AEPD (Spain) - PS/00384/2020

From GDPRhub
AEPD (Spain) - PS/00384/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 28.06.2021
Published: 02.07.2021
Fine: None
Parties: DIRECCIÓN GENERAL DE LA GUARDIA CIVIL
National Case Number/Name: PS/00384/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Paola L.

The Spanish DPA issued a warning to a Directorate of the Spanish Police Force for infringing the principle of integrity and confidentiality by sending an email containing sensitive personal data about the data subject to the generic email address of an unrelated police unit (which was accessible by third parties).

English Summary

Facts

The Spanish DPA (AEPD) received a complaint against a Directorate from the Spanish Police Force (Guardia Civil) indicating that an email containing an agreement to commence a procedure for the suspension of the data subject's firearm license was sent to a generic email address of a different unit which did not have any relation to the procedure, other than notifying the data subject, and that could be accessed by third parties.

The email was accessible by the whole police unit, while the purpose of the sending was only to notify the data subject about the commencement of the procedure.

Holding

The AEPD held that the facts constituted an infringement of Article 5(1)(f) GDPR for violating the principle of confidentiality and Article 32 GDPR for failing to implement appropriate technical and organisational measures according to the risk and sensitivity of the personal data processed, since third parties that was not in charge of the procedure and did not need to access the data had access to it.

The AEPD warned the directorate and provided them with one month to review its processes and bring them into compliance with GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/12








     Procedure No.: PS / 00384/2020



                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND


FIRST: D. A.A.A., in the name and on behalf of D. B.B.B. (hereinafter, the
claimant) on 07/30/2019 filed a claim with the Spanish Agency for

Data Protection. The claim is directed against the GENERAL DIRECTORATE OF THE
CIVIL GUARD with NIF S2816003D (hereinafter, the claimed one). The reasons on which
bases the claim are, in summary: the transfer without consent and the dissemination of
personal information of the affected party contained in the agreement to initiate suspension of
your weapons license, when this document is attached in an email

sent on 09/17/2018 from the generic account, al-cmd-almeria-ia@guardiacivil.org,
ownership of the Weapons Intervention Unit of the Civil Guard of Almería, to the
generic account al-pto-canjayar@guardiacivil.es, owned by the Unit of the
Canjayar, in order to notify the interested party.


After the resolution of inadmissibility for processing, dated 09/06/2019, the claimant
files an appeal for reversal alleging that the email was sent in the
scope of work to generic recipients with sensitive personal data. That the
Sender and recipient email accounts are not personal but accounts
of certain departments of the Civil Guard being able to be consulted by
indeterminate and numerous people who are part of them.

On 10/16/2019 an estimate resolution was issued.

SECOND: In view of the facts denounced in the claim and the
documents provided by the claimant, the Subdirectorate General for Inspection of
Data proceeded to carry out preliminary investigation actions for the

clarification of the facts in question, by virtue of the powers of investigation
granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and of
in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter LOPDGDD).

On 12/04/2019, the complained party sent this Agency the following information:

1. That what is called in the complaint a generic email account
it is not such. That the CIVIL GUARD has an isolated private communication network

from abroad and which can only be accessed from official media within which
there is a messaging system called GroupWise in which each Unit or
Workstation may be assigned an address for exclusive use by the
personnel of that Unit for internal communications and which is accessed after

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12








Identify yourself with a smart card and an individual password.

2. That this system is used on a regular basis for communications between the

different Units, as it is guaranteed that any communication or
documentation that is sent through it is isolated from the outside and
maintains its level of confidentiality.

3. Shows your disagreement in relation to the indiscriminate transfer of data
personal. It indicates that the instruction of an administrative procedure requires that

between the different bodies or departments involved in it is shared
information in order to carry out the function assigned to the Administration (the
control of the documentation that authorizes the possession of small arms to guarantee
the proper use of the same and by derivation the security of third parties) and the right
of the administered to know the facts on which such action is based and receive

complete information in this regard.

4. That the complainant himself was one of those who accessed said system of
courier service on the date of submission of the same together with the Sergeant Commander of
post and four other civil guards. That the fact of having access to the
messaging does not imply that such an act was carried out.


5. That if, after more than one year of said communication, the
The complainant does not indicate that it has had significance and with it a damage
For him, it is to be assumed that the person who agreed to it was he or those in charge of
notify you of the initiation of the procedure.


6. That regarding the Sender's Weapons Intervention, access to said system of
messaging was within the reach of the personnel assigned to that unit, a total of eleven
people, which, as in the previous case, does not mean that they agreed to
said document.


THIRD: On 11/08/2020, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged
infringement of articles 5.1.f) and 32.1 of the RGPD, sanctioned in accordance with
provided in article 58.2.b) of the RGPD.


FOURTH: Notified the start agreement, the claimed on 11/30/2020 presented a written
of allegations, noting that the allegations made on the
05/30/2020 and that the complainant's complaint refers to a mere possibility that
someone had accessed your personal data without being able to affirm it, so
the alleged infractions have not materialized.


FIFTH: On 12/14/2020 a test practice period began,
remembering the following:

- To consider reproduced for evidentiary purposes the claim filed by the

claimant and its documentation, the documents obtained and generated by the
Inspection services that are part of file E / 10062/2019.
- To consider reproduced for evidentiary purposes, the allegations to the initiation agreement
presented by the claimed

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/3








- Request the claimant a copy of the documentation in their possession related to the

sanctioning procedure that for any reason had not been provided in the
moment of the claim or, if deemed appropriate, any other manifestation in
relation to the facts denounced.


SIXTH: On 05/27/2021 a resolution proposal was formulated in the sense
following:

1. That the Director of the Spanish Agency for Data Protection is addressed

warning against the defendant, for the violation of articles 5.1.f) and 32 of the
RGPD, typified, respectively, in articles 83.5.a) and 83.4.a) of the same
Regulation.

2. That the defendant be required to, within the period to be determined, adopt the

necessary measures to adapt the treatment operations carried out to the
regulations for the protection of personal data, with the scope expressed in the
Fundamentals of Rights of the proposed resolution.


SEVENTH: Notified the claimed entity of the aforementioned resolution proposal, with
On 06/07/2021, this Agency received a written statement of allegations in which
states again that it has not been proven that a third party has had
knowledge of personal data, nor the damage caused to the claimant.


On the other hand, in relation to the transfer of information from one management body to another,
Actions have been put in place to avoid future repetitions, such as the Circular
prepared by the Data Protection Delegate (DPD), indicated with the number
DPD 1-2020, of 12/01/2020, which has been disseminated to all Units and

It is available on the DPD Intranet.

Provide a copy of this Circular, which states the following:

“Regarding the first question, guarantee confidentiality, provided that it is attached to a

electronic communication documentation that includes personal data, especially when the
They contain health data (medical, psychological or health documentation of any
kind); related to criminal or administrative sanctions (sentences, notification of sanctions,
disciplinary procedures); or referring to actions derived from the foregoing (withdrawal of
weapons, summons to appear, etc.), must be sent in encrypted folders with
password that will be provided after identifying the applicant as belonging to the
Unit or recipient body as the one that must resolve the issue, not having to be facilitated
to units or intermediary bodies that do not need to know the specific content of the
documentation for processing, limiting as much as possible the number of people who

access it and should be able if necessary to respond to a
It denounces identifying those who have accessed it.

In those cases in which it is documentation that must be delivered to the
interested party, it will be ensured that said delivery is made guaranteeing the maximum possible reserve and
that this is carried out by their direct command, avoiding that it is carried out by personnel who
performs bureaucratic tasks, unless said delivery is materialized in a sealed envelope; on
In these cases, it must be stated on the receipt that the recipient receives the documentation with

such guarantees of confidentiality.

When, in the case of documents that must be signed by the interested party and returned to the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/12








sending unit or body, the provisions of the previous paragraph will be observed for the delivery and
firm; and the aforementioned measures will be adopted for their return through
electronic communications.


In those cases in which other means of communication are used, postal, etc.,
adopt analogous measures adapted to the environment always with the aim of guaranteeing the
confidentiality of personal data.

Improper practices such as printing and keeping copies of documentation should be avoided
sent or delivered, which compromise and make it difficult to maintain the confidentiality of said
information over time ”.



Of the actions carried out in this proceeding, there have been
accredited the following:


                                 PROVEN FACTS


FIRST: Dated 09/17/2018, from the email address al-cmd-
almeria-ia@guardiacivil.org, assigned to the Weapons Intervention Unit of the

Civil Guard of Almería, an email was sent to the address al-pto-
canjayar@guardiacivil.es, belonging to the Canjayar Post Unit, with the
subject “Rdo. Agreement to start suspension of weapons license type ... (type license, name,
surname and ID of the claimant) for notification to the interested party ”.


The text of the message is as follows:

"Notification is sent for delivery to the interested party, having to send a dated copy and
signed upon receipt to this I.A., for submission to the Zone Headquarters, such as

indicated in the c.e. attached".

This email attached the document to which its subject refers, which corresponds to the
agreement to initiate the procedure for suspending the weapons license initiated at the
claimant by the General Directorate of the Civil Guard. This document includes

the identifying data of the claimant, their administrative situation and destination, as well as
all the factual circumstances that determined the initiation of said
procedure (police and judicial actions taken against the claimant for
gender violence).


SECOND: The respondent has informed this Agency that it has a system of
courier that assigns each unit or post an address for exclusive use by the
staff of the unit in question. In the case of the email address
corresponding to the Unit of the Canjayar Post, it is indicated that it could be

accessed by the Sergeant Commander of the post, the claimant and four guards
more civilians.







C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/12









                              FOUNDATIONS OF LAW

                                                I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Data Protection Agency is competent to initiate and to
solve this procedure.


                                               II

Article 58 of the RGPD, Powers, states:


"two. Each supervisory authority shall have all the following corrective powers indicated at
continuation:
(…)
b) punish any person in charge or in charge of the treatment with warning when the
treatment operations have infringed the provisions of this Regulation;
(…) ”.


First, article 5 of the RGPD establishes the principles that must govern the
treatment of personal data and mentions among them that of "integrity and
confidentiality ”:


"1. The personal data will be:
(…)
f) treated in such a way as to guarantee adequate security of personal data,
including protection against unauthorized or illegal processing and against its loss,
accidental destruction or damage, through the application of technical or organizational measures
appropriate ("integrity and confidentiality").

(…) ”.

Article 5, Duty of confidentiality, of the LOPDGDD, states that:

"1. Those responsible and in charge of data processing as well as all the people who

intervene in any phase of this will be subject to the duty of confidentiality to which
refers to article 5.1.f) of Regulation (EU) 2016/679.

2. The general obligation indicated in the previous section will be complementary to the duties
of professional secrecy in accordance with its applicable regulations.

3. The obligations established in the previous sections will be maintained even when

the relationship between the obliged party and the person in charge of the treatment would have ended ”.


                                               III


The documentation in the file proves that the defendant violated the
Article 5 of the RGPD, principles relating to treatment, in relation to Article 5 of
the LOPGDD, duty of confidentiality, materialized in the dissemination of data from

personal character relating to the claimant contained in the agreement to initiate
suspension of his gun license, attached to an email that was

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/12








sent to the generic account al-pto-canjayar@guardiacivil.es, which is owned by the
Unit of the Canjayar Post (Almería), which was within reach and could be
accessed by the personnel assigned to said unit, a total of five people,

in addition to the claimant.

This duty of confidentiality, previously the duty of secrecy, is intended to
prevent leakage of data not consented to by the owners of the
themselves.


Therefore, this duty of confidentiality is an obligation that is incumbent not only on the
responsible and in charge of the treatment but to everyone who intervenes in any
treatment phase and complementary to the duty of professional secrecy.

The respondent has alleged that there is no indiscriminate transfer of data

personal and that the instruction of an administrative procedure requires that
different administrative units or departments share information. Without
However, what happens in this case does not conform to this scheme, since the
Information regarding the complainant is not forwarded to an intervening unit
formally in the procedure followed against it.


Likewise, the defendant has stated that the proceedings do not prove that a
third party has accessed confidential information related to the claimant. However,
does not take into account the factual circumstances that have given rise to the present
process. In this case, it is established that the notification of the opening agreement
of a gun license suspension procedure, followed against the

claimant, was forwarded to a generic email account, owned by the
Unit of the Canjayar Post, in order for it to be delivered to the interested party,
that is, the claimant. This shipment, in itself considered, already constitutes an infringement
to the personal data protection regulations, insofar as it enables the
access to information related to the claimant by third parties. Besides, the

formalization or completion of this procedure, with the delivery of the agreement to the
claimant, implies that a third party or several accessed the information. To this
In this regard, it is advisable to reproduce again the instructions contained in the
mentioned email about the delivery of documentation:

"Notification is sent for delivery to the interested party, having to send a dated copy and

signed upon receipt to this I.A., for submission to the Zone Headquarters, such as
indicated in the c.e. attached".

                                           IV


Article 83.5 a) of the RGPD, considers that the infringement of "the basic principles
for the treatment, including the conditions for consent under the
Articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned
Article 83 of the aforementioned RGPD, “with administrative fines of € 20,000,000 as
maximum or, in the case of a company, of an amount equivalent to 4% as

maximum total annual global business volume of the previous financial year,
opting for the highest amount ”.

On the other hand, the LOPDGDD, for prescription purposes, in its article 72 indicates:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/12









“Violations considered very serious:

"1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,

considered very serious and will prescribe after three years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the following:

a) The processing of personal data violating the principles and guarantees established in the
Article 5 of Regulation (EU) 2016/679.
(…) ”.

                                                V

Second, article 32 of the RGPD "Security of treatment", establishes that:


 "1. Taking into account the state of the art, the costs of application, and the nature, the
scope, context and purposes of the treatment, as well as risks of probability and severity
variables for the rights and freedoms of individuals, the person in charge and the person in charge
of the treatment will apply appropriate technical and organizational measures to guarantee a level
security appropriate to the risk, which, where appropriate, includes, among others:


a) pseudonymisation and encryption of personal data;
b) the ability to ensure confidentiality, integrity, availability and resilience
permanent treatment systems and services;
c) the ability to restore the availability and access to personal data in a manner
fast in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of the measures

technical and organizational to guarantee the security of the treatment.

2. When evaluating the adequacy of the security level, particular account shall be taken of the
risks posed by data processing, in particular as a consequence of the
accidental or illegal destruction, loss or alteration of transmitted personal data,
stored or otherwise processed, or unauthorized communication or access to said

data.

3. Adherence to a code of conduct approved in accordance with article 40 or to a mechanism of
certification approved pursuant to article 42 may serve as an element to demonstrate the
compliance with the requirements established in section 1 of this article.


4. The person in charge and the person in charge of the treatment will take measures to guarantee that
any person acting under the authority of the controller or processor and has access
personal data can only process said data following instructions from the person in charge,
unless it is obliged to do so by virtue of the law of the Union or of the Member States ”.


The violation of article 32 of the RGPD is classified in article 83.4.a)
of the aforementioned RGPD in the following terms:

"4. Violations of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a
company, of an amount equivalent to a maximum of 2% of the total annual business volume
overall for the previous financial year, opting for the one with the highest amount:

a) the obligations of the controller and the person in charge pursuant to articles 8, 11, 25 to 39, 42 and
43.

(…) ”.


28001 - Madrid 6 sedeagpd.gob.es 8/12








For its part, the LOPDGDD in its article 71, Infractions, states that:

“The acts and conducts referred to in sections 4, 5 and 6 of the

Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this
organic Law.

And in its article 73, for the purposes of prescription, it qualifies as “Infractions considered
serious ”:


"Based on what is established in article 83.4 of Regulation (EU) 2016/679, they are considered
serious and will prescribe after two years the infractions that suppose a substantial violation
of the articles mentioned therein and, in particular, the following:
(…)
g) The breach, as a consequence of the lack of due diligence, of the measures
technical and organizational that have been implemented as required by article 32.1
of Regulation (EU) 2016/679.
(…) ”.

                                             SAW

The GDPR defines personal data security breaches as “all
those security violations that cause destruction, loss or
accidental or illegal alteration of personal data transmitted, stored or processed

otherwise, or unauthorized communication or access to said data ”.

From the documentation in the file, it is proven that the claimed person has
Article 32.1 of the RGPD has been violated, when a security incident occurs
consisting of transferring the claimant's data by means of a corporate email

that it was accessible to all members of the target unit.

It should be noted that the RGPD in the aforementioned precept does not establish a list of the
security measures that are applicable according to the data that are the object
of treatment, but establishes that the person in charge and the person in charge of the treatment

apply technical and organizational measures that are appropriate to the risk involved
the treatment, taking into account the state of the art, the application costs, the
nature, scope, context and purposes of the treatment, the risks of probability
and seriousness for the rights and freedoms of the interested persons.


Likewise, the security measures must be adequate and proportionate to the
risk detected, noting that the determination of the technical measures and
organizational must be carried out taking into account: pseudonymisation and encryption,
ability to guarantee confidentiality, integrity, availability and resilience, the
ability to restore availability and access to data after an incident, process

verification (not audit), evaluation and assessment of the effectiveness of
measures.

In any case, when evaluating the adequacy of the security level, the
particularly take into account the risks presented by data processing, such as

consequence of accidental or illegal destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data and that could cause damages
physical, material or immaterial.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/12










In this same sense, recital 83 of the RGPD states that:

“(83) In order to maintain security and prevent the treatment from violating the provisions of the
this Regulation, the person in charge or the person in charge must assess the risks inherent
treatment and apply measures to mitigate them, such as encryption. These measures should guarantee
an adequate level of security, including confidentiality, taking into account the state of

the technique and the cost of its application with respect to the risks and the nature of the data
personnel to be protected. When assessing the risk in relation to the safety of the
data, the risks arising from the processing of the data must be taken into account
personal data, such as accidental or unlawful destruction, loss or alteration of personal data
transmitted, stored or otherwise processed, or unauthorized communication or access
to said data, susceptible in particular to causing physical, material or
immaterial ”.


In the present case, as stated in the facts and in the framework of the case file
investigation E / 10062/2019, the claim presented was transferred to the defendant
for its analysis, requesting the contribution of information related to the incident
claimed in which it shows its disagreement with the indiscriminate transfer of data,

Although it states that access to the internal messaging system was within the reach of the
personnel assigned to that unit.

The responsibility of the claimed person is determined by the security bankruptcy

revealed by the claimant. The respondent is responsible for taking
decisions aimed at effectively implementing technical measures and
appropriate organizational arrangements to ensure a level of security appropriate to the risk
to ensure the confidentiality of the data and, among them, those aimed at restoring the

availability and access to data quickly in the event of a physical incident or
technical. However, from the documentation provided prior to processing
of the procedure, it is not known whether any measure had been taken in order to
end to incidents such as the one that gave rise to the claim.


In accordance with the foregoing, it appears that the defendant is responsible for the
infringement of the RGPD for the violation of article 32, infringement typified in the
Article 83.4.a) of the same Regulation.


                                              VII

However, also the LOPDGDD in its article 77, “Regime applicable to
certain categories of controllers or those in charge of the treatment ”, establishes the

following:

"1. The regime established in this article will be applicable to the treatments of which
are responsible or in charge:

a) The constitutional bodies or those with constitutional relevance and the institutions of the
autonomous communities analogous to them.

b) The jurisdictional bodies.
c) The General State Administration, the Administrations of the autonomous communities
and the entities that make up the Local Administration.
d) Public bodies and public law entities linked or dependent on the
Public administrations.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/12









e) The independent administrative authorities.
f) The Bank of Spain.
g) Public law corporations when the purposes of the treatment are related
with the exercise of powers of public law.
h) Public sector foundations.

i) Public Universities.
j) Consortia.
k) The parliamentary groups of the Cortes Generales and the Legislative Assemblies
autonomic, as well as the political groups of the Local Corporations.

2. When the managers or managers listed in section 1 commit any of the

offenses referred to in articles 72 to 74 of this organic law, the authority of
data protection that is competent shall issue a resolution sanctioning them with
warning. The resolution will also establish the measures to be adopted so that
the conduct ceases or the effects of the offense that had been committed are corrected.

The resolution will be notified to the person in charge or in charge of the treatment, the body of which

hierarchically depends, where appropriate, and those affected who had the status of
interested, if applicable.

3. Without prejudice to the provisions of the previous section, the data protection authority
will also propose the initiation of disciplinary actions when there are indications
enough for it. In this case, the procedure and the sanctions to be applied will be the

established in the legislation on disciplinary or sanctioning regime that results from
app.

Likewise, when the infractions are attributable to authorities and managers, and the
existence of technical reports or recommendations for treatment that had not been
duly attended to, the resolution imposing the sanction will include a
reprimand with the name of the responsible position and the publication will be ordered in the

Official Gazette of the State or autonomous region that corresponds.

4. The data protection authority must be notified of the resolutions that fall
in relation to the measures and actions referred to in the previous sections.

5. They will be communicated to the Ombudsman or, where appropriate, to the analogous institutions of the

autonomous communities the actions carried out and the resolutions issued under the
this article.

6. When the competent authority is the Spanish Agency for Data Protection, this
will publish on its website with due separation the resolutions referring to the entities
of section 1 of this article, expressly indicating the identity of the person responsible or

person in charge of the treatment that had committed the infringement.

When the competence corresponds to an autonomous data protection authority,
it will be, in terms of the publicity of these resolutions, to what its regulations provide
specific ”.


It should be noted that the LOPDGDD contemplates in its article 77 the possibility of
warn the person responsible for the infringement and require him to adapt the treatments
of personal data that do not conform to their forecasts, when those responsible or

those in charge of the treatment listed in section 1 commit any of the
offenses referred to in articles 72 to 74 of this Organic Law.


For this reason, a resolution proposal was prepared to agree to require the
28001 - Madrid 6 sedeagpd.gob.es 11/12








responsible entity the adoption of the necessary measures to carry out that
adaptation to the personal data protection regulations, preventing the
administrative actions carried out can be accessed by people who do not

they intervene directly in its formalization. Specifically, in the case of
administrative notifications, it was advised that such notifications be delivered
directly to the interested party, without the intermediation of other units outside the
are entrusted with the action in question; or, to try that
notification with the collaboration of some other unit, always avoiding that it
can access the content of the act that is notified.


Knowing this response by the claimed, on the occasion of the hearing process
granted, provided a copy of a "Circular" issued by the DPD, regarding the sending of
documentation through electronic communications. After analyzing this Circular,
find some improvements in their forecasts, such as the encryption of folders to which

It will be accessed using the password provided to the interested party. However, there are
other instructions that do not meet the requirements mentioned above, such as
are the delivery of documentation through the "direct command" of the interested party or the
Sending documents "open" to be signed by the interested party and
returned to the sending unit. The same Circular warns about “practices
inadequate such as printing or keeping a copy ”of the documentation submitted, which

is equivalent to recognizing that the possibility that a third party can access the
documentation is maintained.

Therefore, it is considered appropriate to require the defendant so that the notifications
that must practice guarantee the confidentiality of the personal data that

they contain.

In this regard, it is noted that not meeting the requirements of this body
can be considered as a serious administrative offense by “not cooperating with
the Control Authority ”before the requirements made, being able to be valued as

conduct at the time of the opening of an administrative sanctioning procedure.


Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DIRECT AN APPOINTMENT to the entity DIRECTORATE GENERAL OF
LA GUARDIA CIVIL, with NIF S2816003D, for a violation of articles 5.1.f) and
32 of the RGPD, typified in articles 83.5.a) and 83.4.a) of the RGPD, respectively.


SECOND: REQUEST the entity DIRECTORATE GENERAL OF THE CIVIL GUARD,
so that, within a period of one month, counted from the notification of this
resolution, adapt to the personal data protection regulations the operations
processing of personal data carried out, with the scope expressed in the
Basis of Law VII. Within the indicated period, the GENERAL DIRECTORATE OF THE

GUARDIA CIVIL must justify before this Spanish Agency for Data Protection
attention to this requirement.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/12








THIRD: NOTIFY this resolution to the GENERAL DIRECTORATE OF THE
CIVIL GUARD.


FOURTH: COMMUNICATE this resolution to the Ombudsman, of
in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-

web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency is not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the

notification of this resolution would terminate the precautionary suspension.

                                                                                  938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection

















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es