AEPD - PS/00326/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 37(1)(a) GDPR Artcile 34(1) LOPDGDD Artcile 34(3) LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 11.11.2020 |
Published: | 25.11.2020 |
Fine: | None |
Parties: | Ayuntamiento de Mejorada del Campo |
National Case Number/Name: | PS/00326/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) held that a municipal council (Ayuntamiento de Mejorada del Campo) was in violation of Article 37(1)(a) GDPR as it did not designate a data protection officer despite being a public authority which processes personal data.
English Summary
Facts
The complainant filed a complaint before the Spanish DPA because the municipal council in question, "Ayuntamineto de Mejorada del Campo" does not have a data protection officer.
Ayuntamiento de Mejorada del Campo did not contest the facts.
Dispute
Does the absence of a data protection officer in a municipal council implicate a violation of Article 37(1)(a) GDPR?
Holding
The Spanish DPA (AEPD) held that public authorities such as the municipal council in question often act as data controllers. They must therefore abide by the principle of accountability and have other obligations under the GDPR.
The Spanish DPA held that one of those obligations consists in naming a data protection officer (DPO) and to notify the Spanish DPA of his existence. This is an obligation imposed on public authorities under Article 37(1) GDPR. This obligation is also within Article 34(1) and (3) of the Spanish data protection law (LOPDGDD).
The Spanish DPA therefore imposed a warning sanction on Ayuntamiento de Mejorada del Campo for a violation of Article 37(1) GDPR and asked the council to designate a DPO within a month.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/5 Procedure Nº: PS / 00326/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) dated May 4, 2020 filed a claim with the Spanish Agency for Data Protection. The claim is directed against CITY COUNCIL OF IMPROVEMENT OF THE FIELD with NIF P2808400B (hereinafter, the claimed one). The reasons on which the claim is based are that the aforementioned city council lacks a data protection officer. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), with reference number E / 04008/2020, a transfer of said claim to the defendant, on June 7, 2020, to proceed with its analysis and inform this Agency within a month, of the actions taken carried out to comply with the requirements provided in the data protection regulations. THIRD: On September 30, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged infringement of article 37 of the RGPD, typified in article 83.4 of the RGPD. FOURTH: On October 8, 2020, the agreement to initiate this procedure, becoming the same proposal for resolution of conformity with articles 64.2.f) and 85 of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations (LPACAP), by not carrying out allegations within the indicated period. In view of all the actions, by the Spanish Protection Agency of Data in this procedure the following are considered proven facts, ACTS FIRST: The claimed City Council lacks a Delegate for the Protection of Data. SECOND: the defendant has not presented any allegation. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/5 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of The Spanish Agency for Data Protection is competent to resolve this process. II The public administrations act as data controllers of personal character and, on some occasions, they perform functions of managers treatment, for what corresponds to them, following the principle of responsibility proactively, meet the obligations that the RGPD details, among which is included, the Obligation to appoint a data protection officer and communicate it to this AEPD The obligation is imposed by article 37 of the RGPD, which indicates: "1. The person in charge and the person in charge of the treatment will designate a delegate of data protection provided that: a) the treatment is carried out by a public authority or body, except those courts that act in the exercise of their judicial function; " Article 37.3 and 4 of the RGPD indicates on the designation of the DPD “When the responsible or the person in charge of the treatment is an authority or public body, may designate a single data protection officer for several of these authorities or bodies, taking into account their organizational structure and size. 4. In cases other than those contemplated in section 1, the controller or the in charge of the treatment or the associations and other bodies that represent categories of managers or managers may designate a protection delegate data or must designate it if required by Union or State law members. The data protection officer may act on their behalf associations and other organizations that represent managers or managers. " The LOPDGDD determines in its article 34.1 and 3: ”Appointment of a delegate of Data Protection " 1. Those responsible and in charge of the treatment must designate a delegate of data protection in the cases provided for in article 37.1 of the Regulation (EU) 2016/679 and, in any case, in the case of the following entities: 3. Those responsible and in charge of the treatment will communicate within ten days to the Spanish Data Protection Agency or, where appropriate, to the authorities autonomic data protection, appointments, appointments and terminations of the data protection delegates both in the cases in which they are obligated to their appointment as in the case in which it is voluntary. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/5 The infringement is considered as such in article 83.4.a of the RGPD which states: ”4. The Infractions of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a 39, 42 and 43; " Article 83.7 of the RGPD indicates: “Without prejudice to the corrective powers of the control authorities by virtue of the Article 58 (2), each Member State may lay down rules on whether can, and to what extent, impose administrative fines on authorities and bodies public establishments established in said Member State " Article 58.2 of the RGPD indicates: "Each control authority will have all the following corrective powers listed below: b) sanction any person responsible or in charge of the treatment with warning when the treatment operations have infringed the provisions of this Regulation; d) order the person in charge of the treatment that the operations of treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified period ”. In this sense, article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates: 1. The regime established in this article shall apply to the treatments of those who are responsible or in charge: c) The General Administration of the State, the Administrations of the Communities autonomous entities and the entities that make up the Local Administration. 2 “When the managers or managers listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this law organic, the competent data protection authority will dictate resolution sanctioning them with warning. The resolution will establish Likewise, the measures to be adopted to stop the conduct or to correct the effects of the offense that had been committed. The resolution will be notified to the person in charge of the treatment, the body of the that depends hierarchically, where appropriate, and those affected who had the condition interested party, if applicable. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/5 4.The resolutions that fall in relation to the measures and actions referred to in the sections previous. 5 will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. " III Article 73 of the LOPDDG indicates: "Violations considered serious "Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: " v) Failure to comply with the obligation to appoint a data protection officer when their appointment is required in accordance with article 37 of the Regulations (EU) 2016/679 and article 34 of this organic law. " Therefore, in accordance with the applicable legislation and the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE THE COUNCIL OF IMPROVEMENT OF THE FIELD with NIF P2808400B, for a violation of article 37.1 of the RGPD, in accordance with article 83.4 of the RGPD, a warning sanction. SECOND: REQUIRE the claimed party to accredit within one month before this body the fulfillment of designating a Delegate for the Protection of Data, in accordance with article 37.1 of the RGPD. THIRD: COMMUNICATE this resolution to the Ombudsman, of in accordance with the provisions of article 77.5 of the LOPDGDD. FOURTH: NOTIFY the present resolution to the IMPROVEMENT CITY COUNCIL FROM THE FIELD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/5 the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es