AEPD (Spain) - PS/00509/2021

From GDPRhub
Revision as of 14:51, 4 October 2022 by Kk (talk | contribs) (→‎Facts)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00509/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32 GDPR
Article 16 of the Organic Law 4/2015, on the Protection of Citizen Security (LOPSC)
Article 77(2) of the LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 0 EUR
Parties: National Police
National Case Number/Name: PS/00509/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: Michelle Ayora

The Spanish DPA officially warned the National Police for violating Article 32(1) GDPR. The National Police did not implement appropriate technical and organisational measures for ID identification of citizens by police officers.

English Summary[edit | edit source]

Facts[edit | edit source]

On 2 June 2021, the data subject was leaving a protest which he had attended. He encountered a police control on the way. In the course of the interaction, a police officer took a photograph of their ID card with a personal mobile phone since there was no official device provided for this task. The data subject did not give their consent to the taking of the photo and, consequently, submitted a complaint to the Spanish DPA.

As a response, the Director General of the National Police (the controller) argued that the officer proceeded in the mentioned way to avoid direct contact because of the health risk related to the Covid-19 pandemic. Allegedly, the procedure of identification carried a risk for the officers’ health, thus, the action was justified, especially because after the identification, the photo was deleted from the device. Another argument from the National Police was that neither the scope of GDPR nor the respective national legislation cover the processing of data in the context of crime prevention, investigation or enforcement. Rather, Directive (EU) 2016/680 (the Law Enforcement Directive) and relevant implementing national law should be applicable.

Holding[edit | edit source]

The Spanish DPA started by referring to national law, Article 16 of the Organic Law 4/2015, on the Protection of Citizen Security (LOPSC), which prescribes that the identification process of ID cards by law enforcement authorities should respect the principles of proportionality, equal treatment and non-discrimination. With regards to the protection of personal data and taking into account the risks to rights and freedoms of natural persons, the use of personal cameras or cell phones does not guarantee security of the data. The private uses that each person can perform with their own devices are not compatible with the measures of security that, for the exercise of police functions, must be conducted on an official device and recorded in a police database.

Seemingly, the DPA concluded that, in the present case, the actions performed by the police officer on their private cell phone could not be considered to fall within the scope of Directive (EU) 2016/680. Moreover, the national law implementing the respective Directive had not come into force yet at the time of the proceedings. Hence, the GDPR was considered to be applicable.

Accordingly, the DPA found a violation of Article 32(1) GDPR regarding the security of processing for not implementing the appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The DPA only issued an official warning to the controller as Article 83 GDPR and Article 77(2) of the LOPDGDD, the Spanish data protection law, do not allow to impose monetary fines on public authorities.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/24








     Procedure No.: PS/00509/2021

               RESOLUTION OF PUNISHMENT PROCEDURE


Through an Agreement dated 01/03/22, the sanctioning procedure was initiated,
PS/0509/2021, instructed by the Spanish Data Protection Agency before the
GENERAL DIRECTORATE OF THE POLICE, (DGP), (hereinafter, "the party claimed"),
for alleged infringement of Regulation (EU) 2016/679, of the European Parliament and of the
Council, of 04/27/16, regarding the Protection of Natural Persons in what

regarding the Processing of Personal Data and the Free Circulation of these Data,
(RGPD) and Organic Law 3/2018, of December 5, on Data Protection
Personal and guarantee of digital rights, (LOPDGDD), and based on
the following:


                                  BACKGROUND:

FIRST: On 06/02/21, this Agency received a letter from A.A.A.,
(hereinafter, "the complaining party"), in which, among others, it indicated the following:

       “Last day 06/01/21 I was with a group of friends in the

       confluence of General Aranaz and María Lombillo Madrid streets. Us
       we were leaving a rally that had been convened
       by the association "my safe neighborhood" and when we left the concentration,
       various CNP callsigns proceeded to identify us and pass on our data
       by the issuer for the purpose of carrying out the appropriate checks. One time

       After completing the identification process and after checking the agents that everything
       was correct, the agent proceeded to take pictures of our IDs with his
       personal telephone, all this, despite being warned by those present that
       we did not grant our consent for that photo taking of the DNI.
       The agent herself told us that the photographs were being taken from

       their personal telephone, since they do not have a staff telephone”.

SECOND: Dated 07/01/21, in accordance with the provisions of article 65.4
of the LOPDGDD Law, by this Agency, said claim was transferred
to the DGP, so that it proceeded to its analysis and report, within a period of one month, on
what was stated in the statement of claim.


THIRD: On 07/23/21, the DGP sends this Agency a written response
to the request made, in which, among others, it indicated the following:

       “The Organic Law 4/2015, of March 30, on the protection of the security

       citizen, regulates in its article 16, the assumptions and the way in which the
       Agents of the Security Forces and Bodies may request the
       identification of people, enabling them to "carry out the checks
       necessary on public roads or in the place where the
       requirement, including the identification of persons whose face is not

       Totally or partially visible due to the use of any type of garment or object that
       cover, preventing or hindering the identification, when necessary to the
       indicated effects", and must strictly respect "the principles of
       proportionality, equal treatment and non-discrimination on the grounds of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/24








       birth, nationality, racial or ethnic origin, sex, religion or belief,
       age, disability, sexual orientation or identity, opinion or any other
       personal or social condition or circumstance.


       In this sense, the aforementioned rule even provides that when it is not possible to
       identification by any means, the agents could “require those who do not
       could be identified to accompany them to the police stations
       closest in which the adequate means are available for the
       practice of this diligence, for the sole purpose of identification and for the

       time strictly necessary.

       In a context like the current one marked by the pandemic situation
       international crisis caused by the coronavirus COVID-19, the practice of
       identification procedures implies an increase in personal risk

       for the performers. For this reason and in accordance with the advice disseminated
       by the health authorities, the police officers take extreme measures of
       self-protection of agents, also in the field of health and hygiene,
       avoiding direct contact with the person identified and their belongings, looking for
       asepsis environmental conditions and maintaining safety distances.


       In this sense, the sole purpose of taking an image of the document
       identity and with it to carry out the opportune verifications, was to avoid the
       manipulation of this and keep the safety distance. In this way, the
       photography is an exceptional way of proceeding at a time
       marked by health and social circumstances of serious risk to health.


       In order to know the specific circumstances in which the
       facts described above, consultation was evacuated to the Superior Headquarters of Madrid.

       The following conclusions are drawn from the report: - It has been found that the

       The official took a single image of the National Identity Document of the
       identified person, acting under article 16 of LO 4/2015, and with
       the same effects and purpose as if the data had been taken from
       manual way. - As stated in her Minutes-Report, the agent proceeded to
       delete the document image once the purpose for which it was created has been fulfilled.
       I take.


       It should be noted that police action for criminal prevention and
       maintenance of public order, the subject of this report, accommodated
       specifically to the basic principles of action established in the
       article 5 of the Organic Law 2/1986, of March 13, of Forces and Bodies

       Security, as well as the current legislation on the protection of
       data, specifically: • Directive (EU) 2016/680 of the European Parliament and of the
       Council of April 27, 2016, regarding the protection of natural persons
       with regard to the processing of personal data by the
       competent authorities for purposes of prevention, investigation, detection or

       prosecution of criminal offenses or execution of criminal sanctions, and
       to the free movement of said data and by which the Framework Decision is repealed
       2008/977/JAI of the Council, which has been transposed into Spanish law
       through: • Organic Law 15/1999, of December 13, on Data Protection

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/24








       of a Personal Nature, in force at the time of the events. • Organic Law
       3/2018, of December 5, on the Protection of Personal Data and guarantee of
       digital rights, which includes the following specifications. either

       Unique derogatory provision. Regulatory repeal. 1. Without prejudice to
       provided for in the fourteenth additional provision and in the transitory provision
       fourth, the Organic Law 15/1999, of December 13, of
       Personal data protection. Specifically, article 2.2
       section a) of the aforementioned Organic Law 3/2018 in relation to article 2.2
       section d) of Regulation (EU) 2016/679 of the European Parliament and the

       Council, of April 27, 2016, regarding the protection of people
       regarding the processing of your personal data and the free
       circulation of these data expressly excludes the application of the Law
       Organic 3/2018 to the processing of personal data "by the
       competent authorities for the purposes of prevention, investigation, detection or

       prosecution of criminal offenses, or execution of criminal sanctions,
       including protection against threats to public safety and its
       prevention".

       It is participated that, from the Operational Deputy Directorate, will proceed to impart
       instructions on the use of electronic devices by

       police officers in operational actions, so as to ensure the
       conformity of said actions to the regulations on the Protection of
       Data".

FOURTH: Dated 10/18/21, in accordance with article 65 of the LPDGDD Law

by the Director of the Spanish Data Protection Agency, it is issued
agreement of admission of procedure of the presented claim, when appreciating possible
reasonable indications of a violation of the rules in the field of competences
of the Spanish Agency for Data Protection.


FIFTH: On 01/03/22, by the Board of Directors of the Spanish Agency for
Data Protection, a sanctioning procedure is initiated against the DGP, for violation
of the RGPD, when appreciating possible indications of infringement of 32.1 of the RGPD.

SIXTH: Notification of the initiation agreement to the DGP, the latter by means of a document dated
01/14/22 made, in summary, the following allegations:


       “Regarding the identification procedure, the procedural agreement
       sanctioning PS/00509/2021, performs an analysis of Organic Law 4/2015 of
       March 30, protection of citizen security (hereinafter, LOPSC),
       referring, firstly, to the preamble where it is stated that "...

       empowers the competent authorities to agree on different actions
       aimed at maintaining and, where appropriate, restoring tranquility
       citizen in cases of public insecurity, precisely regulating the
       budgets, purposes and requirements to carry out these procedures,
       in accordance with the principles, among others, of proportionality, minimal interference

       and non-discrimination…”.

       Reference is also made to articles 9, on the obligations and rights
       of the holder of the National Identity Document and 16.1, in which

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/24








       specify the cases in which the Security Forces and Bodies may
       require the identification of persons (“When there are indications that they have
       been able to participate in the commission of an offence, when it is necessary

       to prevent a crime…”), and allusion is made to the strict respect for the principles
       of proportionality, equal treatment and non-discrimination on the grounds of
       birth, nationality, racial or ethnic origin, sex, religion or belief,
       age, disability, sexual orientation or identity, opinion or any other
       personal or social condition or circumstance, which must necessarily govern the
       practice of identification diligence.


       In relation to the provisions of Organic Law 4/2015 of March 30, the
       General Directorate of the Police considers that the police action was carried out
       with absolute respect for the principles contained in article 16.1 LOPSC
       (proportionality, equal treatment and non-discrimination), being noteworthy

       that there is no evidence that these extremes have been questioned by the claimant,
       focusing the claim solely on the means used for the practice of
       the identification. Article 16.2 LOPSC contemplates the use of any means
       available to the agents that favors the act of identification.

       In this sense, the official who carried out the identification procedure used

       the means available to them, taking into account the circumstances
       exceptional circumstances of the international pandemic context motivated by the
       coronavirus SARS-CoV-2, in order to practice identification with a
       that facilitated the intervention by minimizing interpersonal contact, which
       as stated above, following the instructions of the authorities

       healthcare in this regard.

       Once the necessary checks were made, the images were deleted
       without any trace of them remaining in any police file.


       Likewise, it is considered that police action within the framework of
       crime and maintenance of public order was specifically accommodated to the
       basic principles of action established in article 5 of the Organic Law
       2/1986, of March 13, on Security Forces and Bodies, as well as the
       forecasts of the LOPSC itself.


       SECOND.- The action that gives rise to this procedure consists
       in the identification procedure that, as can be deduced from the articles
       referenced above of the LOPSC, is part of the activity that, in terms of
       prevention of criminal and administrative offenses, carried out by the Forces and
       Security forces. It should be noted that the events that bring together

       large concentrations of people, such as the one being analyzed,
       They are usually taken advantage of by individuals or groups who, protected by the
       multitude carry out criminal acts that must be prevented by the
       FFCC Security to guarantee citizen security and the free development of
       fundamental rights and public freedoms of other citizens.


       THIRD.- The act that gives rise to this procedure consists of the
       identification diligence carried out during the concentration
       held in the Madrid district of San Blas, on June 1, 2021. The

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/24








       Organic Law 3/2018, of December 5, on the Protection of Personal Data and
       guarantee of digital rights, alleged by the AEPD to initiate the
       sanctioning procedure, expressly excludes from its scope of application

       in its article 2.2 to the treatments excluded from the scope of application of the
       General data protection regulation by its article 2.2, without prejudice to
       the provisions of sections 3 and 4 of this article.

       Article 2.2.d) of the RGPD regulates the scope of its material application, and
       excludes the processing of personal data carried out by the

       competent authorities for the purposes of prevention, investigation, detection or
       prosecution of criminal offenses, or execution of criminal sanctions,
       including protection against threats to public safety and its
       prevention.


       The processing of personal data by the competent authorities
       for purposes of prevention, investigation, detection or prosecution of
       criminal offenses or execution of criminal sanctions, at the time of
       the facts that originate the present sanctioning procedure, continued
       being subject to regulation by articles 23 and 24 of the Organic Law
       15/1999, of December 13, on the Protection of Personal Data, in

       under the provisions of Additional Provision 14 LPDGDD.

       On the other hand, regarding the use of video cameras by the Forces and
       Security Corps is concerned, the regulatory framework was given by the Law
       Organic 4/1997, of August 4, which regulates the use of

       video cameras by the Security Forces and Bodies in public places,
       which, however, did not refer in its articles to any limitation or require
       any authorization regarding the use of photographic cameras.

       FOURTH.- The Agreement to initiate the sanctioning procedure, in its point IV,

       analyzes the alleged excessive treatment of personal data of the
       demonstrators, and alludes to an alleged violation of the provisions of article
       5 LPDGDD, 1.c) specifies that "the processing of personal data must
       be adequate, pertinent and limited to what is necessary in relation to the purposes
       for which they are processed”, known as the principle of data minimization.


       FIFTH.- The Initial Agreement concludes that the known facts could
       be constitutive of an infringement of article 32.1 RGPD: "Taking into account
       the state of the art, the application costs, and the nature, scope,
       context and purposes of the treatment, as well as risks of probability and
       variable seriousness for the rights and freedoms of natural persons, the

       Responsible and the person in charge of the treatment will apply technical measures and
       appropriate organizational arrangements to ensure a level of security adequate to the
       risk, which, where appropriate, includes, among others: (...) b).- The ability to guarantee
       the ongoing confidentiality, integrity, availability and resiliency of the
       treatment systems and services”, and in this case, where the agent performed

       a photograph of the claimant's ID with his mobile phone for personal use,
       does not guarantee at all what is stipulated in this article.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/24








       The aforementioned criterion is not shared by the Deputy Directorate of the
       General Directorate of the Police, given the circumstances in which the
       identification, given that the exposure of the document by its holder to the

       agent and the consequent copying of the data by the latter, required
       necessarily a temporary space of close contact wider than the
       time required to take the photograph of the document, this being
       last option, the one chosen by the acting official given the circumstances
       sanitary existing at the time of the action, and on the other hand, the erasure
       instantaneous data of the terminal by which they were captured, guarantees the

       minimization of risks in treatment.

       Yes, well, if a less invasive data collection was possible, but this
       possibility would be detrimental to the security of the agents and
       individuals, by extending the time of interpersonal contact, and in the case of

       agents, this increased risk rises exponentially in acts
       crowds like the one that caused the identification that is now being evaluated, without
       detriment of the fact that against his will and in compliance with his
       obligations, can also act as vectors of contagion.

       For this reason, the need and suitability of the medium used is considered accredited.

       in this specific action in order to reduce contact times
       interpersonal relationships, and maintain the social distance that the health authorities
       they had been demanding, and that police identification would not violate the principle of
       data minimization.


       SIXTH.- Finally, and in relation to the qualification of the facts, the
       They are included in the serious offense, typified in article 73.f) of the
       LOPDGDD, which includes the infraction consisting of: "f) The lack of adoption of
       those technical and organizational measures that are appropriate to
       guarantee a level of security appropriate to the risk of the treatment, in the

       terms required by article 32.1 of the RGPD”.

       This conduct would not coincide with the facts prosecuted, insofar as the
       identification diligence carried out by the agents was solely
       oriented to the prevention of acts typified as a crime in view of
       facts with similar antecedents and causes, being on the contrary

       police actions covered by the LOPSC and executed based on the
       principle of proportionality, suitability and minimum intervention, given that
       they only intended to guarantee citizen security and avoid the
       consummation of criminal acts through prevention, guaranteeing with the
       instant deletion of images the level of security appropriate to the

       treatment of the data carried out in the pandemic situation”.

SEVENTH: On 02/22/22, the test practice period began,
remembering in the same: a).- to consider reproduced for evidentiary purposes the complaint
filed by the complainant and her documentation, the documents obtained and

generated that are part of file E/07313/2020 and b).- consider reproduced
evidentiary effects, the allegations to the initiation agreement of PS/00509/2021,
presented.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/24








EIGHTH: On 03/10/22, the proposed resolution was transferred to the DGP, in
which, it was proposed that, by the Director of the Spanish Agency of
Protection of Data a warning was directed to said Body, for the infraction

of article 32.1 of the RGPD, when processing the personal data of the
claimant, by taking a photograph of his ID with a mobile phone
personnel of the police officer, without the required security guarantees for this type
of acts.

NINTH: The resolution proposal was notified to the DGP, which, dated 03/17/22,

submits a brief of allegations, indicating, among others, the following:

       I.- Regarding the identification diligence.

       Organic Law 4/2015 of March 30, on security protection

       citizen (hereinafter, LOPSC), referring, firstly to the
       preamble where it is indicated that "... the competent authorities are empowered
       to agree on different actions aimed at maintenance and, where appropriate, at
       Restoration of citizen tranquility in cases of insecurity
       public, precisely regulating budgets, purposes and requirements
       to carry out these procedures, in accordance with the principles, among others, of

       proportionality, minimal interference and non-discrimination…”.

       In articles 9 of the same norm, on the obligations and rights of the
       holder of the National Identity Document and article 16.1, the 3
       assumptions in which the Security Forces and Bodies may require the

       identification of persons (“When there are indications that they have been able to
       participate in the commission of an offence, when it is necessary to
       prevent a crime…”), and allusion is made to the strict respect for the principles of
       proportionality, equal treatment and non-discrimination on the grounds of
       birth, nationality, racial or ethnic origin, sex, religion or belief,

       age, disability, sexual orientation or identity, opinion or any other
       personal or social condition or circumstance, which must necessarily govern the
       practice of identification diligence.

       Needless to say, the police action was carried out with absolute respect for the
       principles contained in article 16.1 LOPSC (proportionality, equality of

       treatment and non-discrimination), extremes that the claimant has not questioned,
       focusing the complaint of this only in the means used for the practice of
       the identification.

       The use of electronic devices is becoming more common in the different

       police services and its purpose is to expedite police actions,
       optimizing available resources without undermining guarantees
       citizens and reducing intervention times, which results in the
       standards of quality of the police service and in the security of the own
       acting.


       Article 16.2 LOPSC, does contemplate the use of any means available
       of the agents that favors the act of identification. Article 16.2 LOPSC.-
       When identification is not possible by any means, including the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/24








       telematic or telephone, or if the person refuses to identify himself, the agents,
       to prevent the commission of a crime or in order to punish an infraction,
       may require those who cannot be identified to accompany them to
       the nearest police stations (...).


       Based on this authorization, which refers to the use of any means, without limiting
       strictly to official or endowment means, the official who carried out this
       diligence, he used the means available to him, in this case a
       particular mobile device, for not having another device at that time
       officer at your disposal, and taking into account the exceptional circumstances of the
       international pandemic context caused by the SARS-CoV-2 coronavirus,

       in order to practice identification with a medium that facilitated the intervention
       minimizing interpersonal contact, as has been said
       previously, following the instructions of the health authorities when
       respect and with scrupulous respect for data protection regulations
       in regard to the treatment of this personal data because, as already

       indicated, once the necessary checks were made, the images were
       deleted without leaving any trace of them in any file
       police or private

       4 It can be stated, therefore, that police action for crime prevention and
       maintenance of public order specifically accommodated the principles

       basic actions established in article 5 of Organic Law 2/1986,
       of March 13, Security Forces and Bodies, as well as the
       forecasts of the LOPSC itself.

       II.- Applicable regulations regarding the protection of personal data.


       The act that gives rise to this procedure consists of the diligence of
       identification that was made during a concentration in Madrid,
       on 06/01/21.

       The identification diligence, as extracted from the articles before
       referred to the LOPSC, is part of the activity that, in terms of

       prevention of criminal and administrative infractions, carried out by the Forces and
       Security forces. It should be noted again that many
       concentrations or demonstrations, are usually used by individuals or
       groups that sheltered in the crowd carry out criminal acts that
       must be prevented by the Security Forces and Bodies to guarantee
       citizen security and the free development of fundamental rights and

       public freedoms of other citizens.

       Organic Law 3/2018, of December 5, on Data Protection
       Personal and guarantee of digital rights, alleged by the AEPD for
       initiate the sanctioning procedure, expressly excludes from its scope of

       application to this matter, determining in article 2.2 of the same:

       Article 2 LPDGDD.- 2. This organic law shall not apply: a) To the
       treatments excluded from the scope of application of the General Regulation of


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/24








       data protection by its article 2.2, without prejudice to the provisions of the
       sections 3 and 4 of this article.

       In this sense, article 2.2.d) of Regulation (EU) 2016/679, of the
       European Parliament and of the Council, of April 27, 2016, regarding the

       protection of natural persons with regard to data processing
       personal data and the free circulation of these data, regulates the scope of application
       material of the same, and excludes the treatment of personal data carried out by
       part of the competent authorities for the purposes of prevention, investigation,
       detection or prosecution of criminal offenses, or execution of
       criminal sanctions, including protection against security threats

       public and its prevention.

       For all of the above, the references that in the Resolution Proposal of
       Sanctioning Procedure are carried out to this Organic Law 3/2018, of 5 of
       December, are incorrect, to the extent that the matter to which it deals

       is expressly excluded from its scope of application.

       Thus, there is no doubt that, on the date on which the events take place
       object of this procedure, the processing of personal data by
       of the competent authorities for purposes of prevention, investigation,
       detection or prosecution of criminal offenses or execution of

       criminal sanctions, at the time of the events that gave rise to this
       sanctioning procedure, were already subject to regulation by the Organic Law
       7/2021, of May 26, on the protection of personal data processed for purposes
       of prevention, detection, investigation and prosecution of infringements
       penalties and execution of criminal sanctions, issued in transposition of the
       Directive (EU) 2016/680 of the European Parliament and of the Council, of April 27

       of 2016, relative to the protection of natural persons with regard to
       processing of personal data by the competent authorities to
       purposes of prevention, investigation, detection or prosecution of violations
       criminal offenses or the execution of criminal sanctions, and the free circulation of said
       data.


       III.- Regarding the merits of the matter:

       Notwithstanding the foregoing, and the clear exclusion of the LPDGDD for exceeding
       of the scope of application of the matter dealt with, the Resolution Proposal
       performs in the Basis of Law III, an analysis of the alleged
       excessive treatment of personal data of protesters: reaching the

       following conclusion:

       (...) That given the social-health context due to the pandemic that
       we were suffering, the high risk of contagion by the Covid-19 virus was assessed.
       19, which has been found to multiply in these massive acts,

       therefore, he proceeded to take a photograph of the claimant's DNI, the only
       objective of avoiding the manipulation of this and maintaining the safety distance
       and that, once the necessary checks were made, he deleted it
       immediately from the device. To clarify below that, "the fact that
       that it be advised to take extreme precautions and expedite as much as possible the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/24








       interventions with the demonstrators, using an exceptional means of
       identification such as taking pictures with a mobile phone made it possible, in
       the work of identifying the protesters reduced contact

       interpersonal relationship between them and the agents. All this added to the fact that, once made
       the necessary verifications in the identification, the images taken with
       the mobile were erased.

       Finally, it considers the aforementioned resolution that “the realization of the photograph
       of the claimant's DNI, in the exceptional circumstances of the pandemic

       experienced, complies with the principle of minimization of the data, collected in the
       article 5.1.c) of the RGPD, that is: “adequate, pertinent and limited to the
       necessity”, for which they were collected.”

       In the following Legal Basis, the taking of the DNI photograph is analyzed

       of the claimant with the private mobile phone of the National Police agent:
       In this sense, it considers the fact that the photograph of the DNI of the
       particular was made with the private mobile phone of the civil servant of
       policeman.

       Regarding this circumstance, from the Deputy Directorate of Operations of the

       DGP, instructions have already been issued in order to ensure compliance
       of police actions with the regulations on the Protection of
       Data, instructions that were disseminated to all police units to
       your knowledge.


       Reference is made in this Legal Basis to article 32 of the RGPD,
       which requires data controllers to adopt the
       corresponding security measures of a technical and organizational nature
       necessary to guarantee that the treatment is in accordance with the regulations
       in force, as well as to guarantee that any person acting under the authority

       of the person in charge or the person in charge and has access to personal data only those
       can treat following instructions of the person in charge.

       It then refers to section 1.b) of the aforementioned article 32, which
       refers to the following: "Taking into account the state of the art, the costs of
       application, and the nature, scope, context and purposes of the treatment,

       as well as risks of varying probability and severity to the rights and
       freedoms of natural persons, the person in charge and the person in charge of the
       treatment will apply appropriate technical and organizational measures to
       guarantee a level of security appropriate to the risk, which, where appropriate, includes,
       among others: (...) b).- The ability to guarantee confidentiality, integrity,

       permanent availability and resilience of treatment systems”.

       Finally concluding that: “in this case, where the police agent carried out
       a photograph of the claimant's ID with his mobile phone for personal use,
       does not guarantee a level of security adequate to the required requirements,

       circumstance that would not occur if said photograph had been taken with a
       official device.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/24








       ”FIRST.- The Organic Law 7/2021, which has previously been made
       reference regarding its preferential application because it is a special law regarding the
       general regulations for the protection of personal data processed by the
       competent authorities for the purposes of prevention, investigation, detection or
       prosecution of criminal offences, as well as the Directive of the Parliament

       European and Council, 680/2016, also contain their own regulation
       Regarding the security of the treatment, thus article 37 of LO 7/2021 is
       determines that: 1. The controller and the processor, taking into account
       account the state of the art and the costs of application, and the nature,
       scope, context and purposes of the treatment, as well as the levels of risk
       for the rights and freedoms of natural persons, will apply measures

       appropriate technical and organizational measures to guarantee a level of security
       adequate, especially with regard to the treatment of the categories of
       personal data referred to in article 13.

       This article does not mention the ability to guarantee the

       confidentiality, integrity, availability and permanent resilience of the
       treatment systems, which is mentioned in the Agency's resolution and which
       it does contain the GDPR.

       However, it does expressly mention that they must be taken into account
       different circumstances such as: the context of the treatment, to which so many times

       has been alluded to in the development of this procedure, the context in which
       unwrapping the id in question was a completely unwrapped context
       anomalous, in which the global pandemic situation caused by COVID,
       demanded that health protection measures be taken for both law enforcement officers
       police as well as individuals, were interposed to other circumstances in
       other priority contexts, causing them to relax certain

       protocols and modes of action in order to give priority to health security.

       In this context, it must be clarified that it appeared so unexpectedly and
       supervening, which did not allow the adoption by the Administrations
       Public, with sufficient technical means to guarantee that all
       officials had the appropriate official tools to guarantee

       that these functions of protection and prevention of citizen security in
       crowded environments were developed with the means that in terms of
       data processing would be desirable. Thus, it was left to the discretion of the
       officials the adoption of the measures that, in their case, they considered
       opportune to protect your safety and that of individuals, always
       acting under the principles of legality and responsibility required by art.

       6 of the LO 2/1986, of May 13, on Security Forces and Bodies, and with
       respect for the rights of individuals regarding the processing of their data
       personal.

       This article also alludes to the levels of risk for the rights and

       freedoms of natural persons. In this sense, we must stop to analyze
       the specific circumstances surrounding the police action. On the one hand, the
       technical security measures of the device used (the private telephone of
       the official), once the Superior Police Headquarters had been consulted on this


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/24








       extreme, reports that the terminal used had the following measurements
       of security:

       1.- Encryption of all personal data, protected by "protection" technology
       of data” mechanism by which the files and the keychain of this are protected,

       password with key, as well as by FACEID, not being able to access the terminal
       mobile without them.

       2.- The mobile terminal during the entire collection, as well as transfer of the data to
       another support was without internet connection.


       3.- That likewise there is no connectivity activated between the gallery of
       photos and cloud storage applications or any other
       third party application.

       4.- Reiterate that the collection of this personal data was done without the

       photographic image of the holder of the document, being therefore identical data to
       those that had been made in written format.

       5.- It should also be pointed out that data collection in paper format shows
       more lack of security than taking it with technological means, as can be
       be the impossibility of its immediate elimination by having to rely on

       special containers for its destruction, as well as security in case of
       loss.

       In addition to the above, the following factors must be taken into account:

       a) The term of conservation of the personal data of the individual: in view of the

       report sent by the agent proceeded to delete the image of the document a
       Once the purpose for which it was taken has been fulfilled, that is, the data was
       obtained and preserved for a few minutes, the time it took to
       carry out the effective identification of the individual, after which,
       were deleted from the device without any trace of
       storage of the same or in any other file.


       b) The constant custody of the data by a police officer
       National. Since the photograph was not sent to any other device,
       not leaving the official's private device at any time and therefore
       within its scope of control, a fact that, together with the rest of the measures of
       certainty that the device used counted notably ensures the

       treatment safety.

       c) We must also consider that the alternative to this procedure of the
       official would have been the handwritten copy of the individual's data for a
       then communicate them through the station and carry out the

       timely checks. First of all, it means that this option requires
       a time of interpersonal contact greater than that of taking the photograph
       (given that it was intended to avoid as much as possible manipulation by
       officials of hundreds of identity documents), and therefore greater
       risk of contagion.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/24









       On the other hand, these handwritten data are also in the custody
       of the official, responsible in its case for its loss or misplacement, if
       well, with respect to these 9 actions, the responsibility of the
       police officers, who are subject to a statute

       professional, disciplinary regime and ethical codes, containing strict
       basic principles of action; we are talking (among others) about the
       principles contained in the L.O. 2/1986, of May 13, on Forces and Corps
       Security, specifically, the principle of responsibility (art. 5.6) according to the
       which police officers “are personally and directly responsible for
       the acts that they carry out in their professional performance, infringing or

       violating the legal norms, as well as the regulations that govern their
       profession and the principles set forth above, without prejudice to the
       patrimonial responsibility that may correspond to the Administrations
       Public for the same.”.


       In the present case, it can be affirmed in view of the result of the facts
       that the official acted at all times under the aforementioned principle of
       responsibility, and proof of this, is that the personal data of the individual
       were treated with the sole purpose of preventing citizen security
       (art. 1 of LO 7/2021), and guaranteeing that the individual did not suffer any
       damage derived from said treatment.


       SECOND.- Article 83 of the General Data Protection Regulation
       establishes the general conditions for the imposition of fines
       administrative. In the second section of the same, the following is determined:
       When deciding the imposition of an administrative fine and its amount in each case
       individual, due account shall be taken of:


       a) the nature, seriousness and duration of the offence, taking into account the
       nature, scope or purpose of the processing operation in question
       as well as the number of stakeholders affected and the level of damage and
       damages they have suffered; the purpose of the treatment is founded on the
       compliance with the tasks of prevention of citizen security for the

       that Organic Law 4/2015 attributes powers to the FFCCSS, ordering
       the use of the available means in order to guarantee the identification of
       people in order to ensure the prevention and maintenance of
       citizen security, that is, the personal data was not processed to
       other purposes than those established in art. 1 of LO 7/2021, of 26
       May. The seriousness of the infringement must be estimated as negligible, in view of the

       absence of damage to the person who owns the data, the same can be said
       regarding the duration of the infraction, once the brevity of the
       treatment.

       b) intentionality or negligence in the infringement; not appreciated here

       any kind of negligence in the actions of the police officer, every time
       that the 1 Supplementary application to LO 7/2021, as deduced from the
       art.2.3 LOPDGDD when it provides that "the treatments to which it is not
       directly applicable Regulation (EU) 2016/679 for affecting activities
       not included in the scope of application of European Union law,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/24








       shall be governed by the provisions of their specific legislation, if any, and
       additionally by what is established in the aforementioned regulation and in this law
       Organic”. 10 performance was carried out with all security measures

       necessary to guarantee the success of the police intervention, the security
       of personal data, and more importantly, health of officials
       and individuals.

       c) any measure taken by the controller or processor
       to alleviate the damages suffered by the interested parties; as has already been

       advance, the individual did not suffer any damage derived from the treatment of his
       personal data, but a fortiori, the Deputy Directorate of Operations has adopted
       measures to prevent the use of private electronic devices in
       order to identify people, which have consisted, on the one hand, in
       the dissemination to the entire scope of this Directorate, of operating instructions

       referred to the practice of identifications, and on the other hand, it is found in
       advanced state of elaboration, of a regulatory provision of a
       that will regulate the use of mobile recording devices by
       police officials, in order to adapt the new protocols, to the
       postulates of the L.O. 7/2021, of May 26.


       d) the degree of responsibility of the person in charge or of the person in charge of the
       treatment, taking into account the technical or organizational measures that have
       applied under articles 25 and 32;

       e) Any previous infraction committed by the person in charge or the person in charge of the

       treatment; There is no record of the existence of complaints for facts
       similar, this measure being exceptional and derived from the transitory situation
       caused by the pandemic situation caused by the COVID SARS virus
       19, so it can be stated that there has been no recidivism in these cases.
       facts.


       f) The degree of cooperation with the supervisory authority in order to put
       remedying the violation and mitigating the possible adverse effects of the violation:
       In this sense, it must be specified that no activity has been necessary
       complementary intended to mitigate the adverse effects since it has not been
       produced any damage. All the efforts of the control authority have been

       focused on the adoption of preventive measures aimed at regulating the
       use of electronic devices and their adaptation to the recent regulation of
       Data Protection. g) the categories of personal data
       affected by the infringement. As reported by the police officer, the
       photograph of the document was limited to personal data relating to: Name,

       surnames, sex, nationality, date of birth, issuance of the document and
       validity, as well as support number and document number, without it being
       photographed the image of the same, therefore, categories have not been treated
       special data, whose protection is reinforced by law, despite
       of the express authorization for its treatment by the Forces and

       Security Corps, provided for in art. 13 of LO 7/2021.

       h) the way in which the supervisory authority became aware of the infringement, in
       particular if the person in charge or the person in charge notified the infringement and, in such case,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/24








       to what extent; Although it is true that the control authority had
       knowledge of the facts that make up the alleged infringement by complaint
       of the individual, and not by this Directorate, this is mainly due to the fact that

       Based on the legal grounds set forth in this document,
       no administrative fault is observed in the practice of identifying the
       given the exceptional context in which it was developed.
       On the other hand, it should be noted that in addition to admitting the reality of the facts,
       all the actions have been directed from its knowledge to reinforce
       the prevention of behaviors that could be contrary to the regulations

       personal data protection regulator.

       i) when the measures indicated in article 58, paragraph 2, have been
       previously ordered against the person in charge or the person in charge in question
       in relation to the same matter, compliance with said measures;


        j) adherence to codes of conduct under article 40 or mechanisms
       certificates approved in accordance with article 42, and

       k) any other aggravating or mitigating factor applicable to the circumstances of the
       case, such as financial benefits realized or losses avoided, direct

       or indirectly, through infringement. In this sense, to argue that the only
       advantage resulting from the way in which the police officer acts, can
       be derived for citizen safety, as well as for the safety and health of
       those involved in the police intervention (officials and individuals), since the
       The purpose of this decision was none other than to facilitate the identification of this

       person, in a crowded context, avoiding contact as much as possible, and
       speeding up the intervention for the sake of safety, without forgetting in any
       moment the security of the processing of personal data.

       THIRD.- This article was duly transposed into Spanish regulations,

       being reflected in article 76 of the L.O. 3/2018, of December 5, of
       Protection of Personal Data and guarantee of digital rights, which
       establishes that: 2. In accordance with the provisions of article 83.2.k) of the RGPD
       to take into account: a) The continuous nature of the infraction. not appreciated
       such character in the intervention object of the present procedure. b) The
       linking the activity of the offender with the performance of treatment of

       personal information. The processing of personal data becomes a competence
       directly from the General Directorate of the Police, by virtue of the powers
       assigned to this police force by the L.O. 2/1986, of May 13, Forces
       and Security Bodies, as well as by the L.O. 4/2015, of March 30, of
       protection of citizen security. c) The benefits obtained as

       consequence of the commission of the offence. Needless to say, it has not been
       obtained greater benefit with the intervention carried out beyond the derivative
       for public safety and the health of those involved. d) The possibility of
       that the conduct of the affected party could have induced the commission of the
       infringement. e) The existence of a merger process by absorption subsequent to the

       commission of the infringement, which cannot be attributed to the absorbing entity. F)
       The rights of minors have not been affected. g) Arrange, when not
       mandatory, of a data protection delegate. h) Submission by
       part of the person in charge or in charge, on a voluntary basis, to mechanisms of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/24








       alternative conflict resolution, in those cases in which there are
       controversies between them and any interested party.


       Based on all the above, and taking into account all these circumstances
       analyzed, which article 83 urges to consider when deciding on
       the imposition of an administrative sanction, it can be concluded that the action
       of the police was adjusted to contextual needs.

       Therefore, having accredited the need and suitability of the medium used for the

       effects of reducing interpersonal contact times, and maintaining the
       social distance that the health authorities imposed in order to prevent
       successive infections, and in view of the security measures adopted in the
       development of the analyzed intervention, this Directorate General understands that the
       identification of the individual, was covered with security guarantees

       required, not proceeding therefore, the imposition of the sanction of
       warning proposed by the examining body, for which reason it is urged to file
       of this proceeding without imposition of any sanction”.

Of the actions carried out in this procedure, of the information and
documentation presented by the parties, the following have been accredited:


                                PROVEN FACTS

First: The claimant, when he tried to leave the demonstration in which he was
participating, a police control that was in one of the streets adjacent to

the demonstration required them to identify themselves. When he showed them his ID, one of the
agents took a photograph of the document and returned it to him.

Second: Given these facts, the DGP stated to this Agency, among others, that the
data processing carried out by the police officer when taking the photograph of the DNI

of the claimant with the camera of his private mobile phone was a way of proceeding
exceptional in the circumstances of the pandemic experienced, in order to avoid a risk to
your health.

Third: The DGP affirms before this Agency that, from the Deputy Directorate of Operations,
Instructions will be given on the use of electronic devices by

part of police officers in operational actions, in a way that ensures
the conformity of said actions to the regulations on the Protection of
Data.

                           FOUNDATIONS OF LAW


       I.- Competition:

The Director of the Spanish Agency is competent to resolve this procedure.
Data Protection, in accordance with the provisions of art. 58.2 of the RGPD in

the art. 47 of LOPDGDD.

       II.- Summary of the facts:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/24








According to the claimant, when he tried to leave the concentration in which they were
participating, a police control that was in one of the streets adjacent to
the concentration required him to identify himself. When he showed them his ID, one of them

he took a picture of the document with his personal mobile phone and handed it back. The
The claimant assures that the agent herself told her that the photographs were
taking with his personal mobile phone, since they did not have an official telephone number.

On the part of the DGP, it was stated that, in the social and health context such as the one
was living, marked by the coronavirus COVID-19, the practice of identifying

people implied an increase in personal risk to the health of the
agents so in cases like this, self-protection measures were extreme
avoiding all direct contact with the people who identified themselves and with their
belongings, looking for environmental conditions of asepsis and keeping distances
of security, reason why it was decided that the best solution for it, was the taking of

photographs of the DNI, ensuring that, once the appropriate checks have been made
for correct identification, the photograph was immediately deleted from the device.

       III.- Regarding the allegations made by the DGP regarding the proposal for
resolution.


FIRST: The DGP alleges in its brief dated 03/17/22 that article 2.2.d) of the
RGPD, excludes from its application the processing of personal data carried out by
of the competent authorities for the purposes of prevention, investigation, detection or
prosecution of criminal offences, or execution of criminal sanctions, including
that of protection against threats to public security and their prevention, and that,

Therefore, the data processing carried out by the police officer when taking the photograph
of the claimant's DNI with the camera of the private mobile phone is
expressly excluded from the scope of application of the RGPD and the LOPDGDD.

In this regard, the following should be indicated:


Organic Law 4/2015, of March 30, on the Protection of Citizen Security
(LOPSC), empowers the competent authorities to:

       “(…) agree on different actions aimed at maintenance and, where appropriate, at
       Restoration of citizen tranquility in cases of insecurity

       public, precisely regulating budgets, purposes and requirements
       to carry out these procedures, in accordance with the principles, among others, of
       proportionality, minimal interference and non-discrimination (…)”.

In application of the foregoing, article 9.2 of the LOPSC establishes, with respect to the

obligation to show the DNI to the agents of the Security Forces and Bodies of the
State, the following:

       "two. All persons required to obtain the National Document of
       Identity they are also to exhibit it and allow the verification of the

       security measures referred to in section 2 of article 8 when
       are required to do so by the authority or its agents, for the
       compliance with the purposes set forth in section 1 of article 16.
       theft or loss must be reported as soon as possible to the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/24








       Police station or post of the Security Forces and Corps more
       next".


For its part, article 16 of the LOPSC itself, on the possibility of verifying
of the DNI by the State Security Forces and Bodies, establishes that:

       1. In the fulfillment of its functions of criminal investigation and prevention,
       as well as for the sanction of penal and administrative infractions, the agents
       of the Security Forces and Bodies may require the identification of the

       people in the following cases:

       a) When there are indications that they may have participated in the commission of a
       infringement.


       b) When, in view of the concurrent circumstances, it is considered
       reasonably necessary to prove their identity to prevent the commission
       of a crime. In these cases, the agents may carry out the
       necessary checks on public roads or in the place where the
       made the request, including the identification of persons whose face was not
       is totally or partially visible due to the use of any type of garment or object

       that covers it, preventing or hindering identification, when necessary to
       the indicated effects (…)”.

However, in the LOPSC Law itself, certain limits are established to this practice of
verification of the DNI, indicating that:


       “(…) In the practice of identification, the
       principles of proportionality, equal treatment and non-discrimination on grounds
       of birth, nationality, racial or ethnic origin, sex, religion or belief,
       age, disability, sexual orientation or identity, opinion or any other

       personal or social condition or circumstance (…)”.

The National Security Scheme, regulated in Royal Decree 3/2010, of 8
January, modified by Royal Decree 951/2015, of October 23, establishes, in its
article 21, the following:


       “In the structure and organization of the security of the system, it will be paid
       particular attention to information stored or in transit through
       insecure environments.

       Portable equipment will be considered insecure environments,

       personal assistants (PDA), peripheral devices, information carriers and
       communications over open networks or with weak encryption.

       2.- Part of security is the procedures that ensure the
       retrieval and long-term preservation of electronic documents

       produced by public administrations within the scope of their
       competencies.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/24








       3. All information in non-electronic support, which has been caused or
       direct consequence of the electronic information referred to in the
       present royal decree, must be protected with the same degree of security

       than this one. To this end, the measures that correspond to the nature of the
       of the support in which they are found, in accordance with the rules of
       application to their safety.

And for its part, article 22 of RD 3/2010, on prevention before other systems
of interconnected information, establishes the following:


       “The system has to protect the perimeter, in particular, if it connects to networks
       public. Public communications network shall be understood as the network of
       electronic communications that is used, in whole or mainly,
       for the provision of electronic communications services available

       for the public, in accordance with the definition established in section 26
       of annex II, of Law 32/2003, of November 3, General of
       Telecommunications. In any case, the risks derived from the
       interconnection of the system, through networks, with other systems, and
       will control your junction point.


Regarding the Activity Register, article 23 of RD 3/2010 establishes that:

       “With the exclusive purpose of achieving the fulfillment of the object of this
       royal decree, with full guarantees of the right to honor, to personal privacy
       and family and in the image of those affected, and in accordance with the regulations

       on the protection of personal data, of public or labor function, and other
       provisions that result from application, the activities of the
       users, retaining the information necessary to monitor, analyze,
       investigate and document improper or unauthorized activities, allowing
       identify at each moment the person who acts”.


And regarding the minimum requirements, article 27 of RG 3/2010 establishes:

       1. To comply with the minimum requirements established in this
       royal decree, the Public Administrations will apply the security measures
       indicated in Annex II, taking into account: a) The assets that constitute the

       system. b) The category of the system, as provided in article 43. c) The
       decisions taken to manage identified risks.

       2. When a system affected by this Royal Decree handles data from
       of a personal nature, the provisions of the Organic Law will apply

       15/1999, of December 13, and development regulations, without prejudice to the
       requirements established in the National Security Scheme.

               Note: Rule repealed, with effect from 07/12/18, without prejudice to the
               provided for in additional provision 14 of Organic Law 3/2018, of 5

               of December, as established in its sole repeal provision) therefore
               that this section is understood as referenced to the RGPD and the LOPDGDD,
               currently in force)


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/24








       3. The measures referred to in sections 1 and 2 will have the condition
       of minimum requirements, and may be extended due to the concurrence
       indicated or the prudent discretion of the person responsible for the information, given
       account of the state of technology, the nature of the services provided and the
       information handled, and the risks to which they are exposed.


Finally, regarding the security audits of the information systems used,
Article 34 of RD 3/2010 establishes the following:

       1. The information systems referred to in this royal decree
       shall be subject to an ordinary regular audit, at least every two years, which

       verify compliance with the requirements of this National Scheme
       of security. On an extraordinary basis, said audit must be carried out
       Whenever there are substantial changes in the system of
       information, which may affect the required security measures. The
       performance of the extraordinary audit will determine the date of computation for

       the calculation of the two years, established for the realization of the following
       ordinary regular audit, indicated in the previous paragraph.

       2. This audit will be carried out based on the category of the system,
       determined according to the provisions of annex I and in accordance with the provisions of
       annex III.


       3. Within the framework of the provisions of article 39, of Law 11/2007, of 22
       June, the audit will delve into the details of the system to the level that
       considers that it provides sufficient and relevant evidence, within the scope
       established for the audit.


       4. In carrying out this audit, the criteria, methods of
       generally recognized work and conduct, as well as the normalization
       national and international applicable to this type of audits of systems of
       information.

       5. The audit report must rule on the degree of compliance with the

       present royal decree, identify its deficiencies and suggest possible measures
       necessary corrective or complementary, as well as the recommendations that
       are considered appropriate. It must also include the criteria
       audit methodologies used, the scope and objective of the audit, and
       the data, facts and observations on which the conclusions are based
       formulated.


       6. The audit reports will be presented to the person in charge of the system and to the
       competent security officer. These reports will be analyzed by
       the latter who will present his conclusions to the person in charge of the system for
       take appropriate corrective action.


Therefore, taking into account the risks indicated, it should be considered that the use of
personal cameras or cell phones, unofficial or endowed, of the agents does not guarantee
the security of the data, while the private uses that each person can
perform with their own devices are not compatible with the measures of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/24








security that for the exercise of police functions must be adopted by the
responsible for the police file of which such recordings will be part.

SECOND: Regarding the statement made by the DGP when it indicates that: “(…) In this
In this way, it was left to the discretion of the officials to adopt the measures that, in their case,

considered appropriate to protect their safety and that of individuals, always
acting under the principles of legality and responsibility required by art. 6 of the
IT. 2/1986, of May 13, on Security Forces and Bodies, and with respect to the
rights of individuals regarding the processing of their personal data (...)”.

It should be noted in this regard that the first additional provision of the LOPDGDD,

on “Security measures in the public sector” establishes that:

       1. The National Security Framework will include the measures that must
       be implemented in case of processing of personal data to prevent its loss,
       alteration or unauthorized access, adapting the criteria for determining the

       risk in the treatment of the data as established in article 32 of the
       Regulation (EU) 2016/679.

       2. Those responsible listed in article 77.1 of this organic law
       They must apply to the processing of personal data the measures of
       security that correspond to those provided for in the National Scheme of

       Security, as well as promoting a degree of implementation of measures
       equivalents in companies or foundations linked to them subject to
       to private law.

       In cases where a third party provides a service under a concession regime,
       management assignment or contract, the security measures are

       will correspond to those of the original public Administration and will adjust to the
       National Security Scheme.

The DGP, as a Body of the Ministry of the Interior, is subject to the provisions of
section 2 of the aforementioned additional provision and since it is the DGP that acts as
responsible for the processing of personal data, it is your obligation to apply to the

processing of personal data carried out by its officials, the measures of
corresponding security, of those provided for in the National Security Scheme,
not being protected by the regulations, leave "(...) at the discretion of the officials the
adoption of the measures that they considered appropriate to protect their
security and that of individuals (...)”,


THIRD: About the statement made by the DGP when it indicates that. "(…) It can
affirm in view of the results of the facts that the official acted in all
moment under the aforementioned principle of responsibility, and proof of this, is that the data
personal data of the individual were treated with the sole purpose of preventing the
citizen security (art. 1 of LO 7/2021), and guaranteeing that the individual does not

suffered any damage derived from said treatment (…)”.

Indicate in this regard that, as established in its twelfth final provision, this Law
Organic "will enter into force twenty days after its publication in the Official Gazette of the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/24








Condition. Its publication occurred on 05/27/21, so the entry into force of the
standard occurred on 06/16/21.


Well, since the events that are the subject of this proceeding occurred on
06/01/21, the date on which Organic Law 07/2021 was not yet in force, is not
can be taken into account in this case.

FOURTH: Regarding the consideration requested by the DGP, in the sense of applying the
extenuating circumstances indicated in article 83 of the RGPD and in article 76 of the LOPDGDD.


Regarding this aspect, it should be noted that article 77.2 of the LOPDGDD establishes the
Next:

       “When those responsible or in charge listed in section 1

       committed any of the offenses referred to in articles 72 to
       74 of this organic law, the data protection authority that results
       authority will issue a resolution sanctioning them with a warning
       (…)”,

Therefore, it is not possible, in this case, to take into consideration what is stipulated in the

article 83 of the RGPD and in article 76 of the LOPDGDD, in order to graduate the
sanction to be imposed, because in this case, it is only possible to sanction with a warning.

IV.- On the infringement of article 32 of the RGPD committed by the DGP.


The RGPD, in its article 32, requires those responsible for the treatment to adopt,
security measures of a technical and organizational nature that guarantee that the
processing of personal data is carried out in accordance with current regulations, as well
as that, any person acting under the authority of the person in charge or the
person in charge performs it following the instructions of the person in charge and this is established in

said article:

       1. Taking into account the state of the art, the application costs, and the
       nature, scope, context and purposes of the treatment, as well as risks
       of variable probability and severity for the rights and freedoms of
       natural persons, the person in charge and the person in charge of the treatment will apply

       appropriate technical and organizational measures to ensure a level of
       security appropriate to the risk, which, where appropriate, includes, among others:

       a) pseudonymization and encryption of personal data;


       b) the ability to ensure the confidentiality, integrity, availability and
       permanent resilience of treatment systems and services;

       c) the ability to restore availability and access to data
       quickly in the event of a physical or technical incident;


       d) a process of regular verification, evaluation and evaluation of the effectiveness
       technical and organizational measures to guarantee the security of the
       treatment.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/24









       2. When evaluating the adequacy of the security level, particular consideration shall be given to
       taking into account the risks presented by the processing of data, in particular as

       consequence of the accidental or unlawful destruction, loss or alteration of
       personal data transmitted, stored or otherwise processed, or the
       unauthorized communication or access to such data.

       3. Adherence to an approved code of conduct under article 40 or to a
       certification mechanism approved under article 42 may serve as a

       element to demonstrate compliance with the requirements established in the
       paragraph 1 of this article.

       4. The person in charge and the person in charge of the treatment will take measures to
       ensure that any person acting under the authority of the controller or

       of the person in charge and has access to personal data can only treat said
       data following the instructions of the person in charge, unless it is obliged to do so
       under the law of the Union or of the Member States.

V.- Typification and Sanction for the infringement of article 32.1 of the RGPD


In the present case, the fact of taking a photograph of the DNI with a mobile phone
of personal use of a police officer supposes the commission of the infraction of the
article 32.1 of the RGPD, when processing personal data without having the
guarantees necessary to have implemented the technical and organizational measures
appropriate to guarantee a level of security appropriate to the risk.


In this sense, article 73.f) of the LOPDGDD, considers "serious", for the purposes of
prescription, “f) The lack of adoption of those technical and organizational measures that
are appropriate to guarantee a level of security appropriate to the risk of the
treatment, in the terms required by article 32.1 of the RGPD”.


This infraction can be sanctioned with a fine of €10,000,000 maximum or,
in the case of a company, an amount equivalent to a maximum of 2% of the
global total annual turnover of the previous financial year, opting for the
of greater amount, in accordance with article 83.4.a) of the RGPD.


In the present case, since the party claimed is the General Directorate of the Police,
Directive Body belonging to the General Administration of the State, it must have
present what is established in art. 83.7 of the aforementioned RGPD, where it is indicated that:

"Without prejudice to the corrective powers of the control authorities (...) each

Member State may lay down rules on whether, and to what extent,
impose administrative fines on authorities and public bodies established in
that Member State".

Well, article 77.2 of the LOPDGDD establishes, on the regime applicable to

Entities that are part of the Public Administration, the following:

“When those responsible or in charge listed in section 1 committed
any of the infractions referred to in articles 72 to 74 of this law

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/24








organic, the data protection authorities that are competent will dictate
resolution sanctioning them with a warning. The resolution will establish
Likewise, the measures that should be adopted to stop the conduct or correct it.

the effects of the infraction that has been committed”.

In accordance with these criteria, it is considered appropriate to sanction with a warning the
General Directorate of the Police, for the infringement of article 32.1 of the RGPD, by
considers that the taking of the photograph of the claimant's DNI with a telephone
personal mobile of one of the police officers, is an act that does not guarantee a level

security appropriate to the risk.

Therefore, in accordance with the foregoing, by the Director of the Agency
Spanish Data Protection,
                                     RESOLVES:


FIRST: SANCTION with a WARNING, to the GENERAL DIRECTORATE OF THE
POLICE for the violation of article 32.1) of the RGPD, punishable in accordance with the
provided in art. 83 of the aforementioned rule, regarding the lack of security in the
treatment of personal data revealed at the time of taking a
Photograph of the claimant's ID with a personal mobile phone of the police officer

who made the identification.

SECOND: NOTIFY this resolution to the GENERAL DIRECTORATE OF THE
POLICE and the claimant about the result of the claim.


THIRD: COMMUNICATE this resolution to the Ombudsman,
in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common to Public Administrations, and in accordance with the provisions of the
art. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reconsideration before the Director of the Agency

Spanish Data Protection Authority within a month from the day
following the notification of this resolution or directly contentious appeal
before the Contentious-Administrative Chamber of the National High Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction

Contentious-Administrative, within two months from the day after
to the notification of this act, as provided in article 46.1 of the aforementioned Law.

Sea Spain Martí.
Director of the Spanish Agency for Data Protection.






C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es