AEPD (Spain) - PS/00267/2020: Difference between revisions

From GDPRhub
Line 32: Line 32:
|GDPR_Article_4=Article 49 GDPR
|GDPR_Article_4=Article 49 GDPR
|GDPR_Article_Link_4=Article 49 GDPR
|GDPR_Article_Link_4=Article 49 GDPR
|GDPR_Article_5=Article 46 GDPR
|GDPR_Article_Link_5=Article 46 GDPR




Line 90: Line 92:
Lastly, the Spanish DPA addressed international transfers. Since both processors (Amazon India and Accurate Background Inc) were located outside the EEA (in India and the USA, respectively), there was an internacional transfer of data. For this, Amazon relied on data subjects' consent. In accordance with [[Article 49 GDPR|Article 49(1) GDPR]], the data subject's consent shall be explicit, and the data subject must be informed about the possible risks of the transfer. Consent shall also be given as required by [[Article 7 GDPR]]. Therefore, since consent was not valid, given the fact that it was included in the contract, without an option for refusing, it was not specific and there was no information about the risks.
Lastly, the Spanish DPA addressed international transfers. Since both processors (Amazon India and Accurate Background Inc) were located outside the EEA (in India and the USA, respectively), there was an internacional transfer of data. For this, Amazon relied on data subjects' consent. In accordance with [[Article 49 GDPR|Article 49(1) GDPR]], the data subject's consent shall be explicit, and the data subject must be informed about the possible risks of the transfer. Consent shall also be given as required by [[Article 7 GDPR]]. Therefore, since consent was not valid, given the fact that it was included in the contract, without an option for refusing, it was not specific and there was no information about the risks.


Yet, Amazon alleged that they were not relying on consent, but they were using the SCCs, with technical and organisational measures, and Accurate Background Inc was adhered to the Privacy Shield. The Spanish DPA considered that this was in line with Article 46 GDPR, and therefore found no breach whatsoever in this respect.
Yet, Amazon alleged that they were not relying on consent, but they were using the SCCs, with technical and organisational measures, and Accurate Background Inc was adhered to the Privacy Shield. The Spanish DPA considered that this was in line with [[Article 46 GDPR]], and therefore found no breach whatsoever in this respect.


Accordingly, the Spanish DPA fined Amazon Road €2,000,000 for a violation of [[Article 6 GDPR]], [[Article 10 GDPR]] and [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 10 LOPDGDD] and ordered the controller to come into compliance.
Accordingly, the Spanish DPA fined Amazon Road €2,000,000 for a violation of [[Article 6 GDPR]], [[Article 10 GDPR]] and [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 10 LOPDGDD] and ordered the controller to come into compliance.
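Review bot: The unchanged context paragraph of this hunk still reads "there was an internacional transfer of data" in both revisions, so the edit that links [[Article 46 GDPR]] leaves the typo in place; correct it to "international" in the same revision. The changed sentence also reads "Accurate Background Inc was adhered to the Privacy Shield", which would be clearer as "had adhered to the Privacy Shield".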

Revision as of 09:53, 17 February 2022

AEPD (Spain) - PS/00267/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 7 GDPR
Article 10 GDPR
Article 49 GDPR
Article 46 GDPR
Article 10 LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 11.02.2022
Fine: 2000000 EUR
Parties: AMAZON ROAD TRANSPORT SPAIN, S.L.
Unión General de Trabajadores
National Case Number/Name: PS/00267/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined Amazon Road Transport Spain €2,000,000 for requesting that candidates provide a certificate of absence of criminal records. The Spanish DPA also determined that the controller's reliance on SCCs for the international transfer of data to the United States and India was valid.

English Summary

Facts

A Spanish union (Unión General de Trabajadores, 'UGT') filed a complaint with the Spanish DPA (AEPD) against Amazon Road Transport Spain (Amazon Road). The union reported that Amazon Road asked candidates in its hiring process to provide a criminal record certificate.

Amazon Road also asked for the candidates' consent so that Amazon and its related entities (Amazon) could transfer personal data outside the European Economic Area (EEA) to promote Amazon's legitimate interests. Such consent allowed a third party located in the United States (Accurate Background Inc) to process the data in order to verify the criminal records, and allowed the processing of data by one of the company's divisions in India for system support (Amazon Development Centre India - 'Amazon India'). The consent in the contract also stated it would exonerate Amazon of any responsibility, damages claims,

The Indian processor had an intragroup data transfer and processing agreement (IGA) with Amazon, while the other controller also had a data processing agreement (DPA) in place, that regulated, among others, international transfers between them and Amazon.

The IGA included SCCs, with technical and organisational measures for the controller to implement. The DPA relied again on the SCCs. Accurate Background Inc had also adhered to the Privacy Shield.

The candidates are meant to be self-employed transporters. To apply for the position, they must download an app called 'Amazon Delivery' and create an account, and the application then determines whether they are suitable to continue in the application process. In order to continue, they need to consent to the processing of data, including international transfers to the United States by Amazon, and to upload their certificate of absence of criminal records.

The international transfers clause and the consent to process their personal data as explained was included in the contract to be signed with Amazon, giving the applicants no other options but to accept.

Holding

First, the AEPD dismissed Amazon's argument that a certificate of absence of criminal records does not amount to processing of personal data relating to criminal convictions and offences because it does not contain such data. The authority considered that processing the absence of data relating to criminal convictions and offences constitutes information about the criminal convictions and offences related to a person. Therefore, a certificate of absence of criminal records constitutes personal data that shall not be processed except where permitted by Article 10 GDPR.

According to the AEPD, admitting Amazon's reasoning would amount to permitting that any entity could create a database of people with no criminal records.

The AEPD examined afterwards whether Amazon Road could have relied on one of the exceptions from Article 10 GDPR or Article 10 LOPDGDD (the Spanish Act implementing the GDPR). To be able to do this, there should have existed a law that permitted Amazon to process such data. However, the AEPD considered that there is no law or regulation whatsoever on which Amazon could rely for this kind of processing.

The authority also disregarded Amazon's allegations about its legal bases to process such data. Amazon mentioned the performance of the contract with the data subjects, its legitimate interest and the consent of the data subjects. However, none of these can overcome the prohibition from Article 10 GDPR. In addition, the AEPD noted that Amazon, which was relying on a legitimate interest, had not carried out the mandatory balancing test, had not provided the data subjects with information about its legitimate interest, and had not given them an option to object to the processing. A legitimate interest cannot be invoked a posteriori. Additionally, the authority considered that, in any case, the processing of such data would not have been strictly necessary to achieve Amazon's interest, since the minimization principle shall also be taken into account, as indicated in C-13/16 – Rigas Satiksme. 'Necessity' shall not be equated with 'usefulness' or 'desirability'. The impact on the data subject's rights and freedoms shall also be considered. In this case, the processing of data relating to criminal convictions and offences is to be considered particularly intrusive. Therefore, Amazon's legitimate interest would not have prevailed.

With regard to consent, it would not have been valid either, since it cannot be deemed to be freely given: candidates could not refuse to give consent without consequences, consent was included in the contract, and candidates could not consent separately to each particular processing operation. Additionally, Amazon did not offer proper information about the processing as Article 13 GDPR requires.

The Spanish DPA also analysed the positions of other DPAs (CNIL and AP) with respect to these practices. Finally, the authority considered that Amazon Road had breached Articles 6 and 10 GDPR, for processing personal data relating to criminal convictions and offences against the prohibition from Article 10 GDPR and without a legal basis.

The AEPD also evaluated the position of the three actors: Amazon Road, Accurate Background Inc and Amazon India. The AEPD considered that, given the DPA and IGA that were in place, respectively, Amazon Road was proved to be the controller and was thus responsible for the processing carried out by both processors, also taking into account Amazon Road's obligation to demonstrate compliance pursuant to Article 5(2) GDPR.

Lastly, the Spanish DPA addressed international transfers. Since both processors (Amazon India and Accurate Background Inc) were located outside the EEA (in India and the USA, respectively), there was an international transfer of data. For this, Amazon relied on data subjects' consent. In accordance with Article 49(1) GDPR, the data subject's consent shall be explicit, and the data subject must be informed about the possible risks of the transfer. Consent shall also be given as required by Article 7 GDPR. Therefore, consent was not valid, given that it was included in the contract without an option for refusing, it was not specific, and there was no information about the risks.

Yet, Amazon alleged that they were not relying on consent, but were using the SCCs, with technical and organisational measures, and that Accurate Background Inc had adhered to the Privacy Shield. The Spanish DPA considered that this was in line with Article 46 GDPR, and therefore found no breach whatsoever in this respect.

Accordingly, the Spanish DPA fined Amazon Road €2,000,000 for a violation of Article 6 GDPR, Article 10 GDPR and Article 10 LOPDGDD and ordered the controller to come into compliance.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: PS / 00324/2021

                 - RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
the following

                                   BACKGROUND


FIRST: A.A.A. (hereinafter, the complaining party) dated February 16, 2021
filed a claim with the Spanish Data Protection Agency.

The claim is directed against IZA OBRAS Y PROMOCIONES, S.A. with NIF
A48820229 (hereinafter, the claimed party).


The reason on which the claim is based is that the claimed entity has disclosed
health data of the claimant to another company, as well as their email address
personal, and all this without the consent of the claimant.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on March 16, 2021, said claim was transferred to
the claimed party, to proceed with its analysis and inform this Agency in the
period of one month, of the actions carried out to adapt to the requirements
provided for in the data protection regulations.

On April 13, 2021, a written response is received at this Agency
stating the following:


1.- On November 14, 2018, the Public Housing Business Entity-
Donostiako Etxegintza, awarded IZA a construction works contract in
Intxaurrondo.

2.- The claimant, an IZA employee, acts in said work by performing
temporarily the function of project manager.

3.- The claimant, maintaining his status as an employee, reported IZA to the
Public Housing Business Entity-Donostiako Etxegintza on July 14 and
September 2020 due to lack of assignment of human and material resources, between
others.

4.- In compliance with its power of control, the Public Business Entity of
Housing-Donostiako Etxegintza required IZA, in accordance with article 55 of the Law
39/2015 of the Common Administrative Procedure of Public Administrations,
information regarding the complaints filed.

5.- IZA receiving said communication, and in compliance with the obligation to
collaboration with the Administration, stated the relevant facts that would explain
the lack of assignment of material and human resources of the work, answering to
the complaints of the claimant. This information included information about the
claimant, justifying its referral in compliance with the legal obligation (Law
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10








39/2015) as well as in the prerogatives of Law 9/2017 on sector contracts
public.


6.- The submission of said information was considered confidential, following the
channels of Electronic Entry Registration, in accordance with the Law.
information held by the Public Housing Business Entity-Donostiako
Etxegintza, and outside IZA's protection channels, it reached the claimant,
as stated in your complaint.


7.- As a result of this, the breach protocol was activated, no data leak was detected
from IZA, requesting clarification in this regard from Entidad Pública Empresarial de
Housing-Donostiako Etxegintza, request that has not received a response.

8.- Regarding the information indicated by the claimant, IZA exclusively provided it to the
administrative procedure, in the exercise of the competence and control of the Entity
Public

9.- Regarding the use of the personal email of the complainant,
informs that its use derives from the previous referral by it for 2 years as
means of communicating with the company. Message headers are attached and
matters to corroborate it, and that in case of needing the contents they would be sent
to the Control Authority.

THIRD: On June 18, 2021, the Director of the Spanish Agency for
Data Protection agreed to accept for processing the claim presented by the party
claimant.

FOURTH: On October 13, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for the claimed party, with
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of article 5.1.c) of the RGPD, typified in the
Article 83.5 of the RGPD.

FIFTH: The aforementioned commencement agreement was notified, on October 25, 2021, the claimed
submitted a brief of allegations in which, in summary, it states that it has not revealed
personal information of the claimant to the Public Business Entity of
Housing-Donostiako Etxegintza.

He also expresses his confusion and asks this Agency to indicate what
Especially sensitive information has been processed.

And finally, he requests that the Donostia / San Sebastián City Council be required to
recording of the session incorporated into the session diary of the Development Commission
and Territory Planning dated December 9, 2020, where presumably
the data of the claimant were released and disclosed.


SIXTH: On October 27, 2021, the instructor of the procedure agreed to the
opening of a period of practical tests, taking as incorporated the


preliminary investigation actions, E / 02987/2021, as well as the documents
provided by the claimed.


SEVENTH: On October 31, 2021, a resolution proposal is issued
proposing that the Director of the Spanish Data Protection Agency sanction
to IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, for a violation of the
article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD, with a fine of
€ 50,000 (fifty thousand euros).


EIGHTH: On November 15, 2021, allegations are presented to said
motion for a resolution, reiterating the aforementioned allegations throughout
of the procedure and specifically states the following:

"The data of the claimant's personal email has not been disclosed, which is also
found legitimate for the transfer of data -even if there were categories of data
specially protected-, and that this whole procedure is unleashed by the leakage of
information produced from the Public Housing Business Entity-Donostiako
Etxegintza, its Board of Directors as well as from the Development and
Planning of the Territory of the Donostia / San Sebastián City Council. "


Of the actions carried out in this procedure and of the documentation
on record in the file, the following have been accredited:

                                PROVEN FACTS


FIRST: The claimant states that the claimed entity has disclosed data from
health of the claimant (specifically dates of medical leave, reasons, and leaves) to
another company, as well as your personal email address, and all without your
consent.


The claimed entity provided not only the absences, but also the dates of the
cancellations and permits with their respective causes, including COVID.

This is stated in the letter sent by the claimed entity to the Public Entity
Housing Business-Donostiako Etxegintza, on November 18, 2020, on record
in this file together with the documentation provided by the claimant in his writing
of claim.

SECOND: The claimed entity was required by the Public Business Entity of
Housing-Donostiako Etxegintza, to provide them with information regarding the
complaints filed by the claimant on July 14 and September 9, 2020 by
lack of assignment of human and material resources.

The claimed entity responded to this request by providing information
personal (personal email of the claimant, as well as dates of withdrawal
medical reasons, the causes of these, and permits) which came to the knowledge of the latter and
caused the present claim.




                             FOUNDATIONS OF LAW

                                              I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Data Protection Agency is competent to initiate and to
solve this procedure.


                                             II

The RGPD in its article 5, "Principles relating to treatment" says that "The data
personal will be:


a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness,
loyalty and transparency ”);

b) collected for specific, explicit and legitimate purposes, and will not be processed
subsequently in a manner incompatible with said purposes; in accordance with article 89,
section 1, the further processing of personal data for archiving purposes in
public interest, scientific and historical research purposes or statistical purposes are not
deemed incompatible with the original purposes ("purpose limitation");

c) adequate, relevant and limited to what is necessary in relation to the purposes for which
that they are processed ("data minimization");


d) accurate and, if necessary, up-to-date; all measures will be taken
reasonable so that the personal data that
are inaccurate with respect to the purposes for which they are processed ("accuracy");


e) maintained in a way that allows the identification of the interested parties during not
longer than necessary for the purposes of processing personal data; the
Personal data may be kept for longer periods provided that it is
treat exclusively for archival purposes in the public interest, research purposes
scientific or historical or statistical purposes, in accordance with article 89, paragraph 1,
without prejudice to the application of the appropriate technical and organizational measures that
imposes these Regulations in order to protect the rights and freedoms of the
data subject ("limitation of the conservation period");

f) treated in such a way as to guarantee adequate data security
personal data, including protection against unauthorized or illegal processing and against
its loss, destruction or accidental damage, through the application of technical measures
or appropriate organizational ("integrity and confidentiality").

2. The person responsible for the treatment will be responsible for compliance with the provisions
in section 1 and able to demonstrate it ('proactive responsibility'). "


The offense for which the claimed person is held liable is provided for in article 83.5.
of the RGPD that establishes:


"Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of
of a company, of an amount equivalent to a maximum of 4% of the volume of
total annual global business of the previous financial year, opting for the one with the highest
amount:

a) The basic principles for the treatment, including the conditions for the
consent in accordance with articles 5,6,7 and 9. "



In turn, the LOPDGDD in its article 72.1.a) qualifies as a very serious infringement, to
prescription effects, "a) The processing of personal data violating the
principles and guarantees established in article 5 of Regulation (EU) 2016/679. "


                                            III

In the present case, the claimant's personal data has been disclosed, such as the
personal email address and health data to the Public Entity
Housing Business-Donostiako Etxegintza, without the consent of the
claimant.

Although the claimed party is recognized legitimacy to send the data
necessary to defend against a sanctioning procedure or penalties
that could be imposed derived from the breach of a contract
administrative, it should not be forgotten that the RGPD includes health as a category of
specially protected personal data, in accordance with article 9.1 of the
RGPD, where the following is indicated:

“The processing of personal data that reveals the ethnic origin or
racial, political opinions, religious or philosophical convictions, or affiliation
union, and the treatment of genetic data, biometric data aimed at identifying
unequivocally to a natural person, data related to health or data related to
the sexual life or sexual orientation of a natural person ”.

In this sense, the claimed entity presents a written statement of allegations to the proposal
resolution indicating that in accordance with article 9.2 f) of the RGPD the data
Claimant's personal data were released for his defense against a claim.

It should be noted that the literal tenor of said precept is as follows:


"Section 1 will not apply when one of the circumstances occurs
following:

f) the treatment is necessary for the formulation, exercise or defense of
claims or when the courts act in the exercise of their judicial function; "


In this sense, it should be pointed out that although recital 52 of the
RGPD in fine establishes with respect to this exception that “it must also be authorized to
exceptional title the processing of said personal data when necessary
for the formulation, exercise or defense of claims, either by a

judicial procedure or an administrative or extrajudicial procedure ”; but nevertheless,
It must be taken into account that the use of health data, even when this
exception, it is not covered if it violates article 5.1.c) of the RGPD and the data
transferred are excessive in relation to the purpose, since the
need to specify all vacations, permits and, especially since they are data
health, casualties with their causes to seek their defense.

On the other hand, the claimed entity also alleges in its brief of allegations to the
motion for a resolution that evidence has been rejected by this body.


In this sense, it should be noted that this Agency has not rejected any evidence
presented by the claimed party, it has only been considered that with the
evidence in this procedure, it is not necessary to request the City Council of
Donostia / San Sebastián the recording of the session incorporated into the diary of sessions of
the Territory Planning and Development Commission dated December 9,
2020.

This is so because it has been proven that they have been transferred by the entity
claimed, health data of the claimant, specifically dates of medical leave,
reasons for the same and permissions, and therefore, the claimed entity has been
exceeding the processing of the personal data of the claimed party, even if it has
legitimacy for its internal use in its relations with the worker or claimant, but
you have no legitimacy to use them beyond your employment relationship with the claimant,
without your express consent.


In another vein, it has also been found that in response to the
requirement of the Public Housing Business Entity-Donostiako Etxegintza,
as a result of the complaints filed by the claimant on July 14 and July 9
September 2020 due to lack of assignment of human and material resources, the
claimed entity provided the claimant's email without having their
consent.

In this sense, the claimed entity claims to know the email of the
complainant, because it was the form of company-worker communication, so at the
facilitate the personal email of the claimant, to a third entity, has
exceeded the purpose for which said personal data was provided, thereby violating the
principle of purpose limitation, regulated in article 5.1 b) of the RGPD,
indicated in the foundation of law II.

Therefore, when the claimant's health data is transferred, (dates of medical leave,
reasons for the same and permits with their respective causes, including COVID) and the
personal email of the claimant, this Agency considers, on the one hand, that
are treating specially protected data, in accordance with article 9 of the
RGPD (health data), and on the other that personal data is being processed
(personal email) for a purpose other than mere communication between
the worker and the company, in accordance with article 5.1 b) of the RGPD.


All this results in an excessive use of personal data by the
claimed entity, since despite the fact that data protection regulations require that
the processing of personal data is adequate, pertinent and limited to what

strictly necessary in relation to the purposes for which they are processed, such as
consequence of the complaint filed by the claimant against the entity
claimed before the Public Housing Business Entity-Donostiako Etxegintza by
lack of assignment of human and material resources, the claimed entity has
violated the principle of data minimization, by providing said public entity
business for your defense, health data and personal email of the
claimant, which makes us face an alleged violation of the
article 5.1 c) of the RGPD, indicated in the basis of law II.


Therefore, it is considered convenient to reiterate that it is not considered necessary to require the
Donostia / San Sebastián City Council the contribution of the recording of the session
incorporated into the journal of sessions of the Development and Planning Commission of the
Territory dated December 9, 2020, as suggested by the claimed entity,
since with the documentation in this file, the
denounced events, which are ultimately an excess of personal data provided
by the claimed entity to justify its action, to the detriment of the
claimant, when processing especially sensitive data, and therefore especially
protected, such as health data, in accordance with the provisions of the
Article 9 of the RGPD.


                                           IV

Article 58.2 of the RGPD provides the following: “Each supervisory authority will have
of all of the following corrective powers listed below:


b) direct a warning to any person in charge or in charge of the treatment when the
treatment operations have infringed the provisions of this Regulation;

d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time;

i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;


                                           V

In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state:


"Each control authority will guarantee that the imposition of administrative fines
in accordance with this article for infringements of this Regulation
indicated in sections 4, 5 and 6 are effective in each individual case,
proportionate and dissuasive. "


"Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that
have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the person in charge or in charge of the treatment to
mitigate the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or the person in charge of the treatment,
taking into account the technical or organizational measures that have been applied by virtue of
of articles 25 and 32;


e) any previous infringement committed by the person in charge or the person in charge of the treatment;

 f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in
particular if the person in charge or the person in charge notified the infraction and, in such case, in what
measure;


i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or
indirectly, through the offense. "


Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, "Sanctions and
corrective measures", provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the
following may also be taken into account:

a) The continuing nature of the infringement.

b) The link between the offender's activity and the processing of personal data.

c) The benefits obtained as a result of the commission of the infringement.

d) The possibility that the affected person's conduct could have led to the commission of the
infringement.



e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.

f) The effect on the rights of minors.

g) Having a data protection officer when it is not mandatory.

h) The submission by the controller or processor, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are disputes between them and any data subject."


In accordance with the transcribed precepts, and without prejudice to what results from the
investigation of the procedure, for the purpose of setting the amount of the fine to be imposed
on IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, as the party responsible for an
infringement typified in article 83.5.a) of the RGPD, in an initial assessment the following
are considered to concur in the present case as aggravating factors:

- A special category of personal data has been processed, such as
health data, in accordance with article 9 of the RGPD.


Therefore, in accordance with the applicable legislation and having assessed the criteria for
the graduation of sanctions whose existence has been proven,
the Director of the Spanish Agency for Data Protection RESOLVES:


FIRST: IMPOSE on IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229,
for an infringement of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD,
a fine of €50,000 (fifty thousand euros).

SECOND: NOTIFY this resolution to IZA OBRAS Y PROMOCIONES, S.A.

THIRD: Warn the sanctioned party that it must pay the sanction imposed once this
resolution is enforceable, in accordance with the provisions of art. 98.1.b) of
Law 39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (hereinafter LPACAP), within the voluntary payment term
established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by depositing it, indicating the NIF of the sanctioned party and the
procedure number that appears in the heading of this document, in the restricted
account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish
Agency for Data Protection at the banking entity CAIXABANK, S.A. Otherwise,
it will be collected in the executive period.

Once the notification has been received and the resolution is enforceable, if the date of
enforceability falls between the 1st and the 15th of the month, both inclusive, the deadline
for voluntary payment will be the 20th of the following month or the immediately subsequent
business day, and if it falls between the 16th and the last day of the month, both inclusive,
the payment deadline will be the 5th of the second following month or the immediately
subsequent business day.



In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within one month
from the day after notification of this resolution, or directly file a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP,
the final resolution may be provisionally suspended in administrative proceedings if the
interested party expresses its intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact in
writing addressed to the Spanish Agency for Data Protection, presenting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/],
or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. The interested party must also send the Agency the
documentation that proves the effective filing of the contentious-administrative
appeal. If the Agency is not made aware of the filing of the contentious-administrative
appeal within a period of two months from the day following the
notification of this resolution, it will terminate the precautionary suspension.



Mar España Martí
Director of the Spanish Agency for Data Protection























