AEPD (Spain) - PS/00324/2021

| Relevant Law: | Article 5(1)(c) GDPR; Article 5(1)(b) GDPR |
| Parties: | IZA OBRAS Y PROMOCIONES, S.A. |
| National Case Number/Name: | PS/00324/2021 |
| European Case Law Identifier: | n/a |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Carmen Villarroel |
The Spanish DPA fined a controller €50,000 for sharing the health data of one of its workers in the course of an administrative procedure, in breach of the minimization principle, since those personal data were not strictly necessary for its defence in the procedure.
English Summary

Facts
A worker filed a complaint against their employer (a construction company) before the Spanish DPA (AEPD). The data subject claimed that the company had shared with a public housing business entity data concerning their medical leaves and the reasons for them, including COVID-19 data, as well as their personal email address.
The controller argued that it had shared those personal data in the course of an administrative procedure brought against the company.
Holding
The Spanish DPA first noted that health data fall under the special categories of personal data in Article 9 GDPR. According to the AEPD, even if the controller may have relied on the exemption in Article 9(2)(f) GDPR, since the data were shared in the course of an administrative procedure against the company, the general data protection principles of Article 5 GDPR still had to be complied with.
According to the DPA, the controller did not take the minimization principle into account, since the company did not need to share all of the data subject's personal data that it disclosed during the proceedings, especially given the nature of health data. Even if the controller was entitled to process such data internally, it should not have disclosed them to a third party without the express consent of the data subject.
Additionally, the DPA remarked that the company should not have shared the worker's email address either, since it had been collected for the sole purpose of communicating with the worker; sharing it with third parties therefore infringed the purpose limitation principle.
Therefore, the DPA determined that the controller had infringed Article 5(1)(c) GDPR and fined the controller €50,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00324/2021

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on February 16, 2021. The claim is directed against IZA OBRAS Y PROMOCIONES, S.A. with NIF A48820229 (hereinafter, the claimed party). The reason on which the claim is based is that the claimed entity has disclosed health data of the claimant to another company, as well as their personal email address, all without the consent of the claimant.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on March 16, 2021 said claim was transferred to the claimed party, so that it could analyse it and inform this Agency, within one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations. On April 13, 2021, a written response was received at this Agency stating the following:

1.- On November 14, 2018, the Public Housing Business Entity-Donostiako Etxegintza awarded IZA a construction works contract in Intxaurrondo.

2.- The claimant, an IZA employee, works on said project, temporarily performing the function of project manager.

3.- The claimant, while maintaining his status as an employee, reported IZA to the Public Housing Business Entity-Donostiako Etxegintza on July 14 and September 2020 due to, among other things, a lack of assignment of human and material resources.

4.- In exercise of its power of control, the Public Housing Business Entity-Donostiako Etxegintza required IZA, in accordance with article 55 of Law 39/2015 on the Common Administrative Procedure of Public Administrations, to provide information regarding the complaints filed.
5.- Upon receiving said communication, and in compliance with its obligation to collaborate with the Administration, IZA stated the relevant facts that would explain the lack of assignment of material and human resources to the work, answering the claimant's complaints. This included information about the claimant, the referral of which was justified by compliance with a legal obligation (Law 39/2015) as well as by the prerogatives of Law 9/2017 on public sector contracts.

C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es

6.- The submission of said information was considered confidential, following the channels of the Electronic Entry Registry, in accordance with the Law. The information held by the Public Housing Business Entity-Donostiako Etxegintza, outside IZA's protection channels, reached the claimant, as stated in his complaint.

7.- As a result, the breach protocol was activated; no data leak was detected from IZA, and clarification in this regard was requested from the Public Housing Business Entity-Donostiako Etxegintza, a request that has not received a response.

8.- Regarding the information indicated by the claimant, IZA provided it exclusively to the administrative procedure, in the exercise of the competence and control of the Public Entity.

9.- Regarding the use of the complainant's personal email, IZA states that its use derives from the claimant himself having provided it, for 2 years, as the means of communicating with the company. Message headers and subjects are attached to corroborate this, and should the contents be needed they would be sent to the Supervisory Authority.

THIRD: On June 18, 2021, the Director of the Spanish Data Protection Agency agreed to accept for processing the claim presented by the complaining party.
FOURTH: On October 13, 2021, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD.

FIFTH: The aforementioned commencement agreement having been notified, on October 25, 2021 the claimed party submitted a brief of allegations in which, in summary, it states that it has not revealed personal information of the claimant to the Public Housing Business Entity-Donostiako Etxegintza. It also expresses its confusion and asks this Agency to indicate what especially sensitive information has been processed. Finally, it requests that the Donostia / San Sebastián City Council be required to provide the recording of the session incorporated into the session diary of the Development and Territory Planning Commission dated December 9, 2020, where the claimant's data were presumably released and disclosed.

SIXTH: On October 27, 2021, the instructor of the procedure agreed to open a period for the taking of evidence, incorporating the preliminary investigation actions, E/02987/2021, as well as the documents provided by the claimed party.

SEVENTH: On October 31, 2021, a proposed resolution was issued proposing that the Director of the Spanish Data Protection Agency sanction IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, for a violation of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD, with a fine of €50,000 (fifty thousand euros).
EIGHTH: On November 15, 2021, allegations were presented against said proposed resolution, reiterating the allegations made throughout the procedure and specifically stating the following: "The data of the claimant's personal email has not been disclosed, which is also found legitimate for the transfer of data -even if there were categories of data specially protected-, and that this whole procedure is unleashed by the leakage of information produced from the Public Housing Business Entity-Donostiako Etxegintza, its Board of Directors as well as from the Development and Planning of the Territory of the Donostia / San Sebastián City Council."

From the actions carried out in this procedure and the documentation contained in the file, the following have been accredited:

PROVEN FACTS

FIRST: The claimant states that the claimed entity has disclosed his health data (specifically dates of medical leave, reasons, and leaves) to another company, as well as his personal email address, all without his consent. The claimed entity provided not only the absences, but also the dates of the leaves and permits with their respective causes, including COVID. This is stated in the letter sent by the claimed entity to the Public Housing Business Entity-Donostiako Etxegintza on November 18, 2020, contained in this file together with the documentation provided by the claimant in his claim.

SECOND: The claimed entity was required by the Public Housing Business Entity-Donostiako Etxegintza to provide it with information regarding the complaints filed by the claimant on July 14 and September 9, 2020 for lack of assignment of human and material resources. The claimed entity responded to this request by providing personal information (the claimant's personal email, as well as dates of medical leave, the causes of these, and permits), which came to the knowledge of the latter and gave rise to the present claim.
FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each supervisory authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II

The RGPD, in its article 5, "Principles relating to processing", says that:

"1. Personal data shall be:

a) processed in a lawful, fair and transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

b) collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes; in accordance with article 89(1), further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes ("purpose limitation");

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");

d) accurate and, where necessary, kept up to date; every reasonable measure shall be taken regarding personal data that are inaccurate with respect to the purposes for which they are processed ("accuracy");

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing of the personal data; personal data may be stored for longer periods insofar as they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with article 89(1), subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");

f) processed in such a way as
to guarantee adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organisational measures ("integrity and confidentiality").

2. The controller shall be responsible for compliance with the provisions of section 1 and be able to demonstrate it ("accountability")."

The offence for which the claimed party is held liable is provided for in article 83.5 of the RGPD, which establishes:

"Infringements of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent, pursuant to articles 5, 6, 7 and 9."

In turn, the LOPDGDD in its article 72.1.a) qualifies as a very serious infringement, for the purposes of prescription, "a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679."

III

In the present case, the claimant's personal data, namely his personal email address and health data, have been disclosed to the Public Housing Business Entity-Donostiako Etxegintza without the consent of the claimant.
Although the claimed party is recognised as having legitimacy to send the data necessary to defend itself against a sanctioning procedure or penalties that could be imposed as a result of the breach of an administrative contract, it should not be forgotten that the RGPD includes health as a category of specially protected personal data, in accordance with article 9.1 of the RGPD, where the following is indicated: "The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation". In this sense, the claimed entity presents a written statement of allegations to the proposed resolution indicating that, in accordance with article 9.2 f) of the RGPD, the claimant's personal data were released for its defence against a claim.
It should be noted that the literal wording of said precept is as follows: "Paragraph 1 shall not apply if one of the following applies: f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;"

In this sense, it should be pointed out that, although recital 52 of the RGPD in fine establishes with respect to this exception that "a derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure", it must nevertheless be taken into account that the use of health data, even under this exception, is not covered if it violates article 5.1.c) of the RGPD and the data transferred are excessive in relation to the purpose, since specifying all vacations, permits and, especially since they are health data, medical leaves with their causes was not necessary in order to seek its defence.

On the other hand, the claimed entity also alleges in its brief of allegations to the proposed resolution that evidence has been rejected by this body. In this sense, it should be noted that this Agency has not rejected any evidence presented by the claimed party; it has only considered that, with the evidence in this procedure, it is not necessary to request from the Donostia / San Sebastián City Council the recording of the session incorporated into the diary of sessions of the Territory Planning and Development Commission dated December 9, 2020.
This is so because it has been proven that the claimed entity transferred health data of the claimant, specifically dates of medical leave, the reasons for them and permits, and therefore the claimed entity has exceeded the processing of the claimant's personal data: even if it has legitimacy for their internal use in its relations with the worker or claimant, it has no legitimacy to use them beyond its employment relationship with the claimant without his express consent.

In another vein, it has also been found that, in response to the requirement of the Public Housing Business Entity-Donostiako Etxegintza arising from the complaints filed by the claimant on July 14 and September 9, 2020 due to lack of assignment of human and material resources, the claimed entity provided the claimant's email without having his consent. In this sense, the claimed entity claims to know the complainant's email because it was the form of company-worker communication, so by providing the claimant's personal email to a third entity it has exceeded the purpose for which said personal data was provided, thereby violating the principle of purpose limitation, regulated in article 5.1 b) of the RGPD, indicated in foundation of law II.

Therefore, when the claimant's health data (dates of medical leave, the reasons for them and permits with their respective causes, including COVID) and the claimant's personal email are transferred, this Agency considers, on the one hand, that specially protected data are being processed, in accordance with article 9 of the RGPD (health data), and on the other that personal data (personal email) are being processed for a purpose other than mere communication between the worker and the company, in accordance with article 5.1 b) of the RGPD.
All this results in an excessive use of personal data by the claimed entity: despite the fact that data protection regulations require that the processing of personal data be adequate, relevant and limited to what is strictly necessary in relation to the purposes for which they are processed, as a consequence of the complaint filed by the claimant against the claimed entity before the Public Housing Business Entity-Donostiako Etxegintza for lack of assignment of human and material resources, the claimed entity has violated the principle of data minimisation by providing said public business entity, for its defence, with health data and the personal email of the claimant, which places us before an alleged violation of article 5.1 c) of the RGPD, indicated in foundation of law II.

Therefore, it is considered appropriate to reiterate that it is not considered necessary to require the Donostia / San Sebastián City Council to provide the recording of the session incorporated into the journal of sessions of the Development and Territory Planning Commission dated December 9, 2020, as suggested by the claimed entity, since the documentation in this file already proves the reported events, which are ultimately an excess of personal data provided by the claimed entity to justify its action, to the detriment of the claimant, when processing especially sensitive data, and therefore especially protected data, such as health data, in accordance with the provisions of article 9 of the RGPD.
IV

Article 58.2 of the RGPD provides the following: "Each supervisory authority shall have all of the following corrective powers:

b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

i) to impose an administrative fine pursuant to article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;"

V

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, which state:

"Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive."

"Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in article 58(2), letters a) to h) and j).
When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given to the following:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentional or negligent character of the infringement;

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to articles 25 and 32;

e) any relevant previous infringements by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

i) where measures referred to in article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

j) adherence to approved codes of conduct pursuant to article 40 or approved certification mechanisms pursuant to article 42; and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."
" Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures ”, provides: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also may be taken into account: a) The continuing nature of the offense. b) The linking of the offender's activity with the performance of data processing personal. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the infringement. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/10 e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a data protection officer. h) The submission by the person in charge or in charge, on a voluntary basis, to Alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested party. " In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, for the purpose of setting the amount of the fine to be imposed on IZA OBRAS Y PROMOCIONES, S.A. with NIF A48820229 as responsible for an infraction typified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent in the present case, as aggravating factors, the following factors: - A special category of personal data has been processed, such as health data, in accordance with article 9 of the RGPD. 
Therefore, in accordance with the applicable legislation and the criteria for grading sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, for an infringement of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD, a fine of €50,000 (fifty thousand euros).

SECOND: TO NOTIFY this resolution to IZA OBRAS Y PROMOCIONES, S.A.

THIRD: To warn the sanctioned party that the sanction imposed must be paid, once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date of enforceability falls between the 1st and the 15th of the month, both inclusive, the deadline for making the voluntary payment will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of the month, both inclusive, the payment term will be until the 5th of the second following or immediately subsequent business month.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day after notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. The documentation proving the effective filing of the contentious-administrative appeal must also be transferred to the Agency. If the Agency is not aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, the precautionary suspension would terminate.

Mar España Martí
Director of the Spanish Data Protection Agency