AEPD (Spain) - E/01090/2021

From GDPRhub
Revision as of 11:07, 15 March 2021 by Cvl (talk | contribs)
AEPD - E/01090/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(9) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: E/01090/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) has held that sharing documents containing personal data with the courts and other parties involved in the context of legal proceedings does not infringe the right to data protection, as the rights to a due process and legal defence have to be balanced against it.

English Summary

Facts

A data subject made a complaint to the Spanish DPA because a party in a legal proceeding against the data subject shared with another counterparty in the same legal proceeding with such data subject a legal document containing personal data of the data subject.

Dispute

Can the right of data protection preclude sharing documents containing personal data with the courts and the other parties involved in the context of a legal proceeding?

Holding

The Spanish DPA, based on case-law from the Spanish Constitutional Court, held that in the context of legal proceeding where the data subject is a party, it is not necessary to ask for his consent in order to share documents that are used as evidence in a trial with the court and with the other counterparties in the proceedings.

Comment

The decision from the Spanish DPA does not analyze in detail the articles of the GDPR but makes a general balancing act between the right of data protection and the right to a due process and the right to legal defence. It argues that individuals can't use data protection rights to avoid disclosing personal data that is relevant for the legal proceedings.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/5










     Procedure Nº: E / 01090/2021


                  RESOLUTION OF ACTION FILE


Of the actions carried out by the Spanish Agency for Data Protection and

based on the following

                                      ACTS

FIRST: A.A.A. (hereinafter, the claimant) on July 4, 2020 filed
claim before the Spanish Agency for Data Protection. The claim is

directs against WALLNER EUROPA, S.L. with NIF B63809560 (hereinafter, the
claimed). The reasons on which the claim is based are that the company WALLNER
EUROPA SL or the law firm representing SINDREU ABOGADOS
has provided the company ADGEST MANAGER S.L. an auto document of
dismissal of precautionary measures requested by the claimant in a dismissal against

WALLNER EUROPA S.L.

You have filed a labor lawsuit against ADGEST MANAGER S.L. and has had
knowledge that the order for the rejection of precautionary measures has been provided
in the proceeding against said company.


Along with the claim, it provides

-Copy of ADGEST document, represented by FMI ABOGADOS Y ECONOMISTAS
addressed to the Social Court no. 7 of *** LOCALITY. 1, of June 15, 2020,
claim procedure amount *** PROCEDURE.1, and diligence of

incorporation into the judicial procedure signed by the Attorney for the administration of
Justice of June 18, 2020. The brief explains that “it challenges the request for
precautionary measures and preventive seizure of assets because it is understood that the
requirements". It indicates that there is no employment relationship with the claimant and "there is no indication
any insolvency of the co-defendants that prevented the execution of a

eventual conviction… ”It is illustrative for these purposes, signing the thesis
of this, is provided as document 1, Writ in piece of precautionary measures, in
procedure of the actor himself ... in claim of dismissal, against another entity
financial Wallner Europa SL
 followed before the Social Court 4 of this city, in dismissal orders

*** CARS.1. "

  The aforementioned order that you attached is dated February 5, 2020 with the claimant
as plaintiff against Wallner Europa S.L, “in demand for dismissal with request
of precautionary measure of preventive seizure of the defendant's assets, indicating that
Since they were part of a Business Group with only one partner, they could

transfer the assets or rights and divert funds from the entity to other companies
of the group frustrating the possibilities of collection of the amounts requested. " At
reasoning, the car analyzes the documentation provided by WALLNER: balance of
situation and provisional operating account for the year 2019, annual accounts

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/5








of the 2018 financial year, as well as certificates of being up-to-date with
Social Security or up to date with tax obligations for the purposes of contracts with the
public sector. The order dismisses the request for precautionary measures presented by
the claimant, indicating that the existence of circumstance
any that lead to your request being considered. The operative part contains the

rejection of the petition filed, with the name of the claimant, as well as in the
header. The document on its left margin horizontally, along the
folios, it contains a literal that warns: "The dissemination of the text of this resolution to
parties not interested in the process in which it has been issued may only be carried out
carried out prior dissociation of the personal data that they contain
and with full respect for the right to privacy, the rights of the people who

require a special duty of guardianship or the guarantee of the anonymity of the victims or
harmed where appropriate. The personal data included in this resolution does not
they may be transferred or communicated for purposes contrary to the law "-

-Copy of order of the Judge of the Social Court 7, subject: defendant

ADGEST in which the day after its presentation, June 16, 2020, gives
transfer of the brief submitted by ADGEST to the complaining party, in order for them to allege
what is convenient for you.


SECOND: In view of the facts denounced in the claim and the

documents provided by the claimant to the General Subdirectorate of Inspection of
Data proceeded on July 23, 2020 to transfer the claim of
in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).



On August 6, 2020, the respondent responds:

-The claimant throughout 2019 has filed on his own behalf and in
representing his mother a total of seven legal proceedings in the matter of
dismissal, claim for quantity, illegal assignment, violation of rights

fundamentals against WALLNER EUROPA S.L. Indicates the number of
procedures and the subject of each one of them.

He states that upon receiving the first claim, he entrusted DURÁN
SINDREU S.L. defense and representation in all proceedings, and that “El 9
June 2020, Wallner receives a call from lawyer B.B.B., from the IMF firm

ABOGADOS Y ECONOMISTAS S.L., “who tells us that his client the company
ADGEST MANAGERS, a competitor of WALLNER, has received demand from the
claimant with identical motions of merits to those received by WALLNER.

WALLNER forwarded said call to the lawyer of DURÁN SINDREU's office,

C.C.C. to get in touch with attorney B.B.B. since the claimant
had submitted identical claims to WALLNER and ADGEST and had
requested against both precautionary measures.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/5








From the various conversations that took place between the lawyers and for the sake of the defense of
our companies against claims with identical motions, the attorney C.C.C.
provided the ADGEST attorney with the order dismissing precautionary measures issued. "


It considers that the communication between lawyers of the aforementioned dismissal order "is
It is part of the confidentiality and professional secrecy established in article 5 of the
code of ethics of the Spanish Lawyers, not having violated the right
any relation to Data Protection "


On October 20, 2020, the claim is admitted for processing.


                                FOUNDATIONS OF LAW


                                                 I

In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and

guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for
Data Protection.

                                                II

The RGPD defines in its article 4:

"1)" personal data ": any information about an identified natural person or
identifiable ("the interested party"); an identifiable natural person shall be considered any person
whose identity can be determined, directly or indirectly, in particular by means of
an identifier, such as a name, an identification number, data from
location, an online identifier or one or more elements of the identity
physical, physiological, genetic, psychic, economic, cultural or social of said person; "


  2) "treatment": any operation or set of operations carried out on
personal data or personal data sets, whether by procedures
automated or not, such as collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,

communication by transmission, broadcast or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction;

  4) "file": any structured set of personal data, accessible in accordance with
  to certain criteria, whether centralized, decentralized or distributed in a
  functional or geographic;

  7) "controller" or "controller": the natural or legal person,
authority, service or other body that, alone or together with others, determines the purposes and
means of treatment; whether the law of the Union or of the Member States

determines the purposes and means of the treatment, the person responsible for the treatment or
Specific criteria for their appointment may be established by Union law.
or the Member States].

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/5








  9) "addressee": the natural or legal person, public authority, service or other
body to which personal data is communicated, whether or not it is a third party. Do not
However, public authorities that may receive

personal data in the framework of a specific investigation in accordance with the
Union or Member State law; the treatment of such data by
said public authorities will be in accordance with the rules on protection
of data applicable to the purposes of the treatment;

  10) "third party": natural or legal person, public authority, service or body

other than the interested party, the person responsible for the treatment, the person in charge of the treatment
and of the persons authorized to process personal data under the authority
direct from the person in charge or the person in charge; "

                                             III


The Constitutional Court has declared, in its Sentence 292/2000, of November 30,
Regarding the fundamental right to data protection, “that the right to

Data protection is not unlimited, and although the Constitution does not impose express-
specific limits, nor refer to the Public Powers for their determination
As it has done with other fundamental rights, there is no doubt that they must
contradict them in the remaining fundamental rights and constitutional legal rights
protected, as it is required by the principle of unity of the Constitution ”.

The enforceability of the consent of the parties in the judicial processes for the contribution

tation of documents in which the data of the counterparty appears would mean leaving the
disposition of the former, the will to use it, which would result in the impossibility of
to fully exercise their right to effective judicial protection, producing defenselessness
Zion. Thus, the lack of these data or their communication to the counterparty may imply, lo-
gically, a reduction in the possibility of contribution by the interested party of "the media

pertinent evidence for his defense ", violating another of the guarantees derived
of the aforementioned right to effective guardianship and restricting the possibility of obtaining the full
development of this right.

In view of this, the legislator has created a system in which the right to protection

of personal data yields in those cases in which the legislator himself
(constitutional or ordinary) has considered the existence of reasoned and fundamental reasons
given that justify the need for data processing, incorporating said
supposed to norms of, at least, the same rank as the one that regulates the
gida.


As stated by the reiterated jurisprudence of the Constitutional Court (for all,
STC 186/2000, dated 07/10, with the citation of many others) "the right to privacy is not
absolute, as none of the fundamental rights is, being able to yield to
constitutionally relevant interests, provided that the cut that it has to

experience is revealed as necessary to achieve the legitimate purpose envisaged, proportionate to
in order to achieve it and, in any case, be respectful of the essential content of the
right ".

Therefore, the acceptance or knowledge of the affected party is not required for the transfer of
personal data, when the communication is for judicial defense and as

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/5








recipients to the Judges or Courts within the exercise of their powers,
including the cases in which it is evidence that, although it has not been

Requested by the Judge or Court, they are provided by the parties. The action is
subsumed in the right of all citizens to use all means of
relevant evidence for your defense, in the exercise of your rights and interests
legitimate, without, in any case, being defenseless, as indicated in the
Article 24.2 of the Constitutional text that prevails in this case, also considering

that the personal data of the claimant was already known by the defendant because it was the
counterpart of a demand for quantity against them, and the document contained the
reasons for the denial of the precautionary measures that he requested, so that with
his transfer does not reveal intimate data of the claimant nor was his identity
unknown to ADGEST.

In the present case, the analysis carried out on the documents provided and the
concurrent circumstances, there are no indications of infringement in the field
competence of this AEPD.




Therefore, in accordance with the provisions, by the Director of the Spanish Agency for
Data Protection, IT IS AGREED:


FIRST: PROCEED WITH THE FILING of these actions.

SECOND: NOTIFY this resolution to the claimant and claimed.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by

the art. 114.1.c) of Law 39/2015, of 1/10, of the Common Administrative Procedure of
the Public Administrations, (LPCAP) and in accordance with the provisions of the
arts. 112 and 123 of the same Law, the interested parties may file, optionally,
appeal for reconsideration before the Director of the Spanish Agency for Data Protection
within a month from the day following notification of this

resolution or directly administrative contentious appeal before the Chamber of
Contentious-administrative of the National Court, in accordance with the provisions of the
Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of
07/13, regulating the Contentious-Administrative Jurisdiction, within two
months from the day following notification of this act, as provided

in article 46.1 of the aforementioned Law.

                                                                                   940-0419
Mar Spain Martí
Director of the Spanish Agency for Data Protection








C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es