AEPD (Spain) - PS 00214-2022
|AEPD - PS 00214-2022|
|Relevant Law:||Article 6(1) GDPR|
Article 9(2) GDPR
THOMAS INTERNATIONAL SYSTEMS, S.A.
|National Case Number/Name:||PS 00214-2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
|Initial Contributor:||Teresa López|
The Spanish DPA fined a talent acquisition company €40,000 for collecting data on candidates' ethnicity and disability to improve its own services. The company violated Article 9 GDPR because, among other things, it could not rely on 'scientific research purposes' (Article 9(2)(j) GDPR).
English Summary[edit | edit source]
Facts[edit | edit source]
Thomas International Systems, S.A ('Thomas'), the controller, was a talent acquisition company that carried out aptitude testing on behalf of its clients. At the request of its clients, 'Thomas' provided behavioural tests and surveys in order to review job candidates. In this context, Agroxarxa, S.L. ('Agroxarxa'), a client of 'Thomas', requested a candidate for a job (data subject) to complete a behavioural survey on the website of 'Thomas'.
The data subject completed the assessment of 'Thomas' (From here, The first survey), on behalf of 'Agroxarxa'. However, once they completed the first survey, 'Thomas' asked the data subject to fill in a second questionnaire (From here, The second survey) for the purposes of research and improvement of the evaluations conducted by 'Thomas'. This second survey collected several categories of personal data, such as gender, year of birth, disability, ethnicity, mother tongue, level of education, current employment status, etc. For each question in this second survey, the data subject was presented with a drop-down mechanism that included the option “I prefer not to answer”, in all questions apart from those under the disability category. The second survey also contained an informative text which would be presented before the data subject would start answering the questions. 'Thomas' stated in this text that participation was entirely voluntary. Data subjects would be able to skip any question they did not wish to answer.
On 21 February 2021, the data subject filed a complaint with the Spanish DPA (DPA) against 'Thomas' for requesting disability and ethnicity data. The data subject stated that they were unaware of how the company would use such data.
After a request from the DPA, 'Thomas' disclosed its data processing agreement with 'Agroxarxa'. This agreement identified 'Thomas' as a data processor for the purposes of carrying out the first survey on behalf of 'Agroxarxa' for its recruitment process. Regarding the second survey, 'Thomas' acknowledged that it was the controller for the processing of disability and ethnicity data.
'Thomas' stated that it could rely on Article 9(2)(j) GDPR ('scientific research purposes') to process the special category health data. 'Thomas' asserted in this regard that it complied with several international psychometric standards. 'Thomas' also stated that the data subject had the option to consent to the processing of ethnicity and disability, because the data subject could simply choose to refrain from giving an answer to these questions.
Holding[edit | edit source]
First, The DPA started by acknowledging that 'Thomas' was the controller for the processing regarding the second survey. The DPA stated that the company determined both the means and purposes of the processing, and also held that the controller processed this data for its own benefit.
Second, The DPA held that 'Thomas' processed data relating to ethnicity and disability, which are special categories of data, without justifying the applicability of any circumstances or exceptions established in Article 9(2) GDPR. Therefore, 'Thomas' did not have a justification for violating the prohibition on the processing of special category personal data. The DPA specifically held that the exception alleged by the controller, that of Article 9(2)(j) ('scientific research purposes'), did not apply. The controller could not invoke any legal rule covering such data processing. Regarding the international psychometric standards invoked of the controller, the DPA held that these did not constitute "standards of Union or Member State Law", which is a requirement of Article 9(2)(j) GDPR. Therefore, the controller could not rely on Article 9(2)(j) GDPR for its processing.
Fourth, The DPA also dismissed the possibility that the processing of sensitive data was based on consent due to the optional nature of the survey. The DPA held that the mere indication of voluntariness does not meet the requirements of Article 9(2)(a) GDPR, which states that consent to the processing of special categories of personal data must be “explicit”. The DPA also stated that the controller did not have a consent-mechanism in place and held that the fact that the data subject could choose whether to fill in the form could not be accepted as a form of consent.
Lastly, the DPA held that 'Thomas' had failed to provide sufficient evidence to prove that proportionality requirements were met, which was an obligation demanded by the Spanish constitutional court (see Judgement 14/2003, 28 January).
For all these reasons, the DPA found that the controller had breached Article 9 GDPR. The DPA imposed a sanction according to Article 83(5)(a) GDPR and Article 72(1)(e) of the Spanish Data Protection Law. After considering aggravating factors, the DPA determined a fine of €50,000. The DPA also ordered the controller to stop the collection of personal data relating to ethnicity and disability from the survey. The controller also had to stop using the data it had previously collected on this basis. The controller ended paying €40,000 by making use of the possibility, provided for in Spanish administrative law, to have the fine reduced due to a voluntary payment.
Comment[edit | edit source]
The Spanish Data Protection Authority gave an example of what measures would have constituted an adequate remedy and mitigation to the breach according to Article 83(2)(f) GDPR: “Mitigating the adverse effects or mitigating the damage caused by breaches involves restoring the rights of data subjects, which in this case entails deleting the ethnicity and disability data collected from data subjects and suspending their collection”.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.