AEPD (Spain) - PS/00324/2021: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 17: Line 17:
|Type=Complaint
|Type=Complaint
|Outcome=Upheld
|Outcome=Upheld
|Date_Decided=14.12.2021
|Date_Decided=
|Date_Published=
|Date_Published=14.01.2022
|Year=2021
|Year=
|Fine=50,000
|Fine=50000
|Currency=EUR
|Currency=EUR


|GDPR_Article_1=Article 5(1)(b) GDPR
|GDPR_Article_1=Article 5(1)(c) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1b
|GDPR_Article_Link_1=Article 5 GDPR#1c
|GDPR_Article_2=Article 5(1)(c) GDPR
|GDPR_Article_2=Article 5(1)(b) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1c
|GDPR_Article_Link_2=Article 5 GDPR#1b
|GDPR_Article_3=Article 9(2)(f) GDPR
|GDPR_Article_Link_3=Article 9 GDPR#2f






|Party_Name_1=
|Party_Name_1=IZA OBRAS Y PROMOCIONES, S.A.
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
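Review bot: in the infobox fields of this hunk, the second revision of each pair (the one rendered further down as "Revision as of 17:45, 7 January 2022") empties Date_Decided and Year, which the other revision fills with 14.12.2021 and 2021, and the decision date should be kept so the case remains datable. Its Date_Published value of 14.01.2022 is later than that revision's own timestamp and needs checking against the source. It also drops GDPR_Article_3 (Article 9(2)(f) GDPR) although the Holding still turns on that exemption, so that entry and its link should stay next to the reordered Article 5(1)(c) and 5(1)(b) entries.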
Line 48: Line 46:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Cesar Manso-Sayao
|Initial_Contributor=Carmen Villarroel
|
|
}}
}}


The Spanish DPA fined a construction company €50,000 for violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by disclosing an employee's personal and medical data within a procedure before a public housing entity related to a labour dispute.
The Spanish DPA fined a controller €50,000 for sharing health data of one of their workers in the course of an administrative procedure in breach of the minimization principle, since such personal data was not strictly necessary for its defence in the procedure.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
Iza Obras y Promociones, S.A. (construction company) was awarded a construction contract by Entidad Pública Empresarial de Vivienda-Donostiako Etxegintz (public housing entity). An employee of the construction company filed a complaint before the public housing entity alleging the construction company failed to provide sufficient human and material means for the execution of a construction he was working on as a construction manager.
The worker of a company filed a complaint against their employer company (a constructor) before the Spanish DPA (AEPD). The data subject claimed that the company had shared with a public housing business entity data referring to their medical leaves and their content, including covid-19 data, and their email address.


In their response to this complaint, the construction company included personal data belonging to the employee. Among this data was the employee’s email, as well as sensitive medical data related to sick leaves, including dates, permissions, and motives. When the employee found out that this data had been disclosed within that procedure without their consent, they subsequently filed a claim against the construction company with the Spanish DPA (AEPD).
The controller alleged that it had shared such personal data in the course of an administrative procedure against the company.


In their response to this claim before the AEPD, the construction company stated that they had disclosed the claimant’s email because this was the regular communication channel established within their employment relationship. Additionally, the construction company justified the disclosure of the claimant’s medical data on the grounds of [[Article 9 GDPR#2f|Article 9(2)(f) GDPR]], arguing it was part of a legal defence in the initial labour dispute claim before the public housing entity.
=== Holding ===
The Spanish DPA first noted that health data fall under the category of special categories of personal data from [[Article 9 GDPR|Article 9 GDPR]]. According to the AEPD, even if the controller may had relied on the exemption on Article 9(2)(f), since the data were shared in the course of an administrative procedure against the company, the general data protection principles from [[Article 5 GDPR|Article 5 GDPR]] still need to be complied with.


=== Holding ===
According to the DPA, the controller did not take into account the minimization principle, since the company did not need to share all the data subject's personal data it shared during the proceedings, specially taking into consideration the nature of health data. Even if the controller was entitled to process such data internally, they should not have shared it away without express consent of the data subject.
The AEPD held that the construction company violated [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] by disclosing the claimant’s email on the grounds that it exceeded the original purpose for the processing of that personal data, which was circumscribed to the communication between both parts within their employment relationship.


The AEDP also held that although [[Article 9 GDPR#2f|Article 9(2)(f) GDPR]] and Recital 52 GDPR indeed establish an exception for the processing of special categories of data when it is part of a legal defence within court or administrative procedures, this processing must still be done in accordance with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The AEDP considered that in this case the construction company has not been able to justify the adequacy, relevance or need to disclose the claimant’s medical data as part of that legal defence.
Additionally, the DPA remarked that the company should not have shared the worker's email either, since the email was collected with the sole purpose of communicating with the worker, and therefore sharing it with third parties infringed the purpose limitation principle.


The AEDP concluded that processing of the claimant’s email and medical data within the procedure before the public housing entity without the claimant’s consent breached the principle of data minimisation and issued a €50,000 fine to the construction company for violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].
Therefore, the DPA determined that the controller had infringed [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] and fined the controller €50,000.


== Comment ==
== Comment ==
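Review bot: in the rewritten Holding, the closing sentence names only Article 5(1)(c) GDPR as infringed, while the paragraph just before it says that sharing the email infringed the purpose limitation principle; the text should state, as the other revision does, that the email finding rests on Article 5(1)(b) and that the fine was issued for Article 5(1)(c). The rewritten Facts also drop the background that the employee had first complained to the public housing entity, which leaves "an administrative procedure against the company" unexplained, and "may had relied", "specially" and "shared it away" need correcting.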
Line 425: Line 423:




In this sense, it should be noted that although recital 52 of the
In this sense, it should be pointed out that although recital 52 of the
RGPD in fine establishes with respect to this exception that “it must also be authorized to
RGPD in fine establishes with respect to this exception that “it must also be authorized to
exceptional title the processing of said personal data when necessary
exceptional title the processing of said personal data when necessary
Line 707: Line 705:
volunteer will be until the 20th day of the following or immediately subsequent business month, and if
volunteer will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and last days of each month, both inclusive, the payment term
between the 16th and last days of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.
it will be until the 5th of the second following or immediate business month.





Revision as of 17:45, 7 January 2022

AEPD (Spain) - PS/00324/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 14.01.2022
Fine: 50000 EUR
Parties: IZA OBRAS Y PROMOCIONES, S.A.
National Case Number/Name: PS/00324/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined a controller €50,000 for sharing health data of one of their workers in the course of an administrative procedure in breach of the minimization principle, since such personal data was not strictly necessary for its defence in the procedure.

English Summary

Facts

A worker filed a complaint against their employer (a construction company) before the Spanish DPA (AEPD). The data subject claimed that the company had shared with a public housing business entity data referring to their medical leaves and their content, including covid-19 data, and their email address.

The controller alleged that it had shared such personal data in the course of an administrative procedure against the company.

Holding

The Spanish DPA first noted that health data fall under the special categories of personal data in Article 9 GDPR. According to the AEPD, even if the controller may have relied on the exemption in Article 9(2)(f), since the data were shared in the course of an administrative procedure against the company, the general data protection principles of Article 5 GDPR must still be complied with.

According to the DPA, the controller did not take the minimization principle into account, since the company did not need to share all of the data subject's personal data that it shared during the proceedings, especially considering the nature of health data. Even if the controller was entitled to process such data internally, it should not have shared it without the express consent of the data subject.

Additionally, the DPA remarked that the company should not have shared the worker's email either, since the email was collected with the sole purpose of communicating with the worker, and therefore sharing it with third parties infringed the purpose limitation principle.

Therefore, the DPA determined that the controller had infringed Article 5(1)(c) GDPR and fined the controller €50,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: PS/00324/2021

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND


FIRST: On February 16, 2021, A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency.

The claim is directed against IZA OBRAS Y PROMOCIONES, S.A. with NIF A48820229 (hereinafter, the claimed party).

The reason on which the claim is based is that the claimed entity has disclosed health data of the claimant to another company, as well as their personal email address, all without the consent of the claimant.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on March 16, 2021, said claim was transferred to the claimed party so that it could analyze it and inform this Agency, within one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations.

On April 13, 2021, a written response was received at this Agency stating the following:


1.- On November 14, 2018, the Public Housing Business Entity-Donostiako Etxegintza awarded IZA a construction works contract in Intxaurrondo.

2.- The claimant, an IZA employee, worked on said project, temporarily performing the function of project manager.

3.- The claimant, maintaining his status as an employee, reported IZA to the Public Housing Business Entity-Donostiako Etxegintza on July 14 and September 2020 for, among other things, lack of assignment of human and material resources.

4.- In the exercise of its power of control, the Public Housing Business Entity-Donostiako Etxegintza required IZA, in accordance with article 55 of Law 39/2015 on the Common Administrative Procedure of Public Administrations, to provide information regarding the complaints filed.

5.- On receiving said communication, and in compliance with its obligation to collaborate with the Administration, IZA stated the relevant facts that would explain the lack of assignment of material and human resources to the project, answering the claimant's complaints. This information included information about the claimant, and IZA justifies sending it on the basis of compliance with a legal obligation (Law 39/2015) as well as the prerogatives of Law 9/2017 on public sector contracts.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es


6.- The information was submitted as confidential, through the Electronic Entry Registration channels, in accordance with the Law. The information held by the Public Housing Business Entity-Donostiako Etxegintza reached the claimant outside IZA's protection channels, as stated in the complaint.

7.- As a result, the breach protocol was activated and no data leak from IZA was detected. Clarification in this regard was requested from the Public Housing Business Entity-Donostiako Etxegintza, and that request has not received a response.

8.- Regarding the information indicated by the claimant, IZA provided it exclusively to the administrative procedure, in the exercise of the competence and control of the Public Entity.

9.- Regarding the use of the complainant's personal email, IZA reports that its use derives from the complainant having previously sent it, over 2 years, as a means of communicating with the company. Message headers and subjects are attached to corroborate this, and the contents would be sent to the Control Authority if needed.

THIRD: On June 18, 2021, the Director of the Spanish Agency for Data Protection agreed to accept for processing the claim presented by the claimant.

FOURTH: On October 13, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 5.1.c) of the RGPD, typified in Article 83.5 of the RGPD.

FIFTH: Once the aforementioned commencement agreement had been notified, on October 25, 2021, the claimed party submitted a brief of allegations in which, in summary, it states that it has not revealed personal information of the claimant to the Public Housing Business Entity-Donostiako Etxegintza.

It also expresses its confusion and asks this Agency to indicate what especially sensitive information has been processed.

Finally, it requests that the Donostia / San Sebastián City Council be required to provide the recording of the session incorporated into the session diary of the Territory Planning and Development Commission dated December 9, 2020, where the claimant's data were presumably released and disclosed.


SIXTH: On October 27, 2021, the instructor of the procedure agreed to open a period for the taking of evidence, taking as incorporated the preliminary investigation actions, E/02987/2021, as well as the documents provided by the claimed party.

SEVENTH: On October 31, 2021, a resolution proposal was issued proposing that the Director of the Spanish Data Protection Agency sanction IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, for a violation of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD, with a fine of €50,000 (fifty thousand euros).


EIGHTH: On November 15, 2021, allegations to said resolution proposal were presented, reiterating the allegations made throughout the procedure and specifically stating the following:

"The data of the claimant's personal email has not been disclosed, which is also found legitimate for the transfer of data -even if there were categories of data specially protected-, and that this whole procedure is unleashed by the leakage of information produced from the Public Housing Business Entity-Donostiako Etxegintza, its Board of Directors as well as from the Development and Planning of the Territory of the Donostia / San Sebastián City Council."

From the actions carried out in this procedure and the documentation in the file, the following have been accredited:

                                PROVEN FACTS


FIRST: The claimant states that the claimed entity has disclosed the claimant's health data (specifically dates of medical leave, reasons, and leaves) to another company, as well as the claimant's personal email address, all without consent.

The claimed entity provided not only the absences, but also the dates of the medical leaves and permits with their respective causes, including COVID.

This is stated in the letter sent by the claimed entity to the Public Housing Business Entity-Donostiako Etxegintza on November 18, 2020, which is in this file together with the documentation provided by the claimant with the claim.

SECOND: The claimed entity was required by the Public Housing Business Entity-Donostiako Etxegintza to provide information regarding the complaints filed by the claimant on July 14 and September 9, 2020 for lack of assignment of human and material resources.

The claimed entity responded to this request by providing personal information (the claimant's personal email, as well as dates of medical leave, their causes, and permits), which came to the knowledge of the latter and gave rise to the present claim.












                             FOUNDATIONS OF LAW

                                              I


By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.


                                             II

The RGPD, in its article 5, "Principles relating to treatment", says: "Personal data will be:

a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and transparency");

b) collected for specific, explicit and legitimate purposes, and not processed subsequently in a manner incompatible with said purposes; in accordance with article 89, section 1, the further processing of personal data for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes is not deemed incompatible with the original purposes ("purpose limitation");

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

d) accurate and, if necessary, up to date; all reasonable measures will be taken so that personal data that are inaccurate with respect to the purposes for which they are processed are erased or rectified without delay ("accuracy");

e) maintained in a way that allows the identification of the interested parties for no longer than necessary for the purposes of processing the personal data; personal data may be kept for longer periods provided that they are processed exclusively for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of the appropriate technical and organizational measures that this Regulation imposes in order to protect the rights and freedoms of the data subject ("limitation of the conservation period");

f) treated in such a way as to guarantee adequate security of the personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality").

2. The person responsible for the treatment will be responsible for compliance with the provisions of section 1 and able to demonstrate it ("proactive responsibility")."


The offense for which the claimed party is held liable is provided for in article 83.5 of the RGPD, which establishes:

"Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of 20,000,000 EUR or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the one with the highest amount:

a) The basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9."

In turn, the LOPDGDD in its article 72.1.a) qualifies as a very serious infringement, for prescription purposes, "a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679."


                                            III

In the present case, the claimant's personal data, such as the personal email address and health data, has been disclosed to the Public Housing Business Entity-Donostiako Etxegintza without the consent of the claimant.

Although the claimed party is recognized as having legitimacy to send the data necessary to defend itself against a sanctioning procedure or against penalties that could be imposed for the breach of an administrative contract, it should not be forgotten that the RGPD includes health as a category of specially protected personal data, in accordance with article 9.1 of the RGPD, which indicates the following:

"The processing of personal data that reveals ethnic or racial origin, political opinions, religious or philosophical convictions, or union affiliation, and the treatment of genetic data, biometric data aimed at unequivocally identifying a natural person, data related to health or data related to the sexual life or sexual orientation of a natural person".

In this sense, the claimed entity presented a written statement of allegations to the resolution proposal indicating that, in accordance with article 9.2 f) of the RGPD, the claimant's personal data were released for its defense against a claim.

It should be noted that the literal wording of said precept is as follows:

"Section 1 will not apply when one of the following circumstances occurs:

f) the treatment is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function;"


In this sense, it should be pointed out that although recital 52 of the RGPD in fine establishes with respect to this exception that "the processing of said personal data must also be authorized on an exceptional basis when necessary for the formulation, exercise or defense of claims, whether by a judicial procedure or an administrative or extrajudicial procedure", it must nevertheless be taken into account that the use of health data, even under this exception, is not covered if it violates article 5.1.c) of the RGPD and the data transferred are excessive in relation to the purpose, since the need to specify all vacations, permits and, especially since they are health data, medical leaves with their causes in order to mount its defense is not justified.

On the other hand, the claimed entity also alleges in its brief of allegations to the resolution proposal that evidence has been rejected by this body.

In this sense, it should be noted that this Agency has not rejected any evidence presented by the claimed party; it has only considered that, with the evidence in this procedure, it is not necessary to request from the Donostia / San Sebastián City Council the recording of the session incorporated into the diary of sessions of the Territory Planning and Development Commission dated December 9, 2020.

This is so because it has been proven that the claimed entity transferred health data of the claimant, specifically dates of medical leave, the reasons for them, and permits. The claimed entity has therefore been excessive in its processing of the personal data: even if it has legitimacy to use the data internally in its relations with the worker or claimant, it has no legitimacy to use them beyond its employment relationship with the claimant without the claimant's express consent.


In another vein, it has also been found that, in response to the requirement of the Public Housing Business Entity-Donostiako Etxegintza arising from the complaints filed by the claimant on July 14 and September 9, 2020 for lack of assignment of human and material resources, the claimed entity provided the claimant's email without having the claimant's consent.

In this sense, the claimed entity claims to know the complainant's email because it was the form of company-worker communication, so by providing the claimant's personal email to a third entity, it has exceeded the purpose for which said personal data was provided, thereby violating the principle of purpose limitation, regulated in article 5.1 b) of the RGPD, indicated in foundation of law II.

Therefore, when the claimant's health data (dates of medical leave, the reasons for them and permits with their respective causes, including COVID) and the claimant's personal email are transferred, this Agency considers, on the one hand, that specially protected data are being processed, in accordance with article 9 of the RGPD (health data), and on the other, that personal data (personal email) is being processed for a purpose other than mere communication between the worker and the company, in accordance with article 5.1 b) of the RGPD.


All this results in an excessive use of personal data by the claimed entity. Although data protection regulations require that the processing of personal data be adequate, pertinent and limited to what is strictly necessary in relation to the purposes for which they are processed, the claimed entity, as a consequence of the complaint filed against it by the claimant before the Public Housing Business Entity-Donostiako Etxegintza for lack of assignment of human and material resources, has violated the principle of data minimization by providing said public business entity, for its defense, with the claimant's health data and personal email, which means we are facing an alleged violation of article 5.1 c) of the RGPD, indicated in foundation of law II.

Therefore, it is considered appropriate to reiterate that it is not considered necessary to require the Donostia / San Sebastián City Council to provide the recording of the session incorporated into the journal of sessions of the Territory Planning and Development Commission dated December 9, 2020, as suggested by the claimed entity, since the documentation in this file proves the denounced events, which ultimately amount to an excess of personal data provided by the claimed entity to justify its action, to the detriment of the claimant, by processing especially sensitive, and therefore specially protected, data such as health data, in accordance with the provisions of Article 9 of the RGPD.


                                           IV

Article 58.2 of the RGPD provides the following: "Each supervisory authority will have all of the following corrective powers listed below:

b) direct a warning to any controller or processor when the treatment operations have infringed the provisions of this Regulation;

d) order the controller or processor to bring treatment operations into compliance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time;

i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;"


                                           V

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, which state:

"Each control authority will guarantee that the imposition of administrative fines in accordance with this article for infringements of this Regulation indicated in sections 4, 5 and 6 is, in each individual case, effective, proportionate and dissuasive."

"Administrative fines will be imposed, depending on the circumstances of each individual case, as an addition to or substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:

a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to mitigate the damages suffered by the interested parties;

d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have applied by virtue of articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infraction and, in such case, to what extent;

i) when the measures indicated in article 58, paragraph 2, have previously been ordered against the controller or processor in relation to the same issue, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with Article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the offense."


Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, in article 76, "Sanctions and corrective measures", provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the offense.

b) The linking of the offender's activity with the performance of personal data processing.

c) The benefits obtained as a result of the commission of the offense.

d) The possibility that the affected person's conduct could have led to the commission of the infringement.

e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.

f) Affecting the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are controversies between them and any interested party."


In accordance with the transcribed precepts, and without prejudice to whatever results from the investigation of the procedure, for the purpose of setting the amount of the fine to be imposed on IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, as responsible for an infringement typified in article 83.5.a) of the RGPD, in an initial assessment, the following are considered to concur in the present case as aggravating factors:

- A special category of personal data has been processed, such as health data, in accordance with article 9 of the RGPD.


Therefore, in accordance with the applicable legislation and the criteria for the graduation of sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES:


FIRST: IMPOSE on IZA OBRAS Y PROMOCIONES, S.A., with NIF A48820229, for an infringement of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD, a fine of €50,000 (fifty thousand euros).

SECOND: NOTIFY this resolution to IZA OBRAS Y PROMOCIONES, S.A.

THIRD: Warn the sanctioned party that the sanction imposed must be paid once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment term established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by paying it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection at the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date on which it becomes enforceable falls between the 1st and the 15th of the month, both inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the next business day thereafter, and if it falls between the 16th and the last day of the month, both inclusive, the payment deadline will be the 5th of the second following month or the next business day thereafter.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month from the day after notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, submitting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within a period of two months from the day following notification of this resolution, it will terminate the precautionary suspension.



Mar España Martí
Director of the Spanish Agency for Data Protection























