AEPD (Spain) - PS/00314/2021
|AEPD (Spain) - PS/00314/2021|
|Relevant Law:||Article 37 GDPR|
Article 83(4)(a) GDPR
Article 83(4)(a) GDPR
|Parties:||AYUNTAMIENTO DE MOLINA DE SEGURA|
|National Case Number/Name:||PS/00314/2021|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA issued a reprimand on the municipality Ayuntamiento de Molina de Segura for lacking a DPO.
The complainant has reported that the Ayuntamiento de Molina de Segura was lacking a DPO: at first the DPO duties were temporarily assigned to a specific person, then the DPO functions were not exercised anymore. The Spanish DPA clarified that public sector bodies and agencies are obliged (as per article 37 GDPR) to appoint a suitably qualified DPO, to provide him/her with the necessary means, and to notify the AEPD of the designation for their inclusion in the Public Register of DPOs.
The Spanish DPA found that the Ayuntamiento de Molina de Segura did not have a DPO as requested by Article 37 GDPR. As a consequence, the AEPD issued a reprimand on the municipality.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/9 Procedure No.: PS / 00314/2021 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated December 21, 2020 filed a claim with the Spanish Data Protection Agency. The claim is directed against MOLINA DE SEGURA CITY COUNCIL with NIF P3002700G (hereinafter, the claimed part). The reasons on which the claim are the following: that currently said Administration lacks Data Protection Officer as required by data protection regulations. The person who exercised the position and functions of DPD were attributed to him in a temporary and for more than a year these functions have not been carried out producing violation of rights. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transmitted to the claimed party, to to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the regulations of Data Protection. There is no response from the claimed entity. THIRD: On 06/17/2021 the Director of the Spanish Protection Agency of Data agreed to admit to processing the claim presented by the complaining party. FOURTH: On 09/22/2021, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged infringement of article 37 of the RGPD, typified in article 83.4.a) RGPD, considering that the sanction that could correspond would be of APERCIBIMENTO. FIFTH: Notified the initiation agreement, the one claimed at the time of the present resolution has not submitted a brief of allegations, so it is applicable indicated in article 64 of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations, which in its section f) establishes that in case of not making allegations within the term provided on the content of the initiation agreement, it may be considered a proposal for resolution when it contains a precise pronouncement about the responsibility imputed, for which a Resolution is issued. SIXTH: Of the actions carried out in this proceeding, there have been accredited the following: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/9 PROVEN FACTS FIRST: On 12/21/2020 the claimant has a written entry in the AEPD stating that the complained party lacks a Data Protection Delegate and that the person who held the position and functions of DPD were attributed to him in a temporary and that for more than a year the functions of the charge resulting in violation of rights. SECOND: It is provided by the claimed Resolution No. 2018002623 issued by the one claimed on 06/04/2018, on temporary assignment of functions, for a maximum term one year extendable for another, corresponding to the data protection officer established in art. 39 of the General Data Protection Regulation, (…), by have the requisites, knowledge and skills necessary for the good performance of these functions. THIRD: The retirement resolution of 11/26/2019 of the person has been provided that temporarily held the functions of DPD. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in art. 47 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of rights digital (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to resolve this procedure. II Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, in its article 64 “Agreement of initiation in the procedures of a sanctioning nature ”, provides: "1. The initiation agreement will be communicated to the instructor of the procedure, with transfer of how many actions exist in this regard, and the interested parties will be notified, understanding in any case the accused as such. Likewise, the initiation will be communicated to the complainant when the regulations regulations of the procedure provide for it. 2. The initiation agreement must contain at least: a) Identification of the person or persons allegedly responsible. b) The facts that motivate the initiation of the procedure, its possible qualification and the sanctions that may correspond, without prejudice to what result of the instruction. c) Identification of the instructor and, where appropriate, Secretary of the procedure, with express indication of the regime of challenge of the same. d) Competent body for the resolution of the procedure and regulation that attributes such competence, indicating the possibility that the alleged responsible can voluntarily acknowledge their responsibility, with the effects provided for in article 85. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/9 e) Provisional measures that have been agreed by the body competent to initiate the sanctioning procedure, without prejudice to those that can be adopted during the same in accordance with article 56. f) Indication of the right to make allegations and to the hearing in the procedure and the deadlines for its exercise, as well as an indication that, in case of not making allegations within the term provided on the content of the initiation agreement, this may be considered a resolution proposal when it contains a precise statement about liability charged. 3. Exceptionally, when at the time of issuing the initiation agreement there are not enough elements for the initial qualification of the facts that motivate the initiation of the procedure, the aforementioned qualification may be carried out in a phase later by preparing a Statement of Charges, which must be notified to the interested". In application of the previous precept and taking into account that they have not formulated allegations to the initiation agreement, it is necessary to resolve the procedure initiated. III The denounced facts materialize in that the defendant lacks a DPD in contradiction with what is indicated and required by the data protection regulations. Article 58.2 of the RGPD establishes that “Each control authority shall have of all of the following corrective powers listed below: (...) b) punish any person in charge or in charge of treatment with awareness when the processing operations have infringed the provisions of the these Regulations; (...) d) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, when proceed, in a certain way and within a specified timeframe; (...) It should be noted that the Public Administrations act as responsible of the processing of personal data and, on occasions, exercise functions of those in charge of the treatment so, following the principle of responsibility proactively, they are responsible for meeting the obligations detailed in the RGPD, among which includes appointing a data protection officer, making your data public contact and communicate them to the AEPD (article 37 RGPD). Article 37 RGPD, paragraphs 1 and 7 refer to these obligations and establish, respectively: "1. The person in charge and the person in charge of the treatment will designate a delegate of data protection provided that: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/9 a) the treatment is carried out by a public authority or body, except those courts that act in the exercise of their judicial function; ”. (…) "7. The person in charge or the person in charge of treatment will publish the data of Contact of the data protection officer and will communicate them to the control authority. " On the appointment of the data protection officer, sections 3 and 5 of article 37 of the RGPD state that: "3. When the person in charge or the person in charge of the treatment is an authority or public body, a single data protection delegate may be appointed to several of these authorities or bodies, taking into account their structure organizational and size ”. "5. The data protection officer may be part of the staff of the controller or processor or perform their functions within the framework of a service contract. " For its part, the LOPDGDD dedicates article 34 to the “Designation of a data protection officer ”, provision that provides: "1. Those responsible and in charge of the treatment must designate a data protection officer in the cases provided for in article 37.1 of the Regulation (EU) 2016/679 and (...) " (…) "3. Those responsible and in charge of the treatment will communicate within the period of ten days to the Spanish Data Protection Agency or, where appropriate, to the Autonomous data protection authorities, the designations, appointments and terminations of the data protection delegates both in the cases in which are obliged to their designation as in the case in which it is voluntary ”. IV The organs and agencies of the Public Sector are obliged to designate a DPD that has the due qualification, to guarantee the necessary means for the exercise of its functions and to notify the designation to the AEPD for its inclusion in the Public Registry of DPD. The DPO will perform its functions paying due attention to the risks associated with treatment operations, taking into account the nature, the scope, context and purposes of the treatment. The DPD has no personal responsibility, for this mere fact, for the possible data protection infringements committed by your organization. The DPD of the Public Sector body or body must receive the claims addressed to them by the companies, when they choose this route before C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/9 file a claim with the AEPD, and communicate the decision taken to the administered within a maximum period of two months. Likewise, the DPD must receive the claims that the AEPD decides transfer you prior to the initiation of a sanctioning file. The delegate must communicate the decision taken to the company and the AEPD within the maximum term of one month. In this way, in general, if the DPO achieves that the person responsible resolve the claim by either of these two ways, and without prejudice to the fact that the The interested party later goes to the AEPD, a file of declaration of infringement of that Public Administration. V Article 83.5 b) of the RGPD, considers that the infringement of “the obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 to 39, 42 and 43 ”, is punishable, in accordance with section 4 of the aforementioned article 83 of the aforementioned Regulation, “with administrative fines of 10,000,000 EUR maximum or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount ”. The LOPDGDD in its article 71, Infractions, states that: “The acts and conducts referred to in the paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law ”. The LOPDGDD indicates in article 73, "Violations considered serious": "Based on the provisions of article 83.4 of Regulation (EU) 2016/679 are considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (...) v) Failure to comply with the obligation to designate a delegate for the protection of data when their appointment is required in accordance with article 37 of the Regulation (EU) 2016/679 and article 34 of this organic law. " SAW On the other hand, article 83.7 of the RGPD, which indicates that “Without prejudice to the corrective powers of the supervisory authorities pursuant to Article 58 (2), Each Member State may lay down rules on whether and to what extent, impose administrative fines on public authorities and bodies established in said Member State ”. In accordance with this authorization granted by the RGPD, the LOPDGDD has provided in its article 77, “Regime applicable to certain categories of responsible or data controller ", the following: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/9 "1. The regime established in this article will be applied to the treatments of those who are responsible or in charge: a) The constitutional bodies or those with constitutional relevance and the institutions of the autonomous communities analogous to them. b) The jurisdictional bodies. c) The General State Administration, the Administrations of the autonomous communities and the entities that make up the Local Administration. d) Public bodies and public law entities linked to or dependent on Public Administrations. e) The independent administrative authorities. f) The Bank of Spain. g) Public law corporations when the purposes of the treatment are related to the exercise of powers of public law. h) Public sector foundations. i) Public Universities. j) Consortia. k) The parliamentary groups of the Cortes Generales and the Assemblies Legislative autonomic, as well as the political groups of the Corporations Local. 2. When the managers or managers listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this organic law, the competent data protection authority will dictate resolution sanctioning them with warning. The resolution will establish Likewise, the measures to be adopted to stop the behavior or to correct it the effects of the offense that had been committed. The resolution will be notified to the person in charge of the treatment, at body on which it depends hierarchically, where appropriate, and those affected who have the condition of interested party, if applicable. 3. Without prejudice to the provisions of the previous section, the authority of data protection will also propose the initiation of disciplinary actions when there is sufficient evidence to do so. In this case, the procedure and Sanctions to be applied will be those established in the legislation on disciplinary regime or sanctioner that results from application. Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for treatment is accredited that had not been duly attended to, in the resolution imposing the The sanction will include a reprimand with the name of the responsible position and will order the publication in the Official Gazette of the State or Autonomous corresponds. 4. The data protection authority must be notified of the resolutions that fall in relation to the measures and actions to which they refer the previous sections. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/9 5. They will be communicated to the Ombudsman or, where appropriate, to the institutions analogous of the autonomous communities the actions carried out and the Resolutions issued under this article. 6. When the competent authority is the Spanish Agency for the Protection of Data, it will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, with express indication of the identity of the person in charge or in charge of the treatment that had committed the infringement. When the competence corresponds to an autonomous protection authority of data will be, in terms of the publicity of these resolutions, to what is available its specific regulations ”(the underlining corresponds to the AEPD). In accordance with the available evidence, the conduct of the claimed constitutes an infringement of the provisions of article 37 of the RGPD. It should be noted that the RGPD and without prejudice to what is established in its article 83, contemplates in its article 77 the possibility of resorting to the sanction of warning to correct the processing of personal data that does not suit their provisions, when the managers or managers listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this organic law. Likewise, it is contemplated that the resolution issued will establish the measures that is appropriate to adopt so that the conduct ceases, the effects of the offense are corrected that had been committed and its adaptation to the requirements contemplated in the Articles 37 of the RGPD, as well as the contribution of supporting means of the compliance with what is required. In this sense, article 58.2 d) of the RGPD, states that each control authority may “order the person in charge of the treatment to the processing operations are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a period of time specified […] ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/9 The defendant is obliged in accordance with the provisions of article 37 of the RGPD to appoint a DPD since the treatment is carried out by an authority or public organization. The modality of their hiring, appointment and employment relationship is very broad, you can choose the most appropriate for your specific situation. Consequently, the defendant breaches the obligation established in article 37 of the RGPD and sanctioned in article 83.4.a) thereof. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE MOLINA DE SEGURA CITY COUNCIL, with NIF P3002700G, for a violation of Article 37 of the RGPD, typified in Article 83.4 of the RGPD, a warning sanction. SECOND: REQUEST MOLINA DE SEGURA CITY COUNCIL, with NIF P3002700G. 1. The appointment of the Data Protection Delegate. You must inform this Agency within a month from the notification of this Resolution. THIRD: NOTIFY this resolution to the CITY COUNCIL OF MOLINA DE SEGURA, with NIF P3002700G. FOURTH: COMMUNICATE this resolution to the Ombudsman, of in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/9 writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency is not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the AEPD, P.O. the Deputy Director General of Data Inspection, Olga Pérez Sanjuan, Resolution 10/4/2021 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es