AEPD - PS/00065/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 20.01.2021 |
Fine: | n/a |
Parties: | Ciegos Españoles Católicos Organizados (CECO) |
National Case Number/Name: | PS/00065/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD resolution (in ES) |
Initial Contributor: | Miguel Garrido de Vega |
The Spanish Data Protection Agency (AEPD) imposed a warning on the blind catholic peoples association Ciegos Españoles Católicos Organizados for infringing Article 13 GDPR. The association used a form for the admission of new members that did not include all the relevant information required by the data protection legislation.
English Summary
Facts
The decision is the consequence of a complaint submitted by a Spanish citizen (the claimant), stating that the defendant used forms for the admission of new members that did not comply with the requirements by Article 13 GDPR; to that respect, the claimant attached a copy of such forms.
Dispute
The defendant answered to the first AEPD investigation requests stating that it had always made its best efforts to comply with the legislation, and it attached some information to such answer: the same forms already attached by the claimant, an enquiry to the legal team of the AEPD, internal communications on the irregularities detected regarding data protection, and a copy of the new form already signed by the claimant. The AEPD started the corresponding sanction procedure, and the defendant answered admitting that, although it is true that the last form did not include all the relevant points of Art. 13 GDPR, since the irregularities were detected, the defendant has made big efforts to solve the matter and comply with the legislation.
Holding
Thus, the AEPD understood that the defendant has infringed Article 13 of the GDPR, as its previous form did not provide new members with all the legal information. Consequently, after considering some circumstances [(i) the defendant had already amended the form to include all the necessary information; (ii), the defendant even admitted that such previous form was not compliant; and (iii) the new form includes a separate consent box for the data processing activity and the use of the image of the new members], the AEPD decided to impose a warning to the defendant.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/14 Procedure No: PS/00065/2020 RESOLUTION OF DISCIPLINARY PROCEEDINGS From the procedure carried out by the Spanish Data Protection Agency and based on the following the following: BACKGROUND FIRST: On 27/06/2019, the Spanish Data Protection Agency (AEPD) received a complaint lodged by Mr. A.A.A. (hereinafter, the "AEPD") de Datos (AEPD) a complaint lodged by Mr A.A.A. (hereinafter, the claimant) against the association claimant) against the association CIEGOS ESPAÑOLES CATÓLICOS ORGANIZADOS with tax identification number R5000907E (hereinafter the respondent or CECO). The complaint concerns the application form for the registration and deregistration of its members that CECO started to use in cECO started using in 2019. This form, which was approved by the Board of Directors of the entity complained of, in the opinion of the complainant, a member of the the association, does not comply with the regulations on the protection of personal data personal data. The complainant adds that the registration application form used in 2018 was also not in compliance with the rules governing the right to the protection of personal data, and he personal data protection, and asks the AEPD to "urge CECO to draw up an application form for the registration and deregistration of members application form for the registration and deregistration of members that complies with Spanish legislation on personal data protection and that personal data protection and image rights". A copy of the following documents is attached to the complaint: - As Annex 1, a copy of the application form for registration, bearing the ana- the applicant submits with his complaint a copy of the following documents: As Annex 1, a copy of the application form bearing the name of the association complained of, in which, under the heading "Solicitud de alta in CECO" "Document for the attention of the Secretary of the Association of Spanish Catholic Españoles Católicos (CECO)", includes spaces for the identification details of a person, in particular those relating to name, surname, NIF and the Diocese to which he/she belongs to which he or she belongs. Subsequently, the document indicates that the person thus identified "hereby requests to become a member of the association of the Spanish Catholic Association of the Blind (CECO). It goes on to say: "We then proceed to provide the necessary details for registration". Es- the details are: postal address, including town, province and postcode; date of birth; landline and mobile phone numbers the following details are given: postal address, including town, province and postcode; date of birth; telephone and mobile phone numbers; e-mail address; and the 'literacy system' and the 'reading and writing system'. (The underlining is from the AEPD) In a separate paragraph, it includes this legend: "The applicant of this registration applicant is aware that the data reflected in this registration will be manipulated by the association of the the Spanish Catholic Association of the Blind (CECO), which will be responsible for the is responsible for the correct use of the data". And it adds: "..., authorises the Spanish Catholic Association of the Blind (CECO) to be able to manipulate its image in any act that the association carries out and that is aware that this material (recordings, photos, videos...) will form part of the association's archive" the archives of the association". Below is the "Signature of the applicant". - As Annex II, a copy of the registration application form is provided, which the applicant has to fill in C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/14 the CECO member card was used in 2018. Under the heading "CECO membership card", the following data is collected: the Diocese of which you are a member; the dates of your membership the following data: the Diocese of which the member is a member; the dates of joining and leaving; the first and last names and cancellation; first name and surname; address, with an indication of the locality, province and zip code; landline and mobile phone numbers; ID card number; email address; date of birth; profession and disability of birth; the profession and the disability suffered by the person. This is followed by the following legend is included and below it the signature of the interested party is requested: "Data Protection the following legend is then included and below it the signature of the interested party is requested: "Data Protection. In compliance with the provisions of Organic Law 15/1999, it is hereby 15/1999, we inform you that the personal data obtained by filling in this form will be used for the purpose of form are going to be incorporated, for the purposes of data protection in an automated file. In accordance with the provisions of the organic Law, the interested party may exercise his/her rights of access, rectification, cancellation and opposition of the data obtained in this form at any time form at any time SECOND: In view of the complaint, the AEPD, in the framework of the file E/ 8567/2019, by letter dated 26/09/2019, forwarded it to the respondent and requested information on the facts denounced requested information on the facts denounced. The notification was made by by post. The document of the S.E. Correos y Telégrafos, S.A.E., "Proof of Delivery of delivery", which is on file, proves that the respondent received the notification on 01/10/2019 notification on 01/10/2019. On 09/10/2019, the AEPD received the respondent's reply, with which it attached nine documents attached nine documents. It declares that, as can be seen, "it has tried at all times to accommodate at all times to comply with what the legislation required in each case", which is why it was "necessary to draft a new that it has been "necessary to draw up a new application in accordance with the new regulation and to ask all members already registered with CECO to sign the new application'. The documents submitted are as follows: a.- As annex 1, the "CECO membership form", a document which was also provided by the a.- As Annex 1, the "CECO membership form", a document also provided by the claimant and described in the first antecedent, Annex II description of which is reproduced below. b.- As annex 2, a document is provided which the respondent identifies as "the new registration application form created after the approval of the Data Protection Act of 2018..." of 2018...". This document is the same as the one submitted by the claimant and which is described in the First Precedent as Annex I, a description of which is reproduced here reproduced here. c.- Annex 3 is the welcome letter that the Respondent states that it sends to new members new members. From this document, we transcribe the following paragraphs for their interest antepenultimate and penultimate paragraphs: "By filling in the registration form ...you gave us permission to manipulate your data, image, sound.. data, image, sound...all of which you can modify when you think it is convenient or when it is altered" you can modify it when you think it is convenient or it suffers any alteration". "When communicating with us, you have the following options at your disposal channels. E-mail: Secretaria@ceco.org.es. Corporate telephone..." d.- Annex 4 includes the consultation that the president of the association complained of addressed to the Legal Office of the AEPD in April 2019. The query was formulated in the C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/14 following terms, and there is no record in this Agency that with the aforementioned document the the respondent had sent the Legal Office of the AEPD any annexed document: "A natural person who does not sign the document allowing the association to be able to can he/she be a full member of the said association? e.- Annex 5 corresponds to the report issued by the AEPD in response to the respondent's query the respondent's query. f.- Identified as appendix 6 is the letter dated 21/06/2019 that the ***1 (...) addressed to the Board of Directors of the association complained of, setting out the irregularities the irregularities found in the form to be filled in by those who wish to be admitted as a member, to to be admitted as a member, in summary, the following: (i) the document does not expressly and (i) the document does not expressly and unequivocally inform of the existence of a data file or data processing or of the purpose of data collection (ii) the document does not guarantee the right of the member to access, rectify, cancel or oppose the processing of his or her data in accordance with the LOPD and the implementing regulations. (iii) the document does not state the identity and address of the data controller (iii) the identity and address of the data controller are not stated in the document. (iv) it does not inform you that, under no (iii) the document does not state the identity and address of the data controller consent of the owner of the data. (v) it does not establish a simple and free procedure for the member to revoke his or her (v) no simple and free procedure is established for the member to revoke consent. (vi) consent for the (vi) Consent to the processing of the image has to be given in a different document from the one in which the data subject consents to the processing of his or her personal data, by (vi) consent to the processing of personal data has to be given in a separate document from the one in which the member consents to the processing of his or her personal data, requesting authorisation in each case in each case. g.- Annex 7: Letter from ***CARGO.2 addressed to ***CARGO.1, in which he/she acknowledges that he/she has given his/her consent to the processing of his/her personal data receipt of your letter. h.- Annex 8 is the letter, dated 04/10/2019, addressed to ***CARGO.1 which, in response to the letter submitted on 21/06/2019, was sent to ***CARGO.1 by ***CARGO.1 in response to the letter submitted on 21/06/2019, sent by ***CARGO.2 in accordance with the resolutions adopted by the General the resolutions adopted by the General Meeting on 2 and 3 October 2019. In the letter states that "...following the consultation submitted ...to the Data Protection Agency, which was responded to on 8 May 2019, it can only be concluded that the CECO registration document is fully registration document in CECO is fully lawful as it is clearly indicated to us that: <<As a consequence, we that: << Consequently, the proposed processing of personal data shall be lawful in accordance with the provisions of paragraph 1 of this in accordance with the provisions of article 6.1b) of the RGPD, as it is an association and insofar as it is an association and insofar as each member enters in the legally required manner established by law>>". The respondent concludes in that letter that there can be no question of anomalies in CECO's registration document, since, it says, "the Data Protection Agency has declared the entire procedure Data Protection Agency has declared the entire procedure lawful". i.- The last document provided (annex 9) is "the new application form for registration" -that is, the model approved in 2019, which is the subject of this complaint - "completed and signed" complaint - "completed and signed by Mr A.A.A.". According to the explanations of the this document was handed over on behalf of the claimant by another member of the association on of the association on 28/04/2019. It further adds that the complainant is a member of CECO since 06/04/2018. THIRD: In view of the documentation in the possession of the AEPD, submitted by both the claimant and the respondent, in accordance with the provisions of article 65.5 of the AEPD both the claimant and the respondent, in accordance with the provisions of Article 65.5 of the Organic Law 3/2018 of Organic Law 3/2018, on Data Protection and the Guarantee of Data Protection Rights, and in accordance with the provisions of article 65.5 of the AEPD C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/14 (LOPDGDD), on 26/02/2020 it was agreed to admit this complaint for processing complaint. FOURTH: On 3 June 2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent for the Protection Agency agreed to initiate sanctioning proceedings against the respondent, for the alleged infringement of Article 13 of Regulation (EU) 2016/679 (the General Data Protection Regulation, hereinafter GDPR), hereinafter General Data Protection Regulation (hereinafter GDPR), typified in Article 83.5 of the aforementioned the aforementioned regulation. FIFTH: Having been notified of the initiation agreement, the respondent, on 11/06/2020, filed a written allegations stating the following: "FIRST: That CECO is a non-profit making association dedicated fundamentally to the spiritual and moral fundamentally to the spiritual and moral promotion of people with disabilities and moral promotion of the visually impaired, caring for blind people who are ill or in residential care. CECO since its constitution has dedicated its best efforts and will to the compliance with the regulations that may be applicable in different fields, including the protection of personal data, having carried out in good faith all the actions deemed necessary to safeguard actions it has considered necessary to safeguard the rights of its members and to comply with applicable members and to comply with the applicable regulations, having taken all the actions it considered necessary in good faith to safeguard the rights of its members and to comply with the applicable regulations the performance of this activity with means that have proved to be clearly insufficient and very limited insufficient and very limited. Proof of this, as the Resolution indicates, is the fact that the fact that the previous President of the association consulted the Legal Department of the Legal Office of the AEPD in April 2019, which was duly answered. SECOND.- That once it became aware of the complaint submitted, on 27 June 2019, at the Data Protection Agency by one of its associates, it addressed a reply to this members, addressed a reply to this body accrediting that said requests aimed at obtaining the requests aimed at obtaining data from its members had been modified so that their content was in that their content was in accordance with the new regulation, with the intention of sending to all members already registered with CECO authorisation for the processing of their personal data personal data. THIRD.- That notwithstanding the foregoing, the aforementioned letter was submitted to the Spanish Data Protection Agency Spanish Data Protection Agency, a consultation was carried out with a person specialised in such matters who who collaborated in the drafting of a new model of data protection of a new form designed to request the personal data of all those persons who wish to become a member of the express their wish to become a member of the association. FOURTH.- That on 3 December 2019, the new version of the said form was drafted in compliance with the provisions of article 13 of the RGPD was sent to all the members of the association coordinators of CECO in order to obtain their express consent both with regard to the processing of personal with regard to the processing of personal data and images images. Attached to this letter as Annex nº 1 is an e-mail sent by e-mail and as Annex nº 2 an e-mail sent by e-mail and as Annex nº 2, the model form that accompanies the aforementioned e-mail the aforementioned e-mail. FIFTH: That, once these new forms have been drawn up, any possible omission of the information detailed in the information detailed in article 13 of the RGPD and from which a breach of the aforementioned article 13 could derive non-compliance with the aforementioned article 13. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/14 SIXTH.- That, notwithstanding the foregoing, the Resolution received which initiates the sanctioning procedure mentions issues that have been considered relevant with a view to with a view to further increasing the transparency of the processing of the data requested from the members of the association members of the association: a) The validity of the particular legal transaction by virtue of which the status of member is acquired requires that the person who is to become a member knows and accepts the a) The validity of the particular legal transaction by virtue of which the status of member is acquired requires that the person who is to become a member knows and accepts the Statutes of the association of the association. Consequently, the processing of the personal data concerned will be lawful in accordance with the provisions of Article 6(1)(b) of the GDPR by association and to the extent that each member joins the organisation in the manner legally legally established in the organisation by accepting the corresponding statutes. (See page 8 of the Resolution). b) Inclusion of CECO's tax identification number. (c) Reference in the form itself to the consequences of non-authorisation by the applicant to the processing of his personal data. On the basis of the foregoing, a new form has been drawn up and is attached to this document as Annex nº 3, which will be used in the future. SEVENTH - That it recognises that the application form for registration, which is the object of the complaint complaint that initiated this sanctioning procedure did not provide all the information required by article 13 of the information required by article 13 of the RGPD, but that, as has been stated in the previous paragraphs, it did not provide all the information required by article 13 of the RGPD previous sections, this association has subsequently made considerable efforts to adapt it for the purposes of compliance efforts to adapt it to comply with each and every one of the requirements detailed in the aforementioned article in requirements detailed in the aforementioned article, and without prejudice to the additional the special circumstances of this entity are additionally taken into account, while at the same time making a broad interpretation of the entity, while at the same time making a broad interpretation of the criterion inspired by Recital 148 of the Recital 148 of the GDPR, according to which a sanction may be imposed of warning may be imposed when the imposition of a fine would constitute a disproportionate disproportionate burden that would undoubtedly lead to the termination of the association's activity with association with the consequent detriment to all its members. It is also stated in the recital that particular attention should nevertheless be paid to the nature, gravity and duration of the infringement nature, gravity and duration of the infringement, to its intentional character, to the measures taken to mitigate the measures taken to mitigate the damage suffered, the extent of the infringement, the degree of liability or any relevant previous infringement. ESTABLISHED FACTS FIRST: The complaint concerns the application form for the registration and deregistration of its members that CECO began using in 2019 of its members that CECO started to use in 2019, which, according to the complainant, member of the association, does not comply with the regulations on the protection of personal data personal data protection. The registration application form, to which the complainant refers, includes spaces for C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/14 the identification data of a person, in particular those relating to name, surname, first name, surname, ID number and diocese to which he/she belongs, NIF and the Diocese to which he or she belongs. Subsequently, the document states that the person so identified "hereby applies for membership as a member of the of the Spanish Catholic Association of the Blind (CECO). It goes on to say: 'The following the information required for registration is then provided'. These details are the address, including town, province and postcode; date of birth; landline and mobile phone numbers; date of birth; date of birth; date of birth; landline and mobile phone numbers date of birth; landline and mobile telephone numbers; e-mail address; and the "reading and writing system" literacy system'. (The underlining is from the AEPD) In a separate paragraph, it includes this legend: "The applicant for this registration, is aware that the data reflected in this that the data reflected in this inscription will be manipulated by the Spanish Catholic Blind spanish Catholic Association of the Blind (CECO), which is responsible for the correct use of the data" for the correct use of the same". And it adds: "..., authorises the Spanish Catholic Association of the Blind (CECO) to be able to to manipulate its image in any act that the association carries out and that it is aware that this material (Recordings) may be used by the association in any act that it carries out that this material (recordings, photos, videos...) will form part of the association's archive" association's archive". Below is the "Signature of the applicant". SECOND: The respondent submits, together with its allegations, the document of the application for registration in CECO, in which, after the collection of the personal data, information is information on the data controller; purpose; legitimisation; recipients of the data; rights that may be exercised, address to which to contact, adding the possibility of lodging a complaint with the AEPD. At the end of the document, consent is requested for the making and use of images, sound and video exclusively for the above-mentioned purposes and to be published in be published in: - The website and social media profiles of the Association. - Filming for the dissemination of the Association's activities. - Photographs for magazines or publications related to the Association. Next, there are two boxes, not pre-marked, with the options: I authorise/Do not authorise. LEGAL BASIS I By virtue of the powers that Article 58(2) of the GDPR recognises to each supervisory authority, and in accordance with the provisions of Articles 47 and 48(1) of the LOPDGDD, the Director authority, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure procedure. II Article 85, Termination of sanctioning procedures, of Law 39/2015, of 1 October, on the Common Administrative Procedure of the Public Administrations, establishes in its first Public Administrations, in its first section, establishes the following: C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/14 1. Once a sanctioning procedure has been initiated, if the offender acknowledges his or her responsibility, the procedure may be resolved with the imposition of the appropriate sanction. The respondent expressly states the following in its statement of allegations to the that it acknowledges that the application form for registration which is the subject of the complaint which complaint that initiated this sanctioning procedure did not provide all the information required by article 13 of the information required by article 13 of the RGPD, but that, as stated in the previous paragraphs, this association has previous sections, this association has subsequently made considerable efforts to adapt it for the purposes of compliance efforts to adapt it for the purpose of complying with each and every one of the requirements of article 13 of the GDPR requirements detailed in the aforementioned article" III Article 5 of the GDPR concerning the principles governing data processing personal data mentions among them the principle of transparency. Paragraph 1 of the provision stipulates: 'Personal data shall be the first paragraph of the provision stipulates: "Personal data shall be: (a) processed lawfully, fairly and transparently in relation to the data subject ('lawfulness, fairness and transparency')' ('lawfulness, fairness and transparency')" The principle of transparency is manifested by the obligation of data controllers to inform, in the terms and conditions of the processing of personal data, the data controller of the processing of personal data the principle of transparency is manifested in the obligation of data controllers to inform the data subject, in the terms of Article 13 of the GDPR, when personal data are processed by the data controller the data controller must inform the data subject when the personal data are obtained directly from the data subject: 1. Where personal data relating to a data subject are obtained from him or her, the controller shall, in accordance with Article 13 of the GDPR, inform the data controller where the data are obtained directly from the data subject: "1 1. Where personal data relating to him or her are obtained from a data subject, the controller shall, at the time the data are obtained, provide him or her with all of the following information: '1 information set out below: (a) the identity and contact details of the controller and, where applicable, of the data controller's representative; and (a) the identity and contact details of the controller and, where applicable, its representative (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended and the legal basis for the processing; (d) the purpose for which the personal data are processed and the legal basis for the processing; and (c) the purposes for which the personal data are processed and the legal basis for the processing; (d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a data protection officer, where applicable; (e) the purposes for which the personal data are processed and the legal basis for the processing; and (d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party; (e) the recipients or categories of recipients of the personal data, (e) the recipients or categories of recipients of the personal data, where applicable; (f) where applicable, the controller's intention to transfer personal data to a third country or international organisation and the existence or absence of a decision to do so; and (f) where applicable, the controller's intention to transfer personal data to a third country or an international organisation and the existence or absence of an adequacy (f) where applicable, the controller's intention to transfer personal data to a third country or an international organisation and the existence or absence of an adequacy decision of the Commission, or, in the case of transfers referred to in Articles 46 or 47 or in article 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards (1) second subparagraph, reference to adequate or appropriate safeguards and to the means for obtaining a copy of them or the fact that they have been given. 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the information referred to in paragraph 2 controller shall provide the data subject, at the time when the personal data are collected, with the following information necessary to ensure fair and lawful processing of the data the following information which is necessary to ensure fair and transparent data processing transparent: C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/14 (a) the period for which the personal data will be kept or, where that is not possible, the criteria used to possible, the criteria used to determine this period; (b) the existence of the right to request from the controller access to, and rectification or erasure of, or the right to request (b) the existence of the right to request from the controller access to personal data relating to the data subject, and their rectification or erasure or the restriction of processing, or (b) the existence of the right to request from the controller access to, and rectification or erasure of, or restriction of processing, or to object to the processing, as well as the right to (b) the existence of the right to request access to, and rectification or erasure of, or restriction of the processing of personal data relating to the data subject, or to object to the processing, as well as the right to data portability; (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a) or Article 9(2)(b); or (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw the consent at any time, without the right to (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the basic processing (d) the right to lodge a complaint (d) the right to lodge a complaint with a supervisory authority; (e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement for the (e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement for entering into a contract, and whether the data subject is obliged to provide the personal data and is informed of such (e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement for entering into a contract, and whether the data subject is obliged to provide the personal data and is informed of the possible consequences (e) whether the data subject is obliged to provide the personal data and is informed of the possible consequences of not providing such data; (f) the existence of automated decisions, including profiling, as referred to in Article 22(2) of this (f) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic applied (f) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic applied as well as the relevance and con the significance and expected sequences of such processing for the data subject. 3. Where the controller intends to further process personal data, the data controller shall provide the data subject with a meaningful explanation of the logic applied and the relevance and expected sequences of such processing for the data subject if the controller intends to further process the personal data for a purpose other than that for which they were collected, the controller shall provide the data subject, prior to such further processing, with information about that other purpose and about the other processing prior to such further processing, information on that other purpose and any other relevant information within the meaning of paragraph 2 any additional relevant information within the meaning of paragraph 2. 4. The provisions of paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already has access to such information the provisions of paragraphs 1, 2 and 3 shall not apply where and to the extent that the data subject already has the information Article 5(1)(a) of the GDPR sets out the principle of 'lawfulness, fairness and transparency', principle, which is further elaborated in Recital 39: "Any processing of personal data must be lawful and fair must be lawful and fair. For natural persons, it must be absolutely clear that it is personal data relating to them are being collected, used, consulted or otherwise processed, as well as that they are personal data relating to them are being collected, used, consulted or otherwise processed, as well as the extent to which such data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of such data should be easily processing of such data should be easily accessible and easy to understand, and that simple and clear language should be used and easy to understand, and that simple and clear language is used. This principle concerns in particular the information of data subjects on the identity of the controller and the purposes of the processing and additional purposes of the processing and additional information to ensure fair and transparent processing with regard to the natural persons concerned transparent with regard to the natural persons concerned and to their right to obtain confirmation and communication of the personal data they confirmation and communication of personal data relating to them which are the subject of processing are processed. Natural persons should be made aware of the risks, rules, safeguards and rights relating to the processing of personal data, and how to do so personal data, as well as how to assert their rights in relation to the processing processing. In particular, the specific purposes of the processing of personal data should must be explicit and legitimate, and must be determined at the time of collection. […]” For its part, Recital 60 links the duty of information to the principle of transparency, stating that "The principles of fair and transparent processing C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/14 require the data subject to be informed of the existence of the processing operation and its purposes its purposes. The controller should provide the data subject with such further information as is necessary to ensure fair and lawful processing additional information necessary to ensure fair and lawful processing of data transparent, having regard to the specific circumstances and context in which the personal data are processed personal data are processed. The data subject should also be informed of the profiling and of the consequences of such profiling. If personal data are if personal data are obtained from data subjects, they should also be informed whether they are obliged to provide them and the if personal data are obtained from data subjects, they should also be informed whether they are obliged to provide them and of the consequences if they do not do so [...]'. In this order, article 12(1) of the GDPR regulates the conditions for ensuring effective article 13 specifies what information must be provided when the data are obtained from the data subject data are obtained from the data subject. III The complaint we are examining concerns the compliance with data protection law of the form that the defendant has been using since 2019 to collect data on data subjects the complaint we are examining concerns the compliance with data protection regulations of the form that the defendant has been using since 2019 to collect the personal data of those who wish to join the association as members the personal data of those who wish to join the association as members. This document is on file in duplicate, provided by both the complainant and the respondent by both the complainant and the respondent. The respondent has stated that the form was approved by the complainant by its General Shareholders' Meeting in 2019 and that it was intended to comply with the new obligations of the LOPDGDD the respondent has stated that the form was approved by its General Meeting in 2019 and that it was intended to comply with the new obligations imposed by the LOPDGDD on those responsible for the processing of personal data tion of personal data. Obligations which, as has been indicated, are actually imposed by the GDPR the obligations which, as has been indicated, are actually imposed by the GDPR, Article 13. The document in question, which bears the name of "CECO Registration Application", is described in Fact one, Annex I, of this agreement the document in question, which is called "CECO Registration Application", is described in the first Fact, Annex I, of this agreement of initiation and is also referred to in the Second Fact, Annex II, of this agreement of initiation the document in question, which is called "CECO Registration Application", is described in Fact Two, paragraph b). According to the 2019 form drawn up and used by the Respondent, the person who requests ... to become a member of the Spanish Catholic Association of the Blind (CECO) and, further on, the document states: "...the necessary details for registration are given" the information required for registration". The document also asks for the following information the document collects, in addition to the first name, surname and ID number, the following personal data: the Diocese to which the data holder belongs the Diocese to which the holder of the data belongs; the postal address, with an indication of town, province and postcode; the date of the registration; the date of the registration; and the date of the registration cia and postcode; date of birth; landline and mobile telephone numbers; e-mail address; and the name and address of the person to whom the data belongs and the "reading and writing system". Thus, an examination of the form shows that, by means of the form, the respondent is indicating the wish of a natural person to become a the will of a natural person to join the association and, for this purpose, collects his or her personal data, collects his or her personal data. Declaration of will of the applicant, which is one of the of the elements that make up the special legal transaction by virtue of which the applicant acquires the status of associate. With regard to this issue - the acquisition of the status of member, with the exception of the founders of the association - the Constitutional Court has repeatedly stated of the founders of the association - the Constitutional Court has repeatedly expressed the following views that it is produced by "an act of integration that constitutes a special legal transaction whereby the new member, having previously accepted the association's the new member, having previously accepted the Statutes, the knowledge of which is obligatory and prior the Statutes, prior knowledge of which is mandatory, is integrated into the association" (STC 218/1988, 11 November 1988) november). The validity of this particular legal transaction by virtue of which the new member acquires C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/14 membership requires prior knowledge and acceptance of the Statutes of the Association by the person who is to become a member the association's statutes. This is exactly what the association complained of was informed in the report issued by the AEPD on 30/04/2019, which stated mada in the Report issued by the AEPD on 30/04/2019, which stated: <<As a result, the processing of the personal data in question will be lawful in accordance with the provisions of paragraph 1 of this article accordingly, the processing of personal data in question will be lawful in accordance with the provisions of Article 6(1)(b) of the GDPR, as it is an association, and insofar as the association, and insofar as each member joins the organisation in the legally established manner, accepting the terms and conditions of the legally established in the organisation by accepting the corresponding statutes>>>> Article 13 of the GDPR provides that when personal data are collected from a data subject - which is the case through the data subject - which is the case through the CECO form or document that is the object of the the data controller is obliged, at that precise moment, that is, when it obtains them, to inform the data subject. This information covers various issues detailed in Article 13 of the GDPR. The CECO document we have examined should have included all the information required by the provision the CECO document we examined should have included all the information required by the provision. However, only the name of the company is provided and its acronym, and this paragraph: "The applicant for this registration, is aware that the data reflected in this registration will be manipulated by the the applicant for this registration is aware that the data reflected in this registration will be manipulated by the association ciación de Ciegos Españoles Católicos (CECO), which is responsible for the correct use of the data" use of the same". The respondent, in its capacity as data controller, in accordance with Article 13 of the GDPR, was obliged to include the following information RGPD was obliged to include in the form by means of which it collected the data from third parties various third parties various information which it has totally and utterly dispensed with. In particular, it is obliged in particular, it is obliged to provide information on the purposes of the processing for which the personal data collected will be used personal data collected. Nor does it provide information, as it was obliged to do, on the legal basis for the processing of the personal data collected the legal basis of the processing; nor of the recipients of the personal data; of the period of time for which it will keep the personal data; or, in particular, of the purposes for which the personal data will be processed the period for which it will keep the personal data or, if it is not possible to establish a period, on the criteria used to determine it the criteria used to determine it. It omits the fact that the data subject has the right to request the controller to the right to request from the controller access to his or her data, rectification, erasure, restriction of access to his or her data, rectification, erasure, restriction of access to his or her data, and the Commission has not established a time-limit, as it is not possible to establish a time-limit for the criteria used to determine the time-limit of the data. Nor does it provide information on the right to lodge a complaint with the supervisory authority. It does not inform whether automated decisions as referred to in Article 22(2) of the referred to in Article 22(1) and (4) of the GDPR, including the compilation of personal data, and, if so, on the logic applied and on the relevance and files, and, if so, on the logic applied and on the significance and expected consequences of such processing for the data subject of such processing for the data subject. In short, the registration application form that the Respondent has used from 2019 until its modification following the receipt of this complaint, to collect personal data did not provide the information required by Article 13 of the GDPR GDPR. The form used violated Article 13 of the GDPR conduct that is subsumi- ble under Article 83(5) of the GDPR, which provides: "Infringements of the following provisions shall be shall be punishable in accordance with paragraph 2 by administrative fines of EUR 20 000 000 20,000,000 Eur or, in the case of an undertaking, an amount not exceeding 20,000,000 or, in the case of an undertaking, an amount equivalent to a maximum of 4% of the total annual aggregate turnover for the preceding financial year, whichever is the greater the higher of the two amounts shall be applicable: a) (...) (b) the rights of the interested parties in accordance with Articles 12 to 22;" C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/14 For the mere purposes of the statute of limitations, Article 72.1.h) of the LOPDGDD classifies as very serious omission of the duty to inform the data subject about the processing of his or her personal data" data in accordance with the provisions of Articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this Organic Law". The statute of limitations period for very serious infringements provided for in the Organic Law 3.2.2 the statute of limitations period for very serious infringements provided for in Organic Law 3/2018 is three years. IV Article 58(2) of the GDPR states: "Each supervisory authority shall have all of the following corrective powers listed below: a) (..) (b) to sanction any controller or processor by means of a warning (b) sanction any controller or processor with a warning where the processing operations have infringed the provisions of this Regulation Regulation; c)... (d) order the controller or processor to ensure that processing operations are carried out in compliance with the provisions of this Regulation (d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where applicable, in a specified manner and within a specified period of time; (...) (i) to impose an administrative fine in accordance with Article 83, in addition to or instead of (i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of (i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, according to the circumstances of each individual case. In the present case, in view of the special circumstances of the entity responsible for the infringement and the entity responsible for the infringement, and taking a broad interpretation of the criterion recital 148 of the GDPR, according to which, when the fine that is likely to be imposed on the infringing entity is the fine likely to be imposed would constitute a disproportionate burden, it is appropriate to impose the sanction of a warning for the infringement of Article 13 of the GDPR, resulting from the collection of data using the model of the the collection of data using the 2019 model, which did not include the information provided for in that article information provided for in that article. V The Respondent encloses, together with its allegations, the new data protection clause included in the application for membership in the association the defendant encloses the new data protection clause included in the application for membership of the association with its allegations. The in- the information provided therein includes all the sections set out in Article 13 of the aforementioned GDPR article 13 of the GDPR referred to above. Likewise, and at the end of the registration form, it includes a specific section to obtain the applicant's consent to process his/her image the applicant's consent to process his or her image. In this case, the legal basis the legal basis for the processing of the image of the person applying for membership of the association does not derive from his or her membership of the association - i.e. from his or her the legal basis for processing the image of the person applying for membership of the association does not derive from his or her membership of the association - that is, from Article 6(1)(b) of the The GDPR - but from the consent given for that specific purpose (Article 6(1)(a) of the GDPR) of the GDPR). The GDPR (Article 3(11)) defines the data subject's consent as 'any manifestation of his or her consent' C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/14 the data subject's freely given, specific, informed and unambiguous indication of his or her consent, either by declaration or by by which the data subject accepts, either by a statement or by a clear affirmative action, the processing of personal data concerning him or her" and in its Article 7 it of personal data concerning him or her' and in its Article 7 it details the conditions under which the data subject may consent to the processing of personal data concerning him or her consent must meet in order to be valid. Among them, point 2 of the precept reads: "If the data subject's consent is given in the context of a written declaration which also relates to other matters, the request for consent shall be submitted in the context of a written declaration which also relates to other matters if the data subject's consent is given in the context of a written declaration which also relates to other matters, the request for consent shall be presented in such a way that it is clearly distinguishable from the other matters clearly distinguishable from the other matters, in an intelligible and easily accessible form, and using language which is and easily accessible and using clear and plain language. No part of the declaration shall be binding part of the declaration which constitutes a breach of this Regulation shall not be binding. In this respect, Recital (43) of the GDPR may be referred to, which states reads: “(...). Consent is presumed not to have been freely given where it is not consent is presumed not to have been freely given when it does not allow separate authorisation of the different processing operations of personal data despite being appropriate in the specific case, or when the performance of a specific the consent is presumed not to have been freely given when it does not allow separate authorisation of the different personal data processing operations despite being appropriate in the specific case, or when the performance of a contract contract, including the provision of a service, is dependent on consent, (The underlining is that of the AEPD) AEPD) CECO's old form accompanying the complaint "did not allow" the applicant to the old CECO form accompanying the complaint "did not allow" those who applied for membership of the association and provided their personal data for this purpose the old CECO form accompanying the complaint 'did not allow' those applying for membership of the association and providing their personal data for that purpose 'to refuse the processing of their image', as both statements had a joint signature joint signature While the association is entitled to process the member's personal data under the terms of the association's statutes the terms laid down in the association's statutes - statutes which the applicant has to know and accept beforehand -, the legal basis for the processing being the development the legal basis for the processing being the development of that particular legal business in the context of the the legal basis for the processing is the development of that particular legal transaction by virtue of which the member joins the association the association expressly requests the consent of the data subject for the processing of his or her image the association expressly requests the consent of the data subject for the processing of the image. These are two independent declarations of will which must be considered separately this means that each of them must be able to be given or withheld independently of the other, without being linked to each other independently, without linking one to the other. Transposed to the case under consideration, each of these declarations of will must be capable of being granted or withheld independently of the other in the case at hand, each of these declarations must necessarily have its own signature in addition, each of these declarations must necessarily have its own signature. On the other hand, with regard to the processing of the image for which consent is sought, each of these declarations must necessarily have its own signature in addition, with regard to the processing of the image for which consent is sought in the last stipulation of the form, it should be noted that the information required by Article 13 of the form must also be provided the information required by Article 13 GDPR for this particular processing must also be provided. Any processing of images of members carried out by CECO on the basis of a purported consent of the member on the basis of a purported consent of the data subject obtained through the form examined, as such consent is the processing of the image would constitute a breach of Article 7(1) of the GDPR in so far as such consent would be invalid, the processing of the image would constitute a breach of Article 6(1)(a), in conjunction with Article 7(2), of the GDPR. At present, in the registration form of the association complained of, separate information is provided in the form of the association in question the registration form of the association in question now provides separate information on the processing of data as a member of the association and requests express consent, by means of boxes without express consent is requested, by means of unticked boxes, for the processing of the members' image image of the members. VI C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/14 The Respondent infringed Article 13 of the GDPR as the form through which the data were collected from the natural persons requesting to be included in the application for access to the data were collected by the Respondent the respondent infringed Article 13 of the GDPR because the form on which the application data of natural persons to become members of the CECO association was collected did not provide the information required by that provision cECO association did not provide the information required by that provision position. This conduct is criminalised in Article 83(5)(b) of the GDPR. It is therefore this conduct is sanctioned with a warning. However, the association in question, having become aware of the complaint and the reasons for it, has modified the registration form for the association's members, informing the complaint, has modified the registration form for members of the association, informing them of all the requirements of article 13 of the GDPR all that is required by Article 13 of the GDPR, and has included the separate application of consent to the processing of the image. Therefore, no corrective measures are required corrective measures are not required. Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the penalties for which it has been established, it is the existence of the sanctions which have been accredited, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO IMPOSE on ASOCIACIÓN DE CIEGOS ESPAÑOLES CATÓLICOS OR- GANIZADOS, with NIF R5000907E, for an infringement of Article 13 of the RGPD, as defined in Article 83.5.b) of the RGPD, a sanction of a warning. SECOND: TO NOTIFY this resolution to ASOCIACIÓN DE CIEGOS ESPA- ÑOLES CATÓLICOS ORGANIZADOS. Pursuant to the provisions of Article 50 of the LOPDGDD, the present Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to administrative proceedings in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 48.6 of the LOPDGDD LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge an appeal, at their own discretion, against this resolution rested may lodge an appeal for reconsideration with the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this the day following the notification of this decision or directly lodge a contentious-administrative appeal with the administrative appeal before the Contentious-Administrative Chamber of the Audiencia Nacional, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1995 nal cuarta de la Ley 29/1998, de 13 de julio, reguladora de la Jurisdicción Contencioso-Administrativa, en arreglo en el dispuesto en el artículo 25 y en el apartado 5 de la disposición adicio administrative jurisdiction, within two months of the day following notification of the decision this action may be brought within two months of the day following notification of this act, in accordance with the provisions of Article 46.1 of the aforementioned Law. Finally, it should be noted that, in accordance with the provisions of article 90.3 a) of the LPACAP, a precautionary suspension may be finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative decision may be suspended as a precautionary measure if the interested party states its intention to finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative decision may be suspended as a precautionary measure if the interested party declares its intention to file an administrative appeal. If this is the case If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [Re- the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in this through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. The documentation must also be sent to the Agency accrediting the effective filing of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within a period of two months as from the following date of notification of the administrative appeal within a period of two months from the day following the notification of the present resolution, it will the precautionary suspension shall be deemed to be terminated. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/14 938-131120 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es