AEPD (Spain) - PS/00427/2020: Difference between revisions

From GDPRhub
No edit summary
 
Line 55: Line 55:


=== Facts ===
=== Facts ===
This decision is a consequence of a complaint submitted by a citizen stating that they requested via email the defendant’s Data Protection Officer access to the record of processing activities, but the controller never replied to the request. Four months after the request the claimant brought the dispute to the Spanish Data Protection Authority (AEPD).
This decision is a consequence of a complaint submitted by a citizen stating that they requested via email the defendant’s Data Protection Officer access to the record of processing activities, but the controller never replied to the request. Four months after the request the claimant brought the dispute to the Spanish Data Protection Authority (AEPD). The AEPD found that the Council did not have a record of processing activities, what was confirmed by the controller.
 
The AEPD found that the Council did not have a record of processing activities, what was confirmed by the controller.  


=== Dispute ===
=== Dispute ===

Latest revision as of 12:40, 7 July 2021

AEPD (Spain) - PS/00427/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 30 GDPR
Article 31 Spanish Data Protection Act
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.06.2021
Published: 01.07.2021
Fine: None
Parties: AYUNTAMIENTO DE GIJÓN
National Case Number/Name: PS/00427/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA warned a Spanish city council for infringing Article 30 GDPR by not maintaining a record of its processing activities, and Article 31 of the Spanish Data Protection Act by not making a record of its processing activities available by electronic means.

English Summary

Facts

This decision is a consequence of a complaint submitted by a citizen stating that they requested via email the defendant’s Data Protection Officer access to the record of processing activities, but the controller never replied to the request. Four months after the request the claimant brought the dispute to the Spanish Data Protection Authority (AEPD). The AEPD found that the Council did not have a record of processing activities, what was confirmed by the controller.

Dispute

The controller answered to the AEPD's investigation requests confirming that it had not implemented a record of processing activities, due to political issues and the pandemic situation.

With regards to the lack of answer to the data subject, the controller stated that the request was not addressed by the means required by the Spanish Administrative Law.

The AEPD launched a sanctioning procedure, remaking that the GDPR entered into force in 2016 and is fully applicable since 2018, so the controller had had enough time to adapt to it.

Holding

In the allegations process, the controller argued that it had started implementing the record of processing activities during the duration of this procedure and was compliant with Article 30 GDPR and Article 31 of the Spanish Data Protection Act.

The DPA concluded that there had been no record of processing activities, and that consequently the controller had infringed Article 30 GDPR and Article 31 of the Spanish Data Protection Act. Since the City Council is a public body, the AEPD imposed a warning on the controller, and compelled it to comply with the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/11








     Procedure No.: PS / 00427/2020



                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND


FIRST: D. A.A.A. (hereinafter, the claimant) on 06/17/2020 filed
claim before the Spanish Agency for Data Protection. The claim is

directed against CITY COUNCIL OF GIJÓN, with NIF P3302400A (hereinafter, the
reclaimed). The reasons on which the claim is based are, in summary: that the
02/14/2020 sent an email to the DPD of the claimed person to check where the
can access the record of treatment activities and if the activities of
treatment of the Municipal Sports Board of the aforementioned City Council (which does not have

declared DPD) depend on the DPD itself (that of the City Council), and where it can
access them. There is no response from the DPD.

SECOND: On 08/14/2020, the claim was transferred to the defendant, from
in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5

December, Protection of Personal Data and guarantee of digital rights (in
hereinafter, LOPDGDD), in order to proceed with its analysis, notify the
complainant of the adopted decision and will provide this Agency with information in this regard.

On 09/22/2020, the respondent sent a response in which he sets out the functions of the DPO,
response times for the actions that concern you, how to contact. I know

It follows from this answer that the City Council has not established the registry of
treatment activities.

On the other hand, it points out that the query directed by the complainant to the DPD was not
produced by the means established by the local entity (municipal website or

citizen attention, as explained in the link “contact with the Delegate of
Data Protection ”), so it cannot be understood that there was a lack of response. Y
nor was there a breach of the deadline, foreseen solely for the purposes of
answer claims ex art.37 LOPDGDD; when the affected person goes to the DPD
in claim, the response period will be two months or one month, depending on

present directly or received through the AEPD; and for what they are not
claims (inquiries, resolution of doubts, etc.), it is a procedure without
term set by what will govern article 21.3 Law 39/2015.

It adds that it is the data controller who must provide the interested party with the
access to the register of treatment activities and that said register is in

validation and publication process; that to date the works related to
the record of treatment activities have not yet reached the publication phase,
due to the delays derived from the beginning of a new mandate of the corporation and
its consequent readjustments of competences, together with the difficulties of the current

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/11








socio-sanitary crisis.

THIRD: On 11/16/2020, in accordance with article 65 of the LOPDGDD, the

Director of the Spanish Agency for Data Protection agreed to admit for processing the
claim.

FOURTH: On 01/25/2021 the Director of the Spanish Data Protection Agency
agreed to initiate a sanctioning procedure for the claimed person for the alleged infraction of the
Article 30 of the RGPD, typified in article 83.4.a) of the aforementioned RGPD.


FIFTH: The commencement agreement was notified, dated 02/10/2021, the defendant presented
brief of allegations stating, in summary, the following:

. The GIJÓN CITY COUNCIL indicates that on 03/15/2019 the Roadmap was approved

for the adaptation to the new LOPDGDD, among whose measures was the
preparation of the RAT, and attach an email about the preparatory work carried out
finished. On this matter, it expressly states that “work has begun
even when you are not in a position to do so (the record of
treatment) accessible to the public through its publication ”;


. That the configuration of the municipal government team in mid-2019 entailed
a series of changes in the municipal internal organization. Thus, by agreement of
the Local Government Board of 07/28/2020, the list of jobs was approved,
eliminating the Planning and Modernization Service and creating the Service of
Strategy and Coordination of Resources, to whom is attributed the assistance, support

technical and material to the Data Protection Delegate;

. That the defendant has had limited staff growth in recent years and
difficulties in the optimal performance of services, to which the current
socio-sanitary crisis derived from COVI-19, which has caused delays in some

processes based on the most urgent and urgent needs;

. That, however, has decided to promote and implement the policies of
security and data protection by tendering a contract, currently in process, to
perimeter security management solutions, event correlation
security, training in security measures, adaptation to the National Scheme of

Security (ENS) and the General Data Protection Regulation (RGPD);

. That the immaturity of the RAT, which prevents its publication, contrasts with the commitment
of the claimed with the protection of the rights of minors, having adopted
measures aimed at proactively ensuring the protection of minors in

your relationship with the entity.

SIXTH: On 03/02/2021 a test practice period began,
remembering the following


- To consider reproduced for evidentiary purposes the claim filed by the
claimant and its documentation, the documents obtained and generated by the
Inspection services that are part of file E / 06737/2020.
- To consider reproduced for evidentiary purposes, the allegations to the initiation agreement

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/3








presented by the claimed and the accompanying documentation.

SEVENTH: On 06/03/2021 a resolution proposal was formulated in the sense of

that the Director of the Spanish Data Protection Agency addresses a
warning to the GIJÓN CITY COUNCIL, for an infringement of the
Articles 30 of the RGPD and 31 of the LOPDGDD, typified in Article 83.4.a) of the
GDPR.

Likewise, it was proposed that by the Director of the Spanish Agency for the Protection of

Data is required from the GIJÓN CITY COUNCIL so that, within the period established
determine, adopt the necessary measures to adapt its performance to the regulations
protection of personal data, with the scope expressed in the Fundamentals of
Rights of the aforementioned resolution proposal.


EIGHTH: GIJÓN CITY COUNCIL has been notified of the proposed
resolution, dated 06/17/2021, this Agency received a written statement of allegations in
the one that requests that the obligations regarding the registration of
treatment activities and the file of the actions is agreed based on the
following considerations:


. He questions what was expressed in the Second Proven Fact, since he understands that it does not include
the circumstances expressed in the allegations made to the agreement to initiate the
process. It considers that the process of adaptation to the
GDPR.


. In accordance with Recital 82 of the RGPD, the registration of activities of
Treatment is an instrument to prove that the action of the controller complies with the
normative, so that the mere absence of publicity of this inventory of
activities does not imply a breach. The opposite would suppose a luck of
strict liability.


. In the same way, the criteria for the imposition of a fine established in the
Article 83 of the RGPD are also revealing of the non-existence of conduct
punishable, including the means and measures implemented, as well as the practices of
treatment of the Municipal Sports Council that were provided as exemplary,
in accordance with the RGPD and with the principle of proactive responsibility.


. In any case, on 06/04/2021, by Resolution of the Mayor's Office, the
"Instruction 2/2021, on the Register of personal data processing activities",
according to which the Inventory of treatment activities will be proposed by the
General Directorate of Services for its final approval by Resolution of

Mayor's Office and Publication. The Inventory will be accessible by electronic means in various
official media and channels (Official Gazette of the Principality of Asturias, municipal website of
transparency and in the municipal Intranet); and will be kept up to date.

And on 06/16/2021 said “Inventory of the registry of

personal data processing activities ”by Resolution of the Mayor's Office, and
published in writing and in electronic format, as can be verified through the
web “gijon.es” (url “https://www.gijon.es/es/publicaciones/inventario-del-registro-de-
personal-data-processing-activities ”).

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/11









As indicated by the claimed, this Inventory, which is subject to a process of
adaptation and continuous improvement, groups the treatments by common and own subjects

of areas, services or administrative units, amounting to a total of
forty-five categories, which also include those that keep
relationship with the claim and initiation of the present sanctioning procedure, regarding
to the Municipal Sports Board.

The brief of allegations includes a link to the aforementioned "Inventory", in its initial edition,

which is accessible through the url mentioned above. It is found that for
Each treatment activity details its purpose, legal basis, category of data
personal, category of interested parties, recipients of communications,
international transfers, retention periods and technical measures and
organizational. The identity of the person responsible for the treatment is also detailed.

(GIJÓN CITY COUNCIL) and the contact details of the Protection Delegate
of data.


Of the actions carried out in this proceeding, there have been
accredited the following:


                                PROVEN FACTS


FIRST: On 06/17/2020 you have entry into the Spanish Agency for the Protection of

Written data of the claimant stating that on 02-14-2020 he sent mail
email to the DPD of the claimed party to see where the Registry can be accessed
of the entity's Treatment Activities.

SECOND: To date, the Gijón City Council does not have the Registry of

Treatment Activities. The claimed entity itself, in the writings that it has
addressed to the Spanish Agency for Data Protection on the occasion of the claim
outlined in the First Proven Fact, has recognized that the Activity Register
Treatment is in the process of validation and that the related works
with said Registry they have not reached the publication phase.



                           FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Data Protection Agency is competent to initiate and to
solve this procedure.


                                           II

The claimed facts materialize in the absence of the Registry of Activities of
Treatment by the claimed party.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/11










Article 30, "Registration of treatment activities", of the RGPD establishes that:


"1. Each person in charge and, where appropriate, their representative will keep a record of the activities of
treatment carried out under your responsibility. Said record must contain all the
information listed below:

a) the name and contact details of the controller and, where appropriate, the joint controller, the
representative of the person in charge, and of the data protection delegate;

b) the purposes of the treatment;
c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the data was communicated or will be communicated
personal, including recipients in third countries or international organizations;
e) where appropriate, transfers of personal data to a third country or an organization
international organization, including the identification of said third country or international organization and, in the

In the case of transfers indicated in article 49, paragraph 1, second subparagraph, the
documentation of adequate guarantees;
f) When possible, the terms provided for the elimination of the different categories of
data;
g) where possible, a general description of the technical and organizational measures of
security referred to in article 32, paragraph 1.


2. Each manager and, where appropriate, the manager's representative, will keep a record of all
the categories of processing activities carried out on behalf of a controller who
contain:

a) the name and contact details of the person in charge or managers and of each person responsible for

account of which the person in charge acts, and, where appropriate, of the representative of the person in charge or of the
manager, and the data protection officer;
b) the categories of processing carried out on behalf of each controller;
c) where appropriate, transfers of personal data to a third country or organization
international organization, including the identification of said third country or international organization and, in the
In the case of transfers indicated in article 49, paragraph 1, second subparagraph, the
documentation of adequate guarantees;

d) where possible, a general description of the technical and organizational measures of
security referred to in article 30, paragraph 1.

3. The records referred to in sections 1 and 2 shall be in writing, including in the format
electronic.


4. The person in charge or the person in charge of the treatment and, where appropriate, the representative of the
The person in charge or the person in charge shall make the record available to the supervisory authority that
I requested.

5. The obligations indicated in sections 1 and 2 shall not apply to any company or
organization employing fewer than 250 people, unless the processing it performs

may involve a risk to the rights and freedoms of the interested parties, not occasional, or
include special categories of personal data indicated in article 9, paragraph 1, or
personal data related to convictions and criminal offenses referred to in article 10 ”.


On the other hand, article 31 of the LOPDGDD establishes the following:

"1. Those responsible and in charge of the treatment or, where appropriate, their representatives must
maintain the record of treatment activities referred to in article 30 of the
Regulation (EU) 2016/679, unless the exception provided for in its section applies

28001 - Madrid 6 sedeagpd.gob.es 6/11








5.

The registry, which may be organized around structured data sets, must
specify, according to their purposes, the processing activities carried out and the other

circumstances established in the aforementioned regulation.

When the person in charge or the person in charge of the treatment has designated a delegate of
data protection must notify you of any addition, modification or exclusion in the
registry content.

2. The subjects listed in article 77.1 of this organic law will make public an inventory
of its treatment activities accessible by electronic means, which will include the
information established in article 30 of Regulation (EU) 2016/679 and its legal basis ”.



                                            III

The aforementioned standards establish the obligation of those responsible and in charge of the

processing of personal data to keep a record of the activities of the
treatment. In addition, in the case of the subjects listed in article 77.1 of the
LOPDGDD, which includes the entities that make up the Administration
Local, like the one claimed, is also obliged to make said record public and accessible
by electronic means.


In this case, the documentation in the file certifies that the claimed
violated article 30 of the RGPD, "Registration of treatment activities", by not
have prepared and published this registry until June 2021. As recorded in the
brief of allegations to the proposal and in the attached documentation, the

"Inventory of the registry of personal data processing activities" of the
GIJÓN CITY COUNCIL was approved by Resolution of the Mayor's Office and
06/16/2021.


The defendant himself, prior to the aforementioned hearing procedure, had recognized
that it is the responsibility of the data controller to provide the interested party with access to the RAT;
and that, where appropriate, said record was in the process of validation, without
date on which he formulates his allegations at the opening of the procedure, the works
related to said registry have reached the publication phase. And raised

these initial allegations at the opening in accordance with this fact, noting that
This was due to delays derived from the beginning of a new mandate of the
municipal corporation in mid-2019, of its consequent readjustments
competences and the difficulties caused by the current socio-sanitary crisis.


According to the claimed entity, the configuration of the Municipal Government team to
mid-2019, motivated by local elections, led to a series of changes
in the municipal internal organization. Through the Governing Board Agreement
Local, of 07/28/2020, the current job list was approved,

eliminating the Planning and Modernization Service and creating the Service of
Strategy and Coordination of Resources, who is attributed, among others, the
assistance, technical and material support to the Data Protection Delegate for the
performance of their duties.


On the other hand, the defendant pointed out that he has seen how in recent years by
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/11








certain circumstances have imposed a series of limitations and difficulties
in the optimal performance of services, which has been joined by the current crisis
health care derived from COVI-19, which has caused delays in some processes

ongoing, based on more urgent and urgent needs.

The complainant explained that on 03/15/2019 he approved the "Roadmap" for adaptation to
the new LOPDGDD, among whose measures was the preparation of the registry of
treatment activities, and expressly stated that he was not in
conditions to make it accessible to citizens through publication.


He also reported that security and data protection policies were being
promoted through the tendering of a contract to try to provide solutions for
management derived from perimeter security, correlation of security events,
training in security measures, adaptation to the National Security Scheme

(ENS) and the RGPD, currently in process. Finally, I point out that "immaturity"
current record of treatment activities prevented its publication.

Ultimately, the defendant, in his responses to this body, attached evidence that
would show the existence of the preparatory work for the elaboration of the indicated
registration, although such work had not been completed at the time the

present procedure, so that said Registry had not been prepared at that time.
date, nor at the moment in which the allegations are presented at the opening.
It was expressly admitted that it was not in a position to make the
registration of treatment activities for citizens through publication.


These circumstances are referred to in the Second Proven Fact, which is
of the information provided by the claimed entity itself. They do not understand each other, in
Consequently, the allegations in the motion for a resolution question the
expressed in this proven fact.


Regarding the circumstances alleged to justify this delay in adapting to the
RGPD, the proposed resolution warned the defendant that said Regulation is
It has been in force since 05/24/2016 and fully applicable since 05/25/2018.
Therefore, the obligation to prepare the record of treatment activities is very
prior to the constitution of the new municipal corporation and the outbreak of the
pandemic. If the aforementioned City Council claimed, to overcome the alleged limitations,

recently started the procedures for the bidding of a contract that aims to
development of the necessary tasks to fulfill that adaptation to the RGPD, either
he could have formalized such a contract years before.

On the other hand, in its brief of allegations to the proposed resolution, the entity

complained considers that the lack of publicity of the record of activities of
treatment does not imply a breach, taking into account that this record is
configured in Recital 82 of the RGPD only as an instrument "(82)
To demonstrate compliance with these Regulations, the controller or the
processor must keep records of processing activities

under its responsibility".

This instrumental nature of the record of treatment activities is true, but
so is the obligation to maintain it. Failure to comply with this obligation is

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/11









constituting an infringement, as set out in the following Legal Basis.

Therefore, in the present case, the breach of the provisions is proven.
in articles 30 of the RGPD and 31 of the LOPDGDD.

                                             IV

Article 83.4 a) of the RGPD, considers that the infringement of “the obligations of the
responsible and the person in charge in accordance with articles 8, 11, 25 to 39, 42 and 43 ”is

punishable in accordance with section 4 of the aforementioned article 83 of the aforementioned
RGPD, “with administrative fines of a maximum of € 10,000,000 or, in the case of
a company, of an amount equivalent to a maximum of 2% of the turnover
global annual total for the previous financial year, opting for the highest amount ”.


In this regard, the LOPDGDD, in its article 71 establishes that “They constitute
offenses the acts and conducts referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the

present organic law ”.

For the purposes of the statute of limitations, article 73 of the LOPDGDD indicates:

"Based on what is established in article 83.4 of Regulation (EU) 2016/679, they are considered
serious and will prescribe after two years the infractions that suppose a substantial violation

of the articles mentioned therein and, in particular, the following:
(…)
n) Not having the record of treatment activities established in article 30 of the
Regulation (EU) 2016/679.
(…) ”.
                                              V


The LOPDGDD in its article 77, “Regime applicable to certain categories of
responsible or in charge of the treatment ”, establishes the following:


"1. The regime established in this article will be applicable to the treatments of which
are responsible or in charge:
a) The constitutional bodies or those with constitutional relevance and the institutions of the
autonomous communities analogous to them.
b) The jurisdictional bodies.
c) The General State Administration, the Administrations of the autonomous communities
and the entities that make up the Local Administration.
d) Public bodies and public law entities linked or dependent on the

Public administrations.
e) The independent administrative authorities.
f) The Bank of Spain.
g) Public law corporations when the purposes of the treatment are related
with the exercise of powers of public law.
h) Public sector foundations.
i) Public Universities.

j) Consortia.
k) The parliamentary groups of the Cortes Generales and the Legislative Assemblies
autonomic, as well as the political groups of the Local Corporations.

2. When the managers or managers listed in section 1 commit any of the
offenses referred to in articles 72 to 74 of this organic law, the authority of

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/11









data protection that is competent shall issue a resolution sanctioning them with
warning. The resolution will also establish the measures to be adopted so that
the conduct ceases or the effects of the offense that had been committed are corrected.

The resolution will be notified to the person in charge or in charge of the treatment, the body of which
hierarchically depends, where appropriate, and those affected who had the status of

interested, if applicable.

3. Without prejudice to the provisions of the previous section, the data protection authority
will also propose the initiation of disciplinary actions when there are indications
enough for it. In this case, the procedure and the sanctions to be applied will be the
established in the legislation on disciplinary or sanctioning regime that results from
app.


Likewise, when the infractions are attributable to authorities and managers, and the
existence of technical reports or recommendations for treatment that had not been
duly attended to, the resolution imposing the sanction will include a
reprimand with the name of the responsible position and the publication will be ordered in the
Official Gazette of the State or autonomous region that corresponds.


4. The data protection authority must be notified of the resolutions that fall
in relation to the measures and actions referred to in the previous sections.

5. They will be communicated to the Ombudsman or, where appropriate, to the analogous institutions of the
autonomous communities the actions carried out and the resolutions issued under the
this article.


6. When the competent authority is the Spanish Agency for Data Protection, this
will publish on its website with due separation the resolutions referring to the entities
of section 1 of this article, expressly indicating the identity of the person responsible or
person in charge of the treatment that had committed the infringement.

When the competence corresponds to an autonomous data protection authority,

It will be, as far as the publicity of these resolutions is concerned, to what its regulations provide
specific ”.

In the case at hand, it is found that the defendant, as he has

confirmed in its response to the informative request of this AEPD, it has breached
the obligation to have the RAT established, as well as to make it public by means of
electronic


Said conduct constitutes, on the part of the defendant, an infringement of the
provided in articles 30 of the RGPD and 31 of the LOPDGDD.

It should be noted that the RGPD, without prejudice to the provisions of its article 83,

contemplates in its article 77 the possibility of directing a warning to correct the
breaches of the provisions set forth in said Regulation and in the aforementioned
Organic Law by those responsible or in charge listed in section 1.


This being the case, the established circumstances cannot be applied in the present case.
to graduate the administrative fines, to which the CITY COUNCIL OF
GIJÓN in its brief of allegations to the resolution proposal.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/11








On the other hand, it is contemplated that the resolution issued may establish the
measures to be taken to stop the behavior, correcting the effects of the
infraction that had been committed and the necessary adaptation is carried out, in this

case, to the requirements contemplated in article 30 of the RGPD, as well as the
Provision of means of accreditation of compliance with what is required.

Thus, in accordance with the provisions of the aforementioned article 77 of the LOPD, by the instructor of the
procedure, a resolution proposal was formulated so that the Director of the
AEPD agrees to require the responsible entity to adapt its action to the

personal data protection regulations, proceeding to prepare the registry of
treatment activities and providing what is necessary to make it accessible by
electronic media.

However, on the occasion of the hearing procedure on the proposed resolution, the

claimed has proven to have fulfilled these obligations. It is proven that,
By Resolution of the Mayor's Office dated 06/16/2021, the said
"Inventory of the registry of personal data processing activities" and published
Through the web “gijon.es” (url “https://www.gijon.es/es/publicaciones/inventario-del-
registry-of-activities-of-treatment-of-personal-data ”).


The brief of allegations included a link to the aforementioned "Inventory", in its initial edition.
It is verified that the treatments are grouped by common subjects and specific to
administrative areas, services or units; and that for each treatment activity
Its purpose, legal basis, category of personal data, category of
interested parties, recipients of communications, international transfers,

retention periods and technical and organizational measures. It also details the
identity of the person responsible for the treatment (GIJÓN CITY COUNCIL) and the data of
contact of the Data Protection Delegate.

This "Inventory", due to its content and structure, conforms to the regulated provisions

of articles 30 of the RGPD and 31 of the LOPD. Therefore, as of the current date, it is understood
the obligation to keep a record of processing activities has been fulfilled
carried out under the responsibility of the GIJÓN CITY COUNCIL, not resulting
from the imposition of additional measures.

This declaration does not imply any pronouncement on the regularity or legality of

the treatment activities described in the registry provided by the claimed, nor
on its purpose or legal basis, as they are aspects that exceed the object of the
present proceeding.



Therefore, in accordance with the applicable legislation,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DIRECT AN APPOINTMENT to the entity GIJÓN CITY COUNCIL,
with NIF P3302400A, for a violation of articles 30 of the RGPD and 31 of the

LOPDGDD, typified in Article 83.4.a) of the RGPD.

SECOND: NOTIFY this resolution to the entity CITY COUNCIL OF
GIJÓN.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/11









THIRD: COMMUNICATE this resolution to the Ombudsman, of

in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to

counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-

web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency is not aware of the filing of the appeal

contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.

                                                                                   938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection




















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es