AEPD (Spain) - PS/00347/2020
|AEPD (Spain) - PS/00347/2020|
|Relevant Law:||Article 5(1)(c) GDPR|
Article 5(1)(f) GDPR
|Parties:||AYUNTAMIENTO DE EL ESCORIAL|
|National Case Number/Name:||PS/00347/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA warned a City Council for infringing the integrity and confidentiality principle by publishing personal data related to a public grant procedure.
English Summary[edit | edit source]
Facts[edit | edit source]
A data subject filed a complaint with the Spanish DPA (AEPD) against a City Council, alleging that they had published a document with data related a public grant, that included their own personal data.
The Council alleged that they were, following their bylaw, obliged to publish such data so the rest of the participants in the grant procedure were able to contrast the data. However, they declared that they were willing to change the bylaw if the AEPD determined that such processing was unlawful.
Holding[edit | edit source]
The AEPD concluded that, even if it was justified by the nature of the proceeding and related procedural issues, and by the Transparency Act, to publish data related to the grants, it should be done following the data protection principles. Therefore, the minimization principle applied, so data such as the personal ID should not be published, as it does not add any necessary information to the grant procedure.
Additionally, the data should not have been accessible to all the workers and parties with access to the platform, but only to the ones that were involved and needed to access the data.
The DPA took into account the will of the Council to change their bylaw if necessary, and the lack of bad faith.
Therefore, the AEPD concluded that the Council had violated Article 5(1)(f) for breaching the confidentiality principle, and issued a warning against it.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/9 Procedure Nº: PS / 00347/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: D. A.A.A. (hereinafter, the claimant), dated 02/14/2020, filed claim before the Spanish Agency for Data Protection. The claim is directed against the CITY COUNCIL OF EL ESCORIAL with NIF P2805400E (hereinafter, the claimed). The reasons on which the claim is based are: the claimant, worker of the City Council, states that by publishing the list of granting aid from social action violates data protection regulations; points out that in the list the amount assigned to each worker in relation to the requested aid is stated; according the claimant the list of aid has been sent to all workers of the consistory. Provides printing of the published list. SECOND: Upon receipt of the claim, the Subdirectorate General of Inspec- tion of Data proceeded to carry out the following actions: On 06/03/2020, the claim submitted for analysis was transferred to the defendant and communication to the claimant of the decision adopted in this regard. Likewise, he is required so that within one month it sent certain information to the Agency tion: - Copy of the communications, of the adopted decision that has been sent to the complainant maintain regarding the transfer of this claim, and accreditation that the claim- you have received the communication of that decision. - Report on the causes that have motivated the incident that has originated the claim. mation. - Report on the measures adopted to prevent similar incidents from occurring. lares. - Any other that you consider relevant. On 09/11/2020, the defendant sent a letter stating, in summary: that the The claim refers to the internal remission of provisional and definitive resolutions. of aid granted to municipal employees within the framework of the ac- municipal social organization and that said resolutions only contain the name, surname and amounts assigned to each worker and requirement of corrections in the contribution documentation. That it is necessary for the worker to know both data, otherwise it may be It would make sense to open a public information process and for the worker to know the specific allocation of amounts that would allow you to exercise your right to claim or correct the necessary documentation. In this sense, it should be noted that the Law 19/2013, of December 9, on transparency, access to public information and good C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/9 government, imposed mandatory advertising of all grants and other aid public. The notification of the resolutions does not allow to know any personal data protected or that violates the necessary confidentiality. That the granting and processing of the aid is carried out in accordance with the regulations in force You are approved by the social representation of which the claimant is part. This re- Regulation expressly establishes that the grants will be processed and studied by a commission made up of members representing the social part and company. The secretary in charge of the formalization of documents and publication of the grants falls on the social part. That it is not the City Council or the Delegated Department of Personnel and Human Resources the person in charge of the processing and resolution of these aids and therefore cannot to be responsible for the actions of this collegiate body. However, if this publication of names and assigned amounts were to be considered das could violate any precept of the data protection law, through the Presidency will propose to this body the modification of its management regulations so that in the future the secretary of this body may carry out the individual notification dualized to each worker of the assigned amount. THIRD: On 09/30/2020, in accordance with article 65 of the LOPDGDD, the Di- rector of the Spanish Agency for Data Protection agreed to admit to processing the re claim filed by the claimant against the defendant. FOURTH: On 11/16/2019, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure for the one claimed for the alleged infringement tion of article 5.1.f) of the RGPD, contemplated in article 83.5.a) of the aforementioned Regulation- ment. FIFTH: Once the initiation agreement was notified, the complainant, on 11/27/2020, presented brief of allegations stating that the process of granting aid is not of competitive competition, in accordance with the municipal regulations on the matter; that at no time was the information made public on freely accessible web pages by third parties; that said communication was made in order to comply with the specifications do in article 8.1.c) of Law 19/2013; that the modification of the regulation will be proposed. management process so that individualized notification is carried out for each job. jador of the assigned amount. SIXTH: On 12/14/2020, a test practice period began, according to the taking the following - To consider reproduced for evidentiary purposes the claim filed by the claimant and its documentation, the documents obtained and generated by the Inspection services that are part of file E / 10062/2019. - To consider reproduced for evidentiary purposes, the allegations to the initial agreement cio submitted by the claimed SEVENTH: On March 31, 2021, a resolution proposal was formulated, stating that the Director of the Spanish Agency for Data Protection sanctions C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/9 cite the CITY COUNCIL OF EL ESCORIAL, for an infraction of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, with a warning sanction. PROVEN FACTS FIRST: On 12/03/2018 you have entry into the Spanish Agency for the Protection of Da- written by the claimant, President of the Works Council, stating that des- In 2016, the list with the list of aid from the denomination has been published. do Social Action Fund granted by the City Council containing the name and surnames of the workers who have applied for help, the amount they will receive from the Social Action Fund and providing information on whether the aid corresponds to gas- to dentistry, orthodontics, orthopedics, etc. SECOND: Screen printing is provided in excellent format of the List of grants awarded. THIRD: The complained party in writing dated 09/25/2020 has indicated that: ”the The granting and processing of the aid is carried out in accordance with current and approved regulations. by the social representation of which the claimant is a part. This regulation expressly establishes that the aid will be processed and studied by a commission made up of members representing the social and entrepreneurial part sa. The secretary in charge of the formalization of documents and publication of the aid falls on the social part ”. FOURTH: The respondent in writing dated 11/26/2020 states that: “However, and if consider that this publication of names and assigned amounts could violate any precept of the data protection law, through the presidency it is proposed will give this body the modification of its management regulations so that in the future the secretary of this body carry out the individualized notification to each worker of the assigned amount ”. FIFTH: The Joint Regulation of the Social Action Commission of the Official and Labor Personnel of the City Council of El Escorial and its Autonomous Body nomo. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to re- solve this procedure. II C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/9 The denounced facts materialize in the publication of the concession list of social action aids whose list contains personal data, as well as such as the amounts granted, causes for denial, etc., violating the duty of confidentiality. Article 58 of the RGPD, Powers, states: "two. Each supervisory authority shall have all the following powers co- Rectives listed below: (…) b) sanction any person responsible or in charge of the treatment with warning to when the treatment operations have infringed the provisions of this Regulation; (…) " Article 5, Principles relating to treatment, of the RGPD establishes that: "1. The personal data will be: (…) f) treated in such a way as to guarantee adequate security of the data personal coughs, including protection against unauthorized or unlawful processing to and against its loss, destruction or accidental damage, by applying appropriate technical or organizational measures ("integrity and confidentiality"). (…) Also article 5, Duty of confidentiality, of Organic Law 3/2018, of 5 of December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), points out that: "1. Those responsible and in charge of data processing, as well as all The people who intervene in any phase of this will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679. 2. The general obligation indicated in the previous section will be complementary of the duties of professional secrecy in accordance with its applicable regulations. 3. The obligations established in the previous sections will be maintained even when the relationship of the obligated party with the person in charge or manager has ended treatment ”. III On the other hand, article 83.5 a) of the RGPD, considers that the infringement of “the principles basic guidelines for the treatment, including the conditions for consent to nor of articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the mentioned cited article 83 of the aforementioned RGPD, “with administrative fines of € 20,000,000 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/9 at most or, in the case of a company, of an amount equivalent to 4% as maximum total annual global business volume of the previous financial year, op- taking the highest amount ”. The LOPDGDD in its article 72 indicates: “Violations considered very serious: 1. In accordance with the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in part, ticular, the following: a) The processing of personal data violating the principles and guarantees es- established in article 5 of Regulation (EU) 2016/679. (…) IV The documentation in the file offers clear indications that the claimed, violated article 5 of the RGPD, principles relating to treatment, in in relation to article 5 of the LOPGDD, duty of confidentiality, when the publication of the list of granting aid for social action and, in addition, be sent to all workers the list of aid. This duty of confidentiality is an obligation that falls not only on the person responsible and in charge of the treatment but to everyone who intervenes in any phase of the treatment and complementary to the duty of professional secrecy. As already reported in the initiation agreement in the case of social assistance, there was to distinguish between those that are granted under competitive competition and non-competitive competition, thus distinguishing two scenarios: In cases of competitive competition, and therefore without a maximum number of requests to be accepted by the entity, the notification should be individualized according to so that personal data should not be accessible to third parties. In cases of non-competitive competition, applicants - never third parties at the procedure- they will be able to know the list of award of the aids, but not data not necessary or expendable (eg, DNI number). Consequently, entities that intend to grant aid from a fund social action can not publish the list of grants awarded and / or denied on a freely accessible web page, or on a notice board located in an area open to the public, because it would allow third parties outside the procedure to have access to personal data. The defendant in his response to the agreement to initiate the procedure indicated that the The procedure in question was not one of competitive concurrence, a reality that It could be verified after reading the JOINT REGULATION OF THE COMMISSION OF SOCIAL ACTION OF THE OFFICIAL AND LABOR STAFF OF THE CITY COUNCIL OF EL ESCORIAL AND ITS AUTONOMOUS ORGANISM. Likewise, it pointed out that the list containing the information related to the grants did not had been published on web pages freely accessible by third parties, but rather the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/9 notification was made through the document manager program itself being necessary or have access to said software and in order to comply with what is specified in Article 8.1.c) of Law 19/2013, of December 9, on transparency, access to the public information and good governance that indicates: "1. Subjects included in the scope of this title must do public, at least, the information related to administrative management acts with economic or budgetary impact indicated below: (…) c) Subsidies and public aid granted with indication of their amount, objective or purpose and beneficiaries. (…) " In a report from the IGAE it is indicated that “the aid for Social Action and the advances non-refundable granted to the staff of public administrations are not subsidies or public aid, but fall within the remuneration scope of the personal, and have the fiscal and budgetary treatment of these expenses " The defendant indicates that, if it could be considered that said notification of names and assigned amounts could violate any precept of the law of protection of data, it would be proposed to modify its management regulations so that it is carried out carry out individualized notification to each worker of the assigned amount. With According to what is indicated, the aforementioned modification should be made. V The LOPDGDD in its article 77, Regime applicable to certain categories of res- those responsible or in charge of the treatment, establishes the following: "1. The regime established in this article will be applied to the treatments of those who are responsible or in charge: a) The constitutional bodies or those with constitutional relevance and the institutions tions of the autonomous communities analogous to them. b) The jurisdictional bodies. c) The General State Administration, the Administrations of the communities autonomous communities and the entities that make up the Local Administration. d) Public bodies and public law entities linked to or pending of the Public Administrations. e) The independent administrative authorities. f) The Bank of Spain. g) Public law corporations when the purposes of the treatment are related to the exercise of powers of public law. h) Public sector foundations. i) Public Universities. j) Consortia. k) The parliamentary groups of the Cortes Generales and the Legislative Assemblies autonomous communities, as well as the political groups of the Local Corporations. 2. When the managers or managers listed in section 1 commit- have any of the infractions referred to in articles 72 to 74 of this law C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/9 organic, the competent data protection authority will issue a resolution sanctioning them with warning. The resolution will also establish the measures to be adopted to stop the conduct or correct the effects cough of the offense that had been committed. The resolution will be notified to the person in charge of the treatment, to the earning that depends hierarchically, where appropriate, and those affected who had the condition of interested party, if applicable. 3. Without prejudice to the provisions of the previous section, the protection authority tion of data will also propose the initiation of disciplinary actions when there is sufficient evidence to do so. In this case, the procedure and the sanctions to apply will be those established in the legislation on disciplinary or sanctioning dor that is applicable. Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for treatment is accredited that had not been duly attended to, in the resolution imposing the The sanction will include a reprimand with the name of the responsible position and will order the publication in the Official Gazette of the State or regional gives. 4. The data protection authority must be informed of the resolutions tions that fall in relation to the measures and actions referred to in the previous sections. 5. They will be communicated to the Ombudsman or, where appropriate, to the institutions of the autonomous communities, the actions carried out and the resolutions rules issued under this article. 6. When the competent authority is the Spanish Agency for the Protection of Data, it will publish on its website with due separation the resolutions related to to the entities of section 1 of this article, with express indication of the identity of the person in charge or in charge of the treatment that had committed the infringement tion. When the competence corresponds to an autonomous protection authority of data will be, in terms of the publicity of these resolutions, to what is available its specific regulations ”. In the case under examination, the publication of data relating to the granting of aid in the field of social action violates the regulations on the protection of personal data as it is considered that it violates the principle of confidentiality. In accordance with the evidence available, such conduct constitutes, on the part of the claimed the infringement of the provisions of article 5.1.f) of the RGPD. However, it should be noted that the RGPD, without prejudice to what is established in its Article 83, contemplates in its article 77 the possibility of resorting to the sanction of warning to correct the processing of personal data that is not appropriate to their forecasts, when the managers or managers listed in section C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/9 1 commit any of the offenses referred to in articles 72 to 74 of this organic law. Likewise, it is contemplated that the resolution issued will establish the measures that proceed to adopt so that the conduct ceases, the effects of the offense that was committed and its adaptation to the requirements contemplated in article 5.1.f) of the RGPD of the RGPD, as well as the contribution of supporting means of the compliance with what is required. However, the defendant has informed this Agency of the circumstances in which that the incident that led to the claim occurred, as well as the measures to adopt in order to prevent events such as the one claimed from occurring again in the future, as it is that the modification of its management regulations will be proposed in order to carry out individualized notification to each worker of the assigned amount of the social action fund, so it is required to report if there were carried out or any other action taken. Likewise, taking into account the absence of bad faith in the aforementioned publication, which in At no time was the information made public on web pages freely accessible by third parties, that a notification was made through the manager's internal program documentary and that to access it it was necessary to have access to the software, considers that the answer has been reasonable, acknowledging the facts and trying correct the error made, not having evidence of other claims for part of the affected persons, so it is not appropriate to urge the claimed adoption of additional measures. Therefore, in accordance with the applicable legislation and the graduation criteria assessed tion of the sanctions whose existence has been proven, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE THE CITY COUNCIL OF EL ESCORIAL, with NIF P2805400E, for a violation of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a warning sanction. SECOND: NOTIFY this resolution to the CITY OF EL ESCO- RIAL. THIRD: COMMUNICATE this resolution to the Ombudsman, of in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the inte- Residents may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from the day after notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the additional provision C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/9 Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction- administrative, within a period of two months from the day following the notification tion of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do manifests its intention to file a contentious-administrative appeal. Of being In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Re- Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward the documentation to the Agency that certifies the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal trative within two months from the day following notification of this resolution, would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es