/23/2021 as stated in the acknowledgment of receipt that is in the proceedings. On 01/27/2022, this Agency received a response letter, indicating: a) As the legal basis of the processing: “The processing of personal data referred to in the claim is regulated by Regulation 2021/953 of the European Parliament and of the Council relating to a framework for the issuance, verification and acceptance of COVID-19 certificates interoperable vaccination, diagnostic test and recovery-digital COVID certificate of the EU -, in order to facilitate free movement during the COVID-19 pandemic", with "the information that the certificate must contain about vaccination, test result diagnosis or recovery from the illness of the interested party.” Agrees that it is data from health included in article 9.1 of the RGPD. Reproduces recital 46 of the RGPD that alludes to various circumstances that may enable the legality of the treatment, highlighting: “when the the same is necessary to protect an essential public interest on the basis of the Law of the European Union or the Member States, which must be proportional to the objective persecuted”, and the “Protection of vital interests of the interested party or of another natural person”, “is justified, insofar as the situation experienced during these last two years has been exceptional, involving a high number of deaths, as well as multiple side effects less visible in the figures, caused by SARS-COV-2.” “This legitimizing basis is regulated by European Union Law, because the person responsible has simply processed data that is already regulated by Regulation (EU) 2021/953, instrument normative that has direct effect of application in Spain.” b) Regarding the purpose of the treatment: it is “to implement the measures that this person responsible is at your disposal, in accordance with current regulations” “limited to compliance with the health and prevention measures required, both by European and national regulations. autonomous. Said vaccination certificate regulated by the regulations, and the data contained in the same, will only be used to guarantee the safe practice of the sport, in accordance with the health and scientific tools that are displayed until now” You understand that said processing of personal data complies with the principles of effectiveness, necessity and proportionality. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/21 c) As guarantees implemented for the protection of the rights and freedoms of people, states that on 10/26/2021, he created the registry of treatment activities-RAT- that provided in document 2. The reference of the DPD does not appear in it, stating the treatment “FEDERATE” and “COVID 19 HEALTH CERTIFICATE” which highlights: “Description of the purpose and classification of the purpose: Protection of vital interests of the interested party or another natural person. In accordance with the legitimation basis that protects said processing of personal data, the purpose will be limited to compliance with the measures health and prevention measures required, both by European and national regulations. autonomous. Said vaccination certificate regulated by the regulations, and the data contained in the same, they will only be used to guarantee the safe practice of the sport in accordance with the health and scientific tools that are displayed until now. “Retention period: The data will be kept for the time necessary to comply with the purpose for which they were collected and to determine the possible responsibilities that may arise. may arise from said purpose and from the processing of the data. However, in this sense, in accordance with the provisions of Regulation (EU) 2021/953 itself, in its art. 17, I don't know will retain said data beyond the date of June 30, 2022, due to lack of application from that date." “Legal basis of legality or legitimacy: Art. 6.1 d) Protection of vital interests of the interested party or of another natural person. In this treatment, the vital interests to be protected are those of the people who practice the sport of Handball, under the scope of action of the Federation, whose scope is limited to the Autonomous Community of Castilla La Mancha and only in reference to the practice of said sport by all federated people.” “Typology or category of personal data: Specially protected data: Personal data health, d) Regarding the information provided to interested parties about the treatment, it does not indicate anything. e) Regarding the DPIA, it is estimated that “it is not mandatory at this time to carry out an evaluation of impact, without prejudice to the need to adopt other security measures.” f) Regarding the decision adopted regarding the claim, it states that “they have finalized said treatment activity”, due to the change in the epidemiological situation, as well as the appearance of variants, which “is leading the authorities to reconsider that said passport COVID has less efficacy, which implies that the principle of efficacy, necessity and proportionality that such treatment requires is not exceeded.” It states that an external DPO has been appointed to the entity on 01/26/2022. He states that “it must be appreciated that the HANDBALL FEDERATION OF CASTILLA LA MANCHA, provided several options to be able to practice this sport safely complying with the protocols required at that time, the only option being to share the COVID CERTIFICATE, but as evidenced in the different attached documents, “There were different ways such as performing a PCR or antigen 48 test before.” g) About the causes that motivated the incident that gave rise to the claim. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/21 It states that “the claim notified to this party has its origin in the decision reached dated 10/25/2021, by the Assembly of the HANDBALL FEDERATION OF CASTILLA LA MANCHA, recorded in the Minutes”, which is attached in DOCUMENT nº4. “It was agreed on point no. 1, the decision to demand the following requirements for the practice of said sport by the federated members of 14 years of age and older: “…it is determined that as of the date the matter of the mask will be as follows: “Boys and girls who or either present the COVID certificate (two complete guidelines or one guideline if the disease) or present a negative antigen test 48 hours before the match. In the event that there is any member of the team (including the coaching staff) who does not present the previously requested, said team will have to wear a mask.” “(Those under 12 years of age that depend directly on the JCCM do not have to comply with this rule)” “Regarding this Last statement, the HANDBALL FEDERATION OF CASTILLA LA MANCHA, clarifies that The age mentioned was an error recorded in the minutes, since the Responsible Party does not have competitions over those under 14 years of age” “the school categories (up to 14 years of age), are “They are governed by the direct instructions of the Community Board of Castilla La Mancha.” "To the Clubs belonging to the Federation, it was communicated on the 29th of the same month, with an explanatory note. from 4/11/2021, “the ways to be able to play” “without a mask, uploading the COVID certificate to the Federation page”, or “without a mask, performing a PCR with a negative result within 48 hours before the match - it will be certified in the manner explained above)”, and “with a mask if “either of the two previous requirements is not met” provide doc 6, informative note of 11/4/2021 to the teams indicating that the process was carried out through email the Federation, sending “a photograph of the test and a certificate that the test was negative”, to He then points out that he can also play without a mask, “uploading the COVID certificate to the Federation page -Also provides “safe game protocol without mask – 21/22 season” insert certificate “senior and youth category vaccination-completed schedule” in document 7, indicating: “Each youth or senior player/coach/delegate must enter the following link ***URL.1”” Club code you will have to give it to them. It is located on the intranet of each team and all players who have a valid record with that club will be able to submit the certificate without problem.”, continues with the DNI-NIE passport, date of birth, click to access. Next, “select and save the vaccination certificate.” “the HANDBALL FEDERATION OF CASTILLA LA MANCHA, implemented these options for the purposes of complying with the provisions of Royal Decree-Law 30/2021, of 12/23, by which urgent prevention and containment measures are adopted to confront the crisis health caused by COVID-19, specifically what is established in its art. 6.2, in which establishes the obligation to use a mask in closed public spaces and venues. Spaces and closed venues in which said sport is always celebrated.” h) Regarding the measures adopted, and controls carried out to verify their effectiveness, indicate the dates of the registration of treatment activity, the date of designation of the DPO, and completion of EIPD analysis. THIRD: On 02/24/2022, in accordance with article 65 of the LOPDGDD, admitted for processing the claim presented by the complaining party. FOURTH On 10/26/2022, the director of the AEPD agreed: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/21 “Initiate a sanctioning procedure against the person complained of, for the alleged violation of the RGPD in the following articles: -9, in accordance with article 83.5.a) of the RGPD and for the purposes of prescription in the article 72.1.e) of the LOPDGDD. -13, in accordance with article 83.5.a) of the RGPD and for the purposes of prescription in the article 72.1.h) of the LOPDGDD "For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, on Procedure Common Administrative Code of Public Administrations (hereinafter LPACP), the sanction that could correspond would be: -10,000 euros for a violation of article 9 of the RGPD. -7,000 euros for a violation of article 13 of the RGPD.” FIFTH: The initiation Agreement was notified to the representative of the defendant, without received allegations. SIXTH: On 06/12/2023, a proposed resolution is issued with the literal: “That the Director of the Spanish Data Protection Agency sanction HANDBALL FEDERATION OF CASTILLA LA MANCHA, with NIF G45046455, for the GDPR violation, articles: - 9 of the RGPD, in accordance with article 83.5.a) of the RGPD, and for the purposes of prescription classified as very serious in article 72.1. e) of the LOPDGDD, with an administrative fine of 10,000 euros. - 13 of the GDPR, in accordance with article 83.5 b) of the GDPR, and for the purposes of prescription classified as very serious in article 72.1.h) of the LOPDGDD, with an administrative fine of 7,000 euros. “ Notified on 06/12/2023, figure accepted on the same day. On 06/26/2023, the defendant makes allegations, indicating that the file would be expired as indicated in article 21 of the LPACAP, when mentioning the obligation of the Administration in issuing the resolution and informing regardless of its form of initiation, admitting that the initiation of the sanctioning procedure occurred on 10/27/2022 “although the proposal resolution took place on 06/12/2023” Subsequently, it requests that sanctions not be imposed on the basis that the infractions would be statute-barred. SIXTH: The following are declared accredited PROVEN FACTS 1) The claimant complains against the defendant on 11/24/2021 because for the practice of sport in the Castilla La Mancha competition, you are required to upload to the website of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/21 claimed the COVID vaccination certificate with the complete schedule, or a certificate of having recovered from the disease or an antigen test with a result negative 48 hours before the sporting event. 2) On 12/23/2021, the claim is transferred to the claimed party, which collects the notification on same day, responding to the AEPD on 01/27/2022. In his response, among others manifestations, indicates that due to the evolution of the epidemiological situation and the appearance of variants or efficacy, has stopped processing COVID-related data in order to participate in competitions. 3) The Assembly of the HANDBALL FEDERATION OF CASTILLA LA MANCHA, dated of 10/25/2021, decided to require federated members aged 14 and over and coaches and delegates (all members of the team) to practice said sport in the competition, the possibility of playing without a mask (it is always in closed spaces, not outside) although only to those who present the COVID certificate (two complete guidelines or one guideline if it has been after the disease) or present a negative antigen test 48 hours before the meeting. This information was transferred to the Clubs belonging to the Federation, on 10/29/2021, with a note clarification dated 11/4/2021, indicating that the process was carried out through email of the Federation, sending “a photograph of the test and a certificate that the test was negative”, to He then points out that he can also play without a mask, “uploading the COVID certificate to the Federation page 4) The defendant provided “safe game protocol without mask – 21/22 season””insert vaccination certificate senior and youth category-completed schedule” in document 7, indicating that by entering their page ***URL.2 in which each athlete identifies and authenticate your data, access the personal area and select and upload the vaccination certificate or the antigen test in this case before each match as a limit, on Friday before 7 p.m. hours. 5) As the legal basis for the treatment, the defendant indicated Regulation 2021/953 of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable COVID-19 certificates for vaccination, diagnostic testing and recovery - EU digital COVID certificate -, in order to facilitate free movement during the COVID-19 pandemic, commonly known as “COVID passport”, or “COVID certificate” EU digital. Adds article 9.2.g) of the RGPD: “the treatment is necessary for reasons of an essential public interest, on the basis of Union or State law members, which must be proportional to the objective pursued, essentially respect the right to data protection and establish appropriate and specific measures to protect the interests and fundamental rights of the interested party”; and article 9.2.c): “the treatment is necessary to protect vital interests of the interested party or another natural person, in the event that the interested party is not physically or legally capable of giving consent." 6) The defendant, on 10/26/2021, created the registry of treatment activities-RAT. “COVID 19 HEALTH CERTIFICATE” which highlights: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/21 “Description of the purpose and classification of the purpose: Protection of vital interests of the interested party or another natural person. In accordance with the legitimation basis that protects said processing of personal data, the purpose will be limited to compliance with the measures health and prevention measures required, both by European and national regulations. autonomous. Said vaccination certificate regulated by the regulations, and the data contained in the same, they will only be used to guarantee the safe practice of the sport in accordance with the health and scientific tools that are displayed until now. “Retention period: The data will be kept for the time necessary to comply with the purpose for which they were collected and to determine the possible responsibilities that may arise. could arise from said purpose and from the processing of the data. However, in this sense, in accordance with the provisions of Regulation (EU) 2021/953 itself, in its art. 17, I don't know will retain said data beyond the date of June 30, 2022, due to lack of application from that date." “Legal basis of legality or legitimacy: Art. 6.1 d) Protection of vital interests of the interested party or of another natural person. In this treatment, the vital interests to be protected are those of the people who practice the sport of Handball, under the scope of action of the Federation, whose scope is limited to the Autonomous Community of Castilla La Mancha and only in reference to the practice of said sport by all federated people.” “Typology or category of personal data: Specially protected data: Personal data health, 7) The defendant was asked for the information provided to the federated athletes of her Federation in the collection of data related to COVID 19, without providing a response related to that aspect. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (Regulation General Data Protection, hereinafter RGPD), grants each control authority and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5/12 Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), The Director of the Spanish Agency for Human Rights is competent to initiate and resolve this procedure. Data Protection. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by The Spanish Data Protection Agency will be governed by the provisions of the Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." II Article 4 of the GDPR defines: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/21 “For the purposes of this Regulation it will be understood as: 1) personal data: any information about an identified or identifiable natural person ("the interested"); An identifiable natural person will be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as example a name, an identification number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, psychological, economic, cultural or social of said person; 2) processing: any operation or set of operations performed on data personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collating or interconnecting, limiting, deleting or destruction; 15) data relating to health: personal data relating to the physical or mental health of a natural person, including the provision of health care services, who discloses information about his state of health;” The processing of personal data in health emergency situations continues to be The personal data protection regulations (RGPD and LOPDGDD) are applicable, so All its principles, contained in article 5 of the RGPD, are applied, including the treatment ment of personal data with legality, loyalty and transparency, limitation of purpose, principle of limitation of the conservation period, and of course, and we must pay special attention I fell into it, the principle of data minimization. Furthermore, it must be taken into account that the specific purpose related to the competition and health to preserve the health of athletes other than what may be the activity of treatment for the purpose of obtaining a federal license, from which categories of data, different risks for the rights and freedoms of those affected, and emerge some powers derived from the exercise of specific rights that deal with the transpar- rence and information contained in articles 12 and 13 of the GDPR. In the situation of health crisis caused by COVID19, the defendant adopts the measures aimed at preventing new infections of COVID-19, under your instructions. Athletes who belong to the claimed Federation have varied options to climb the data to the website of the claimed party for the purposes decided by it. The collection, storage ment and use of these data means that the claimant carries out processing of personal data of athletes, health data on which in principle there should be legal cause for tra- treatment and one of the causes that enables the specific processing of these health data. III The GDPR establishes a very broad concept of health data, and gives it a specific regime. specific, that corresponding to the so-called “special categories of data” referred to. re article 9 of the regulatory text. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/21 This article 9 GDPR states: "1. The processing of personal data that reveals ethnic or racial origin is prohibited, political opinions, religious or philosophical convictions, or union membership, and the processing of genetic data, biometric data aimed at uniquely identifying a natural person, data relating to health or data relating to sexual life or orientation “sexuality of a natural person.” Article 9.2 of the GDPR however means that: “Section 1 will not apply when one of the following circumstances occurs:” which cover article 9.2.a) to 9.2 j) and which will be examined in the following foundation Thus, such processing requires both a legal basis under Article 6 of the GDPR, such as compliance with one of the conditions of article 9.2 of the GDPR. The Data controllers must be aware of the need to comply with both requirements for processing these special categories of personal data. Article 6.1 of the RGPD establishes the assumptions that allow the treatment to be considered lawful. of personal data. 1. Treatment will only be legal if at least one of the following conditions is met: a) the interested party gave his or her consent to the processing of his or her personal data for one or several specific purposes; b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at his request of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the treatment saber; d) the processing is necessary to protect the vital interests of the interested party or another person physical; e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the res- responsible for the treatment or by a third party, provided that said interests do not prevail the interests or fundamental rights and freedoms of the interested party that require protection. tion of personal data, particularly when the interested party is a child. The provisions of letter f) of the first paragraph will not apply to the treatment carried out by public authorities in the exercise of their functions The membership of people in the claimed Federation presupposes in its normal regime, that Your data may be processed for the purpose of your associative relationship, for the purpose of promotion and extension of ordinary sports activity, a purpose that marks the origin of the processing of that data. Additionally, for the case presented of making competitive sports practice compatible with health in times of pandemic, and try to contain the spread of the infection among C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/21 participants, the claimed adds the legal basis for the treatment due to the vital interest of the article 6.1.d) of the GDPR, “the processing is necessary to protect the vital interests of the interested party or another natural person.” Recital (46) of the GDPR already recognizes that, in exceptional situations, such as an epi- demia, the legal basis of the treatments can be multiple, based both on the public interest co, as in the vital interest of the interested party or another natural person. (46) The processing of personal data should also be considered lawful when necessary to protect an interest essential to the life of the interested party or that of another natural person. In In principle, personal data should only be processed on the basis of the vital interest of another natural person when the processing cannot manifestly be based on a legal basis different. Certain types of treatment may respond to both important reasons of interest public and the vital interests of the interested party, such as when the treatment is necessary for humanitarian purposes, including the control of epidemics and their spread, or in humanitarian emergency situations, especially in the event of natural disasters or human origin. Article 6.1.d) of the GDPR considers not only that vital interest is a sufficient legal basis for treatment to protect the “interested party”, in this case the athletes who face each other yes, but that said legal basis can be used to protect the vital interests “of another natural person”, which by extension means that they can be either unidentified persons or identifiable, as unnamed, in terms of holding an interest worthy of being safeguarded. Furthermore, it does not follow, as stated in article 6.3 of the RGPD, that the need to that the basis of treatment for reasons of vital interest must be established by the right of Union or Member State law applicable to the controller, such as If it would be the case if the basis of legitimation were the fulfillment of a mission in the interest public. Having analyzed this basis of legitimation, it is considered that it would cover the treatment caused by the pandemic situation in the specific framework of the competition As an element to consider in the treatment carried out, it must also be assessed whether the claimed exceeds the following threshold that entails the prohibition of the processing of personal data. health of these federated athletes. That is, unless there are any of the circumstances halves and enumerated as established in point 2, the processing of health data will not be lawful IV Of the following articles included in article 9.2 of the RGPD, which are cited and which can prove the eventual legality of the processing of the data of the certificates required in competitions to athletes, those that according to the claim would be applicable will be analyzed to the specific case: “a) the interested party gave explicit consent for the processing of said personal data for one or more of the specified purposes, except where Union or State law Member States establish that the prohibition referred to in paragraph 1 cannot be levied raised by the interested party; […]” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/21 c) the processing is necessary to protect the vital interests of the interested party or another person physical, in the event that the interested party is not capable, physically or legally, to give Your consent; […]” g) the processing is necessary for reasons of essential public interest, on the basis of the De- right of the Union or of the Member States, which must be proportional to the objective pursued. essential, respect the right to data protection and establish appropriate measures. given and specific to protect the interests and fundamental rights of the interested party; […]” i) the treatment is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border health threats, or to ensure high levels of quality and safety of healthcare and medicines or medical devices, on the basis of Union or Member State law establish appropriate and specific measures to protect the rights and freedoms of the interest sado, in particular professional secrecy” The claimant states that the following would be applicable: a) In the RAT it only mentions “Art. 6.1 d) Protection of vital interests of the interested party or of another natural person. In this treatment, the vital interests to be protected are those of the people who practice the sport of Handball, and only in reference to the practice of said sport by all federated people.” However, the alleged provision is not one that allows this type of data processing. b) In its statements it includes it within the framework of Regulation 2021/953 (certificate EU digital COVID) and adds g) of article 9.2 of the GDPR “the treatment is necessary for reasons of essential public interest, on the basis of Union law or the Member States, which must be proportional to the objective pursued, essentially respect the right to data protection and establish appropriate and specific measures to protect the interests and fundamental rights of the interested party;” As for the first, the documentation known as a COVID passport, or COVID certificate digital of the EU, (derived from Regulation 2021/1953 that the defendant alleges) implies the possession of a document that certifies having the complete vaccine schedule, proof diagnosis of active infection -PDIA- or antigen test, and recovery from infection by The SARS-Cov.2 diagnosed, with respect to a temporal period, has as its original purpose the free movement of people within the territory of the EU. It is about the public service of health issues a certificate in cases of vaccination or recovery from the disease, and, In other cases, through the tests carried out, giving the Regulation validity to those certificates in the form stated and for the specific purposes for which said certificate was created. Regulation. Although the COVID certificate was initially approved with the purpose of guaranteeing the right fundamental to the free movement of citizens in the European Union, has been the subject of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/21 subsequent use for other purposes in the generality of the Member States and, in particular in Spain, as one of the measures adopted by the health authorities in order to prevent the spread of infections in various establishments, through their display. Given the adoption by various Member States of unilateral initiatives to issue certificates COVID-19 cases that could imply restrictions on the right to free movement and make it difficult consequently the functioning of the internal market, the European Council took the initiative is about developing a common approach, as well as moving forward with urgency in the work on interoperable and non-discriminatory digital certificates in relation to COVID-19 19. As a result of this initiative, a proposal for a regulation relating to a framework for the issuance of verification and acceptance of interoperable COVID-19 vaccination certificates. nation of diagnostic testing and recovery in order to facilitate free movement during the pandemic. The legal basis of the proposal was article 21 of the Treaty on the Functioning of the Union European Union that recognizes and guarantees the right to free movement in the Union, the guarantees for free movement for reasons of public health must meet the criteria of necessity ity and proportionality. The entities that can access the certificate are limited to the competent authorities of the Member State of destination and to cross-border operators of passenger transportation services airlines and shipping companies that have the obligation to collaborate with said authorities. Regulation 2021/953 is related to the possibility of Member States to limit the fundamental right to free movement for reasons of public health, and culminates the approach coordinated restriction of the free movement of people in response to the pandemic within the EU. Its recital 48 indicates: “Regulation (EU) 2016/679 of the European Parliament and of the Council applies to the processing of personal data made when applying this Regulation. This Regulation establishes the legal basis for the processing of personal data within the meaning of the article 6(1)(c) and Article 9(2)(g) of Regulation (EU) 2016/679, necessary for the issuance and verification of the interoperable certificates established in this Regulation. It does not regulate the processing of personal data related to the documentation of a vaccination, diagnostic test or recovery for other purposes, such as pharmacovigilance or maintenance of personal medical records. The states Members may process personal data for other purposes if the legal basis for their processing for other purposes, including the corresponding retention periods, is established in the National law, which must comply with Union law on the protection of data and the principles of effectiveness, necessity and proportionality, and must include provisions that clearly determine the scope and scope of the treatment, the specific purpose in question, the categories of entities that can verify the certificate, as well as relevant safeguards to prevent discrimination and abuse, taking into account the risks to the rights and freedoms of the data subjects. When the certificate is used for non-medical purposes, personal data accessed during the verification process must not be kept, as provided in this Regulation.” Thus, the main objective of the Regulation is that identified in its article 1: “to establish a framework for the issuance, verification and acceptance of COVID-19 certificates to facilitate the free movement of its holders during the pandemic and contribute to the gradual elimination of restrictions established by the Member States. This purpose is not exhausted in facilitate freedom of movement in the strict sense, since these documents can be C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/21 required for related purposes, as happened, especially in some sectoral standards dictated by Health Departments of Autonomous Communities that regulated based on the situation of various establishments, or sectors as specific prevention measures, the necessary exhibition of this document to be able to access said establishments in depending on the epidemiological situation. The sentences that analyze its justification have considered according to its justification, that the request for this digital certificate or COVID passport It was motivated, and in other cases it was not, but in any case it comes from a rule of an authority health and its ratification approved by the judicial authority until the powers in which supported were declared unconstitutional, which does not happen in that case in which it is a federative entity, which, by organizing a competition, establishes certain requirements relying on a rule such as the Regulation that has its own purposes and is not can be transferred to the scope of the competition in which their federated members participate without any intervention by the health authority or regulation that supports it. In this case, the alleged Regulation EU 2021/953 does not justify the implementation of the health data requirement system for federated athletes to participate in the competition without mask. The defendant implements it motu proprio, without there being a standard. ad hoc applicable to the federated sports sector in the development of competitions. Regarding the added article 9.2.g) of the RGPD, there is no mention of the law of the Union or of the Member States that foresee the need for those reasons of essential public interest, and which should, on the other hand, essentially respect the right to data protection and establish measures. In addition, Order SND/344/2020, of 04/13, which establishes exceptional measures for the reinforcement of the National Health System and the containment of the health crisis caused due to COVID-19, agrees to both make available to the health authority of each Community Autonomous Authority of all diagnostic health centres, services and establishments. privately owned clinical co located in them, such as the submission of the performance of diagnostic tests for the detection of COVID-19 to the guidelines, instructions and criteria agreed for this purpose by the regional health authority, The Second basis of the aforementioned Order determines: “Requirements for carrying out tests diagnostic bases for the detection of COVID-19.”: The indication for performing tests diagnostic methods for the detection of COVID-19 must be prescribed by a medical doctor. in accordance with the guidelines, instructions and criteria agreed for this purpose by the health authority. “competent person.” “As indicated in the preamble of that standard, this is about limiting the realization of diagnostic tests for the detection of COVID-19 to those cases in which there is a prior prescription by a physician and conform to criteria established by the authority competent health service, thus subjecting the regime for carrying out this type of evidence of the prior existence of medical criteria that recommend its implementation.” Thus, it is considered that the defendant does not meet the requirement that it alleges as an exception to the processing of health data, considering that it violates article 9 of the RGPD. V C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/21 On the other hand, it follows that the claim considered in this case a purpose specifically related to COVID 19, has not proven that it reports the extremes that must contain the collection of data in this case, which would violate article 13 of the RGPD, which indicates: "1. When personal data relating to him or her is obtained from an interested party, the person responsible for the treatment, at the time these are obtained, it will provide you with all the information indicated below: a) the identity and contact details of the person responsible and, where applicable, their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the processing for which the personal data are intended and the legal basis of the treatment; d) where the processing is based on Article 6(1)(f), legitimate interests of the person responsible or a third party; e) the recipients or categories of recipients of the personal data, where applicable; f) where applicable, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of a decision on the adequacy of the Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1, second subparagraph, reference to adequate or appropriate guarantees and the means to obtain a copy of these or the fact that they have been provided. 2.In addition to the information mentioned in section 1, the data controller will provide the interested party, at the time the personal data is obtained, the following information necessary to guarantee fair and transparent data processing: a) the period for which the personal data will be kept or, when this is not possible, the criteria used to determine this period; b) the existence of the right to request access to the data from the data controller personal data relating to the interested party, and its rectification or deletion, or the limitation of its processing, or to oppose processing, as well as the right to data portability; c) when the processing is based on Article 6(1)(a) or Article 9, section 2, letter a), the existence of the right to withdraw consent at any time moment, without affecting the legality of the treatment based on prior consent upon his withdrawal; d) the right to file a claim with a supervisory authority; e) whether the communication of personal data is a legal or contractual requirement, or a requirement necessary to sign a contract, and if the interested party is obliged to provide the data personal and is informed of the possible consequences of not providing such data; f) the existence of automated decisions, including profiling, to which refers to article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the logic applied, as well as the importance and intended consequences of said treatment for the interested party. 3.When the data controller plans the subsequent processing of personal data for a purpose other than that for which they were collected, will provide the interested party, with prior to such further processing, information about that other purpose and any additional information relevant under paragraph 2. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/21 4.The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent "that the interested party already has the information" Information on data collection is part of the content of the principle of transparency that enables stakeholders to hold those responsible accountable for exercise control over your personal data. The data collected is different from that which could have been processed previously as those referred to the federative license, due to its different purpose, and category and is imposes the need for explicit information that allows you to exercise your rights. Recital 39 of the GDPR is informative as to the meaning and effect of the principle of transparency in the context of data processing: “For natural persons it must be completely clear that they are collecting, using, consulting or otherwise processing personal data that concerns them, as well as the extent to which said data are or will be processed. The principle of transparency requires that all information and communication related to the processing of said data is easily accessible and easy to understand, and that simple and clear language is used. This principle refers to particular to the information of the interested parties on the identity of the person responsible for the treatment and the purposes thereof and the information added to guarantee fair and transparent with respect to the affected natural persons and their right to obtain confirmation and communication of personal data concerning them that are subject to treatment [...]". In this case, the data was collected in the private area of the application that manages the Federation as part of the “safe game protocol without a mask-season 21/22”” whose decision approved by the Assembly. Although this tool could have informed Regarding said collection, there is no explanation of the claim regarding the establishment of the mode and procedure for reporting the data implemented in the aforementioned measure, proving non-compliance with the aforementioned article 13 of the RGPD. SAW Regarding the allegation of the expiration of the procedure based on article 21 of the LPCAP, which points out 1“The Administration is obliged to issue an express resolution and notify it in all procedures. mentations whatever their form of initiation.” … 2“The maximum period in which the express resolution must be notified will be that established by the norm regulating the corresponding procedure. This period may not exceed six months unless a norm with the rank of Law establishes one greater or so is provided for in the Law of the European Union” Article 64 of the LOPDGDD, paragraph two, final, on the form of initiation and duration of the process yield prescribes: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/21 “The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where applicable, the draft initiation agreement. After that period, will produce its expiration and, consequently, the archiving of actions.” Circumstance that is recorded in the initiation agreement notified to the defendant. Considering that the initiation agreement is issued on 10/26/2022, the maximum period provided for by the specific applicable rule cited, so it is not appropriate to accept said expiration. VII In accordance with the evidence available, it is considered that the facts exposed could violate the provisions of articles: 9 and 13 of the RGPD, with the scope expressed in the previous Fundamentals of Law, which means the commission of the infringements classified in article 83 section 5.a) and b) of the RGPD that under the rubric “General conditions for the imposition of administrative fines” provides that: “Infringements of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the highest amount: a) the basic principles for processing, including the conditions for consent to wording of articles 5, 6, 7 and 9; b) the rights of the interested parties under articles 12 to 22.” In this regard, the LOPDGDD, in its article 71, establishes that “Infractions constitute acts and conduct referred to in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679, as well as those that are contrary to this organic law.” For the purposes of the limitation period, article 72 of the LOPDGDD, indicates: “Infringements considered very serious. "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: […] e) The processing of personal data of the categories referred to in article 9 of the Regulation (EU) 2016/679, without any of the circumstances provided for in said precept and in article 9 of this organic law. […] C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/21 d) The omission of the duty to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this organic Law. (…)” Regarding the prescription of the infraction, considering that of article 9 as very serious, it corresponds to would consider a period for these purposes, as provided in article 72.1.e) of the RGPD of three years. The collection of data for the intended purpose begins in the 21/22 season, with a “game” protocol. go insurance” which is for that season and the claim is from 11/24/21. The Assembly decided the measure on 10/25/2021, which is transferred to the clubs within a few days for their information. In the respondent's response to the transfer, on 01/27/2022 she states that she ceased this type of treatment. Having signed the initiation agreement on 10/26/2022 and with the acceptance of the notice- fication on the same day, the infraction is not considered to be prescribed by the course of the established period. Regarding the prescription of the violation of article 13, failure to inform when carrying out the treatments for the purpose of the protocol developed in “safe play”, which involved the treatment ment of health data, the violation of omission of such duty also entails a period calculation of three years, so from the communication to the clubs to the date of reception tion of the initiation agreement is not considered to be time-barred. VIII Sections d) and i) of article 58.2 of the RGPD provide the following: “Each supervisory authority will have all the following corrective powers indicated below: continuation: (…) “d) order the person responsible or in charge of the treatment that the treatment operations are comply with the provisions of this Regulation, where applicable, of a particular manner and within a specified period;” “i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;" In this case, given the category of data that is collected and the risks of rights and freedoms that are compromised with them, and the broad group that it affects, proceeds administrative fine sanctioning procedure. IX The determination of the sanctions that should be imposed in the present case requires observing the provisions of articles 83.1) and 2) of the RGPD, provisions that, respectively, provide the next: "1. Each supervisory authority will ensure that the imposition of administrative fines with under this Article for violations of this Regulation indicated in the paragraphs 4, 5 and 6 are effective, proportionate and dissuasive in each individual case. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/21 2. Administrative fines will be imposed, depending on the circumstances of each case individually, as an additional or substitute for the measures contemplated in article 58, section 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount In each individual case due account will be taken of: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account of the technical or organizational measures that have been applied under articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular if the responsible or the person in charge notified the infringement and, if so, to what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or certification mechanisms approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” Within this section, the LOPDGDD contemplates in its article 76, entitled: “Sanctions and corrective measures": "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in the section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also may be taken into account: a) The continuous nature of the infringement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/21 b) The linking of the offender's activity with the performance of data processing personal. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process after the commission of the infraction, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party. 3. It will be possible, complementary or alternatively, to adopt, when appropriate, the remaining corrective measures referred to in article 83.2 of the Regulation (EU) 2016/679.” In accordance with the transcribed precepts, for the purposes of setting the amounts of the sanctions of fine to be imposed in the present case typified in article 83.5.a) of the RGPD, of which holds the defendant responsible for the violation of article 9 of the RGPD, it is estimated concurrent as aggravating factors the following factors that reveal a greater illegality and/or culpability in the conduct of the defendant: -Article 83.2.a) RGPD “nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;”. The Data was collected over a period, approximately since November 2021, also for minors, and with the addition of the instruction that, if any member of the team does not present what was requested, certificate or evidence, the team will have to wear a mask, which It is a way to encourage testing and processing of that data in each occasion, or get the vaccine. With this factor, a penalty of 10,000 euros is imposed. For the violation of article 13 of the RGPD, concurrent factors are considered as aggravating factors. the following factors that reveal greater illegality and/or culpability in the conduct of the claimed: - Article 76.2.b) of the LOPDGDD, “The linking of the offender's activity with the carrying out personal data processing”, being an associative type entity composed of 4,895 federative licenses in 2021, according to the Ministry's publication of Culture and Sports, State, “Federated Sports Statistics 2021”, which groups 57 Clubs federated. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid Seeagpd.gob.es 20/21 For violation of article 13 of the GDPR, a fine of 7,000 euros is imposed. Therefore, in accordance with the applicable legislation and assessed the graduation criteria of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE on the HANDBALL FEDERATION OF CASTILLA LA MANCHA, with NIF G45046455, two administrative fines, for the following violations of the RGPD: -article 9 of the RGPD, in accordance with article 83.5.a) of the RGPD, and for the purposes of prescription classified as very serious in article 72.1. e) from the LOPDGDD, with 10,000 euros. -article 13 of the GDPR, in accordance with article 83.5 b) of the GDPR, and for the purposes of prescription classified as very serious in article 72.1.h) of the LOPDGDD, with 7,000 euros. SECOND: NOTIFY this resolution to the HANDBALL FEDERATION OF CASTILLA LA MANCHA, through its representative, D. B.B.B. THIRD: Warn the sanctioned person that he must make the sanction imposed effective once This resolution is executive, in accordance with the provisions of art. 98.1.b) of the LPACAP, within the voluntary payment period established in art. 68 of the General Regulations of Collection, approved by Royal Decree 939/2005, of 07/29, in relation to art. 62 of the Law 58/2003, of 17/12, by entering it, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the restricted account no. IBAN: ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A.. Otherwise, we will proceed to its collection in the executive period. Once the notification is received and once enforceable, if the date of execution is between the days 1 and 15 of each month, both inclusive, the term to make the voluntary payment will be until on the 20th day of the following or immediately following business month, and if it is between the 16th and last of each month, both inclusive, the payment period will be until the 5th of the second month following or immediate subsequent business. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution is will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Agency Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution or directly administrative contentious appeal before the Chamber of the Contentious-administrative of the National Court, in accordance with the provisions of the article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 07/13, regulatory authority of the Contentious-Administrative Jurisdiction, within a period of two months from from the day following notification of this act, as provided for in article 46.1 of the referred Law. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/21 Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, it may be provisionally suspend the final resolution through administrative channels if the interested party expresses his/her intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency of Data Protection, presenting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned LPCAP. You must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. Yeah the Agency was not aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, would end the precautionary suspension. 938-010623 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es