AEPD (Spain) - PS/00480/2020

From GDPRhub
AEPD (Spain) - PS/00480/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 13 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 16.11.2021
Fine: None
Parties: sacramental y penitencial cofradía de nuestro padre jesús sacramentado y maría santísima de la piedad, amparo de los leoneses
National Case Number/Name: PS/00480/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) issued a reprimand to a Spanish religious brotherhood (sacramental y penitencial cofradía de nuestro padre jesús sacramentado y maría santísima de la piedad, amparo de los leoneses) for unlawfully processing personal data of its members.

English Summary

Facts

The claimant, a member of the brotherhood, asserted that their consent had never been obtained for the processing of their data, nor had they been informed of the rights to which they were entitled.

The claimant also pointed out that their e-mail address has been exposed in the communications made by the brotherhood to its members, by sending the e-mails without a blind copy.

Holding

The Spanish DPA found out a violation of Articles 13, 32, and 5(1)(f) GDPR.

Article 13 sets out the Information to be provided where personal data are collected from the data subject. From the evidence provided by the brotherhood, it has been established that, at the time of the claimant's registration, there was not adequate information on the reasons of collection and use of e-mail address data and the purpose of the processing.

Article 32 defines rules for ensuring the security of processing. This article has been violated in so far as a security incident occurred in their system allowing access to personal data, e-mail addresses, when forwarded without using the "blind copy" option, allowing other recipients to access personal data, e-mail addresses of the other recipients of the communication in breach of the established technical and security measures. This incident equally violated the general principle of “integrity and confidentiality” as set out in Article (5)(1)(f).

For these reasons, the AEPD issued a reprimand to the religious brotherhood and ordered to correct the information provided vie email to new members.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                          1/14









 Procedure No.: PS / 00480/2020


                 RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the
following

                                   BACKGROUND



FIRST: D. A.A.A. (hereinafter, the claimant) dated 08/14/2020, filed
claim before the Spanish Agency for Data Protection that is directed against
SACRAMENTAL AND PENITENTIAL BROTHERHOOD OF OUR FATHER JESUS

SACRAMENT AND MOST BLESSED MARY OF PIEDAD, AMPARO DE LOS LEONESES,
with CIF G24294787 (hereinafter, the claimed one). The reasons on which you base the claim
are that he is a member of the claimed Brotherhood and "his consent has never been obtained
for the processing of your data ”,“ nor has you been informed of your rights ”.
It also indicates that the data of your e-mail is exposed in the communications made
by the claimed to its members, by forwarding the emails without hidden copying.


Provides a copy of two emails in which you can see the emails of the recipients,
03/18, and 09/29/2019. In most of the emails its denomination is the name and
surnames, including that of the claimant.


 In September, which has an attached pdf file called "statement" it is reported
Among other aspects, of the matters agreed in the Governing Board held on
09/28/2019 and the changes of the Governing Board.

An informative literal about personal data appears in both emails, indicating:


"Personal data including your e-mail are treated in accordance with the provisions of the
GDPR "

"The purpose of this treatment will be the management of normal business activity through
communication systems with all stakeholders. "


"We inform you that the data has been obtained by consent of the interested party by
derivation of a contractual obligation, by a legitimate assignment or from a source of
public access "


The possibility of exercising the rights is offered.

SECOND: In view of the facts denounced and the documents provided by the
claimant of which this Agency, the Subdirectorate General of Ins-
Data inspection proceeded to carry out actions to clarify the facts.

chos in question.

On 09/28/2020, the claim submitted for analysis and
communication and communicate the decision taken in this regard. Likewise, he was required

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/14








so that within a month it sent certain information to the Agency:

        - Copy of the communications, of the adopted decision that has been sent to the complainant

        maintain regarding the transfer of this claim, and accreditation that the claim-
        Mante has received the communication of that decision.

        - Report on the causes that have motivated the incident that has originated the claim.
        mation.


        - Report on the measures adopted to prevent incidents from occurring if-
        thousands.

        - Any other that you consider relevant.


The defendant did not respond to the request made.

THIRD: On 12/15/2020, in accordance with article 65 of Organic Law 3/2018, of
5/12, Protection of Personal Data and guarantee of digital rights (hereinafter
LOPDGDD), the Director of the Spanish Data Protection Agency agreed to admit
processing the claim presented by the claimant against the claimed.


FOURTH: On 01/25/2021, the Director of the Spanish Agency for the Protection of Da-
They agreed to initiate a sanctioning procedure to warn the complained party, due to the
histas infractions of articles 5.1.f), 13 and 32.1 of the RGPD, sanctioned in accordance with
provided in articles 83.5.a), 83.5.b) and 83.4.a) of the aforementioned RGPD.


FIFTH: The commencement agreement was notified, the one claimed on 03/01/2021, presented a brief of
allegations, stating:

-In fact, the mistake was made of sending an email to members of the Brotherhood in which

all recipients could see other people's email. The day
09/30/2019, the incident was communicated to all interested parties. Provide a copy of the document
THREE with the wording of 09/30/2019 of communication of the error to the members.

-It indicates that with the tool “*** TOOL.1” after 09/29/2019 they have been-
Guido sent emails to the claimant without incident. Provide a copy of FOUR document,

including your e-mail, "contact added on 01/12/2020" "last activity 02/14/2020", "twelve and
mails delivered, eleven opened ”. Add the list of emails sent, dates, which go
from 03/13/2020 to 09/07/2020, and if they have been opened, delivered, or “clicked”.

-The members of the Brotherhood were informed that “to prepare the identification card of the

Cofradía it is necessary to update the data and the data protection policy through a
data update form-link to GOOGLE FORMS- “no copy of the form is provided-
mulary.

"In the aforementioned email it can be seen that any recipient can cancel at any-

I would like to subscribe to this list of communications from the Brotherhood ”. "All the co-
The communications include in their final part an extract of the treatment given to the data of the
recipient of the communication, the rights they have and the way to exercise them, as required
ge the GDPR ”.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/14









Provide document FIVE entitled "information of interest and form", dated 10/13/2020, in the
that informs that an "identification card" is going to be elaborated, being obligatory "to fill in the

following informative literal also accepting the update of the protection policy
tion of data. *** URL.1 ”. The informative literal is the same as the March 2019 emails and
09/29/2019 reflected in the first event. The option “CLICK HERE TO CAN-
CELEASE THE SUBSCRIPTION "" If you proceed to cancel the subscription, you will no longer receive
notifications in relation to the Brotherhood, this being the only official means of information
cial ”.


-Provide a copy of other informative emails, reiterating the completion of the form, and
containing the same informative literal with the same option to "cancel the subscription".

 -Adds that the claimant's personal data was collected in the registration request, not

having since received communication from him that he would like to exercise
none of the rights recognized in the previous legislation and in the current one.

Provide a copy of the claimant's “Application for entry into the Brotherhood” with their data, including
going to e-mail address, registration date 07/05/2011.


The informative data collection literal indicates:

-The purpose of the data processing is the "maintenance of the relationship as a person
belonging to the Brotherhood, with the specific purposes established in the Statutes ”.


-In addition, "these data may be used to send you information of your interest as well
as on activities of the Brotherhood ”.

-The explanation of the exercise of rights and the option of "if you have any questions
you can send an email to ... "



SIXTH: On 03/12/2021, a test practice period began, agreeing to
the following

Consider reproduced for evidentiary purposes:


- The claim filed by the claimant and its documentation, the documents obtained
two and generated by the Inspection Services that are part of the file E /
07622/2020.


- The allegations to the initiation agreement PS / 00480/2020 presented by the complainant and the
documentation that accompanies them.

-The respondent is requested to report and, in any case, provide proof of the technical measures
cases and / or organizational measures adopted in order to avoid incidents such as those

have led to the opening of this proceeding.

Within the term granted, no response was received.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/14









SEVENTH: On 04/23/2021, the change of Instructor was agreed, notifying the
Claimed with the result of being returned due to surplus as the shipment was not withdrawn, crediting itself to

The file.

EIGHTH: On 05/04/2021, a letter from the complained party is received, which responds to the request.
tion carried out in tests.

- On 01/10/2020 a new email system was hired that offers services of

"Web page" and "webmail e-mail system" with the system of "e-mail marke-
ting ”, which is a system used for email marketing strategy,
tailored to the needs of the respondent and its members. It involves the delivery of a
immediate and personal contact by email to the group of people that make up the
herself. Provide a copy of part of the contract in document 1.


“The messages are sent directly to the inbox of the recipients received.
blessing them in a particular and individual way ”. "Previously the contacts have to
accept or consent to receive emails. " “Consent must be given in an ex-
prey in the application for entry or registration in the Brotherhood. "


-Provide in document 2, a copy of the “registration sheet” where, among others, the
e-mail data, the purpose of the treatment is informed: “the management of the activity
regular business life through communication systems with all stakeholders ”,
and how to exercise rights. There is no information directly related to the e
emails, nor the explanation of the purpose of said treatment with the option of not granting the

consent in that specific aspect, and its consequences.

-Details how the sending of emails is managed, starting from the creation of a series of
contact lists with emails. When sending an email, it is prepared
a template with the information to send to members, including a link to sign up

come down. The template published in the system allows adding recipients with the name
of the list, without having to access the data of each of the contacts. Attached in do-
Document FIVE, the defined shipping steps. "Once the mail sent from
the Brotherhood, no recipient has any access to the email addresses to which they have
said information has also been sent ". In document SEIS, it states that do-
document sent from the Brotherhood as we would see it by any of the senders

established, but not contributed.

NINTH: On 08/02/2021, a resolution proposal is issued with the literal:

“That the Director of the Spanish Agency for Data Protection be sanctioned with an ap-

cibimiento to SACRAMENTAL AND PENITENTIAL COFRADÍA DE NUESTRO FADRE JESÚS
SACRAMENT AND MOST BLESSED MARY OF PIEDAD, AMPARO DE LOS LEONESES,
with CIF G24294787, for violation of articles 13, 5.1.f) and 32.1 of the RGPD, in accordance with
with the provisions of articles 83.5.b), 83.5.a) and 83.4.a) of the RGPD.


“The execution tending to the correct informative adequacy is carried out by the defendant.
it goes from the e-mail of the members for the use of the sending of e-mails "

No allegations were received.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/14












                                    PROVEN FACTS


1) The claimant has been a member of the claimed party since they submitted their “Application for entry into
la Cofradía ”(discharge 07/05/2011) which included, among other information, his e-mail address. The literal
informative data collection indicated that the purpose of data processing is the

"Maintenance of the relationship as a person belonging to the Brotherhood, with the purposes
specific established in the Statutes "" these data may be used to send you information
training of your interest as well as on activities of the Brotherhood ”.

2) On 08/14/2020 the claimant's claim has entered the AEPD stating that it is

member of the Confraternity claimed, and received two emails without hidden copy, being able to see all
two recipients, everyone's addresses, including yours. The emails carried
cha of 03/18 and 09/29/2019. The defendant acknowledges shipments without a hidden copy. The literal in-
training associated with those two emails stated:

"Personal data including your e-mail are treated in accordance with the provisions of the

GDPR "

"The purpose of this treatment will be the management of normal business activity through
communication systems with all stakeholders. "


"We inform you that the data has been obtained by consent of the interested party by
derivation of a contractual obligation, by a legitimate assignment or from a source of
public access ”.

The emails sent did not contain the literal that makes it possible to stop receiving these emails.


3) It highlights a difference in information on the legitimizing base, when the
data, which indicates the associative relationship as the purpose of the data, and WHAT MAY BE
used to "send you information of your interest as well as activities of the Brotherhood"
and the information contained in the e-mails, with the citation in the body of the en-
email transmission from various legitimating bases.


4) The receipt of communications via e-mail from the complained party is not mandatory,
existing in emails dated after the dates of the reported shipments, the option of
"Cancel the subscription", there being no proven subscription properly by the
Guilds. When the claimant registers in the Brotherhood, the use

of the email to have information about the Brotherhood, nor is the option of not using it offered, or not
consent to such use.

5) After 09/29/2019, emails have been sent to the claimant, providing copies, which
They go from 03/13/2020 to 09/07/2020, without incidents.


6) As of 01/10/2020, the respondent hired a new email system in
the one that "Previously, the contacts have to accept or consent to receive the emails." "The
Consent must be expressly given in the application for entry or registration.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/14








tion in the Brotherhood. " It does not provide the informative literal to verify the form and content contained
creto of the information implemented that could be related to the sending of email to
informative effects of the Brotherhood.

The respondent contributed, among others, emails sent after those who have been the subject of claims.
tion, with this new system. In one of 10/13/2020, entitled: “information of interest and for-
form ”, it is communicated that an“ identification card ”will be elaborated, being obligatory“ to fill in
narrate the following informative literal thus also accepting the update of the
Data Protection. *** URL.1 ”(the aforementioned form is not provided). However, the literal infor-
Mative of the mail of 10/13/2020 is the same as the emails of March 2019 and 09/29/2019,

with the addition of the option “CLICK HERE TO CANCEL THE SUBSCRIPTION” “if applicable.
from the cancellation of the subscription, you will stop receiving notifications in relation to the
Fradia, this being the only official means of information ”.



                                FOUNDATIONS OF LAW


                                                  I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority

trol, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Agency
The Spanish Data Protection Company is competent to initiate and resolve this procedure.
performance.



                                                 II


The respondent is charged with an infringement of article 13 of the RGPD, which determines the information
information that must be provided to the interested party at the time of data collection, sta-

stating the following:

        "1. When personal data relating to him are obtained from an interested party, the respondent
The data controller, at the time these are obtained, will provide you with all the information
indicated below:


        a) the identity and contact details of the person in charge and, where appropriate, their representative
        tante;
        b) the contact details of the data protection officer, if applicable;
        c) the purposes of the treatment to which the personal data are destined and the legal basis
        of the treatment;

        d) when the treatment is based on article 6, paragraph 1, letter f), the interests
        gitimos of the person in charge or of a third party;
        e) the recipients or categories of recipients of personal data, in their
        case;
        f) where appropriate, the intention of the person responsible to transfer personal data to a third party

        country or international organization and the existence or absence of an appropriate decision
        qualification of the Commission, or, in the case of the transfers indicated in the articles
        46 or 47 or article 49, paragraph 1, second subparagraph, reference to the appropriate guarantees
        appropriate and the means of obtaining a copy of these or the fact that

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/14








        that have been borrowed.

        2. In addition to the information mentioned in section 1, the data controller

ment will provide the interested party, at the time the personal data is obtained, the
following information necessary to guarantee fair and transparent data processing:

        a) the period during which the personal data will be kept or, when not possible,
        sible, the criteria used to determine this term;
        b) the existence of the right to request the data controller for access to the

        personal data relating to the interested party, and its rectification or deletion, or the limitation
        of its treatment, or to oppose the treatment, as well as the right to portability
        of the data;
        c) when the treatment is based on article 6, paragraph 1, letter a), or article
        lo 9, section 2, letter a), the existence of the right to withdraw consent in any-

        at any time, without affecting the legality of the treatment based on the consent
        prior to withdrawal;
        d) the right to file a claim with a supervisory authority;
        e) if the communication of personal data is a legal or contractual requirement, or a re-
        I want necessary to sign a contract, and if the interested party is obliged to provide
        personal data and is informed of the possible consequences of not facilitating

        lite such data;
        f) the existence of automated decisions, including profiling, to which
        referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information
        nificant on the applied logic, as well as the importance and consequences
        views of said treatment for the interested party.


        3. When the data controller plans the further processing of data
personal data for a purpose other than that for which they were collected, will provide the interest
given, prior to said further processing, information on that other purpose and any
additional relevant information pursuant to section 2.


        4. The provisions of paragraphs 1, 2 and 3 shall not apply when and on the
given that the interested party already has the information ”.

In general, the legitimizing basis for data processing would be related to the
scheme provided for in article 6.1b), the treatment is necessary for the execution of a
contract or agreement in which the interested party is a party or for the application at his request of
pre-contractual measures.


Now, in this case, what is involved is the use of e-mail and the setting in the
data collection, its use and purpose.
The denounced events initially materialize in the absence of information about

of the processing of personal data, especially the e-mail, if it is mandatory to provide
Provide the e-mail to receive the information, or if you can, I will not consent to it, giving the option
tion if so, or detailing the consequences of not providing such data. In addition, the base
legal treatment of sending emails by e-mail must specify a legal basis
treatment.


The data collection that occurs when entering the Brotherhood must be distinguished, and contains
some data and information that were given, including the e-mail, indicating that

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/14








will use "for the maintenance of the relationship", adding that: "In addition, these data
may be used to send you information of interest, as well as about activities of
the Brotherhood ”, which is what is done by sending e-mails. This option of being in-

formed, which, it is deduced, as a voluntary one by containing the option to “cancel your subscription
tion ”, it is not related to the maintenance of the relationship, it is not completed with the option
at the time of data collection to opt out of receiving information of interest or of
activities of the Brotherhood.

Likewise, the information contained in the e-mails does not succeed in establishing the legal basis

scammer of these shipments, mixing diverse, different and contradictory motives.

By examining the information that is given in the registration of the members, it is reported in a
general that the purpose of data processing is the "maintenance of the relationship
as a person belonging to the Brotherhood, with the specific purposes established in the

Statutes"

The e-mails indicated:

The purpose of this treatment will be the management of normal business activity through
communication systems with all stakeholders. "


The purpose of the collection must be clearly and specifically identified: it must be
sufficiently detailed to determine what type of treatment is or is not included in
the specified objective, and to allow compliance with the law to be assessed and
data protection safeguards apply. Any purpose must be specified,

that is, define enough to be explicit. The objective must be sufficiently
unequivocal and clearly expressed.

The requirement that the purposes be specified 'explicitly' contributes to transparency and
predictability. It allows an unambiguous identification of the limits of the way in which the

Controllers may use the personal data collected, in order to protect the data
teresados.

Each goal of treatment must be separate and specific. Maintenance o
compliance with the associative relationship is one objective, the information would be another.


The information of the treatment and the legitimizing basis for the use and purpose of the treatment
of the e-mail offered is confusing in the wording:

"We inform you that the data has been obtained by consent of the interested party by
derivation of a contractual obligation, by a legitimate assignment or from a source of

public access "

In the discharge of the members, it is indicated that the data is for the maintenance of the
relationship, not requiring consent. Even less, consent can be made
derive from “a contractual obligation, by a legitimate assignment or from a source of

public access ”as reported in e-mails.

Originally, in the high as Cofrades, the option is not given to the affected, so that
the purpose of maintaining the contractual relationship is differentiated from that of being informed

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/14








do, being different. For the maintenance of the relationship it is not necessary to send the e
mails to associates, which is a voluntary addition, by offering the possibility of canceling
the subscription.


It is the responsibility of the respondent to prove compliance with the provisions of article 13 of the
GDPR. Therefore, it has been proven that, at the time of the claimant's discharge, no
produces adequate information in the collection and use of data from the e-mail address and
purpose of information to members. Circumstance that remains and is credited with the
sending the e-mails that are the subject of the claim, and which persists with the current configuration of

the e-mails, which have not changed.

The respondent should reevaluate the associative purposes of the activity of the respondent,
of which the intrinsic acceptance of the Statutes would be part, which is the basis
original legitimizer of the personal data of the members of the Brotherhood, and

distinguish it from your use of emails to members.

The complained party must take into account the processing of other data under another legitimizing basis.
that does not obey the relationship, in this case statutory between its members and the
claimed. To do this, you must take into account the elements that make up the consent
informed: “for one or more specific purposes”, and the freedom to grant or withdraw it without

suffer any damage, as well as the possibility of revoking it at any time with the
same effects.

In accordance with article 58.2 of the RGPD:


"2. Each supervisory authority shall have all the following corrective powers
indicated below: d) order the person in charge of the treatment that the
processing operations comply with the provisions of this Regulation, when
proceed, in a certain way and within a specified period; "


The respondent must prove the inclusion of pertinent and adequate information to the
treatment of data derived from email with informative use to its members, and inform
of the modality and form by which it would be carried out.

Article 83.5 b) of the RGPD, considers that the infringement of "the rights of the interested parties
According to articles 12 to 22 "" is punishable, "with administrative fines of

€ 20,000,000 maximum or, in the case of a company, an amount equivalent to 4%
as a maximum of the total annual global business volume of the previous financial year,
opting for the highest amount ”.

                                                III


Regarding the dissemination given to the e-mails that are the subject of a complaint, article 5 of the RGPD is-
establishes the principles that must govern the processing of personal data and mentions between-
among them that of "integrity and confidentiality".


        The aforementioned article points out that:

        "1. The personal data will be:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/14








        (…)
        f) processed in such a way as to guarantee adequate security of personal data
personal data, including protection against unauthorized or illegal processing and against its loss.

accidental damage, destruction or damage, through the application of technical or organizational measures
appropriate guidelines ('integrity and confidentiality') ”.
        (…)

Article 5, duty of confidentiality, of Organic Law 3/2018, of 5/12, on Protection
of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), signal-

which:

        "1. Those responsible and in charge of data processing as well as all the persons
Those involved in any phase of this will be subject to the duty of confidentiality.
referred to in article 5.1.f) of Regulation (EU) 2016/679.


        2. The general obligation indicated in the previous section will be complementary to the
duties of professional secrecy in accordance with its applicable regulations.

        3. The obligations established in the previous sections will be maintained even
when the relationship of the obliged with the person in charge or in charge of the treatment has ended.

I lie".

The documentation in the file offers clear indications that the respondent,
violated article 5.1.f) of the RGPD, principle relating to treatment, in relation to article
the 5 of the LOPGDD, duty of confidentiality, when sending emails without using the

blind copy option.

This duty of confidentiality, or duty of secrecy, must be understood as having the purpose of
It is important to avoid data leaks not being consented to by the owners of the
themselves, in this case, the email addresses of the brothers.


Therefore, this duty of confidentiality is an obligation that falls not only on the respondent
member and in charge of the treatment, but to anyone who intervenes in any phase of the
treatment and complementary to the duty of professional secrecy.

The same complainant has indicated that the incident that gave rise to the complaint was motivated by

vada by incorrectly sending emails to members of the
Brotherhood, since the person who managed it involuntarily and accidentally must have
sent as "Bcc" (where each recipient cannot see the other recipients), in
instead of "To" (where each recipient can see the other recipients).


Article 83.5 a) of the RGPD, considers that the infringement of “the basic principles for the
treatment, including the conditions for consent in accordance with articles 5, 6, 7 and
9 ”is punishable, in accordance with section 5 of the aforementioned article 83 of the aforementioned
RGPD, “with administrative fines of a maximum of € 20,000,000 or, in the case of a company
dam, of an amount equivalent to a maximum of 4% of the total annual turnover

overall for the previous financial year, opting for the highest amount ”.

On the other hand, the LOPDGDD, for prescription purposes, in its article 72 indicates:
“Violations considered very serious:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/14









        1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose a violation

substantial declaration of the articles mentioned therein and, in particular, the following:

        a) The processing of personal data violating the principles and guarantees established
two in article 5 of Regulation (EU) 2016/679.
        (…) "


                                                IV

Also the conduct of sending emails to third parties violates article 32
of the RGPD "Security of the treatment", which establishes:


        "1. Taking into account the state of the art, the costs of application, and the nature of
lence, scope, context and purposes of the treatment, as well as risks of probability and
variable severity for the rights and freedoms of natural persons, the person responsible and
the person in charge of the treatment will apply appropriate technical and organizational measures to
guarantee a level of security appropriate to the risk, which, where appropriate, includes, among others:


        a) pseudonymisation and encryption of personal data;
        b) the ability to guarantee confidentiality, integrity, availability and resilience
        permanent maintenance of treatment systems and services;
        c) the ability to restore the availability and access to personal data of
        quickly in the event of a physical or technical incident;

        d) a process of regular verification, evaluation and assessment of the effectiveness of the
        technical and organizational measures to guarantee the security of the treatment.

        2. When evaluating the adequacy of the security level, particular attention will be paid to
take into account the risks that the data processing presents, in particular as a consequence

of the destruction, loss or accidental or illegal alteration of personal data transmitted,
stored or otherwise processed, or unauthorized communication or access to said
data.

        3. Adherence to a code of conduct approved in accordance with article 40 or to a
certification authority approved pursuant to article 42 may serve as an element to determine

show compliance with the requirements established in section 1 of this article.

        4. The person in charge and the person in charge of the treatment will take measures to guarantee
that any person acting under the authority of the controller or processor and has
access to personal data can only process said data following instructions from the res-

responsible, unless required to do so under Union or State law
members".

The RGPD defines personal data security violations as “all those
security breaches resulting in accidental destruction, loss or alteration or

illicit personal data transmitted, stored or otherwise processed, or the communication
unauthorized access or access to said data ”.

From the documentation provided to the file, evidence that the respondent has violated the ar-

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/14








Article 32 of the RGPD, when a security incident occurs in your system allowing the
access to personal data, email addresses, when sent without using
the blind copy option allowing the rest of the recipients to access

the addresses of the other recipients of the communication with breach of the
established technical and security measures.

The respondent, on 09/30/2019, upon observing the remission of the second email, immediately realized
diata to all recipients so that they were aware of said incident.
It points out that since then no emails have been sent in which they have been provided

personal data to other recipients.

It is proven that the defendant did not have adequate measures in place regarding the
treatment of data in communications to associates of your entity, considering it accredited
the commission of this offense.


The violation of article 32 of the RGPD is referenced in article 83.4.a) of the
cited GDPR in the following terms:

       "4. Violations of the following provisions will be sanctioned, in accordance with
section 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of

of a company, of an amount equivalent to a maximum of 2% of the turnover
Global annual total for the previous financial year, opting for the highest amount:

       a) the obligations of the controller and the processor pursuant to articles 8,
       11, 25 to 39, 42 and 43.

       (…) "

For its part, the LOPDGDD, in its article 73, for the purposes of prescription, qualifies as “Infringement
tions considered serious ”:


       "Based on what is established in article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a vulnerability
substantial tion of the articles mentioned therein and, in particular, the following:

       (…)
       g) The breach, as a consequence of the lack of due diligence,

       of the technical and organizational measures that have been implemented in accordance with
       as required by article 32.1 of Regulation (EU) 2016/679 ”.
       (…) "

                                               V


The RGPD, without prejudice to what is established in its article 83, contemplates in its article 58.2 b)
the possibility of attending the warning to correct the processing of personal data
that do not conform to your forecasts.



On the other hand, the following elements have also been taken into account, in particular.

       • It is a small entity whose main activity is not related to the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/14








       processing of personal data.

       • It is not a company and its activity is not related to making a profit.


       • There is no recidivism, as the commission, within a year, of
       more than one offense of the same nature.

Therefore, in accordance with the applicable legislation,


the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DIRECT an APPEARANCE sanction to SACRAMENTAL AND
PENITENTIAL BROTHERHOOD OF OUR FATHER JESUS SACRAMENTED AND MARY
SANTÍSIMA DE LA PIEDAD, AMPARO DE LOS LEONESES, with CIF G24294787, by:


- An infringement of article 32 of the RGPD, in accordance with article 83.4.a) of the RGPD.
- An infringement of article 5.1.f) of the RGPD, in accordance with article 83.5.a) of the
GDPR.
- An infringement of article 13 of the RGPD, in accordance with article 83.5. b) of the RGPD.


SECOND: By virtue of article 58.2.d) of the RGPD, the claimed party is required to
correct the information and the purpose of the use of shipments through e-mails, informing
to this Agency within two months of the measures adopted. It is noted that the
Failure to comply with the requirement may imply the infraction provided for in article
83.6 of the RGPD.


THIRD: NOTIFY this resolution to SACRAMENTAL Y PENITENCIAL
BROTHERHOOD OF OUR FATHER JESUS SACRAMENTED AND MOST BLESSED MARY OF
THE PIETY, PROTECTION OF THE LEONESES


FOURTH: In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the Director of

the Spanish Data Protection Agency within a month from the day
following notification of this resolution or directly contentious appeal
administrative law before the Contentious-Administrative Chamber of the National Court, with
in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision
of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,

within two months from the day following notification of this act,
as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may
provisionally suspend the final administrative resolution if the interested party manifests

his intention to file a contentious-administrative appeal. If this is the case, the
The interested party must formally communicate this fact by writing to the Agency
Spanish Data Protection, presenting it through the Electronic Registry of the
Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/14










remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1.
You must also send the Agency the documentation that proves the filing
effective contentious-administrative appeal. If the Agency is not aware of the

filing of the contentious-administrative appeal within a period of two months from the date
following the notification of this resolution, it would terminate the suspension
precautionary.



                                                                                                938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection






















































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es