AEPD (Spain) - PS/00381/2019

From GDPRhub
AEPD - PS/00381/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 83(5)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 23.07.2020
Fine: None
Parties: Congosto de Valdavia City Council
National Case Number/Name: PS/00381/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish data protection authority (AEPD) held that a city council was in breach of GDPR data integrity and confidentiality principles by publishing a census containing individuals' names, surnames and ID card numbers online and on the council notice board.

English Summary

Facts

The City Council (the respondents) published on their website and on their notice board copies of the census of common agricultural uses. The census contained the name, surnames and ID card number of the complainant. The respondents argued that the copies were removed from the website and notice board by the current mayor's office immediately after becoming aware of the issue; they also argued that the previous mayor's office were the party who had actually published the copies of the census. However, by the time respondents made these submissions to the AEPD, the complainant had already filed a complaint with the AEPD, the previous mayor's office had failed to reply to requests from the AEPD about the complaint, and the AEPD had already initiated proceedings against the council on the question of whether the publication of the copies of the census were in breach of Article 5(1)(f) GDPR.

Dispute

Was the publication of the census copies a breach of the data integrity and confidentiality principle under Article 5(1)(f) GDPR?

Holding

The AEPD held that the City Council had breached Article 5(1)(f), because a "duty" of confidentiality ("deber de confidencialidad") must be understood as having the purpose of avoiding leaks of personal data that occur without the consent of data subjects. They also noted that this duty is incumbent on all those involved at any stage of the processing.

The AEPD subsequently issued a reprimand to the Council and notified the Spanish Ombudsman (Defensor del Pueblo) of the case.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Product ID.: PS/00381/2019
DECISION ON DISCIPLINARY PROCEEDINGS
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: Mrs. A.A.A. (hereinafter, the complainant) on 13/03/2019 filed a complaint with the Spanish Data Protection Agency. The claim is directed against CONGOSTO DE VALDAVIA CITY COUNCIL with NIF P3406300H (from now on the claimed or CITY COUNCIL). The reasons on which the claim is based are based on the fact that the claimant has published the census of communal agricultural uses on the notice board of the town council and on its website; the name, surname and ID card of the claimants are included in the aforementioned document. 
SECOND: After receiving the complaint, the Subdirectorate General for Data Inspection proceeded to carry out the following actions:
On 14/05/2019, and again on 27/05/2019, the letter submitted for analysis and communication to the complainant of the decision taken in this regard was transferred to the respondent. The complainant was also required to provide the Agency with certain information within one month:
-	A copy of the communications, of the decision taken that has been sent to the complainant regarding the transfer of this complaint, and proof that the complainant has received the communication of that decision.
-	Report on the causes that have led to the incidence that has originated the claim.
-	Report on measures taken to prevent similar incidents from occurring.
-	Any others you consider relevant.
There is no evidence that the respondent has responded to the request made by the Spanish Data Protection Agency.
THIRD: On 22/10/2019, in accordance with Article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the claim presented by the claimant against the respondent for processing.
FOURTH: On December 18, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the defendant for the alleged infringement of Article 5(1)(f) of the RGPD, as provided for in Article 83(5)(a) of those Regulations.
FIFTH: Once the agreement to initiate the proceedings had been notified, the respondent presented a written statement of allegations, stating, in summary: that the current mayor's office had not previously been informed of the complaint filed either by the outgoing corporation or by the secretary who occupied the post in the Town Hall at that time; that until 29/10/2019, the Town Hall had not had a secretary and the current secretary had taken possession of the post on that date. It was then, when the mayor was informed of the existence of the writings of the AEPD; that the request for information by the Spanish Data Protection Agency has been complied with and the complainant has been given a reply based on a report drawn up by the Data Protection Delegate appointed by this Town Hall, of the decisions that have been taken in this respect in relation to the complaint, stating that 
a)	A copy of the census of communal agricultural use was immediately removed from the town hall bulletin boards and the municipal web page.
b)	That the claimant was not demanding any right, only denounces a fact, although it is communicated to him that can exercise the rights to accede, to rectify and to suppress the data, as well as other rights, indicated in the additional information, that can exercise going to the City council of Congosto de Valdavia and can consult in its page Web
c)	As for the measures taken as a result of their complaint, they acknowledge the error made, based on the principle of publicity. Error for not having used the necessary measures for the anonymization of personal data.
d)	At present, the City Council is immersed in the implementation of theRGPD and in the training of the City Council staff in order to avoid incidents similar to this claim and to comply with the provisions of Law 3/2018 of December 5, which should have been done earlier, but, like so many other things, had not been done. 
SIXTH: On June 2, 1920, a motion for resolution was issued to sanction the defendant with a warning for violation of Article 5.1.f) of the RGPD, typified in Article 83.5.a) of said Regulation and sanctioned in accordance with Article 77.2 of the LOPDGDD.
On the expiry of the time limit set for this purpose, the respondent has not submitted any written arguments at the time of this decision.
SEVENTH: Of the actions carried out in the present procedure, the following have been accredited,
PROVEN FACTS
FIRST. The 13/03/2019 has written entry of the claimant stating that the City Council of Congosto de Valdavia, has published on the bulletin board of the town, edict by which opens the period for updating the census of the petitioners for the award of the same during the period 2019-2024 and giving deadline for submission of applications; on 31/01/2019, the updating of the census of communal agricultural uses is published by the claimant, both on the notice board and on the website of the same, which consists of a list of the applicants with their name, surname and complete ID number; considering that this publication of personal data breaches the principle of confidentiality.
SECOND: The Update of the Census of Communal Agricultural Uses for the period 2019 to 2024, approved by Plenary Agreement dated January 28, 2019, has been provided, where the names and complete numbers of the petitioners' NICs are included, including that of the claimant.
THIRD: It is provided by the claimant image of the Edict Board and the Electronic Headquarters of the Corporation where the mentioned Census of Exploitations is published, including names, surnames and IDs.
FOURTH: The City council of Congosto de Valdavia declares to have withdrawn from the notice boards of the city council and the municipal web page immediately, the copy of the census of communal agricultural use and informed the claimant.
LEGAL FOUNDATIONS
I
By virtue of the powers that Article 58.2 of the RGPD grants to each supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
II
The facts reported are specified in the publication on the bulletin board of the City Council and on its website of personal data (name and surname and complete ID number of applicants) that may be known by third parties, contained in the census of communal agricultural use, violating the duty of confidentiality. 
Article 5, Principles relating to treatment, of the RGPD states that:
"1. The personal data shall be:
(…)
(f) processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, through the implementation of appropriate technical or organisational measures ('integrity and confidentiality'). 
(…)”
Article 5, Duty of Confidentiality, of the new Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), states that
"Data controllers and processors and all persons involved at any stage of the processing shall be bound by the duty of confidentiality referred to in Article 5(1)(f) of Regulation (EU) 2016/679.
2.	The general obligation indicated in the previous section shall be complementary to the duties of professional secrecy in accordance with the applicable regulations.
3.	The obligations established in the previous paragraphs shall be maintained even when the relationship of the data subject with the data controller or processor has ended".
III
The documentation in the file provides evidence that the defendant violated Article 5 of the RGPD, principles relating to the treatment, in relation to Article 5 of the LOPGDD, duty of confidentiality, by publishing personal data that may be known by third parties, contained in the census of communal agricultural uses.
This duty of confidentiality, previously a duty of secrecy, must be understood as having the purpose of preventing leaks of the data not consented to by the holders of the same. 
This duty of confidentiality is therefore an obligation incumbent not only on the controller and processor but also on all those involved at any stage of the processing, and is complementary to the duty of professional secrecy.
The claimant has provided images of the Edict Board and the City Council's website where the Update of the Census of Communal Agricultural Uses for the period 2019 to 2024, which was approved by a Plenary Agreement dated 28/01/2019, contains a list of the names, surnames and complete numbers of the petitioners' IDs, including that of the claimant.
The complainant himself stated in writing that he had immediately removed the copy of the census of communal agricultural use from the council notice boards and the municipal website and that he had taken the appropriate technical and organisational measures to ensure that incidents such as the one complained of would not occur again in the future, acknowledging the error made; that they are immersed in the implementation of the RGPD as well as the training of the City Council staff in the field of data protection to avoid the occurrence of incidents such as those claimed and to comply with the provisions of both the RGPD and the LOPDGDD, claims that should have been made previously but which, like so many other things, had not been carried out as the Mayor's Office and the City Council Secretariat were in the process of change.
However, it is clear from the established facts that the defendant's action constitutes a breach of Article 5(1)(f) 
IV
Article 83.5 a) of the RGPD, considers that the infringement of "the basic principles for processing, including the conditions for consent under Articles 5, 6, 7 and 9" is punishable, in accordance with paragraph 5 of the aforementioned Article 83 of the RGPD, "with administrative fines of a maximum of 20,000,000 euros or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, whichever is greater".
On the other hand, the LOPDGDD, for the purposes of prescription, in its article 72 indicates:
"Violations considered very serious:
1. In accordance with Article 83(5) of Regulation (EU) 2016/679, infringements that substantially infringe the articles mentioned therein, and in particular the following, are considered very serious and shall be subject to a three-year limitation period:
a) The processing of personal data in violation of the principles and guarantees
laid down in Article 5 of Regulation (EU) 2016/679.
(…)”
However, the LOPDGDD in its Article 77, Regime applicable to certain categories of persons responsible or in charge of the processing, establishes the following:
"The rules laid down in this Article shall apply to processing operations for which they are responsible or in charge:
a) The constitutional bodies or bodies with constitutional relevance and the institutions of the autonomous communities analogous to them. b) The jurisdictional bodies.
c)	The General State Administration, the Administrations of the Autonomous Communities and the entities that make up the Local Administration.
d)	Public bodies and public law entities linked to or dependent on the Public Administration.
e)	The independent administrative authorities.
f)	The Bank of Spain.
g)	Public law corporations when the purposes of the treatment are related to the exercise of public law powers. h) Public sector foundations.
i)	The Public Universities.
j)	The consortia.
k)	The parliamentary groups of the General Courts and the Autonomous Legislative Assemblies, as well as the political groups of the Local Corporations.
2.	When the persons responsible or in charge listed in paragraph 1 commit any of the offences referred to in Articles 72 to 74 of this Organic Law, the competent data protection authority shall issue a decision punishing them with a warning. The decision shall also establish the measures to be adopted to cease the conduct or to correct the effects of the infringement that has been committed.
The decision shall be notified to the controller or person responsible for the processing, to the body to which he or she reports, if any, and to the data subjects who are data subjects, if any.
3.	Without prejudice to the provisions of the previous paragraph, the data protection authority shall also propose the initiation of disciplinary proceedings when there is sufficient evidence to do so. In this case, the procedure and the sanctions to be applied shall be those established in the legislation on the disciplinary or sanctioning regime that is applicable.
Likewise, when the infringements are attributable to authorities and directors, and the existence of technical reports or recommendations for treatment that have not been duly addressed is accredited, the resolution imposing the penalty shall include a warning with the name of the responsible position and shall order publication in the corresponding Official State or Autonomous Community Gazette.
4.	The data protection authority must be notified of any decisions relating to the measures and actions referred to in the previous paragraphs.
5.	The Ombudsman or, as the case may be, the autonomous community institutions shall be informed of the actions taken and the resolutions issued under this article.
6.	When the competent authority is the Spanish Data Protection Agency, it shall publish on its website, with due separation, the resolutions referring to the entities in paragraph 1 of this Article, with express indication of the identity of the controller or processor who has committed the infringement.
When the competence corresponds to an autonomous data protection authority, the publicity of these resolutions will be in accordance with the specific regulations of that authority".
In accordance with the evidence available and such conduct constitutes a breach of Article 5.1(f) of the RGPD.
It should be noted that the LOPDGDD, without prejudice to the provisions of Article 83 of the RGPD, provides in Article 77 for the possibility of using the sanction of a warning to correct the processing of personal data that does not comply with its provisions, when the persons responsible or in charge listed in paragraph 1 commit any of the offences referred to in Articles 72 to 74 of this Organic Law.
In the present case, taking into account the nature of the infringement and given that the complaint in writing dated 13/03/2019 has informed this Agency of the particular and specific circumstances in which the incident that led to the complaint occurred, as well as the measures adopted to prevent such events from occurring again, and that once the current government team had been granted access to the municipal government and the new Secretary had taken office, it was possible to comply immediately with both the request for information by the Spanish Data Protection Agency, and to the same claimant on the basis of a report drawn up by the Data Protection Delegate appointed by the City Council, regarding the decisions that have been gradually adopted in relation to the complaint filed and indicating: that the copy of the census of communal agricultural use had been removed from the town hall notice boards and the municipal website; that although the claimant was not demanding any rights and was reporting an event, she was informed about the possibility of exercising the rights of access, rectification, correction and suppression of personal data as well as other rights indicated in the additional information provided, which could be exercised by contacting the CITY COUNCIL and which could be consulted on its website; that they recognise the error made by not having used the necessary measures for the anonymisation of personal data and that they are currently immersed in the implementation of the measures established in the RGPD and in the training of the Town Hall staff to avoid the occurrence of incidents similar to those that have led to the complaint being lodged and to comply with the provisions of the regulations on data protection.
Therefore, it is considered that the response of the claimant has been reasonably diligent, recognizing the facts and immediately correcting the errors made, not having any other claims from the affected persons and adopting adequate measures to avoid any anomaly or future incidence that may occur. 
 
Therefore, in accordance with the applicable legislation and assessed the criteria for the graduation of the sanctions whose existence has been accredited, 
The Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on the CITY COUNCIL OF CONGOSTO DE VALDAVIA, with NIF
P3406300H, for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a warning sanction in accordance with the provisions of Article 77.2 of the LOPDGDD.
SECOND: TO NOTIFY this resolution to the CITY COUNCIL OF CONGOSTO DE VALDAVIA, with NIF P3406300H.
 THIRD : TO COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of Article 77.5 of the LOPDGDD
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. 
Against this resolution, which puts an end to the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, data subjects may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly lodge an administrative appeal with the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that accredits the effective filing of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it will terminate the precautionary suspension.
Mar España Martí 
Director of the Spanish Data Protection Agency