From GDPRhub

Revision as of 15:56, 17 February 2022

AEPD (Spain) - PS/00267/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR; Article 7 GDPR; Article 10 GDPR; Article 46 GDPR; Article 49 GDPR; Article 10 LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 11.02.2022
Fine: 2,000,000 EUR
Parties: AMAZON ROAD TRANSPORT SPAIN, S.L.; Unión General de Trabajadores
National Case Number/Name: PS/00267/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined Amazon Road Transport Spain €2,000,000 for violating Article 6(1) and Article 10 GDPR (and Article 10 LOPDGDD) by requiring criminal record certificates from candidates in its hiring process.

English Summary

Facts

A Spanish trade union (Unión General de Trabajadores, 'UGT') filed a complaint with the Spanish DPA (AEPD) against Amazon Road Transport Spain (Amazon Road). The union reported that, in its hiring process, Amazon Road asked candidates to provide a criminal record certificate. Amazon claimed a legitimate interest in verifying that its transport workers had no past criminal offences or convictions in order to protect its customers' safety and trust, since delivery workers would enter or come into close proximity with customers' homes and would be entrusted with handling products which could at times be of very high value.

Amazon also claimed that processing the criminal record certificate was necessary for the performance of a contract with the prospective transport workers, and that the processing was based on the consent of the data subjects, who, if hired, would be treated by Amazon Road as self-employed transporters. As part of the hiring process, candidates were required to download the 'Amazon Delivery' app and create an account. In order to advance in the process within the app (which determined whether they were suitable candidates for the job), candidates were required to consent to the processing of their personal data, including the criminal record certificate.

The process also required candidates to consent to international transfers of their personal data to third parties. Specifically, Amazon Road asked for the candidates' consent to allow Amazon Road and its related entities (Amazon) to transfer their personal data to third parties outside the European Economic Area (EEA). This consent allowed a third party located in the United States (Accurate Background) to process the candidates' data in order to verify their criminal records, and allowed one of the group's subdivisions located in India (Amazon Development Centre India - Amazon India) to process the data for system support. The general consent clause also stated that it exonerated Amazon, as far as the law permitted, from any liability, damages claims and other charges related to the processing and transfer of the data.

Amazon Road had an Intra-Group Data Transfer and Processing Agreement with Amazon India and a Data Processing Agreement with Accurate Background, both of which included Standard Contractual Clauses (SCCs) with the technical and organisational measures required for the processing. Additionally, Accurate Background was certified under the EU-US Privacy Shield transatlantic data transfer framework.

Holding

First, the AEPD dismissed Amazon's argument that a certificate of absence of criminal records did not amount to processing of personal data relating to criminal convictions and offences under Article 10 GDPR because it was merely a 'negative certificate' that did not include the content of any criminal convictions or offences, but only certified their absence. The AEPD considered that a negative certificate of the absence of data relating to criminal convictions and offences in itself constitutes personal data relating to such convictions and offences, and therefore may not be processed unless authorised by law in accordance with Article 10 GDPR and Article 10 of the Spanish Data Protection Act (Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales - LOPDGDD).

The AEPD held that there was no national law on which Amazon could rely in order to lawfully process this personal data. The AEPD also noted that not even the regulation governing the licensing of road transport operators (Real Decreto 1211/1990 por el que se aprueba el Reglamento de la Ley de Ordenación de los Transportes Terrestres - ROTT) made the absence of a criminal record a requirement for carrying out these activities. Furthermore, the AEPD stated that accepting Amazon's reasoning would amount to allowing any entity to build a database of people with no criminal record, which would also be at odds with Article 10 GDPR, under which a comprehensive register of criminal convictions may be kept only under the control of official authority.

Since the only valid legal basis for processing personal data relating to criminal convictions and offences would be a specific law authorising that processing, the AEPD held that Amazon's arguments that the processing was necessary for the performance of a contract, was justified by its legitimate interest, or was based on the data subjects' consent were irrelevant in this case. The AEPD nevertheless went on to make some pertinent observations on these arguments. Regarding the necessity of the criminal record certificate for the performance of a contract with the transport workers, the AEPD reiterated that, since no national law established this requirement, the argument could not succeed.

With regard to the legitimate interest Amazon claimed in protecting its customers' safety and trust, the AEPD noted that Amazon had provided no evidence that it had balanced this purported legitimate interest against the interests and fundamental rights of the candidates, as required by Article 6(1)(f) GDPR. Because there was no evidence that this balancing exercise had actually been carried out, and consequently the candidates had been given no information about this balancing of interests as the legal basis for processing their criminal record certificate, the AEPD held that legitimate interest could not be invoked to justify the processing. Additionally, the AEPD cited the Court of Justice of the European Union (CJEU) judgment in case C-13/16 (Rīgas satiksme) when assessing whether the processing was necessary for the purpose of Amazon's claimed legitimate interest, a condition that must be interpreted in light of the 'data minimisation' principle under Article 5(1)(c) GDPR. The AEPD stressed that necessity must be interpreted strictly, and not as mere 'usefulness' or 'desirability'. On this basis, the AEPD found that the collection and use of the criminal record certificate was excessive, since there were less intrusive ways to protect Amazon's customers' safety and trust and to ensure that Amazon's position as a transport operator was not compromised.

With regard to consent, the AEPD stated that it would not have been freely given, or otherwise valid, under the requirements of Article 7 GDPR either, since candidates had no option to refuse consent to the processing of their criminal record within the contract if they wanted to be hired. Additionally, the AEPD noted that candidates could not refuse consent separately for each processing operation, and that Amazon did not provide proper information about the processing as required by Article 13 GDPR.

The AEPD also assessed the roles of the three entities involved and held that, under the processing agreements in place, Amazon Road was the controller responsible for the processing carried out by Amazon India and Accurate Background as processors. Since both processors were located outside the EEA (in India and the United States respectively), international transfers of personal data were taking place. The AEPD found that the data subjects' consent did not meet the requirements of Article 49(1) GDPR and Article 7 GDPR, given that it was embedded in the contract without an option to refuse, was not explicit, and was not accompanied by any information on the risks of the transfer. However, the AEPD found that the transfers were lawful under Article 46 GDPR, since the SCCs in Amazon's processing agreements included appropriate technical and organisational measures, and Accurate Background was certified under the EU-US Privacy Shield at the time the transfers took place. The AEPD also noted that Amazon had stopped requiring the negative criminal record certificates in its hiring process before the Privacy Shield was invalidated by the CJEU judgment of 16 July 2020 (Schrems II), and therefore no unlawful transfers to Accurate Background took place.

Accordingly, the AEPD fined Amazon Road €2,000,000 for infringing Article 6(1) GDPR, Article 10 GDPR and Article 10 LOPDGDD, and ordered the controller to bring its processing into compliance.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. Note that the text reproduced below carries file number PS/00324/2021 and concerns IZA OBRAS Y PROMOCIONES, S.A., not the Amazon Road decision PS/00267/2020 summarised above.

File No.: PS/00324/2021

RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Data Protection Agency and based on the following

                                   BACKGROUND


FIRST: On February 16, 2021, A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency.

The claim is directed against IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229 (hereinafter, the claimed party).


The claim is based on the allegation that the claimed entity disclosed the claimant's health data, as well as his personal email address, to another company, all without the claimant's consent.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on March 16, 2021 said claim was transferred to the claimed party, so that it could analyse it and inform this Agency, within one month, of the actions carried out to comply with the requirements provided for in the data protection regulations.

On April 13, 2021, a written response was received at this Agency stating the following:


1.- On November 14, 2018, the Public Housing Business Entity-Donostiako Etxegintza awarded IZA a construction works contract in Intxaurrondo.

2.- The claimant, an IZA employee, worked on said project, temporarily performing the function of project manager.

3.- The claimant, while retaining his status as an employee, reported IZA to the Public Housing Business Entity-Donostiako Etxegintza on July 14 and September 9, 2020 for, among other things, lack of assignment of human and material resources.

4.- In exercise of its power of control, the Public Housing Business Entity-Donostiako Etxegintza required IZA, in accordance with article 55 of Law 39/2015 on the Common Administrative Procedure of Public Administrations, to provide information regarding the complaints filed.

5.- Upon receiving said communication, and in compliance with its obligation to collaborate with the Administration, IZA set out the relevant facts that would explain the lack of assignment of material and human resources to the project, responding to the claimant's complaints. This information included information about the claimant, and IZA justified its referral as compliance with a legal obligation (Law 39/2015) as well as under the prerogatives of Law 9/2017 on public sector contracts.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es


6.- The submission of said information was treated as confidential, through the Electronic Entry Registration channels, in accordance with the Law. The information held by the Public Housing Business Entity-Donostiako Etxegintza, outside IZA's protection channels, reached the claimant, as stated in his complaint.


7.- As a result, the breach protocol was activated; no data leak from IZA was detected, and clarification in this regard was requested from the Entidad Pública Empresarial de Vivienda-Donostiako Etxegintza, a request that has not received a response.

8.- IZA provided the information indicated by the claimant exclusively within the administrative procedure, in the exercise of the competence and control of the Public Entity.

9.- Regarding the use of the complainant's personal email, IZA states that its use derives from the claimant himself having provided it, for two years, as the means of communicating with the company. Message headers and subjects are attached to corroborate this, and the contents would be sent to the Control Authority if needed.

THIRD: On June 18, 2021, the Director of the Spanish Data Protection Agency agreed to accept for processing the claim presented by the claimant.

FOURTH: On October 13, 2021, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD.

FIFTH: The aforementioned commencement agreement having been notified, on October 25, 2021 the claimed party submitted a brief of allegations in which, in summary, it states that it has not disclosed personal information of the claimant to the Public Housing Business Entity-Donostiako Etxegintza.

It also expresses its confusion and asks this Agency to indicate what especially sensitive information has been processed.

Finally, it requests that the Donostia / San Sebastián City Council be required to provide the recording of the session incorporated into the session diary of the Development and Territory Planning Commission dated December 9, 2020, where the claimant's data were presumably released and disclosed.


SIXTH: On October 27, 2021, the instructor of the procedure agreed to open an evidence period, taking as incorporated the preliminary investigation actions, E/02987/2021, as well as the documents provided by the claimed party.


SEVENTH: On October 31, 2021, a proposed resolution was issued proposing that the Director of the Spanish Data Protection Agency sanction IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, for a violation of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD, with a fine of €50,000 (fifty thousand euros).


EIGHTH: On November 15, 2021, allegations were presented against said proposed resolution, reiterating the allegations made throughout the procedure and specifically stating the following:

"The claimant's personal email data has not been disclosed; legitimacy is also found for the transfer of data -even if there were categories of specially protected data-, and this whole procedure is triggered by the leak of information produced from the Public Housing Business Entity-Donostiako Etxegintza, its Board of Directors, as well as from the Development and Territory Planning Commission of the Donostia / San Sebastián City Council."


From the actions carried out in this procedure and the documentation in the file, the following facts have been accredited:

                                PROVEN FACTS


FIRST: The claimant states that the claimed entity disclosed his health data (specifically dates of medical leave, reasons, and permits) to another company, as well as his personal email address, all without his consent.

The claimed entity provided not only the absences, but also the dates of the leaves and permits with their respective causes, including COVID.

This is stated in the letter sent by the claimed entity to the Public Housing Business Entity-Donostiako Etxegintza on November 18, 2020, which is in this file together with the documentation provided by the claimant in his claim.

SECOND: The claimed entity was required by the Public Housing Business Entity-Donostiako Etxegintza to provide information regarding the complaints filed by the claimant on July 14 and September 9, 2020 for lack of assignment of human and material resources.

The claimed entity responded to this request by providing personal information (the claimant's personal email, as well as dates of medical leave, their causes, and permits), which came to the knowledge of the claimant and gave rise to the present claim.

                             FOUNDATIONS OF LAW

                                              I


By virtue of the powers that article 58.2 of the RGPD recognises to each supervisory authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.


                                             II

Article 5 of the RGPD, "Principles relating to processing of personal data", states:

"1. Personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')."


The infringement for which the claimed party is held liable is provided for in article 83.5 of the RGPD, which establishes:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9."



In turn, article 72.1.a) of the LOPDGDD classifies as a very serious infringement, for limitation-period purposes, "a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679."


                                            III

In the present case, the claimant's personal data, namely his personal email address and health data, have been disclosed to the Public Housing Business Entity-Donostiako Etxegintza without the claimant's consent.

Although the claimed party is recognised as having legitimacy to send the data necessary to defend itself against sanctioning proceedings or penalties that could be imposed as a result of the breach of an administrative contract, it should not be forgotten that the RGPD includes health among the categories of specially protected personal data, in accordance with article 9.1 of the RGPD, which states:

“The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”.

In this regard, the claimed entity presented a written statement of allegations against the proposed resolution indicating that, in accordance with article 9.2 f) of the RGPD, the claimant's personal data were disclosed for its defence against a claim.

It should be noted that the literal wording of said provision is as follows:

"Paragraph 1 shall not apply if one of the following applies:

f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;"


In this regard, it should be pointed out that, although recital 52 of the RGPD in fine establishes with respect to this exception that "processing of such personal data should also be allowed on an exceptional basis where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure", it must nevertheless be taken into account that the use of health data, even under this exception, is not covered if it violates article 5.1.c) of the RGPD and the data transferred are excessive in relation to the purpose, since there was no need to specify all vacations, permits and, especially since they are health data, medical leaves with their causes in order to pursue its defence.

On the other hand, the claimed entity also alleges, in its brief of allegations against the proposed resolution, that evidence has been rejected by this body.


In this regard, it should be noted that this Agency has not rejected any evidence presented by the claimed party; it has only considered that, with the evidence already in this procedure, it is not necessary to request from the Donostia / San Sebastián City Council the recording of the session incorporated into the session diary of the Territory Planning and Development Commission dated December 9, 2020.

This is so because it has been proven that the claimed entity transferred the claimant's health data, specifically dates of medical leave, their reasons and permits, and therefore the claimed entity exceeded the permissible processing of the claimant's personal data: even though it has legitimacy for their internal use in its relationship with the worker or claimant, it has no legitimacy to use them beyond its employment relationship with the claimant without his express consent.


In another vein, it has also been found that, in response to the requirement of the Public Housing Business Entity-Donostiako Etxegintza following the complaints filed by the claimant on July 14 and September 9, 2020 for lack of assignment of human and material resources, the claimed entity provided the claimant's email without having his consent.

In this regard, the claimed entity states that it knew the complainant's email because it was the means of company-worker communication; therefore, by providing the claimant's personal email to a third entity, it exceeded the purpose for which said personal data was provided, thereby violating the principle of purpose limitation, regulated in article 5.1 b) of the RGPD and set out in legal ground II.

Therefore, when the claimant's health data (dates of medical leave, the reasons for them and leave permits with their respective causes, including COVID) and the claimant's personal email address are transferred, this Agency considers, on the one hand, that specially protected data are being processed, in accordance with article 9 of the RGPD (health data), and on the other that personal data (the personal email address) are being processed for a purpose other than mere communication between the worker and the company, in accordance with article 5.1 b) of the RGPD.


All this results in an excessive use of personal data by the respondent entity. Data protection regulations require that the processing of personal data be adequate, relevant and limited to what is strictly necessary in relation to the purposes for which they are processed; nevertheless, as a consequence of the complaint filed by the claimant against the respondent entity before the Public Housing Business Entity Donostiako Etxegintza for a lack of allocation of human and material resources, the respondent entity has violated the principle of data minimization by providing that public business entity, for its own defence, with the claimant's health data and personal email address, which places us before an alleged violation of article 5.1 c) of the RGPD, indicated in legal ground II.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10


Therefore, it is considered appropriate to reiterate that it is not considered necessary to require Donostia / San Sebastián City Council to provide the recording of the session incorporated into the journal of sessions of the Territorial Planning and Development Commission dated December 9, 2020, as suggested by the respondent entity, since the documentation in this file proves the reported events, which ultimately amount to an excess of personal data provided by the respondent entity to justify its action, to the detriment of the claimant, by processing especially sensitive and therefore especially protected data, such as health data, in accordance with the provisions of article 9 of the RGPD.


                                           IV

Article 58.2 of the RGPD provides the following: "Each supervisory authority shall have all of the following corrective powers:

b) to issue a warning to a controller or processor where processing operations have infringed the provisions of this Regulation;

d) to order the controller to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

i) to impose an administrative fine pursuant to article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;"


                                           V

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, which state:

"Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive."


"Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and deciding on its amount, due regard shall be given in each individual case to the following:
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage they have suffered;

b) the intentional or negligent character of the infringement;

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;

g) the categories of personal data affected by the infringement;

h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the controller or processor notified the infringement;

i) where the measures referred to in article 58, paragraph 2, have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;

j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42; and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."


Regarding letter k) of article 83.2 of the RGPD, article 76 of the LOPDGDD, "Sanctions and corrective measures", provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the infringement.

b) The link between the offender's activity and the carrying out of personal data processing.

c) The benefits obtained as a result of the commission of the infringement.

d) The possibility that the conduct of the affected person could have led to the commission of the infringement.

e) The existence of a merger by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The affecting of the rights of minors.

g) Having a data protection officer when this is not mandatory.

h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms in those cases in which there are disputes between them and any data subject."


In accordance with the provisions transcribed, and without prejudice to what results from the investigation of the procedure, for the purpose of setting the amount of the fine to be imposed on IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, as responsible for an infringement typified in article 83.5.a) of the RGPD, in an initial assessment the following aggravating factors are considered to concur in the present case:

- A special category of personal data has been processed, namely health data, in accordance with article 9 of the RGPD.


Therefore, in accordance with the applicable legislation and the criteria for grading sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, for an infringement of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD, a fine of € 50,000 (fifty thousand euros).

SECOND: TO NOTIFY this resolution to IZA OBRAS Y PROMOCIONES, S.A.

THIRD: To warn the sanctioned party that the sanction imposed must be paid once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date on which it becomes enforceable falls between the 1st and the 15th of the month, both inclusive, the voluntary payment period will run until the 20th of the following month or the next business day thereafter; and if it falls between the 16th and the last day of the month, both inclusive, the payment period will run until the 5th of the second following month or the next business day thereafter.


In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the said Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If so, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also send the Agency the documentation proving that the contentious-administrative appeal has actually been filed. If the Agency is not aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, the precautionary suspension will end.



Mar España Martí
Director of the Spanish Data Protection Agency