AEPD (Spain) - PS/00314/2021

From GDPRhub
Revision as of 15:10, 8 November 2021 by Laurap (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD (Spain) - PS/00314/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 37 GDPR
Article 83(4)(a) GDPR
Article 83(4)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 04.10.2021
Fine: None
Parties: AYUNTAMIENTO DE MOLINA DE SEGURA
National Case Number/Name: PS/00314/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The complainant has reported that the Ayuntamiento de Molina de Segura was lacking a DPO: at first the DPO duties were temporarily assigned to a specific person, then the DPO functions were not exercised anymore. The Spanish DPA clarified that public sector bodies and agencies are obliged (as per article 37 GDPR) to appoint a suitably qualified DPO, to provide him/her with the necessary means, and to notify the AEPD of the designation for their inclusion in the Public Register of DPOs.

English Summary

Facts

The Spanish DPA issued a reprimand on the municipality Ayuntamiento de Molina de Segura for lacking a DPO.

Holding

The Spanish DPA found that the Ayuntamiento de Molina de Segura did not have a DPO as requested by Article 37 GDPR. As a consequence, the AEPD issued a reprimand on the municipality.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/9








     Procedure No.: PS / 00314/2021

               RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                  BACKGROUND


FIRST: A.A.A. (hereinafter, the complaining party) dated December 21,
2020 filed a claim with the Spanish Data Protection Agency. The
claim is directed against MOLINA DE SEGURA CITY COUNCIL with NIF
P3002700G (hereinafter, the claimed part). The reasons on which the
claim are the following: that currently said Administration lacks

Data Protection Officer as required by data protection regulations.
The person who exercised the position and functions of DPD were attributed to him in a
temporary and for more than a year these functions have not been carried out
producing violation of rights.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transmitted to the claimed party, to
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements set forth in the regulations of

Data Protection.
There is no response from the claimed entity.

THIRD: On 06/17/2021 the Director of the Spanish Protection Agency
of Data agreed to admit to processing the claim presented by the complaining party.


FOURTH: On 09/22/2021, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged
infringement of article 37 of the RGPD, typified in article 83.4.a) RGPD,
considering that the sanction that could correspond would be of APERCIBIMENTO.


FIFTH: Notified the initiation agreement, the one claimed at the time of the present
resolution has not submitted a brief of allegations, so it is applicable
indicated in article 64 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations, which in its section f)
establishes that in case of not making allegations within the term provided on the

content of the initiation agreement, it may be considered a proposal for
resolution when it contains a precise pronouncement about the responsibility
imputed, for which a Resolution is issued.

SIXTH: Of the actions carried out in this proceeding, there have been
accredited the following:






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/9








                                PROVEN FACTS

FIRST: On 12/21/2020 the claimant has a written entry in the AEPD

stating that the complained party lacks a Data Protection Delegate and that the
person who held the position and functions of DPD were attributed to him in a
temporary and that for more than a year the functions of the
charge resulting in violation of rights.

SECOND: It is provided by the claimed Resolution No. 2018002623 issued by

the one claimed on 06/04/2018, on temporary assignment of functions, for a maximum term
one year extendable for another, corresponding to the data protection officer
established in art. 39 of the General Data Protection Regulation, (…), by
have the requisites, knowledge and skills necessary for the good
performance of these functions.


THIRD: The retirement resolution of 11/26/2019 of the person has been provided
that temporarily held the functions of DPD.


                           FOUNDATIONS OF LAW


                                            I
       By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in art. 47 of Organic Law 3/2018, of
December 5, Protection of Personal Data and guarantee of rights

digital (hereinafter LOPDGDD), the Director of the Spanish Agency for
Data Protection is competent to resolve this procedure.

                                           II
       Law 39/2015, of October 1, on the Common Administrative Procedure of

the Public Administrations, in its article 64 “Agreement of initiation in the
procedures of a sanctioning nature ”, provides:

       "1. The initiation agreement will be communicated to the instructor of the procedure, with
transfer of how many actions exist in this regard, and the interested parties will be notified,
understanding in any case the accused as such.

       Likewise, the initiation will be communicated to the complainant when the regulations
regulations of the procedure provide for it.

       2. The initiation agreement must contain at least:
       a) Identification of the person or persons allegedly responsible.

       b) The facts that motivate the initiation of the procedure, its possible
       qualification and the sanctions that may correspond, without prejudice to what
       result of the instruction.
       c) Identification of the instructor and, where appropriate, Secretary of the procedure, with
       express indication of the regime of challenge of the same.

       d) Competent body for the resolution of the procedure and regulation that
       attributes such competence, indicating the possibility that the alleged
       responsible can voluntarily acknowledge their responsibility, with the
       effects provided for in article 85.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/9








       e) Provisional measures that have been agreed by the body
       competent to initiate the sanctioning procedure, without prejudice to those that
       can be adopted during the same in accordance with article 56.

       f) Indication of the right to make allegations and to the hearing in the
       procedure and the deadlines for its exercise, as well as an indication that, in
       case of not making allegations within the term provided on the content of the
       initiation agreement, this may be considered a resolution proposal
       when it contains a precise statement about liability
       charged.


       3. Exceptionally, when at the time of issuing the initiation agreement
there are not enough elements for the initial qualification of the facts that motivate
the initiation of the procedure, the aforementioned qualification may be carried out in a phase
later by preparing a Statement of Charges, which must be notified to

the interested".

       In application of the previous precept and taking into account that they have not
formulated allegations to the initiation agreement, it is necessary to resolve the procedure initiated.



                                            III
       The denounced facts materialize in that the defendant lacks a DPD
in contradiction with what is indicated and required by the data protection regulations.

       Article 58.2 of the RGPD establishes that “Each control authority shall have

of all of the following corrective powers listed below:

       (...)
       b) punish any person in charge or in charge of treatment with
awareness

       when the processing operations have infringed the provisions of the
       these Regulations;
       (...)
       d) order the person in charge of the treatment that the operations of
       treatment comply with the provisions of this Regulation, when
       proceed, in a certain way and within a specified timeframe;

       (...)

       It should be noted that the Public Administrations act as responsible
of the processing of personal data and, on occasions, exercise functions of
those in charge of the treatment so, following the principle of responsibility

proactively, they are responsible for meeting the obligations detailed in the RGPD, among which
includes appointing a data protection officer, making your data public
contact and communicate them to the AEPD (article 37 RGPD).

       Article 37 RGPD, paragraphs 1 and 7 refer to these obligations and

establish, respectively:

       "1. The person in charge and the person in charge of the treatment will designate a delegate of
data protection provided that:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/9








       a) the treatment is carried out by a public authority or body, except those
       courts that act in the exercise of their judicial function; ”.
       (…)


       "7. The person in charge or the person in charge of treatment will publish the data of
Contact
of the data protection officer and will communicate them to the control authority. "

       On the appointment of the data protection officer, sections 3 and 5

of article 37 of the RGPD state that:

       "3. When the person in charge or the person in charge of the treatment is an authority or
public body, a single data protection delegate may be appointed to
several of these authorities or bodies, taking into account their structure

organizational and size ”.

       "5. The data protection officer may be part of the staff of the
controller or processor or perform their functions within the framework
of a service contract. "


       For its part, the LOPDGDD dedicates article 34 to the “Designation of a
data protection officer ”, provision that provides:

       "1. Those responsible and in charge of the treatment must designate a
data protection officer in the cases provided for in article 37.1 of the

Regulation (EU) 2016/679 and (...) "
       (…)
       "3. Those responsible and in charge of the treatment will communicate within the period of
ten days to the Spanish Data Protection Agency or, where appropriate, to the
Autonomous data protection authorities, the designations, appointments and

terminations of the data protection delegates both in the cases in which
are obliged to their designation as in the case in which it is voluntary ”.

                                           IV
       The organs and agencies of the Public Sector are obliged to designate a
DPD that has the due qualification, to guarantee the necessary means

for the exercise of its functions and to notify the designation to the AEPD for its
inclusion in the Public Registry of DPD.

       The DPO will perform its functions paying due attention to the risks
associated with treatment operations, taking into account the nature, the

scope, context and purposes of the treatment.

       The DPD has no personal responsibility, for this mere fact, for the
possible data protection infringements committed by your
organization.


       The DPD of the Public Sector body or body must receive the
claims addressed to them by the companies, when they choose this route before


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/9








file a claim with the AEPD, and communicate the decision taken to the
administered within a maximum period of two months.
       Likewise, the DPD must receive the claims that the AEPD decides

transfer you prior to the initiation of a sanctioning file. The delegate
must communicate the decision taken to the company and the AEPD within the maximum term
of one month.
       In this way, in general, if the DPO achieves that the person responsible
resolve the claim by either of these two ways, and without prejudice to the fact that the
The interested party later goes to the AEPD, a file of

declaration of infringement of that Public Administration.

                                            V
       Article 83.5 b) of the RGPD, considers that the infringement of “the obligations
of the person in charge and the person in charge in accordance with articles 8, 11, 25 to 39, 42 and 43 ”, is

punishable, in accordance with section 4 of the aforementioned article 83 of the aforementioned
Regulation, “with administrative fines of 10,000,000 EUR maximum or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount ”.


       The LOPDGDD in its article 71, Infractions, states that:

       “The acts and conducts referred to in the
paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that
are contrary to this organic law ”.


       The LOPDGDD indicates in article 73, "Violations considered serious":

       "Based on the provisions of article 83.4 of Regulation (EU) 2016/679
are considered serious and will prescribe after two years the infractions that suppose a

substantial violation of the articles mentioned therein and, in particular, the
following:

       (...)
       v) Failure to comply with the obligation to designate a delegate for the protection of
       data when their appointment is required in accordance with article 37 of the

       Regulation (EU) 2016/679 and article 34 of this organic law. "

                                           SAW
       On the other hand, article 83.7 of the RGPD, which indicates that “Without prejudice to the
corrective powers of the supervisory authorities pursuant to Article 58 (2),

Each Member State may lay down rules on whether and to what extent,
impose administrative fines on public authorities and bodies established in
said Member State ”.

       In accordance with this authorization granted by the RGPD, the LOPDGDD has

provided in its article 77, “Regime applicable to certain categories of
responsible or data controller ", the following:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/9








       "1. The regime established in this article will be applied to the treatments
of those who are responsible or in charge:


       a) The constitutional bodies or those with constitutional relevance and the
       institutions of the autonomous communities analogous to them.
       b) The jurisdictional bodies.
       c) The General State Administration, the Administrations of the
       autonomous communities and the entities that make up the Local Administration.
       d) Public bodies and public law entities linked to or

       dependent on Public Administrations.
       e) The independent administrative authorities.
       f) The Bank of Spain.
       g) Public law corporations when the purposes of the treatment
       are related to the exercise of powers of public law.

       h) Public sector foundations.
       i) Public Universities.
       j) Consortia.
       k) The parliamentary groups of the Cortes Generales and the Assemblies
       Legislative autonomic, as well as the political groups of the Corporations
       Local.


       2. When the managers or managers listed in section 1
commit any of the offenses referred to in articles 72 to 74 of
this organic law, the competent data protection authority will dictate
resolution sanctioning them with warning. The resolution will establish

Likewise, the measures to be adopted to stop the behavior or to correct it
the effects of the offense that had been committed.

       The resolution will be notified to the person in charge of the treatment, at
body on which it depends hierarchically, where appropriate, and those affected who have

the condition of interested party, if applicable.

       3. Without prejudice to the provisions of the previous section, the authority of
data protection will also propose the initiation of disciplinary actions
when there is sufficient evidence to do so. In this case, the procedure and
Sanctions to be applied will be those established in the legislation on disciplinary regime

or sanctioner that results from application.

       Likewise, when the infractions are attributable to authorities and managers,
and the existence of technical reports or recommendations for treatment is accredited
that had not been duly attended to, in the resolution imposing the

The sanction will include a reprimand with the name of the responsible position and
will order the publication in the Official Gazette of the State or Autonomous
corresponds.

       4. The data protection authority must be notified of the

resolutions that fall in relation to the measures and actions to which they refer
the previous sections.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/9








       5. They will be communicated to the Ombudsman or, where appropriate, to the institutions
analogous of the autonomous communities the actions carried out and the

Resolutions issued under this article.

       6. When the competent authority is the Spanish Agency for the Protection of
Data, it will publish on its website with due separation the resolutions
referring to the entities of section 1 of this article, with express indication of the

identity of the person in charge or in charge of the treatment that had committed the
infringement.

       When the competence corresponds to an autonomous protection authority
of data will be, in terms of the publicity of these resolutions, to what is available

its specific regulations ”(the underlining corresponds to the AEPD).

       In accordance with the available evidence, the conduct of the
claimed constitutes an infringement of the provisions of article 37 of the RGPD.


       It should be noted that the RGPD and without prejudice to what is established in its article
83, contemplates in its article 77 the possibility of resorting to the sanction of warning
to correct the processing of personal data that does not suit their
provisions, when the managers or managers listed in section 1
commit any of the offenses referred to in articles 72 to 74 of

this organic law.

       Likewise, it is contemplated that the resolution issued will establish the measures
that is appropriate to adopt so that the conduct ceases, the effects of the offense are corrected
that had been committed and its adaptation to the requirements contemplated in the

Articles 37 of the RGPD, as well as the contribution of supporting means of the
compliance with what is required.

       In this sense, article 58.2 d) of the RGPD, states that each
control authority may “order the person in charge of the treatment to

the processing operations are in accordance with the provisions of this
Regulation, where appropriate, in a certain way and within a period of time
specified […] ”.



















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/9








       The defendant is obliged in accordance with the provisions of article 37
of the RGPD to appoint a DPD since the treatment is carried out by an authority or
public organization. The modality of their hiring, appointment and employment relationship

is very broad, you can choose the most appropriate for your specific situation.

       Consequently, the defendant breaches the obligation established in article
37 of the RGPD and sanctioned in article 83.4.a) thereof.

       Therefore, in accordance with the applicable legislation and assessed the criteria of

graduation of sanctions whose existence has been proven,

       The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE MOLINA DE SEGURA CITY COUNCIL, with NIF

P3002700G, for a violation of Article 37 of the RGPD, typified in Article 83.4
of the RGPD, a warning sanction.

SECOND: REQUEST MOLINA DE SEGURA CITY COUNCIL, with NIF
P3002700G.


1. The appointment of the Data Protection Delegate.

You must inform this Agency within a month from the notification
of this Resolution.


THIRD: NOTIFY this resolution to the CITY COUNCIL OF MOLINA DE
SEGURA, with NIF P3002700G.

FOURTH: COMMUNICATE this resolution to the Ombudsman, of
in accordance with the provisions of article 77.5 of the LOPDGDD.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/9









writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the

cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency is not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the

notification of this resolution would terminate the precautionary suspension.


                                                                          Mar Spain Martí

                                                                     Director of the AEPD,
 P.O. the Deputy Director General of Data Inspection, Olga Pérez Sanjuan, Resolution
                                                                                   10/4/2021















































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es