AEPD (Spain) - PS/00267/2020: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(9 intermediate revisions by one other user not shown)
Line 17: Line 17:
|Type=Complaint
|Type=Complaint
|Outcome=Upheld
|Outcome=Upheld
|Date_Started=
|Date_Started=28.11.2019
|Date_Decided=
|Date_Decided=
|Date_Published=11.02.2022
|Date_Published=11.02.2022
Line 55: Line 55:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Carmen Villarroel
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Carmen.villarroel Carmen Villarroel]
|
|
}}
}}
Line 66: Line 66:
A Spanish union (Unión General de Trabajadores, 'UGT') filed a complaint with the Spanish DPA (AEPD) against Amazon Road Transport Spain (Amazon Road). They reported that in their hiring process, Amazon Road asked potential candidates to provide a criminal record certificate. Amazon claimed that they had a legitimate interest in verifying that their transport workers did not have past criminal offenses or convictions in order to protect their customer's safety and trust, since the delivery workers would be entering or coming in close proximity with their customer's households, and would be entrusted with handling products which at times could be of very high value.  
A Spanish union (Unión General de Trabajadores, 'UGT') filed a complaint with the Spanish DPA (AEPD) against Amazon Road Transport Spain (Amazon Road). They reported that in their hiring process, Amazon Road asked potential candidates to provide a criminal record certificate. Amazon claimed that they had a legitimate interest in verifying that their transport workers did not have past criminal offenses or convictions in order to protect their customer's safety and trust, since the delivery workers would be entering or coming in close proximity with their customer's households, and would be entrusted with handling products which at times could be of very high value.  


Amazon also claimed that processing the of the criminal record certification was necessary in order to perform a contract with the potential transport workers, and that this processing was based on the consent of the data subjects, which if hired would considered self-employed transporters by Amazon Road. As part of the hiring process, the candidates were required to download the 'Amazon Delivery' app and create an account. In order to advance in the process within the app (which would determine if they were suitable candidates for the job) the candidates were required to consent to the processing of personal data, which included the criminal record certificate.
Amazon also claimed that processing the of the criminal record certification was necessary in order to perform a contract with the potential transport workers, and that this processing was based on the consent of the data subjects, which if hired would be considered self-employed transporters by Amazon Road. As part of the hiring process, the candidates were required to download the 'Amazon Delivery' app and create an account. In order to advance in the process within the app (which would determine if they were suitable candidates for the job) the candidates were required to consent to the processing of personal data, which included the criminal record certificate.


This process also required candidates to consent to international transfers of their personal data with third parties. Specifically, Amazon Road asked for the candidates' consent to allow Amazon Road and its related entities (Amazon) to transfer their personal data to third parties outside the European Economic Area (EEA). Such consent allowed a third party located in the United States (Accurate Background) to process the candidates' data in order to verify their criminal records, and the processing of data by one of the company's subdivisions located in India for system support (Amazon Development Centre India - Amazon India). The general consent clause also stated that it would exonerate Amazon of any responsibility, damages claims, and other charges related to the processing and transfer of data as far as the law permitted it.
This process also required candidates to consent to international data transfers of their personal data with third parties. Specifically, Amazon Road asked for the candidates' consent to allow Amazon Road and its related entities (Amazon) to transfer their personal data to third parties outside the European Economic Area (EEA). Such consent allowed a third party located in the United States (Accurate Background) to process the candidates' data in order to verify their criminal records, and the processing of data by one of the company's subdivisions located in India (Amazon Development Centre India - Amazon India) for "support" with the collection, handling and storage of personal data. This general consent clause also stated that it would exonerate Amazon of any responsibility, damages claims, or other charges related to the processing and transfer of data as far as the law permits it.


Amazon Road established an Intra-Group Data Transfer and Processing Agreement with Amazon India and a Data Processing Agreement with Accurate Background, which both included Standard Contractual Clauses (SCC) with technical and organisational measures required for data processing. Additioanlly, Accurate Background was adhered to the EU-US Privacy Shield transatlantic data transfer framework.
Amazon Road established an Intra-Group Data Transfer and Processing Agreement with Amazon India and a Data Processing Agreement with Accurate Background, which both included Standard Contractual Clauses (SCCs) with technical and organisational measures required for data processing. Additionally, Accurate Background was adhered to the EU-US Privacy Shield transatlantic data transfer framework.


=== Holding ===
=== Holding ===
First, the AEPD dismissed Amazon's claims that a certificate of absence of criminal records did not amount to processing of personal data relating to criminal convictions and offences under Article 10 GDPR, since this was just a "negative certificate" that did not include the actual content of criminal convictions and offences, and was instead just a certification that there was an absence of any of these. The AEPD considered that a negative certification of absence of data relating to criminal convictions and offences in itself does constitute personal data related to these, and therefore should not be processed unless authorised by law according to [[Article 10 GDPR]] and Article 10 of the Spanish Data Protection Act (Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales - LOPDGDD).
The AEPD dismissed Amazon's claims that a certificate of absence of criminal records did not amount to processing of personal data relating to criminal convictions and offences under [[Article 10 GDPR]]. According to Amazon, the requirement was limited to a "negative certificate" that did not include the actual content of any criminal convictions and offences, just a certification that there was an absence of these. The AEPD considered that this negative certificate to prove the absence of criminal convictions and offences in itself does constitute personal data related to these, and therefore should not be processed unless authorised by law according to [[Article 10 GDPR]] and Article 10 of the [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Spanish Data Protection Act (Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales - LOPDGDD).]


The AEPD held that there was no national law which Amazon could rely on in order to lawfully process this personal data. The AEPD also noted that not even the law under which the competent national authority in charge of issuing transport and delivery licenses (Real Decreto 1211/1990 por el que se aprueba el Reglamento de la Ley de Ordenación de los Transportes Terrestres - ROTT) established criminal records as a necessary requirement for carrying out these activities. Furthermore, the AEPD stated that admitting Amazon's reasoning would amount to permitting any entity to create a database of people with no criminal records, which would also be at odds with [[Article 10 GDPR]], which states that a register of criminal convictions should be kept only under the control of an official authority.
The AEPD held that there was no national law which Amazon could rely on in order to lawfully process this personal data. The AEPD also noted that not even the law under which the competent national authority issued transport licenses ([https://www.boe.es/eli/es/rd/1990/09/28/1211 Real Decreto 1211/1990 por el que se aprueba el Reglamento de la Ley de Ordenación de los Transportes Terrestres - ROTT]) established criminal records as a necessary requirement for carrying out these activities. Furthermore, the AEPD stated that admitting Amazon's reasoning would amount to permitting any entity to create a database of people with no criminal records, which would also be at odds with [[Article 10 GDPR]], which states that a register of criminal convictions should be kept only under the control of an official authority.


The AEPD noted that in light of the fact that the only valid legal basis for the processing of personal data related to criminal convictions and offences would be a specific law that authorised the processing of this type of data, it held that Amazon's arguments regarding the necessity of this processing for performance of a contract, its legitimate interest, or the data subject's consent as valid legal bases, were irrelevant in this case. However, the AEPD went on to make some pertinent observations related to Amazon's arguments in this sense. Regarding the necessity of requiring the criminal record certificate for the performance of a contract with the transport workers, the AEPD reiterated that since there was no national law that established this requirement, this was not a valid argument.
The AEPD held that in light of the fact that the only valid legal basis for the processing of personal data related to criminal convictions and offences would be a specific law that authorised the processing of this type of data, Amazon's arguments regarding the necessity of this processing for performance of a contract, its legitimate interest, or the data subject's consent as valid legal bases were irrelevant in this case. However, the AEPD went on to make some pertinent observations related to Amazon's arguments in this sense. Regarding the necessity of requiring the criminal record certificate for the performance of a contract with the transport workers, the AEPD reiterated that since there was no national law that established this requirement, this was not a valid argument.


With regards to the legitimate interest Amazon claimed to have to protect their customer's safety and trust, the AEPD noted that Amazon had not provided any proof that they had pondered this potential legitimate interest against the interests and fundamental rights of the candidates in the hiring process, as required by [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The AEPD stated that because there was no evidence that this balancing exercise had actually been carried out, and that consequently the candidates had not been given any information related to this pondering of interests as a legal basis for processing their criminal record certificate, this could not be invoked as a justification for processing this personal data. Additionally, the AEPD cited the Court of Justice of the European Union (CJEU) in case C-13/16 – Rigas Satiksme when assessing the necessity of the processing for the purpose of Amazon's claimed legitimate interest, which must be interpreted according to the 'data minimisation' principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. Furthermore, the AEPD stated that necessity should not be interpreted strictly, and not as mere 'usefulness' or 'desirability'. According to these considerations, the AEPD stated that the collection and use of the criminal record certificate was excessive since there were less intrusive ways to protect the Amazon customers' safety and trust, and to guarantee that Amazon's position as a transport operator was not compromised.
With regards to the legitimate interest Amazon claimed to have to protect their customer's safety and trust, the AEPD noted that Amazon had not provided any proof that they had pondered this potential legitimate interest against the interests and fundamental rights of the candidates in the hiring process, as required by [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The AEPD stated that because there was no evidence that this balancing exercise had actually been carried out, and that consequently the candidates had not been given any information related to this pondering of interests as a legal basis for processing their criminal record certificate, this could not be invoked as a justification for processing this personal data. Additionally, the AEPD cited the Court of Justice of the European Union (CJEU) [[CJEU - C‑13/16 - Rīgas satiksme|C-13/16 – Rigas Satiksme]] decision when assessing the necessity of the processing for Amazon's claimed legitimate interest, and stated that 'necessity' must be interpreted according to the 'data minimisation' principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. Furthermore, the AEPD stated that 'necessity' should be interpreted strictly, and not as mere 'usefulness' or 'desirability'. According the AEPD, the processing of the criminal record certificate in this case did not meet the CJEU proportionality doctrine (purpose test, necessity test, balancing test), and was excessive since there were less intrusive ways to protect Amazon customers' safety and trust, and to guarantee that Amazon's position as a transport operator was not compromised.


With regard to consent, the AEPD stated that it would have not been freely given or valid either in this case according to the requirements in [[Article 7 GDPR]], since the candidates did not have the option of refusing to consent to the processing of their criminal record within the contract in order to be hired. Additionally, the AEPD noted that candidates did not have an option to not consent separately for each particular processing, and that Amazon did not offer proper information about the processing under [[Article 13 GDPR]].
With regard to consent, the AEPD stated that it would have not been freely given or valid either in this case according to the requirements in [[Article 7 GDPR]]. Specifically, the candidates did not have the option of refusing to consent to the processing of their criminal record within the contract or in the hiring process through the mobile app, and did not have the option to consent separately for each particular processing. Additionally, the AEPD held that Amazon did not offer proper information about the collection of this personal data as required by [[Article 13 GDPR]].


The AEPD also evaluated the position of the three entities involved in the case, and held that according to the processing agreements that were in place, Amazon Road was the controller responsible for the processing carried out by Amazon India and Accurate Background.  Since both of these processors were located outside the EEA (in India and the United States respectively), international transfers of data were taking place. The AEPD found that in this case, data subjects' consent in accordance with [[Article 49 GDPR|Article 49(1) GDPR]]  and [[Article 7 GDPR]] was not valid, given the fact that it was included in the contract without an option to refuse, it was not explicit, and no information was given to the data subject regarding the risks of the data transfer. However, the AEPD found that the data transfers were lawful according to [[Article 46 GDPR]], since the SCCs in Amazon's processing agreements included appropriate technical and organisational measures, and Accurate Background was adhered to the EU-US Privacy Shield during the time that the data transfers took place.   
The AEPD also evaluated the position of the three entities involved in the case, and held that according to the processing agreements that were in place, Amazon Road was the controller responsible for the processing carried out by Amazon India and Accurate Background, and that because these processors were located outside the EEA (in India and the United States respectively), international data transfers were taking place. The AEPD found that, in this case, data subjects' consent to data transfers would not be valid in accordance with [[Article 49 GDPR|Article 49(1) GDPR]]  and [[Article 7 GDPR]], given that consent was required within the contract without an option to refuse, it was not explicit, and no information was given to the data subject regarding the risks of these data transfers. However, the AEPD found that the data transfers were lawful according to [[Article 46 GDPR]], since the SCCs in Amazon's processing agreements included appropriate technical and organisational data protection measures, and Accurate Background was adhered to the EU-US Privacy Shield during the time that the data transfers took place. The AEPD also noted that Amazon had stated it had already stopped requiring the negative criminal certificates in their hiring process before the date the Privacy Shield was invalidated by the [https://gdprhub.eu/index.php?title=CJEU_-_C-311/18_-_Schrems_II CJEU C-311/18 - Schrems II] decision, and if so, no unlawful data transfers to Accurate Background would have taken place.   


Accordingly, the Spanish DPA fined Amazon Road €2,000,000 for a violation of [[Article 6 GDPR]], [[Article 10 GDPR]] and [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 10 LOPDGDD] and ordered the controller to come into compliance.
Accordingly, the Spanish DPA fined Amazon Road €2,000,000 for a violation of [[Article 6 GDPR#1|Article 6(1) GDPR]], [[Article 10 GDPR]] and [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 10 LOPDGDD] for requesting criminal record certificates in their hiring process without a valid legal basis to do so. The AEPD also ordered Amazon Road to provide documentation to prove that their current practices are GDPR compliant. Specifically to prove that the criminal record certificate requirement for job applicants is no longer in place (both in the contract with transport workers as well as in the registration mobile app in their hiring process), that the data related to these certificates previously processed has been deleted, and that it provides workers with adequate information related to the nature and purpose of data transfers that are still being carried out with the processors in this case.


== Comment ==
== Comment ==
Line 97: Line 97:


<pre>
<pre>
                                                                                 1/10
                                                                                 1/64




Line 106: Line 106:




     File No.: PS / 00324/2021


                - RESOLUTION OF SANCTIONING PROCEDURE
     File No.: PS/00267/2020
 
 
 
                RESOLUTION OF PUNISHMENT PROCEDURE




Of the procedure instructed by the Spanish Agency for Data Protection and based on
Of the procedure instructed by the Spanish Agency for Data Protection and based on
the following
to the following
 


                                   BACKGROUND
                                   BACKGROUND




FIRST: A.A.A. (hereinafter, the complaining party) dated February 16, 2021
FIRST: A.A.A., on behalf of the General Union of Workers (in what
filed a claim with the Spanish Data Protection Agency.
 
hereafter, UGT, the claimant or claimant entity), on 11/28/2019 filed
claim before the Spanish Data Protection Agency. The claim is
directs against AMAZON ROAD TRANSPORT SPAIN, S.L with CIF B88405303 (in
hereafter, AMAZON ROAD, the respondent or respondent entity). The reasons in which
the claim is based on are as follows:
 
 
1. For the contracting of autonomous carriers as service providers,
(program “***PROGRAMA.1”), the respondent entity asks the candidates for various
documentation, including a certificate of absence of a criminal record
penalties.
 
 
2. AMAZON ROAD requires the consent of the candidates so that “Amazon”, and
any related entity, carry out transfers of personal data
to any related entity located outside the EEA to promote the interests
legitimate rights of "Amazon" and/or any related entity ("Entity means
Related “Amazon holding company, subsidiary company or affiliate of its holding company”
 
briefcase").
 
3. “Likewise, consent is required so that:
 
. Accurate Background is responsible for collecting and processing the information on behalf of
Amazon to perform the background checks detailed above.
 
 
. Amazon Development Center (India) Private Limited, in India, will be able to access
to the data provided by Amazon during this process to support the
information provided by me.
 
 
On the other hand, they require consent to exonerate “Amazon, Accurate
Fund, its affiliates and their respective agents that provide data reports on
me from any claims, damages, liabilities, costs and
expenses; or for any other charges or complaints arising from the collection, use of
processing or disclosure of any information or report, to the extent permitted
 
by the applicable legislation”.
 
The complainant indicates that these two companies do not have a physical or tax office in Spain.
or in the territory of the European Union.
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/64
 
 
 
 
 
 
 
 
 
 
The claimant considers that the following precepts are not complied with:
 
. Article 7.5 of Organic Law 15/1999, of December 13, on Data Protection
 
of Personal Character (LOPD), “Specially protected data”: those related to the
commission of criminal or administrative offenses.
. Article 10 of Organic Law 3/2018, of December 5, on Data Protection
Personal and guarantee of digital rights (hereinafter, LOPDGDD):
 
data processing of a criminal nature.
. Article 35.3 of Regulation (EU) 2016/679, of the European Parliament and of the Council,
of 04/27/2016, regarding the Protection of Natural Persons with regard to the
Processing of Personal Data and the Free Circulation of these Data (as
 
successive RGPD): cases in which the impact assessment is required.
 
With the claim, a copy, among others, of the following documents is provided:
 
 
1. Commercial contract (screenshot), which information on protection
of personal data addressed to carriers, whose detail is outlined in the
Proven fact 9.
 
 
2. Section of the application of "***PROGRAMA.1" related to the verification of
background (screenshot).
 
"Background Check
 
The background check may include, but is not limited to, the aspects
 
listed below.
 
I agree to assist Amazon and participate in conducting these checks in the manner
necessary to successfully complete my background check:
1. The certificate of my registration with Social Security.
2. A certificate from the Ministry of Justice confirming that I do not have a criminal record
penalties of any kind;
 
3. Checking against any terrorist and sanctions list; Y
4. Verification that I have a valid driving license
 
In connection with this process, I consent to the verifications
mentioned and others that are considered necessary for the position.
 
I understand and consent that Accurate Background is responsible for collecting and processing the information
on behalf of Amazon to perform detailed background checks
 
previously.
 
I understand that I will be informed of any omissions or falsehoods detected by me in the
background check process or any other supporting documentation
sent along with the collaboration request, and, in the absence of a satisfactory explanation, this
may constitute a reason for termination or non-contracting for the provision of the service or
collaboration.
 
 
I understand that information received from Amazon and any agents acting on its behalf
name will be kept confidential and used exclusively by Amazon and
any agents acting on your behalf for business purposes, and during the term
of my provision of services to Amazon if hired and to the extent permitted
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 3/64
 
 
 
 
 
 
 
 
 
by applicable law.
 
I confirm that I have been informed about the inclusion of my personal data in a file
controlled by Amazon, the purpose of such processing, the identity of the data controller
of the data and the recipients of my personal data, such as authorities and agents
premises, in order to comply with legal requirements (e.g., those established by the
 
Tax agency). I understand Amazon Development Center (India) Private Limited, in India,
may have access to the data you provide to Amazon during this process to give
support in the collection of the information provided by me, and I give my consent to
said access.
 
I have also been informed of my right to consult, rectify and cancel the data
information held about me by Amazon and any agents acting on its behalf
 
name, as well as to oppose their treatment. I am aware that I will be able to exercise
these rights at any time by writing a letter identifying the right you
I want to exercise and attaching a copy of my ID to Avda…
 
I release Amazon, Accurate Fund, their affiliates, and their respective agents for providing
data or reports about me of any claims, damages,
responsibilities, costs and expenses; or any other charges or complaints arising from the
 
collection, processing or disclosure of any information or report, to the extent
permitted by applicable law.
 
( ) By checking this box, I give my authorization.”
 
 
3. Copy of several emails sent from the address “***EMAIL.1”, in
which explains the process to complete the application in "*** PROGRAM.1" and the
documentation that must be provided. In one of these emails it is indicated:
 
 
“The verification process ends on the Accurate website.
You have not yet completed the verification process in Accurate. Check your email account
email and look for an email from “***EMAIL.2”, open it and click on the access link. You will see that
your request is in progress, click “in progress” to continue and finish the process”
 
 
4. Copy of an email sent by Accurate Background from the address
“***EMAIL.2” about the procedure to complete the request:
 
“***PROGRAMA.1 Spain invites you to fill out the Background Verification Form
 
online through Accurate Background as part of the onboarding process.
 
You will need to access the Accurate Background web page via the link below
to validate your personal data and complete the online application process. will have another 20
days to upload the required documents…
 
You will also be required to submit a copy of the criminal record certificate
 
It is confirmed that he has no criminal record. You can find instructions on how to get
this certificate in the following link….
 
SECOND: Prior to the acceptance of this claim for processing, it is
 
transferred to the claimed, in accordance with the provisions of article 65.4 the
LOPDGDD.


The claim is directed against IZA OBRAS Y PROMOCIONES, S.A. with NIF
AMAZON ROAD submitted a letter on 06/30/2020 in which it highlights the
A48820229 (hereinafter, the claimed party).


following:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 4/64


The reason on which the claim is based is that the claimed entity has disclosed
health data of the claimant to another company, as well as their email address
personal, and all this without the consent of the claimant.




SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on March 16, 2021, said claim was transferred to
the claimed party, to proceed with its analysis and inform this Agency in the
period of one month, of the actions carried out to adapt to the requirements


provided for in the data protection regulations.


On April 13, 2021, a written response is received at this Agency
stating the following:




1.- On November 14, 2018, the Public Housing Business Entity-
Donostiako Etxegintza, awarded IZA a construction works contract in
Intxaurrondo.


2.- The claimant, an IZA employee, acts in said work by performing


temporarily the function of project manager.
1. From Amazon Road, the program “***PROGRAMA.1” and other relevant information


3.- The claimant, maintaining his status as an employee, reported IZA to the
Public Housing Business Entity-Donostiako Etxegintza on July 14 and
September 2020 due to lack of assignment of human and material resources, between


others.
Amazon Road is an Amazon group company that provides
logistics and distribution to said group and that has the required license or
Authorization to carry out the activity of freight transport operator.


4.- In compliance with its power of control, the Public Business Entity of
Amazon Road is the entity in charge of managing the program “***PROGRAMA.1”
Housing-Donostiako Etxegintza required IZA, in accordance with article 55 of the Law
that allows autonomous carriers to register as service providers of
39/2015 of the Common Administrative Procedure of Public Administrations,


information regarding the complaints filed.
Amazon Road (“Autonomous Carriers”).


5.- IZA receiving said communication, and in compliance with the obligation to
In order to participate in this program, autonomous carriers must accept
collaboration with the Administration, stated the relevant facts that would explain
the terms and conditions that regulate said program, where they are informed of the
the lack of assignment of material and human resources of the work, answering to
data processing that the entity may carry out for the management of the program,


the complaints of the claimant. This information included information about the
and download the "Amazon Delivery" application on your mobile device.
claimant, justifying its referral in compliance with the legal obligation (Law
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10


Through this application, Amazon Road collects the necessary data from the
Autonomous Carriers for the purpose of (i) verifying that they comply with the
requirements to be able to participate in the program, (ii) create the corresponding account
user necessary to be able to access the service offers and (iii) control the


development of service provision. Once registered in the system, the
Autonomous Carriers have access to the necessary information to be able to provide
services through the program “***PROGRAMA.1”.


Among the requirements that autonomous carriers must meet to participate in


the program is the need to have their own means of transport to carry out
deliveries, (car, van or light truck, all with a gross weight
maximum 2 tons).


The legitimating bases of the data processing that the aforementioned program entails,


depending on the type of data collected and the intended purposes, are the execution
of the contract between the carrier and the claimed party, the informed consent of the
autonomous carrier or the legitimate interest of AMAZON ROAD.


2. Of the information requested by AMAZON ROAD to be able to participate in the
program “***PROGRAM.1”: negative certificates


39/2015) as well as in the prerogatives of Law 9/2017 on sector contracts
public.


Among the information that is collected from autonomous carriers who want to
participate in the program "***PROGRAMA.1" is a certificate of absence
criminal record or negative certificate, similar to the one that must be provided by the
managers who want to provide transport services, in accordance with the regulations in


6.- The submission of said information was considered confidential, following the
matter of transportation, for the purpose of proving its honorability, but with a scope
channels of Electronic Entry Registration, in accordance with the Law.
more limited in that it only refers to the absence of a criminal record.
information held by the Public Housing Business Entity-Donostiako
Etxegintza, and outside IZA's protection channels, it reached the claimant,
as stated in your complaint.


This certificate does not provide criminal history information, but rather
consists of a "blank" certificate in which no information is contained


7.- As a result of this, the breach protocol was activated, no data leak was detected
relating to said type of data and which, therefore, cannot be equated to the certificate
from IZA, requesting clarification in this regard from Entidad Pública Empresarial de
"positive" criminal record, which does contain information regarding said
Housing-Donostiako Etxegintza, request that has not received a response.
antecedents, such as the type of crime committed, the date it was committed, the
sentence of conviction, the sentencing body or information about the sentence


8.- Regarding the information indicated by the claimant, IZA exclusively provided it to the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 5/64


administrative procedure, in the exercise of the competence and control of the Entity
Public


9.- Regarding the use of the personal email of the complainant,
informs that its use derives from the previous referral by it for 2 years as
means of communicating with the company. Message headers are attached and


matters to corroborate it, and that in case of needing the contents they would be sent
to the Control Authority.


THIRD: On June 18, 2021, the Director of the Spanish Agency for


Data Protection agreed to accept for processing the claim presented by the party
claimant.


FOURTH: On October 13, 2021, the Director of the Spanish Agency for
 
Data Protection agreed to initiate a sanctioning procedure for the claimed party, with
 
imposed and its duration. None of this information appears on the certificates
require carriers, in which only their identification data and
the mention of the absence of a criminal record.
 
 
This documentation is part of the suitability assessments that the claimed
performs to potential carriers, considering that they are provided with
sensitive information of Amazon group customers (such as their data
contact and address) so that they can provide the contracted service (delivery of
goods).
 
 
3. When obtaining a negative certificate, data relating to convictions or
criminal infractions, since it does not contain any data related to the commission of
crimes.
 
 
On this issue, it points out that articles 10 of the RGPD and 10 of the LOPDGDD are not
refer specifically to criminal record data, but to data relating to
criminal convictions and infractions, which is a more specific concept that, therefore,
would not include a certificate of lack of criminal record.
 
Thus, from a literal interpretation of the provisions of said articles,
 
would infer that what they prohibit is only the processing of data
relating to criminal convictions and offenses, so that the treatment of
negative certificates would fall outside the scope of these two articles.
 
The only action that Amazon Road takes by processing such
 
certificates is to verify that there are no data related to convictions or infractions
penalties. And in the absence of such data, it can hardly be concluded that a
treatment of them.
 
The AEPD itself has been applying rigorous criteria in rating the
 
nature of the data when it comes to sensitive data, such as
be seen in Legal Report 0129/2005, issued by this AEPD prior to the
entry into force of the GDPR, which indicates what information should be considered
as health information. In that case, the AEPD concluded that the mere fact that a
person is a smoker, without being associated with other data that establish a
certain habit, does not imply the treatment of information directly related
 
with the health of the affected:
 
The same strict qualification criterion would apply in the case that we now
occupies: the mere knowledge of the non-existence of a criminal record cannot
considered as the treatment of data related to convictions or infractions
 
criminal, because this information, by itself, does not involve the treatment of this type of
data.
 
4. The treatment carried out with the collection of these negative certificates is
proportional and not excessive, which is covered by the concurrence of interest
 
legitimate, in accordance with the provisions of article 6.1.f) of the RGPD
 
Said treatment, not being included in what is established by the articles before
mentioned, you must only comply with the legality requirements of article 6 of the RGPD.
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 6/64
 
 
 
 
 
 
 
 
 
Access by Autonomous Carriers to the entrance of homes
particulars of the clients, for the purpose of carrying out the delivery of merchandise, and the
 
personal information of customers to which they have access in order to provide their
transport services entails an intrusion into the private and personal sphere of the
customers of the Amazon group, protected in accordance with the RGPD. It is a
interference that Amazon customers accept as a result of trust
that they have deposited in the group.
 
 
Therefore, it is important for AMAZON ROAD to protect that customer trust.
with the selection of carriers, taking extreme precautions regarding the suitability
of the same, for which it must adopt all the measures that are within its reach,
within the framework of current legislation, to guarantee the security and confidence of
Your clients. And one of these measures consists of requesting the certificates
 
negative criminal record.
 
When carrying out the weighting exercise of the rights and interests at stake in the
this case, Amazon Road has had its own interest, mentioned above, and the right
to the data protection of said autonomous carriers and, specifically, the right
unless it is known that they have no criminal record. For the purposes of
 
assess which right or interest should prevail, have been taken into account, among other
facts, the following:
 
. The nature of the services provided under the program “***PROGRAMA.1”, which
involves access to customer contact data and the movement of
 
suppliers to their private addresses in order to make deliveries;
 
. The risk inherent in the relationship of trust established by the people who
located within private homes, in relation to the Carriers
Freelancers of the program “***PROGRAMA.1”;
 
 
. The condition of depositaries of the merchandise acquired by carriers,
some of them high value, and the access they have to order inventory
managed by the claimed party, when they access the facilities of the latter to
order picking;
 
 
. AMAZON ROAD's obligation to ensure that the services are offered with all
guarantees and without any type of risk for customers; Y
 
. The slight intrusion and impact on the privacy of autonomous carriers who
supposes the fact that the claimed entity knows that they lack
 
criminal record.
 
The weighting carried out is similar to the proportionality judgment carried out by the AEPD
in the resolution to file the actions issued in file E/00037/2013,
in which the treatment by an employer of a certificate of
 
their workers about the lack of criminal records. In said resolution,
the AEPD concluded that the treatment by the employer of a declaration of
employees regarding the absence of a criminal record constituted a
proportional treatment that, taking into account the specific circumstances of the case, would
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 7/64
 
 
 
 
 
 
 
 
fit within “the business control measures appropriate to its activity with
Respect for human dignity".
 
 
In our opinion, the data processing carried out by AMAZON ROAD would exceed
the proportionality judgment indicated above, taking into account, in the first place, the
sensitivity of data processed by carriers; second, because it is
of a suitable measure for the purpose pursued by the company and non-invasive in the
sphere of the interested parties, since the information collected does not contain data
regarding criminal convictions or offenses; and, thirdly, by the obligation that
 
Amazon Road, as a transport operator, has to act diligently
and adopt all those measures that are within its reach to minimize the maximum
any risk to its clients as a result of the services provided.
 
5. The legitimate interest of the company in the processing of personal data
 
would also be justified by the provisions of the Law for the Organization of
Land Transport, whose article 119 subjects the activity of the operators of
transport to obtain an administrative authorization, with the same requirements
that are required for the public transport of goods.
 
Among these requirements, according to articles 42 et seq. of the Law for the Regulation of
 
Land Transport, and 33 of Royal Decree 1211/1991, of September 28, by
which approves the Land Transport Management Regulations,
meets the requirement of honorability, that is, not having been convicted by the
commission of crimes or criminal offenses or sanctioned for the commission of infractions
related to the commercial, social or labor fields, road safety or
 
management of land transport.
 
Well, by treating the carriers' negative certificates
participating in the “***PROGRAMA.1” program, AMAZON ROAD intends to ensure
because its position as a transport operator is not compromised by
 
those carriers. To this end, it applies a minimum standard of diligence. Hence
Amazon Road requests such negative certificates.
 
6. The treatment of negative certificates would also be necessary for the
execution of the contract concluded between the autonomous carriers and AMAZON
ROAD.
 
 
The treatment of negative certificates is the only means through which Amazon
Road can guarantee the application to the Autonomous Transporters of the same
standards of diligence that it applies to itself, as an operator of
transport and, at the same time, guarantee the maximum security and confidence of the
 
Amazon group customers.
 
For this reason, the treatment of repeated negative certificates, while
referring to information necessary to be able to assess the suitability of the
carriers for the provision of services, would also be covered by the
 
provided in article 6.1.b) of the RGPD, as it would be necessary for the execution
of the contract between the entity and the carriers.
 
7. AMAZON ROAD does not communicate to third parties the information collected through the
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 8/64
 
 
 
 
 
 
 
 
negative certificates, including companies belonging to the same group.
 
Notwithstanding the foregoing, it does have the help of companies that provide
 
services that assist you in some of the activities you carry out within the framework of the
program “***PROGRAM.1”, such as, among others, the initial checks
to ensure that the Autonomous Carriers meet the requirements or the
verifications of the records provided by the latter. between sayings
providers would be the entities Accurate Fund, Inc. and Amazon Development
Center (India) Private Limited, which the claimant cites in her brief.
 
 
However, these entities, as providers of services to AMAZON
ROAD, have signed the corresponding commission contracts with the claimed
under the provisions of the regulations on data protection, so it is not
may be considered as third-party companies to which personal data is transferred.
 
personal character. Likewise, the international transfer of data involved in the
access by said companies to AMAZON ROAD's data complies with the
requirements established in articles 44 and following of the RGPD.
 
8. Of the security measures applied in the treatment of data derived from the
program “***PROGRAM.1”.
 
 
AMAZON ROAD, as a company part of the Amazon group, has implemented
various internal policies aimed at guaranteeing the protection of data processing
personal data that it carries out, including the processing of data derived
of the “***PROGRAMA.1” program, which are also required of those suppliers
 
with whom it has signed custom treatment contracts.
 
All these measures have been adopted taking into account the nature of the
data to be processed and the risks associated with such processing, such as those derived from the
loss, communication or unauthorized access of data.
 
 
9. Lastly, the respondent states that since last March 2020 she has
temporarily suspended the processing of personal data relating to
the negative certificates of autonomous carriers as a result of the
situation caused by the COVID-19 pandemic, therefore being an activity that
not made at the date of filing your brief.
 
 
THIRD. The claim was admitted for processing by agreement on 08/12/2020.
 
FOURTH: On 05/12/2021, the Director of the Spanish Protection Agency
of Data agreed to initiate sanctioning proceedings against the entity AMAZON ROAD, with
 
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the following alleged violations:
1. Breach of article 6.1 of the RGPD, in relation to article 10 of the RGPD and
of article 10 of the LOPDGDD, typified in article 83.5 of the RGPD and in article
71 of the LOPDGDD.
2. Breach of article 7 of the RGPD, in relation to article 6.1.a) of the same
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 9/64
Regulation, typified in article 83.5 of said legal text.
3. Breach of article 49.1 of the RGPD, typified in article 83.5 of the aforementioned
rule.
In the opening agreement it was determined that the sanction that could correspond,
attended the existing evidence at the time of opening and without prejudice to what
resulting from the investigation, would amount to a total of 3,300,000 euros (2,000,000
euros for the infringement of article 6.1 of the RGPD in relation to article 10 of the
same norm, as well as article 10 of the LOPDGDD; 300,000 euros for the infringement
of article 7 of the RGPD, in relation to article 6.1.a) of the same legal text; Y
1,000,000 euros for the infringement of article 49.1.a) of the RGPD).
In the same agreement to open the procedure, it was warned that the infractions
imputed, if confirmed, may lead to the imposition of measures, in accordance
with the provisions of the aforementioned article 58.2 d) of the RGPD.
FIFTH: Notification of the aforementioned initial agreement and extension of the term granted for
make allegations, AMAZON ROAD filed a brief dated 06/07/2021, in which
that requests the file of the sanctioning procedure or, subsidiarily, the
imposition of a minimum fine, in accordance with the considerations
following:
1. The certificate of absence of criminal records that must be provided by the
applicants to participate in the program "***PROGRAMA.1" does not contain data related to
criminal convictions and infractions, which are specifically referred to in the
Recital 75 and article 10 of the RGPD and article 10 of the LOPDGDD
(literal interpretation). The same was established in Directive 95/46/CE, in the
repealed Organic Law 15/1999 and also in Convention 108 of the Council of Europe.
All of these rules refer to data relating to criminal convictions and offenses and
not to data related to the existence or absence of a criminal record.
It is a “blank” certificate whose content is not comparable to a
“positive” criminal record certificate, which does include information on the type of
crime committed, date of commission, conviction and sentence imposed.
2. Cites a precedent of the AEPD, indicated with the file number
E/00037/2013, which dealt with the request for a responsible declaration in
the one that the subjects affirmed that they had no criminal record (not the request of the
certificate). According to Amazon, the Agency admitted in this precedent the treatment of
negative certificates issued by employees (statements) without subjecting them to the
specific regulation of data relating to criminal convictions.
In relation to this precedent, which was already cited by the respondent in the process of
Transfer, in the opening agreement it is answered that the Judgment of the Chamber of the
Social of the National Court 14/2020, of February 10, 2020, indicates that the
request for a responsible declaration on the lack of a criminal record
It must be considered a treatment of data related to criminal convictions. amazon
questions this argument by pointing out that the sentence is dictated by the jurisdiction
social, which is not competent to review the decisions of the Agency; and what a joy
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 10/64
sentence does not justify why a negative certificate constitutes treatment of
data relating to criminal convictions.
3. According to the entity claimed, other Member States have been accepting a
different interpretation in relation to the provisions of article 10 of the RGPD:
. The Netherlands accepts certificates that prove the absence of criminal records
penalties, known as “Verklaring omtrent gedrag” (VOG).
. In France, employers are authorized to request, during a process of
selection of job applicants, a certificate of their criminal record,
positive or negative (“Certificate B3”).
. In Germany it is allowed to ask the person to be hired for confirmation of
that you have no criminal record that is relevant to employment.
4. The most consistent interpretation with the spirit and purpose of the indicated standards
implies that its purpose is to prevent the creation of records of convictions and
criminal offenses.
5. Subsidiarily, he alleges lack of guilt in the imputed violation.
AMAZON ROAD understands that it has used the diligence that was required of it, having
taking into account the arguments made above. Add that only Accurate
Background accesses this data; and that it suspended the request for these certificates in
March 2020 due to the pandemic, not having resumed the treatment of
negative certificates in view of the interpretations of this Agency and the
Judgment cited above, as indicated in the process of transfer of the
claim.
6. There is no breach of the provisions of article 7 of the RGPD by the
processing activities carried out by Accurate Background Inc. and Amazon
Development Center (India) Private Limited, which is not acting as a third party nor is this
Intervention is based on the consent of the interested parties.
Amazon Road does not share negative certificate information with
any entity of the Group or with third parties. The aforementioned entities attend the
claimed as service providers in the initial checks
on the carriers participating in the program, by virtue of a contract of
treatment order signed by the intervening entities.
Thus, these companies cannot be considered as third parties and the
processing of data that they carry out does not require consent. This is already mentioned
in the registration process when informing “I understand and agree that Accurate
Background is responsible for collecting and processing the information on behalf of Amazon
to perform the background checks detailed above.”
It adds that Amazon Development Center (India) Private Limited acts as
responsible for the treatment of AMAZON ROAD for the registration process of the
participants in the program “***PROGRAMA.1”, but has never had access to the
negative criminal record certificates.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 11/64
7. On the imputation of a possible infringement of the provisions of article 49 of the
GDPR, after pointing out that the startup agreement does not clarify what you specify
international data transfers refers to the AEPD, alleges that the
international data transfers made to group companies or their
providers located outside the EEA are not based on the consent of the
interested parties and comply with the guarantees required by the RGPD.
It warns that it has signed with each entity the corresponding clauses
standard contracts approved by the European Commission through Decision
2010/87/UE, of February 5, 2010, relative to the standard contractual clauses for the
transfer of personal data to those in charge of the treatment established in
third countries, in accordance with Directive 95/46/EC, which are one of the
guarantees that can be offered by data controllers in accordance with the
provided in article 46 of the RGPD.
In relation to Accurate Background Inc. indicates that, since 2016, it was an entity
adhered to the EU-US Privacy Shield. And he clarifies that, although the Shield of
Privacy ceased to have effect with the Judgment of the CJEU of 07/16/2020, in this
date no longer requested or required the presentation of negative certificates of
criminal record.
8. In relation to the graduation of the sanctions, it alleges, subsidiarily, that
The following circumstances must be taken into account:
. Data processing related to negative background certificates
penalties only affected 16.76% of all last-mile drivers
registered in Spain, as the program “***PROGRAMA.1” represents a small
proportion of transport providers that make deliveries in Spain (never
have exceeded 5%).
. Data processing related to negative background certificates
criminal charges cannot be compared to the processing of data on convictions and
criminal offenses.
. The activity carried out by AMAZON ROAD, as a logistics company that acts
As a transport operator, it is not intensive in the processing of personal data, nor
is based on the exploitation of personal data. The treatment you perform, for
staff management and package management for delivery, is instrumental.
. The data processing object of the claim was suspended in March 2020 and
has not been resumed.
. AMAZON ROAD has not been penalized for violating the protection regulations
of personal data nor has it received any claim from any third party in
relation to negative criminal record certificates.


Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of article 5.1.c) of the RGPD, typified in the
Article 83.5 of the RGPD.


FIFTH: The aforementioned commencement agreement was notified, on October 25, 2021, the claimed


submitted a brief of allegations in which, in summary, it states that it has not revealed
With its allegations, AMAZON ROAD provides, among others, the following documents:
personal information of the claimant to the Public Business Entity of
 
Housing-Donostiako Etxegintza.
a) Provide a copy of the “Intra-Group Agreement for the Transfer and Treatment of
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 12/64
 
 
 
 
 
 
 
 
Data” (“Intra-Group Data Transfer and Processing Agreement”), dated 01/01/2019,
signed between different entities of the Amazon group, including the AMAZON entities
ROAD, as the “exporting” entity, and Amazon Development Center (India) Private
 
Limited, as the “importer/processor” entity.
 
The content of this "Agreement" is outlined in Proven Fact 3.
 
b) “Data Processing Agreement” of 10/18/2018,
signed by some entities of the Amazon group and Accurate Fund Inc. Among
 
those entities of the group include the entity Amazon Spain Fulfillment, S.L.U., which
was in charge of managing the half-mile and last-mile business (“business of
transport operator”).
 
The content of this "Agreement" is outlined in Proven Fact 4.
 
 
c) Project for the Partial Spin-off of Amazon Spain Fulfillment, S.L.U., dated 06/28/2019,
under which AMAZON ROAD received the “transportation operator business” and
produced a universal succession of all juridical relations affected by the
assets of the business.
 
 
d) Copy of the extract obtained from the website "www.privacyshield.gov" in relation
with Accurate Background Inc.'s adherence to the “EU-US Privacy Shield”. In
this document is indicated “Original certification date: 08/11/2016”.
 
e) Information obtained from the Mercantile Registry of Madrid regarding AMAZON ROAD.
 
The start date of operations is stated as 05/31/2019 and as corporate purpose “the
provision of logistics and distribution services, in particular transport,
handling and storage. The subscribed capital is 6,259.00 euros.
 
SIXTH: On 12/03/021, the instructor of the procedure agreed to open a
 
evidence practice period, considering as reproduced for evidentiary purposes the
claim filed and its documentation, as well as the documents obtained and
generated during the claim admission phase; and by presented
the allegations made by AMAZON ROAD to the agreement to initiate the procedure
and the accompanying documentation.
 
 
Likewise, it was agreed to include in the actions the information related to the entity
AMAZON ROAD in “Axesor” (“Monitoring report”). (...).
 
SEVENTH: On 12/29/2021, a resolution proposal was issued in the sense
following:
 
 
1. That the Director of the AEPD sanction the entity AMAZON ROAD, for a
infringement of article 6.1 of the RGPD, in relation to article 10 of the same
Regulation and article 10 of the LOPDGDD, typified in article 83.5 of the RGPD
and in article 71 of the LOPDGDD, and classified as very serious for the purposes of
 
prescription in article 72.1 of the LOPDGDD, with a fine amounting to
2,000,000 euros (two million euros).
 
2. That the Director of the AEPD impose on the entity AMAZON ROAD, in the
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 13/64
 
 
 
 
 
 
 
 
term to be determined, the adoption of the necessary measures to adapt its
action to the personal data protection regulations, with the scope expressed
in the Legal Basis VII of the proposed resolution.
 
 
EIGHTH: Notification of the proposed resolution and extension of the term granted for the
formulation of allegations, a letter was received from AMAZON ROAD requesting the
dismissal of the file or, subsidiarily, the imposition of a sanction in its
minimum amount, according to the following considerations:
 
 
1. Reiterates that a negative criminal record certificate does not entail a
processing of data relating to criminal convictions and offenses within the meaning of
article 10 of the RGPD and article 10 of the LOPDGDD, noting in this regard that the
Articles 136.4 of the Penal Code and 17 of Royal Decree 95/2009, nor the Judgment of the
National High Court of June 20, 2017, cited in Motion for Resolution no.
 
confirm that it is.
 
These articles refer to the issuance of these certificates, differentiating
between negative and positive certificates, the latter being the only ones that contain
data relating to criminal convictions and infractions. These articles, in the opinion of the
claimed, do not endorse what was stated in the resolution proposal.
 
 
It understands that the same conclusion results from the cited Judgment, which analyzes the
impossibility of omitting in a certificate data related to a foreign conviction, and
refers to positive certificates, by virtue of the provisions of article 17.2 of the Royal
Decree 95/2009.
 
 
2. It also reiterates that there is no unanimous and consolidated opinion among the States
members on the interpretation made by the AEPD.
 
As he already stated in the opening arguments, he points out that the authority of
 
Netherlands data protection accepts these negative certificates (Verklaring
omtrent gedrag or "VOG") and provides excerpts from the website of the Ministry of Justice of
that country with information on said document; and from the website of the authority of
control that admits its use when there is a legitimate interest of the employer.
 
In the French case, the control authority (CNIL) has included information on its website
 
according to which, in the absence of a specific rule that provides for verification of this type
background check, the employer may require an employee to submit an extract
your criminal record during an interview and make a note about it
“yes/no” verification, without obtaining a copy of the document. It is a treatment equivalent to
negative certificate that collects the claimed.
 
 
Based on this criterion, the most consistent interpretation with the spirit and purpose of
the rule is to avoid unjustified treatment and the creation of files with these
data.
 
 
3. Subsidiarily, alleges inexistence of guilt in the imputed violation,
also invoked in the arguments at the opening of the procedure, to which
expressly remits.
 
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 14/64
 
 
 
 
 
 
 
 
4. In the event that it is considered that there has been an infringement, allege the
following circumstances, to be taken into account in the graduation of the
sanction:
 
 
A) On the aggravating circumstances considered in the proposed resolution.
 
a) Duration of the infraction: the negative certificates that it was able to collect before
March 2020 were kept for 90 days for verification (provides
Accurate Background certification, dated 01/19/2022, in which it is shown
 
that, according to the instructions of the Amazon account, any data related to
candidates of the “***PROGRAMA.1” program is removed from the platform after 90 days,
including any documents provided as part of the process of
verification), so since May 2020 it does not have any data of this type.
This being the case, the existence of a permanent infringement cannot be considered.
 
 
b) Number of affected: although the proposal indicates that AMAZON ROAD did not contribute
evidence regarding the number of affected, in the pleadings brief at the opening
it was indicated that the program “***PROGRAMA.1” represents 5% of the suppliers
who make deliveries in Spain and, with regard to last-mile drivers,
only 16.7% are participants in this program.
 
 
c) Level of damages: does not understand to what extent the treatment of a
negative certificate has been able to condition the contracting options of the subjects
participants, given that the entity has contracted the carriers that had
this document, and those who did not have it have not been participants in the
 
Program.
 
d) Intentionality or negligence: The absence of a clear and solid criterion on the part of
this Agency when the entity began to require the certificates in question and the
subsequent appearance of the Judgment of the National High Court of February 10, 2020,
 
that would seem to endorse one of the possible interpretations of article 10 of the RGPD, not
can an entity that acted with all due diligence and ceased such activity
As soon as they became aware of the possible existence of a criterion contrary to the
interpretation that Amazon Road understood to be adjusted to the law, appropriate to the
activities that were going to be carried out under the program “***PROGRAMA.1”.
 
 
To the above it should be added that other data protection authorities subject to
RGPD, such as that of the Netherlands or France, do not consider this treatment to be
contrary to article 10 of the RGPD.
 
Likewise, there were resolutions of the Agency itself that endorsed the interpretation
 
that AMAZON ROAD made of article 10 of the RGPD and after making a consultation
phone call with the Ministry of Justice which, informally, endorsed said
proposal.
 
Therefore, being a disputed issue, in good faith he understood that his interpretation
 
was correct according to the information available at the time of starting
treatment and accommodated his behavior as soon as he became aware of the
interpretation supported by the Agency or by a Spanish judicial authority.
 
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 15/64
 
 
 
 
 
 
 
 
e) The degree of responsibility of the person in charge taking into account the technical measures
or organizational: the infringement declared by the Agency, resulting from a
interpretation of the standard, has nothing to do with the data management system
 
designed by AMAZON ROAD when collecting the data of the participants in the
Program. In this regard, it refers to its previous pleadings brief.
 
It adds that in its response to the transfer procedure, it explained the technical and
organizational measures implemented in relation to the processing of data derived from the
program “***PROGRAMA.1”, without the Resolution Proposal indicating that these
 
measures are insufficient or what would be the omitted measures.
 
f) Categories of personal data: the treatment of a
certificate indicating that a person is not registered in a register,
than the one that actually refers to criminal convictions and infractions, so that
 
the same aggravating circumstance cannot be applied. This interpretation coincides with that made by
the Dutch supervisory authority.
 
g) Link between the activity of AMAZON ROAD and the processing of personal data:
It is a logistics company that acts as a transport operator for
goods, whose activity is not intensive in the processing of personal data,
 
even if it involves the processing of personal data (basically for the management of
your own staff and for the management of packages for delivery), this is
instrumental without its main activity being based on the exploitation of data
personal, nor does it use them for purposes other than the management of its activity.
 
 
That treats a certain number of data of employees, clients and contractors not
should be reason to consider a "high" link, being only relevant the
nature of the activity carried out and, therefore, the impact or affectation that said
activity has in data processing.
 
 
In fact, in the Resolution of October 26, 2021, issued in the procedure
sanctioning PS/00050/2021, a low link between the person responsible and the performance
of data processing has been considered by this Agency as
mitigating factor: "On the other hand, it is observed that it concurs as a mitigating
that the claimed party is an entity in the logistics sector in which data of its
employees although there is no link between the offender's activity and the
 
processing of personal data (76.2.b LOPDGDD).
 
h) Condition of a large company and volume of business: the Agency takes into account
consideration the figures of the year 2020, in which it stopped treating the data of the
negative certificates. For this reason, it understands that it is more adjusted to the law to consider the data
 
accounts for 2019 and, therefore, (i) because 2019 is the year prior to the year in which the Agency
issued its request for information and (ii) because it was the year in which the
claim that has given rise to this sanctioning file. The turnover of
Amazon Road for the year 2019 amounted to 237,000,000 euros with a result of
exercise of 1,862,000 euros (provides an extract of the accounts).
 
 
B) Extenuating circumstances.
 
a) The data processing object of this claim was suspended in March
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 16/64
 
 
 
 
 
 
 
 
2020, as already indicated in the brief responding to the transfer and in the brief with allegations to
the opening of the procedure.
 
 
Attach the mail model that the entity sent in March 2020 to the users of the
Program “***PROGRAMA.1” that were in the registration process (although the email
It is dated 2022, this is due solely to the fact that for its contribution to this
procedure it has had to send the model template, leaving
as the date of shipment). As can be seen, it was the circumstances of the moment
(that is, Covid-19) which led the entity to temporarily suspend the
 
request for negative certificates.
 
This temporary suspension became definitive after becoming aware of the
Judgment of February 10, 2020, issued by the Social Chamber of the High Court
Nacional, although it did not share the interpretation contained in this Judgment, and the
 
negative certificate ceased to be requested, even from carriers who received that
mail. Although this part did not share this interpretation, the truth is that once
Once the sentence was known, the request for the negative certificates was definitively stopped.
 
All of this occurred before the agreement to open the procedure was issued and without
said decision was adopted as a result of the intervention of this Agency.
 
 
b) Any previous infraction committed by the data controller.
 
Contrary to what is indicated in the proposal, the resolutions of the AEPD issued in the
procedures PS/00165/2021, PS/00227/2021 and PS/00015/2021 consider as
 
extenuating the fact of not having been sanctioned previously:
 
Therefore, the respondent understands that, if said circumstance does not constitute a mitigating
in light of the provisions of article 83.2 e) of the RGPD, as indicated in the
Resolution Proposal, nothing prevents it from being constituted under the provisions of
 
Article 83.2 (k) of the RGPD, taking into account the practice of this Agency.
 
AMAZON ROAD has never been sanctioned for an infringement of the regulations on
data protection, nor has it received any claim from any third party in
regarding the treatment of negative certificates.
 
 
c) AMAZON ROAD has not obtained any benefit from the facts claimed.
 
Under the provisions of articles 83.2.k) of the RGPD and 76.2.c) of the
LOPDGDD, this party understands that in the present case it must also be of
application of this mitigating factor, since the treatment of negative certificates
 
has not reported any additional benefit.
 
This graduation factor has been considered by the Agency in its resolution of the
procedure indicated with the number PS/00227/2021.
 
 
d) The diligence present in the performance of AMAZON ROAD.
 
If for the AEPD the diligence with which AMAZON ROAD has acted at all times
in relation to the treatment of the data of the negative certificates is not
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 17/64
 
 
 
 
 
 
 
 
enough to consider that he concurs in a absence of guilt, as
maintains in its allegations, said diligence should be considered, as
less, as a mitigating factor under the provisions of article 83.2 sections b)
 
and/or k) of the RGPD, taking into consideration the following circumstances:
 
  . The literal interpretation of article 10 of the RGPD and 10 of the LOPDGDD suggested
  that said articles do not refer to any data related to antecedents
  but the data related to criminal convictions and infractions, which in the opinion
  of this part did not reach the confirmation of the absence of antecedents
 
  penalties.
  . The previous interpretation was consistent with the previous regulations on
  data protection applicable in Spanish territory.
  . There was no consolidated, express and public criterion on the part of the Agency in
  regarding the processing of data relating to the absence of a criminal record
 
  (not in relation to data relating to the commission of offenses and the existence of
  criminal convictions).
  . There were resolutions of the Agency itself that support the interpretation that
  AMAZON ROAD complied with article 10 of the RGPD.
  . AMAZON ROAD even made a telephone consultation with the Ministry
  of Justice that, informally, endorsed said proposal.
 
  . To proceed with the processing of data relating to negative certificates
  contracted an entity specialized in the selection and suitability control of the
  contractors.
  . The interpretation of article 10 of the RGPD given by other jurisdictions endorsed
  also the interpretation of AMAZON ROAD.
 
  . In March 2020 Amazon Road suspended the treatment of such certificates
  negative, as stated above.
 
These circumstances demonstrate that AMAZON ROAD's conduct cannot be
branded as reckless or irresponsible, but rather the opposite: diligent and
 
accommodating their behavior to the interpretation of the privacy protection regulations
data arising from the Agency itself and from the courts of Justice.
 
5. Of the corrective measures contained in the Resolution Proposal.
 
Well, having been accredited that it does not collect the negative certificates of
 
the participants in the program “***PROGRAMA.1” since March 2020 and neither
retains said certificates, understands that, in the event that it is finally
It is considered that there is an infringement of article 6.1 of the RGPD in relation to the
article 10 of the RGPD and article 10 of the LOPDGDD, none of the
proposed measures.
 
 
 
With your statement of arguments, you provide, among others, the following documents:
 
1) Extracts from the website of the Ministry of Justice of the Netherlands, together with its
 
translation, in which information about the "VOG" document is provided. In this
information is indicated:
 
“What is a VOG?
A Certificate of Good Conduct (VOG) is often required for a (new) job. In
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 18/64
 
 
 
 
 
 
 
 
 
some sectors, such as child care, this is even required by law. justice
handles VOG applications and is the only body in the Netherlands that issues the
VOG.
 
A VOG is a statement showing that your (judicial) past is not an obstacle
 
to fulfill a specific task or function in society. When evaluating a VOG request,
Justis checks if you have committed criminal offenses that represent a risk to the position or
purpose for which you are requesting the VOG.
 
Some criminal offenses constitute an objection to a job or internship, but not to
other… Do you have no criminal record or have you committed any criminal offense that is relevant
 
for the purpose of the application? You will then receive a VOG.”
 
“Why and when should you do a screening?
 
...As an employer, you have a great responsibility in evaluating the reliability of the
future staff. One of the instruments that you, as an organization, can use in your
 
integrity directive is the certificate of good conduct (VOG).
 
It is advisable to select for all positions where it is important that the employee is
trustworthy. Think about: managers with many powers; employees working with groups
vulnerable such as children, elderly, sick or people with a restriction; employees who
they work with money and goods; employees who can access confidential information…
 
 
That has to do with the powers and the nature of the work…
 
Rules for screening
Screening can be very drastic for the privacy of the applicant or employee. For the
Therefore, detection is only under certain legal conditions (General Protection Regulation
(GDPR))
 
 
permitted:
You must have a legitimate reason (legitimate interest) for the screening.
Screening must be necessary.
You must comply with the obligation to provide information.
You may not use the data obtained from the projection for any purpose other than
 
what you got them for.
You can only keep the data for as long as it is necessary for the purpose of the
screening. You must protect the data properly.
Not sure if you're allowed to test? For more information, visit the site
website of the “Dutch Data Protection Authority”.
 
 
By clicking on the link “Dutch Data Protection Authority” inserted at the end of the
text is accessed to the website of this entity, to the information provided by AMAZON
ROAD as “Document 2”.
 
 
2) Extracts from the website of the Control Authority of the Netherlands (Autoriteit
Persoonsgegevens), and its translation, in relation to the treatment of certificates
"VOG".
 
 
“Background investigation (screening)
It is important for employers to select and employ reliable employees. the screening
it is a tool to limit risks. For certain positions (for example, in the care of
children) screening is even required by law.
 
Screening means that an employer requests information about an applicant or employee
28001 – Madrid 6 sedeagpd.gob.es, 19/64
 
 
 
 
 
 
 
 
 
to estimate its integrity.
For example, calling an applicant's references or finding out if he or she is in a
"Blacklist".
 
 
Screening conditions
Screening can be very invasive to the privacy of the applicant or employee in question.
Therefore, screening is only allowed under certain “legal conditions”.
The most important conditions are that the employer has a legitimate reason (interest
legitimate), that the screening is necessary and that the employer adequately informs the
 
applicant or employee before and after.
 
legitimate interest
An employer's "legitimate interest" in a screening is generally that it should
be able to trust that your (future) employee is honest and trustworthy.
 
 
Need
The fact that screening must be "necessary" means, among other things, that the
employer must not be able to achieve his objective by less drastic means than
screening.
 
Report
 
The employer must inform the applicant or employee “about the screening”. The employer must
inform this person in advance that a screening will be carried out and then what are the
the results".
 
 
“Questions from employers about the screening
[…]
As an employer, how do I determine that screening is necessary?
You take an inventory of the risks associated with the various groups of functions within
of your organization. Then check to see if you can limit the risks other than by
through screening.
 
 
…For example, positions where staff work with sensitive information are
aware of the risk of selling or transmitting this information...
 
Risk mitigation
 
Have you mapped out the risks? Next, you need to set up your organization in such a way as to reduce
inventoried risks. You can think of strict internal controls or distribution of
powers. Good organizational measures can ensure that risks to your
organization are completely eliminated. Otherwise, screening may be necessary.
applicants or employees. [...]”.
 
 
“Requests…
 
Application data retention period
An applicant did not obtain the position? So, it is common for the organization to remove its
data no later than 4 weeks after the end of the application procedure.
Applicants can give permission to keep their data for a longer time. For
 
example, because a suitable position may become available at a later date. A
maximum period of 1 year after the completion of the application procedure is
reasonable for this.
 
“Questions about personal data in job applications…
 
 
Screening in the job application
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 20/64
 
 
 
 
 
 
 
 
 
It is important for employers to hire reliable employees. Therefore, the employer
the one you are applying for can decide to examine you…
 
legal screening
Screening is required by law for some positions, for example, in child care.
 
In the case of a legally required screening, the employer may request a Certificate
of Good Conduct (VOG).
In addition, special provisions apply to the screening of positions of trust, such as
police officers, employees of private security organizations, employees of
investigative agencies, aviation personnel, and some government posts.”
 
 
This Agency verifies the information provided by AMAZON ROAD.
Likewise, click on the link "legal conditions" that appears in the document
“Background investigation (screening)”, and access to the “Questions from the
 
employers on screening. In this section, in addition to what is indicated by the
claimed, the following should be noted:
 
“When you select candidates or employees, you are processing their personal data. This
 
means that the General Data Protection Regulation (GDPR) and the Data Protection Act apply.
AVG implementation (UAVG). As an employer, you are responsible for ensuring that
the evaluation meets the requirements of these laws.
In any case, the RGPD and the UAVG impose the following selection requirements:
  .Has a legitimate interest in the projection.
  . Screening is necessary. This means, among other things, that you cannot achieve your
 
  target in another way or through a less invasive means than screening.
  . You comply with the information obligation. This means that it informs the candidate
  or relevant employee in advance who is conducting an assessment and then
  what are the results.
  . It does not use the data obtained from the projection for any other purpose.
  . It does not store the data for longer than is necessary for the purpose of the
  evaluation.
 
  . The projection data is sufficient, it is relevant, and you do not collect more data from
  the necessary ones.
  . You protect the data well.
  . You assess whether you need to carry out a data protection impact assessment
  (DPIA), because detection is data processing with a high risk of
  Privacy.
 
  . Has the DPIA shown that the intended detection poses a high risk? And not
  find measures to limit this risk? Then you should check with the Authority of
  Dutch Data Protection (AP) before starting the selection. This is
  called prior consultation”.
 
 
“As an employer, can I review someone without telling them?
No, that is not allowed...
Pre-selection information
You must inform the applicant or employee in question in advance that you are taking
carry out an evaluation. In addition, you must state why an exam is necessary. Too
you should make it known what data you are researching and why it is relevant to the position in
question.
 
Post-Assessment Information…must inform the applicant or employee of the
evaluation results”.
 
 
Through the link “legitimate interest” that appears in the document “Investigation of
background (screening)”, the following information is accessed:
 
28001 – Madrid 6 sedeagpd.gob.es, 21/64
 
 
 
 
 
 
 
 
 
 
“When can I rely on the basis of legitimate interest?
You only have the right to process (ordinary) personal data if you can trust 1 of the 6
principles of the General Data Protection Regulation (GDPR). One of these bases is
 
that the processing of personal data is necessary to represent your interest
legitimate.
Every time you process personal data, this is an invasion of data privacy.
interested. These are the people whose data you process. Every human being has the right to
privacy, which is a right to privacy, which is a fundamental right.
But as an organization, you can also have the law on your side. That is the case if
 
has an interest that society considers so important that it has found recognition
In the law. And you can only represent this interest by processing personal data. we call
such interest a legitimate interest.
conflict of rights
This creates a situation in which their right "collides" with the fundamental right of
interested. It is then up to you to weigh these rights against each other and see what weighs
 
more, your interest or that of the parties involved.
Does his interest finally get the better of him? You can then base your processing on the basis
(necessary for the representation of a) legitimate interest”.
 
3) Extract from the website of the French Control Authority (CNIL), and its translation.
 
 
“Excerpt from criminal record: can the employer request and keep it?
In the absence of a specific text that provides for the verification of the criminal record of the
employees, the employer may ask a candidate or an employee to present the extract
of your criminal record (B3) during an interview, for example, to verify your
criminal history.
 
However, in this case, the entrepreneur cannot keep a copy or allow these
Data is subject to a specific treatment. The mention of the verification in the boxes of the
personnel management file in the form "yes/no" is sufficient.
For access to certain so-called "sensitive" functions, the texts may provide for the
verification, by the employer or certain authorities that issue
authorizations (for example, for security guards or babysitters), of the
 
criminal records of employees (B2 or B3 bulletins).
These texts may provide for the period during which the employer is obliged to keep
excerpt from criminal record (3 months is often used, particularly for
administrations). In the absence of details in the text, the document should not be kept.
When the verification is carried out by an authority, the employer does not need to consult the
criminal record since the verifications are carried out by an authorized authority and the
 
issuance of the authorization is by itself sufficient to ensure the capacity to occupy
the proposed job...".
 
4) Extract from the website of the Control Authority of the Netherlands (Autoriteit
 
Persoonsgegevens), together with its translation, in relation to the content of the
"VOG" certificates.
 
“As an employer, can I request criminal information during an evaluation?
 
For some positions, it may be necessary for you to know the criminal history of a
applicant or employee. In most cases, it is sufficient for the interested party to request a
certificate of good conduct (VOG).
 
VOG
A VOG is a statement showing that someone's past behavior is not
 
constitutes an obstacle to fulfilling a specific (future) position. A VOG is issued by
 
28001 – Madrid 6 sedeagpd.gob.es, 22/64
 
 
 
 
 
 
 
 
Justis of the Ministry of Justice and Security.
 
Selection of criminal data
Only if requesting a VOG is not enough, you can request (other) criminal data.
 
May process personal data of a criminal nature if this is necessary for the assessment
of a request from a data subject to make a decision about him or to provide him with a
service.
An example is a selection during an application procedure for a job
integrity. In certain circumstances, criminal personal data may be
treated for this purpose.”
 
 
5) Email template that AMAZON ROAD sent in March 2020 at
regarding the suspension of the request for negative certificates.
 
"Background Check
In order to complete the background check process, you need to upload a
copy of the certificate showing the absence of a criminal record.
 
Since it is currently not possible to obtain this certificate in person due to the
alarm state, we have allowed you to complete the verification without this document. No
However, you must upload this document within 60 days from the end of the
registration in ***PROGRAM.1. If after this period you have not uploaded the document, you will no longer be
eligible to participate in the program ***PROGRAM.1.
You must upload this document on the Accurate page.
Check the email periodically to follow instructions received from Accurate.
 
 
 
Of the actions carried out in this procedure and the documentation
in the file, the following have been accredited:
 
 
 
                                PROVEN FACTS
 
 
1. AMAZON ROAD is an Amazon group company that provides transportation services
 
logistics and distribution to said group. This entity began its operations on
05/31/2019 and its corporate purpose is "the provision of logistics services and
distribution, in particular transport, handling and storage”.
 
Following the spin-off of Amazon Spain Fulfillment, S.L.U., which took place on
 
06/28/2019, AMAZON ROAD received the “transport operator business” and it happened
to that entity in all legal relationships affected by the elements
business assets.
 
2. AMAZON ROAD is the entity in charge of managing the program
 
“***PROGRAMA.1”, whose purpose is to contract self-employed carriers
as service providers.
 
3. The entity Amazon Development Center (India) Private Limited, based in India,
 
provides services to the entity AMAZON ROAD in the management of the program
“***PROGRAMA.1” by virtue of the “Intra-Group Agreement for the Transfer and
Data Processing” (“Intra-Group Data Transfer and Processing Agreement”), of
dated 01/01/2019, signed between different entities of the Amazon group, including the
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 23/64
 
 
 
 
 
 
 
 
entities AMAZON ROAD, as an “exporting” entity, and Amazon Development
Center (India) Private Limited, as “importer/processor” entity.
By reason of this contract, the aforementioned service provider assists AMAZON ROAD
 
in the collection of information provided by autonomous carriers.
 
The aforementioned “Agreement” deals with access to personal data that entities
importers must make for the provision to the importing entities of the
services specified in Annex 1, including access to the
data of contractors and their employees and subcontractors.
 
 
It is established that the importing entities will process the data on behalf of the
responsible and in accordance with your instructions, in order to provide the services,
without being able to determine the purposes and the way in which the data is processed; and they come
obliged to notify the person in charge of any instruction that, in their opinion, violates the
 
applicable law, any data breach or claim you receive and to
provide the controller with full cooperation and assistance; as well as
establish the appropriate technical and organizational measures to protect the data. I know
It also provides that the person in charge of the treatment return to the person in charge all the
personal data or proceed to its destruction at the termination of the contract, at the option
of the data controller.
 
 
By virtue of this “Agreement”, the parties undertake to comply with “the terms of the
standard clauses for the transfer of personal data to those in charge of the
treatment established in third countries, approved by Decision of the
Commission of the CE of February 5, 2010” (standard contractual clauses for the
 
transfer of data), which are reproduced in Annex 3 of said Agreement
and are signed by signing the same Agreement or by means of a letter of adhesion
according to the form incorporated as Annex 6.
 
The technical and organizational measures to be applied and maintained by the person in charge of the
 
treatment are listed in Annex 2.
 
The entire content of this “Agreement” is declared to be reproduced in this act for purposes
evidence.
 
4. Accurate Background Inc., based in the United States, provides services to
 
the entity AMAZON ROAD in the management of the program “***PROGRAMA.1” under
of the "Data Processing Agreement" of 10/18/2018,
signed by some entities of the Amazon group and Accurate Fund Inc. Among
those entities of the group include the entity Amazon Spain Fulfillment, S.L.U., which
was in charge of managing the half-mile and last-mile business (“business of
 
transport operator”) until the date on which the spin-off of said business took place
in favor of AMAZON ROAD, in the year 2019. This Agreement is formalized by reason of the
Framework Agreement entered into between the parties on 03/05/2008 (it appears in the proceedings
copy of the Service Framework Agreement -“Master Service Agreement”- between Amazon
Corporate LLC and Accurate Background Inc. and the specific Work Order for
 
Spain, of 02/12/2017).
 
By reason of this contract, the aforementioned service provider assists AMAZON ROAD
in the collection of information provided by autonomous carriers, as well as
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 24/64
 


He also expresses his confusion and asks this Agency to indicate what


Especially sensitive information has been processed.


And finally, he requests that the Donostia / San Sebastián City Council be required to
recording of the session incorporated into the session diary of the Development Commission
and Territory Planning dated December 9, 2020, where presumably
the data of the claimant were released and disclosed.




SIXTH: On October 27, 2021, the instructor of the procedure agreed to the
opening of a period of practical tests, taking as incorporated the




C / Jorge Juan, 6 www.aepd.es
as in the verification of compliance with the requirements that this entity demands from
28001 - Madrid sedeagpd.gob.es 3/10
these carriers in order to participate in the program.


The aforementioned "Agreement" regulates access to personal data by Accurate
Background Inc. in its capacity as data processor and contemplates the signing of


the EU standard contractual clauses, incorporated as Annex 3.


Details about the processing activities to be carried out by the processor
are contained in Annex 1 of the "Agreement", including those related to the
selection process for personnel, contractors and subcontractors. It is established that the
importer receives information from third parties and collects the relevant data in reports of


job screening for which the data exporter assesses the applicant.


The content of this "Agreement", in terms of the obligations of the person in charge of the
treatment, is similar to that outlined in the Third Proven Fact and also includes a
Annex 2 in which the security measures to be applied are listed.




The entire content of this “Agreement” is declared to be reproduced in this act for purposes
evidence.


preliminary investigation actions, E / 02987/2021, as well as the documents
5. The entity Accurate Background Inc. appeared adhered to the "EU Privacy Shield-
provided by the claimed.
USA". The “original certification” of this adhesion is dated “08/11/2016”.




SEVENTH: On October 31, 2021, a resolution proposal is issued
6. In order to participate in the “***PROGRAMA.1” program, carriers
proposing that the Director of the Spanish Data Protection Agency sanction
Freelancers must download the “Amazon Delivery” app on their mobile device.
to IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, for a violation of the
Through this application, AMAZON ROAD collects the necessary data from the
article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD, with a fine of
autonomous carriers for the purpose of (i) verifying that they comply with the
€ 50,000 (fifty thousand euros).
requirements to be able to participate in the program, (ii) create the corresponding account


user necessary to be able to access the service offers and (iii) control the
development of service provision.


EIGHTH: On November 15, 2021, allegations are presented to said
This application provides information on the process of "verification of
motion for a resolution, reiterating the aforementioned allegations throughout
records" required of self-employed carriers, whose detail consists
of the procedure and specifically states the following:
outlined in the First Precedent. This application has a box


"The data of the claimant's personal email has not been disclosed, which is also
enabled so that carriers can give their consent to the actions
contained in said information (“By checking this box, I give my authorization”).


found legitimate for the transfer of data -even if there were categories of data
7. Carriers interested in participating in the program “***PROGRAMA.1”
specially protected-, and that this whole procedure is unleashed by the leakage of
They also have an online application process, through the website of
information produced from the Public Housing Business Entity-Donostiako
Accurate Background Inc., which includes an “Account Verification Form”
Etxegintza, its Board of Directors as well as from the Development and
Planning of the Territory of the Donostia / San Sebastián City Council. "


background".


Of the actions carried out in this procedure and of the documentation
8. For the contracting of autonomous carriers as service providers in
Obrante in the file, the following have been accredited:
the program “***PROGRAMA.1”, AMAZON ROAD asks candidates for a diverse
documentation, including a certificate of absence of a criminal record


                                PROVEN FACTS
criminal cases (“A certificate from the Ministry of Justice confirming that I do not have
criminal record of any kind”).


9. Carriers who complete the background check process and are
selected as AMAZON ROAD service providers sign a


FIRST: The claimant states that the claimed entity has disclosed data from
C/ Jorge Juan, 6 www.aepd.es
health of the claimant (specifically dates of medical leave, reasons, and leaves) to
28001 – Madrid sedeagpd.gob.es, 25/64
another company, as well as your personal email address, and all without your
consent.




The claimed entity provided not only the absences, but also the dates of the
cancellations and permits with their respective causes, including COVID.


This is stated in the letter sent by the claimed entity to the Public Entity
Housing Business-Donostiako Etxegintza, on November 18, 2020, obrante
in this file together with the documentation provided by the claimant in his writing


Of claim.


SECOND: The claimed entity was required by the Public Business Entity of
Housing-Donostiako Etxegintza, to provide them with information regarding the
complaints filed by the claimant on July 14 and September 9, 2020 by


lack of assignment of human and material resources.


The claimed entity responded to this request by providing information
personal (personal email of the claimant, as well as dates of withdrawal
medical reasons, the causes of these, and permits) which came to the knowledge of the latter and


caused the present claim.
commercial contract that includes the following information regarding the protection of


personal information:


“13. Data Protection.


a) Amazon may keep and process data related to you for the execution of the contract that
Amazon has entered into with you, and for legal, administrative, and management purposes, as


C / Jorge Juan, 6 www.aepd.es
described in more detail in Annex A.
28001 - Madrid sedeagpd.gob.es 4/10


b) You consent to Amazon and any Related Entities (as
such term is defined below) carries out the transfer of “personal data
personal” (in the sense foreseen in the RGPD and in the Organic Law 15/1999) related to you to
any Related Entity outside the EEA to further the legitimate interests of Amazon and/
or any Related Entity. For the purposes of this Clause 13, "Related Entity" means
means "holding company" of Amazon, any "affiliated company" or an affiliate of its company
portfolio.




c) The parties undertake to comply with all applicable regulations regarding the protection of
data…


I agree and accept the above.
ACCEPT AND CONTINUE
( ) I agree and accept the above”.




The entire content of this contract is declared reproduced in this act for the purposes of
evidence.




Line 321: Line 1,853:
                                               I
                                               I


By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of
Control and, as established in articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Agency for Data Protection is competent to initiate and resolve
this procedure.
Article 63.2 of the LOPDGDD determines that: "The procedures processed by the
Spanish Agency for Data Protection will be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.
                                              II
In this proceeding, it is necessary to analyze, in the first place, the presumed illegality
of data processing carried out by the claimed entity when requesting a certificate
of criminal records to self-employed carriers who have requested to subscribe
a service contract with the one in the program “***PROGRAMA.1”.
Article 5.1.a) of the RGPD, on the Principles related to treatment, establishes that
personal data will be “processed in a lawful, loyal and transparent manner in relation to
with the interested party (“lawfulness, loyalty and transparency”)” and article 6.1 specifies the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 26/64
assumptions in which the treatment will be lawful:
“The treatment will only be lawful if at least one of the following conditions is met:
a) the interested party gave his consent for the treatment of his personal data for one or
various specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party is a party
or for the application at the request of the latter of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
data controller;
d) the processing is necessary to protect the vital interests of the data subject or another person
physical;
e) the treatment is necessary for the fulfillment of a mission carried out in the public interest
or in the exercise of public powers conferred on the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the
responsible for the treatment or by a third party, provided that said interests are not
prevail the interests or the fundamental rights and freedoms of the interested party that
require the protection of personal data, in particular when the interested party is a child
The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by
public authorities in the exercise of their functions.
For its part, article 10 of the same rule refers to the processing of data
related to convictions and criminal offenses and provides the following:
“The processing of personal data related to criminal convictions and offenses or measures of
related security on the basis of article 6, paragraph 1, may only be carried out under the
supervision of public authorities or when authorized by the Law of the Union or of the
Member States that establish adequate guarantees for the rights and freedoms of
interested. A complete record of criminal convictions may only be kept under the control of
the public authorities”.
In our legal system, article 10 of the LOPDGDD provides:
"one. The processing of personal data related to criminal convictions and offenses, as well as to
procedures and precautionary and related security measures, for purposes other than those of
prevention, investigation, detection or prosecution of criminal or enforcement offenses
of criminal sanctions, it can only be carried out when it is covered by a
norm of Law of the Union, in this organic law or in other norms of legal rank.
2. The complete record of the data referring to criminal convictions and infractions, as well as to
procedures and precautionary and related security measures referred to in article 10 of the
Regulation (EU) 2016/679, may be carried out in accordance with the provisions of the regulation of the
System of administrative records to support the Administration of Justice.
3. Apart from the assumptions indicated in the previous sections, the data processing
referring to convictions and criminal offenses, as well as procedures and precautionary measures
and related security measures will only be possible when carried out by lawyers and
solicitors and have the purpose of collecting the information provided by their clients for the
exercise of their functions”.
28001 – Madrid 6 sedeagpd.gob.es, 27/64
The RGPD refers, in its Recital 75, to the possibility that
certain data processing may entail a risk to the rights and
freedoms of the people, among which are the data related to the
convictions and criminal offenses and related security measures, hence the
Article 10 of the legal text chooses (i) to confer the legitimacy of its treatment to the
public authorities or when there is an authorization under Union Law or a
national standard that provides adequate guarantees, and (ii) for assigning custody
of the registers where these data are recorded also to the public authorities.
This regulation, far from being new in Europe, was already manifested in
similar terms in Directive 95/46 CE, of the Parliament and of the Council, of 24
October 1995, on the protection of natural persons with regard to
processing of personal data and the free movement of such data.
The origin of this special guarantee can be found in Agreement No. 108 of the Council
of Europe, of January 28, 1981, for the protection of people with respect to
to the automated processing of personal data, which in its article 6
provides that certain categories of data, including data from
personal nature relating to criminal convictions, may not be automatically processed
unless domestic law provides adequate guarantees.
Article 10 of the LOPDGDD, for its part, specifies the reference to the Law of
Member States emphasizing that, when the treatment has a purpose
other than “prevention, investigation, detection or prosecution of criminal offenses
criminal or execution of criminal sanctions” - treatment excluded from the scope
material of the data protection regulations in application of article 2.1.d) of the
RGPD-, so that its treatment can be considered legitimate, it must be
covered by a European standard, the LOPDGDD or another standard with legal status.
Prior to examining the legitimacy of the treatment, it is necessary to analyze whether
requesting a "negative" criminal record certificate constitutes a
“processing of personal data related to criminal convictions and infractions”, according to
the wording of article 10 of the RGPD, and if said treatment is subject, not
only to the generic data protection regulations, but also to the
consideration of data included in the field of application of article 10 of the RGPD and
of article 10 of the LOPDGDD and, therefore, deserving of guarantees
specific.
The criminal record certificate is the public document that certifies the
lack or existence of criminal records that are registered in the Registry
Penitentiary Center. Criminal records are defined as resolutions
firm orders issued by the Judges and Courts of the criminal order for the commission of a
crime that imposes penalties or security measures that are in force
in accordance with the provisions of the Penal Code.
The information contained in the criminal record certificate subject to the
This procedure constitutes personal data in the light of the definition of article
4.1 of the RGPD since it is "information about a natural person
identified”, whether it is a certificate that refers to the existence of such
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 28/64
background as if it reveals your absence, and your request is a
data treatment.
In relation to the category of personal data on which that information relates,
is precisely the one related to the final criminal convictions of which he may have been
object (and are in force) a specific person, both to highlight
I manifest that there are those firm resolutions that impose penalties or measures and
what these are, to prove that they do not exist. That is, the information
is dealing with is the data related to criminal convictions -which includes the absence of
You are linked to a specific natural person.
Therefore, what is stated by the respondent in her allegations cannot be accepted.
when he points out that a criminal record certificate that shows
that a specific person lacks criminal convictions does not strictly collect
any data related to criminal convictions and infractions, since it is
doing by showing and proving that said person lacks them.
Admitting the position maintained by AMAZON ROAD in this regard would be equivalent to admitting that
any person or entity could create a registry of people without criminal records
criminal, despite the fact that it is a matter reserved for public authorities.
It also takes into account section 4 of article 136 of the Organic Law
10/1995, of November 23, of the Penal Code, which after pointing out that "The
registration of criminal records in the different sections of the Central Registry
of Prisoners and Rebels will not be public”, provides that “During its validity, only
will issue certifications with the limitations and guarantees provided for in their regulations
specific and in the cases established by law. This specific regulation is
contained in Royal Decree 95/2009, of February 6, which regulates the System
of administrative records to support the Administration of Justice, which in its
Article 17 establishes that "(...), the data related to
his person contained in the inscriptions of the Central Registries of Prisoners, of
Required Precautionary Measures and Non-Final Judgments, for the Protection of
Victims of Domestic Violence, of Sentences of Criminal Responsibility of the
Minors and Civil Rebels and sign negative certifications regarding
people who are not registered in them. Provided in section 2 of
this same article that “The positive certification will contain the transcript of the
registered data, as they exist in the Registry at the time of their issuance,
excluding inscriptions that, in accordance with a regulation with the force of Law, are found
available only to the courts.
Likewise, the National High Court in various sentences (for all the SAN of 20
June 2017) has stated that "There is no precept that establishes that the
criminal record certificate omit to refer to criminal record
that are duly registered, except in the case that a regulation with the rank of Law
so establishes it and this regardless of whether the certificate is requested for a
criminal proceedings or for a purpose other than criminal proceedings. From this it can be inferred
that the negative criminal record certificate is also considered a piece of information
relating to convictions and criminal offenses, as well as procedures and measures
Prudential and related security.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 29/64
Both the issuance of a positive criminal record certificate and that of a
certificate of the absence of such antecedents require, therefore, the consultation of the
mentioned public records. Therefore, it cannot be said that the certificates
negative or absence of criminal record do not contain information regarding
criminal convictions and offenses or related security measures.
An example that the negative criminal record certificate is a treatment
of personal data related to convictions and criminal offenses we can see it in
related to the certificate of crimes of a sexual nature. This certificate is similar to
that we are now examining, since it refers to the existence or non-existence of
final convictions issued by the judicial bodies, recorded in the Central Registry
of Sex Offenders. Thus, the certificate for crimes of a sexual nature is issued
indicating the existence or non-existence of criminal convictions on the date on which it is
issued.
In addition to the fact that this certificate can be requested in accordance with the provisions of the Law
Organic 8/2021, of June 4, on comprehensive protection for children and adolescents
against violence -norm of legal rank that enables their request in relation to the
access to professions, trades and activities that involve regular contact with
minors -, the truth is that the fact of obtaining a certificate
negative shows that someone lacks criminal convictions in relation to
crimes of a sexual nature. This implies processing personal data “related” to
criminal convictions, since the data contained in the aforementioned certificate, in the same way
that in the one now examined, have to do indissolubly with the existence of
criminal convictions. They are personal data related to criminal convictions either by their
possession or absence.
And the request made by AMAZON ROAD that by
part of this Agency a strict interpretation is made in a manner analogous to the
assumption included in the Legal Cabinet Report 0129/2005. In this sense, it
that came to show the mentioned report is that the data of "smoker"
considered by itself would not belong to the category of health data, for
when, in accordance with Recommendation No. R (97) 5, of the Committee of Ministers of the
Council of Europe, referring to the protection of medical data, the data referring to the
mere consumption of tobacco, without specifying the quantity consumed, would not be
principle a data linked to health, if it is not accompanied by a
complementary information that allows to determine that the situation of
“nicotine abuse”. However, in the case that is the subject of this proceeding, as
As has been stated, the relationship between a criminal record certificate and the
category of data relating to criminal convictions and offenses is unambiguous, since its
information refers to them, both to show their existence and
your absence.
It is also interesting to bring up at this point the file E/00037/2013 that the
claimed refers to in his reply to the transfer. In this
file, the issue was about the request for a responsible statement in
the one that the subjects affirmed that they had no criminal record (not the request of the
certificate). Well, on a case of a similar nature, the Judgment of the Chamber
of the Social of the National Court 14/2020, of February 10, 2020, indicates that
including the request for a responsible statement that there is no criminal record
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 30/64
criminal offenses must be considered as a treatment of data related to convictions
penalties.
AMAZON ROAD, in its arguments at the opening of the procedure, dismisses the
statement made by the National High Court in this Judgment stating that the
The same was issued by the Social Chamber, which is not competent to review the
decisions of this Agency, thereby denying the ability of judges and
courts to interpret the rules that are applicable to the alleged object of the
process in question.
Regarding this allegation, we must mean that, although the Social Chamber of the
The National Court is not competent to review administrative resolutions
dictated by the AEPD, in attention to the competence attributed to the social order, article
25 of the Organic Law 6/1985, of July 1, of the Judicial Power (LOPJ), this does not
prevents interpreting and applying the data protection regulations or any other that
could be relevant to the resolution of the disputed matter; moreover, the
Article 4.bis of the LOPJ mandates the application of the Law to judges and courts
of the European Union.
As a consequence of the foregoing, once established that the background certificate
criminal charges requested by AMAZON ROAD assumes information regarding the convictions
criminal of an identified natural person and, therefore, a personal data subject to the
special guarantees established by articles 10 of the RGPD and 10 of the LOPDGDD,
It is appropriate to examine whether there is an authorization that allows the entity claimed to treat
such information.
These precepts confer the treatment of said data to the public powers
restricting their treatment to individuals only for those cases in which
a rule of European law or a national rule with the force of law enable it
(in addition to what is established in point 10.3 for the processing of criminal data by
part of lawyers and solicitors).
Only, therefore, in those exceptional cases in which, authorized by
a Law and with the due guarantees, if said measure is contemplated, said
certificate; In this sense, there are specific regulations that, in different areas,
expressly contemplate. In relation to this point, there is no standard of the
Law of the Union or a legal norm of our system that allows carrying out
carry out the processing of criminal record data intended by the entity
claimed.
Analyzing the sectoral regulations brought up by the one claimed in his writing, the
Article 43.2 of Law 16/1987, of July 30, on Transport Planning
Terrestrial (hereinafter, LOTT) provides that "when the authorization enables the
performance of public passenger transport by bus or goods in vehicles
or groups of vehicles with own traction capacity whose maximum mass
authorized is greater than 3.5 tons, they must meet the requirements of
establishment, honorability, financial capacity and professional competence
required by the regulations of the European Union establishing standards
relating to the conditions that must be met for the exercise of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 31/64
profession of road carrier, in accordance with what in said
regulation is available and with what is established in this law and in its implementing regulations.
points out for the execution of such provisions”. Article 45 refers
specifically to the requirement of good repute, stating that "In accordance with the
provided in the regulations of the European Union establishing standards
relating to the conditions that must be met for the exercise of the
profession of road carrier, in order to meet the requirement of good repute,
Neither the company nor its transport manager may have been convicted of the
commission of crimes or criminal offenses or sanctioned for the commission of infractions
related to the commercial, social or labor fields, road safety or
management of land transport that gives rise to the loss of this requirement,
in accordance with the provisions of this law and in the regulations of the Union
European.
For its part, the Regulations of the Land Transport Planning Law
(ROTT), approved by Royal Decree 1211/1990, of September 28, collects in its
article 109 that “In accordance with the provisions of article 43.2 of the LOTT, for
Obtaining and maintaining authorizations for public passenger transport
by bus and public transport of goods in vehicles that can exceed
the 3.5 tons of maximum authorized mass, it must be proven that the
company complies, in addition to the conditions indicated in article 43.1 of the LOTT,
the requirements of establishment, professional competence, honor and capacity
financial, with the specifics indicated in these Regulations”; and in article 115
that “1. For the purposes of the provisions of article 45 of the LOTT, both the owner of the
the authorization, whether a natural or legal person, such as the transport manager of the
company in a personal capacity, must meet the requirement of good repute. 2. In the
verification of compliance with the conditions indicated in the previous section,
The competent body must exclusively refer to the data contained in the
Register of Transport Companies and Activities and in the European Register of
Road Transport Companies”. Articles 116 to 120 regulate
in detail the legal regime and the specifications to be taken into account regarding the
concept of honor.
Based on the foregoing, it can be deduced that only compliance
of the honorability requirement for those authorizations that imply the use of
vehicles whose maximum authorized mass is greater than 3.5 tonnes. Your exam
would correspond, in any case, to the competent Administration to grant and
manage transport authorizations, and also with the added limitation of
abide exclusively by what is registered in the Registry of Companies and Activities of
Transport and in the European Register of Road Transport Companies. Is
In other words, not even the competent Administration to manage the authorization can,
in these cases, request or enter to examine a criminal record certificate,
but must abide by the information that has been registered in the aforementioned
records. Furthermore, it means that not even the existence of a
criminal conviction or administrative sanction automatically determines the loss of
honorability necessary to be the holder of a transport authorization, since
there is a subsequent administrative procedure, once said sentence is registered or
resolution in the Registry of Transportation Companies and Activities, as
of articles 118 and 119 of the Regulations of the Law on Transport Management
Terrestrial (ROTT), according to which the competent authority of transport can
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 32/64
determine that even with said conviction or sanction, the consequence of the
loss of honor, and therefore of authorization, is disproportionate. The
ROTT itself additionally establishes a circumstance in which, even
sanctioning resolution, considers that in no case can the loss of the
honorability (article 119.3 of the ROTT). After these precepts it turns out that they can
exist carriers with convictions or sanctions that do not entail the loss of this
requirement.
In any case, it would only be in the event that AMAZON ROAD intended
sign contracts for the provision of services with autonomous carriers in which
the vehicles to be used by them had a maximum authorized mass greater than 3.5
tons (a situation that does not occur in this case because the mass
of vehicles admitted to the program must be less than 2 tons)
when data from certain criminal records, as components of the requirement of
honorability as defined in the LOTT, would come into play for the concession and
maintenance of the mandatory authorization by the Administration that
grants. However, the exclusive competence for its control corresponds to said
Administration with the limitations indicated above, and without in any case
there is legitimacy that enables the company to request a background certificate
criminal charges or to verify such information.
In the absence of legal authorization, it is not possible, in this case, to resort to other legal bases to
legitimize the processing of personal data related to convictions and offenses
penalties.
However, AMAZON ROAD, in its response to the process of transfer of the
claim, stated that the legitimizing bases of the data processing that
carried out, depending on the type of data collected and the intended purposes, are the
execution of the contract between the autonomous carrier and the entity, the consent
of those and the legitimate interest.
In relation to the processing of personal data contained in the certificates
of criminal records that it collects from the carriers that participate in the
"Amazon lex" program, states that the legal basis is the execution of the contract and the
legitimate interest of AMAZON ROAD in protecting the trust that customers have
deposited in the entity and in guaranteeing that its position as a transport operator
not be compromised.
On the other hand, in the information that is offered to the interested parties during the
"background check" (the details are outlined in the Background
First) it is indicated as the legal basis for those data treatments the
consent of the interested parties (“In relation to this process, I give my
consent to carry out the aforementioned checks…”, among which
figure “A certificate from the Ministry of Justice confirming that I do not have
criminal record of any kind”).
None of these legal bases can legitimize the processing of personal data
which, as has been said, can only be carried out in those cases in which
there is legal authorization, so its analysis is not necessary.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 33/64
However, it is considered appropriate to make some clarifications in this regard:
a) The entity complained against considers that the treatment of the certificates in question
it is necessary for the execution of the contract that you sign with the carriers
self-employed, to guarantee the security and confidence of the clients, to apply a
minimum standard of diligence in contracting services from suppliers and for
prevent your position as a transport operator from being compromised (the same
reasons that it gives to justify the legitimate interest).
This Agency does not share that the criminal record certificates that the
claimed requests autonomous carriers to be necessary for the execution of
this contract for the provision of services, for the reasons already stated when referring to the
regulations governing the transport of goods.
The public authorities are responsible for granting the necessary authorizations
for the public transport of goods, so that AMAZON ROAD only
It is up to him to verify that the autonomous carrier intends to contract has
this concession.
b) In relation to the legal basis of legitimate interest, article 6 of the RGPD
establishes:
"one. The treatment will only be lawful if at least one of the following conditions is met:
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the
responsible for the treatment or by a third party, provided that said interests are not
prevail the interests or the fundamental rights and freedoms of the interested party that
require the protection of personal data, in particular when the interested party is a child...”.
Recital 47 of the RGPD specifies the content and scope of this base
legitimizer of the treatment:
“(47) The legitimate interest of a controller, including that of a controller to whom
may communicate personal data, or of a third party, may constitute a legal basis
for treatment, provided that the interests or the rights and freedoms of the user do not prevail.
data subject, taking into account the reasonable expectations of data subjects based on their
relationship with the person in charge. Such legitimate interest could occur, for example, when there is a
relevant and appropriate relationship between the data subject and the controller, such as in situations where
which the interested party is a client or is at the service of the person in charge. In any case, the
existence of a legitimate interest would require careful assessment, even if a
The interested party can reasonably foresee, at the time and in the context of the collection of
personal data, which may be processed for this purpose. In particular, the interests and
the fundamental rights of the interested party could prevail over the interests of the
responsible for the treatment when proceeding to the treatment of personal data in
circumstances in which the data subject does not reasonably expect that a
further treatment. Since it is up to the legislator to establish by law the legal basis for
the processing of personal data by public authorities, this legal basis does not
should apply to processing carried out by public authorities in the exercise of their duties.
functions. The processing of personal data strictly necessary for the
prevention of fraud also constitutes a legitimate interest of the data controller.
that it is The processing of personal data for direct marketing purposes may
be considered carried out for legitimate interest”.
The interpretative criteria that are extracted from this Considering are, among others, (i)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 34/64
that the legitimate interest of the person in charge prevails over the interests or rights and
fundamental freedoms of the owner of the data, in view of the expectations
reasonable that he has, based on the relationship he maintains with the person in charge
of the treatment; (ii) it will be essential to carry out a "meticulous evaluation" of
the rights and interests at stake, also in those cases in which the
interested party can reasonably foresee, at the time and in the context of the
data collection, which may be processed for this purpose; (iii) interest and
fundamental rights of the owner of the personal data could prevail against
the legitimate interests of the person in charge when the processing of the data is carried out
in such circumstances in which the data subject "does not reasonably expect"
carry out further processing of your personal data.
The respondent entity did not carry out this prior analysis, although it refers to it in its
written arguments for the proposal, and there is no evidence that he has duly informed
stakeholders on this legitimate basis.
In the absence of information regarding the weighting test, the interested party is deprived
of their right to know the legal basis of the treatment alleged by the person in charge, and
specifically, when referring to the legitimate interest, he is deprived of his right to know
what are said legitimate interests alleged by the person in charge or by a third party that
would justify treatment.
In the same way, the interested party is deprived of his right to claim for what reasons
Said legitimate interest of the person in charge of the treatment could be counteracted by the
rights or interests of the interested party. Not having given the interested party an opportunity
to allege them against the person in charge, any weighing carried out by the person in charge
without taking into account the circumstances that the interested party could allege, to whom it was not
allowed to do so would be vitiated, as it is an act contrary to a mandatory norm.
It is not possible, therefore, to invoke this legal basis of legitimate interest on the occasion of a
administrative procedure, such as transfer of the claim. Accepting it would be so much
such as admitting a legitimate interest arising, or a posteriori, in respect of which no
have complied with the requirements set forth in the data protection regulations
personal and about which the interested parties are not informed.
Although the legitimate interest is not applicable, it is interesting to analyze the terms in which it must
carry out the weighting provided for in article 6.1.f) of the RGPD between the legitimate
interest of the person responsible for the data and the protection of personal data of the
interested, that is, how it plays said legitimate interest, if applicable.
The CJEU, in its ruling of 05/04/2017, C-13/16, Rigas Satskime, sections 28 to 34,
determined what are the requirements for a treatment to be lawful on
the basis of legitimate interest. The CJEU ruling of 07/29/2019, C-40/17, Fashion ID,
Echoing the sentence cited, it collects said requirements.
28. In this regard, article 7, letter f), of Directive 95/46 -(current article 6.1.f) of the RGPD)-
sets three cumulative requirements for the processing of personal data to be lawful:
first, that the data controller or the third party or third parties to whom they are communicated
the data pursues a legitimate interest; second, that the treatment is necessary for the
satisfaction of that legitimate interest and, third, that the rights and freedoms
fundamentals of the interested party in the protection of data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 35/64
This legal basis requires the existence of real interests, not speculative and that,
Also, they are legitimate. And not only does the existence of that legitimate interest mean that
those treatment operations can be carried out. It is also necessary that these
treatments are necessary to satisfy that interest and consider the repercussion
for the interested party, the level of intrusion on their privacy and the effects that may
negatively impact it.
Even if the data controller has said legitimate interest, this does not, in itself, mean
considered, that this legal basis can simply be invoked as a basis
of the treatment. The legitimacy of this interest is only a starting point, one of only
items to be weighed.
In this case, it is considered that the processing of personal data carried out by
AMAZON ROAD is not necessary or strictly necessary for the satisfaction of the
alleged legitimate interest (the cited judgment of 05/04/2017, C-13/16, Rigas Satskime,
in its section 30, it declares “Regarding the requirement that the treatment of
data is necessary, it should be remembered that the exceptions and restrictions at the beginning
protection of personal data must be established without exceeding the
limits of what is strictly necessary”).
This principle, according to which the treatment must be strictly necessary for the
satisfaction of legitimate interest, it must be interpreted in accordance with what
established in article 5.1.c) RGPD, which refers to the principle of
data minimization, noting that personal data will be “adequate,
relevant and limited to what is necessary in relation to the purposes for which they are
treaties”.
Thus, less invasive means of serving a patient should always be preferred.
same end. Necessity implies here that the treatment is essential for the
satisfaction of said interest, so that, if said objective can be achieved
reasonable manner in another manner that is less impactful or less intrusive, the
Legitimate interest cannot be invoked.
The term “necessity” used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, a
own and independent meaning in Community law. It's about a
“autonomous concept of Community Law” (STJUE of 12/16/2008, case C-
524/2006, section 52). On the other hand, the European Court of Human Rights
(ECHR) has also offered guidelines to interpret the concept of necessity. In
its Judgment of 03/25/1983 specified that, without prejudice to the treatment of
data of the claimants is "useful", "desirable" or "reasonable", as specified by the ECHR in
its Judgment of 3/25/1983, the term “necessary” does not have the flexibility that is
implicit in those expressions.
The more "negative" or "uncertain" the impact of treatment may be, the more
It is unlikely that the processing as a whole can be considered legitimate.
As can be seen, what was stated above is in line with the doctrine of
Constitutional Court on the proportionality trial that must be carried out on
a restrictive measure of a fundamental right. According to this doctrine, they should
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 36/64
three requirements must be verified: suitability (if the measure allows the objective
proposed); necessity (that there is no other more moderate measure); proportionality in
strict sense (more benefits or advantages than harm).
In short, it is understood that the collection and use of the background certificate
criminal charges that the claimed entity carries out involves the processing of personal data
excessive, considering that there are other less intrusive ways to protect the
trust that customers have deposited in the entity and to ensure that their
position as transport operator is not compromised.
Therefore, the legitimate interest invoked by AMAZON ROAD does not prevail against the
fundamental rights and freedoms of those interested in the protection of their data
personal, so it cannot be considered that the processing of personal data that
carried out is protected by the legitimate interest provided for in article 6.1.f) of the
GDPR.
c) And neither the acceptance by the interested carriers of the process of
“background check” implies a valid consent for the treatment of
personal data related to criminal records. According to what is stated in
the rules outlined, the processing of personal data subject to the claim
require the existence of a legal basis that legitimizes it, such as the consent of the
interested party validly provided, necessary when there is no other basis
legal of the one mentioned in article 6.1 of the RGPD or the treatment pursues a purpose
compatible with the one for which the data was collected, and provided that the treatment
does not require, as in this case, a legal authorization.
Article 4 of the GDPR defines "consent" in the following terms:
“Article 4 Definitions
For the purposes of this Regulation, the following shall be understood as:
11. «consent of the interested party»: any manifestation of free will, specific,
informed and unequivocal by which the interested party accepts, either by means of a declaration or a
clear affirmative action, the treatment of personal data that concerns you”.
In relation to the provision of consent, the following must be taken into account:
established in article 6 of the RGPD, already cited, and in articles 7 of the RGPD and 7 of
the LOPDGDD.
Article 7 “Conditions for consent” of the RGPD:
"one. When the treatment is based on the consent of the interested party, the person in charge must
be able to demonstrate that they consented to the processing of their personal data.
2. If the data subject's consent is given in the context of a written statement that
also refers to other matters, the request for consent will be presented in such a way
clearly distinguishable from other matters, in an intelligible and easily accessible manner and
using clear and simple language. No part of the declaration will be binding.
constitutes an infringement of this Regulation.
3. The interested party shall have the right to withdraw their consent at any time. The retreat
of consent will not affect the legality of the treatment based on the consent prior to
his withdrawal. Before giving their consent, the interested party will be informed of it. it will be so easy
Withdraw consent as give it.
4. When assessing whether consent has been freely given, it will be taken into account to the greatest
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 37/64
extent possible whether, among other things, the performance of a contract, including the
provision of a service, is subject to consent to the processing of personal data that
are not necessary for the execution of said contract”.
Article 6 “Treatment based on the consent of the affected party” of the LOPDGDD:
"one. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679,
consent of the affected party means any manifestation of free will, specific,
informed and unequivocal by which it accepts, either through a statement or a clear
affirmative action, the treatment of personal data that concerns you.
2. When the data processing is intended to be based on the consent of the affected party
for a plurality of purposes it will be necessary to state specifically and unequivocally
that said consent is granted for all of them.
3. The execution of the contract may not be subject to the affected party consenting to the treatment of
personal data for purposes that are not related to the maintenance, development
or control of the contractual relationship”.
Consent is understood as a clear affirmative act that reflects a
free, specific, informed and unequivocal manifestation of the interested party's
accept the treatment of personal data that concerns you, provided with
sufficient guarantees to prove that the interested party is aware of the fact that
you give your consent and the extent to which you do so. And it must be given to all
treatment activities carried out with the same or the same purposes, so that,
when the treatment has several purposes, consent must be given for all
them in a specific and unequivocal manner, without the execution of the
contract that the affected party consents to the processing of their personal data for
purposes that are not related to the maintenance, development or control of the
business relationship. In this regard, the legality of the treatment requires that the interested party be
informed about the purposes for which the data is intended (consent
informed).
Consent must be given freely. It is understood that consent
is free when the interested party does not enjoy true or free choice or cannot
deny or withdraw your consent without prejudice; or when you don't know
allows separate authorization of the different data processing operations
despite being appropriate in the specific case, or when the fulfillment of a
contract or provision of service is dependent on consent, even when it
not necessary for such compliance. This occurs when consent is
included as a non-negotiable part of the general conditions or when
imposes the obligation to agree to the use of additional personal data to
those strictly necessary.
Without these conditions, the provision of consent would not offer the data subject a
true control over your personal data and its destination, and this would
Illegal treatment activity.
The Article 29 Working Group analyzed these issues in its document
“Guidelines on consent under Regulation 2016/679”, revised and
approved on 04/10/2018; which has been updated by the European Committee for
Data Protection on 05/04/2020 through the document “Guidelines 05/2020 on
consent in accordance with Regulation 2016/679”. From what is stated in this
document, it is now interesting to highlight some aspects related to the validity of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 38/64
consent, specifically on the elements “specific”, “informed” and
"unequivocal":
“3.2. Specific declaration of will
Article 6, paragraph 1, letter a), confirms that the consent of the interested party for the
processing of your data must be given "for one or more specific purposes" and that an interested party
may choose with respect to each of such purposes. The requirement that consent
should be 'specific' is intended to ensure a level of control and transparency for the
interested. This requirement has not been changed by the GDPR and remains closely
linked to the requirement of “informed” consent. At the same time, it must be interpreted
in line with the “dissociation” requirement to obtain “free” consent. In sum,
In order to comply with the “specific” character, the data controller must apply:
i) specification of the purpose as a guarantee against deviation from use,
ii) dissociation in consent requests, and
iii) a clear separation between information related to obtaining consent
for data processing activities and information relating to other matters.
Ad. i): In accordance with article 5, paragraph 1, letter b), of the RGPD, obtaining the
Valid consent is always preceded by the determination of a specific, explicit and
legitimate for the intended treatment activity. The need for specific consent
in combination with the notion of purpose limitation in Article 5, paragraph
1, letter b), works as a guarantee against the gradual expansion or blurring of the purposes
for which the data processing is carried out once an interested party has given their
Authorization for the initial data collection. This phenomenon, also known as
deviation of the use, supposes a risk for the interested parties since it can give rise to a use
unforeseen personal data by the data controller or third parties
parties and the loss of control by the interested party.
If the data controller relies on Article 6(1)(a), the data subjects
They must always give their consent for a specific purpose for data processing.
In line with the concept of purpose limitation, with Article 5, paragraph 1, letter
b), and with recital 32, the consent may cover different operations, provided
that these operations have the same purpose. It goes without saying that the specific consent
can only be obtained when the interested parties are expressly informed about the purposes
provided for the use of data concerning them.
Without prejudice to the provisions on the compatibility of purposes, the consent must
Be specific for each purpose. The interested parties will give their consent on the understanding that they have
control over your data and that these will only be processed for those specific purposes. If a
responsible processes data based on consent and, in addition, wishes to process said data
for another purpose, you must obtain consent for that other purpose, unless there is another basis
law that best reflects the situation...
Ad. ii) Consent mechanisms should not only be separated in order to comply
the requirement of “free” consent, but must also comply with the requirement of
"specific" consent. This means that a data controller seeking the
consent for several different purposes, you must facilitate the possibility of opting for each purpose,
so that users can give specific consent for specific purposes.
Ad. iii) Finally, data controllers must provide, with each data request,
separate consent, specific information on the data to be processed for each purpose,
in order that the interested parties know the repercussion of the different options that
have. In this way, data subjects are allowed to give specific consent. Is
issue overlaps with the requirement that controllers provide clear information, as
as discussed above in section 3.3”.
“3.3. Manifestation of informed will
The GDPR reinforces the requirement that consent must be informed. in accordance
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 39/64
with article 5 of the RGPD, the requirement of transparency is one of the principles
fundamental, closely related to the principles of loyalty and legality. To ease
information to the interested parties before obtaining their consent is essential so that they can
make informed decisions, understand what they are authorizing and, for example,
exercise your right to withdraw your consent. If the controller does not provide information
accessible, user control will be illusory and consent will not constitute a valid basis
for data processing.
If the requirements for informed consent are not met, the consent is not
will be valid and the person in charge may be in breach of article 6 of the RGPD.
3.3.1. Minimum content requirements for consent to be “informed”
In order for the consent to be informed, it is necessary to communicate to the interested party certain
elements that are crucial to be able to choose. Therefore, the WG29 is of the opinion that it is required,
least, the following information to obtain valid consent:
i) the identity of the data controller,
ii) the purpose of each of the treatment operations for which the authorization is requested.
consent,
iii) what (type of) data will be collected and used,
iv) the existence of the right to withdraw consent,
v) information on the use of data for automated decisions in accordance with the
article 22, paragraph 2, letter c), when relevant, and
vi) information on the possible risks of data transfer due to the absence of
a decision of adequacy and adequate guarantees, as described in the article
46”.
In the alleged case, there is no evidence of the provision of a
valid consent on the part of the autonomous carriers participating in the
program "***PROGRAMA.1" that covers the processing of personal data that
AMAZON ROAD performs with the criminal record you request. this entity
does not even duly inform about this data processing, about its purpose and
legal basis or the right to withdraw consent, in accordance with the
established in article 13 of the RGPD; nor has it established any mechanism for
The interested parties can consent to this collection of personal data through an act
separate statement for these specific processing operations; neither him
consent can be considered free, by imposing the processing of personal data
as a requirement to access the contract.
It is significant that AMAZON ROAD, in its brief of arguments regarding the proposal for
resolution, has not made a single argument to the contrary on the
reasoning developed in this Law Foundation, either in
relation to the nature of personal data related to criminal convictions and offenses
that must be attributed to the negative background certificate, or to the non-existence of
Legal authorization that protects the data processing questioned in the proceedings.
Nor does it even mention the reasons given to justify the
impossibility of resorting, in this case, to other legal bases that could make it lawful
said data processing, such as the legitimate interest or the consent of the
interested party validly borrowed. It should be noted that he would have invoked the interest
legitimate as a legitimizing basis for the treatment and now, in its pleadings letter
to the motion for a resolution, do not make any statement that responds to the
previous arguments, which were already included in the proposal prepared by the instructor
of the procedure.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 40/64
In said written arguments for the proposal, AMAZON ROAD has limited itself to
affirm again, without providing any reasoning, that the certificate of absence
of criminal records does not involve the processing of data related to convictions and
criminal offenses and to point out in this regard that the Penal Code, the Royal Decree
95/2009 and the Judgment of the National Court of June 20, 2017 do not confirm
so be it.
However, what is stated by the respondent does not coincide with what is indicated in this
resolution and in the proposal. The above indicates that the Penal Code
establishes that the annotations in the "Central Registry of Prisoners and Rebels" are not
public; that Royal Decree 95/2009 provides for the issuance of certificates on the
inscriptions included in the records of support to the Administration of Justice and
"Negative certifications regarding people who are not registered in them",
that require a query to the same registers in both cases; and about the
Judgment cited, it is said that it is inferred that the background certificate
negative penalties is also considered a data relative to convictions and infractions
criminal, to the extent that it raises what information must be provided
by the Central Registry and that must be included in the background certificate
penalties.
On the other hand, in the aforementioned brief of arguments to the proposed resolution,
AMAZON ROAD alleges that there is no unanimous and consolidated criterion on the use
of negative criminal record certificates between Member States
on the interpretation made by the AEPD.
In the pleadings brief at the opening, he already raised this issue in relation to
Netherlands, France or Germany, pointing out that in these countries a
different interpretation in relation to the provisions of article 10 of the RGPD and
allow employers to confirm that a person applying for a job does not have
criminal record.
In the proposed resolution it was noted that the entity claimed had not contributed
no evidence on this allegation or verified if in said countries there is a
norm that enables this verification of data and in what cases, as is also the case
in our legal system for different areas of employment (among others,
lawyers, Lottery administrators and bookmakers, agencies in charge of
international adoptions, taxi drivers, some casino employees,
public officials, or the same drivers of passenger vehicles and
merchandise in the aforementioned cases).
Now, in response to what is stated in the proposal, AMAZON ROAD reiterates that the
Dutch data protection authority accepts these negative certificates
(Verklaring omtrent gedrag or "VOG") and provides excerpts from the Ministry of
Justice of that country with information on said document; and from the website of
control authority that admits its use when there is a legitimate interest of the
employer.
In relation to the French case, the claim indicates that the supervisory authority (CNIL)
has included information on its website according to which, in the absence of a specific rule that
provides for the verification of this type of background, the employer may request a
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 41/64
employee to present an abstract of his criminal record during a
interview and make a note about this “yes/no” verification, without obtaining a copy of the
document, which is equivalent, in his opinion, to the negative certificate obtained by the
claimed. And it provides information obtained from the CNIL website.
Nothing indicates this time, however, in relation to the position held on the matter by
Germany.
After analyzing the information obtained from the websites of the Ministry of Justice and the
Dutch data protection authority and the CNIL website, considers
this Agency that substantially coincides with what is argued in this
resolution.
In relation to the Netherlands, the respondent entity reaches a conclusion that does not


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
considers some aspects reflected in the information provided by those
control, and as established in articles 47 and 48 of the LOPDGDD, the Director
entities, such as:
of the Spanish Data Protection Agency is competent to initiate and to
solve this procedure.


According to the information available on the website of the Ministry of Justice, the certificate
"VOG" issued by said Ministry verifies whether the interested party has committed criminal offenses
that represent a risk for the job in question.


                                            II


The RGPD in its article 5, "Principles relating to treatment" says that "The data
The employer is informed that this “VOG” certificate is one of the instruments that
personal will be:
can be used to assess the reliability of future staff, recommended for
positions where trust in the employee is important, although it is noted that this
evaluation affects the privacy of the employee and that, therefore, only that


evaluation under certain legal conditions, expressly mentioning the RGPD.


a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness,
This information refers to legitimate interest, indicating that such interest must exist and
loyalty and transparency ”);
be necessary. And adds in this regard that the employer has the obligation to
provide information, not use the data for another purpose and keep the data


b) collected for specific, explicit and legitimate purposes, and will not be processed
just for as long as necessary.
subsequently in a manner incompatible with said purposes; in accordance with article 89,
section 1, the further processing of personal data for archiving purposes in


public interest, scientific and historical research purposes or statistical purposes are not
As for the Dutch data protection authority, it also informs
deemed incompatible with the original purposes ("purpose limitation");
through its website that the evaluation is only allowed under certain conditions
legal, being the most important that the employer has a legitimate reason,
requiring that the evaluation be necessary, that the


c) adequate, relevant and limited to what is necessary in relation to the purposes for which
applicant or employee, that the data collected is relevant, so that it is not
that they are processed ("data minimization");
collect more data than necessary, not use it for any other purpose and
weigh rights against each other to see whose interest weighs more, that of the employer or that of
employees or applicants.




d) accurate and, if necessary, up-to-date; all measures will be taken
But it is also indicated that the "VOG" can be requested for some cases in which
reasonable so that the personal data that
that the check is required by law. And that special provisions apply to
are inaccurate with respect to the purposes for which they are processed ("accuracy");
positions of trust, such as police officers, private security,
aviation and others.




e) maintained in a way that allows the identification of the interested parties during not
In relation to the legitimate interest and the meaning of that "necessity" requirement,
longer than necessary for the purposes of processing personal data; the
clarifies that the employer must not be able to achieve his objective with less
Personal data may be kept for longer periods provided that it is
drastic.
treat exclusively for archival purposes in the public interest, research purposes
scientific or historical or statistical purposes, in accordance with article 89, paragraph 1,
without prejudice to the application of the appropriate technical and organizational measures that


imposes these Regulations in order to protect the rights and freedoms of the
data subject ("limitation of the conservation period");


f) treated in such a way as to guarantee adequate data security
C/ Jorge Juan, 6 www.aepd.es
personal data, including protection against unauthorized or illegal processing and against
28001 – Madrid sedeagpd.gob.es, 42/64


its loss, destruction or accidental damage, through the application of technical measures
or appropriate organizational ("integrity and confidentiality").


2. The person responsible for the treatment will be responsible for compliance with the provisions
in section 1 and able to demonstrate it ('proactive responsibility'). "




The offense for which the claimed person is held liable is provided for in article 83.5.
of the RGPD that establishes:




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/10




It also recommends carrying out an inventory of the risks associated with the
functions within your organization to verify whether these risks can be adequately limited.
a different way, highlighting that a good organization, with internal controls or


distribution of powers, you can ensure that the risks are completely eliminated and
not necessitate repeated evaluation of the employee.


On the other hand, the need to analyze whether it is appropriate to carry out an evaluation
of data protection impact and the possibility of sending a prior consultation to the
data protection authority if it cannot find a way to limit the risk.






In the French case, its regulations distinguish three types of background certificates
penalties, which he calls Bulletin nº 1, 2 and 3 (B1, B2 and B3). The first includes all
recorded convictions and decisions, and can only be handed over to authorities


"Violations of the following provisions will be sanctioned, in accordance with the
judicial and penitentiary establishments; B2 contains felony convictions
section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of
police, suspended sentences, etc., and can be issued to certain authorities and
of a company, of an amount equivalent to a maximum of 4% of the volume of
private bodies for reasons listed exhaustively by law; and the B3
contains only the most serious sentences for crimes or misdemeanors, custodial sentences
liberty and certain ongoing disqualifications or disabilities, follow-up measures and
prohibitions to carry out an activity that implies contact with minors, which only


total annual global business of the previous financial year, opting for the one with the highest
It can be delivered to the interested party, at his request.
amount:


a) The basic principles for the treatment, including the conditions for the
The information offered by the CNIL entity on its website distinguishes two cases. For
consent in accordance with articles 5,6,7 and 9. "
On the other hand, the background check provided for in a regulation for certain
“sensitive” functions (bullets B2 and B3); and, on the other, in the absence of a rule that provides


background check, the possibility of the employer requesting a
candidate or employee an extract of their criminal record (B3) during a
interview, without the employer being able to obtain a copy or process the data (only write down the
verification in the boxes of the personnel management file the “yes/no” forms).




In turn, the LOPDGDD in its article 72.1.a) qualifies as a very serious infringement, to
But, contrary to what AMAZON ROAD indicates, it does not mention in the information
prescription effects, "a) The processing of personal data violating the
No legal basis has been provided to support this data processing.
principles and guarantees established in article 5 of Regulation (EU) 2016/679. "
 
This information is completed by pointing out that when the verification is carried out by a
authority, the employer does not need to check criminal records. As well
occurs in the case at hand, in which the transport sector regulations already
 
contemplates this verification for the cases in which it is necessary in order to issue
carrier authorization.
 
In accordance with all the foregoing, the claim made by
AMAZON ROAD on the absence of guilt.
 
 
Consequently, in accordance with the exposed evidence, the aforementioned facts
represent a violation of the provisions of article 6 of the RGPD, which gives rise to the
application of the corrective powers that article 58 of the aforementioned Regulation grants to
the Spanish Data Protection Agency.
 




                                             III
                                             III


In the present case, the claimant's personal data has been disclosed, such as the
personal email address and health data to the Public Entity
Housing Business-Donostiako Etxegintza, without the consent of the


claimant.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 43/64


Although the claimed party is recognized legitimacy to send the data
necessary to defend against a sanctioning procedure or penalties
that could be imposed derived from the breach of a contract


administrative, it should not be forgotten that the RGPD includes health as a category of
specially protected personal data, in accordance with article 9.1 of the
RGPD, where the following is indicated:


“The processing of personal data that reveals the ethnic origin or
racial, political opinions, religious or philosophical convictions, or affiliation


union, and the treatment of genetic data, biometric data aimed at identifying
unequivocally to a natural person, data related to health or data related to
the sexual life or sexual orientation of a natural person ”.


In this sense, the claimed entity presents a written statement of allegations to the proposal


resolution indicating that in accordance with article 9.2 f) of the RGPD the data
Claimant's personal data were released for his defense against a claim.


It should be noted that the literal tenor of said precept is as follows:


The second aspect of those included in the claim to be analyzed is what makes
reference to the legal position that companies occupy in data processing
Accurate Fund, Inc. and Amazon Development Center (India) Private Limited.


"Section 1 will not apply when one of the circumstances occurs
following:


f) the treatment is necessary for the formulation, exercise or defense of
The information available comes from the text of the screenshots of the contract
claims or when the courts act in the exercise of their judicial function; "
business, from the background check section of the application (provided by
the claimant next to the claim) and the responses provided by the
claimed in his briefs of 06/30/2020 and 06/07/2021, in response to the transfer and
arguments at the opening of the procedure.
 
 
Clause 4(d) of the contract states that the participant undertakes “to
provide complete and accurate answers to all questions related to
verifying your professional history and providing a certificate of absence from
criminal record and information about your driving license.” And in the
 
clause 13 it is reported that the data of the participants are treated for the execution
of the contract and for legal, administrative and management purposes.
 
For its part, in the background check section of the application, which
appears configured as a procedure in which the suitability of the
participants to determine their admission to participate in the program
 
"*** PROGRAM.1" and carry out the provision of services, reference is made to the
entities Accurate Fund, Inc. and Amazon Development Center (India) Private
Limited under the following terms:
 
“I understand and consent that Accurate Background is responsible for collecting and treating the
information on behalf of Amazon to perform detailed background checks
previously".
 
 
“I understand Amazon Development Center (India) Private Limited, in India, will be able to access
to the data you provide to Amazon during this process to support the collection of
the information provided by me, and I consent to such access”.
 
From the transcribed texts it is evident that they intervene in the verification process
background checks of the commercial companies Accurate Background, Inc. (collection and treatment
 
of information) and Amazon Development Center (India) Private Limited (access to
data to support its collection).
 
Now, some confusion results from the fact that background checks
is presented as an obligation arising from the contract while on the screen of
background check the consent of the participant is requested for this
 
process and for those entities to collect and process your information or give
medium.
 
And this confusion increases if we consider the doubts generated by the paragraphs
transcribed, indicating that Accurate Background, Inc. collects and processes the
 
information “on behalf of Amazon” and that Amazon Development Center (India)
Private Limited may have access to the information to provide “support” to “Amazon”;
along with AMAZON ROAD's representations contained in its statement of
response of 06/30/2020, according to which those entities hold the nature
of treatment managers.
 
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 44/64
 
 
 
 
 
 
 
 
This uncertainty about the condition under which the repeated
mercantile and the inexistence of any proof that accredited the access on the part of
 
these to the personal data as in charge of the treatment (the claimed did not provide
no documentation in this regard with his letter of 06/30/2020), motivated that in
the opening agreement of this sanctioning procedure will be qualified to the
aforementioned entities as “third parties” in relation to data processing, and determined
the imputation of an infraction for the alleged non-compliance with the provisions of the
 
article 7 of the RGPD, in relation to article 6.1.a) of the same legal text.
 
Under this premise, said imputation was based on the fact that the treatment
of the personal data of the participants in the program “***PROGRAMA.1” by
part of Accurate Fund, Inc. and Amazon Development Center (India) Private
 
Limited required the consent of the data subjects; and that the consent
provided in this case did not meet the requirements for it to be considered
a valid consent, since it would not be free nor could it be considered informed, in the
meaning expressed in article 7 and Recitals 32, 42 and 43 of the RGPD, article 6
of the LOPDGDD and according to the interpretations of the European Committee for the Protection of
 
Data contained in Guidelines 5/2020.
 
However, AMAZON ROAD, with its pleadings brief at the opening of the
procedure has provided a copy of the treatment commission contracts signed
with Accurate Fund, Inc. and Amazon Development Center (India) Private Limited,
 
in which it is stipulated that these entities will process the data on behalf of AMAZON
ROAD and in accordance with its instructions, in order to provide the services.
According to these contracts, those entities intervene as responsible for the
treatment and, as such, are obliged to notify the person in charge of any instruction
that, in your opinion, violates applicable law, any data breach or
 
claim it receives and to provide the responsible party with cooperation and assistance
full; as well as to establish the appropriate technical and organizational measures to
protect data. It is also expected that the person in charge of the treatment returns to the
responsible for all personal data or proceed to its destruction upon completion
of the contract, at the choice of the data controller.
 
 
These are, therefore, companies that provide services to AMAZON ROAD in the
initial checks on carriers participating in the program
“***PROGRAMA.1”, for which they have signed a treatment order contract.
 
 
In accordance with this, the aforementioned entities cannot be considered as third parties.
and the treatment of the data they carry out does not require the consent of the users.
interested.
 
The figures of "responsible for the treatment" and "in charge of the treatment" are defined
 
in article 4 of the RGPD as follows:
 
. “Responsible for the treatment or responsible: the natural or legal person, public authority,
service or other body which, alone or jointly with others, determines the ends and means of the
treatment; if the law of the Union or of the Member States determines the ends and means
of the treatment, the person in charge of the treatment or the specific criteria for their appointment
may be established by the Law of the Union or of the Member States”.
 
. “In charge of the treatment or in charge: the natural or legal person, public authority,
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 45/64
 
 
 
 
 
 
 
 
 
service or other body that processes personal data on behalf of the person responsible for the
treatment".
 
The concepts of controller and processor are not formal, but
functional and must attend to the specific case, to the specific activities in a
 
specific context.
 
The data controller is from the moment it decides the purposes and
means of treatment, not losing such condition the fact of leaving a certain margin of
 
action to the person in charge of the treatment. This is unquestionably expressed in the
Guidelines 07/2020 of the European Committee for Data Protection (CEPD) on the
Concepts of data controller and manager in the GDPR:
 
“A data controller is one who determines the purposes and means of processing.
 
treatment, that is, the why and how of the treatment. The data controller must
decide on both ends and means. However, some more practical aspects of
implementation ("non-essential means") can be left to the person in charge of the
treatment. It is not necessary that the person in charge actually has access to the data that is
they are trying to qualify themselves as responsible” (the translation is ours).
 
 
In the present case, it is clear that AMAZON ROAD is responsible for the
data processing now analyzed, since, as defined in article 4.7
of the RGPD, is the entity that determines the purpose and means of the treatments
made. In its capacity as data controller, it is obliged to comply with
 
the provisions of the transcribed article 24 of the RGPD and, in particular, regarding the control
effective and continued implementation of the “appropriate technical and organizational measures in order to
guarantee and be able to demonstrate that the treatment is in accordance with this
Regulation”, among which are those provided in article 28 of the RGPD
 
in relation to those in charge of the treatments that act in the name and on behalf of
of the person in charge. Section 3 of this article 28 establishes the following:
 
"3. The treatment by the person in charge will be governed by a contract or other legal act in accordance with the
Law of the Union or of the Member States, which binds the person in charge with respect to the
 
responsible and establishes the object, duration, nature and purpose of the treatment, the
type of personal data and categories of interested parties, and the obligations and rights of the
responsable. Said contract or legal act shall stipulate, in particular, that the person in charge:
 
a) will process personal data only following documented instructions of the
responsible, including with respect to transfers of personal data to a third country or
an international organisation, unless required to do so under Union law
or of the Member States that applies to the person in charge; in such a case, the person in charge will inform the
 
responsible for that legal requirement prior to treatment, unless such Law prohibits it by
important reasons of public interest;
b) will guarantee that the persons authorized to process personal data have
committed to respecting confidentiality or are subject to an obligation of
confidentiality of a statutory nature;
c) take all necessary measures in accordance with article 32;
d) will respect the conditions indicated in sections 2 and 4 to resort to another person in charge of the
 
treatment;
e) will assist the person in charge, taking into account the nature of the treatment, through measures
appropriate technical and organizational measures, whenever possible, so that it can comply with
their obligation to respond to requests that have as their object the exercise of rights
of the interested parties established in chapter III;
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 46/64
 
 
 
 
 
 
 
 
f) will help the person in charge to guarantee the fulfillment of the obligations established in the
articles 32 to 36, taking into account the nature of the treatment and the information to
disposal of the manager;
g) at the choice of the person in charge, will delete or return all personal data once
 
ends the provision of treatment services, and will delete existing copies unless
that the conservation of personal data is required by virtue of the Law of the Union or of
the member states;
h) will make available to the person in charge all the information necessary to demonstrate the
compliance with the obligations established in this article, as well as to allow and
contribute to the performance of audits, including inspections, by the person in charge or
another auditor authorized by said person in charge.
 
In relation to the provisions of letter h) of the first paragraph, the person in charge will inform
 
immediately to the controller if, in his opinion, an instruction violates this
Regulation or other provisions on data protection of the Union or of the
Member states".
 
It is AMAZON ROAD, as responsible, which can decide to carry out by itself
certain treatment operations or contract all or part of the
 
treatment with a manager.
 
The essence of the function of the person in charge of the treatment is that the personal data
are processed in the name and on behalf of the data controller. In practice,
it is the person in charge who determines the purpose and the means, at least the essential ones,
 
while the person in charge of the treatment has the function of providing services to the
responsible for the treatment. In other words, “acting in the name and on behalf of
of the data controller” means that the data controller is at the
servicing the interest of the controller in carrying out a task
 
and that, therefore, follows the instructions established by it, at least in
what refers to the purpose and the essential means of the entrusted treatment.
 
The person in charge of the treatment is the one who has the obligation to guarantee the application
of the data protection regulations and the protection of the rights of the
 
interested, as well as being able to demonstrate it (articles 5.2, 24, 28 and 32 of the RGPD).
The control of compliance with the law extends throughout the treatment,
From the beginning to the end. The data controller must act, in
in any case, in a diligent, conscious, committed and active manner.
 
 
This mandate of the legislator is independent of whether the treatment is carried out
directly the person in charge of the treatment or that it is carried out using a
treatment manager.
 
 
In addition, the treatment carried out materially by a treatment manager for
account of the person in charge of the treatment belongs to the sphere of action of this
last, in the same way as if he did it directly himself. The person in charge of
treatment, in the case examined, is an extension of the person responsible for the
treatment.
 
 
In light of the principle of proactive responsibility (art 5.2 RGPD), the person in charge of the
treatment must be able to demonstrate that it has taken into account all the elements
provided for in the GDPR. Before outsourcing a treatment and in order to avoid possible
 
violations of the rights and freedoms of those affected, the person responsible for the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 47/64
 
 
 
 
 
 
 
 
treatment must enter into a contract, other legal act or a binding agreement with the
another entity that establishes clear and precise obligations regarding the protection of
 
data.
 
The person in charge of the treatment can only carry out treatments on the instructions
documentation of the controller, unless required to do so by law
of the Union or of a Member State, which is not the case. In this regard, article 29
 
of the RGPD refers to the “Processing under the authority of the person in charge or the person in charge
of treatment” in the following terms:
 
“The person in charge of the treatment and any person acting under the authority of the person in charge
or the person in charge and has access to personal data may only process said data following
instructions of the person in charge, unless they are obliged to do so under the Law of the
Union or of the Member States.
 
 
The person in charge of the treatment also has the obligation to collaborate with the
responsible for guaranteeing the rights of the interested parties and fulfilling the obligations
of the person in charge of the treatment in accordance with the provisions of the aforementioned article 28 of the
GDPR (and related).
 
 
Therefore, the data controller must establish clear modalities for
said assistance and give precise instructions to the person in charge of the treatment on how
comply with them adequately and previously document it through a contract or
or in another (binding) agreement and check at all times of the development of the
 
contract its fulfillment in the manner established therein.
 
In the present case, the intervening entities have formalized the corresponding
treatment contract, which includes the provisions of article 28 of the
RGPD, and have arranged the technical and organizational measures that must be applied and
 
maintain the entity in charge of the treatment.
 
It is concluded, therefore, that the facts that determined the opening of the
sanctioning procedure, in relation to the access and treatment of data by
part of Accurate Fund, Inc. and Amazon Development Center (India) Private
 
Limited, are not constitutive of an infringement of the provisions of article 7 of the
RGPD, in relation to article 6.1.a) of the same Regulation.
 
 
                                            IV
 
 
The RGPD, as a common standard and directly applicable to the Member States
of the European Union, establishes a system of protection in those cases in which
that the international transfer of personal data covered by your
regulation. The purpose of this system is to guarantee that the protection
 
granted by the community standard is not diminished by the export of said data to
countries outside the European Union.
 
The general principle of this protection system, established in article 44 of the
RGPD, is that the data can only be exported if, on the one hand, the
 
treatment object of the transfer is lawful and complies with the provisions of the RGPD and,
on the other, if it complies with the conditions established in Chapter V of the same
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 48/64
 
 
 
 
 
 
 
 
 
legal text (articles 44 to 50).
 
Article 45 of the RGPD establishes, as a main rule, that a
transfer of personal data if the country, territory or international organization
 
addressee guarantees an adequate level of protection recognized by a decision of
adequacy dictated by the European Commission.
 
In the absence of said adequacy decision, article 46 of the RGPD authorizes
 
carry out transfers if the person in charge or the person in charge had offered guarantees
adequate. These adequate guarantees, which can materialize through a
series of instruments referred to in the same article, are subdivided in turn into two
groups: those to which the RGPD itself grants the nature of adequate guarantee
 
by themselves, and those who will additionally need the authorization of the
competent control authority.
 
The following scenario contemplated by the RGPD, in the absence of a decision to
 
adequacy and adequate safeguards (including binding corporate rules)
is to allow transfers to be made if any of the conditions
stated in article 49.1. of the RGPD, which establishes the following:
 
"one. In the absence of an adequacy decision in accordance with Article 45(3),
 
or adequate guarantees in accordance with article 46, including corporate rules
binding, a transfer or set of transfers of personal data to a third party
country or international organization will only be carried out if any of the
following conditions:
 
a) the data subject has explicitly consented to the proposed transfer, after
have been informed of the possible risks to him of such transfers due to the
 
absence of an adequacy decision and adequate guarantees;
 
b) the transfer is necessary for the execution of a contract between the interested party and the
responsible for the treatment or for the execution of pre-contractual measures adopted to
request of the interested party;
 
c) the transfer is necessary for the conclusion or execution of a contract, in the interest of the
interested party, between the data controller and another natural or legal person;
 
 
d) the transfer is necessary for important reasons of public interest;
 
e) the transfer is necessary for the formulation, exercise or defense of
claims;
 
f) the transfer is necessary to protect the vital interests of the interested party or of other
 
persons, when the interested party is physically or legally incapable of giving his
consent;
 
g) the transfer is made from a public registry which, in accordance with Union Law
or of the Member States, is intended to provide information to the public and is open to
consultation of the general public or of any person who can prove a legitimate interest,
but only to the extent that, in each particular case, the conditions that
establishes the Law of the Union or of the Member States for consultation.
 
 
When a transfer cannot be based on the provisions of articles 45 or 46,
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 49/64
 
 
 
 
 
 
 
 
including the provisions on binding corporate rules, and no applicable
of the exceptions for specific situations referred to in the first paragraph of the
this section, it can only be carried out if it is not repetitive, affects only a number
limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued
 
by the person in charge of the treatment over which the interests or rights do not prevail and
freedoms of the data subject, and the data controller assessed all the circumstances
concurrent in the transfer of data and, based on this evaluation, offered guarantees
appropriate with respect to the protection of personal data. The data controller
will inform the control authority of the transfer. In addition to the information they do
reference to articles 13 and 14, the data controller shall inform the interested party of the
transfer and the compelling legitimate interests pursued.
 
 
In this case, as already stated in Basis of Law III, the prior process
background check requests the consent of the interested parties for the
communication of data to the merchants Accurate Background, Inc. and Amazon
Development Center (India) Private Limited. When these companies are located
 
in the United States and India, respectively, there would be a transfer
international data collection for whose execution it would be necessary to comply with the requirements
that around this figure establishes the RGPD.
 
In addition, the service contract that AMAZON ROAD and the participants in the
 
program “***PROGRAMA.1” sign, in its clause 13(b), refers to the
issue of international transfers as follows:
 
“You consent to Amazon and any Related Entities (as
such term is defined below) carries out the transfer of “personal data
personal” (in the sense provided for in the General Data Protection Regulation –
Regulation (EU) 2016/679 and Organic Law 15/1999, of December 13, on the Protection of
 
Personal Data relating to you to any Related Entity located outside the
European Economic Area (the “EEA”) to promote the legitimate interests of Amazon and/or
any Related Entity […] “Related Entity” is understood as the “holding company”
of Amazon, any “affiliated company” or an affiliate of its holding company.”
 
From this it seems to be inferred, in principle, that the entity claimed intends to
 
base the international transfer of personal data on the figure of the
consent of the interested party, which article 49.1.a) of the RGPD configures as a
of the conditions that, exceptionally, allow transfers to be made
in the absence of an adequacy decision and adequate guarantees.
 
 
Now, for this circumstance to occur, this consent must
not only comply with the general requirements that the RGPD imposes in relation to the
consent (free, informed, specific and unequivocal), but would also have
to be granted explicitly and the information to be provided in advance
should refer to the risks for the interested party about the realization of
 
an international transfer in the absence of adequacy decision and guarantees
adequate.
 
The additional requirement that consent in this circumstance be
 
formality of being explicit is equivalent, in accordance with Guidelines 5/2020 of the Committee
European Data Protection, to make an express declaration of the
consent. The most obvious way would be to make a written declaration,
although in the digital or online environment forms can be enabled that could
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 50/64
 
 
 
 
 
 
 
 
valid explicit consent, such as filling out an electronic form
or use the electronic signature. Likewise, in the case of web pages, this
 
explicit consent could be collected by inserting some boxes with the options
to accept and not accept together with a text referring to consent that is clear to
the interested party, provided that appropriate security measures are adopted for the environment in which
which consent is given.
 
 
In this case, taking into account what has been stated about the requirements that the
consent, in the agreement to open the procedure an analysis of the
clauses of the contract in reference to international transfers (clause
13.b), resulting in the requested consent not being in accordance with the provisions of
the RGPD, taking into account the indefinite information provided to the interested parties and that
 
only the final acceptance of the clauses of the contract is enabled. For this reason,
said opening agreement contains an imputation for infraction of what is established in
article 49.1 of the RGPD, typified in article 83.5 of the same norm.
 
Subsequently, on the occasion of the processing of allegations at the opening, AMAZON ROAD
 
has stated that the international transfers it makes to companies in the
group or its suppliers located outside the EEA are not based on the
consent of the interested party and comply with the guarantees required by the RGPD.
 
And it points out in this regard that it has signed with each entity the corresponding
 
standard contractual clauses approved by the European Commission through Decision
2010/87/UE, of February 5, 2010, relative to the standard contractual clauses for the
transfer of personal data to those in charge of the treatment established in
third countries, in accordance with Directive 95/46/CE, which constitute a
of the guarantees that can be offered by data controllers in accordance with


the provisions of article 46 of the RGPD.


In this sense, it should be pointed out that although recital 52 of the
In addition, it has proven that Accurate Background Inc, since 08/11/2016, was a
RGPD in fine establishes with respect to this exception that “it must also be authorized to
Entity adhered to the EU-US Privacy Shield.
exceptional title the processing of said personal data when necessary
for the formulation, exercise or defense of claims, either by a


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/10


With the allegations to the opening, it has provided the commission contracts of the
treatment, the standard clauses signed and the measures that must be applied. sayings
standard contractual clauses correspond to those approved by the Commission
European through Decision 2010/87/EU.




As stated above, article 46 of the RGPD admits that they may
international transfers, without requiring any authorization
of a control authority, when the person in charge or the person in charge offers
adequate guarantees. This article establishes the following:


“Article 46. Transfers through adequate guarantees


1. In the absence of a decision pursuant to Article 45(3), the controller or processor
treatment may only transmit personal data to a third country or international organization
if it had offered adequate guarantees and provided that the interested parties have
enforceable rights and effective legal actions.


2. Adequate guarantees in accordance with paragraph 1 may be provided, without
requires no express authorization from a control authority, by:




judicial procedure or an administrative or extrajudicial procedure ”; but nevertheless,
C/ Jorge Juan, 6 www.aepd.es
It must be taken into account that the use of health data, even when this
28001 – Madrid sedeagpd.gob.es, 51/64
exception, it is not covered if it violates article 5.1.c) of the RGPD and the data


transferred are excessive in relation to the purpose, since the
need to specify all vacations, permits and, especially since they are data
health, casualties with their causes to seek their defense.


On the other hand, the claimed entity also alleges in its brief of allegations to the
motion for a resolution that evidence has been rejected by this body.




In this sense, it should be noted that this Agency has not rejected any evidence
presented by the claimed party, it has only been considered that with the
evidence in this procedure, it is not necessary to request the City Council of
Donostia / San Sebastián the recording of the session incorporated into the diary of sessions of


the Territory Planning and Development Commission dated December 9,
2020.


This is so because it has been proven that they have been transferred by the entity
claimed, health data of the claimant, specifically dates of medical leave,
reasons for the same and permissions, and therefore, the claimed entity has been


exceeding the processing of the personal data of the claimed party, even if it has
legitimacy for its internal use in its relations with the worker or claimant, but
you have no legitimacy to use them beyond your employment relationship with the claimant,
without your express consent.


[…]


In another vein, it has also been found that in response to the
d) standard data protection clauses adopted by a supervisory authority and approved
requirement of the Public Housing Business Entity-Donostiako Etxegintza,
by the Commission in accordance with the review procedure referred to in Article 93,
as a result of the complaints filed by the claimant on July 14 and July 9
September 2020 due to lack of assignment of human and material resources, the
claimed entity provided the claimant's email without having their


consent.
section 2;


In this sense, the claimed entity claims to know the email of the
[...]”.
complainant, because it was the form of company-worker communication, so at the
facilitate the personal email of the claimant, to a third entity, has
exceeded the purpose for which said personal data was provided, thereby violating the


principle of purpose limitation, regulated in article 5.1 b) of the RGPD,
This would be the case of transfers covered by the guarantees provided
indicated in the foundation of law II.
for contracts based on the standard contractual clauses of the Decision


Therefore, when the claimant's health data is transferred, (dates of medical leave,
2010/87/EU, such as those signed by AMAZON ROAD, which remain in force.
reasons for the same and permits with their respective causes, including COVID) and the


personal email of the claimant, this Agency considers, on the one hand, that
The Execution Decision (EU) 2021/914, of the Commission, of June 4, 2021, which
are treating specially protected data, in accordance with article 9 of the
approves the new standard contractual clauses for the transfer of data
RGPD (health data), and on the other that personal data is being processed
(personal email) for a purpose other than mere communication between
the worker and the company, in accordance with article 5.1 b) of the RGPD.


data to third countries in accordance with the RGPD, establishes a period of
transitory validity for contracts concluded within the framework of decision 2010/87/EU
until 09/27/2022 (this decision is repealed with effect from 09/27/2021, but
contracts concluded before this date are considered to offer guarantees
adequate in the sense of article 46.1 of the RGPD until 09/27/2022, provided that


All this results in an excessive use of personal data by the
the treatment operations that are the object of the contract remain unchanged
claimed entity, since despite the fact that data protection regulations require that
and that the standard contractual clauses guarantee that the transfer of data
the processing of personal data is adequate, pertinent and limited to what
is subject to adequate guarantees - Article 4 of the Execution Decision
(EU) 2021/914).


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10


Consequently, in accordance with the foregoing, international transfers
object of the actions do not require the interested party to give their consent, since
that this consent only operates, according to article 49.1.a) of the RGPD, as a
exception that would enable to carry out this transfer in the absence of a decision


specific adequacy and adequate guarantees in accordance with article 46
of the same regulation.


It is appropriate to conclude, therefore, that the facts that determined the opening of the
sanctioning procedure, in relation to international transfers that


AMAZON carries out within the framework of the “***PROGRAMA.1” program, they are not
constituting an infringement of the provisions of article 49.1 of the RGPD.






                                            v


strictly necessary in relation to the purposes for which they are processed, such as
In the event that there is an infringement of the provisions of the RGPD, between the
consequence of the complaint filed by the claimant against the entity
corrective powers available to the Spanish Data Protection Agency,
claimed before the Public Housing Business Entity-Donostiako Etxegintza by
as a control authority, article 58.2 of said Regulation contemplates the


lack of assignment of human and material resources, the claimed entity has
following:
violated the principle of data minimization, by providing said public entity
business for your defense, health data and personal email of the
claimant, which makes us face an alleged violation of the
article 5.1 c) of the RGPD, indicated in the basis of law II.


“2 Each control authority will have all the following corrective powers indicated below:
continuation:
(…)
b) sanction any person responsible or in charge of the treatment with a warning when the
treatment operations have violated the provisions of this Regulation;”
(...)


Therefore, it is considered convenient to reiterate that it is not considered necessary to require the
d) order the person responsible or in charge of the treatment that the treatment operations be
Donostia / San Sebastián City Council the contribution of the recording of the session
comply with the provisions of this Regulation, where appropriate, of a given
incorporated into the journal of sessions of the Development and Planning Commission of the
C/ Jorge Juan, 6 www.aepd.es
Territory dated December 9, 2020, as suggested by the claimed entity,
28001 – Madrid sedeagpd.gob.es, 52/64
since with the documentation in this file, the


denounced events, which are ultimately an excess of personal data provided
by the claimed entity to justify its action, to the detriment of the
claimant, when processing especially sensitive data, and therefore especially
protected, such as health data, in accordance with the provisions of the
Article 9 of the RGPD.




                                          IV


Article 58.2 of the RGPD provides the following: “Each supervisory authority will have
of all of the following corrective powers listed below:




b) direct a warning to any person in charge or in charge of the treatment when the
treatment operations have infringed the provisions of this Regulation;


d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,


in a certain way and within a specified time;


i) impose an administrative fine in accordance with article 83, in addition to or instead of the
manner and within a specified time;
(…)
i) impose an administrative fine under article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
measures mentioned in this section, according to the circumstances of each case
particular;
particular;".
 
 
According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d)
above is compatible with the sanction consisting of an administrative fine.
 
 
 
                                              SAW
 
The exposed facts do not comply with the provisions of article 6.1 of the RGPD, in
relation to article 10 of the same law, as well as article 10 of the
LOPDGDD, in relation to the processing of personal data related to convictions and
 
criminal offences, which supposes the commission of an infraction typified in the
article 83.5 of the RGPD and in article 71 of the LOPDGDD.
 
Article 83 of the RGPD, under the heading "General conditions for the imposition of
 
administrative fines” provides the following:
 
"5. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a
company, of an amount equivalent to a maximum of 4% of the total annual turnover
 
of the previous financial year, opting for the highest amount:
 
a) the basic principles for the treatment, including the conditions for the consent to
tenor of articles 5, 6, 7 and 9”.
 
Likewise, article 71 of the LOPDGDD states that "Infractions are those
 
acts and conduct referred to in sections 4, 5 and 6 of article 83 of the
Regulation (EU) 2016/679, as well as those that are contrary to this law
organic.”
 
 
For its part, article 72.1 of the LOPDGDD considers as "very serious", for the purposes of
of the limitation period for infractions:
 
"one. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose a
 
substantial violation of the articles mentioned therein and, in particular, the following:
 
b) The processing of personal data without the concurrence of any of the conditions of legality of the
treatment established in article 6 of Regulation (EU) 2016/679.
 
[…]
 
f) The processing of personal data related to convictions and criminal offenses or measures of


related security outside the cases allowed by article 10 of the Regulation (EU)
2016/679 and in article 10 of this organic law.


                                          V
[...]”.


In order to determine the administrative fine to be imposed, the
In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state:
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 53/64
 
 
 
 
 
 




"Each control authority will guarantee that the imposition of administrative fines
in accordance with this article for infringements of this Regulation
indicated in sections 4, 5 and 6 are effective in each individual case,
proportionate and dissuasive. "


provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:


"Administrative fines will be imposed, depending on the circumstances of each
"one. Each control authority will guarantee that the imposition of administrative fines with


individual case, as an additional or substitute for the measures contemplated in the
in accordance with this article for the infringements of this Regulation indicated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.
administrative and its amount in each individual case will be duly taken into account:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/10


2. Administrative fines will be imposed, depending on the circumstances of each case
individually, in addition to or as a substitute for the measures referred to in article 58,
section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount


In each individual case, due account shall be taken of:
a) the nature, seriousness and duration of the offence, taking into account the nature,
scope or purpose of the treatment operation in question as well as the number of
affected parties and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to alleviate the
damages suffered by the interested parties;


d) the degree of responsibility of the data controller or processor, taking into account
of the technical or organizational measures that they have applied by virtue of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;


h) the way in which the supervisory authority became aware of the infringement, in particular if the
The person responsible or the person in charge notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, section 2, have been ordered
previously against the person in charge or the person in charge in question in relation to the same
matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or certification mechanisms


approved under article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as
financial benefits obtained or losses avoided, directly or indirectly, through
the infraction”.


For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD


has:


a) the nature, severity and duration of the offense, taking into account the
"one. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU)
nature, scope or purpose of the processing operation in question as well
2016/679 will be applied taking into account the graduation criteria established in the
such as the number of interested parties affected and the level of damages that


have suffered;
section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, also
may be taken into account:


b) intentionality or negligence in the infringement;
a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of data processing
personal.
 
c) The profits obtained as a result of committing the offence.
d) The possibility that the conduct of the affected party could have induced the commission of the crime.
infringement.
e) The existence of a merger by absorption process subsequent to the commission of the infraction,
that cannot be attributed to the absorbing entity.
f) Affectation of the rights of minors.
 
g) Have, when not mandatory, a data protection delegate.
h) Submission by the person in charge or person in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which there are
controversies between them and any interested party”.
 
28001 – Madrid 6 sedeagpd.gob.es, 54/64
 
 
 
 
 
 
 
 
 
In this case, considering the seriousness of the infringement found, the
imposition of a fine and, where appropriate, the adoption of measures. In this regard, the fine
 
imposed must be, in each individual case, effective, proportionate and
dissuasive, in accordance with the provisions of article 83.1 of the RGPD.
 
In accordance with the precepts indicated, in order to set the amount of the penalties
to impose in the present case, it is considered appropriate to graduate the fines of
according to the following criteria:
 
 
1. Infringement of article 6.1 of the RGPD in relation to article 10 of the same
standard, as well as article 10 of the LOPDGDD, typified in article 83.5.a) and in the
Article 71 of the LOPDGDD, and classified as very serious for the purposes of prescription in
Article 72.1 of the LOPDGDD:
 
 
The following graduation criteria are considered concurrent as aggravating:
 
    . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the
    infringement, taking into account the nature, scope or purpose of the operation
    of treatment in question as well as the number of interested parties affected and the
 
    level of damages they have suffered.
 
        . The nature and seriousness of the infringement, taking into account the nature of the
        personal information to which the offending conduct refers.
 
 
        . The duration of the infringement, considering the period during which
        AMAZON ROAD required carriers to provide a certificate of absence of
        criminal record.
        In addition, the infraction that is sanctioned has the character of an infraction
        permanent, considering that its effects are maintained over time
 
        beyond the initial act and throughout the duration of the offending conduct.
        With the collection and preservation of the certificate of absence of criminal records
        penalties creates an unlawful state that lasts over time, whose
        cessation depends on who commits the infraction. On this concept,
        Judgment of 05/27/2006, the TS has declared that "they constitute infractions
        those unlawful conducts that persist over time and do not
 
        are exhausted with a single act, determining the maintenance of the situation
        unlawful at the will of the author, case of development at the time of
        activities without the required authorizations and other similar assumptions.
 
        In relation to this graduation factor, the respondent has argued that the
 
        negative certificates were kept for 90 days to carry out the
        verification, so currently and since May 2020 (three months
        after suspending the collection of these certificates in March 2020),
        does not have any data of this type. As proof, it provides a “certification” of
        Accurate Background, of 01/19/2022, in which it declares that any data
 
        relative to the candidates of the program “***PROGRAMA.1” is eliminated at 90
        days, according to the instructions of the Amazon account. So understand that
        entity that the infringement cannot be classified as permanent.
 
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 55/64
 
 
 
 
 
 
 
 
        However, these circumstances do not conform to the findings made
        manifested in the proceedings, nor had they been manifested by AMAZON
        ROAD previously. The only instructions given by that entity to
 
        Accurate Background on the treatment of the data are those that consist
        in the treatment contract, which, in terms of the
        conservation of the data, stipulate that the person in charge of the treatment
        return all the personal data to the person in charge or proceed to its
        destruction at the termination of the contract, at the choice of the person responsible for the
        treatment, and that the personal data will be treated by the person in charge of the
 
        treatment during the term of the services.
 
        In addition, as it was a requirement that conditioned the hiring, since
        the claimant knows that carriers adhering to the program
        “***PROGRAMA.1” do not have a criminal record.
 
 
        In any case, the infraction would not lose its permanent character, in the
        extent to which it has been occurring since AMAZON ROAD received the
        “transport operator business” and succeeded Amazon Spain Fulfillment,
        S.L.U. in all legal relationships affected by said business, after the
        split that took place on 06/28/2019.
 
 
        . The number of interested parties: the treatment operations that incur the
        indicated infraction derive from a general procedure established by the
        claimed that affects all applicants to participate in the program
        “***PROGRAMA.1”, with respect to which the certificate of
 
        criminal record.
 
        The respondent has stated that the processing of data related to the
        negative criminal record certificates only affected 16.76%
        of all registered last-mile drivers in Spain, at
 
        represent the program “***PROGRAM.1” a small proportion of the
        transport providers that deliver in Spain (they have never
        exceeded 5%). However, it does not provide any evidence in this regard or detail
        how much are those affected that are included in such percentages.
 
        In the allegations to the proposal, the respondent insists on the figures
 
        indicated, but without providing any evidence and without specifying the number of
        affected that supposedly represent these percentages, despite the fact that
        this lack of justification and detail was already evident in the proposal for
        resolution.
 
 
        . The level of damages suffered by the interested parties, to the extent
        that the processing of data relating to criminal records has
        conditioned their hiring options and has increased the risks
        about your privacy.
 
 
        Regarding this aggravating factor, AMAZON ROAD points out that requiring the
        negative criminal record certification has not harmed the
        participants in the program because it contracted with all the carriers that
        they had that document, which implies, on the contrary, that he did not hire
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 56/64
 
 
 
 
 
 
 
 
        those who did not have such a document when they applied for the job;
        Likewise, it does not consider possible interested parties who could choose not to
        attend the program for this reason.
 
 
        Nothing alleges, however, about the intrusion into the privacy of the interested parties
        and the risks that this certificate represents for it.
 
    . Article 83.2.b) of the RGPD: "b) the intention or negligence in the infringement".
 
 
    The negligence found in the commission of the offence, taking into account that
    the requirements demanded by the claimed entity to the carriers go beyond
    of what is required by the regulations governing the transport of goods.
 
    This circumstance, in addition to the meanings in the previous section, highlight
 
    manifest the negligent action of AMAZON ROAD. In this regard, one has
    taking into account what was declared in the Judgment of the National High Court of 10/17/2007 (rec.
    63/2006) that, based on the fact that these are entities whose activity has
    coupled with continuous data processing, indicates that “…the Supreme Court
    has come to understand that recklessness exists whenever a duty is neglected
    legal care, that is, when the offender does not behave with due diligence
 
    required. And in assessing the degree of diligence, it must be weighed
    especially the professionalism or not of the subject, and there is no doubt that, in the
    case now examined, when the activity of the appellant is constant and
    abundant handling of personal data, it must be insisted on the rigor and
    exquisite care to adjust to the legal precautions in this regard”.
 
 
    It is a company that processes personal data in a
    systematic and continuous and that it must take extreme care in the fulfillment of its
    data protection obligations.
 
 
    AMAZON ROAD questions the negligence appreciated in the commission of the
    infraction and considers, even, that his action cannot be branded as
    reckless or irresponsible, but diligent and worthy of being valued as
    a mitigating factor, having accommodated his behavior to the interpretation of the
    data protection regulations arising from the Agency itself and from the courts
    of Justice.
 
 
    According to said entity, it began to require certificates of absence of
    criminal record before the Agency had a clear criterion,
    consolidated, express and public in this regard, which, moreover, does not coincide with that of
    other data protection authorities; and before it was issued
 
    Judgment of the National Court of February 10, 2020; having ceased
    in this collection of the certificate as soon as it became aware of the existence of a criterion
    Contrary to the interpretation that, in good faith, it understood appropriate to the activities
    that were going to take place.
 
 
    Likewise, it alleges in this regard that there were resolutions of the Agency itself that
    endorsed the interpretation that Amazon Road made of article 10 of the RGPD;
    made a telephone inquiry to the Ministry of Justice which, informally,
    endorsed said proposal; that the literal interpretation of article 10 of the RGPD and 10
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 57/64
 
 
 
 
 
 
 
 
    of the LOPDGDD suggested that these articles do not refer to any data
    related to criminal records, but data related to convictions and
    criminal offenses; that this interpretation is supported by other jurisdictions;
 
    and it was in accordance with the previous regulations on data protection; and what in
    March 2020 suspended the treatment of such negative certificates.
 
    AMAZON ROAD's claim cannot be accepted. Understand this Agency
    that the diligence must be deduced from conclusive facts, which
    duly accredited and directly related to the elements that
 
    constitute the infraction in the current regulations, in such a way that it can be deduced
    that it has occurred despite all the means provided by the
    responsible to avoid it.
 
    In this case, this Agency does not understand that the arguments defended by the
 
    claimed entity have that character.
 
    Said entity does not explain how it can be accepted that its conduct has been diligent
    for being adjusted to a regulation that is not in force, in the event that it were so, that
    it is not. In the foundations of this resolution it has already been explained that the
    Previous regulations already contemplated the prohibition of processing personal data
 
    relating to criminal offences, with express reference to Directive 95/46/EC and
    to Convention No. 108 of the Council of Europe. The repealed Organic Law 15/1999,
    of December 13, on the protection of personal data, in its article
    7.5, established that these data could only be recorded in records of the
    Competent Public Administrations.
 
 
    Nor does AMAZON ROAD explain what other jurisdictions have endorsed its
    “interpretation” of the applicable norms.
 
    It is even less acceptable to defend that diligence on the basis of a supposed consultation
 
    that the respondent entity itself qualifies as "informal". Facing it,
    The RGPD has provided for a mechanism such as "prior consultation" so that the
    Those responsible can consult the supervisory authority before carrying out a
    high-risk data processing.
 
    It is confirmed, on the other hand, that the suspension in the collection of the
 
    criminal record certificates was adopted in March on a temporary basis,
    but for reasons other than those stated. This decision was made by the
    state of alarm situation and the difficulty of obtaining repeated certificates
    during this period.
 
 
    Nothing is said, on the other hand, about the previous analyzes carried out to determine the
    feasibility of data processing and its legal basis; nothing about the risks
    entails and the impact assessments carried out; and not about the
    weighting of interests at stake that requires data processing based on
    in the legitimate interest of the controller.
 
 
    AMAZON ROAD has generally sought to reduce the issue raised, also
    in relation to diligence, to an interpretive question of the norm, but
    omitting substantial aspects of it that would also determine the
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 58/64
 
 
 
 
 
 
 
 
    unlawfulness of the processing of personal data, even if the "interpretation"
    of the claimed. It does not deny that personal data is processed, but it omits that the
    The processing of these data requires in any case a legal basis and omits
 
    also all the arguments that are exposed in this respect in the
    Legal foundations of this act. According to these arguments,
    sufficiently developed, which have been completely ignored by
    AMAZON ROAD, it cannot be concluded that the actions of this entity have been
    diligent.
 
 
    . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the
    data processor, taking into account the technical or organizational measures
    that they have applied by virtue of articles 25 and 32”.
 
    The imputed entity does not have adequate procedures in place for
 
    performance in the collection and processing of personal data, in what
    refers to the collection and processing of personal data of carriers
    applicants to participate in the program "***PROGRAMA.1", so that the
    infringement is not the consequence of an anomaly in the functioning of said
    procedures but a defect in the personal data management system
    designed by the person in charge. Said procedure was adopted by the respondent to
 
    own initiative establishing requirements that exceeded the forecasts
    applicable regulations.
 
    In the opinion of AMAZON ROAD, the infringement results from an interpretation of the
    standard and has nothing to do with the personal data management system
 
    designed by the same, and adds that in his previous writings he exposed the
    technical and organizational measures implemented. However, what is here
    values has to do, as has been well expressed above, with the decision
    adopted by the claimed entity itself, within its scope of responsibility,
    include the collection of the criminal record certificates in question between the
 
    documentation that a participant in “***PROGRAMA.1” had to provide. The
    infringement responds, therefore, to a procedural decision and not to a
    point anomaly. As has been said, that decision is taken beyond what
    required by the regulatory framework that regulates the activity of contractors.
 
    . Article 83.2.g) of the RGPD: “g) the categories of personal data
 
    affected by the infringement.
 
    Personal data related to convictions and
    criminal offences, a category especially deserving of guarantees.
 
 
    AMAZON ROAD alleges that the data processing related to the
    negative criminal record certificates cannot be compared with the
    processing of data on convictions and criminal offenses. In this regard, we
    we refer to what is expressed in the Law Foundations of this act.
 
 
    . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender
    with the processing of personal data”.
 
    The high link between the activity of the offender and the performance of treatment
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 59/64
 
 
 
 
 
 
 
 
    of personal data, considering the level of implementation of the entity and the
    activity that it develops, in which the personal data of thousands of
 
    of interested parties, whether they are clients receiving the shipment, employees or
    self-employed contractors. This circumstance determines a higher degree of
    demand and professionalism and, consequently, of responsibility of the
    entity claimed in relation to the processing of the data.
 
 
    The respondent points out in this regard that her activity is related to the
    logistics, as a transport operator, and not with the exploitation of databases.
    However, this fact does not contradict the circumstances considered in the
    previous paragraph, which entail the requirement of a high degree of
    professionalism in the treatment of personal data.
 
 
    The same can be said, specifically, in relation to data processing
    in the workplace, considering the number of employees available and
    professionals who serve you.
 
 
    Nothing to do with the precedent that he cites in his allegations, referring to a
    company with a single client, compared to the thousands served by AMAZON ROAD.
 
    . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor
    applicable to the circumstances of the case, such as the financial benefits obtained
 
    or losses avoided, directly or indirectly, through the infringement”.
 
    AMAZON ROAD's status as a large company and volume of business. consists
    in the actions that said entity has the status of (...).
 
 
    AMAZON ROAD requests that this aggravating circumstance be assessed based on
    the figures for the 2019 financial year, lower than those offered in 2020, but it does not consider
    said entity that the period of development of operations in 2019 is less than
    six months, counted from the date you received from Amazon Spain Fulfillment,
    S.L.U. the transport operator business. Extrapolating the 2019 figures to a
 
    period of one year, the differences with 2020 are not significant.
 
Considering the exposed factors, the valuation reached by the fine, for the
Violation of article 6.1 of the RGPD in relation to article 10 of the same rule,
as well as article 10 of the LOPDGDD, is 2,000,000 euros (two million
 
euros).
 
None of the considered graduation factors is attenuated by the fact that
that the claimed entity has not been subject to a sanctioning procedure with
previously, a circumstance that has been alleged by the claimed entity so that
 
be considered a mitigating factor.
 
In this regard, the AN Judgment of 05/05/2021, rec. 1437/2020, indicates:
 
“Considers, on the other hand, that the non-commission of a crime should be considered as mitigating
previous offense. Well, article 83.2 of the RGPD establishes that it must be taken into account
for the imposition of the administrative fine, among others, the circumstance "e) any infraction
 
committed by the person in charge or the person in charge of the treatment". This is a
aggravating circumstance, the fact that the budget for its application does not concur
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 60/64
 
 
 
 
 
 
 
 
entails that it cannot be taken into consideration, but does not imply or allow, as intended
the plaintiff, its application as a mitigating factor.”
 
According to the aforementioned article 83.2 of the RGPD, when deciding to impose a fine
 
administrative and its amount must take into account "all previous infractions committed
by the person responsible”. It is a normative provision that does not include the inexistence of
previous infractions as a grading factor of the fine, which must
be understood as a criterion close to recidivism, although broader.
 
 
The same can be said regarding the absence of benefits also alleged as
mitigation by the entity claimed. On this criterion, article 76.2 of the
LOPDGDD, in its letter c), includes among the criteria that must be weighed when
set the amount of the sanction "the benefits obtained as a result of the
commission of the infraction” and not the absence of these benefits. The same sentence of
the aforementioned National Court, of 05/05/2021, refers to the need for
 
the "budget" in fact contemplated in the norm so that a
certain graduation criterion, and, as has been said, the absence of benefits does not
is among the circumstances regulated in the cited article.
 
This graduation criterion is established in the LOPDGDD in accordance with the provisions
 
in article 83.2.k) of the RGPD, according to which administrative fines will be imposed
taking into account any “aggravating or mitigating factor applicable to the
circumstances of the case, such as the financial benefits obtained or the losses
avoided, directly or indirectly, through the infraction”, it being understood that avoiding
a loss has the same nature for these purposes as a gain.
 
 
If we add to this that the sanctions must be effective "in each individual case",
proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD,
admitting the absence of benefits as a mitigating factor is not only contrary to the
presuppositions of facts contemplated in article 76.2.c), but also contrary to
what is established in article 83.2.k) of the RGPD and the indicated principles.
 
 
Thus, assessing the absence of benefits as a mitigating factor would nullify the effect
dissuasive of the fine, to the extent that it reduces the effect of the circumstances that
effectively affect its quantification, reporting to the person in charge a benefit to the
that has not been deserved. It would be an artificial reduction of the sanction that can
 
lead to understand that violating the norm without obtaining benefits, financial or of the type
Whatever it may be, it will not produce a negative effect proportional to the seriousness of the act
offender.
 
In any case, the administrative fines established in the RGPD, in accordance with the
established in its article 83.2, are imposed based on the circumstances of each
 
individual case and, at present, the absence of benefits is not considered to be a
adequate and decisive grading factor to assess the seriousness of the behavior
offending Only in the event that this absence of benefits is relevant to
determine the degree of unlawfulness and culpability present in the specific
infringing action may be considered as a mitigating action, in application of article
 
83.2.k) of the RGPD, which refers to “any other aggravating or mitigating factor
applicable to the circumstances of the case.
 
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 61/64
 
 
 
 
 
 
 
 
Regarding the fact that the defendant has not been sanctioned previously, in its
latest allegations, cites three precedents in which this Agency has considered
this circumstance as an extenuating circumstance. One of these precedents is also invoked
 
to request that the non-obtaining of any benefit by the
claimed facts.
 
In this regard, the provisions of article 35.1.c) of Law 39/2015 are considered,
of October 1, of the Common Administrative Procedure of the Administrations
Public, according to which an administrative act can be separated from the criteria followed in
 
preceding actions, provided that said decision is properly motivated
 
On the other hand, in order for it to be considered a mitigating circumstance,
the respondent has stated that the processing of data object of the claim was
suspended in March 2020 and has not been resumed. On this matter, you should
 
It should be noted that the aforementioned entity has not provided any evidence; that said decision
confirmed, it would have been adopted with the prior intervention of the AEPD and for reasons
of the claim that has motivated the actions; and that is insufficient for
“to remedy the infringement and mitigate the possible adverse effects of the infringement”,
according to the terms of article 83.2.f) of the RGPD, or “to mitigate the damages
suffered by the interested parties”, according to section 2.c) of the same article. Can not
 
be understood as mitigating, in no case, the cessation of the offending behavior
of the legal system. Mitigate adverse effects or mitigate damages
caused imply actions greater than the mere cessation of the conduct, to the
effects of restoring, to the extent possible, the rights of the interested parties.
 
 
AMAZON ROAD insists on this fact in the written arguments for the proposal,
clarifying that this decision was motivated by the circumstances of the moment, in
express reference to the pandemic situation, and that this was communicated to users
of the program “***PROGRAMA.1” by email in March 2020.
 
 
It also points out that said temporary suspension became definitive after
know the Judgment of 02/10/2020, issued by the Social Chamber of the High Court
Nacional, without specifying when that decision was made; and that all this happened before the
opening of the sanctioning procedure.
 
Provides a copy of the mail supposedly sent to the carriers in March, but
 
no proof of its effective shipment. In any case, it should be noted that, according to
expressed in the text of the email provided, the temporary suspension of the collection of the
criminal record certificate is adopted due to the impossibility of obtaining it due to
to the state of alarm. In this same email, the recipients are summoned to provide the
criminal record certificate within 60 days (“However, you must
 
upload this document within 60 days from the end of the registration in
***PROGRAM.1. If after this period you have not uploaded the document, you will no longer be
eligible to participate in the program ***PROGRAM.1”).
 
It should also be noted that AMAZON ROAD, in the response letter to the transfer
 
of the claim, dated 06/30/2020, still qualified that suspension as
temporary. Then, the decision not to collect those certificates is made once
known the claim through this Agency.


c) any measure taken by the person in charge or in charge of the treatment to
mitigate the damages suffered by the interested parties;


d) the degree of responsibility of the person in charge or the person in charge of the treatment,
C/ Jorge Juan, 6 www.aepd.es
taking into account the technical or organizational measures that have been applied by virtue of
28001 – Madrid sedeagpd.gob.es, 62/64
of articles 25 and 32;




e) any previous infringement committed by the person in charge or the person in charge of the treatment;


f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;


g) the categories of personal data affected by the infringement;


h) the way in which the supervisory authority became aware of the infringement, in
particular if the person in charge or the person in charge notified the infraction and, in such case, in what
measure;




i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures;


j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and


k) any other aggravating or mitigating factor applicable to the circumstances of the case,
                                          7th


such as financial benefits obtained or losses avoided, direct or
indirectly, through the offense. "


The infraction committed may lead to the imposition of the person responsible for the adoption of
appropriate measures to adjust their actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, according to the
which each control authority may “order the person in charge or in charge of the
treatment that the treatment operations comply with the provisions of the
this Regulation, where appropriate, in a certain way and within a


Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and
specified period […]”.
corrective measures ”, provides:


"two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also
Thus, it is appropriate to require the responsible entity so that, within the period indicated in
may be taken into account:
the operative part, adapt to the personal data protection regulations the
treatment operations that it carries out and the information that it provides to the interested parties,


with the scope expressed in the Legal Basis of this agreement.


a) The continuing nature of the offense.
Specifically, it is appropriate to require AMAZON ROAD to cease the conduct
offender, regarding the requirement of a certificate of absence of criminal record
penalties for applicants in the program “***PROGRAMA.1”; correct the effects of
the infraction that had been committed, which entails the suppression of all the


b) The linking of the offender's activity with the performance of data processing
information regarding said certificates that could have been provided by the
personal.
contracted or would-be carriers; and the necessary adaptation is carried out, in
this case, to the requirements contemplated in articles 6.1 of the RGPD, in relation to
with article 10 of the same norm, and article 10 of the LOPDGDD.


c) The benefits obtained as a result of the commission of the offense.


The entity claimed affirms that it does not collect the negative certificates of the
participants in the program “***PROGRAMA.1” since March 2020 and that neither
keeps said certificates, alleging that they were only kept for 60 days
from the background check. However, he has not provided any
documentation in this regard that proves that you have actually adopted these


d) The possibility that the affected person's conduct could have led to the commission of the
measures, having eliminated this requirement in the selection processes that follow
infringement.
nowadays. Thus, it does not appear in the proceedings that he has rectified the information
regarding these processes or the registration process in your mobile application, the contract
that is signed with the interested parties, etc.


Regarding the elimination of criminal record certificates after 90 days, it has already been


C / Jorge Juan, 6 www.aepd.es
has previously said that this supposed elimination does not conform to the
28001 - Madrid sedeagpd.gob.es 9/10
stipulations that appear in the contracts signed by AMAZON ROAD with the
in charge of the treatment, who is entrusted with the function of collecting and analyzing the
documentation of applicants to the program “***PROGRAMA.1”. Not included or provided
accredited that AMAZON ROAD has modified its initial instructions to


respect.


On the other hand, said entity must make the appropriate clarifications in the
information on the protection of personal data that it provides to users
stakeholders, in relation to the nature attributed to the intervention in the


data processing by Accurate Background, Inc. and Amazon
Development Center (India) Private Limited and on the circumstances serving as
based on international data transfers.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 63/64






e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.


f) Affecting the rights of minors.




g) Have, when not mandatory, a data protection officer.


h) The submission by the person in charge or in charge, on a voluntary basis, to
Alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "


AMAZON ROAD must also provide the means of proof of compliance
of what is required.


In accordance with the transcribed precepts, and without prejudice to what results from the instruction
of the procedure, for the purpose of setting the amount of the fine to be imposed on IZA
OBRAS Y PROMOCIONES, S.A. with NIF A48820229 as responsible for an infraction
typified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent


in the present case, as aggravating factors, the following factors:
In this regard, it is noted that failure to comply with the requirements of this
organism can be considered as a serious administrative infraction to “not
cooperate with the Control Authority” in the face of such requirements, and may be assessed
such conduct at the time of opening an administrative sanctioning procedure
with a pecuniary fine.


- A special category of personal data has been processed, such as
health data, in accordance with article 9 of the RGPD.




Therefore, in accordance with the applicable legislation and the criteria of
Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of sanctions whose existence has been proven,
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE the entity AMAZON ROAD TRANSPORT SPAIN, S.L., with
CIF B88405303, for an infringement of article 6.1 of the RGPD, in relation to the
article 10 of the RGPD and article 10 of the LOPDGDD, typified in article 83.5
of the RGPD and in article 71 of the LOPDGDD, and qualified as very serious for the purposes
of prescription in article 72.1 of the LOPDGDD, a fine of 2,000,000 euros
(Two millions of euros).


the Director of the Spanish Agency for Data Protection RESOLVES:


SECOND: DECLARE the non-existence of infractions in relation to the imputation
to the entity AMAZON ROAD TRANSPORT SPAIN, S.L. of a possible violation of
what is established in articles 7 and 49.1 of the RGPD.


FIRST: IMPOSE IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229,
for an infringement of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD,
a fine of € 50,000 (fifty thousand euros).


SECOND: NOTIFY this resolution to IZA OBRAS Y PROMOCIONES,
THIRD: REQUEST the entity AMAZON ROAD TRANSPORT SPAIN, S.L., to
that, within a period of one month, counted from the notification of this resolution,
adapt to the personal data protection regulations the operations of
treatment that it carries out and the information that it facilitates to the interested parties, with the scope
expressed in Legal Basis VII of this resolution. Within the specified period,


S.A.
AMAZON ROAD TRANSPORT SPAIN, S.L. must justify before this Agency
Spanish Data Protection the attention of this requirement.


THIRD: Warn the sanctioned person that the sanction imposed by a
FOURTH: NOTIFY this resolution to the entity AMAZON ROAD
TRANSPORT SPAIN, S.L.
 
 
FIFTH: Warn the sanctioned party that he must make the imposed sanction effective once
Once this resolution is enforceable, in accordance with the provisions of the
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved


Common of Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
of December 17, through its entry, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency
Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case


Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.
Otherwise, it will be collected in the executive period.


Received the notification and once executive, if the date of execution is found
Received the notification and once executed, if the date of execution is
Between the 1st and the 15th of each month, both inclusive, the deadline to make the payment
between the 1st and 15th of each month, both inclusive, the term to make the payment


volunteer will be until the 20th day of the following or immediately subsequent business month, and if
C/ Jorge Juan, 6 www.aepd.es
between the 16th and last days of each month, both inclusive, the payment term
28001 – Madrid sedeagpd.gob.es, 64/64
it will be until the 5th of the second following or immediate business month.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/10




Line 735: Line 4,600:




voluntary will be until the 20th day of the following month or immediately after, and if
between the 16th and last day of each month, both inclusive, the payment term


It will be until the 5th of the second following month or immediately after.


In accordance with the provisions of article 50 of the LOPDGDD, this
In accordance with the provisions of article 50 of the LOPDGDD, this
Line 741: Line 4,609:




Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
In accordance with the provisions of article 76.4 of the LOPDGDD and given that the
amount of the sanction imposed is greater than one million euros, it will be subject to
publication in the Official State Gazette of the information that identifies the offender, the
offense committed and the amount of the penalty.
 
 
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly


counting from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
Contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the


day following notification of this act, as provided in article 46.1 of the
aforementioned Law.
referred Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.


interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
web/], or through any of the other registers provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the


cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
notification of this resolution would end the precautionary suspension.
 
 
 
Mar Spain Martí
Director of the Spanish Agency for Data Protection
 
 
 
 
 
 
 
 
 


                                                                                  938-231221
Sea Spain Marti


Director of the Spanish Data Protection Agency




Line 798: Line 4,661:




C / Jorge Juan, 6 www.aepd.es
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
28001 Madrid sedeagpd.gob.es
</pre>
</pre>

Latest revision as of 14:25, 24 November 2022

AEPD (Spain) - PS/00267/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 7 GDPR
Article 10 GDPR
Article 49 GDPR
Article 46 GDPR
Article 10 LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 28.11.2019
Decided:
Published: 11.02.2022
Fine: 2000000 EUR
Parties: AMAZON ROAD TRANSPORT SPAIN, S.L.
Unión General de Trabajadores
National Case Number/Name: PS/00267/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined Amazon Road Transport Spain €2,000,000 for violating Article 10 GDPR by requesting criminal record certificates in their hiring process.

English Summary

Facts

A Spanish union (Unión General de Trabajadores, 'UGT') filed a complaint with the Spanish DPA (AEPD) against Amazon Road Transport Spain (Amazon Road). They reported that in their hiring process, Amazon Road asked potential candidates to provide a criminal record certificate. Amazon claimed that they had a legitimate interest in verifying that their transport workers did not have past criminal offenses or convictions in order to protect their customer's safety and trust, since the delivery workers would be entering or coming in close proximity with their customer's households, and would be entrusted with handling products which at times could be of very high value.

Amazon also claimed that processing the of the criminal record certification was necessary in order to perform a contract with the potential transport workers, and that this processing was based on the consent of the data subjects, which if hired would be considered self-employed transporters by Amazon Road. As part of the hiring process, the candidates were required to download the 'Amazon Delivery' app and create an account. In order to advance in the process within the app (which would determine if they were suitable candidates for the job) the candidates were required to consent to the processing of personal data, which included the criminal record certificate.

This process also required candidates to consent to international data transfers of their personal data with third parties. Specifically, Amazon Road asked for the candidates' consent to allow Amazon Road and its related entities (Amazon) to transfer their personal data to third parties outside the European Economic Area (EEA). Such consent allowed a third party located in the United States (Accurate Background) to process the candidates' data in order to verify their criminal records, and the processing of data by one of the company's subdivisions located in India (Amazon Development Centre India - Amazon India) for "support" with the collection, handling and storage of personal data. This general consent clause also stated that it would exonerate Amazon of any responsibility, damages claims, or other charges related to the processing and transfer of data as far as the law permits it.

Amazon Road established an Intra-Group Data Transfer and Processing Agreement with Amazon India and a Data Processing Agreement with Accurate Background, which both included Standard Contractual Clauses (SCCs) with technical and organisational measures required for data processing. Additionally, Accurate Background was adhered to the EU-US Privacy Shield transatlantic data transfer framework.

Holding

The AEPD dismissed Amazon's claims that a certificate of absence of criminal records did not amount to processing of personal data relating to criminal convictions and offences under Article 10 GDPR. According to Amazon, the requirement was limited to a "negative certificate" that did not include the actual content of any criminal convictions and offences, just a certification that there was an absence of these. The AEPD considered that this negative certificate to prove the absence of criminal convictions and offences in itself does constitute personal data related to these, and therefore should not be processed unless authorised by law according to Article 10 GDPR and Article 10 of the Spanish Data Protection Act (Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales - LOPDGDD).

The AEPD held that there was no national law which Amazon could rely on in order to lawfully process this personal data. The AEPD also noted that not even the law under which the competent national authority issued transport licenses (Real Decreto 1211/1990 por el que se aprueba el Reglamento de la Ley de Ordenación de los Transportes Terrestres - ROTT) established criminal records as a necessary requirement for carrying out these activities. Furthermore, the AEPD stated that admitting Amazon's reasoning would amount to permitting any entity to create a database of people with no criminal records, which would also be at odds with Article 10 GDPR, which states that a register of criminal convictions should be kept only under the control of an official authority.

The AEPD held that in light of the fact that the only valid legal basis for the processing of personal data related to criminal convictions and offences would be a specific law that authorised the processing of this type of data, Amazon's arguments regarding the necessity of this processing for performance of a contract, its legitimate interest, or the data subject's consent as valid legal bases were irrelevant in this case. However, the AEPD went on to make some pertinent observations related to Amazon's arguments in this sense. Regarding the necessity of requiring the criminal record certificate for the performance of a contract with the transport workers, the AEPD reiterated that since there was no national law that established this requirement, this was not a valid argument.

With regards to the legitimate interest Amazon claimed to have to protect their customer's safety and trust, the AEPD noted that Amazon had not provided any proof that they had pondered this potential legitimate interest against the interests and fundamental rights of the candidates in the hiring process, as required by Article 6(1)(f) GDPR. The AEPD stated that because there was no evidence that this balancing exercise had actually been carried out, and that consequently the candidates had not been given any information related to this pondering of interests as a legal basis for processing their criminal record certificate, this could not be invoked as a justification for processing this personal data. Additionally, the AEPD cited the Court of Justice of the European Union (CJEU) C-13/16 – Rigas Satiksme decision when assessing the necessity of the processing for Amazon's claimed legitimate interest, and stated that 'necessity' must be interpreted according to the 'data minimisation' principle under Article 5(1)(c) GDPR. Furthermore, the AEPD stated that 'necessity' should be interpreted strictly, and not as mere 'usefulness' or 'desirability'. According the AEPD, the processing of the criminal record certificate in this case did not meet the CJEU proportionality doctrine (purpose test, necessity test, balancing test), and was excessive since there were less intrusive ways to protect Amazon customers' safety and trust, and to guarantee that Amazon's position as a transport operator was not compromised.

With regard to consent, the AEPD stated that it would have not been freely given or valid either in this case according to the requirements in Article 7 GDPR. Specifically, the candidates did not have the option of refusing to consent to the processing of their criminal record within the contract or in the hiring process through the mobile app, and did not have the option to consent separately for each particular processing. Additionally, the AEPD held that Amazon did not offer proper information about the collection of this personal data as required by Article 13 GDPR.

The AEPD also evaluated the position of the three entities involved in the case, and held that according to the processing agreements that were in place, Amazon Road was the controller responsible for the processing carried out by Amazon India and Accurate Background, and that because these processors were located outside the EEA (in India and the United States respectively), international data transfers were taking place. The AEPD found that, in this case, data subjects' consent to data transfers would not be valid in accordance with Article 49(1) GDPR and Article 7 GDPR, given that consent was required within the contract without an option to refuse, it was not explicit, and no information was given to the data subject regarding the risks of these data transfers. However, the AEPD found that the data transfers were lawful according to Article 46 GDPR, since the SCCs in Amazon's processing agreements included appropriate technical and organisational data protection measures, and Accurate Background was adhered to the EU-US Privacy Shield during the time that the data transfers took place. The AEPD also noted that Amazon had stated it had already stopped requiring the negative criminal certificates in their hiring process before the date the Privacy Shield was invalidated by the CJEU C-311/18 - Schrems II decision, and if so, no unlawful data transfers to Accurate Background would have taken place.

Accordingly, the Spanish DPA fined Amazon Road €2,000,000 for a violation of Article 6(1) GDPR, Article 10 GDPR and Article 10 LOPDGDD for requesting criminal record certificates in their hiring process without a valid legal basis to do so. The AEPD also ordered Amazon Road to provide documentation to prove that their current practices are GDPR compliant. Specifically to prove that the criminal record certificate requirement for job applicants is no longer in place (both in the contract with transport workers as well as in the registration mobile app in their hiring process), that the data related to these certificates previously processed has been deleted, and that it provides workers with adequate information related to the nature and purpose of data transfers that are still being carried out with the processors in this case.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/64









     File No.: PS/00267/2020



                RESOLUTION OF PUNISHMENT PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                   BACKGROUND


FIRST: A.A.A., on behalf of the General Union of Workers (in what

hereafter, UGT, the claimant or claimant entity), on 11/28/2019 filed
claim before the Spanish Data Protection Agency. The claim is
directs against AMAZON ROAD TRANSPORT SPAIN, S.L with CIF B88405303 (in
hereafter, AMAZON ROAD, the respondent or respondent entity). The reasons in which
the claim is based on are as follows:


1. For the contracting of autonomous carriers as service providers,
(program “***PROGRAMA.1”), the respondent entity asks the candidates for various
documentation, including a certificate of absence of a criminal record
penalties.


2. AMAZON ROAD requires the consent of the candidates so that “Amazon”, and
any related entity, carry out transfers of personal data
to any related entity located outside the EEA to promote the interests
legitimate rights of "Amazon" and/or any related entity ("Entity means
Related “Amazon holding company, subsidiary company or affiliate of its holding company”

briefcase").

3. “Likewise, consent is required so that:

. Accurate Background is responsible for collecting and processing the information on behalf of
Amazon to perform the background checks detailed above.


. Amazon Development Center (India) Private Limited, in India, will be able to access
to the data provided by Amazon during this process to support the
information provided by me.


On the other hand, they require consent to exonerate “Amazon, Accurate
Fund, its affiliates and their respective agents that provide data reports on
me from any claims, damages, liabilities, costs and
expenses; or for any other charges or complaints arising from the collection, use of
processing or disclosure of any information or report, to the extent permitted

by the applicable legislation”.

The complainant indicates that these two companies do not have a physical or tax office in Spain.
or in the territory of the European Union.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/64










The claimant considers that the following precepts are not complied with:

. Article 7.5 of Organic Law 15/1999, of December 13, on Data Protection

of Personal Character (LOPD), “Specially protected data”: those related to the
commission of criminal or administrative offenses.
. Article 10 of Organic Law 3/2018, of December 5, on Data Protection
Personal and guarantee of digital rights (hereinafter, LOPDGDD):

data processing of a criminal nature.
. Article 35.3 of Regulation (EU) 2016/679, of the European Parliament and of the Council,
of 04/27/2016, regarding the Protection of Natural Persons with regard to the
Processing of Personal Data and the Free Circulation of these Data (as

successive RGPD): cases in which the impact assessment is required.

With the claim, a copy, among others, of the following documents is provided:


1. Commercial contract (screenshot), which information on protection
of personal data addressed to carriers, whose detail is outlined in the
Proven fact 9.


2. Section of the application of "***PROGRAMA.1" related to the verification of
background (screenshot).

"Background Check

The background check may include, but is not limited to, the aspects

listed below.

I agree to assist Amazon and participate in conducting these checks in the manner
necessary to successfully complete my background check:
1. The certificate of my registration with Social Security.
2. A certificate from the Ministry of Justice confirming that I do not have a criminal record
penalties of any kind;

3. Checking against any terrorist and sanctions list; Y
4. Verification that I have a valid driving license

In connection with this process, I consent to the verifications
mentioned and others that are considered necessary for the position.

I understand and consent that Accurate Background is responsible for collecting and processing the information
on behalf of Amazon to perform detailed background checks

previously.

I understand that I will be informed of any omissions or falsehoods detected by me in the
background check process or any other supporting documentation
sent along with the collaboration request, and, in the absence of a satisfactory explanation, this
may constitute a reason for termination or non-contracting for the provision of the service or
collaboration.


I understand that information received from Amazon and any agents acting on its behalf
name will be kept confidential and used exclusively by Amazon and
any agents acting on your behalf for business purposes, and during the term
of my provision of services to Amazon if hired and to the extent permitted

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 3/64









by applicable law.

I confirm that I have been informed about the inclusion of my personal data in a file
controlled by Amazon, the purpose of such processing, the identity of the data controller
of the data and the recipients of my personal data, such as authorities and agents
premises, in order to comply with legal requirements (e.g., those established by the

Tax agency). I understand Amazon Development Center (India) Private Limited, in India,
may have access to the data you provide to Amazon during this process to give
support in the collection of the information provided by me, and I give my consent to
said access.

I have also been informed of my right to consult, rectify and cancel the data
information held about me by Amazon and any agents acting on its behalf

name, as well as to oppose their treatment. I am aware that I will be able to exercise
these rights at any time by writing a letter identifying the right you
I want to exercise and attaching a copy of my ID to Avda…

I release Amazon, Accurate Fund, their affiliates, and their respective agents for providing
data or reports about me of any claims, damages,
responsibilities, costs and expenses; or any other charges or complaints arising from the

collection, processing or disclosure of any information or report, to the extent
permitted by applicable law.

( ) By checking this box, I give my authorization.”


3. Copy of several emails sent from the address “***EMAIL.1”, in
which explains the process to complete the application in "*** PROGRAM.1" and the
documentation that must be provided. In one of these emails it is indicated:


“The verification process ends on the Accurate website.
You have not yet completed the verification process in Accurate. Check your email account
email and look for an email from “***EMAIL.2”, open it and click on the access link. You will see that
your request is in progress, click “in progress” to continue and finish the process”


4. Copy of an email sent by Accurate Background from the address
“***EMAIL.2” about the procedure to complete the request:

“***PROGRAMA.1 Spain invites you to fill out the Background Verification Form

online through Accurate Background as part of the onboarding process.

You will need to access the Accurate Background web page via the link below
to validate your personal data and complete the online application process. will have another 20
days to upload the required documents…

You will also be required to submit a copy of the criminal record certificate

It is confirmed that he has no criminal record. You can find instructions on how to get
this certificate in the following link….

SECOND: Prior to the acceptance of this claim for processing, it is

transferred to the claimed, in accordance with the provisions of article 65.4 the
LOPDGDD.

AMAZON ROAD submitted a letter on 06/30/2020 in which it highlights the

following:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 4/64









1. From Amazon Road, the program “***PROGRAMA.1” and other relevant information


Amazon Road is an Amazon group company that provides
logistics and distribution to said group and that has the required license or
Authorization to carry out the activity of freight transport operator.

Amazon Road is the entity in charge of managing the program “***PROGRAMA.1”
that allows autonomous carriers to register as service providers of

Amazon Road (“Autonomous Carriers”).

In order to participate in this program, autonomous carriers must accept
the terms and conditions that regulate said program, where they are informed of the
data processing that the entity may carry out for the management of the program,

and download the "Amazon Delivery" application on your mobile device.

Through this application, Amazon Road collects the necessary data from the
Autonomous Carriers for the purpose of (i) verifying that they comply with the
requirements to be able to participate in the program, (ii) create the corresponding account
user necessary to be able to access the service offers and (iii) control the

development of service provision. Once registered in the system, the
Autonomous Carriers have access to the necessary information to be able to provide
services through the program “***PROGRAMA.1”.

Among the requirements that autonomous carriers must meet to participate in

the program is the need to have their own means of transport to carry out
deliveries, (car, van or light truck, all with a gross weight
maximum 2 tons).

The legitimating bases of the data processing that the aforementioned program entails,

depending on the type of data collected and the intended purposes, are the execution
of the contract between the carrier and the claimed party, the informed consent of the
autonomous carrier or the legitimate interest of AMAZON ROAD.

2. Of the information requested by AMAZON ROAD to be able to participate in the
program “***PROGRAM.1”: negative certificates


Among the information that is collected from autonomous carriers who want to
participate in the program "***PROGRAMA.1" is a certificate of absence
criminal record or negative certificate, similar to the one that must be provided by the
managers who want to provide transport services, in accordance with the regulations in

matter of transportation, for the purpose of proving its honorability, but with a scope
more limited in that it only refers to the absence of a criminal record.

This certificate does not provide criminal history information, but rather
consists of a "blank" certificate in which no information is contained

relating to said type of data and which, therefore, cannot be equated to the certificate
"positive" criminal record, which does contain information regarding said
antecedents, such as the type of crime committed, the date it was committed, the
sentence of conviction, the sentencing body or information about the sentence

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 5/64








imposed and its duration. None of this information appears on the certificates
require carriers, in which only their identification data and
the mention of the absence of a criminal record.


This documentation is part of the suitability assessments that the claimed
performs to potential carriers, considering that they are provided with
sensitive information of Amazon group customers (such as their data
contact and address) so that they can provide the contracted service (delivery of
goods).


3. When obtaining a negative certificate, data relating to convictions or
criminal infractions, since it does not contain any data related to the commission of
crimes.


On this issue, it points out that articles 10 of the RGPD and 10 of the LOPDGDD are not
refer specifically to criminal record data, but to data relating to
criminal convictions and infractions, which is a more specific concept that, therefore,
would not include a certificate of lack of criminal record.

Thus, from a literal interpretation of the provisions of said articles,

would infer that what they prohibit is only the processing of data
relating to criminal convictions and offenses, so that the treatment of
negative certificates would fall outside the scope of these two articles.

The only action that Amazon Road takes by processing such

certificates is to verify that there are no data related to convictions or infractions
penalties. And in the absence of such data, it can hardly be concluded that a
treatment of them.

The AEPD itself has been applying rigorous criteria in rating the

nature of the data when it comes to sensitive data, such as
be seen in Legal Report 0129/2005, issued by this AEPD prior to the
entry into force of the GDPR, which indicates what information should be considered
as health information. In that case, the AEPD concluded that the mere fact that a
person is a smoker, without being associated with other data that establish a
certain habit, does not imply the treatment of information directly related

with the health of the affected:

The same strict qualification criterion would apply in the case that we now
occupies: the mere knowledge of the non-existence of a criminal record cannot
considered as the treatment of data related to convictions or infractions

criminal, because this information, by itself, does not involve the treatment of this type of
data.

4. The treatment carried out with the collection of these negative certificates is
proportional and not excessive, which is covered by the concurrence of interest

legitimate, in accordance with the provisions of article 6.1.f) of the RGPD

Said treatment, not being included in what is established by the articles before
mentioned, you must only comply with the legality requirements of article 6 of the RGPD.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 6/64









Access by Autonomous Carriers to the entrance of homes
particulars of the clients, for the purpose of carrying out the delivery of merchandise, and the

personal information of customers to which they have access in order to provide their
transport services entails an intrusion into the private and personal sphere of the
customers of the Amazon group, protected in accordance with the RGPD. It is a
interference that Amazon customers accept as a result of trust
that they have deposited in the group.


Therefore, it is important for AMAZON ROAD to protect that customer trust.
with the selection of carriers, taking extreme precautions regarding the suitability
of the same, for which it must adopt all the measures that are within its reach,
within the framework of current legislation, to guarantee the security and confidence of
Your clients. And one of these measures consists of requesting the certificates

negative criminal record.

When carrying out the weighting exercise of the rights and interests at stake in the
this case, Amazon Road has had its own interest, mentioned above, and the right
to the data protection of said autonomous carriers and, specifically, the right
unless it is known that they have no criminal record. For the purposes of

assess which right or interest should prevail, have been taken into account, among other
facts, the following:

. The nature of the services provided under the program “***PROGRAMA.1”, which
involves access to customer contact data and the movement of

suppliers to their private addresses in order to make deliveries;

. The risk inherent in the relationship of trust established by the people who
located within private homes, in relation to the Carriers
Freelancers of the program “***PROGRAMA.1”;


. The condition of depositaries of the merchandise acquired by carriers,
some of them high value, and the access they have to order inventory
managed by the claimed party, when they access the facilities of the latter to
order picking;


. AMAZON ROAD's obligation to ensure that the services are offered with all
guarantees and without any type of risk for customers; Y

. The slight intrusion and impact on the privacy of autonomous carriers who
supposes the fact that the claimed entity knows that they lack

criminal record.

The weighting carried out is similar to the proportionality judgment carried out by the AEPD
in the resolution to file the actions issued in file E/00037/2013,
in which the treatment by an employer of a certificate of

their workers about the lack of criminal records. In said resolution,
the AEPD concluded that the treatment by the employer of a declaration of
employees regarding the absence of a criminal record constituted a
proportional treatment that, taking into account the specific circumstances of the case, would

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 7/64








fit within “the business control measures appropriate to its activity with
Respect for human dignity".


In our opinion, the data processing carried out by AMAZON ROAD would exceed
the proportionality judgment indicated above, taking into account, in the first place, the
sensitivity of data processed by carriers; second, because it is
of a suitable measure for the purpose pursued by the company and non-invasive in the
sphere of the interested parties, since the information collected does not contain data
regarding criminal convictions or offenses; and, thirdly, by the obligation that

Amazon Road, as a transport operator, has to act diligently
and adopt all those measures that are within its reach to minimize the maximum
any risk to its clients as a result of the services provided.

5. The legitimate interest of the company in the processing of personal data

would also be justified by the provisions of the Law for the Organization of
Land Transport, whose article 119 subjects the activity of the operators of
transport to obtain an administrative authorization, with the same requirements
that are required for the public transport of goods.

Among these requirements, according to articles 42 et seq. of the Law for the Regulation of

Land Transport, and 33 of Royal Decree 1211/1991, of September 28, by
which approves the Land Transport Management Regulations,
meets the requirement of honorability, that is, not having been convicted by the
commission of crimes or criminal offenses or sanctioned for the commission of infractions
related to the commercial, social or labor fields, road safety or

management of land transport.

Well, by treating the carriers' negative certificates
participating in the “***PROGRAMA.1” program, AMAZON ROAD intends to ensure
because its position as a transport operator is not compromised by

those carriers. To this end, it applies a minimum standard of diligence. Hence
Amazon Road requests such negative certificates.

6. The treatment of negative certificates would also be necessary for the
execution of the contract concluded between the autonomous carriers and AMAZON
ROAD.


The treatment of negative certificates is the only means through which Amazon
Road can guarantee the application to the Autonomous Transporters of the same
standards of diligence that it applies to itself, as an operator of
transport and, at the same time, guarantee the maximum security and confidence of the

Amazon group customers.

For this reason, the treatment of repeated negative certificates, while
referring to information necessary to be able to assess the suitability of the
carriers for the provision of services, would also be covered by the

provided in article 6.1.b) of the RGPD, as it would be necessary for the execution
of the contract between the entity and the carriers.

7. AMAZON ROAD does not communicate to third parties the information collected through the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 8/64








negative certificates, including companies belonging to the same group.

Notwithstanding the foregoing, it does have the help of companies that provide

services that assist you in some of the activities you carry out within the framework of the
program “***PROGRAM.1”, such as, among others, the initial checks
to ensure that the Autonomous Carriers meet the requirements or the
verifications of the records provided by the latter. between sayings
providers would be the entities Accurate Fund, Inc. and Amazon Development
Center (India) Private Limited, which the claimant cites in her brief.


However, these entities, as providers of services to AMAZON
ROAD, have signed the corresponding commission contracts with the claimed
under the provisions of the regulations on data protection, so it is not
may be considered as third-party companies to which personal data is transferred.

personal character. Likewise, the international transfer of data involved in the
access by said companies to AMAZON ROAD's data complies with the
requirements established in articles 44 and following of the RGPD.

8. Of the security measures applied in the treatment of data derived from the
program “***PROGRAM.1”.


AMAZON ROAD, as a company part of the Amazon group, has implemented
various internal policies aimed at guaranteeing the protection of data processing
personal data that it carries out, including the processing of data derived
of the “***PROGRAMA.1” program, which are also required of those suppliers

with whom it has signed custom treatment contracts.

All these measures have been adopted taking into account the nature of the
data to be processed and the risks associated with such processing, such as those derived from the
loss, communication or unauthorized access of data.


9. Lastly, the respondent states that since last March 2020 she has
temporarily suspended the processing of personal data relating to
the negative certificates of autonomous carriers as a result of the
situation caused by the COVID-19 pandemic, therefore being an activity that
not made at the date of filing your brief.


THIRD. The claim was admitted for processing by agreement on 08/12/2020.

FOURTH: On 05/12/2021, the Director of the Spanish Protection Agency
of Data agreed to initiate sanctioning proceedings against the entity AMAZON ROAD, with

in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the following alleged violations:

1. Breach of article 6.1 of the RGPD, in relation to article 10 of the RGPD and

of article 10 of the LOPDGDD, typified in article 83.5 of the RGPD and in article
71 of the LOPDGDD.

2. Breach of article 7 of the RGPD, in relation to article 6.1.a) of the same

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 9/64








Regulation, typified in article 83.5 of said legal text.

3. Breach of article 49.1 of the RGPD, typified in article 83.5 of the aforementioned

rule.

In the opening agreement it was determined that the sanction that could correspond,
attended the existing evidence at the time of opening and without prejudice to what
resulting from the investigation, would amount to a total of 3,300,000 euros (2,000,000
euros for the infringement of article 6.1 of the RGPD in relation to article 10 of the

same norm, as well as article 10 of the LOPDGDD; 300,000 euros for the infringement
of article 7 of the RGPD, in relation to article 6.1.a) of the same legal text; Y
1,000,000 euros for the infringement of article 49.1.a) of the RGPD).

In the same agreement to open the procedure, it was warned that the infractions

imputed, if confirmed, may lead to the imposition of measures, in accordance
with the provisions of the aforementioned article 58.2 d) of the RGPD.

FIFTH: Notification of the aforementioned initial agreement and extension of the term granted for
make allegations, AMAZON ROAD filed a brief dated 06/07/2021, in which
that requests the file of the sanctioning procedure or, subsidiarily, the

imposition of a minimum fine, in accordance with the considerations
following:

1. The certificate of absence of criminal records that must be provided by the
applicants to participate in the program "***PROGRAMA.1" does not contain data related to

criminal convictions and infractions, which are specifically referred to in the
Recital 75 and article 10 of the RGPD and article 10 of the LOPDGDD
(literal interpretation). The same was established in Directive 95/46/CE, in the
repealed Organic Law 15/1999 and also in Convention 108 of the Council of Europe.
All of these rules refer to data relating to criminal convictions and offenses and
not to data related to the existence or absence of a criminal record.


It is a “blank” certificate whose content is not comparable to a
“positive” criminal record certificate, which does include information on the type of
crime committed, date of commission, conviction and sentence imposed.


2. Cites a precedent of the AEPD, indicated with the file number
E/00037/2013, which dealt with the request for a responsible declaration in
the one that the subjects affirmed that they had no criminal record (not the request of the
certificate). According to Amazon, the Agency admitted in this precedent the treatment of
negative certificates issued by employees (statements) without subjecting them to the
specific regulation of data relating to criminal convictions.


In relation to this precedent, which was already cited by the respondent in the process of
Transfer, in the opening agreement it is answered that the Judgment of the Chamber of the
Social of the National Court 14/2020, of February 10, 2020, indicates that the
request for a responsible declaration on the lack of a criminal record

It must be considered a treatment of data related to criminal convictions. amazon
questions this argument by pointing out that the sentence is dictated by the jurisdiction
social, which is not competent to review the decisions of the Agency; and what a joy

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 10/64








sentence does not justify why a negative certificate constitutes treatment of
data relating to criminal convictions.


3. According to the entity claimed, other Member States have been accepting a
different interpretation in relation to the provisions of article 10 of the RGPD:

. The Netherlands accepts certificates that prove the absence of criminal records
penalties, known as “Verklaring omtrent gedrag” (VOG).
. In France, employers are authorized to request, during a process of

selection of job applicants, a certificate of their criminal record,
positive or negative (“Certificate B3”).
. In Germany it is allowed to ask the person to be hired for confirmation of
that you have no criminal record that is relevant to employment.


4. The most consistent interpretation with the spirit and purpose of the indicated standards
implies that its purpose is to prevent the creation of records of convictions and
criminal offenses.

5. Subsidiarily, he alleges lack of guilt in the imputed violation.


AMAZON ROAD understands that it has used the diligence that was required of it, having
taking into account the arguments made above. Add that only Accurate
Background accesses this data; and that it suspended the request for these certificates in
March 2020 due to the pandemic, not having resumed the treatment of
negative certificates in view of the interpretations of this Agency and the

Judgment cited above, as indicated in the process of transfer of the
claim.

6. There is no breach of the provisions of article 7 of the RGPD by the
processing activities carried out by Accurate Background Inc. and Amazon

Development Center (India) Private Limited, which is not acting as a third party nor is this
Intervention is based on the consent of the interested parties.

Amazon Road does not share negative certificate information with
any entity of the Group or with third parties. The aforementioned entities attend the
claimed as service providers in the initial checks

on the carriers participating in the program, by virtue of a contract of
treatment order signed by the intervening entities.

Thus, these companies cannot be considered as third parties and the
processing of data that they carry out does not require consent. This is already mentioned

in the registration process when informing “I understand and agree that Accurate
Background is responsible for collecting and processing the information on behalf of Amazon
to perform the background checks detailed above.”

It adds that Amazon Development Center (India) Private Limited acts as

responsible for the treatment of AMAZON ROAD for the registration process of the
participants in the program “***PROGRAMA.1”, but has never had access to the
negative criminal record certificates.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 11/64








7. On the imputation of a possible infringement of the provisions of article 49 of the
GDPR, after pointing out that the startup agreement does not clarify what you specify
international data transfers refers to the AEPD, alleges that the

international data transfers made to group companies or their
providers located outside the EEA are not based on the consent of the
interested parties and comply with the guarantees required by the RGPD.

It warns that it has signed with each entity the corresponding clauses
standard contracts approved by the European Commission through Decision

2010/87/UE, of February 5, 2010, relative to the standard contractual clauses for the
transfer of personal data to those in charge of the treatment established in
third countries, in accordance with Directive 95/46/EC, which are one of the
guarantees that can be offered by data controllers in accordance with the
provided in article 46 of the RGPD.


In relation to Accurate Background Inc. indicates that, since 2016, it was an entity
adhered to the EU-US Privacy Shield. And he clarifies that, although the Shield of
Privacy ceased to have effect with the Judgment of the CJEU of 07/16/2020, in this
date no longer requested or required the presentation of negative certificates of
criminal record.


8. In relation to the graduation of the sanctions, it alleges, subsidiarily, that
The following circumstances must be taken into account:

. Data processing related to negative background certificates

penalties only affected 16.76% of all last-mile drivers
registered in Spain, as the program “***PROGRAMA.1” represents a small
proportion of transport providers that make deliveries in Spain (never
have exceeded 5%).


. Data processing related to negative background certificates
criminal charges cannot be compared to the processing of data on convictions and
criminal offenses.

. The activity carried out by AMAZON ROAD, as a logistics company that acts
As a transport operator, it is not intensive in the processing of personal data, nor

is based on the exploitation of personal data. The treatment you perform, for
staff management and package management for delivery, is instrumental.

. The data processing object of the claim was suspended in March 2020 and
has not been resumed.


. AMAZON ROAD has not been penalized for violating the protection regulations
of personal data nor has it received any claim from any third party in
relation to negative criminal record certificates.



With its allegations, AMAZON ROAD provides, among others, the following documents:

a) Provide a copy of the “Intra-Group Agreement for the Transfer and Treatment of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 12/64








Data” (“Intra-Group Data Transfer and Processing Agreement”), dated 01/01/2019,
signed between different entities of the Amazon group, including the AMAZON entities
ROAD, as the “exporting” entity, and Amazon Development Center (India) Private

Limited, as the “importer/processor” entity.

The content of this "Agreement" is outlined in Proven Fact 3.

b) “Data Processing Agreement” of 10/18/2018,
signed by some entities of the Amazon group and Accurate Fund Inc. Among

those entities of the group include the entity Amazon Spain Fulfillment, S.L.U., which
was in charge of managing the half-mile and last-mile business (“business of
transport operator”).

The content of this "Agreement" is outlined in Proven Fact 4.


c) Project for the Partial Spin-off of Amazon Spain Fulfillment, S.L.U., dated 06/28/2019,
under which AMAZON ROAD received the “transportation operator business” and
produced a universal succession of all juridical relations affected by the
assets of the business.


d) Copy of the extract obtained from the website "www.privacyshield.gov" in relation
with Accurate Background Inc.'s adherence to the “EU-US Privacy Shield”. In
this document is indicated “Original certification date: 08/11/2016”.

e) Information obtained from the Mercantile Registry of Madrid regarding AMAZON ROAD.

The start date of operations is stated as 05/31/2019 and as corporate purpose “the
provision of logistics and distribution services, in particular transport,
handling and storage. The subscribed capital is 6,259.00 euros.

SIXTH: On 12/03/021, the instructor of the procedure agreed to open a

evidence practice period, considering as reproduced for evidentiary purposes the
claim filed and its documentation, as well as the documents obtained and
generated during the claim admission phase; and by presented
the allegations made by AMAZON ROAD to the agreement to initiate the procedure
and the accompanying documentation.


Likewise, it was agreed to include in the actions the information related to the entity
AMAZON ROAD in “Axesor” (“Monitoring report”). (...).

SEVENTH: On 12/29/2021, a resolution proposal was issued in the sense
following:


1. That the Director of the AEPD sanction the entity AMAZON ROAD, for a
infringement of article 6.1 of the RGPD, in relation to article 10 of the same
Regulation and article 10 of the LOPDGDD, typified in article 83.5 of the RGPD
and in article 71 of the LOPDGDD, and classified as very serious for the purposes of

prescription in article 72.1 of the LOPDGDD, with a fine amounting to
2,000,000 euros (two million euros).

2. That the Director of the AEPD impose on the entity AMAZON ROAD, in the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 13/64








term to be determined, the adoption of the necessary measures to adapt its
action to the personal data protection regulations, with the scope expressed
in the Legal Basis VII of the proposed resolution.


EIGHTH: Notification of the proposed resolution and extension of the term granted for the
formulation of allegations, a letter was received from AMAZON ROAD requesting the
dismissal of the file or, subsidiarily, the imposition of a sanction in its
minimum amount, according to the following considerations:


1. Reiterates that a negative criminal record certificate does not entail a
processing of data relating to criminal convictions and offenses within the meaning of
article 10 of the RGPD and article 10 of the LOPDGDD, noting in this regard that the
Articles 136.4 of the Penal Code and 17 of Royal Decree 95/2009, nor the Judgment of the
National High Court of June 20, 2017, cited in Motion for Resolution no.

confirm that it is.

These articles refer to the issuance of these certificates, differentiating
between negative and positive certificates, the latter being the only ones that contain
data relating to criminal convictions and infractions. These articles, in the opinion of the
claimed, do not endorse what was stated in the resolution proposal.


It understands that the same conclusion results from the cited Judgment, which analyzes the
impossibility of omitting in a certificate data related to a foreign conviction, and
refers to positive certificates, by virtue of the provisions of article 17.2 of the Royal
Decree 95/2009.


2. It also reiterates that there is no unanimous and consolidated opinion among the States
members on the interpretation made by the AEPD.

As he already stated in the opening arguments, he points out that the authority of

Netherlands data protection accepts these negative certificates (Verklaring
omtrent gedrag or "VOG") and provides excerpts from the website of the Ministry of Justice of
that country with information on said document; and from the website of the authority of
control that admits its use when there is a legitimate interest of the employer.

In the French case, the control authority (CNIL) has included information on its website

according to which, in the absence of a specific rule that provides for verification of this type
background check, the employer may require an employee to submit an extract
your criminal record during an interview and make a note about it
“yes/no” verification, without obtaining a copy of the document. It is a treatment equivalent to
negative certificate that collects the claimed.


Based on this criterion, the most consistent interpretation with the spirit and purpose of
the rule is to avoid unjustified treatment and the creation of files with these
data.


3. Subsidiarily, alleges inexistence of guilt in the imputed violation,
also invoked in the arguments at the opening of the procedure, to which
expressly remits.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 14/64








4. In the event that it is considered that there has been an infringement, allege the
following circumstances, to be taken into account in the graduation of the
sanction:


A) On the aggravating circumstances considered in the proposed resolution.

a) Duration of the infraction: the negative certificates that it was able to collect before
March 2020 were kept for 90 days for verification (provides
Accurate Background certification, dated 01/19/2022, in which it is shown

that, according to the instructions of the Amazon account, any data related to
candidates of the “***PROGRAMA.1” program is removed from the platform after 90 days,
including any documents provided as part of the process of
verification), so since May 2020 it does not have any data of this type.
This being the case, the existence of a permanent infringement cannot be considered.


b) Number of affected: although the proposal indicates that AMAZON ROAD did not contribute
evidence regarding the number of affected, in the pleadings brief at the opening
it was indicated that the program “***PROGRAMA.1” represents 5% of the suppliers
who make deliveries in Spain and, with regard to last-mile drivers,
only 16.7% are participants in this program.


c) Level of damages: does not understand to what extent the treatment of a
negative certificate has been able to condition the contracting options of the subjects
participants, given that the entity has contracted the carriers that had
this document, and those who did not have it have not been participants in the

Program.

d) Intentionality or negligence: The absence of a clear and solid criterion on the part of
this Agency when the entity began to require the certificates in question and the
subsequent appearance of the Judgment of the National High Court of February 10, 2020,

that would seem to endorse one of the possible interpretations of article 10 of the RGPD, not
can an entity that acted with all due diligence and ceased such activity
As soon as they became aware of the possible existence of a criterion contrary to the
interpretation that Amazon Road understood to be adjusted to the law, appropriate to the
activities that were going to be carried out under the program “***PROGRAMA.1”.


To the above it should be added that other data protection authorities subject to
RGPD, such as that of the Netherlands or France, do not consider this treatment to be
contrary to article 10 of the RGPD.

Likewise, there were resolutions of the Agency itself that endorsed the interpretation

that AMAZON ROAD made of article 10 of the RGPD and after making a consultation
phone call with the Ministry of Justice which, informally, endorsed said
proposal.

Therefore, being a disputed issue, in good faith he understood that his interpretation

was correct according to the information available at the time of starting
treatment and accommodated his behavior as soon as he became aware of the
interpretation supported by the Agency or by a Spanish judicial authority.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 15/64








e) The degree of responsibility of the person in charge taking into account the technical measures
or organizational: the infringement declared by the Agency, resulting from a
interpretation of the standard, has nothing to do with the data management system

designed by AMAZON ROAD when collecting the data of the participants in the
Program. In this regard, it refers to its previous pleadings brief.

It adds that in its response to the transfer procedure, it explained the technical and
organizational measures implemented in relation to the processing of data derived from the
program “***PROGRAMA.1”, without the Resolution Proposal indicating that these

measures are insufficient or what would be the omitted measures.

f) Categories of personal data: the treatment of a
certificate indicating that a person is not registered in a register,
than the one that actually refers to criminal convictions and infractions, so that

the same aggravating circumstance cannot be applied. This interpretation coincides with that made by
the Dutch supervisory authority.

g) Link between the activity of AMAZON ROAD and the processing of personal data:
It is a logistics company that acts as a transport operator for
goods, whose activity is not intensive in the processing of personal data,

even if it involves the processing of personal data (basically for the management of
your own staff and for the management of packages for delivery), this is
instrumental without its main activity being based on the exploitation of data
personal, nor does it use them for purposes other than the management of its activity.


That treats a certain number of data of employees, clients and contractors not
should be reason to consider a "high" link, being only relevant the
nature of the activity carried out and, therefore, the impact or affectation that said
activity has in data processing.


In fact, in the Resolution of October 26, 2021, issued in the procedure
sanctioning PS/00050/2021, a low link between the person responsible and the performance
of data processing has been considered by this Agency as
mitigating factor: "On the other hand, it is observed that it concurs as a mitigating
that the claimed party is an entity in the logistics sector in which data of its
employees although there is no link between the offender's activity and the

processing of personal data (76.2.b LOPDGDD).

h) Condition of a large company and volume of business: the Agency takes into account
consideration the figures of the year 2020, in which it stopped treating the data of the
negative certificates. For this reason, it understands that it is more adjusted to the law to consider the data

accounts for 2019 and, therefore, (i) because 2019 is the year prior to the year in which the Agency
issued its request for information and (ii) because it was the year in which the
claim that has given rise to this sanctioning file. The turnover of
Amazon Road for the year 2019 amounted to 237,000,000 euros with a result of
exercise of 1,862,000 euros (provides an extract of the accounts).


B) Extenuating circumstances.

a) The data processing object of this claim was suspended in March

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 16/64








2020, as already indicated in the brief responding to the transfer and in the brief with allegations to
the opening of the procedure.


Attach the mail model that the entity sent in March 2020 to the users of the
Program “***PROGRAMA.1” that were in the registration process (although the email
It is dated 2022, this is due solely to the fact that for its contribution to this
procedure it has had to send the model template, leaving
as the date of shipment). As can be seen, it was the circumstances of the moment
(that is, Covid-19) which led the entity to temporarily suspend the

request for negative certificates.

This temporary suspension became definitive after becoming aware of the
Judgment of February 10, 2020, issued by the Social Chamber of the High Court
Nacional, although it did not share the interpretation contained in this Judgment, and the

negative certificate ceased to be requested, even from carriers who received that
mail. Although this part did not share this interpretation, the truth is that once
Once the sentence was known, the request for the negative certificates was definitively stopped.

All of this occurred before the agreement to open the procedure was issued and without
said decision was adopted as a result of the intervention of this Agency.


b) Any previous infraction committed by the data controller.

Contrary to what is indicated in the proposal, the resolutions of the AEPD issued in the
procedures PS/00165/2021, PS/00227/2021 and PS/00015/2021 consider as

extenuating the fact of not having been sanctioned previously:

Therefore, the respondent understands that, if said circumstance does not constitute a mitigating
in light of the provisions of article 83.2 e) of the RGPD, as indicated in the
Resolution Proposal, nothing prevents it from being constituted under the provisions of

Article 83.2 (k) of the RGPD, taking into account the practice of this Agency.

AMAZON ROAD has never been sanctioned for an infringement of the regulations on
data protection, nor has it received any claim from any third party in
regarding the treatment of negative certificates.


c) AMAZON ROAD has not obtained any benefit from the facts claimed.

Under the provisions of articles 83.2.k) of the RGPD and 76.2.c) of the
LOPDGDD, this party understands that in the present case it must also be of
application of this mitigating factor, since the treatment of negative certificates

has not reported any additional benefit.

This graduation factor has been considered by the Agency in its resolution of the
procedure indicated with the number PS/00227/2021.


d) The diligence present in the performance of AMAZON ROAD.

If for the AEPD the diligence with which AMAZON ROAD has acted at all times
in relation to the treatment of the data of the negative certificates is not

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 17/64








enough to consider that he concurs in a absence of guilt, as
maintains in its allegations, said diligence should be considered, as
less, as a mitigating factor under the provisions of article 83.2 sections b)

and/or k) of the RGPD, taking into consideration the following circumstances:

   . The literal interpretation of article 10 of the RGPD and 10 of the LOPDGDD suggested
   that said articles do not refer to any data related to antecedents
   but the data related to criminal convictions and infractions, which in the opinion
   of this part did not reach the confirmation of the absence of antecedents

   penalties.
   . The previous interpretation was consistent with the previous regulations on
   data protection applicable in Spanish territory.
   . There was no consolidated, express and public criterion on the part of the Agency in
   regarding the processing of data relating to the absence of a criminal record

   (not in relation to data relating to the commission of offenses and the existence of
   criminal convictions).
   . There were resolutions of the Agency itself that support the interpretation that
   AMAZON ROAD complied with article 10 of the RGPD.
   . AMAZON ROAD even made a telephone consultation with the Ministry
   of Justice that, informally, endorsed said proposal.

   . To proceed with the processing of data relating to negative certificates
   contracted an entity specialized in the selection and suitability control of the
   contractors.
   . The interpretation of article 10 of the RGPD given by other jurisdictions endorsed
   also the interpretation of AMAZON ROAD.

   . In March 2020 Amazon Road suspended the treatment of such certificates
   negative, as stated above.

These circumstances demonstrate that AMAZON ROAD's conduct cannot be
branded as reckless or irresponsible, but rather the opposite: diligent and

accommodating their behavior to the interpretation of the privacy protection regulations
data arising from the Agency itself and from the courts of Justice.

5. Of the corrective measures contained in the Resolution Proposal.

Well, having been accredited that it does not collect the negative certificates of

the participants in the program “***PROGRAMA.1” since March 2020 and neither
retains said certificates, understands that, in the event that it is finally
It is considered that there is an infringement of article 6.1 of the RGPD in relation to the
article 10 of the RGPD and article 10 of the LOPDGDD, none of the
proposed measures.



With your statement of arguments, you provide, among others, the following documents:

1) Extracts from the website of the Ministry of Justice of the Netherlands, together with its

translation, in which information about the "VOG" document is provided. In this
information is indicated:

“What is a VOG?
A Certificate of Good Conduct (VOG) is often required for a (new) job. In
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 18/64









some sectors, such as child care, this is even required by law. justice
handles VOG applications and is the only body in the Netherlands that issues the
VOG.

A VOG is a statement showing that your (judicial) past is not an obstacle

to fulfill a specific task or function in society. When evaluating a VOG request,
Justis checks if you have committed criminal offenses that represent a risk to the position or
purpose for which you are requesting the VOG.

Some criminal offenses constitute an objection to a job or internship, but not to
other… Do you have no criminal record or have you committed any criminal offense that is relevant

for the purpose of the application? You will then receive a VOG.”

“Why and when should you do a screening?

...As an employer, you have a great responsibility in evaluating the reliability of the
future staff. One of the instruments that you, as an organization, can use in your

integrity directive is the certificate of good conduct (VOG).

It is advisable to select for all positions where it is important that the employee is
trustworthy. Think about: managers with many powers; employees working with groups
vulnerable such as children, elderly, sick or people with a restriction; employees who
they work with money and goods; employees who can access confidential information…


That has to do with the powers and the nature of the work…

Rules for screening
Screening can be very drastic for the privacy of the applicant or employee. For the
Therefore, detection is only under certain legal conditions (General Protection Regulation
(GDPR))


permitted:
You must have a legitimate reason (legitimate interest) for the screening.
Screening must be necessary.
You must comply with the obligation to provide information.
You may not use the data obtained from the projection for any purpose other than

what you got them for.
You can only keep the data for as long as it is necessary for the purpose of the
screening. You must protect the data properly.
Not sure if you're allowed to test? For more information, visit the site
website of the “Dutch Data Protection Authority”.


By clicking on the link “Dutch Data Protection Authority” inserted at the end of the
text is accessed to the website of this entity, to the information provided by AMAZON
ROAD as “Document 2”.


2) Extracts from the website of the Control Authority of the Netherlands (Autoriteit
Persoonsgegevens), and its translation, in relation to the treatment of certificates
"VOG".


“Background investigation (screening)
It is important for employers to select and employ reliable employees. the screening
it is a tool to limit risks. For certain positions (for example, in the care of
children) screening is even required by law.

Screening means that an employer requests information about an applicant or employee
28001 – Madrid 6 sedeagpd.gob.es, 19/64









to estimate its integrity.
For example, calling an applicant's references or finding out if he or she is in a
"Blacklist".


Screening conditions
Screening can be very invasive to the privacy of the applicant or employee in question.
Therefore, screening is only allowed under certain “legal conditions”.
The most important conditions are that the employer has a legitimate reason (interest
legitimate), that the screening is necessary and that the employer adequately informs the

applicant or employee before and after.

legitimate interest
An employer's "legitimate interest" in a screening is generally that it should
be able to trust that your (future) employee is honest and trustworthy.


Need
The fact that screening must be "necessary" means, among other things, that the
employer must not be able to achieve his objective by less drastic means than
screening.

Report

The employer must inform the applicant or employee “about the screening”. The employer must
inform this person in advance that a screening will be carried out and then what are the
the results".


“Questions from employers about the screening
[…]
As an employer, how do I determine that screening is necessary?
You take an inventory of the risks associated with the various groups of functions within
of your organization. Then check to see if you can limit the risks other than by
through screening.


…For example, positions where staff work with sensitive information are
aware of the risk of selling or transmitting this information...

Risk mitigation

Have you mapped out the risks? Next, you need to set up your organization in such a way as to reduce
inventoried risks. You can think of strict internal controls or distribution of
powers. Good organizational measures can ensure that risks to your
organization are completely eliminated. Otherwise, screening may be necessary.
applicants or employees. [...]”.


“Requests…

Application data retention period
An applicant did not obtain the position? So, it is common for the organization to remove its
data no later than 4 weeks after the end of the application procedure.
Applicants can give permission to keep their data for a longer time. For

example, because a suitable position may become available at a later date. A
maximum period of 1 year after the completion of the application procedure is
reasonable for this.

“Questions about personal data in job applications…


Screening in the job application
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 20/64









It is important for employers to hire reliable employees. Therefore, the employer
the one you are applying for can decide to examine you…

legal screening
Screening is required by law for some positions, for example, in child care.

In the case of a legally required screening, the employer may request a Certificate
of Good Conduct (VOG).
In addition, special provisions apply to the screening of positions of trust, such as
police officers, employees of private security organizations, employees of
investigative agencies, aviation personnel, and some government posts.”


This Agency verifies the information provided by AMAZON ROAD.
Likewise, click on the link "legal conditions" that appears in the document
“Background investigation (screening)”, and access to the “Questions from the

employers on screening. In this section, in addition to what is indicated by the
claimed, the following should be noted:

“When you select candidates or employees, you are processing their personal data. This

means that the General Data Protection Regulation (GDPR) and the Data Protection Act apply.
AVG implementation (UAVG). As an employer, you are responsible for ensuring that
the evaluation meets the requirements of these laws.
In any case, the RGPD and the UAVG impose the following selection requirements:
   .Has a legitimate interest in the projection.
   . Screening is necessary. This means, among other things, that you cannot achieve your

   target in another way or through a less invasive means than screening.
   . You comply with the information obligation. This means that it informs the candidate
   or relevant employee in advance who is conducting an assessment and then
   what are the results.
   . It does not use the data obtained from the projection for any other purpose.
   . It does not store the data for longer than is necessary for the purpose of the
   evaluation.

   . The projection data is sufficient, it is relevant, and you do not collect more data from
   the necessary ones.
   . You protect the data well.
   . You assess whether you need to carry out a data protection impact assessment
   (DPIA), because detection is data processing with a high risk of
   Privacy.

   . Has the DPIA shown that the intended detection poses a high risk? And not
   find measures to limit this risk? Then you should check with the Authority of
   Dutch Data Protection (AP) before starting the selection. This is
   called prior consultation”.


“As an employer, can I review someone without telling them?
No, that is not allowed...
Pre-selection information
You must inform the applicant or employee in question in advance that you are taking
carry out an evaluation. In addition, you must state why an exam is necessary. Too
you should make it known what data you are researching and why it is relevant to the position in
question.

Post-Assessment Information…must inform the applicant or employee of the
evaluation results”.


Through the link “legitimate interest” that appears in the document “Investigation of
background (screening)”, the following information is accessed:

28001 – Madrid 6 sedeagpd.gob.es, 21/64










“When can I rely on the basis of legitimate interest?
You only have the right to process (ordinary) personal data if you can trust 1 of the 6
principles of the General Data Protection Regulation (GDPR). One of these bases is

that the processing of personal data is necessary to represent your interest
legitimate.
Every time you process personal data, this is an invasion of data privacy.
interested. These are the people whose data you process. Every human being has the right to
privacy, which is a right to privacy, which is a fundamental right.
But as an organization, you can also have the law on your side. That is the case if

has an interest that society considers so important that it has found recognition
In the law. And you can only represent this interest by processing personal data. we call
such interest a legitimate interest.
conflict of rights
This creates a situation in which their right "collides" with the fundamental right of
interested. It is then up to you to weigh these rights against each other and see what weighs

more, your interest or that of the parties involved.
Does his interest finally get the better of him? You can then base your processing on the basis
(necessary for the representation of a) legitimate interest”.

3) Extract from the website of the French Control Authority (CNIL), and its translation.


“Excerpt from criminal record: can the employer request and keep it?
In the absence of a specific text that provides for the verification of the criminal record of the
employees, the employer may ask a candidate or an employee to present the extract
of your criminal record (B3) during an interview, for example, to verify your
criminal history.

However, in this case, the entrepreneur cannot keep a copy or allow these
Data is subject to a specific treatment. The mention of the verification in the boxes of the
personnel management file in the form "yes/no" is sufficient.
For access to certain so-called "sensitive" functions, the texts may provide for the
verification, by the employer or certain authorities that issue
authorizations (for example, for security guards or babysitters), of the

criminal records of employees (B2 or B3 bulletins).
These texts may provide for the period during which the employer is obliged to keep
excerpt from criminal record (3 months is often used, particularly for
administrations). In the absence of details in the text, the document should not be kept.
When the verification is carried out by an authority, the employer does not need to consult the
criminal record since the verifications are carried out by an authorized authority and the

issuance of the authorization is by itself sufficient to ensure the capacity to occupy
the proposed job...".

4) Extract from the website of the Control Authority of the Netherlands (Autoriteit

Persoonsgegevens), together with its translation, in relation to the content of the
"VOG" certificates.

“As an employer, can I request criminal information during an evaluation?

For some positions, it may be necessary for you to know the criminal history of a
applicant or employee. In most cases, it is sufficient for the interested party to request a
certificate of good conduct (VOG).

VOG
A VOG is a statement showing that someone's past behavior is not

constitutes an obstacle to fulfilling a specific (future) position. A VOG is issued by

28001 – Madrid 6 sedeagpd.gob.es, 22/64








Justis of the Ministry of Justice and Security.

Selection of criminal data
Only if requesting a VOG is not enough, you can request (other) criminal data.

May process personal data of a criminal nature if this is necessary for the assessment
of a request from a data subject to make a decision about him or to provide him with a
service.
An example is a selection during an application procedure for a job
integrity. In certain circumstances, criminal personal data may be
treated for this purpose.”


5) Email template that AMAZON ROAD sent in March 2020 at
regarding the suspension of the request for negative certificates.

"Background Check
In order to complete the background check process, you need to upload a
copy of the certificate showing the absence of a criminal record.

Since it is currently not possible to obtain this certificate in person due to the
alarm state, we have allowed you to complete the verification without this document. No
However, you must upload this document within 60 days from the end of the
registration in ***PROGRAM.1. If after this period you have not uploaded the document, you will no longer be
eligible to participate in the program ***PROGRAM.1.
You must upload this document on the Accurate page.
Check the email periodically to follow instructions received from Accurate.



Of the actions carried out in this procedure and the documentation
in the file, the following have been accredited:



                                 PROVEN FACTS


1. AMAZON ROAD is an Amazon group company that provides transportation services

logistics and distribution to said group. This entity began its operations on
05/31/2019 and its corporate purpose is "the provision of logistics services and
distribution, in particular transport, handling and storage”.

Following the spin-off of Amazon Spain Fulfillment, S.L.U., which took place on

06/28/2019, AMAZON ROAD received the “transport operator business” and it happened
to that entity in all legal relationships affected by the elements
business assets.

2. AMAZON ROAD is the entity in charge of managing the program

“***PROGRAMA.1”, whose purpose is to contract self-employed carriers
as service providers.

3. The entity Amazon Development Center (India) Private Limited, based in India,

provides services to the entity AMAZON ROAD in the management of the program
“***PROGRAMA.1” by virtue of the “Intra-Group Agreement for the Transfer and
Data Processing” (“Intra-Group Data Transfer and Processing Agreement”), of
dated 01/01/2019, signed between different entities of the Amazon group, including the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 23/64








entities AMAZON ROAD, as an “exporting” entity, and Amazon Development
Center (India) Private Limited, as “importer/processor” entity.
By reason of this contract, the aforementioned service provider assists AMAZON ROAD

in the collection of information provided by autonomous carriers.

The aforementioned “Agreement” deals with access to personal data that entities
importers must make for the provision to the importing entities of the
services specified in Annex 1, including access to the
data of contractors and their employees and subcontractors.


It is established that the importing entities will process the data on behalf of the
responsible and in accordance with your instructions, in order to provide the services,
without being able to determine the purposes and the way in which the data is processed; and they come
obliged to notify the person in charge of any instruction that, in their opinion, violates the

applicable law, any data breach or claim you receive and to
provide the controller with full cooperation and assistance; as well as
establish the appropriate technical and organizational measures to protect the data. I know
It also provides that the person in charge of the treatment return to the person in charge all the
personal data or proceed to its destruction at the termination of the contract, at the option
of the data controller.


By virtue of this “Agreement”, the parties undertake to comply with “the terms of the
standard clauses for the transfer of personal data to those in charge of the
treatment established in third countries, approved by Decision of the
Commission of the CE of February 5, 2010” (standard contractual clauses for the

transfer of data), which are reproduced in Annex 3 of said Agreement
and are signed by signing the same Agreement or by means of a letter of adhesion
according to the form incorporated as Annex 6.

The technical and organizational measures to be applied and maintained by the person in charge of the

treatment are listed in Annex 2.

The entire content of this “Agreement” is declared to be reproduced in this act for purposes
evidence.

4. Accurate Background Inc., based in the United States, provides services to

the entity AMAZON ROAD in the management of the program “***PROGRAMA.1” under
of the "Data Processing Agreement" of 10/18/2018,
signed by some entities of the Amazon group and Accurate Fund Inc. Among
those entities of the group include the entity Amazon Spain Fulfillment, S.L.U., which
was in charge of managing the half-mile and last-mile business (“business of

transport operator”) until the date on which the spin-off of said business took place
in favor of AMAZON ROAD, in the year 2019. This Agreement is formalized by reason of the
Framework Agreement entered into between the parties on 03/05/2008 (it appears in the proceedings
copy of the Service Framework Agreement -“Master Service Agreement”- between Amazon
Corporate LLC and Accurate Background Inc. and the specific Work Order for

Spain, of 02/12/2017).

By reason of this contract, the aforementioned service provider assists AMAZON ROAD
in the collection of information provided by autonomous carriers, as well as

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 24/64








as in the verification of compliance with the requirements that this entity demands from
these carriers in order to participate in the program.

The aforementioned "Agreement" regulates access to personal data by Accurate
Background Inc. in its capacity as data processor and contemplates the signing of

the EU standard contractual clauses, incorporated as Annex 3.

Details about the processing activities to be carried out by the processor
are contained in Annex 1 of the "Agreement", including those related to the
selection process for personnel, contractors and subcontractors. It is established that the
importer receives information from third parties and collects the relevant data in reports of

job screening for which the data exporter assesses the applicant.

The content of this "Agreement", in terms of the obligations of the person in charge of the
treatment, is similar to that outlined in the Third Proven Fact and also includes a
Annex 2 in which the security measures to be applied are listed.


The entire content of this “Agreement” is declared to be reproduced in this act for purposes
evidence.

5. The entity Accurate Background Inc. appeared adhered to the "EU Privacy Shield-
USA". The “original certification” of this adhesion is dated “08/11/2016”.


6. In order to participate in the “***PROGRAMA.1” program, carriers
Freelancers must download the “Amazon Delivery” app on their mobile device.
Through this application, AMAZON ROAD collects the necessary data from the
autonomous carriers for the purpose of (i) verifying that they comply with the
requirements to be able to participate in the program, (ii) create the corresponding account

user necessary to be able to access the service offers and (iii) control the
development of service provision.

This application provides information on the process of "verification of
records" required of self-employed carriers, whose detail consists
outlined in the First Precedent. This application has a box

enabled so that carriers can give their consent to the actions
contained in said information (“By checking this box, I give my authorization”).

7. Carriers interested in participating in the program “***PROGRAMA.1”
They also have an online application process, through the website of
Accurate Background Inc., which includes an “Account Verification Form”

background".

8. For the contracting of autonomous carriers as service providers in
the program “***PROGRAMA.1”, AMAZON ROAD asks candidates for a diverse
documentation, including a certificate of absence of a criminal record

criminal cases (“A certificate from the Ministry of Justice confirming that I do not have
criminal record of any kind”).

9. Carriers who complete the background check process and are
selected as AMAZON ROAD service providers sign a

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 25/64








commercial contract that includes the following information regarding the protection of

personal information:

“13. Data Protection.

a) Amazon may keep and process data related to you for the execution of the contract that
Amazon has entered into with you, and for legal, administrative, and management purposes, as

described in more detail in Annex A.

b) You consent to Amazon and any Related Entities (as
such term is defined below) carries out the transfer of “personal data
personal” (in the sense foreseen in the RGPD and in the Organic Law 15/1999) related to you to
any Related Entity outside the EEA to further the legitimate interests of Amazon and/
or any Related Entity. For the purposes of this Clause 13, "Related Entity" means
means "holding company" of Amazon, any "affiliated company" or an affiliate of its company
portfolio.


c) The parties undertake to comply with all applicable regulations regarding the protection of
data…

I agree and accept the above.
ACCEPT AND CONTINUE
( ) I agree and accept the above”.


The entire content of this contract is declared reproduced in this act for the purposes of
evidence.


                             FOUNDATIONS OF LAW

                                              I

By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of

Control and, as established in articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Agency for Data Protection is competent to initiate and resolve
this procedure.


Article 63.2 of the LOPDGDD determines that: "The procedures processed by the
Spanish Agency for Data Protection will be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a

subsidiary, by the general rules on administrative procedures.

                                              II


In this proceeding, it is necessary to analyze, in the first place, the presumed illegality
of data processing carried out by the claimed entity when requesting a certificate
of criminal records to self-employed carriers who have requested to subscribe
a service contract with the one in the program “***PROGRAMA.1”.


Article 5.1.a) of the RGPD, on the Principles related to treatment, establishes that
personal data will be “processed in a lawful, loyal and transparent manner in relation to
with the interested party (“lawfulness, loyalty and transparency”)” and article 6.1 specifies the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 26/64









assumptions in which the treatment will be lawful:

“The treatment will only be lawful if at least one of the following conditions is met:


a) the interested party gave his consent for the treatment of his personal data for one or
various specific purposes;

b) the treatment is necessary for the execution of a contract in which the interested party is a party
or for the application at the request of the latter of pre-contractual measures;

c) the treatment is necessary for the fulfillment of a legal obligation applicable to the

data controller;

d) the processing is necessary to protect the vital interests of the data subject or another person
physical;

e) the treatment is necessary for the fulfillment of a mission carried out in the public interest

or in the exercise of public powers conferred on the data controller;

f) the treatment is necessary for the satisfaction of legitimate interests pursued by the
responsible for the treatment or by a third party, provided that said interests are not
prevail the interests or the fundamental rights and freedoms of the interested party that
require the protection of personal data, in particular when the interested party is a child


 The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by
public authorities in the exercise of their functions.

For its part, article 10 of the same rule refers to the processing of data

related to convictions and criminal offenses and provides the following:

“The processing of personal data related to criminal convictions and offenses or measures of
related security on the basis of article 6, paragraph 1, may only be carried out under the

supervision of public authorities or when authorized by the Law of the Union or of the
Member States that establish adequate guarantees for the rights and freedoms of
interested. A complete record of criminal convictions may only be kept under the control of
the public authorities”.


In our legal system, article 10 of the LOPDGDD provides:

"one. The processing of personal data related to criminal convictions and offenses, as well as to
procedures and precautionary and related security measures, for purposes other than those of
prevention, investigation, detection or prosecution of criminal or enforcement offenses
of criminal sanctions, it can only be carried out when it is covered by a

norm of Law of the Union, in this organic law or in other norms of legal rank.

2. The complete record of the data referring to criminal convictions and infractions, as well as to
procedures and precautionary and related security measures referred to in article 10 of the
Regulation (EU) 2016/679, may be carried out in accordance with the provisions of the regulation of the
System of administrative records to support the Administration of Justice.


3. Apart from the assumptions indicated in the previous sections, the data processing
referring to convictions and criminal offenses, as well as procedures and precautionary measures
and related security measures will only be possible when carried out by lawyers and
solicitors and have the purpose of collecting the information provided by their clients for the
exercise of their functions”.

28001 – Madrid 6 sedeagpd.gob.es, 27/64









The RGPD refers, in its Recital 75, to the possibility that
certain data processing may entail a risk to the rights and

freedoms of the people, among which are the data related to the
convictions and criminal offenses and related security measures, hence the
Article 10 of the legal text chooses (i) to confer the legitimacy of its treatment to the
public authorities or when there is an authorization under Union Law or a
national standard that provides adequate guarantees, and (ii) for assigning custody
of the registers where these data are recorded also to the public authorities.

This regulation, far from being new in Europe, was already manifested in
similar terms in Directive 95/46 CE, of the Parliament and of the Council, of 24
October 1995, on the protection of natural persons with regard to
processing of personal data and the free movement of such data.


The origin of this special guarantee can be found in Agreement No. 108 of the Council
of Europe, of January 28, 1981, for the protection of people with respect to
to the automated processing of personal data, which in its article 6
provides that certain categories of data, including data from
personal nature relating to criminal convictions, may not be automatically processed
unless domestic law provides adequate guarantees.


Article 10 of the LOPDGDD, for its part, specifies the reference to the Law of
Member States emphasizing that, when the treatment has a purpose
other than “prevention, investigation, detection or prosecution of criminal offenses
criminal or execution of criminal sanctions” - treatment excluded from the scope

material of the data protection regulations in application of article 2.1.d) of the
RGPD-, so that its treatment can be considered legitimate, it must be
covered by a European standard, the LOPDGDD or another standard with legal status.



Prior to examining the legitimacy of the treatment, it is necessary to analyze whether
requesting a "negative" criminal record certificate constitutes a
“processing of personal data related to criminal convictions and infractions”, according to
the wording of article 10 of the RGPD, and if said treatment is subject, not
only to the generic data protection regulations, but also to the
consideration of data included in the field of application of article 10 of the RGPD and

of article 10 of the LOPDGDD and, therefore, deserving of guarantees
specific.

The criminal record certificate is the public document that certifies the
lack or existence of criminal records that are registered in the Registry

Penitentiary Center. Criminal records are defined as resolutions
firm orders issued by the Judges and Courts of the criminal order for the commission of a
crime that imposes penalties or security measures that are in force
in accordance with the provisions of the Penal Code.


The information contained in the criminal record certificate subject to the
This procedure constitutes personal data in the light of the definition of article
4.1 of the RGPD since it is "information about a natural person
identified”, whether it is a certificate that refers to the existence of such

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 28/64








background as if it reveals your absence, and your request is a
data treatment.


In relation to the category of personal data on which that information relates,
is precisely the one related to the final criminal convictions of which he may have been
object (and are in force) a specific person, both to highlight
I manifest that there are those firm resolutions that impose penalties or measures and
what these are, to prove that they do not exist. That is, the information
is dealing with is the data related to criminal convictions -which includes the absence of

You are linked to a specific natural person.

Therefore, what is stated by the respondent in her allegations cannot be accepted.
when he points out that a criminal record certificate that shows
that a specific person lacks criminal convictions does not strictly collect

any data related to criminal convictions and infractions, since it is
doing by showing and proving that said person lacks them.

Admitting the position maintained by AMAZON ROAD in this regard would be equivalent to admitting that
any person or entity could create a registry of people without criminal records
criminal, despite the fact that it is a matter reserved for public authorities.


It also takes into account section 4 of article 136 of the Organic Law
10/1995, of November 23, of the Penal Code, which after pointing out that "The
registration of criminal records in the different sections of the Central Registry
of Prisoners and Rebels will not be public”, provides that “During its validity, only

will issue certifications with the limitations and guarantees provided for in their regulations
specific and in the cases established by law. This specific regulation is
contained in Royal Decree 95/2009, of February 6, which regulates the System
of administrative records to support the Administration of Justice, which in its
Article 17 establishes that "(...), the data related to

his person contained in the inscriptions of the Central Registries of Prisoners, of
Required Precautionary Measures and Non-Final Judgments, for the Protection of
Victims of Domestic Violence, of Sentences of Criminal Responsibility of the
Minors and Civil Rebels and sign negative certifications regarding
people who are not registered in them. Provided in section 2 of
this same article that “The positive certification will contain the transcript of the

registered data, as they exist in the Registry at the time of their issuance,
excluding inscriptions that, in accordance with a regulation with the force of Law, are found
available only to the courts.

Likewise, the National High Court in various sentences (for all the SAN of 20

June 2017) has stated that "There is no precept that establishes that the
criminal record certificate omit to refer to criminal record
that are duly registered, except in the case that a regulation with the rank of Law
so establishes it and this regardless of whether the certificate is requested for a
criminal proceedings or for a purpose other than criminal proceedings. From this it can be inferred

that the negative criminal record certificate is also considered a piece of information
relating to convictions and criminal offenses, as well as procedures and measures
Prudential and related security.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 29/64








Both the issuance of a positive criminal record certificate and that of a
certificate of the absence of such antecedents require, therefore, the consultation of the
mentioned public records. Therefore, it cannot be said that the certificates

negative or absence of criminal record do not contain information regarding
criminal convictions and offenses or related security measures.

An example that the negative criminal record certificate is a treatment
of personal data related to convictions and criminal offenses we can see it in
related to the certificate of crimes of a sexual nature. This certificate is similar to

that we are now examining, since it refers to the existence or non-existence of
final convictions issued by the judicial bodies, recorded in the Central Registry
of Sex Offenders. Thus, the certificate for crimes of a sexual nature is issued
indicating the existence or non-existence of criminal convictions on the date on which it is
issued.


In addition to the fact that this certificate can be requested in accordance with the provisions of the Law
Organic 8/2021, of June 4, on comprehensive protection for children and adolescents
against violence -norm of legal rank that enables their request in relation to the
access to professions, trades and activities that involve regular contact with
minors -, the truth is that the fact of obtaining a certificate

negative shows that someone lacks criminal convictions in relation to
crimes of a sexual nature. This implies processing personal data “related” to
criminal convictions, since the data contained in the aforementioned certificate, in the same way
that in the one now examined, have to do indissolubly with the existence of
criminal convictions. They are personal data related to criminal convictions either by their

possession or absence.

And the request made by AMAZON ROAD that by
part of this Agency a strict interpretation is made in a manner analogous to the
assumption included in the Legal Cabinet Report 0129/2005. In this sense, it

that came to show the mentioned report is that the data of "smoker"
considered by itself would not belong to the category of health data, for
when, in accordance with Recommendation No. R (97) 5, of the Committee of Ministers of the
Council of Europe, referring to the protection of medical data, the data referring to the
mere consumption of tobacco, without specifying the quantity consumed, would not be
principle a data linked to health, if it is not accompanied by a

complementary information that allows to determine that the situation of
“nicotine abuse”. However, in the case that is the subject of this proceeding, as
As has been stated, the relationship between a criminal record certificate and the
category of data relating to criminal convictions and offenses is unambiguous, since its
information refers to them, both to show their existence and

your absence.

It is also interesting to bring up at this point the file E/00037/2013 that the
claimed refers to in his reply to the transfer. In this
file, the issue was about the request for a responsible statement in

the one that the subjects affirmed that they had no criminal record (not the request of the
certificate). Well, on a case of a similar nature, the Judgment of the Chamber
of the Social of the National Court 14/2020, of February 10, 2020, indicates that
including the request for a responsible statement that there is no criminal record

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 30/64








criminal offenses must be considered as a treatment of data related to convictions
penalties.


AMAZON ROAD, in its arguments at the opening of the procedure, dismisses the
statement made by the National High Court in this Judgment stating that the
The same was issued by the Social Chamber, which is not competent to review the
decisions of this Agency, thereby denying the ability of judges and
courts to interpret the rules that are applicable to the alleged object of the
process in question.


Regarding this allegation, we must mean that, although the Social Chamber of the
The National Court is not competent to review administrative resolutions
dictated by the AEPD, in attention to the competence attributed to the social order, article
25 of the Organic Law 6/1985, of July 1, of the Judicial Power (LOPJ), this does not

prevents interpreting and applying the data protection regulations or any other that
could be relevant to the resolution of the disputed matter; moreover, the
Article 4.bis of the LOPJ mandates the application of the Law to judges and courts
of the European Union.



As a consequence of the foregoing, once established that the background certificate
criminal charges requested by AMAZON ROAD assumes information regarding the convictions
criminal of an identified natural person and, therefore, a personal data subject to the
special guarantees established by articles 10 of the RGPD and 10 of the LOPDGDD,
It is appropriate to examine whether there is an authorization that allows the entity claimed to treat

such information.

These precepts confer the treatment of said data to the public powers
restricting their treatment to individuals only for those cases in which
a rule of European law or a national rule with the force of law enable it

(in addition to what is established in point 10.3 for the processing of criminal data by
part of lawyers and solicitors).

Only, therefore, in those exceptional cases in which, authorized by
a Law and with the due guarantees, if said measure is contemplated, said
certificate; In this sense, there are specific regulations that, in different areas,

expressly contemplate. In relation to this point, there is no standard of the
Law of the Union or a legal norm of our system that allows carrying out
carry out the processing of criminal record data intended by the entity
claimed.


Analyzing the sectoral regulations brought up by the one claimed in his writing, the
Article 43.2 of Law 16/1987, of July 30, on Transport Planning
Terrestrial (hereinafter, LOTT) provides that "when the authorization enables the
performance of public passenger transport by bus or goods in vehicles
or groups of vehicles with own traction capacity whose maximum mass

authorized is greater than 3.5 tons, they must meet the requirements of
establishment, honorability, financial capacity and professional competence
required by the regulations of the European Union establishing standards
relating to the conditions that must be met for the exercise of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 31/64








profession of road carrier, in accordance with what in said
regulation is available and with what is established in this law and in its implementing regulations.
points out for the execution of such provisions”. Article 45 refers

specifically to the requirement of good repute, stating that "In accordance with the
provided in the regulations of the European Union establishing standards
relating to the conditions that must be met for the exercise of the
profession of road carrier, in order to meet the requirement of good repute,
Neither the company nor its transport manager may have been convicted of the
commission of crimes or criminal offenses or sanctioned for the commission of infractions

related to the commercial, social or labor fields, road safety or
management of land transport that gives rise to the loss of this requirement,
in accordance with the provisions of this law and in the regulations of the Union
European.


For its part, the Regulations of the Land Transport Planning Law
(ROTT), approved by Royal Decree 1211/1990, of September 28, collects in its
article 109 that “In accordance with the provisions of article 43.2 of the LOTT, for
Obtaining and maintaining authorizations for public passenger transport
by bus and public transport of goods in vehicles that can exceed
the 3.5 tons of maximum authorized mass, it must be proven that the

company complies, in addition to the conditions indicated in article 43.1 of the LOTT,
the requirements of establishment, professional competence, honor and capacity
financial, with the specifics indicated in these Regulations”; and in article 115
that “1. For the purposes of the provisions of article 45 of the LOTT, both the owner of the
the authorization, whether a natural or legal person, such as the transport manager of the

company in a personal capacity, must meet the requirement of good repute. 2. In the
verification of compliance with the conditions indicated in the previous section,
The competent body must exclusively refer to the data contained in the
Register of Transport Companies and Activities and in the European Register of
Road Transport Companies”. Articles 116 to 120 regulate

in detail the legal regime and the specifications to be taken into account regarding the
concept of honor.

Based on the foregoing, it can be deduced that only compliance
of the honorability requirement for those authorizations that imply the use of
vehicles whose maximum authorized mass is greater than 3.5 tonnes. Your exam

would correspond, in any case, to the competent Administration to grant and
manage transport authorizations, and also with the added limitation of
abide exclusively by what is registered in the Registry of Companies and Activities of
Transport and in the European Register of Road Transport Companies. Is
In other words, not even the competent Administration to manage the authorization can,

in these cases, request or enter to examine a criminal record certificate,
but must abide by the information that has been registered in the aforementioned
records. Furthermore, it means that not even the existence of a
criminal conviction or administrative sanction automatically determines the loss of
honorability necessary to be the holder of a transport authorization, since

there is a subsequent administrative procedure, once said sentence is registered or
resolution in the Registry of Transportation Companies and Activities, as
of articles 118 and 119 of the Regulations of the Law on Transport Management
Terrestrial (ROTT), according to which the competent authority of transport can

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 32/64








determine that even with said conviction or sanction, the consequence of the
loss of honor, and therefore of authorization, is disproportionate. The
ROTT itself additionally establishes a circumstance in which, even

sanctioning resolution, considers that in no case can the loss of the
honorability (article 119.3 of the ROTT). After these precepts it turns out that they can
exist carriers with convictions or sanctions that do not entail the loss of this
requirement.

In any case, it would only be in the event that AMAZON ROAD intended

sign contracts for the provision of services with autonomous carriers in which
the vehicles to be used by them had a maximum authorized mass greater than 3.5
tons (a situation that does not occur in this case because the mass
of vehicles admitted to the program must be less than 2 tons)
when data from certain criminal records, as components of the requirement of

honorability as defined in the LOTT, would come into play for the concession and
maintenance of the mandatory authorization by the Administration that
grants. However, the exclusive competence for its control corresponds to said
Administration with the limitations indicated above, and without in any case
there is legitimacy that enables the company to request a background certificate
criminal charges or to verify such information.


In the absence of legal authorization, it is not possible, in this case, to resort to other legal bases to
legitimize the processing of personal data related to convictions and offenses
penalties.


However, AMAZON ROAD, in its response to the process of transfer of the
claim, stated that the legitimizing bases of the data processing that
carried out, depending on the type of data collected and the intended purposes, are the
execution of the contract between the autonomous carrier and the entity, the consent
of those and the legitimate interest.


In relation to the processing of personal data contained in the certificates
of criminal records that it collects from the carriers that participate in the
"Amazon lex" program, states that the legal basis is the execution of the contract and the
legitimate interest of AMAZON ROAD in protecting the trust that customers have
deposited in the entity and in guaranteeing that its position as a transport operator

not be compromised.

On the other hand, in the information that is offered to the interested parties during the
"background check" (the details are outlined in the Background
First) it is indicated as the legal basis for those data treatments the

consent of the interested parties (“In relation to this process, I give my
consent to carry out the aforementioned checks…”, among which
figure “A certificate from the Ministry of Justice confirming that I do not have
criminal record of any kind”).


None of these legal bases can legitimize the processing of personal data
which, as has been said, can only be carried out in those cases in which
there is legal authorization, so its analysis is not necessary.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 33/64









However, it is considered appropriate to make some clarifications in this regard:

a) The entity complained against considers that the treatment of the certificates in question
it is necessary for the execution of the contract that you sign with the carriers

self-employed, to guarantee the security and confidence of the clients, to apply a
minimum standard of diligence in contracting services from suppliers and for
prevent your position as a transport operator from being compromised (the same
reasons that it gives to justify the legitimate interest).


This Agency does not share that the criminal record certificates that the
claimed requests autonomous carriers to be necessary for the execution of
this contract for the provision of services, for the reasons already stated when referring to the

regulations governing the transport of goods.

The public authorities are responsible for granting the necessary authorizations
for the public transport of goods, so that AMAZON ROAD only

It is up to him to verify that the autonomous carrier intends to contract has
this concession.

b) In relation to the legal basis of legitimate interest, article 6 of the RGPD

establishes:

"one. The treatment will only be lawful if at least one of the following conditions is met:
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the
responsible for the treatment or by a third party, provided that said interests are not
prevail the interests or the fundamental rights and freedoms of the interested party that
require the protection of personal data, in particular when the interested party is a child...”.


Recital 47 of the RGPD specifies the content and scope of this base
legitimizer of the treatment:


“(47) The legitimate interest of a controller, including that of a controller to whom
may communicate personal data, or of a third party, may constitute a legal basis
for treatment, provided that the interests or the rights and freedoms of the user do not prevail.
data subject, taking into account the reasonable expectations of data subjects based on their
relationship with the person in charge. Such legitimate interest could occur, for example, when there is a
relevant and appropriate relationship between the data subject and the controller, such as in situations where
which the interested party is a client or is at the service of the person in charge. In any case, the

existence of a legitimate interest would require careful assessment, even if a
The interested party can reasonably foresee, at the time and in the context of the collection of
personal data, which may be processed for this purpose. In particular, the interests and
the fundamental rights of the interested party could prevail over the interests of the
responsible for the treatment when proceeding to the treatment of personal data in
circumstances in which the data subject does not reasonably expect that a
further treatment. Since it is up to the legislator to establish by law the legal basis for
the processing of personal data by public authorities, this legal basis does not

should apply to processing carried out by public authorities in the exercise of their duties.
functions. The processing of personal data strictly necessary for the
prevention of fraud also constitutes a legitimate interest of the data controller.
that it is The processing of personal data for direct marketing purposes may
be considered carried out for legitimate interest”.


The interpretative criteria that are extracted from this Considering are, among others, (i)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 34/64








that the legitimate interest of the person in charge prevails over the interests or rights and
fundamental freedoms of the owner of the data, in view of the expectations

reasonable that he has, based on the relationship he maintains with the person in charge
of the treatment; (ii) it will be essential to carry out a "meticulous evaluation" of
the rights and interests at stake, also in those cases in which the
interested party can reasonably foresee, at the time and in the context of the
data collection, which may be processed for this purpose; (iii) interest and

fundamental rights of the owner of the personal data could prevail against
the legitimate interests of the person in charge when the processing of the data is carried out
in such circumstances in which the data subject "does not reasonably expect"
carry out further processing of your personal data.


The respondent entity did not carry out this prior analysis, although it refers to it in its
written arguments for the proposal, and there is no evidence that he has duly informed
stakeholders on this legitimate basis.

In the absence of information regarding the weighting test, the interested party is deprived

of their right to know the legal basis of the treatment alleged by the person in charge, and
specifically, when referring to the legitimate interest, he is deprived of his right to know
what are said legitimate interests alleged by the person in charge or by a third party that
would justify treatment.


In the same way, the interested party is deprived of his right to claim for what reasons
Said legitimate interest of the person in charge of the treatment could be counteracted by the
rights or interests of the interested party. Not having given the interested party an opportunity
to allege them against the person in charge, any weighing carried out by the person in charge
without taking into account the circumstances that the interested party could allege, to whom it was not

allowed to do so would be vitiated, as it is an act contrary to a mandatory norm.

It is not possible, therefore, to invoke this legal basis of legitimate interest on the occasion of a
administrative procedure, such as transfer of the claim. Accepting it would be so much
such as admitting a legitimate interest arising, or a posteriori, in respect of which no

have complied with the requirements set forth in the data protection regulations
personal and about which the interested parties are not informed.

Although the legitimate interest is not applicable, it is interesting to analyze the terms in which it must
carry out the weighting provided for in article 6.1.f) of the RGPD between the legitimate

interest of the person responsible for the data and the protection of personal data of the
interested, that is, how it plays said legitimate interest, if applicable.

The CJEU, in its ruling of 05/04/2017, C-13/16, Rigas Satskime, sections 28 to 34,
determined what are the requirements for a treatment to be lawful on

the basis of legitimate interest. The CJEU ruling of 07/29/2019, C-40/17, Fashion ID,
Echoing the sentence cited, it collects said requirements.

28. In this regard, article 7, letter f), of Directive 95/46 -(current article 6.1.f) of the RGPD)-
sets three cumulative requirements for the processing of personal data to be lawful:
first, that the data controller or the third party or third parties to whom they are communicated
the data pursues a legitimate interest; second, that the treatment is necessary for the
satisfaction of that legitimate interest and, third, that the rights and freedoms

fundamentals of the interested party in the protection of data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 35/64









This legal basis requires the existence of real interests, not speculative and that,
Also, they are legitimate. And not only does the existence of that legitimate interest mean that

those treatment operations can be carried out. It is also necessary that these
treatments are necessary to satisfy that interest and consider the repercussion
for the interested party, the level of intrusion on their privacy and the effects that may
negatively impact it.

Even if the data controller has said legitimate interest, this does not, in itself, mean

considered, that this legal basis can simply be invoked as a basis
of the treatment. The legitimacy of this interest is only a starting point, one of only
items to be weighed.

In this case, it is considered that the processing of personal data carried out by

AMAZON ROAD is not necessary or strictly necessary for the satisfaction of the
alleged legitimate interest (the cited judgment of 05/04/2017, C-13/16, Rigas Satskime,
in its section 30, it declares “Regarding the requirement that the treatment of
data is necessary, it should be remembered that the exceptions and restrictions at the beginning
protection of personal data must be established without exceeding the
limits of what is strictly necessary”).


This principle, according to which the treatment must be strictly necessary for the
satisfaction of legitimate interest, it must be interpreted in accordance with what
established in article 5.1.c) RGPD, which refers to the principle of
data minimization, noting that personal data will be “adequate,

relevant and limited to what is necessary in relation to the purposes for which they are
treaties”.

Thus, less invasive means of serving a patient should always be preferred.
same end. Necessity implies here that the treatment is essential for the

satisfaction of said interest, so that, if said objective can be achieved
reasonable manner in another manner that is less impactful or less intrusive, the
Legitimate interest cannot be invoked.

The term “necessity” used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, a
own and independent meaning in Community law. It's about a

“autonomous concept of Community Law” (STJUE of 12/16/2008, case C-
524/2006, section 52). On the other hand, the European Court of Human Rights
(ECHR) has also offered guidelines to interpret the concept of necessity. In
its Judgment of 03/25/1983 specified that, without prejudice to the treatment of
data of the claimants is "useful", "desirable" or "reasonable", as specified by the ECHR in

its Judgment of 3/25/1983, the term “necessary” does not have the flexibility that is
implicit in those expressions.

The more "negative" or "uncertain" the impact of treatment may be, the more
It is unlikely that the processing as a whole can be considered legitimate.


As can be seen, what was stated above is in line with the doctrine of
Constitutional Court on the proportionality trial that must be carried out on
a restrictive measure of a fundamental right. According to this doctrine, they should

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 36/64








three requirements must be verified: suitability (if the measure allows the objective
proposed); necessity (that there is no other more moderate measure); proportionality in

strict sense (more benefits or advantages than harm).

In short, it is understood that the collection and use of the background certificate
criminal charges that the claimed entity carries out involves the processing of personal data

excessive, considering that there are other less intrusive ways to protect the
trust that customers have deposited in the entity and to ensure that their
position as transport operator is not compromised.

Therefore, the legitimate interest invoked by AMAZON ROAD does not prevail against the

fundamental rights and freedoms of those interested in the protection of their data
personal, so it cannot be considered that the processing of personal data that
carried out is protected by the legitimate interest provided for in article 6.1.f) of the
GDPR.


c) And neither the acceptance by the interested carriers of the process of
“background check” implies a valid consent for the treatment of
personal data related to criminal records. According to what is stated in
the rules outlined, the processing of personal data subject to the claim

require the existence of a legal basis that legitimizes it, such as the consent of the
interested party validly provided, necessary when there is no other basis
legal of the one mentioned in article 6.1 of the RGPD or the treatment pursues a purpose
compatible with the one for which the data was collected, and provided that the treatment
does not require, as in this case, a legal authorization.


Article 4 of the GDPR defines "consent" in the following terms:

“Article 4 Definitions
For the purposes of this Regulation, the following shall be understood as:
11. «consent of the interested party»: any manifestation of free will, specific,

informed and unequivocal by which the interested party accepts, either by means of a declaration or a
clear affirmative action, the treatment of personal data that concerns you”.

In relation to the provision of consent, the following must be taken into account:
established in article 6 of the RGPD, already cited, and in articles 7 of the RGPD and 7 of

the LOPDGDD.

Article 7 “Conditions for consent” of the RGPD:

"one. When the treatment is based on the consent of the interested party, the person in charge must
be able to demonstrate that they consented to the processing of their personal data.

2. If the data subject's consent is given in the context of a written statement that
also refers to other matters, the request for consent will be presented in such a way
clearly distinguishable from other matters, in an intelligible and easily accessible manner and
using clear and simple language. No part of the declaration will be binding.
constitutes an infringement of this Regulation.
3. The interested party shall have the right to withdraw their consent at any time. The retreat
of consent will not affect the legality of the treatment based on the consent prior to
his withdrawal. Before giving their consent, the interested party will be informed of it. it will be so easy
Withdraw consent as give it.
4. When assessing whether consent has been freely given, it will be taken into account to the greatest

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 37/64








extent possible whether, among other things, the performance of a contract, including the
provision of a service, is subject to consent to the processing of personal data that
are not necessary for the execution of said contract”.


Article 6 “Treatment based on the consent of the affected party” of the LOPDGDD:

"one. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679,
consent of the affected party means any manifestation of free will, specific,
informed and unequivocal by which it accepts, either through a statement or a clear
affirmative action, the treatment of personal data that concerns you.
2. When the data processing is intended to be based on the consent of the affected party

for a plurality of purposes it will be necessary to state specifically and unequivocally
that said consent is granted for all of them.
3. The execution of the contract may not be subject to the affected party consenting to the treatment of
personal data for purposes that are not related to the maintenance, development
or control of the contractual relationship”.

Consent is understood as a clear affirmative act that reflects a

free, specific, informed and unequivocal manifestation of the interested party's
accept the treatment of personal data that concerns you, provided with
sufficient guarantees to prove that the interested party is aware of the fact that
you give your consent and the extent to which you do so. And it must be given to all
treatment activities carried out with the same or the same purposes, so that,

when the treatment has several purposes, consent must be given for all
them in a specific and unequivocal manner, without the execution of the
contract that the affected party consents to the processing of their personal data for
purposes that are not related to the maintenance, development or control of the

business relationship. In this regard, the legality of the treatment requires that the interested party be
informed about the purposes for which the data is intended (consent
informed).

Consent must be given freely. It is understood that consent

is free when the interested party does not enjoy true or free choice or cannot
deny or withdraw your consent without prejudice; or when you don't know
allows separate authorization of the different data processing operations
despite being appropriate in the specific case, or when the fulfillment of a

contract or provision of service is dependent on consent, even when it
not necessary for such compliance. This occurs when consent is
included as a non-negotiable part of the general conditions or when
imposes the obligation to agree to the use of additional personal data to
those strictly necessary.


Without these conditions, the provision of consent would not offer the data subject a
true control over your personal data and its destination, and this would
Illegal treatment activity.


The Article 29 Working Group analyzed these issues in its document
“Guidelines on consent under Regulation 2016/679”, revised and
approved on 04/10/2018; which has been updated by the European Committee for
Data Protection on 05/04/2020 through the document “Guidelines 05/2020 on

consent in accordance with Regulation 2016/679”. From what is stated in this
document, it is now interesting to highlight some aspects related to the validity of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 38/64









consent, specifically on the elements “specific”, “informed” and
"unequivocal":


“3.2. Specific declaration of will
Article 6, paragraph 1, letter a), confirms that the consent of the interested party for the
processing of your data must be given "for one or more specific purposes" and that an interested party
may choose with respect to each of such purposes. The requirement that consent

should be 'specific' is intended to ensure a level of control and transparency for the
interested. This requirement has not been changed by the GDPR and remains closely
linked to the requirement of “informed” consent. At the same time, it must be interpreted
in line with the “dissociation” requirement to obtain “free” consent. In sum,
In order to comply with the “specific” character, the data controller must apply:


i) specification of the purpose as a guarantee against deviation from use,
ii) dissociation in consent requests, and
iii) a clear separation between information related to obtaining consent
for data processing activities and information relating to other matters.

Ad. i): In accordance with article 5, paragraph 1, letter b), of the RGPD, obtaining the

Valid consent is always preceded by the determination of a specific, explicit and
legitimate for the intended treatment activity. The need for specific consent
in combination with the notion of purpose limitation in Article 5, paragraph
1, letter b), works as a guarantee against the gradual expansion or blurring of the purposes
for which the data processing is carried out once an interested party has given their

Authorization for the initial data collection. This phenomenon, also known as
deviation of the use, supposes a risk for the interested parties since it can give rise to a use
unforeseen personal data by the data controller or third parties
parties and the loss of control by the interested party.
If the data controller relies on Article 6(1)(a), the data subjects
They must always give their consent for a specific purpose for data processing.

In line with the concept of purpose limitation, with Article 5, paragraph 1, letter
b), and with recital 32, the consent may cover different operations, provided
that these operations have the same purpose. It goes without saying that the specific consent
can only be obtained when the interested parties are expressly informed about the purposes
provided for the use of data concerning them.
Without prejudice to the provisions on the compatibility of purposes, the consent must

Be specific for each purpose. The interested parties will give their consent on the understanding that they have
control over your data and that these will only be processed for those specific purposes. If a
responsible processes data based on consent and, in addition, wishes to process said data
for another purpose, you must obtain consent for that other purpose, unless there is another basis
law that best reflects the situation...

Ad. ii) Consent mechanisms should not only be separated in order to comply
the requirement of “free” consent, but must also comply with the requirement of
"specific" consent. This means that a data controller seeking the
consent for several different purposes, you must facilitate the possibility of opting for each purpose,
so that users can give specific consent for specific purposes.
Ad. iii) Finally, data controllers must provide, with each data request,

separate consent, specific information on the data to be processed for each purpose,
in order that the interested parties know the repercussion of the different options that
have. In this way, data subjects are allowed to give specific consent. Is
issue overlaps with the requirement that controllers provide clear information, as
as discussed above in section 3.3”.


“3.3. Manifestation of informed will
The GDPR reinforces the requirement that consent must be informed. in accordance
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 39/64








with article 5 of the RGPD, the requirement of transparency is one of the principles
fundamental, closely related to the principles of loyalty and legality. To ease

information to the interested parties before obtaining their consent is essential so that they can
make informed decisions, understand what they are authorizing and, for example,
exercise your right to withdraw your consent. If the controller does not provide information
accessible, user control will be illusory and consent will not constitute a valid basis
for data processing.
If the requirements for informed consent are not met, the consent is not
will be valid and the person in charge may be in breach of article 6 of the RGPD.


3.3.1. Minimum content requirements for consent to be “informed”
In order for the consent to be informed, it is necessary to communicate to the interested party certain
elements that are crucial to be able to choose. Therefore, the WG29 is of the opinion that it is required,
least, the following information to obtain valid consent:
i) the identity of the data controller,
ii) the purpose of each of the treatment operations for which the authorization is requested.
consent,
iii) what (type of) data will be collected and used,

iv) the existence of the right to withdraw consent,
v) information on the use of data for automated decisions in accordance with the
article 22, paragraph 2, letter c), when relevant, and
vi) information on the possible risks of data transfer due to the absence of
a decision of adequacy and adequate guarantees, as described in the article
46”.


In the alleged case, there is no evidence of the provision of a
valid consent on the part of the autonomous carriers participating in the
program "***PROGRAMA.1" that covers the processing of personal data that
AMAZON ROAD performs with the criminal record you request. this entity
does not even duly inform about this data processing, about its purpose and

legal basis or the right to withdraw consent, in accordance with the
established in article 13 of the RGPD; nor has it established any mechanism for
The interested parties can consent to this collection of personal data through an act
separate statement for these specific processing operations; neither him

consent can be considered free, by imposing the processing of personal data
as a requirement to access the contract.



It is significant that AMAZON ROAD, in its brief of arguments regarding the proposal for
resolution, has not made a single argument to the contrary on the
reasoning developed in this Law Foundation, either in
relation to the nature of personal data related to criminal convictions and offenses
that must be attributed to the negative background certificate, or to the non-existence of

Legal authorization that protects the data processing questioned in the proceedings.
Nor does it even mention the reasons given to justify the
impossibility of resorting, in this case, to other legal bases that could make it lawful
said data processing, such as the legitimate interest or the consent of the

interested party validly borrowed. It should be noted that he would have invoked the interest
legitimate as a legitimizing basis for the treatment and now, in its pleadings letter
to the motion for a resolution, do not make any statement that responds to the
previous arguments, which were already included in the proposal prepared by the instructor

of the procedure.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 40/64








In said written arguments for the proposal, AMAZON ROAD has limited itself to
affirm again, without providing any reasoning, that the certificate of absence
of criminal records does not involve the processing of data related to convictions and

criminal offenses and to point out in this regard that the Penal Code, the Royal Decree
95/2009 and the Judgment of the National Court of June 20, 2017 do not confirm
so be it.

However, what is stated by the respondent does not coincide with what is indicated in this
resolution and in the proposal. The above indicates that the Penal Code

establishes that the annotations in the "Central Registry of Prisoners and Rebels" are not
public; that Royal Decree 95/2009 provides for the issuance of certificates on the
inscriptions included in the records of support to the Administration of Justice and
"Negative certifications regarding people who are not registered in them",
that require a query to the same registers in both cases; and about the

Judgment cited, it is said that it is inferred that the background certificate
negative penalties is also considered a data relative to convictions and infractions
criminal, to the extent that it raises what information must be provided
by the Central Registry and that must be included in the background certificate
penalties.


On the other hand, in the aforementioned brief of arguments to the proposed resolution,
AMAZON ROAD alleges that there is no unanimous and consolidated criterion on the use
of negative criminal record certificates between Member States
on the interpretation made by the AEPD.


In the pleadings brief at the opening, he already raised this issue in relation to
Netherlands, France or Germany, pointing out that in these countries a
different interpretation in relation to the provisions of article 10 of the RGPD and
allow employers to confirm that a person applying for a job does not have
criminal record.


In the proposed resolution it was noted that the entity claimed had not contributed
no evidence on this allegation or verified if in said countries there is a
norm that enables this verification of data and in what cases, as is also the case
in our legal system for different areas of employment (among others,
lawyers, Lottery administrators and bookmakers, agencies in charge of

international adoptions, taxi drivers, some casino employees,
public officials, or the same drivers of passenger vehicles and
merchandise in the aforementioned cases).

Now, in response to what is stated in the proposal, AMAZON ROAD reiterates that the

Dutch data protection authority accepts these negative certificates
(Verklaring omtrent gedrag or "VOG") and provides excerpts from the Ministry of
Justice of that country with information on said document; and from the website of
control authority that admits its use when there is a legitimate interest of the
employer.


In relation to the French case, the claim indicates that the supervisory authority (CNIL)
has included information on its website according to which, in the absence of a specific rule that
provides for the verification of this type of background, the employer may request a

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 41/64








employee to present an abstract of his criminal record during a
interview and make a note about this “yes/no” verification, without obtaining a copy of the
document, which is equivalent, in his opinion, to the negative certificate obtained by the

claimed. And it provides information obtained from the CNIL website.

Nothing indicates this time, however, in relation to the position held on the matter by
Germany.

After analyzing the information obtained from the websites of the Ministry of Justice and the

Dutch data protection authority and the CNIL website, considers
this Agency that substantially coincides with what is argued in this
resolution.

In relation to the Netherlands, the respondent entity reaches a conclusion that does not

considers some aspects reflected in the information provided by those
entities, such as:

According to the information available on the website of the Ministry of Justice, the certificate
"VOG" issued by said Ministry verifies whether the interested party has committed criminal offenses
that represent a risk for the job in question.


The employer is informed that this “VOG” certificate is one of the instruments that
can be used to assess the reliability of future staff, recommended for
positions where trust in the employee is important, although it is noted that this
evaluation affects the privacy of the employee and that, therefore, only that

evaluation under certain legal conditions, expressly mentioning the RGPD.

This information refers to legitimate interest, indicating that such interest must exist and
be necessary. And adds in this regard that the employer has the obligation to
provide information, not use the data for another purpose and keep the data

just for as long as necessary.

As for the Dutch data protection authority, it also informs
through its website that the evaluation is only allowed under certain conditions
legal, being the most important that the employer has a legitimate reason,
requiring that the evaluation be necessary, that the

applicant or employee, that the data collected is relevant, so that it is not
collect more data than necessary, not use it for any other purpose and
weigh rights against each other to see whose interest weighs more, that of the employer or that of
employees or applicants.


But it is also indicated that the "VOG" can be requested for some cases in which
that the check is required by law. And that special provisions apply to
positions of trust, such as police officers, private security,
aviation and others.


In relation to the legitimate interest and the meaning of that "necessity" requirement,
clarifies that the employer must not be able to achieve his objective with less
drastic.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 42/64








It also recommends carrying out an inventory of the risks associated with the
functions within your organization to verify whether these risks can be adequately limited.
a different way, highlighting that a good organization, with internal controls or

distribution of powers, you can ensure that the risks are completely eliminated and
not necessitate repeated evaluation of the employee.

On the other hand, the need to analyze whether it is appropriate to carry out an evaluation
of data protection impact and the possibility of sending a prior consultation to the
data protection authority if it cannot find a way to limit the risk.



In the French case, its regulations distinguish three types of background certificates
penalties, which he calls Bulletin nº 1, 2 and 3 (B1, B2 and B3). The first includes all
recorded convictions and decisions, and can only be handed over to authorities

judicial and penitentiary establishments; B2 contains felony convictions
police, suspended sentences, etc., and can be issued to certain authorities and
private bodies for reasons listed exhaustively by law; and the B3
contains only the most serious sentences for crimes or misdemeanors, custodial sentences
liberty and certain ongoing disqualifications or disabilities, follow-up measures and
prohibitions to carry out an activity that implies contact with minors, which only

It can be delivered to the interested party, at his request.

The information offered by the CNIL entity on its website distinguishes two cases. For
On the other hand, the background check provided for in a regulation for certain
“sensitive” functions (bullets B2 and B3); and, on the other, in the absence of a rule that provides

background check, the possibility of the employer requesting a
candidate or employee an extract of their criminal record (B3) during a
interview, without the employer being able to obtain a copy or process the data (only write down the
verification in the boxes of the personnel management file the “yes/no” forms).


But, contrary to what AMAZON ROAD indicates, it does not mention in the information
No legal basis has been provided to support this data processing.

This information is completed by pointing out that when the verification is carried out by a
authority, the employer does not need to check criminal records. As well
occurs in the case at hand, in which the transport sector regulations already

contemplates this verification for the cases in which it is necessary in order to issue
carrier authorization.

In accordance with all the foregoing, the claim made by
AMAZON ROAD on the absence of guilt.


Consequently, in accordance with the exposed evidence, the aforementioned facts
represent a violation of the provisions of article 6 of the RGPD, which gives rise to the
application of the corrective powers that article 58 of the aforementioned Regulation grants to
the Spanish Data Protection Agency.



                                            III


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 43/64








The second aspect of those included in the claim to be analyzed is what makes
reference to the legal position that companies occupy in data processing
Accurate Fund, Inc. and Amazon Development Center (India) Private Limited.


The information available comes from the text of the screenshots of the contract
business, from the background check section of the application (provided by
the claimant next to the claim) and the responses provided by the
claimed in his briefs of 06/30/2020 and 06/07/2021, in response to the transfer and
arguments at the opening of the procedure.


Clause 4(d) of the contract states that the participant undertakes “to
provide complete and accurate answers to all questions related to
verifying your professional history and providing a certificate of absence from
criminal record and information about your driving license.” And in the

clause 13 it is reported that the data of the participants are treated for the execution
of the contract and for legal, administrative and management purposes.

For its part, in the background check section of the application, which
appears configured as a procedure in which the suitability of the
participants to determine their admission to participate in the program

"*** PROGRAM.1" and carry out the provision of services, reference is made to the
entities Accurate Fund, Inc. and Amazon Development Center (India) Private
Limited under the following terms:

“I understand and consent that Accurate Background is responsible for collecting and treating the
information on behalf of Amazon to perform detailed background checks
previously".


“I understand Amazon Development Center (India) Private Limited, in India, will be able to access
to the data you provide to Amazon during this process to support the collection of
the information provided by me, and I consent to such access”.

From the transcribed texts it is evident that they intervene in the verification process
background checks of the commercial companies Accurate Background, Inc. (collection and treatment

of information) and Amazon Development Center (India) Private Limited (access to
data to support its collection).

Now, some confusion results from the fact that background checks
is presented as an obligation arising from the contract while on the screen of
background check the consent of the participant is requested for this

process and for those entities to collect and process your information or give
medium.

And this confusion increases if we consider the doubts generated by the paragraphs
transcribed, indicating that Accurate Background, Inc. collects and processes the

information “on behalf of Amazon” and that Amazon Development Center (India)
Private Limited may have access to the information to provide “support” to “Amazon”;
along with AMAZON ROAD's representations contained in its statement of
response of 06/30/2020, according to which those entities hold the nature
of treatment managers.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 44/64








This uncertainty about the condition under which the repeated
mercantile and the inexistence of any proof that accredited the access on the part of

these to the personal data as in charge of the treatment (the claimed did not provide
no documentation in this regard with his letter of 06/30/2020), motivated that in
the opening agreement of this sanctioning procedure will be qualified to the
aforementioned entities as “third parties” in relation to data processing, and determined
the imputation of an infraction for the alleged non-compliance with the provisions of the

article 7 of the RGPD, in relation to article 6.1.a) of the same legal text.

Under this premise, said imputation was based on the fact that the treatment
of the personal data of the participants in the program “***PROGRAMA.1” by
part of Accurate Fund, Inc. and Amazon Development Center (India) Private

Limited required the consent of the data subjects; and that the consent
provided in this case did not meet the requirements for it to be considered
a valid consent, since it would not be free nor could it be considered informed, in the
meaning expressed in article 7 and Recitals 32, 42 and 43 of the RGPD, article 6
of the LOPDGDD and according to the interpretations of the European Committee for the Protection of

Data contained in Guidelines 5/2020.

However, AMAZON ROAD, with its pleadings brief at the opening of the
procedure has provided a copy of the treatment commission contracts signed
with Accurate Fund, Inc. and Amazon Development Center (India) Private Limited,

in which it is stipulated that these entities will process the data on behalf of AMAZON
ROAD and in accordance with its instructions, in order to provide the services.
According to these contracts, those entities intervene as responsible for the
treatment and, as such, are obliged to notify the person in charge of any instruction
that, in your opinion, violates applicable law, any data breach or

claim it receives and to provide the responsible party with cooperation and assistance
full; as well as to establish the appropriate technical and organizational measures to
protect data. It is also expected that the person in charge of the treatment returns to the
responsible for all personal data or proceed to its destruction upon completion
of the contract, at the choice of the data controller.


These are, therefore, companies that provide services to AMAZON ROAD in the
initial checks on carriers participating in the program
“***PROGRAMA.1”, for which they have signed a treatment order contract.


In accordance with this, the aforementioned entities cannot be considered as third parties.
and the treatment of the data they carry out does not require the consent of the users.
interested.

The figures of "responsible for the treatment" and "in charge of the treatment" are defined

in article 4 of the RGPD as follows:

. “Responsible for the treatment or responsible: the natural or legal person, public authority,
service or other body which, alone or jointly with others, determines the ends and means of the
treatment; if the law of the Union or of the Member States determines the ends and means
of the treatment, the person in charge of the treatment or the specific criteria for their appointment
may be established by the Law of the Union or of the Member States”.

. “In charge of the treatment or in charge: the natural or legal person, public authority,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 45/64









service or other body that processes personal data on behalf of the person responsible for the
treatment".

The concepts of controller and processor are not formal, but
functional and must attend to the specific case, to the specific activities in a

specific context.

The data controller is from the moment it decides the purposes and
means of treatment, not losing such condition the fact of leaving a certain margin of

action to the person in charge of the treatment. This is unquestionably expressed in the
Guidelines 07/2020 of the European Committee for Data Protection (CEPD) on the
Concepts of data controller and manager in the GDPR:

“A data controller is one who determines the purposes and means of processing.

treatment, that is, the why and how of the treatment. The data controller must
decide on both ends and means. However, some more practical aspects of
implementation ("non-essential means") can be left to the person in charge of the
treatment. It is not necessary that the person in charge actually has access to the data that is
they are trying to qualify themselves as responsible” (the translation is ours).


In the present case, it is clear that AMAZON ROAD is responsible for the
data processing now analyzed, since, as defined in article 4.7
of the RGPD, is the entity that determines the purpose and means of the treatments
made. In its capacity as data controller, it is obliged to comply with

the provisions of the transcribed article 24 of the RGPD and, in particular, regarding the control
effective and continued implementation of the “appropriate technical and organizational measures in order to
guarantee and be able to demonstrate that the treatment is in accordance with this
Regulation”, among which are those provided in article 28 of the RGPD

in relation to those in charge of the treatments that act in the name and on behalf of
of the person in charge. Section 3 of this article 28 establishes the following:

"3. The treatment by the person in charge will be governed by a contract or other legal act in accordance with the
Law of the Union or of the Member States, which binds the person in charge with respect to the

responsible and establishes the object, duration, nature and purpose of the treatment, the
type of personal data and categories of interested parties, and the obligations and rights of the
responsable. Said contract or legal act shall stipulate, in particular, that the person in charge:

a) will process personal data only following documented instructions of the
responsible, including with respect to transfers of personal data to a third country or
an international organisation, unless required to do so under Union law
or of the Member States that applies to the person in charge; in such a case, the person in charge will inform the

responsible for that legal requirement prior to treatment, unless such Law prohibits it by
important reasons of public interest;
b) will guarantee that the persons authorized to process personal data have
committed to respecting confidentiality or are subject to an obligation of
confidentiality of a statutory nature;
c) take all necessary measures in accordance with article 32;
d) will respect the conditions indicated in sections 2 and 4 to resort to another person in charge of the

treatment;
e) will assist the person in charge, taking into account the nature of the treatment, through measures
appropriate technical and organizational measures, whenever possible, so that it can comply with
their obligation to respond to requests that have as their object the exercise of rights
of the interested parties established in chapter III;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 46/64








f) will help the person in charge to guarantee the fulfillment of the obligations established in the
articles 32 to 36, taking into account the nature of the treatment and the information to
disposal of the manager;
g) at the choice of the person in charge, will delete or return all personal data once

ends the provision of treatment services, and will delete existing copies unless
that the conservation of personal data is required by virtue of the Law of the Union or of
the member states;
h) will make available to the person in charge all the information necessary to demonstrate the
compliance with the obligations established in this article, as well as to allow and
contribute to the performance of audits, including inspections, by the person in charge or
another auditor authorized by said person in charge.

In relation to the provisions of letter h) of the first paragraph, the person in charge will inform

immediately to the controller if, in his opinion, an instruction violates this
Regulation or other provisions on data protection of the Union or of the
Member states".

It is AMAZON ROAD, as responsible, which can decide to carry out by itself
certain treatment operations or contract all or part of the

treatment with a manager.

The essence of the function of the person in charge of the treatment is that the personal data
are processed in the name and on behalf of the data controller. In practice,
it is the person in charge who determines the purpose and the means, at least the essential ones,

while the person in charge of the treatment has the function of providing services to the
responsible for the treatment. In other words, “acting in the name and on behalf of
of the data controller” means that the data controller is at the
servicing the interest of the controller in carrying out a task

and that, therefore, follows the instructions established by it, at least in
what refers to the purpose and the essential means of the entrusted treatment.

The person in charge of the treatment is the one who has the obligation to guarantee the application
of the data protection regulations and the protection of the rights of the

interested, as well as being able to demonstrate it (articles 5.2, 24, 28 and 32 of the RGPD).
The control of compliance with the law extends throughout the treatment,
From the beginning to the end. The data controller must act, in
in any case, in a diligent, conscious, committed and active manner.


This mandate of the legislator is independent of whether the treatment is carried out
directly the person in charge of the treatment or that it is carried out using a
treatment manager.


In addition, the treatment carried out materially by a treatment manager for
account of the person in charge of the treatment belongs to the sphere of action of this
last, in the same way as if he did it directly himself. The person in charge of
treatment, in the case examined, is an extension of the person responsible for the
treatment.


In light of the principle of proactive responsibility (art 5.2 RGPD), the person in charge of the
treatment must be able to demonstrate that it has taken into account all the elements
provided for in the GDPR. Before outsourcing a treatment and in order to avoid possible

violations of the rights and freedoms of those affected, the person responsible for the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 47/64








treatment must enter into a contract, other legal act or a binding agreement with the
another entity that establishes clear and precise obligations regarding the protection of

data.

The person in charge of the treatment can only carry out treatments on the instructions
documentation of the controller, unless required to do so by law
of the Union or of a Member State, which is not the case. In this regard, article 29

of the RGPD refers to the “Processing under the authority of the person in charge or the person in charge
of treatment” in the following terms:

“The person in charge of the treatment and any person acting under the authority of the person in charge
or the person in charge and has access to personal data may only process said data following
instructions of the person in charge, unless they are obliged to do so under the Law of the
Union or of the Member States.


The person in charge of the treatment also has the obligation to collaborate with the
responsible for guaranteeing the rights of the interested parties and fulfilling the obligations
of the person in charge of the treatment in accordance with the provisions of the aforementioned article 28 of the
GDPR (and related).


Therefore, the data controller must establish clear modalities for
said assistance and give precise instructions to the person in charge of the treatment on how
comply with them adequately and previously document it through a contract or
or in another (binding) agreement and check at all times of the development of the

contract its fulfillment in the manner established therein.

In the present case, the intervening entities have formalized the corresponding
treatment contract, which includes the provisions of article 28 of the
RGPD, and have arranged the technical and organizational measures that must be applied and

maintain the entity in charge of the treatment.

It is concluded, therefore, that the facts that determined the opening of the
sanctioning procedure, in relation to the access and treatment of data by
part of Accurate Fund, Inc. and Amazon Development Center (India) Private

Limited, are not constitutive of an infringement of the provisions of article 7 of the
RGPD, in relation to article 6.1.a) of the same Regulation.


                                            IV


The RGPD, as a common standard and directly applicable to the Member States
of the European Union, establishes a system of protection in those cases in which
that the international transfer of personal data covered by your
regulation. The purpose of this system is to guarantee that the protection

granted by the community standard is not diminished by the export of said data to
countries outside the European Union.

The general principle of this protection system, established in article 44 of the
RGPD, is that the data can only be exported if, on the one hand, the

treatment object of the transfer is lawful and complies with the provisions of the RGPD and,
on the other, if it complies with the conditions established in Chapter V of the same
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 48/64









legal text (articles 44 to 50).

Article 45 of the RGPD establishes, as a main rule, that a
transfer of personal data if the country, territory or international organization

addressee guarantees an adequate level of protection recognized by a decision of
adequacy dictated by the European Commission.

In the absence of said adequacy decision, article 46 of the RGPD authorizes

carry out transfers if the person in charge or the person in charge had offered guarantees
adequate. These adequate guarantees, which can materialize through a
series of instruments referred to in the same article, are subdivided in turn into two
groups: those to which the RGPD itself grants the nature of adequate guarantee

by themselves, and those who will additionally need the authorization of the
competent control authority.

The following scenario contemplated by the RGPD, in the absence of a decision to

adequacy and adequate safeguards (including binding corporate rules)
is to allow transfers to be made if any of the conditions
stated in article 49.1. of the RGPD, which establishes the following:

"one. In the absence of an adequacy decision in accordance with Article 45(3),

or adequate guarantees in accordance with article 46, including corporate rules
binding, a transfer or set of transfers of personal data to a third party
country or international organization will only be carried out if any of the
following conditions:

a) the data subject has explicitly consented to the proposed transfer, after
have been informed of the possible risks to him of such transfers due to the

absence of an adequacy decision and adequate guarantees;

b) the transfer is necessary for the execution of a contract between the interested party and the
responsible for the treatment or for the execution of pre-contractual measures adopted to
request of the interested party;

c) the transfer is necessary for the conclusion or execution of a contract, in the interest of the
interested party, between the data controller and another natural or legal person;


d) the transfer is necessary for important reasons of public interest;

e) the transfer is necessary for the formulation, exercise or defense of
claims;

f) the transfer is necessary to protect the vital interests of the interested party or of other

persons, when the interested party is physically or legally incapable of giving his
consent;

g) the transfer is made from a public registry which, in accordance with Union Law
or of the Member States, is intended to provide information to the public and is open to
consultation of the general public or of any person who can prove a legitimate interest,
but only to the extent that, in each particular case, the conditions that
establishes the Law of the Union or of the Member States for consultation.


When a transfer cannot be based on the provisions of articles 45 or 46,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 49/64








including the provisions on binding corporate rules, and no applicable
of the exceptions for specific situations referred to in the first paragraph of the
this section, it can only be carried out if it is not repetitive, affects only a number
limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued

by the person in charge of the treatment over which the interests or rights do not prevail and
freedoms of the data subject, and the data controller assessed all the circumstances
concurrent in the transfer of data and, based on this evaluation, offered guarantees
appropriate with respect to the protection of personal data. The data controller
will inform the control authority of the transfer. In addition to the information they do
reference to articles 13 and 14, the data controller shall inform the interested party of the
transfer and the compelling legitimate interests pursued.


In this case, as already stated in Basis of Law III, the prior process
background check requests the consent of the interested parties for the
communication of data to the merchants Accurate Background, Inc. and Amazon
Development Center (India) Private Limited. When these companies are located

in the United States and India, respectively, there would be a transfer
international data collection for whose execution it would be necessary to comply with the requirements
that around this figure establishes the RGPD.

In addition, the service contract that AMAZON ROAD and the participants in the

program “***PROGRAMA.1” sign, in its clause 13(b), refers to the
issue of international transfers as follows:

“You consent to Amazon and any Related Entities (as
such term is defined below) carries out the transfer of “personal data
personal” (in the sense provided for in the General Data Protection Regulation –
Regulation (EU) 2016/679 and Organic Law 15/1999, of December 13, on the Protection of

Personal Data relating to you to any Related Entity located outside the
European Economic Area (the “EEA”) to promote the legitimate interests of Amazon and/or
any Related Entity […] “Related Entity” is understood as the “holding company”
of Amazon, any “affiliated company” or an affiliate of its holding company.”

From this it seems to be inferred, in principle, that the entity claimed intends to

base the international transfer of personal data on the figure of the
consent of the interested party, which article 49.1.a) of the RGPD configures as a
of the conditions that, exceptionally, allow transfers to be made
in the absence of an adequacy decision and adequate guarantees.


Now, for this circumstance to occur, this consent must
not only comply with the general requirements that the RGPD imposes in relation to the
consent (free, informed, specific and unequivocal), but would also have
to be granted explicitly and the information to be provided in advance
should refer to the risks for the interested party about the realization of

an international transfer in the absence of adequacy decision and guarantees
adequate.

The additional requirement that consent in this circumstance be

formality of being explicit is equivalent, in accordance with Guidelines 5/2020 of the Committee
European Data Protection, to make an express declaration of the
consent. The most obvious way would be to make a written declaration,
although in the digital or online environment forms can be enabled that could

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 50/64








valid explicit consent, such as filling out an electronic form
or use the electronic signature. Likewise, in the case of web pages, this

explicit consent could be collected by inserting some boxes with the options
to accept and not accept together with a text referring to consent that is clear to
the interested party, provided that appropriate security measures are adopted for the environment in which
which consent is given.


In this case, taking into account what has been stated about the requirements that the
consent, in the agreement to open the procedure an analysis of the
clauses of the contract in reference to international transfers (clause
13.b), resulting in the requested consent not being in accordance with the provisions of
the RGPD, taking into account the indefinite information provided to the interested parties and that

only the final acceptance of the clauses of the contract is enabled. For this reason,
said opening agreement contains an imputation for infraction of what is established in
article 49.1 of the RGPD, typified in article 83.5 of the same norm.

Subsequently, on the occasion of the processing of allegations at the opening, AMAZON ROAD

has stated that the international transfers it makes to companies in the
group or its suppliers located outside the EEA are not based on the
consent of the interested party and comply with the guarantees required by the RGPD.

And it points out in this regard that it has signed with each entity the corresponding

standard contractual clauses approved by the European Commission through Decision
2010/87/UE, of February 5, 2010, relative to the standard contractual clauses for the
transfer of personal data to those in charge of the treatment established in
third countries, in accordance with Directive 95/46/CE, which constitute a
of the guarantees that can be offered by data controllers in accordance with

the provisions of article 46 of the RGPD.

In addition, it has proven that Accurate Background Inc, since 08/11/2016, was a
Entity adhered to the EU-US Privacy Shield.


With the allegations to the opening, it has provided the commission contracts of the
treatment, the standard clauses signed and the measures that must be applied. sayings
standard contractual clauses correspond to those approved by the Commission
European through Decision 2010/87/EU.


As stated above, article 46 of the RGPD admits that they may
international transfers, without requiring any authorization
of a control authority, when the person in charge or the person in charge offers
adequate guarantees. This article establishes the following:

“Article 46. Transfers through adequate guarantees

1. In the absence of a decision pursuant to Article 45(3), the controller or processor
treatment may only transmit personal data to a third country or international organization
if it had offered adequate guarantees and provided that the interested parties have
enforceable rights and effective legal actions.

2. Adequate guarantees in accordance with paragraph 1 may be provided, without
requires no express authorization from a control authority, by:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 51/64








[…]

d) standard data protection clauses adopted by a supervisory authority and approved
by the Commission in accordance with the review procedure referred to in Article 93,

section 2;

[...]”.

This would be the case of transfers covered by the guarantees provided
for contracts based on the standard contractual clauses of the Decision

2010/87/EU, such as those signed by AMAZON ROAD, which remain in force.

The Execution Decision (EU) 2021/914, of the Commission, of June 4, 2021, which
approves the new standard contractual clauses for the transfer of data

data to third countries in accordance with the RGPD, establishes a period of
transitory validity for contracts concluded within the framework of decision 2010/87/EU
until 09/27/2022 (this decision is repealed with effect from 09/27/2021, but
contracts concluded before this date are considered to offer guarantees
adequate in the sense of article 46.1 of the RGPD until 09/27/2022, provided that

the treatment operations that are the object of the contract remain unchanged
and that the standard contractual clauses guarantee that the transfer of data
is subject to adequate guarantees - Article 4 of the Execution Decision
(EU) 2021/914).


Consequently, in accordance with the foregoing, international transfers
object of the actions do not require the interested party to give their consent, since
that this consent only operates, according to article 49.1.a) of the RGPD, as a
exception that would enable to carry out this transfer in the absence of a decision

specific adequacy and adequate guarantees in accordance with article 46
of the same regulation.

It is appropriate to conclude, therefore, that the facts that determined the opening of the
sanctioning procedure, in relation to international transfers that

AMAZON carries out within the framework of the “***PROGRAMA.1” program, they are not
constituting an infringement of the provisions of article 49.1 of the RGPD.



                                            v

In the event that there is an infringement of the provisions of the RGPD, between the
corrective powers available to the Spanish Data Protection Agency,
as a control authority, article 58.2 of said Regulation contemplates the

following:

“2 Each control authority will have all the following corrective powers indicated below:
continuation:
(…)
b) sanction any person responsible or in charge of the treatment with a warning when the
treatment operations have violated the provisions of this Regulation;”
(...)

d) order the person responsible or in charge of the treatment that the treatment operations be
comply with the provisions of this Regulation, where appropriate, of a given
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 52/64









manner and within a specified time;
(…)
i) impose an administrative fine under article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;".


According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d)
above is compatible with the sanction consisting of an administrative fine.



                                              SAW

The exposed facts do not comply with the provisions of article 6.1 of the RGPD, in
relation to article 10 of the same law, as well as article 10 of the
LOPDGDD, in relation to the processing of personal data related to convictions and

criminal offences, which supposes the commission of an infraction typified in the
article 83.5 of the RGPD and in article 71 of the LOPDGDD.

Article 83 of the RGPD, under the heading "General conditions for the imposition of

administrative fines” provides the following:

"5. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a
company, of an amount equivalent to a maximum of 4% of the total annual turnover

of the previous financial year, opting for the highest amount:

a) the basic principles for the treatment, including the conditions for the consent to
tenor of articles 5, 6, 7 and 9”.

Likewise, article 71 of the LOPDGDD states that "Infractions are those

acts and conduct referred to in sections 4, 5 and 6 of article 83 of the
Regulation (EU) 2016/679, as well as those that are contrary to this law
organic.”


For its part, article 72.1 of the LOPDGDD considers as "very serious", for the purposes of
of the limitation period for infractions:

"one. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose a

substantial violation of the articles mentioned therein and, in particular, the following:

b) The processing of personal data without the concurrence of any of the conditions of legality of the
treatment established in article 6 of Regulation (EU) 2016/679.

[…]

f) The processing of personal data related to convictions and criminal offenses or measures of

related security outside the cases allowed by article 10 of the Regulation (EU)
2016/679 and in article 10 of this organic law.

[...]”.

In order to determine the administrative fine to be imposed, the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 53/64









provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:

"one. Each control authority will guarantee that the imposition of administrative fines with

in accordance with this article for the infringements of this Regulation indicated in the
sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each case
individually, in addition to or as a substitute for the measures referred to in article 58,
section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount

In each individual case, due account shall be taken of:
a) the nature, seriousness and duration of the offence, taking into account the nature,
scope or purpose of the treatment operation in question as well as the number of
affected parties and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to alleviate the
damages suffered by the interested parties;

d) the degree of responsibility of the data controller or processor, taking into account
of the technical or organizational measures that they have applied by virtue of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular if the
The person responsible or the person in charge notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, section 2, have been ordered
previously against the person in charge or the person in charge in question in relation to the same
matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or certification mechanisms

approved under article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as
financial benefits obtained or losses avoided, directly or indirectly, through
the infraction”.

For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD

has:

"one. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU)
2016/679 will be applied taking into account the graduation criteria established in the

section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, also
may be taken into account:

a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of data processing
personal.

c) The profits obtained as a result of committing the offence.
d) The possibility that the conduct of the affected party could have induced the commission of the crime.
infringement.
e) The existence of a merger by absorption process subsequent to the commission of the infraction,
that cannot be attributed to the absorbing entity.
f) Affectation of the rights of minors.

g) Have, when not mandatory, a data protection delegate.
h) Submission by the person in charge or person in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which there are
controversies between them and any interested party”.

28001 – Madrid 6 sedeagpd.gob.es, 54/64









In this case, considering the seriousness of the infringement found, the
imposition of a fine and, where appropriate, the adoption of measures. In this regard, the fine

imposed must be, in each individual case, effective, proportionate and
dissuasive, in accordance with the provisions of article 83.1 of the RGPD.

In accordance with the precepts indicated, in order to set the amount of the penalties
to impose in the present case, it is considered appropriate to graduate the fines of
according to the following criteria:


1. Infringement of article 6.1 of the RGPD in relation to article 10 of the same
standard, as well as article 10 of the LOPDGDD, typified in article 83.5.a) and in the
Article 71 of the LOPDGDD, and classified as very serious for the purposes of prescription in
Article 72.1 of the LOPDGDD:


The following graduation criteria are considered concurrent as aggravating:

    . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the
    infringement, taking into account the nature, scope or purpose of the operation
    of treatment in question as well as the number of interested parties affected and the

    level of damages they have suffered.

         . The nature and seriousness of the infringement, taking into account the nature of the
         personal information to which the offending conduct refers.


         . The duration of the infringement, considering the period during which
         AMAZON ROAD required carriers to provide a certificate of absence of
         criminal record.
         In addition, the infraction that is sanctioned has the character of an infraction
         permanent, considering that its effects are maintained over time

         beyond the initial act and throughout the duration of the offending conduct.
         With the collection and preservation of the certificate of absence of criminal records
         penalties creates an unlawful state that lasts over time, whose
         cessation depends on who commits the infraction. On this concept,
         Judgment of 05/27/2006, the TS has declared that "they constitute infractions
         those unlawful conducts that persist over time and do not

         are exhausted with a single act, determining the maintenance of the situation
         unlawful at the will of the author, case of development at the time of
         activities without the required authorizations and other similar assumptions.

         In relation to this graduation factor, the respondent has argued that the

         negative certificates were kept for 90 days to carry out the
         verification, so currently and since May 2020 (three months
         after suspending the collection of these certificates in March 2020),
         does not have any data of this type. As proof, it provides a “certification” of
         Accurate Background, of 01/19/2022, in which it declares that any data

         relative to the candidates of the program “***PROGRAMA.1” is eliminated at 90
         days, according to the instructions of the Amazon account. So understand that
         entity that the infringement cannot be classified as permanent.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 55/64








         However, these circumstances do not conform to the findings made
         manifested in the proceedings, nor had they been manifested by AMAZON
         ROAD previously. The only instructions given by that entity to

         Accurate Background on the treatment of the data are those that consist
         in the treatment contract, which, in terms of the
         conservation of the data, stipulate that the person in charge of the treatment
         return all the personal data to the person in charge or proceed to its
         destruction at the termination of the contract, at the choice of the person responsible for the
         treatment, and that the personal data will be treated by the person in charge of the

         treatment during the term of the services.

         In addition, as it was a requirement that conditioned the hiring, since
         the claimant knows that carriers adhering to the program
         “***PROGRAMA.1” do not have a criminal record.


         In any case, the infraction would not lose its permanent character, in the
         extent to which it has been occurring since AMAZON ROAD received the
         “transport operator business” and succeeded Amazon Spain Fulfillment,
         S.L.U. in all legal relationships affected by said business, after the
         split that took place on 06/28/2019.


         . The number of interested parties: the treatment operations that incur the
         indicated infraction derive from a general procedure established by the
         claimed that affects all applicants to participate in the program
         “***PROGRAMA.1”, with respect to which the certificate of

         criminal record.

         The respondent has stated that the processing of data related to the
         negative criminal record certificates only affected 16.76%
         of all registered last-mile drivers in Spain, at

         represent the program “***PROGRAM.1” a small proportion of the
         transport providers that deliver in Spain (they have never
         exceeded 5%). However, it does not provide any evidence in this regard or detail
         how much are those affected that are included in such percentages.

         In the allegations to the proposal, the respondent insists on the figures

         indicated, but without providing any evidence and without specifying the number of
         affected that supposedly represent these percentages, despite the fact that
         this lack of justification and detail was already evident in the proposal for
         resolution.


         . The level of damages suffered by the interested parties, to the extent
         that the processing of data relating to criminal records has
         conditioned their hiring options and has increased the risks
         about your privacy.


         Regarding this aggravating factor, AMAZON ROAD points out that requiring the
         negative criminal record certification has not harmed the
         participants in the program because it contracted with all the carriers that
         they had that document, which implies, on the contrary, that he did not hire

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 56/64








         those who did not have such a document when they applied for the job;
         Likewise, it does not consider possible interested parties who could choose not to
         attend the program for this reason.


         Nothing alleges, however, about the intrusion into the privacy of the interested parties
         and the risks that this certificate represents for it.

    . Article 83.2.b) of the RGPD: "b) the intention or negligence in the infringement".


    The negligence found in the commission of the offence, taking into account that
    the requirements demanded by the claimed entity to the carriers go beyond
    of what is required by the regulations governing the transport of goods.

    This circumstance, in addition to the meanings in the previous section, highlight

    manifest the negligent action of AMAZON ROAD. In this regard, one has
    taking into account what was declared in the Judgment of the National High Court of 10/17/2007 (rec.
    63/2006) that, based on the fact that these are entities whose activity has
    coupled with continuous data processing, indicates that “…the Supreme Court
    has come to understand that recklessness exists whenever a duty is neglected
    legal care, that is, when the offender does not behave with due diligence

    required. And in assessing the degree of diligence, it must be weighed
    especially the professionalism or not of the subject, and there is no doubt that, in the
    case now examined, when the activity of the appellant is constant and
    abundant handling of personal data, it must be insisted on the rigor and
    exquisite care to adjust to the legal precautions in this regard”.


    It is a company that processes personal data in a
    systematic and continuous and that it must take extreme care in the fulfillment of its
    data protection obligations.


    AMAZON ROAD questions the negligence appreciated in the commission of the
    infraction and considers, even, that his action cannot be branded as
    reckless or irresponsible, but diligent and worthy of being valued as
    a mitigating factor, having accommodated his behavior to the interpretation of the
    data protection regulations arising from the Agency itself and from the courts
    of Justice.


    According to said entity, it began to require certificates of absence of
    criminal record before the Agency had a clear criterion,
    consolidated, express and public in this regard, which, moreover, does not coincide with that of
    other data protection authorities; and before it was issued

    Judgment of the National Court of February 10, 2020; having ceased
    in this collection of the certificate as soon as it became aware of the existence of a criterion
    Contrary to the interpretation that, in good faith, it understood appropriate to the activities
    that were going to take place.


    Likewise, it alleges in this regard that there were resolutions of the Agency itself that
    endorsed the interpretation that Amazon Road made of article 10 of the RGPD;
    made a telephone inquiry to the Ministry of Justice which, informally,
    endorsed said proposal; that the literal interpretation of article 10 of the RGPD and 10

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 57/64








    of the LOPDGDD suggested that these articles do not refer to any data
    related to criminal records, but data related to convictions and
    criminal offenses; that this interpretation is supported by other jurisdictions;

    and it was in accordance with the previous regulations on data protection; and what in
    March 2020 suspended the treatment of such negative certificates.

    AMAZON ROAD's claim cannot be accepted. Understand this Agency
    that the diligence must be deduced from conclusive facts, which
    duly accredited and directly related to the elements that

    constitute the infraction in the current regulations, in such a way that it can be deduced
    that it has occurred despite all the means provided by the
    responsible to avoid it.

    In this case, this Agency does not understand that the arguments defended by the

    claimed entity have that character.

    Said entity does not explain how it can be accepted that its conduct has been diligent
    for being adjusted to a regulation that is not in force, in the event that it were so, that
    it is not. In the foundations of this resolution it has already been explained that the
    Previous regulations already contemplated the prohibition of processing personal data

    relating to criminal offences, with express reference to Directive 95/46/EC and
    to Convention No. 108 of the Council of Europe. The repealed Organic Law 15/1999,
    of December 13, on the protection of personal data, in its article
    7.5, established that these data could only be recorded in records of the
    Competent Public Administrations.


    Nor does AMAZON ROAD explain what other jurisdictions have endorsed its
    “interpretation” of the applicable norms.

    It is even less acceptable to defend that diligence on the basis of a supposed consultation

    that the respondent entity itself qualifies as "informal". Facing it,
    The RGPD has provided for a mechanism such as "prior consultation" so that the
    Those responsible can consult the supervisory authority before carrying out a
    high-risk data processing.

    It is confirmed, on the other hand, that the suspension in the collection of the

    criminal record certificates was adopted in March on a temporary basis,
    but for reasons other than those stated. This decision was made by the
    state of alarm situation and the difficulty of obtaining repeated certificates
    during this period.


    Nothing is said, on the other hand, about the previous analyzes carried out to determine the
    feasibility of data processing and its legal basis; nothing about the risks
    entails and the impact assessments carried out; and not about the
    weighting of interests at stake that requires data processing based on
    in the legitimate interest of the controller.


    AMAZON ROAD has generally sought to reduce the issue raised, also
    in relation to diligence, to an interpretive question of the norm, but
    omitting substantial aspects of it that would also determine the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 58/64








    unlawfulness of the processing of personal data, even if the "interpretation"
    of the claimed. It does not deny that personal data is processed, but it omits that the
    The processing of these data requires in any case a legal basis and omits

    also all the arguments that are exposed in this respect in the
    Legal foundations of this act. According to these arguments,
    sufficiently developed, which have been completely ignored by
    AMAZON ROAD, it cannot be concluded that the actions of this entity have been
    diligent.


    . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the
    data processor, taking into account the technical or organizational measures
    that they have applied by virtue of articles 25 and 32”.

    The imputed entity does not have adequate procedures in place for

    performance in the collection and processing of personal data, in what
    refers to the collection and processing of personal data of carriers
    applicants to participate in the program "***PROGRAMA.1", so that the
    infringement is not the consequence of an anomaly in the functioning of said
    procedures but a defect in the personal data management system
    designed by the person in charge. Said procedure was adopted by the respondent to

    own initiative establishing requirements that exceeded the forecasts
    applicable regulations.

    In the opinion of AMAZON ROAD, the infringement results from an interpretation of the
    standard and has nothing to do with the personal data management system

    designed by the same, and adds that in his previous writings he exposed the
    technical and organizational measures implemented. However, what is here
    values has to do, as has been well expressed above, with the decision
    adopted by the claimed entity itself, within its scope of responsibility,
    include the collection of the criminal record certificates in question between the

    documentation that a participant in “***PROGRAMA.1” had to provide. The
    infringement responds, therefore, to a procedural decision and not to a
    point anomaly. As has been said, that decision is taken beyond what
    required by the regulatory framework that regulates the activity of contractors.

    . Article 83.2.g) of the RGPD: “g) the categories of personal data

    affected by the infringement.

    Personal data related to convictions and
    criminal offences, a category especially deserving of guarantees.


    AMAZON ROAD alleges that the data processing related to the
    negative criminal record certificates cannot be compared with the
    processing of data on convictions and criminal offenses. In this regard, we
    we refer to what is expressed in the Law Foundations of this act.


    . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender
    with the processing of personal data”.

    The high link between the activity of the offender and the performance of treatment

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 59/64








    of personal data, considering the level of implementation of the entity and the
    activity that it develops, in which the personal data of thousands of

    of interested parties, whether they are clients receiving the shipment, employees or
    self-employed contractors. This circumstance determines a higher degree of
    demand and professionalism and, consequently, of responsibility of the
    entity claimed in relation to the processing of the data.


    The respondent points out in this regard that her activity is related to the
    logistics, as a transport operator, and not with the exploitation of databases.
    However, this fact does not contradict the circumstances considered in the
    previous paragraph, which entail the requirement of a high degree of
    professionalism in the treatment of personal data.


    The same can be said, specifically, in relation to data processing
    in the workplace, considering the number of employees available and
    professionals who serve you.


    Nothing to do with the precedent that he cites in his allegations, referring to a
    company with a single client, compared to the thousands served by AMAZON ROAD.

    . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor
    applicable to the circumstances of the case, such as the financial benefits obtained

    or losses avoided, directly or indirectly, through the infringement”.

    AMAZON ROAD's status as a large company and volume of business. consists
    in the actions that said entity has the status of (...).


    AMAZON ROAD requests that this aggravating circumstance be assessed based on
    the figures for the 2019 financial year, lower than those offered in 2020, but it does not consider
    said entity that the period of development of operations in 2019 is less than
    six months, counted from the date you received from Amazon Spain Fulfillment,
    S.L.U. the transport operator business. Extrapolating the 2019 figures to a

    period of one year, the differences with 2020 are not significant.

Considering the exposed factors, the valuation reached by the fine, for the
Violation of article 6.1 of the RGPD in relation to article 10 of the same rule,
as well as article 10 of the LOPDGDD, is 2,000,000 euros (two million

euros).

None of the considered graduation factors is attenuated by the fact that
that the claimed entity has not been subject to a sanctioning procedure with
previously, a circumstance that has been alleged by the claimed entity so that

be considered a mitigating factor.

In this regard, the AN Judgment of 05/05/2021, rec. 1437/2020, indicates:

“Considers, on the other hand, that the non-commission of a crime should be considered as mitigating
previous offense. Well, article 83.2 of the RGPD establishes that it must be taken into account
for the imposition of the administrative fine, among others, the circumstance "e) any infraction

committed by the person in charge or the person in charge of the treatment". This is a
aggravating circumstance, the fact that the budget for its application does not concur
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 60/64








entails that it cannot be taken into consideration, but does not imply or allow, as intended
the plaintiff, its application as a mitigating factor.”

According to the aforementioned article 83.2 of the RGPD, when deciding to impose a fine

administrative and its amount must take into account "all previous infractions committed
by the person responsible”. It is a normative provision that does not include the inexistence of
previous infractions as a grading factor of the fine, which must
be understood as a criterion close to recidivism, although broader.


The same can be said regarding the absence of benefits also alleged as
mitigation by the entity claimed. On this criterion, article 76.2 of the
LOPDGDD, in its letter c), includes among the criteria that must be weighed when
set the amount of the sanction "the benefits obtained as a result of the
commission of the infraction” and not the absence of these benefits. The same sentence of
the aforementioned National Court, of 05/05/2021, refers to the need for

the "budget" in fact contemplated in the norm so that a
certain graduation criterion, and, as has been said, the absence of benefits does not
is among the circumstances regulated in the cited article.

This graduation criterion is established in the LOPDGDD in accordance with the provisions

in article 83.2.k) of the RGPD, according to which administrative fines will be imposed
taking into account any “aggravating or mitigating factor applicable to the
circumstances of the case, such as the financial benefits obtained or the losses
avoided, directly or indirectly, through the infraction”, it being understood that avoiding
a loss has the same nature for these purposes as a gain.


If we add to this that the sanctions must be effective "in each individual case",
proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD,
admitting the absence of benefits as a mitigating factor is not only contrary to the
presuppositions of facts contemplated in article 76.2.c), but also contrary to
what is established in article 83.2.k) of the RGPD and the indicated principles.


Thus, assessing the absence of benefits as a mitigating factor would nullify the effect
dissuasive of the fine, to the extent that it reduces the effect of the circumstances that
effectively affect its quantification, reporting to the person in charge a benefit to the
that has not been deserved. It would be an artificial reduction of the sanction that can

lead to understand that violating the norm without obtaining benefits, financial or of the type
Whatever it may be, it will not produce a negative effect proportional to the seriousness of the act
offender.

In any case, the administrative fines established in the RGPD, in accordance with the
established in its article 83.2, are imposed based on the circumstances of each

individual case and, at present, the absence of benefits is not considered to be a
adequate and decisive grading factor to assess the seriousness of the behavior
offending Only in the event that this absence of benefits is relevant to
determine the degree of unlawfulness and culpability present in the specific
infringing action may be considered as a mitigating action, in application of article

83.2.k) of the RGPD, which refers to “any other aggravating or mitigating factor
applicable to the circumstances of the case.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 61/64








Regarding the fact that the defendant has not been sanctioned previously, in its
latest allegations, cites three precedents in which this Agency has considered
this circumstance as an extenuating circumstance. One of these precedents is also invoked

to request that the non-obtaining of any benefit by the
claimed facts.

In this regard, the provisions of article 35.1.c) of Law 39/2015 are considered,
of October 1, of the Common Administrative Procedure of the Administrations
Public, according to which an administrative act can be separated from the criteria followed in

preceding actions, provided that said decision is properly motivated

On the other hand, in order for it to be considered a mitigating circumstance,
the respondent has stated that the processing of data object of the claim was
suspended in March 2020 and has not been resumed. On this matter, you should

It should be noted that the aforementioned entity has not provided any evidence; that said decision
confirmed, it would have been adopted with the prior intervention of the AEPD and for reasons
of the claim that has motivated the actions; and that is insufficient for
“to remedy the infringement and mitigate the possible adverse effects of the infringement”,
according to the terms of article 83.2.f) of the RGPD, or “to mitigate the damages
suffered by the interested parties”, according to section 2.c) of the same article. Can not

be understood as mitigating, in no case, the cessation of the offending behavior
of the legal system. Mitigate adverse effects or mitigate damages
caused imply actions greater than the mere cessation of the conduct, to the
effects of restoring, to the extent possible, the rights of the interested parties.


AMAZON ROAD insists on this fact in the written arguments for the proposal,
clarifying that this decision was motivated by the circumstances of the moment, in
express reference to the pandemic situation, and that this was communicated to users
of the program “***PROGRAMA.1” by email in March 2020.


It also points out that said temporary suspension became definitive after
know the Judgment of 02/10/2020, issued by the Social Chamber of the High Court
Nacional, without specifying when that decision was made; and that all this happened before the
opening of the sanctioning procedure.

Provides a copy of the mail supposedly sent to the carriers in March, but

no proof of its effective shipment. In any case, it should be noted that, according to
expressed in the text of the email provided, the temporary suspension of the collection of the
criminal record certificate is adopted due to the impossibility of obtaining it due to
to the state of alarm. In this same email, the recipients are summoned to provide the
criminal record certificate within 60 days (“However, you must

upload this document within 60 days from the end of the registration in
***PROGRAM.1. If after this period you have not uploaded the document, you will no longer be
eligible to participate in the program ***PROGRAM.1”).

It should also be noted that AMAZON ROAD, in the response letter to the transfer

of the claim, dated 06/30/2020, still qualified that suspension as
temporary. Then, the decision not to collect those certificates is made once
known the claim through this Agency.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 62/64









                                          7th


The infraction committed may lead to the imposition of the person responsible for the adoption of
appropriate measures to adjust their actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, according to the
which each control authority may “order the person in charge or in charge of the
treatment that the treatment operations comply with the provisions of the
this Regulation, where appropriate, in a certain way and within a

specified period […]”.

Thus, it is appropriate to require the responsible entity so that, within the period indicated in
the operative part, adapt to the personal data protection regulations the
treatment operations that it carries out and the information that it provides to the interested parties,

with the scope expressed in the Legal Basis of this agreement.

Specifically, it is appropriate to require AMAZON ROAD to cease the conduct
offender, regarding the requirement of a certificate of absence of criminal record
penalties for applicants in the program “***PROGRAMA.1”; correct the effects of
the infraction that had been committed, which entails the suppression of all the

information regarding said certificates that could have been provided by the
contracted or would-be carriers; and the necessary adaptation is carried out, in
this case, to the requirements contemplated in articles 6.1 of the RGPD, in relation to
with article 10 of the same norm, and article 10 of the LOPDGDD.


The entity claimed affirms that it does not collect the negative certificates of the
participants in the program “***PROGRAMA.1” since March 2020 and that neither
keeps said certificates, alleging that they were only kept for 60 days
from the background check. However, he has not provided any
documentation in this regard that proves that you have actually adopted these

measures, having eliminated this requirement in the selection processes that follow
nowadays. Thus, it does not appear in the proceedings that he has rectified the information
regarding these processes or the registration process in your mobile application, the contract
that is signed with the interested parties, etc.

Regarding the elimination of criminal record certificates after 90 days, it has already been

has previously said that this supposed elimination does not conform to the
stipulations that appear in the contracts signed by AMAZON ROAD with the
in charge of the treatment, who is entrusted with the function of collecting and analyzing the
documentation of applicants to the program “***PROGRAMA.1”. Not included or provided
accredited that AMAZON ROAD has modified its initial instructions to

respect.

On the other hand, said entity must make the appropriate clarifications in the
information on the protection of personal data that it provides to users
stakeholders, in relation to the nature attributed to the intervention in the

data processing by Accurate Background, Inc. and Amazon
Development Center (India) Private Limited and on the circumstances serving as
based on international data transfers.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 63/64








AMAZON ROAD must also provide the means of proof of compliance
of what is required.


In this regard, it is noted that failure to comply with the requirements of this
organism can be considered as a serious administrative infraction to “not
cooperate with the Control Authority” in the face of such requirements, and may be assessed
such conduct at the time of opening an administrative sanctioning procedure
with a pecuniary fine.



Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE the entity AMAZON ROAD TRANSPORT SPAIN, S.L., with
CIF B88405303, for an infringement of article 6.1 of the RGPD, in relation to the
article 10 of the RGPD and article 10 of the LOPDGDD, typified in article 83.5
of the RGPD and in article 71 of the LOPDGDD, and qualified as very serious for the purposes
of prescription in article 72.1 of the LOPDGDD, a fine of 2,000,000 euros
(Two millions of euros).


SECOND: DECLARE the non-existence of infractions in relation to the imputation
to the entity AMAZON ROAD TRANSPORT SPAIN, S.L. of a possible violation of
what is established in articles 7 and 49.1 of the RGPD.


THIRD: REQUEST the entity AMAZON ROAD TRANSPORT SPAIN, S.L., to
that, within a period of one month, counted from the notification of this resolution,
adapt to the personal data protection regulations the operations of
treatment that it carries out and the information that it facilitates to the interested parties, with the scope
expressed in Legal Basis VII of this resolution. Within the specified period,

AMAZON ROAD TRANSPORT SPAIN, S.L. must justify before this Agency
Spanish Data Protection the attention of this requirement.

FOURTH: NOTIFY this resolution to the entity AMAZON ROAD
TRANSPORT SPAIN, S.L.


FIFTH: Warn the sanctioned party that he must make the imposed sanction effective once
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved

by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, through its entry, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency
Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case

Otherwise, it will be collected in the executive period.

Received the notification and once executed, if the date of execution is
between the 1st and 15th of each month, both inclusive, the term to make the payment

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 64/64








voluntary will be until the 20th day of the following month or immediately after, and if
between the 16th and last day of each month, both inclusive, the payment term

It will be until the 5th of the second following month or immediately after.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


In accordance with the provisions of article 76.4 of the LOPDGDD and given that the
amount of the sanction imposed is greater than one million euros, it will be subject to
publication in the Official State Gazette of the information that identifies the offender, the
offense committed and the amount of the penalty.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly

contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the

aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through
Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the

documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would end the precautionary suspension.

                                                                                   938-231221
Sea Spain Marti

Director of the Spanish Data Protection Agency













C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es