AEPD (Spain) - PS/00565/2022
|AEPD - PS/00565/2022|
|Relevant Law:||Article 32 GDPR|
Article 58(2)(d) GDPR
Article 83(4) GDPR
|Parties:||AGRUPACION DE LOS CUERPOS DE LA ADMINISTRACION DE INSTITUCIONES PENITENCIARIAS|
ASOCIACIÓN DE TRABAJADORES PENITENCIARIOS TU ABANDONO ME PUEDE MATAR
ASOCIACIÓN PROFESIONAL DE FUNCIONARIOS DE PRISIONES
SECRETARÍA GENERAL DE INSTITUCIONES PENITENCIARIAS
|National Case Number/Name:||PS/00565/2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA reprimanded the General Secretariat of Penitentiary Institutions of Spain for the leak of images captured by the video surveillance system of the penitentiary center of Villena (Alicante), violating Article 32 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
On 14, 19 and 21 September 2021, three penitentiary associations lodged a complaint against the Secretaría General de Instituciones Penitenciarias (the General Secretariat of Penitentiary Institutions of Spain - SGIP) due to leaked images captured by the video surveillance system of the penitentiary center of Villena (Alicante). In these images the aggression of some officials against a prisoner can be seen.
The images only motivated an internal investigation to determine possible disciplinary responsibilities.
Holding[edit | edit source]
The Spanish DPA considered that the General Secretariat of Penitentiary Institutions of Spain did not have the appropriate measures in place to ensure a level of security appropriate to the risk, violating Article 32 GDPR. Who leaked the file could not be ascertained as there were no accredited records of users who may have accessed the system. Any inspctor was able to access the recorded images, regardless of whether or not they were authorized to do so.
The Spanish DPA reprimanded the General Secretariat of Penitentiary Institutions of Spain for the leak of images captured by the video surveillance system of the penitentiary center of Villena (Alicante) and for violating Article 32 GDPR.
The General Secretariat must within a period of 6 months, affirm that it has adopted the necessary measures to ensure records of access to personal data, and also grant profiles to civil servants so that each one can only access the information that is necessary for the performance of their duties.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12 File No.: EXP202102430 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: GROUPING OF THE BODIES OF THE ADMINISTRATION OF PENITENTIARY INSTITUTIONS (ACAIP) (hereinafter the claimant party 1), ASSOCIATION OF PENITENTIARY WORKERS YOUR ABANDONMENT CAN ME MATAR (hereinafter the claimant party 2), and PROFESSIONAL ASSOCIATION OF PRISON OFFICIALS (hereinafter, the claimant party 3) with dates 09/14/2021, 09/19/2021 and 09/21/2021 respectively, filed a claim with the Spanish Data Protection Agency. The claim is directed against GENERAL SECRETARIAT OF PENITENTIARY INSTITUTIONS with NIF S2813060G (hereinafter, SGIP). The reasons on which the claim is based are the following: They denounce the leak of some images captured by the video surveillance system of the Villena penitentiary center (Alicante), in which the aggression of some officials to a prisoner. According to what they state, the images only motivated, apparently, a confidential internal investigation to determine possible responsibilities disciplinary measures, although the press has echoed the events and broadcast the video. Along with the notification, links to the news that contain the facts are provided. reported, and the video with the images can be viewed. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the SGIP so that proceed to its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on 10/06/2021 as stated in the acknowledgment of receipt that appears in the file. THIRD: On December 14, 2021, in accordance with article 65 of the LOPDGDD, the claims presented by the parties were admitted for processing claimants. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/12 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: Date on which the claimed events took place: September 9, 2021 The background information contained in the information systems is as follows: Once the claim was transferred to the claimed party on October 6, 2021, it was received in this Agency written response on November 5, 2021 from the Subdirectorate General Analysis and Inspection of the SGID stating that: (…) On December 14, 2021 and January 4, 2022, the parties were informed claimants admission to processing. On January 17, 2022, the Spanish Data Protection Agency agreed carry out these investigative actions in relation to the facts claimed. ENTITIES INVESTIGATED During these actions, the following entities have been investigated: GENERAL SECRETARIAT OF PENITENTIARY INSTITUTIONS with NIF S2813060G with address at C/ ALCALA, 38 - 40 - 28014 MADRID (MADRID) RESULT OF THE RESEARCH ACTIONS Information request made to the claimed party on February 9, 2022, A response was received on February 19 from the General Subdirectorate of Institutional Relations. tional and Territorial Coordination where it states that with respect to what is required: 1. Purpose of the processing related to leaked recordings and applicable regulations: Organic Law 3/2018 and/or Organic Law 7/2021, as well as the rest of the details of the Record of activity of said treatment. “in accordance with art. 32 of LO 7/21, of May 26, on protection of personal data. processed data for the purposes of prevention, detection, investigation and prosecution of criminal offenses and execution of criminal sanctions, which: - The purpose of video surveillance treatment in penitentiary establishments is to recording of the images obtained by the different video surveillance systems installed cut down to control access and traffic in penitentiary centers. - The applicable regulations and their legitimizing basis are that of art. 11 of LO 7/21, of 26 May, protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and execution of personal sanctions finals. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/12 - The categories of data processed consist of images of vehicles and people. those who enter and remain in penitentiary establishments. - It is planned to be transferred to the State Security Forces and Corps, Defender of the People, the Public Prosecutor's Office and the Courts in the exercise of the functions assigned to them. buidas, without the international transfer being contemplated. - The General Director of Criminal Enforcement and Reintegration is responsible for the treatment. Social of the General Secretariat of Penitentiary Institutions, C/Alcalá, 38-40, 28014, Madrid, with the directors of each school being delegated responsible. establishment where the recording occurs. Attached is a report from the General Subdirectorate of Analysis and Competitive Inspection. “Tent in the matter.” This report provides the following information: (…) CONCLUSIONS Previous Information 2021/122 was opened for the investigation of the events that occurred on 8/16/21 at the Center and was sent to the Penitentiary Surveillance Court and the Court of Villena Guard. Due to the subsequent dissemination of the images of this incident, a investigation that opened Previous Information 131/2021 to determine the responsibility and circumstances that took place in the dissemination of the images with the consequent breach of the principle of confidentiality and secrecy that governs the duty of conduct of public office. Regarding the determination of authorship in the dissemination of the images, there has been no been able to prove it, nor where the breach of the principle of confidentiality in their treatment. The defendant alleges that he is protected for the processing of the images by the art.11 of Organic Law 7/2021 and Instructions 5/2006 and 6/2007 on communication and clarification of serious regimental facts, and the duty to participation to the judicial authorities in accordance with the provisions of article 262 of the Criminal Procedure Law. It provides information about the CCTV system, covered by two instructions: - Instruction 3/2015 on video surveillance in penitentiary establishments May 18, 2015 and that was in force on the date of the events claimed and of the claim; and - Instruction 4/2022 which regulates the processing of personal data personnel obtained by recording images and sounds by the existing video surveillance systems in the different establishments penitentiaries of July 28, 2022 together with the Guide for the preparation of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/12 Recording, storage and image processing protocol obtained through the establishments' video surveillance systems penitentiaries, of July 28, 2022, in development of Instruction No. 4/2022. That is, the 2022 instruction and its action protocol detailing the measures of security and access date after the events claimed and the claim, takes effect 15 days after its receipt in the centers and was given to the Board of Directors a period of 3 months to adapt the procedures. The 1st instruction refers to the LOPD/RLOPD and these last two documents refer to Organic Law 3/2018, Organic Law 7/2021 and the Regulation (EU) 2016/679. Provides the status of the judicial procedure as of June: Previous Procedures 2021/450 Court of 1st Instance and Instruction No. 1 of Villena. FOURTH: On November 29, 2022, the Director of the Spanish Agency of Data Protection agreed to initiate sanctioning proceedings against the claimed party, for the alleged violation of Article 32 of the RGPD, typified in Article 83.4 of the GDPR. Once the initiation agreement was notified, the SGIP presented a written statement of allegations, in which, in synthesis stated: -The SGIP alleges that any decision adopted in the disciplinary field must be governed by the principle of presumption of innocence. -The SGIP alleges that, in addition to having known the images, the Administration Penitentiary (Alicante Penitentiary Center I and General Subdirectorate of Analysis and Inspection) there were two judicial bodies to which, by legal imperative, they were sent the aforementioned images (Guard Court of Investigation and Surveillance Court Penitentiary), and that they cannot be held responsible for the use and treatment granted for these. -The SGIP alleges that the need for the access profile to be broad has its origin in the very organization and work needs of the General Subdirectorate of Analysis and Inspection, and that in relation to the lack of traceability, it is possible to know which person accesses which images - that is, access to the shared folder leaves trace -, the impossibility of identification to which reference had been made was that of the specific person who has made said images in question public. FIFTH: On 05/05/2023, the procedure instructor agreed to practice the following tests: “It is also requested that the following documentation be sent related to the Prior information procedure 2021/122: Detail and documentary accreditation: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/12 a) Users who had access to the system. b) Roles assigned to each of them, functions and permissions access granted c) Existing procedures for user management (detailing the registration, cancellation, identification, authentication and control processes logical access). d) Analysis of the records of the users who had access to the system (logs)” On 05/23/2023, a written response was received, complying with the test. requested. SIXTH: On June 8, 2023, a proposed resolution was formulated, proposing: That the Director of the Spanish Data Protection Agency imposes GENERAL SECRETARIAT OF PENITENTIARY INSTITUTIONS, with NIF S2813060G, for a violation of Article 32 of the RGPD, typified in Article 83.4 of the GDPR, a warning sanction. Once the proposed resolution has been notified, the SGIP presents a new document in which states: “In the Reference File, what was contributed throughout the procedure, remaining available for the implementation of those measures technical and organizational to the extent that it is budgetarily possible” In view of everything that has been done, by the Spanish Data Protection Agency In this procedure, the following are considered proven facts: PROVEN FACTS FIRST: According to documentation in the file, there is a lack of profiles, since any inspector could access the recorded images, without having been specified whether or not they are authorized to do so, whether any system has to be enabled specific, or if access to the images is free for all inspectors, since the response to the requested evidence has not clarified this aspect. SECOND: According to documentation in the file, there is a lack of traceability, since it has not been proven that there are records of users who may have accessed the system. FOUNDATIONS OF LAW Yo C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/12 In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II In response to the allegations presented by the claimed entity, it should be noted the next: -The SGIP alleges that any decision adopted in the disciplinary field must be governed by the principle of presumption of innocence. In this regard, this Agency expresses its total and absolute agreement, indicating that all sanctioning procedures are carried out according to established in articles 64 and following of the LOPDGDD, respecting scrupulously the established legislation. The presumption of innocence, a fundamental right of citizenship according to art. 24.2 of the Constitution and art. 6.2 of the European Convention of Rights Humans, is expressly included in our regulations for administrative sanctioning procedures in art. 53.2.b) of Law 39/15 where among the rights of the interested party in the administrative procedure sanctioner will have the right "To the presumption of non-existence of administrative responsibility until proven otherwise." As established by STS 04/28/2016 (RC 677/2014): "it can be said that the right to the presumption of innocence, which applies without exception in the field of administrative sanctioning procedure, according to the Court Constitutional ruling 66/2007, of March 27, means that "no any sanction may be imposed that is not based on a prior lawful evidentiary activity", and also implies the recognition of the right to an administrative sanctioning procedure due or with all guarantees, that respects the principle of contradiction and in which the alleged responsible have the opportunity to defend their own positions, prohibiting the initiation of disciplinary proceedings when it is unequivocally appreciable or manifests the absence of rational indications that a crime has been committed C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/12 infringing conduct, or in which illegality or illegality is absent culpability" -The SGIP alleges that, in addition to having known the images, the Administration Penitentiary (Alicante Penitentiary Center I and General Subdirectorate of Analysis and Inspection) there were two judicial bodies to which, by legal imperative, they were sent the aforementioned images (Guard Court of Investigation and Surveillance Court Penitentiary), and that they cannot be held responsible for the use and treatment granted for these. In this regard, this Agency indicates that, in this specific procedure sanctioner, no infringement is being charged for the leak of images in itself, but for lacking technical and organizational measures that result appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of the RGPD. -The SGIP alleges that the need for the access profile to be broad has its origin in the very organization and work needs of the General Subdirectorate of Analysis and Inspection, and that in relation to the lack of traceability, it is possible to know which person accesses which images - that is, access to the shared folder leaves trace -, the impossibility of identification to which reference had been made was that of the specific person who has made said images in question public. In this regard, this Agency refers to the Report issued by the General Subdirectorate of Analysis and Inspection, recorded in the file, in whose point 2 is quoted verbatim (the underlining corresponds to the AEPD): “Once the images are brought to the attention of the Unit of Inspection were treated, in compliance with their functions of investigation legally established by the Guard Inspection, the Instructor of Previous Information 2021/122, and where they could also the rest of the Inspectors of the “Unity, without being able to prove such an extreme” It does not make reference, therefore, as alleged in the allegations, to the impossibility of determining the specific person who made public the images, but because it has not even been possible to prove which people have accessed the subsequently leaked images. It should also be noted that, requested by this Agency, information about of the records of the users who had access to the system (logs), the response is limited to stating: “The file server logs are saved for a specific time, without being able to have access at this time. the logs of those dates.” III Article 32 “Security of processing” of the GDPR establishes: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/12 "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for people's rights and freedoms physical, the person responsible and the person in charge of the treatment will apply technical and appropriate organizational measures to guarantee a level of security appropriate to the risk, which, if applicable, includes, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore availability and access to data personnel quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to takes into account the risks presented by data processing, in particular as consequence of the accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data. 3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the person responsible or in charge and has access to personal data can only process said data following instructions of the person responsible, unless it is obliged to do so by virtue of the Law of the Union or the Member States. In the present case, although it is true that it has not been possible to determine when or by which organ of those who have had access to the images the leak occurred of the same, if it becomes clear that the SGIP did not have the measures appropriate to guarantee a level of security appropriate to the risk. From the instruction carried out in this procedure, it is concluded that the SGIP has failed to comply with the provisions of article 32 of the RGPD. IV Article 83.4 of the GDPR, under the heading “General conditions for taxation of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/12 global total annual business volume of the previous financial year, opting for the largest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. (…) V Without prejudice to the provisions of article 83.5 of the RGPD, the aforementioned article provides in its section 7 the following: “7. Without prejudice to the corrective powers of the supervisory authorities under the Article 58(2), each Member State may lay down rules on whether can, and to what extent, impose administrative fines on authorities and organizations public establishments established in that Member State. For its part, article 77 “Regime applicable to certain categories of responsible or in charge of processing” of the LOPDGDD provides the following: "1. The regime established in this article will apply to the treatments of who are responsible or in charge: a) Constitutional bodies or bodies with constitutional relevance and the institutions of the autonomous communities analogous to them. b) The jurisdictional bodies. c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration. d) Public bodies and public law entities linked or dependent on Public Administrations. e) Independent administrative authorities. f) The Bank of Spain. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/12 g) Public law corporations when the purposes of the treatment are related to the exercise of public law powers. h) Public sector foundations. i) Public Universities. j) The consortia. k) The parliamentary groups of the Cortes Generales and the Assemblies Autonomous legislative bodies, as well as the political groups of the Corporations Local. 2. When the persons responsible or in charge listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this law organic, the competent data protection authority will dictate resolution sanctioning them with a warning. The resolution will establish Likewise, the measures that should be adopted to stop the conduct or correct it. the effects of the infraction that has been committed. 3. Without prejudice to what is established in the previous section, the authority for the protection of data will also propose the initiation of disciplinary actions when there are sufficient evidence for this. In this case, the procedure and sanctions to apply will be those established in the legislation on disciplinary or sanctioning regime that results of application. Likewise, when the infractions are attributable to authorities and managers, and are prove the existence of technical reports or recommendations for the treatment that had not been duly attended to, in the resolution in which the sanction will include a reprimand with the name of the responsible position and will order the publication in the Official State or autonomous Gazette that correspond. 4. The resolutions that fall in relation to the measures and actions referred to in the sections previous. 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. (…)” SAW In accordance with the provisions of article 58.2 d) of the RGPD, each authority of control may “order the person responsible or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, when appropriate, in a certain manner and within a specified period…”. For all these reasons, the claimed party must proceed, within a period of 6 months from the receipt of this resolution, to the adoption of the necessary measures so that records of access to personal data remain, and also the granting of profiles to officials so that each one can only access the information they necessary for the performance of their functions. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/12 It is warned that failure to comply with the order to adopt measures imposed by this body in the sanctioning resolution may be considered as an infraction administrative in accordance with the provisions of the RGPD, classified as an infringement in its article 83.5 and 83.6, such conduct may motivate the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE the GENERAL SECRETARIAT OF INSTITUTIONS PENITENTIARIES, with NIF S2813060G, for a violation of Article 32 of the RGPD, typified in Article 83.4 of the RGPD, a warning sanction. SECOND: ORDER the GENERAL SECRETARIAT OF INSTITUTIONS PENITENTIARIES, with NIF S2813060G, which by virtue of article 58.2.d) of the RGPD, Within a period of 6 months, prove that you have proceeded to adopt the measures necessary so that records of access to personal data remain, and also the granting of profiles to officials so that each one can only access the information that is necessary for the performance of their functions. THIRD: NOTIFY this resolution to the GENERAL SECRETARIAT OF PENITENTIARY INSTITUTIONS. FOURTH: COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/12 documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-010623 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es