AEPD (Spain) - PS/00214/2022

From GDPRhub
Revision as of 14:55, 7 February 2023 by Kv
AEPD - PS 00214-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR, Article 9(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 26.02.2021
Decided:
Published: 16.01.2023
Fine: 40,000 EUR
Parties: AGROXARXA, S.L.; THOMAS INTERNATIONAL SYSTEMS, S.A.
National Case Number/Name: PS 00214-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Teresa López

The Spanish DPA fined a talent acquisition company €40,000 for collecting data on ethnicity and disability of data subjects during their aptitude testing process. The company violated Article 9 GDPR because it could not rely on any of the exceptions of Article 9(2) GDPR to process this special category data.

English Summary

Facts

THOMAS INTERNATIONAL SYSTEMS, S.A. (THOMAS) was a talent acquisition company that carried out aptitude testing on behalf of its clients. THOMAS provided behavioural tests and surveys for potential job candidates of companies. THOMAS would then provide a report about the capabilities of the data subject as a result of the test. This way, potential employers could assess the qualities of a potential job candidate.

In this context, AGROXARXA, S.L. (AGROXARXA), a client of THOMAS, requested a job candidate (data subject) to complete a behavioural survey. This survey was accessible on the website of THOMAS. The data subject received instructions to complete this survey in order to participate in a selection process of a job application.

Following these instructions, the data subject completed THOMAS's assessment (hereinafter, the first survey) on behalf of the potential new employer AGROXARXA. The purpose of this first survey was to assess the suitability of the data subject for the open position at AGROXARXA. This first survey was a psychological test which assessed the intelligence, personality, emotional intelligence and potential of the candidates.

However, once they had completed the survey, THOMAS asked the data subject to fill in a second questionnaire (hereinafter, the second survey) for the purposes of research and improvement of the evaluations conducted by THOMAS. This second survey collected several categories of personal data, such as gender, year of birth, disability, ethnicity, mother tongue, level of education, current employment status, current industry, current role, current level of leadership, level of job happiness, job rating, description of disability and consideration of leadership.

For each question in this second survey, the data subject was presented with a drop-down menu that included the option “I prefer not to answer”, except for the disability category. This category only contained a free-text field, without the aforementioned drop-down menu.

The second survey also contained an informative text which would be presented before the data subject would start answering the questions. THOMAS stated in this text that participation was entirely voluntary. Data subjects would be able to skip any question they did not wish to answer.

On 21 February 2021, the data subject filed a complaint with the Spanish DPA (DPA) against THOMAS for requesting disability and ethnicity data during an application procedure for a job offered by AGROXARXA. The data subject stated that they were unaware of how the company would use such data.

After a request from the DPA, THOMAS disclosed its data processing agreement with AGROXARXA, which was signed by both parties on 30 May 2018. This agreement identified THOMAS as a data processor for the purposes of carrying out the first survey on behalf of AGROXARXA. Regarding the second survey, THOMAS identified itself as a controller for the processing of disability and ethnicity data. THOMAS stated that it did not process this data for its psychometric assessment. This data was only aimed at ensuring that the assessment tools were designed in such a way that they did not discriminate against the persons being assessed.

THOMAS stated that it could rely on Article 9(2)(j) GDPR (“scientific research purposes”) to process the special category health data. THOMAS held in this regard that it complied with the international psychometric standards recommended by the European Federation of Psychologists' Associations (FEAP), the International Test Commission (ITC) and the Association for Business Psychology. THOMAS also stated that the data subject had the choice to consent to the processing of ethnicity and disability data, because the data subject could simply choose to refrain from answering these questions.

Holding

First, the DPA acknowledged that THOMAS was the controller for the processing carried out in the second survey. The DPA stated that THOMAS determined both the means and purposes of the processing, and also held that the controller processed this data for its own benefit.

Second, the DPA held that THOMAS (the controller) processed data relating to ethnicity and disability, which is special category data, without justifying the applicability of any of the circumstances or exceptions established in Article 9(2) GDPR. Therefore, THOMAS had no justification for departing from the prohibition on the processing of special category personal data. The DPA specifically held that the exception invoked by the controller, that of Article 9(2)(j) GDPR (“scientific research purposes”), did not apply: the controller could not point to any legal rule covering such data processing. Regarding the standards invoked by the controller, namely that it complied with the standards of the FEAP and the ITC, the DPA held that these did not constitute 'standards of Union or Member State Law', which is a requirement of Article 9(2)(j) GDPR. Therefore, the controller could not rely on Article 9(2)(j) GDPR for its processing.

Third, the DPA held that it was unclear if the controller even had an appropriate legal basis pursuant to Article 6 GDPR. The information contained in their privacy policy was too generic and was limited to citing several legal bases, but without specifying which of these legal bases corresponded to each of the controller's processing operations. The DPA assessed the legal bases of contract (Article 6(1)(b) GDPR), legal obligation (Article 6(1)(c) GDPR) and legitimate interest (Article 6(1)(f) GDPR) and determined that the controller would not be able to use any of these legal bases for the processing in this case.

Fourth, the DPA also dismissed the possibility that the processing of sensitive data was based on consent due to the optional nature of the survey. The DPA held that the mere indication of voluntariness does not meet the requirements of Article 9(2)(a) GDPR, which states that consent to the processing of special categories of personal data must be “explicit”. The DPA also stated that the controller did not have a consent mechanism in place and held that the fact that the data subject could choose whether or not to fill in the form could not be accepted as a form of consent.

Fifth, the DPA found that the controller did not duly inform the data subject about the purpose, the legal basis or the right to withdraw consent, as required by Article 13 GDPR. A further deficiency was that the privacy policy was only provided in English.

Lastly, the DPA held that THOMAS had failed to provide sufficient evidence to prove that the proportionality requirements were met, an obligation demanded by the Spanish Constitutional Court (see Judgment 14/2003, 28 January). Based on the information the controller provided, it could not be concluded whether the processing was appropriate for the proposed purpose, whether it was necessary, or whether there were less intrusive alternative measures.

For all these reasons, the DPA found that the controller had breached Article 9 GDPR. The DPA imposed a sanction according to Article 83(5)(a) GDPR and Article 72(1)(e) of the Spanish Data Protection Law. The DPA considered the following aggravating factors:

Based on Article 83(2)(a) GDPR: (1) The nature and gravity of the offence, given that the data subject was clearly not aware of the controller of the processing and the use to be made of the personal data. This had an impact on the ability of data subjects to exercise effective control over their personal data. (2) The duration of the infringement, since the data processing actions, which were subject of this procedure, dated as early as 3 July 2019. (3) The number of data subjects: the infringement affected all data subjects who are assessed by the Controller. (4) The harm suffered by the data subjects: the data subjects saw increased risks to their privacy.

Based on Article 83(2)(b) GDPR: Negligence in the commission of the offence. The DPA understood that the controller processes personal data systematically and continuously and should have taken better care to comply with its data protection obligations.

Based on Article 83(2)(d) GDPR: The controller did not have adequate procedures in place for the collection and processing of ethnicity and disability data. The infringement was not the result of an anomaly in the operation of those procedures, but a defect in the personal data management system, which was designed by the controller on its own initiative.

Based on Article 76(2)(b) Spanish Data Protection Law: The close link between the controller's activity and the processing of personal data.

Considering the above factors, the DPA determined a fine of €50,000. The DPA also ordered the controller to stop collecting personal data relating to ethnicity and disability through the survey. The controller also had to stop using the data it had previously collected on this basis. The controller ended up paying €40,000, making use of the possibility, provided for in Spanish administrative law, of having the proposed fine reduced in exchange for voluntary payment.

Comment

The Spanish Data Protection Authority gave an example of what measures would have constituted an adequate remedy and mitigation to the breach according to Article 83(2)(f) GDPR: “Mitigating the adverse effects or mitigating the damage caused by breaches involves restoring the rights of data subjects, which in this case entails deleting the ethnicity and disability data collected from data subjects and suspending their collection”.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: PS/00214/2022

RESOLUTION OF TERMINATION OF THE PROCEDURE DUE TO VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: On May 5, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanction proceedings against THOMAS INTERNATIONAL SYSTEMS, S.A. (hereinafter the claimed party). The initiation agreement having been notified and the allegations presented having been analyzed, on December 14, November 2022 the proposed resolution was issued, which is transcribed as follows:

<<



File No.: PS/00214/2022

PROPOSED RESOLUTION OF SANCTION PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following:

BACKGROUND

FIRST: On 02/26/2021, a document presented by A.A.A. (hereinafter, the complaining party) was received at this Spanish Agency for Data Protection, by which a claim is filed against the entity Agroxarxa, S.L., with NIF B25269358 (hereinafter, Agroxarxa), for the processing of personal data of special categories.

The complaining party states that (...) it had to carry out psychotechnical tests, accessible through a link from an entity specialized in these services. As it claims, in one of the forms used to carry out the process, sensitive data (disability and ethnicity) was requested, without knowing the use that the company would make of this data. It adds that the completion of these forms was required by the Agroxarxa Human Resources department.

It provides a screenshot of the questionnaire in which the disputed data is requested, available on the website "***URL.1" (hereinafter "Thomas Research Questionnaire" or "Questionnaire"), the content of which is outlined in the Second Proven Fact. In its upper left corner is the logo of the entity "Thomas International Ltd.", to which said form belongs according to the indication inserted therein ("Copyright"). On the screen provided by the claimant, the options detailed in the Sixth Proven Fact are selected.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/42

SECOND: During the phase of admission for processing of the claim under review, the General Subdirectorate of Data Inspection accessed the Privacy Policy of the entity "Thomas International Ltd.", dated 07/03/2019 and in English (the content of this document, insofar as it is relevant to the present procedure, is outlined in the Fourth Proven Fact).


THIRD: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the claim filed was transferred to the entity Agroxarxa so that it could analyze it and inform this Agency, within one month, of the actions carried out to adapt to the requirements established in the data protection regulations.

The term granted to Agroxarxa for this purpose elapsed without this Agency receiving any written response.


FOURTH: On 06/29/2021, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.

FIFTH: In view of the facts denounced in the claim and the documents provided by the complaining party, the General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the investigative powers granted to supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD. The inspection services of the AEPD carried out the following actions:


1. The Inspection Services of this Agency sent Agroxarxa an information request, which said entity answered by means of a written statement of 12/21/2021, in which it reports the following:

- (…).

- In reference to the personnel selection process, it notes that it does not request or require candidates to include in their curricula personal data concerning race, ethnicity or disability.

It explains the process it follows to select the finalists, who are asked to complete a "behavioral survey" with the aim of knowing whether the candidate fits, in terms of skills and competencies, the conditions required for the job. This is done through the platform owned by the company "Thomas International Ltd", which informs of its terms and conditions, privacy policy, cookies and other legal requirements in the email that candidates receive to complete the survey.

Once the candidates have carried out the survey on the "Thomas International Ltd." platform, and based on the analysis of the result it issues, a final interview is held to select the person to be hired.

- In reference to the information provided to the candidates.

The company "Thomas International Ltd.", when sending the email to participate in the survey, sends the link to its rules, where the processing of data can be seen in detail.

Agroxarxa incorporates one of these emails as an example, whose text is the following:

"Dear…
…(name), from Agroxarxa, SLU has invited you to complete a brief behavioural evaluation.
Click on the following link or copy and paste it into your browser to start the evaluation
https://open.***URL.1/Login/Login...
You may be asked to enter the following user data and password:
User…
Password…
Visit the Thomas candidate area https://www.***URL.1/en-us/candidates.aspx to learn more about this evaluation.
Regards
… (Name)
Agroxarxa, SLU
… (phone)
rrhh_desenvolupament@Agroxarxa.com
See our privacy policy www.***URL.1/es-es/Privacycookies.as.x"

According to Agroxarxa, this makes it clear that "the information available to the candidates and the processing of data are communicated by the company, not Agroxarxa, SLU".

- In reference to the contract signed with "Thomas International Ltd.".

The entity's representatives provide a copy of the contract for the provision of services and the data processing contract ("Data Processing Agreement") signed on 05/30/2018 with the entity THOMAS INTERNACIONAL SYSTEMS, S.A. (hereinafter THOMAS INTERNATIONAL SYSTEMS). The content of this "Data Processing Agreement", as far as this procedure is concerned, is detailed in the Third Proven Fact.

- In reference to the reason why "Thomas International Ltd." collects ethnicity and disability data.

As indicated by the representatives of Agroxarxa, this data is not expressly collected for the entity. Thomas International Ltd. uses the same "Questionnaire" for all its customers.
In addition, the data requested in the "Questionnaire" regarding "disability" and "ethnic group" are voluntary; the person surveyed can choose the option "I prefer not to answer". They provide an image of said "Questionnaire", whose content coincides with that described in the Second Proven Fact. The answers in this image are the following:

- Sex: "Female".
- Year of birth: "2017".
- Disability: "I prefer not to answer."
- Ethnicity: "I prefer not to answer."

Thomas International Ltd. only has the information that candidates contribute voluntarily, without it being mandatory, and without it being necessary for Agroxarxa to have the data in question. Agroxarxa has at no time requested that this information be collected for any selection process.

Therefore, "Thomas International Ltd." only has information regarding ethnicity and disability when the candidate expressly, completely voluntarily and in an informed manner provides it, without this information being provided to Agroxarxa, to which only the corresponding competency and skills profile report is sent, but never the answers.

- In reference to the processing carried out by Agroxarxa with the data related to ethnicity and disability, and the retention period.

The application of "Thomas International Ltd." is not expressly designed for Agroxarxa's selection processes, and Agroxarxa (like the rest of the clients) does not participate in the preparation of the forms used by said company.

That is why Agroxarxa does not collect, process or keep data related to ethnicity and disability.

- In reference to the data held by Agroxarxa relating to the complaining party.

It does not hold data related to the ethnicity or disability of the complaining party. (…).

With its response, Agroxarxa provided a copy of two reports as an example of the information about the candidates that "Thomas International Ltd." provides to Agroxarxa:

a) The first of them contains some graphics and scores related to "Work mask", "Behavior under pressure" and "Self-image".

b) The second describes the "APP Profile" of the person assessed in relation to "Self-image", "Self-motivation", "Work emphasis", "Descriptive words", "Mask" ("how others see you"), "Behavior under pressure" and "General comments".

2. On 12/30/2021, the Inspection Services of this Agency sent Agroxarxa a new request for information, which was answered as follows:

- In the selection process, Agroxarxa at no time gives data to the entity "Thomas International Ltd.", but hires this company to carry out an analysis of skills and competencies.

The only data that Agroxarxa communicates to "Thomas Internacional Ltd." are the name and surname and contact email, used to facilitate access to the platform.

- It is in its interest to proceed to a reassessment of the personnel selection process and protocol, with the aim of simplifying and improving the process, as well as providing candidates with more and better information.



3. (…):

Its activity is to provide psychometric tools for companies to apply in their evaluation and recruitment processes.

On 05/30/2018, a "Data Processing Agreement" was signed with the company Agroxarxa (it provides a copy).

(…).

In the contract signed between the parties (Annex 1), it is contemplated that "Thomas International" will process, by order of Agroxarxa, the personal data of the candidates selected by it, which will be stored and controlled by the data controller, Agroxarxa, in the "Thomas International" hub that has previously been contracted. Agroxarxa has tools for the maintenance of the personal data resulting from the evaluation processes, for the time that Agroxarxa deems appropriate.

In section 2.3 of the Contract it is specified that Agroxarxa is the one who controls the personal data entered in the evaluation systems of Thomas International Ltd. through the tools provided by it, and that the data of the candidates (results of the evaluations) will be processed at the indication of Agroxarxa, the latter having sole access to the results processed by "Thomas International" systems.

In section 2.4 it is indicated that Agroxarxa is responsible for the personal data that are entered in the evaluation processes of "Thomas International" so that they are processed and evaluation results are obtained, which are analyzed and received by Agroxarxa for the development of its business activity. Likewise, Agroxarxa has previously contracted tools for unique and exclusive access to the "Thomas International" hub (where the results of the evaluations are stored) to analyze, view, delete, maintain, etc. the information processed by "Thomas International" at the indication of Agroxarxa.

According to section 3.1.1, the "Thomas International" systems process the personal data of Agroxarxa candidates at its indication and following the instructions provided by it.


And section 3.1.2 stipulates that "Thomas International" acts according to the instructions provided by the client, Agroxarxa.

Section 3.2 provides that they must promptly comply with the instructions provided by Agroxarxa.

In section 4 Agroxarxa authorizes "Thomas International Ltd." to send a form for permitted research purposes, to be filled out voluntarily and anonymously by the people who access the procedures authorized and contracted by Agroxarxa, as long as the three sections 4.1, 4.2 and 4.3 are complied with.

THOMAS INTERNATIONAL SYSTEMS ends by noting that, according to the agreement signed between the parties, "Thomas International" is not obliged to provide information to the candidates that are going to be evaluated for Agroxarxa, which is the owner of the information relating thereto, and "Thomas International Ltd." only processes the information that is provided by Agroxarxa and at its request. "Thomas International Ltd." does not know the personal data of the candidates who are going to be evaluated according to the needs determined by Agroxarxa in its policies for evaluating candidates for certain jobs.

In relation to the data on ethnic origin and disability, it indicates that they were collected voluntarily and optionally, with the option not to respond. Any information collected through this optional survey is part of the psychometric evaluation and does not affect the results obtained by the candidate in his evaluation. All the information collected by the aforementioned optional survey would be used by the "Thomas International Sciences" research team to ensure that its psychometric assessment tools are designed in such a way that they do not discriminate against the people evaluated.

THOMAS INTERNATIONAL SYSTEMS provides a copy of the form "authorized by Agroxarxa to be sent to the personnel who access the systems of Thomas International Ltd. according to the assumptions of section 4" ("the Questionnaire"), whose content coincides with that outlined in the Second Proven Fact, and a copy of the prior information that it provides. After the informative text, the "I disagree" and "Next" buttons are included.

SIXTH: On 04/25/2022, the General Sub-Directorate of Data Inspection accessed the information available about the entity THOMAS INTERNACIONAL SYSTEMS in "Axesor". (…).

SEVENTH: On May 5, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanction proceedings against THOMAS INTERNACIONAL SYSTEMS, in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged violation of article 9 of the GDPR, typified in article 83.5.a) of the aforementioned Regulation, and classified as very serious for prescription purposes in article 72.1.e) of the LOPDGDD.
In the opening agreement it was determined that the sanction that could correspond, in view of the evidence existing at the time of opening and without prejudice to the result of the instruction, would amount to a total of 50,000 euros.

Likewise, it was warned that the imputed infractions, if confirmed, may entail the imposition of measures, according to the aforementioned article 58.2 d) of the GDPR.

EIGHTH: The aforementioned initiation agreement having been notified in accordance with the rules established in the LPACAP, THOMAS INTERNATIONAL SYSTEMS submitted a brief of allegations in which it requests the filing of the procedure or, alternatively, that a warning be issued, based on the following considerations:

1. On the actions of THOMAS INTERNATIONAL SYSTEMS.

THOMAS INTERNATIONAL SYSTEMS is a Spanish company that provides services to different entities in Spain, consisting of facilitating the use of the platform "www.***URL.1", specialized in the evaluation, training and consulting of users of said clients. Client entities access a restricted area on the platform using a username and password and are in charge of managing the candidates, selecting those who perform the evaluations, and obtaining the final reports made on said evaluations.

Based on the foregoing, it concludes that THOMAS INTERNATIONAL SYSTEMS has not carried out any processing of the complaining party's personal data.

2. On the actions of "Thomas".

The "Thomas International group", as a group, and specifically the parent company "Thomas International Limited LTD", provides psychometric, evaluation, training and/or auditing services to those clients who contract it through the platform www.***URL.1.

Said platform offers said psychometric evaluation services in compliance with all current legislation, the strictest international standards of psychometrics, and the strictest technical, organizational, security and legal measures in general, especially in matters of data protection and psychometry.

Precisely, one of the measures adopted to guarantee compliance with international standards and norms of psychometrics is the "Thomas Research Questionnaire" that is the object of this procedure, which is carried out completely independently of user evaluations: only once the evaluation is finished and irreversibly closed is the user offered the "Questionnaire". The user can choose to do it or not, and neither its completion nor its responses have any conditioning effect or consequence; the responses are not shared with client entities or with third parties.

The sole purpose of this "Questionnaire" is to be able to comply with the international psychometric standards required by international regulations and protocols, as well as to guarantee the reliability of the evaluations and demoscopic questionnaires carried out by "Thomas International" through its platform.

Customers are informed about this questionnaire through the data processing contract (clause 4). Users are also informed: before completing it, they access a notice stating that "Thomas International" is the controller, that its purpose is scientific research, that it is independent of and not conditional on any evaluation carried out previously, that the processing of the information is anonymous and confidential, and that no information will be shared with the entity or person who invited them to carry out the evaluation (in no case are the data collected through the "Questionnaire" known by the clients of the platform or other third parties, nor even by the partners or employees of the Group).

On this issue of transparency in the processing of data entailed by the "Questionnaire", THOMAS INTERNATIONAL SYSTEMS states that it has engaged new professionals and a new DPO to perfect compliance with data protection regulations. It provides a copy of the new informative clause, which is reproduced in the Second Proven Fact.

3. On the lawfulness of the processing of the questionnaire.

The processing of personal data carried out in the "Questionnaire" that is the object of this file is carried out lawfully and in accordance with the provisions of article 9.2 j) of the GDPR, in relation to article 89.1 of the same Regulation, and other regulations applicable to the sector in which the entity operates.

The "International company", prior to carrying out the "Questionnaire", has taken all necessary technical, organizational and legal measures to:

a) Process data of a sensitive nature exclusively for the purpose of scientific research and to comply with the requirements demanded by international standards and norms of psychometrics, in order to guarantee the reliability required in its evaluations (purpose limitation), without the entity obtaining any benefit from completion of the questionnaire.

b) Process, in any case, the minimum data possible to fulfill said purposes and needs. The "Thomas Research Questionnaire" is carried out by the minimum necessary people, during the time strictly necessary, and only the data strictly necessary for the fulfillment of the indicated purpose is processed, scrupulously observing the principle of data minimization and anonymization of identifying data. It applies robust pseudonymization and anonymization processes to its processing.

c) Apply all technical, organizational and legal measures necessary for the correct processing of said information, establishing a robust system of information minimization, with access restricted to professional collegiate psychologists, who have duly signed the rules of use of the necessary information, confidentiality agreements and codes of ethics, and also applying a system of anonymization of the information obtained, previously tested and continuously monitored.
d) Applying equally robust security systems, encrypting the
"Questionnaire", applying the highest security measures that guarantee the
confidentiality, integrity and availability of information. Once
Once completed, the form is stored in encrypted servers of the entity,
with the highest security measures and anonymously in three tables. The

system has obtained the ISO 9001 Certificates.
e) Analyze and previously evaluate all possible risks and incidents, with
adoption of the necessary measures to evidence and/or mitigate any incidence, and
complying with all measures and/or obligations regarding data protection,
concretely the principles established in article 5 of the GDPR.
f) Respect the principle of accuracy of the data: the need for accuracy in the

evaluations provided by "Thomas" through its platform makes it necessary to
existence of the “Thomas Research Questionnaire”. Likewise, they have established
all necessary measures to ensure accuracy in the collection process,
storage and conservation of the processed data.
g) Keep the data strictly for the purpose described. By anonymizing the

data and irreversibly break down the identifying data of the responses
given, the minimum conservation period is fully guaranteed, as it is
securely and irreversibly destroy personal data immediately in
the system of three tables. Therefore, only non-personal data that
meet the purpose of scientific research and compliance with standards
required scientists.


In relation to the lawfulness and fairness of the processing of the questionnaire data, it indicates the following:

The data requested through the "Questionnaire", among which are data of a sensitive nature (such as ethnicity and possible disabilities), are necessary in order to comply with the requirements of international standards and regulations on psychometrics, so that the evaluations carried out on the platform measure with scientific rigour what they claim to measure, do so accurately and do so fairly, while at the same time ensuring that they meet the right demographic requirements and that no discrimination occurs, as required by the international standards and norms listed below:


. The “Questionnaire” is validated in accordance with the Guidelines of the European Federation of Psychologists' Associations (FEAP, or EFPA in its English acronym: European Federation Psychologists Associations). EFPA is a European organization of which most European psychology associations are members. Its test review model is used throughout Europe and serves as a tool to evaluate psychometric assessments from two points of view: on the one hand, to check whether a group or sample is representative of a broader population and to calculate the relative position of the examinees in that sample; and on the other hand, to ensure the fairness of the test.

. International Testing Commission (ITC), Guidelines on the use of tests, which also refer to the fairness of the tests, that is, whether they are fair for use with various groups, and to the need to control changes in the population through the demographic information provided by test takers.


. Code of Conduct of the Business Psychology Association ***URL.2.

It adds that the information collected is necessary, according to the aforementioned formulation of the survey (CIT, or ITC in its English acronym), since it makes it possible to ensure, through anonymous statistical studies, that its psychometric assessment tools (personality, intelligence, aptitudes, emotional intelligence, etc.) do not discriminate against the people evaluated, precisely for reasons of ethnicity or disability, among other circumstances. Therefore, it understands that "Thomas International", as designer of the evaluations and questionnaires, is legitimized and protected in its objectives by article 89.1 of the GDPR, which allows the collection of data for research and global statistical purposes, with the guarantee that these data are anonymized and that it is impossible to associate them with a specific candidate, through the aforementioned CIT.

The relevance of the activity of “Thomas International” and its CIT survey is based on the requirement to guarantee good practice in the design, development and monitoring of psychometric tests, according to the standards defined by the BPS (British Psychological Society), the EFPA (European Federation Psychologists Associations) or the COP (Official Association of Psychologists), which ensure good practice in psychometrics, certify the validity and reliability of a test and require that quality standards be kept up to date through macro-statistical studies carried out in parallel throughout the technical life of these tests, using statistical meta-analyses that are obligatorily anonymous, global and longitudinal. A new standard has recently emerged in this field, ISO 30414 Human Resources Management, which results in the requirement to make adequate use of psychometric tests, as well as the requirement of their discriminating power.

In addition, it adds that "Thomas International" carried out the necessary impact analyses and assessments, having assessed the proportionality of the data processing and its necessity for scientific research, before making the evaluations available on the platform.

Likewise, both the evaluations and the questionnaires have been designed exclusively by prestigious registered psychology professionals who carry out their activity in "Thomas International", and who are the only ones who handle the questionnaire data. These professionals are bound by confidentiality agreements and by strict compliance with international psychometric standards and regulations.

4. Bearing in mind that (...) without any discrimination, did not suffer any infringement or damage (...), without having expressed any objection to the processing of the "Thomas Research Questionnaire"; that Agroxarxa did not know whether or not the interested party completed said "Questionnaire" or what they answered; that “Thomas International” has not obtained any benefit or caused any harm; and that it has not had any claim or incident; THOMAS INTERNATIONAL SYSTEMS understands that there is no infringement and/or breach of data protection.

5. Of the non-existence of unlawfulness in the processing of the information: THOMAS INTERNATIONAL SYSTEMS also understands that the processing of personal data of a sensitive nature is carried out in accordance with article 9.2 j) of the GDPR; and that, once the data have been anonymized, it cannot be considered that there is any processing of personal data.

6. Of the lack of intent and/or fault of "Thomas International": for there to be a punishable offence, there must be not only an unlawful act but also intentionality in the commission or omission that causes it, as stated in the Resolutions and Judgments of the National Court of 02/25/2010 (which establishes that objective liability is not admissible in administrative sanctioning law, as it is proscribed following STC 76/1999; Judgment of the National Court of 04/29/2010), 04/29/2020, 10/19/2010 and 02/10/2011.

"Thomas International" has had a proactive attitude, compliant with its data protection obligations in all the processing operations it carries out, applying the highest security standards in its processing.

7. Of the non-existence of seriousness of "Thomas International": in the hypothetical case that it is considered that "Thomas International" has not informed correctly, subsidiarily, the conduct of "Thomas International" cannot be sanctioned as a serious infringement, since all the circumstances indicated that are present in this case and that have been accredited lead to the conclusion that there is no serious offence whatsoever.

In addition, as a result of what has come to light in this case, it has taken additional measures to avoid any incident or infringement, such as appointing a new Data Protection Officer of proven experience and knowledge (ANNEX No. 15); initiating a new risk analysis and impact assessment on the processing of personal data in order to identify possible risks and apply the measures necessary to avoid and/or mitigate their damage; drafting new information clauses on the processing carried out in the "Thomas Research Questionnaire"; and reinforcing the information and training of all the agents involved in the processing of personal data, such as clients, registered psychology staff and technical staff, and the people who agree to carry out the evaluations and questionnaires.

Therefore, it considers that the provisions of Recital 148 of the GDPR are applicable, as stated in the following AEPD resolutions:

a) In the Resolution issued in procedure E/00660/2020, regarding a very serious infringement for unlawful data processing, account was taken of the actions for adaptation to the regulations carried out before the claim was filed with the AEPD.

b) In the procedures PS/00077/2021 and PS/00416/2020, regarding serious infringements due to information security breaches, a warning was imposed in view of the measures adopted to resolve the problem and the suspension of the website involved in the events, which was migrated to another server, adopting measures to avoid events similar to those that motivated the claim.

c) In the proceedings followed under number E/05039/2018, the sanctioning procedure was converted into a closure of the file in view of the measures adopted to solve the problem and the low relevance of the deficiencies.

d) In the case of procedures PS/00040/2021, PS/00041/2021, PS/00067/2021, PS/00071/2021, PS/00240/2020, PS/00366/2020, PS/00285/2020, PS/00311/2020, PS/00355/2020, PS/00371/2020, PS/00381/2020, PS/00399/2020, PS/00414/2020, PS/00441/2020, PS/00453/2020, PS/00454/2020, PS/00455/2020, PS/00457/2020 and PS/00490/2020, the sanctioning procedure became a warning on the basis of grounds such as those expressed below:


. It is verified that the claimed party updated the information.
. The Privacy Policy was prepared after the claim.
. The consent is express because the processing of the data is based on the consent given by filling in and submitting the form and checking the box accepting data processing (PS/00040/2021).
. The fine is considered disproportionate for the claimed party, whose principal activity is not directly linked to the processing of personal data, and there is no evidence of the commission of any previous infringement in terms of data protection (PS/00041/2021 and others).
. The provisions of article 58.2 of the GDPR (PS/00067/2021 and others) are complied with.
. Absence of intentionality; adoption of measures to comply with the GDPR; appointment of a DPO; no recidivism; appropriate and reasonable measures have been taken to avoid incidents such as the one claimed (PS/00071/2021).
. Rectification, once the file has been initiated, of the deficiency found in the existing form on the web, with acceptance of the privacy conditions before said form is sent and a box enabled to consent to the sending of commercial communications (PS/00311/2020).
. There is no record of any previous violation of data protection.
. The privacy policies were suitably modified.

Finally, it highlights that it has a proactive attitude; that all its staff are duly trained; that its activity has not caused damage to the rights of the interested parties, and that it has not received any claim, incident or security breach to date; and that, upon learning of the matter, it has initiated a review of its protocols, analyses and evaluations, and has proceeded to appoint proven specialists in the field.


With its allegations, it provides the following documentation:

. Contract signed with Agroxarxa.
. Partner agreement between "Thomas IS" and "Thomas LTD".
. Explanation of the anonymization and minimization process in three tables that is performed on the "Thomas Research Questionnaire".
. Protocols and security policy applied, including a version of the Privacy Policy dated 03/31/2020.
. EFPA Guidelines.
. ITC Guidelines.
. Code of conduct.
. Executive summary of Thomas International's practices and compliance with the GDPR.
. Protocol for the preparation of tests for Dyslexia and Occupational Tests.
. Deontological Code.
. Psychologist contract.



                                 PROVEN FACTS



FIRST: The entity THOMAS INTERNATIONAL SYSTEMS provides evaluation and consultancy services in personnel selection processes carried out by the entities that contract such services.

The evaluation of candidates by THOMAS INTERNATIONAL SYSTEMS requires them to complete behavioural tests or surveys accessible through the website of said entity, "***URL.1", in order to assess, based on the information obtained, the suitability of the candidate for the job offered.

The entity that calls the selection process makes a pre-selection of the candidates who must be evaluated by THOMAS INTERNATIONAL SYSTEMS. These finalist candidates receive an email from the latter entity with the instructions to access its platform, the "candidate area", and complete the survey. The email indicates the username and password to be used for access and includes a link to start the evaluation, and others leading to the information available in the "candidate area" and the Privacy Policy available on the website “***URL.1”.

As a result of the provision of the service, THOMAS INTERNATIONAL SYSTEMS provides client entities with a report or profile on the skills and abilities of the candidate.

SECOND: Once the candidates finish completing the tests necessary to carry out the evaluation, THOMAS INTERNATIONAL SYSTEMS asks them to fill in a new questionnaire, which it calls the "Thomas Research Questionnaire", which includes questions related to sex, year of birth, disability, ethnicity, mother tongue, educational level, current employment status, sector currently working in, current role, current level of command, level of happiness in the job (on a scale from 1 to 7), rating of their work (on a scale from 1 to 7), description of the disability (text field) and views on leadership. To answer each question, except for the description of the disability, a drop-down is shown with the options that the interested party can select, including the option “I prefer not to answer”.

Prior to completing this "Questionnaire", the interested parties are shown the following information regarding the protection of personal data:

Thank you for completing the form.
A notification has been sent to the person who invited you to take the assessment. Please contact them for more information on this Thomas evaluation.
Welcome to the Thomas Research Questionnaire.
At Thomas International, we are committed to continuous improvement of our evaluations. As part of our research and development initiative, we ask that you provide us with information to help us improve our assessments. Information collected will be used for research purposes only and will not be provided to your employer. Our psychologists abide by ethical guidelines and all information we collect will be confidential and only global results will be reported. Participation is entirely voluntary and you can choose to skip any question you do not want to answer.

After the informative text, the buttons "I do not agree" and "Next" are shown.

The entity THOMAS INTERNATIONAL SYSTEMS, in the course of the allegations made at the opening of the procedure, has reported that the above information clause has been modified, now reading as follows:

"Thank you for completing the form.
A notification has been sent to the person who invited you to take the assessment. Please contact them for more information on this Thomas evaluation.
Welcome to the Thomas Research Questionnaire.
At Thomas International we are committed to the continuous improvement of our evaluations. As part of this, Thomas International, as the controller of the data, regularly conducts research to ensure that our assessments are valid, reliable and, above all, fair. This allows us to ensure that we adhere to international best practice standards. We would appreciate your help in this important research by filling in the following questionnaire.
Completion of the questionnaire is voluntary and independent of the person who has asked you to do the evaluation. In no case will the information from this questionnaire be provided to the person who invited you to carry out the mentioned evaluation. Information collected in this questionnaire will be used solely for scientific research purposes, will be processed only by Thomas International registered psychologists and will be processed anonymously. To exercise your rights and/or for more information, consult our privacy policy (***URL.3), or contact our Data Protection Officer at ***EMAIL.1. Our psychologists are governed by ethical guidelines and all information we collect will be kept confidential and only anonymous aggregate results will be communicated. Participation is completely voluntary and you can choose to skip any questions you don't want to answer."

After the informative text, the buttons "I do not agree" and "Next" are shown.

THIRD: To formalize the provision of the services outlined in the First Proven Fact, the entity has arranged a form called “Data Processing Agreement” that it signs with its clients.

Of the stipulations contained in this agreement, which is declared reproduced for evidentiary purposes, the following should be noted:

Background

(...)
(...)
(…)
(…)

Thomas's Duties

(…):
     (…);
     (…);
     (…);
     (…)

Research

(…):
(…);
(…);
(…).

(...)”.


FOURTH: The Privacy Policy available on the website "***URL.1", in its version dated 07/03/2019, includes the following information:

“1.3 Do we always act as data controllers? Although Thomas often acts as data controller, in some of our activities we can also act as data processor or sub-processor...

Examples of cases where Thomas acts as data controller include, but are not limited to, the following:
(…)
. Processing of personal data of candidates for research purposes.
. Processing of personal data of candidates to create an anonymous form of personal information…

2.5 Do we use personal data in our research?
We are committed to continually improving our assessments. To do this, we ask candidates to provide us with additional information, such as age group, educational level, ethnicity and similar matters. Providing this information is voluntary and is not necessary to complete an assessment.
When we process any of this personal data for research, we do so as data controller.
Any personal information provided to us for research will be used exclusively for research purposes and will not be disclosed to third parties. Both during and after our psychologists evaluate your personal information, we will store it securely and with the highest confidentiality. If we share our results with third parties, only anonymous and aggregate results from which no individual can be identified will be shared.


2.6 Where we are data controller: what legal basis do we have to use your personal data?
(…)
. you have consented to the use of your personal data;
. the use we make of your personal data is in our legitimate interest as a business organization; in these cases, we will process your information at all times in a manner that is proportionate and respectful of your right to privacy. You will also have the right to object to the processing, as explained in section 7;
. the use of your personal data is necessary to perform a contract or take steps to enter into a contract with you; or
. our use of your personal data is necessary to comply with a legal obligation or pertinent regulatory…” (Unofficial translation).


The content of the transcribed sections is similar to that included in the version of the Privacy Policy dated 03/31/2020, contributed to the proceedings by THOMAS INTERNATIONAL SYSTEMS.


FIFTH: Agroxarxa called a personnel selection process and hired the services of THOMAS INTERNATIONAL SYSTEMS to carry out the evaluations of the candidates shortlisted by Agroxarxa. For this purpose, both entities signed a contract (“Data Processing Agreement”) dated 05/30/2018, in the terms indicated in the Third Proven Fact.


SIXTH: The complaining party participated in the personnel selection process called by Agroxarxa indicated in the Fifth Proven Fact and was selected as a finalist to be evaluated by THOMAS INTERNATIONAL SYSTEMS. After carrying out the surveys arranged for this evaluation through the website "***URL.1", they were asked to fill in the "Thomas Research Questionnaire", through which they provided the following data:

. Sex: “XXXXXX”.
. Year of birth: “XXXX”.
. Disability: “XX”.
. Ethnicity: “XXXXXXXXXXXX”.



                           FUNDAMENTALS OF LAW

                                           I

By virtue of the powers that article 58.2 of the GDPR recognizes to each supervisory authority, and as established in articles 47 and 48 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of the GDPR, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures”.


                                           II

The claim that has motivated these proceedings questions the processing of personal data relating to ethnicity and disability carried out by THOMAS INTERNATIONAL SYSTEMS during the candidate selection process for a job offered by the entity Agroxarxa, this question constituting the sole object of this proceeding.

Thus, the conclusions derived from the procedure do not imply any pronouncement regarding issues unrelated to said object.



                                           III

The personnel selection process (...) begins with a publication by this entity and with the subsequent examination of the profile of the candidates who have shown interest in the position, in order to select the finalists, who are asked to complete a “behavioural survey”.

This "behavioural survey" is carried out through the platform of the entity THOMAS INTERNATIONAL SYSTEMS. These are psychological tests that assess the intelligence, personality, emotional intelligence and potential of the candidates.

THOMAS INTERNATIONAL SYSTEMS sends an email to the candidate with access to its platform. In this email it states that the purpose is to carry out a behavioural evaluation for Agroxarxa, and indicates the link to access the platform, as well as the username and password to use. In addition, it indicates the links to access the information contained in the candidate area and the privacy policy.

As a result of this action, THOMAS INTERNATIONAL SYSTEMS sends Agroxarxa a report on the profile of skills and abilities of the candidate.

The selection process ends with a final interview carried out by Agroxarxa.

The tasks that THOMAS INTERNATIONAL SYSTEMS performs within the framework of this process were entrusted to it by Agroxarxa through a contract for the provision of services signed by both entities. Said contract includes a "Data Processing Agreement", formalized on 05/30/2018, which defines the role of THOMAS INTERNATIONAL SYSTEMS as processor and states that said entity follows the instructions of Agroxarxa, which acts as controller.

The figures of "controller" and "processor" are defined in article 4 of the GDPR as follows:

. "Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.

. "Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".


Article 24 of the GDPR, referring to the "Responsibility of the controller”, states the following:

"1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller…”.


Report 0064/2020 of the Legal Office of the AEPD has emphatically stated that "The GDPR has meant a paradigm shift in addressing the regulation of the right to the protection of personal data, which is based on the principle of "accountability" or "proactive responsibility", as repeatedly indicated by the AEPD (Report 17/2019, among many others) and as included in the Explanatory Memorandum of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD)”.


The said report goes on to say the following:

“…the criteria on how to attribute the different roles remain the same (paragraph 11); it reiterates that these are functional concepts, intended to assign responsibilities according to the real roles of the parties (paragraph 12), which implies that in most cases attention must be paid to the circumstances of the specific case (case by case), based on the parties' actual activities rather than the formal designation of an actor as "controller" or "processor" (for example, in a contract), and that they are autonomous concepts, whose interpretation must be carried out under the European regulations on the protection of personal data (paragraph 13), taking into account (paragraph 24) that the need for a factual assessment also means that the role of a controller does not derive from the nature of an entity that is processing data but from its concrete activities in a specific context…”.

The concepts of controller and processor are not formal but functional, and must attend to the specific case.


The controller is such from the moment it decides the purposes and means of the processing, and does not lose that status by leaving a certain margin of action to the processor or by not having access to the processor's databases.

This is clearly expressed in Guidelines 07/2020 of the European Data Protection Board (CEPD) on the concepts of controller and processor in the GDPR:

“A controller is the one who determines the purposes and means of the processing, that is, the why and how of the processing. The controller must decide on both purposes and means. However, some more practical aspects of implementation ("non-essential means") can be left to the processor. It is not necessary for the controller to actually have access to the data that is being processed in order to qualify as a controller” (the translation is ours).

In the present case, it is clear that Agroxarxa is the controller of the processing of personal data arising from the personnel selection process in which the complaining party participated, since, as defined in article 4.7 of the GDPR, it is the entity that determines the purposes and means of the processing carried out. As controller, it is obliged to comply with the provisions of the transcribed article 24 of the GDPR and, especially, those related to the effective control of the “appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing is in accordance with this Regulation”, among which are those provided in article 28 of the GDPR in relation to the processor acting in the name and on behalf of the controller.

Agroxarxa is the controller of the data processing carried out for the purpose of completing the selection process even if it does not have access to said data. In this sense, Guidelines 07/2020 of the European Data Protection Board (CEPD) on the concepts of controller and processor in the GDPR indicate that “42. It is not necessary for the data controller to actually have access to the data being processed. Whoever outsources a processing activity and, in doing so, has a determining influence on the purpose and (essential) means of processing (for example, by adjusting the parameters of a service in such a way as to influence whose personal data will be processed) must be considered a controller even though it will never have actual access to the data” (the translation is ours).

On the other hand, the existence of a processor depends on a decision adopted by the controller, which may decide to carry out certain processing operations itself or to entrust all or part of the processing to a processor.

The essence of the function of the processor is that the personal data are processed in the name and on behalf of the controller. In practice, it is the controller that determines the purpose and the means, at least the essential ones, while the processor has the function of providing services to controllers. In other words, “acting in the name and on behalf of the controller” means that the processor serves the interest of the controller in carrying out a specific task and, therefore, follows the instructions established by it, at least as regards the purpose and the essential means of the processing entrusted.

The controller is the one who has the obligation to guarantee the application of data protection regulations and the protection of the rights of the data subjects, as well as to be able to prove it (articles 5.2, 24, 28 and 32 of the GDPR). Control of compliance with the law extends throughout the processing, from beginning to end. The controller must act, in any case, in a diligent, conscious, committed and active way.

This mandate of the legislator is independent of whether the controller carries out the processing directly or does so using a processor.


Moreover, processing carried out materially by a processor on behalf of the controller belongs to the latter's sphere of action, in the same way as if the controller carried it out directly. In the case examined, the processor is an extension of the controller and may only process on documented instructions from the controller, unless required to do so by Union or Member State law, which is not the case here (article 29 of the GDPR).

The controller must therefore establish clear arrangements for that assistance, give the processor precise instructions on how to comply with them adequately, document this beforehand in a contract or other (binding) legal act, and verify at all times that the contract is being performed in the manner established in it.


The processor will be fully liable only when it is fully responsible for the damage caused to the rights and freedoms of the persons affected.

In establishing the processor's liability for infringements of the GDPR, article 28.10 also follows the criterion of who determines the purposes and means of processing. Under that provision, if the processor determines the purposes and means of processing, it is considered a controller in respect of that processing:

“10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing”.


In the present case, the correct legal classification of THOMAS INTERNATIONAL SYSTEMS under the GDPR is that of processor, since it acts in the name and on behalf of Agroxarxa.

However, the proceedings have revealed that THOMAS INTERNATIONAL SYSTEMS carries out, for its own benefit, processing of the data of the candidates for the position offered by Agroxarxa or, in general, by any other client. With regard to that processing, THOMAS INTERNATIONAL SYSTEMS determines the means and purposes and holds the status of controller, in accordance with the aforementioned article 28.10 of the GDPR.


When carrying out the behavioural surveys commissioned by Agroxarxa, THOMAS INTERNATIONAL SYSTEMS includes a "Questionnaire" to be completed by the applicants for the job, through which the data subjects are asked for personal data relating to sex, year of birth, disability, ethnicity, mother tongue, educational level, current employment status, sector in which they currently work, current role, current management level, level of job happiness (on a scale from 1 to 7), rating of their work (on a scale from 1 to 7), description of the disability (text field) and a question on leadership. To answer each question, except for the description of the disability, there is a drop-down menu with the options the data subject can select (in the specific "Questionnaire" provided by the complainant, the following options appear selected: Sex: “XXXXX”; Year of birth: “XXXX”; Disability: "XX"; Ethnicity: “XXXXXXXXXXXX”).

It is THOMAS INTERNATIONAL SYSTEMS that decides to collect these personal data and to use them for its own purposes (research and improvement of its assessments), for its own benefit. Ultimately, it is that entity which determines that these personal data processing operations are carried out. That is the same as saying that THOMAS INTERNATIONAL SYSTEMS is the entity that determines why (purpose) and how (means) such personal data are processed to achieve the intended purpose.


As regards the "means of processing", the Guidelines 07/2020 of the European Data Protection Board (EDPB) on the concepts of controller and processor in the GDPR, already cited, state the following:

“As regards the determination of means, a distinction can be made between essential and non-essential means. "Essential means" are traditionally and inherently reserved to the controller. While non-essential means can also be determined by the processor, essential means are to be determined by the controller. "Essential means" are means that are closely linked to the purpose and the scope of the processing, such as the type of personal data which are processed ("which data shall be processed?"), the duration of the processing ("for how long shall they be processed?"), the categories of recipients ("who shall have access to them?") and the categories of data subjects ("whose personal data are being processed?"). Together with the purpose of processing, the essential means are also closely linked to the question of whether the processing is lawful, necessary and proportionate. "Non-essential means" concern more practical aspects of implementation, such as the choice of a particular type of software or the detailed security measures, which may be left to the processor to decide on” (the translation is ours).

THOMAS INTERNATIONAL SYSTEMS holds the status of controller with regard to the collection and use of the personal data relating to ethnicity and disability to which the complaint refers, as that same entity has acknowledged and as is accredited by the documentation incorporated into the proceedings.


The "Data processing agreement" concluded by Agroxarxa and THOMAS INTERNATIONAL SYSTEMS, referred to above, provides in clause 4 for the use of personal data by THOMAS INTERNATIONAL SYSTEMS as controller for research purposes. It expressly states:

“Thomas may act as a data controller in relation to the Company's Personal Data and such processing may be carried out solely for the permitted research purposes”.


Likewise, the Privacy Policy available on the website "***URL.1" contains the following information:

“2.5 Do we use personal data in our research?
We are committed to continually improving our assessments. To do this, we ask candidates to provide us with additional information, such as age group, educational level, ethnicity and similar matters. Providing this information is voluntary and is not necessary to complete an assessment.
When we process any of this personal data for research, we do so as a data controller.
Any personal information provided to us for research will be used exclusively for research purposes and will not be disclosed to third parties…” (Unofficial translation).


This status of controller can also be inferred from the response provided by THOMAS INTERNATIONAL SYSTEMS to this Agency's Inspection Services, in which it states that the data on ethnic origin and disability do not form part of the psychometric assessment and do not affect the results obtained by the candidate in the assessment, and that this information is used by the “Thomas International Sciences” team to ensure that its psychometric assessment tools are designed in such a way that they do not discriminate against the people assessed.


With this response, the entity provided a copy of the "Questionnaire" which data subjects (candidates for the position offered) are asked to complete, together with the information given beforehand. In that information the form is referred to as the "Thomas Research Questionnaire" and it is stated that the data will be used for research purposes, to improve its assessments.


For its part, Agroxarxa has stated that it does not collect data on ethnicity and disability, that these data are not collected by THOMAS INTERNATIONAL SYSTEMS for Agroxarxa, and that it is not provided with the answers contained in the form in question. It has likewise stated that THOMAS INTERNATIONAL SYSTEMS uses the same form for all its clients.

THOMAS INTERNATIONAL SYSTEMS, in its submissions in response to the opening of the procedure, has not contested the foregoing arguments, which were already set out in the opening agreement.

                                           IV.

Personal data relating to ethnicity and disability belong, by their nature, to the special categories of data regulated in article 9 of the GDPR, which establishes a general prohibition on their processing. That article provides as follows:

“Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
e) processing relates to personal data which are manifestly made public by the data subject;
f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health”.


In general, this provision prohibits the processing of special categories of data unless the processing can be covered by one of the exceptions regulated in article 9.2 of the GDPR.


Thus, a general prohibition is established on the processing of personal data revealing ethnic or racial origin and of data concerning health, such as data relating to a person's disability (Recital 35 and article 4.15 of the GDPR); and paragraph 2 regulates the exceptions that lift that prohibition, some of them on the basis of Union or Member State law, which must incorporate into its own rules the appropriate safeguards so that the right to data protection is respected, must also respect the principle of proportionality, and must establish suitable and specific measures to safeguard the fundamental rights and the interests of the persons affected.


Specifically, for the processing of special categories of data necessary for scientific research purposes, referred to in letter j) of article 9.2 of the GDPR, the controller must necessarily rely on a specific legal provision that covers it and, in addition, comply with the aforementioned principles and establish additional safeguards protecting the rights of the persons affected.

In relation to the processing of personal data concerning health, the seventeenth additional provision of the LOPDGDD establishes that the processing operations regulated in the laws it lists are covered by letters g), h), i) and j) of article 9.2 of the GDPR; among those laws is the consolidated text of the General Law on the rights of persons with disabilities and their social inclusion, approved by Royal Legislative Decree 1/2013 of 29 November. Nonetheless, it does not exclude processing carried out in application of rules other than those indicated in that additional provision.


Article 89 of the GDPR expressly refers to "Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes":

“1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

(…)”.


The GDPR sets out the principles relating to processing in article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.

Moreover, once the general prohibition has been lifted under article 9.2 of the GDPR, legitimising the processing of special category data requires recourse to the cases of article 6 of the same Regulation. So indicated the Article 29 Working Party (whose functions have been assumed by the European Data Protection Board) in its "Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679", adopted on 3 October 2017 and revised on 6 February 2018, stating that “Controllers can only process special category personal data if they can meet one of the conditions set out in Article 9(2), as well as a condition from Article 6”.

Article 6 of the GDPR establishes the cases in which processing is considered lawful:

“Article 6. Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points c) and e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in points c) and e) of paragraph 1 shall be laid down by:

a) Union law; or
b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
d) the possible consequences of the intended further processing for data subjects;
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation”.


                                             V.


In the present case, THOMAS INTERNATIONAL SYSTEMS processes data relating to ethnicity and disability, so we are faced with processing of special categories of personal data subject to the general rule of prohibition established in article 9.1 of the GDPR.


Moreover, it does not appear from the proceedings, nor has THOMAS INTERNATIONAL SYSTEMS justified, that any of the circumstances or exceptions established in paragraph 2 of that article, which lift the prohibition on processing such personal data, applies.


The entity considers the exception provided for in article 9.2.j) applicable, taking the view that the ethnicity and disability data are processed for scientific research purposes, and devotes its submissions to justifying the necessity and proportionality of that processing and the additional safeguards established to respect the right to data protection of the persons affected, among them those relating to the security, technical and organisational measures implemented, the non-disclosure of data to third parties, and compliance with the principles of purpose limitation, minimisation, storage limitation and accuracy of the data.


However, THOMAS INTERNATIONAL SYSTEMS does not invoke any legal provision covering such data processing in the context in which it is carried out, so the basic premise established in article 9.2.j) of the GDPR is not met: under that provision, the processing of special categories of data for scientific research purposes must be “based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.


In this regard, the entity has confined itself to stating that it complies with the international psychometric standards recommended by the European Federation of Psychologists' Associations (FEAP), the International Test Commission (ITC) and the Association for Business Psychology, which do not constitute rules "of Union or Member State law".

That requirement cannot be overcome, as THOMAS INTERNATIONAL SYSTEMS claims, by establishing the safeguards referred to in its submissions or by complying with the principles relating to processing, nor by the measures it claims to have adopted as a result of this case, with which it has sought to improve the information offered to data subjects and to mitigate possible harm with new risk assessments.


Nor has the legal basis legitimising the processing of these data under article 6 of the GDPR been established, nor does THOMAS INTERNATIONAL SYSTEMS clearly inform data subjects in this regard. The information contained in the Privacy Policy on this point is generic, confining itself to listing the types of legal basis without specifying which of them corresponds to the specific processing carried out:

“2.6 Where we are a data controller: what legal basis do we have to use your personal data?

We will only collect, use and share your personal data if we are satisfied that we have an appropriate legal basis to do so. Given the variety of services we provide, we may rely on one of the following legal bases for processing your data:
- you have consented to the use of your personal data;
- our use of your personal data is in our legitimate interest as a business organisation; in these cases we will always process your information in a manner that is proportionate and respectful of your right to privacy, and you will also have the right to object to the processing, as explained in section 7;
- our use of your personal data is necessary to perform a contract or to take steps to enter into a contract with you; or
- our use of your personal data is necessary to comply with a relevant legal or regulatory obligation…” (Unofficial translation).

The processing of the data at issue in the proceedings is not necessary for the performance of the contractual relationship that THOMAS INTERNATIONAL SYSTEMS enters into with its clients as a service provider, since that processing is carried out outside that commercial relationship, for the exclusive benefit of THOMAS INTERNATIONAL SYSTEMS; nor does it respond to compliance with a legal obligation; nor is a legitimate interest invoked that overrides the fundamental rights and freedoms of the data subjects.

THOMAS INTERNATIONAL SYSTEMS has only stated in this regard that the ethnicity and disability data were collected on a voluntary and optional basis, giving the data subject the option not to respond.

From this, it appears that the legal basis invoked by the entity to legitimise the processing it carries out is the consent of the data subjects.


However, in relation to the processing of personal data relating to ethnicity and disability, it has not been shown that the data subject gave valid consent.

It is true that the information offered before completing the form warns data subjects that "participation is entirely voluntary and you may choose to skip any question you do not want to answer", and that after the informative text the buttons "I do not agree" and "Next" appear. In addition, the drop-down of answers shown for each of the questions also includes the option "I prefer not to answer".


But there is no mechanism allowing the data subject to give consent, and mere completion of the form cannot, in this case, be accepted as the giving of such consent.


In accordance with article 9.2.a) of the GDPR, consent to the processing of special categories of personal data must be “explicit”, so that a mere affirmative action from which it may be concluded that the data subject consents to the processing is not sufficient; it is necessary to have formal proof of the giving of that consent, a declaration or express confirmation of consent.

The most obvious way would be a written statement, although in the digital or online environment forms may be enabled that could amount to valid explicit consent: filling in an electronic form, sending an email containing the consent, using an electronic signature or uploading a scanned document with a handwritten signature. Similarly, on web pages, such explicit consent could be collected by inserting boxes with the options to accept and not accept, together with a text referring to the consent that is clear to the data subject.

This is how the European Data Protection Board understands it in the document "Guidelines 05/2020 on consent under Regulation 2016/679", which updates the guidelines on consent adopted by the Article 29 Working Party on 28 November 2017, revised and adopted on 10 April 2018:

“91. Explicit consent is required in certain situations where serious data protection risks emerge, hence, where a high level of individual control over personal data is deemed appropriate. Under the GDPR, explicit consent plays a role in Article 9 on the processing of special categories of data…

92. The GDPR prescribes that a “statement or clear affirmative action” is a prerequisite for ‘regular’ consent. As the ‘regular’ consent requirement in the GDPR is already raised to a higher standard compared to the consent requirement in Directive 95/46/EC, it needs to be clarified what extra efforts a controller should undertake in order to obtain the explicit consent of a data subject in line with the GDPR.

93. The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.

94. However, such a signed statement is not the only way to obtain explicit consent and it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently expressive to obtain valid explicit consent; however, it may be difficult for the controller to prove that all conditions for valid explicit consent were met when the statement was recorded”.


Nor are the other requirements that make consent valid met, in accordance with the definition contained in article 4 of the GDPR:

“Article 4 Definitions

For the purposes of this Regulation:
11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

In relation to the giving of consent, account must be taken of the provisions of article 6 of the GDPR and of articles 7 of the GDPR and 7 of the LOPDGDD.

Article 7 "Conditions for consent" of the GDPR:

“1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.

Article 6 "Processing based on the consent of the data subject" of the LOPDGDD:

“1. In accordance with article 4.11 of Regulation (EU) 2016/679, the consent of the data subject is understood to be any freely given, specific, informed and unambiguous indication of wishes by which he or she accepts, either by a statement or by a clear affirmative action, the processing of personal data concerning him or her.
2. Where it is intended to base the processing of data on the consent of the data subject for a plurality of purposes, it will be necessary for it to be stated specifically and unambiguously that such consent is given for all of them.
3. The performance of the contract may not be made conditional on the data subject consenting to the processing of personal data for purposes unrelated to the maintenance, performance or control of the contractual relationship”.

Consent is understood as a clear affirmative act reflecting a freely given, specific, informed and unambiguous indication of the data subject's wishes to accept the processing of personal data concerning him or her, given with sufficient guarantees to prove that the data subject is aware of the fact that he or she is giving consent and of the extent to which he or she does so. It must be given for all processing activities carried out for the same purpose or purposes, so that, where processing has multiple purposes, consent must be given for all of them in a specific and unequivocal manner, and the performance of the contract may not be made conditional on the data subject consenting to the processing of his or her personal data for purposes unrelated to the maintenance, development or control of the contractual relationship. In this regard, the lawfulness of the processing requires that the data subject be informed of the purposes for which the data are intended (informed consent).


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/42









Consent must be freely given. Consent is understood not to be free when the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment; when separate consent cannot be given to the different data processing operations despite this being appropriate in the individual case; or when the performance of a contract or the provision of a service is made dependent on consent even though such consent is not necessary for that performance. This occurs when consent is included as a non-negotiable part of the general terms and conditions, or when the data subject is obliged to agree to the use of additional personal data beyond those strictly necessary.

Without these conditions, the giving of consent would not offer the data subject genuine control over his or her personal data and their destination, and the processing activity would be unlawful.

The European Data Protection Board analysed these issues in its document "Guidelines 05/2020 on consent under Regulation 2016/679", of 4 May 2020. From what is stated in that document, it is of interest here to highlight some aspects relating to the validity of consent, specifically the "specific", "informed" and "unambiguous" elements:


“3.2. Specific
Article 6(1)(a) confirms that the consent of the data subject must be given in relation to "one or more specific" purposes and that a data subject has a choice in relation to each of them. The requirement that consent must be "specific" aims to ensure a degree of user control and transparency for the data subject. This requirement has not been changed by the GDPR and remains closely linked to the requirement of "informed" consent. At the same time, it must be interpreted in line with the requirement for "granularity" to obtain "free" consent. In sum, to comply with the element of "specific" the controller must apply:

i) purpose specification as a safeguard against function creep,
ii) granularity in consent requests, and
iii) clear separation of information related to obtaining consent for data processing activities from information about other matters.


(…)

“3.3. Informed
The GDPR reinforces the requirement that consent must be informed. Based on Article 5 of the GDPR, the requirement for transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects prior to obtaining their consent is essential in order to enable them to make informed decisions, understand what they are agreeing to and, for example, exercise their right to withdraw their consent. If the controller does not provide accessible information, user control becomes illusory and consent will not be a valid basis for processing.
If the requirements for informed consent are not met, consent will be invalid and the controller may be in breach of Article 6 of the GDPR.


3.3.1. Minimum content requirements for consent to be "informed"
For consent to be informed, it is necessary to inform the data subject of certain elements that are crucial in order to make a choice. Therefore, the WP29 is of the opinion that at least the following information is required for obtaining valid consent:
i) the identity of the controller,
ii) the purpose of each of the processing operations for which consent is sought,
iii) what (type of) data will be collected and used,
iv) the existence of the right to withdraw consent,
v) information on the use of the data for automated decision-making in accordance with Article 22(2)(c), where relevant, and
vi) information on the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards, as described in Article 46”.

In the case at hand, there is no evidence that the data subjects gave valid consent covering the processing of personal data that is the subject of the complaint. The entity does not even duly inform about this processing, its purpose and legal basis, or the right to withdraw consent where applicable, in accordance with Article 13 of the GDPR; nor has it established any mechanism by which data subjects can give explicit consent.

As regards information, it should be noted that only the Privacy Policy of the British parent of the Group, Thomas International Ltd., is presented, in English, and that it does not duly inform about the legal basis of the processing or its purpose, which is described simply by reference to research purposes.

Finally, THOMAS INTERNATIONAL SYSTEMS has not provided sufficient elements to determine compliance with the proportionality test required by the Constitutional Court, so that it can be concluded whether the processing is suitable for the intended purpose, whether or not it is necessary, and whether there are alternative, less intrusive measures.

In this regard, the Constitutional Court has held (Judgment 14/2003, of 28 January) that "to verify whether a measure restricting a fundamental right passes the proportionality test, it is necessary to ascertain whether it meets the following three requirements or conditions: whether the measure is capable of achieving the proposed objective (suitability test); whether, in addition, it is necessary, in the sense that there is no other more moderate measure for achieving that purpose with equal effectiveness (necessity test); and, finally, whether it is weighted or balanced, because more benefits or advantages for the general interest derive from it than harm to other goods or values in conflict (proportionality test in the strict sense)".


In this regard, the principle of minimum intervention (Article 5.1.c) and Article 25.1 GDPR) must be taken into account, since it is necessary to prove that there is no other more moderate measure to achieve the intended purpose with equal effectiveness, within the framework of the controller's accountability.


Therefore, from the facts and legal grounds set out, it follows that THOMAS INTERNATIONAL SYSTEMS processes special categories of personal data contrary to the prohibition established in Article 9 of the GDPR, without any of the exceptions provided for lifting that prohibition applying. This breach of Article 9 of the GDPR gives rise to the application of the corrective powers that Article 58 of that Regulation grants the Spanish Data Protection Agency.



                                            VI

THOMAS INTERNATIONAL SYSTEMS has argued that there is no punishable infringement in the absence of intent in the act or omission causing it, adding that it has had a proactive attitude and has complied with its obligations.

In this regard, it should be noted, first of all, that the incident occurs within the sphere of responsibility of THOMAS INTERNATIONAL SYSTEMS and that this entity must answer for it. The alleged lack of intent can in no way be considered to exclude its liability, especially when the infringement could have been avoided through greater diligence. In this case, the infringement committed is incompatible with the diligence that the entity is obliged to observe.


This diligence must be shown in the specific case under analysis, and not in the general circumstances that the entity alleges in order to justify a proactive approach, which cannot be taken as circumstances that prevent the responsibilities derived from the specific irregular conduct from being demanded.


To accept the approach taken by THOMAS INTERNATIONAL SYSTEMS in its allegations would amount to admitting that the application of the GDPR and the LOPDGDD, distorting the entire system established on the lawfulness of the processing of personal data.

It should be recalled, on the other hand, that the infringement may be committed intentionally or negligently. The National Court, in its Judgment of 21 September 2004 (RCA 937/2003), states as follows:

"Furthermore, as regards the application of the principle of culpability, it follows (following the criterion of this Chamber in other Judgments such as that of 21 January 2004 issued in appeal 1139/2001) that the infringement provided for in Article 44.3.d) may be committed both intentionally and negligently... because although in matters of sanctions the principle of culpability governs, as can be inferred from a simple reading of Article 130 of Law 30/1992, the truth is that the expression "simple non-observance" in Article 130.1 of Law 30/1992 allows the sanction to be imposed, without doubt in cases of intent, and also in cases of negligence, the non-observance of the duty of care being sufficient”.

Along these lines, mention may be made of the SAN of 21 January 2010, in which the Court states:

“The appellant also maintains that there is no culpability in her conduct. While it is true that the principle of culpability prevents strict liability from being admitted in administrative sanctioning law, it is also true that the absence of intent is secondary, since this type of infringement is normally committed through careless or negligent conduct, which is sufficient to constitute the subjective element of culpability. XXX's conduct is clearly negligent because... it must know... the obligations imposed by the LOPD on all those who handle third parties' personal data. XXX is obliged to guarantee the fundamental right to the protection of the personal data of its clients and prospective clients with the intensity required by the content of that right".

The principle of culpability is required in sanctioning proceedings, and thus STC 246/1991 considers liability without fault inadmissible in the field of administrative sanctioning law. But the principle of culpability does not mean that only intentional or voluntary conduct can be punished, and in this regard Article 28 of Law 40/2015 on the Legal Regime of the Public Sector, under the heading "Liability", provides as follows:

"1. Only natural and legal persons, as well as, when a Law recognises their capacity to act, groups of affected persons, unions and entities without legal personality and independent or autonomous estates, that are responsible for acts constituting an administrative infringement by way of intent or negligence may be sanctioned for them".

The facts set out in the preceding Ground show that THOMAS INTERNATIONAL SYSTEMS did not act with the diligence it was obliged to exercise, but acted with a lack of diligence. The Supreme Court (Judgments of 16 and 22 April 1991) considers that it follows from the element of culpability "...that the action or omission, classified as an administratively punishable infringement, must in any case be attributable to its author, by intent or imprudence, negligence or inexcusable ignorance". The same Court reasons that "for exculpation from typically unlawful conduct, the invocation of the absence of culpability is not enough", but that it is necessary "that the diligence that was required be shown by the person claiming its non-existence" (STS of 23 January 1998).

Also connected to the degree of diligence that the controller is obliged to deploy in complying with the obligations imposed by data protection regulations, the SAN of 17 October 2007 (Rec. 63/2006) may be cited, which specified: "(...) the Supreme Court has understood that there is imprudence whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence”.


In addition, the National Court, in matters of personal data protection, has declared that "simple negligence or non-compliance with the duties that the Law imposes on those responsible for files or data processing to be extremely diligent..." is sufficient (SAN of 29 June 2001).


It is therefore concluded, contrary to the defendant entity's objection, that the subjective element is present in the infringement found.


                                           VII


In the event of an infringement of the provisions of the GDPR, among the corrective powers available to the Spanish Data Protection Agency as supervisory authority, Article 58.2 of that Regulation provides for the following:

"2. Each supervisory authority shall have all of the following corrective powers:

(…)
b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(…)
d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(…)
i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;".

Under Article 83.2 of the GDPR, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine.


                                             VIII


The facts described are considered to infringe Article 9 of the GDPR, which entails the commission of an infringement classified in Article 83.5.a) of the GDPR.


Article 83.5.a) of the GDPR, under the heading "General conditions for imposing administrative fines", provides as follows:

"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9”.


For its part, Article 71 of the LOPDGDD considers any breach of this Organic Law an infringement:

"Infringements are the acts and conduct referred to in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law".

Article 72.1.e) of the LOPDGDD classifies the following as "very serious" for the purposes of limitation:

"1. On the basis of Article 83.5 of Regulation (EU) 2016/679, infringements involving a substantial violation of the articles mentioned therein are considered very serious and will be time-barred after three years, in particular the following:

e) The processing of personal data of the categories referred to in Article 9 of Regulation (EU) 2016/679 without any of the circumstances provided for in that provision and in Article 9 of this Organic Law applying."


In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58(2), letters a) to h) and j). When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given to the following:
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”

For its part, Article 76 "Sanctions and corrective measures" of the LOPDGDD provides:

"1. The sanctions provided for in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in paragraph 2 of that Article.
2. In accordance with Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the infringement.
b) The link between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the conduct of the data subject may have induced the commission of the infringement.
e) The existence of a merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The effect on the rights of minors.
g) Having a data protection officer when it is not mandatory.
h) The voluntary submission of the controller or processor to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any data subject”.


Regarding the infringement of Article 9 of the GDPR, on the basis of the facts set out, it is considered that the sanction that should be imposed is an administrative fine.

The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with Article 83.1 of the GDPR. Thus, the status of small business and the turnover of THOMAS INTERNATIONAL SYSTEMS are taken into account from the outset (it is recorded in the proceedings that said entity (…)).


In accordance with the provisions indicated, for the purpose of setting the amount of the sanction to be imposed in the present case, the following criteria are considered applicable:

The following graduation criteria are considered to apply as aggravating factors:


    . Article 83.2.a) of the GDPR: "a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them”.

         . The nature and seriousness of the infringement, taking into account that the data subject does not clearly know the entity responsible for the processing or the use that will be made of the personal data, which affects the data subject's ability to exercise genuine control over his or her personal data.

         . In relation to the duration of the infringement, it is recorded in the proceedings that the Privacy Policy covering the personal data processing carried out by the entity, including the processing that is the subject of this proceeding, is dated 07/03/2019.

         . The number of data subjects: the infringement affects all the data subjects evaluated by THOMAS INTERNATIONAL SYSTEMS.

         . The damage suffered by the data subjects: taking into account all the circumstances described, it is clear that the data subjects have been exposed to increased risks to their privacy.


    . Article 83.2.b) of the GDPR: "b) the intentional or negligent character of the infringement".

    The negligence found in the commission of the infringement. In this respect, account has been taken of what was declared in the National Court Judgment of 17 October 2007 (rec. 63/2006) which, based on the fact that these are entities whose activity involves continuous data processing, states that "...the Supreme Court has understood that imprudence exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, special consideration must be given to whether or not the subject is a professional, and there is no doubt that, in the case now examined, when the appellant's activity involves the constant and copious handling of personal data, rigour and exquisite care in complying with the legal provisions in this regard must be insisted upon”.

    It is a company that carries out personal data processing systematically and continuously in the employment field and that should take extreme care in complying with its data protection obligations.


    . Article 83.2.d) of the GDPR: "d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32”.

    The accused entity does not have adequate procedures in place for the collection and processing of personal data as regards data relating to ethnicity and disability, so the infringement is not the consequence of an anomaly in the operation of such procedures but of a defect in the personal data management system designed by the controller on its own initiative.


    . Article 76.2.b) of the LOPDGDD: "b) The link between the offender's activity and the processing of personal data”.

    The close link between the offender's activity and the processing of personal data. The level of establishment of the Group to which THOMAS INTERNATIONAL SYSTEMS belongs and the activity it carries out. This circumstance determines a greater degree of demand and professionalism and, consequently, of responsibility of the entity in relation to data processing.


Considering the factors set out, the amount reached for the fine, for the infringement of Article 9 of the GDPR, is 50,000 euros (fifty thousand euros).

THOMAS INTERNATIONAL SYSTEMS, in its statement of allegations to the opening of the procedure, has made no statement on the graduation criteria set out, which were set out in that agreement with the same breadth and detail.

However, it has requested that, instead of sanctioning with an administrative fine, a reprimand be issued, considering that it has taken additional measures to avoid any incident, such as appointing a new data protection officer, carrying out a new risk analysis and impact assessment, and drafting new information clauses on the processing involved in the "Questionnaire", in addition to reinforcing the information and training of its staff.

In support of its approach, it cites various precedents processed by this Agency, mentioned in the Eighth Antecedent, in which the proceedings were closed or a reprimand was issued in view of the regulatory adaptation carried out by the responsible entity.

THOMAS INTERNATIONAL SYSTEMS highlights the actions taken by the respondent party in the precedents it cites, among them the suspension of the website involved in the facts, the updating of the data protection information offered to data subjects, the improvement of the mechanisms for giving consent by ticking a box, the appointment of a data protection officer, or the absence of any previous infringement by the respondent party.


Finally, it highlights that it has a proactive attitude; that all its staff are duly trained; that its activity has not caused damage to the rights of data subjects; that it has not received any complaint, incident or security breach to date; and that, upon learning of the matter, it initiated a review of its protocols, analyses and assessments, and proceeded to appoint proven specialists in the field.


In response to these allegations, it is reiterated that, in this case, considering the seriousness of the infringement found, the imposition of a fine is appropriate, in addition to the adoption of measures. The request made by THOMAS INTERNATIONAL SYSTEMS to impose other corrective powers that would have allowed the irregular situation to be corrected, such as a reprimand, cannot be accepted; the reprimand is provided for, in general, for natural persons and where the sanction would constitute a disproportionate burden (recital 148 of the GDPR).

In addition, THOMAS INTERNATIONAL SYSTEMS has not justified, or even mentioned, what the similarities are between the present case and the factual situations examined in the precedents it invokes.

In any case, it should be noted that the measures adopted are insufficient for the intended purposes, since they do not restore the rights of the data subjects. THOMAS INTERNATIONAL SYSTEMS has not in any way raised the cessation of the conduct that infringes the legal system.

Nor can the measures adopted by the entity be assessed as mitigating. These measures are not adequate to "remedy the infringement and mitigate the possible adverse effects of the infringement", in the terms of Article 83.2.f) of the GDPR, or to "mitigate the damage suffered by data subjects" as a consequence of the infringement, under paragraph 2.c) of the same Article. Mitigating the adverse effects or alleviating the damage caused by the infringement implies restoring the rights of the data subjects, which in this case entails deleting the ethnicity and disability data collected from the data subjects and suspending their collection.

On the other hand, none of the graduation factors considered is attenuated by the fact that THOMAS INTERNATIONAL SYSTEMS has not previously been subject to sanctioning proceedings.

In this regard, the Judgment of the AN of 5 May 2021, rec. 1437/2020, states:

"It considers, on the other hand, that the non-commission of a previous infringement. Well, Article 83.2 of the GDPR establishes that, for the imposition of the administrative fine, account must be taken of, among others, the circumstance "e) any previous infringement committed by the controller or processor". It is an aggravating circumstance, and the fact that the premise for its application does not exist means that it cannot be taken into consideration, but it does not imply or allow, as the appellant claims, its application as a mitigating factor”.


According to Article 83.2 of the GDPR cited above, when deciding whether to impose an administrative fine and its amount, account must be taken of "any previous infringement committed by the controller". It is a normative provision that does not include the absence of previous infringements as a factor for graduating the fine, and it must be understood as a criterion close to recidivism, although broader.


Nor can it be accepted that there has been no damage to the rights of the data subjects, since they have been exposed to an increased risk to their privacy.



                                          IX

If the infringement is confirmed, the controller may be ordered to adopt appropriate measures to bring its conduct into line with the regulations cited in this act, in accordance with Article 58.2.d) of the GDPR, under which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…”.

This act establishes the infringement committed and the facts giving rise to the violation of data protection regulations, from which the measures to be adopted can be clearly inferred, notwithstanding that the specific procedures, mechanisms or instruments for implementing them are for the sanctioned party to determine, since it is the controller who fully knows its organisation and must decide, on the basis of accountability and a risk-based approach, how to comply with the GDPR and the LOPDGDD.

However, in this case, irrespective of the foregoing, it is proposed that, in the resolution adopted, this Agency require the responsible entity to prove, within the period to be determined, that it has removed from the "Questionnaire" the collection of personal data relating to the ethnicity and disability of those affected, and that it has ceased using such data previously collected.

It is noted that failure to comply with the requirements of this body may be considered a serious administrative infringement for "not cooperating with the supervisory authority" in response to the requirements made, and such conduct may be assessed when initiating an administrative sanctioning procedure with a pecuniary fine.



In view of the foregoing, the following is issued


                          PROPOSED RESOLUTION



FIRST: That the Director of the Spanish Data Protection Agency sanction
THOMAS INTERNATIONAL SYSTEMS, S.A., with NIF A81603391, for an
infringement of Article 9 of the GDPR, typified in Article 83.5.a) of the GDPR and
classified as very serious for limitation purposes in article 72.1.e) of the
LOPDGDD, with a fine of 50,000 euros (fifty thousand euros).

SECOND: That the Director of the Spanish Data Protection Agency order
THOMAS INTERNATIONAL SYSTEMS, S.A., within the period to be determined, to adopt
the measures necessary to bring its conduct into line with the personal data
protection regulations, with the scope set out in Legal Ground IX of this proposed
resolution.

Likewise, in accordance with article 85.2 of the LPACAP, you are informed that you
may, at any time before the resolution of this procedure, make voluntary payment of
the proposed sanction, which will entail a 20% reduction of its amount. With this
reduction applied, the sanction would be set at 40,000 euros (forty thousand euros),
and its payment will entail the termination of the procedure. The effectiveness of
this reduction is conditional on the withdrawal or waiver of any administrative action
or appeal against the sanction.

Should you choose to make the voluntary payment of the amount indicated above, in
accordance with the aforementioned article 85.2, you must do so by paying it into
restricted account no. ES00 0000 0000 0000 0000 0000, opened in the name of the
Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the payment
reference the procedure number shown in the heading of this document and the reason:
voluntary payment, reduction of the amount of the sanction. You must also send proof
of payment to the Sub-Directorate General of Inspection so that the file can be
closed.

By virtue of the foregoing, you are hereby notified of the above, and the proceedings
are made available to you so that within TEN DAYS you may submit whatever allegations
you consider appropriate in your defense and present the documents and information
you deem pertinent, in accordance with Article 89.2 of the LPACAP.
                                                                              926-050522
B.B.B.
INSTRUCTOR
>>


SECOND: On November 18, 2022, the respondent paid the penalty in the amount of
40,000 euros, applying the reduction provided for in the proposed resolution
transcribed above.


THIRD: The payment made entails the waiver of any administrative action or appeal
against the sanction, in relation to the facts referred to in the proposed
resolution.

FOURTH: The proposed resolution transcribed above set out the acts constituting an
infringement, and it was proposed that the Director order the controller to adopt
adequate measures to bring its conduct into line with the regulations, in accordance
with the aforementioned article 58.2 d) of the GDPR, according to which each
supervisory authority may "order the controller or the processor to bring processing
operations into compliance with the provisions of this Regulation, where appropriate,
in a specified manner and within a specified period…".

                                LEGAL GROUNDS
                                            I
                                     Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR) grants to each
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on the Protection of Personal Data and the
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data
Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD provides that: "The procedures
processed by the Spanish Data Protection Agency shall be governed by the provisions
of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

                                           II

                            Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), under the heading "Termination in
sanctioning proceedings", provides the following:


"1. Once a sanctioning procedure has been initiated, if the offender acknowledges
responsibility, the procedure may be resolved by imposing the appropriate sanction.

2. Where the sanction is solely pecuniary in nature, or where it is possible to
impose a pecuniary sanction and another of a non-pecuniary nature but the
inappropriateness of the latter has been justified, voluntary payment by the presumed
offender at any time before the resolution shall entail the termination of the
procedure, except as regards the restoration of the altered situation or the
determination of compensation for the damages caused by the commission of the
infringement.


3. In both cases, where the sanction is solely pecuniary in nature, the body
competent to resolve the procedure shall apply reductions of at least 20% of the
amount of the proposed sanction, these being cumulative with each other. The
aforementioned reductions must be set out in the notification of initiation of the
procedure, and their effectiveness shall be conditional on the withdrawal or waiver
of any administrative action or appeal against the sanction.

The percentage reduction provided for in this section may be increased by
regulation."


Accordingly, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure PS/00214/2022, in accordance with
article 85 of the LPACAP.

SECOND: REQUIRE THOMAS INTERNATIONAL SYSTEMS, S.A. to notify the Agency, within
one month, of the adoption of the measures described in the legal grounds of the
proposed resolution transcribed in this resolution.

THIRD: NOTIFY this resolution to THOMAS INTERNATIONAL
SYSTEMS, S.A.


In accordance with article 50 of the LOPDGDD, this resolution will be made public
once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure pursuant to
article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations, interested parties may file a contentious-administrative
appeal before the Contentious-Administrative Chamber of the National High Court, in
accordance with article 25 and section 5 of the fourth additional provision of
Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,
within two months from the day following notification of this act, as provided in
article 46.1 of that Law.

                                                                                 1331-281122
Mar España Martí
Director of the Spanish Data Protection Agency
