| AEPD - PS/00389/2019 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5 GDPR, Article 32 GDPR, Article 33 GDPR, Article 34 GDPR, Article 58(2) GDPR, Article 83 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | None |
| Parties: | POLICIA LOCAL del AYUNTAMIENTO DE BADAJOZ (complainant); SERVICIO AJENO DE PREVENCION LABORAL EXTREMEÑA, S.L. (respondent) |
| National Case Number/Name: | PS/00389/2019 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | Agencia Española de Protección de Datos (in ES) |
| Initial Contributor: | Silvia López Arnao |
The Spanish DPA found that leaving medical examination reports of a client company's workers scattered in plain sight on a public street breached the principle of integrity and confidentiality and the security obligations under the GDPR. The respondent, an external occupational risk prevention service, received a warning and was ordered to certify the measures adopted.
English Summary
Facts
The Local Police of Badajoz City Council filed a complaint with the Spanish DPA against the respondent, an external occupational risk prevention service, after finding medical examination reports concerning workers of one of the respondent's client companies scattered on the street next to one of the respondent's vehicles. The respondent replied neither to the DPA's requests for information nor to the agreement to initiate sanctioning proceedings.
Dispute
Does leaving employees' medical examination reports in plain sight on a public street comply with Article 32 GDPR, and did the respondent meet its breach notification and communication duties under Articles 33 and 34 GDPR?
Holding
The Spanish DPA found the respondent liable for not having taken decisions aimed at effectively implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to guarantee the confidentiality of the data (Article 32(1) GDPR). It also found that the respondent had neither notified the breach to the AEPD (Article 33 GDPR) nor communicated it to the data subjects (Article 34 GDPR), and had not replied to any of the AEPD's requests. Using its corrective power under Article 58(2)(b) GDPR, the DPA issued a warning instead of a fine and required the respondent to certify, within one month, the security measures adopted and the procedures implemented for breach notification and breach communication.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
DECISION ON SANCTIONING PROCEEDINGS

In the procedure instructed by the Spanish Data Protection Agency, and on the basis of the following

BACKGROUND

FIRST: On 23/04/2019 the LOCAL POLICE of BADAJOZ CITY COUNCIL submitted a complaint against SERVICIO AJENO DE PREVENCIÓN LABORAL EXTREMEÑA, S.L. (hereinafter the respondent) for an alleged infringement of the personal data protection regulations, having found medical examination reports dated 02/12/2010, relating to workers of the company Aguas del Suroeste, S.L., scattered on the ground next to a vehicle of the company Servicio Ajeno de Prevención Laboral Extremeña, S.L.

SECOND: Upon receipt of the complaint, the Subdirectorate General of Data Inspection carried out the following actions:

On 18/05/2019, reiterated on 30/05/2019, the complaint was transferred to the respondent for analysis and for communication to the complainant of the decision adopted in this regard. The respondent was also required to submit the following information to the Agency within one month:

- A copy of the communications and of the decision taken that it had sent to the complainant regarding the transfer of this complaint, and proof that the complainant had been notified of that decision.
- A report on the causes of the incident that gave rise to the complaint.
- A report on the measures taken to prevent similar incidents.
- Any other information it considered relevant.

On the same date, the complainant was informed of the receipt of the complaint and of its transfer to the respondent.

On 22/10/2019, in accordance with Article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit for processing the complaint filed by the complainant against the respondent.

THIRD: On 24/02/2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent for the alleged infringement of Articles 32(1), 33 and 34 GDPR, sanctioned under Article 83(4)(a) GDPR, considering that the applicable sanction could be a warning.

FOURTH: Having been notified of the agreement of initiation, the respondent has not, as of the date of this resolution, submitted any written representations. Article 64 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations therefore applies; its paragraph 2(f) provides that, where no representations are made within the prescribed period on the content of the agreement of initiation, that agreement may be considered the proposal for resolution when it contains a precise statement of the liability charged.

FIFTH: From the actions carried out in this procedure, the following have been established:

PROVEN FACTS

FIRST: On 23/04/2019 the LOCAL POLICE of BADAJOZ CITY COUNCIL gave notice of its complaint report against SERVICIO AJENO DE PREVENCIÓN LABORAL EXTREMEÑA, S.L. (hereinafter the respondent) for an alleged infringement of the personal data protection regulations, having found medical examination reports relating to employees of Aguas del Suroeste, S.L. scattered on the ground next to a vehicle of the company Servicio Ajeno de Prevención Laboral Extremeña, S.L.

SECOND: A copy of Badajoz City Council Local Police report no. 10735 has been provided, which states: "Scattered on the ground, next to a vehicle of the company Servicio Ajeno de Prevención Laboral Extremeña, S.L., are medical examination reports dated 02/12/10", and continues: "The above-mentioned medical reports relate to workers of the company Aguas del Suroeste, S.L. Photocopies are attached". As a precautionary measure, the police state: "These reports are removed from the public road".

THIRD: Copies are attached of the "Periodic ordinary medical examination reports" performed in the Occupational Medicine Area of the Prevention Service on 2 December 2010, concerning two workers of the company Aguas del Suroeste, S.L.

FOURTH: The respondent has not responded to any of the requests made by the AEPD, nor has it made any representations on the agreement to initiate the sanctioning procedure.

LEGAL GROUNDS

I

By virtue of the powers that Article 58(2) GDPR confers on each supervisory authority, and in accordance with Article 47 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

Article 64 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, "Agreement of initiation in procedures of a sanctioning nature", provides:

"1. The agreement of initiation shall be communicated to the instructor of the procedure, with transfer of any actions taken in this respect, and shall be notified to the interested parties, in any case the accused. The complainant shall also be informed of the initiation of the procedure where the rules governing the procedure so provide.

2. The agreement of initiation shall contain at least:

(a) Identification of the person or persons alleged to be responsible.

(b) The facts giving rise to the initiation of the procedure, their possible qualification and the penalties that may apply, without prejudice to what results from the investigation.

(c) Identification of the instructor and, where appropriate, the secretary of the procedure, with express indication of the rules for their recusal.

(d) The body competent to resolve the procedure and the rule that attributes such competence to it, indicating the possibility that the alleged perpetrator may voluntarily acknowledge its liability, with the effects provided for in Article 85.

(e) Provisional measures agreed by the body competent to initiate the sanctioning procedure, without prejudice to those that may be adopted during the procedure in accordance with Article 56.

(f) Indication of the right to make representations and to be heard in the procedure and of the time limits for exercising it, as well as an indication that, if no representations are made on the content of the agreement of initiation within the time limit, it may be considered the proposal for resolution when it contains a precise statement of the liability charged.

3. Exceptionally, when at the time of issuing the agreement of initiation there are insufficient elements for the initial qualification of the facts giving rise to the opening of the procedure, such qualification may be made at a later stage by drawing up a statement of objections, which shall be notified to the interested parties."

In application of the above provision, and taking into account that no representations have been made, the agreement of initiation is considered the proposal for resolution.
III

Article 58 GDPR, "Powers", states: "2. Each supervisory authority shall have all of the following corrective powers: (…) (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; (…)"

Article 5 GDPR sets out the principles that must govern the processing of personal data and lists among them that of "integrity and confidentiality". The article states: "1. Personal data shall be: (…) (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')".

In turn, the security of personal data is regulated in Articles 32, 33 and 34 GDPR.

Article 32 GDPR, "Security of processing", states:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."

Article 33 GDPR, "Notification of a personal data breach to the supervisory authority", states:

"1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article."

And Article 34, "Communication of a personal data breach to the data subject", establishes:

"1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met."

IV

In this case, it is established that on 23/04/2019 the LOCAL POLICE of BADAJOZ CITY COUNCIL provided a copy of its complaint report against the respondent, which shows that the personal data protection regulations were infringed when medical examination reports relating to employees of the company Aguas del Suroeste, S.L., containing sensitive and specially protected data, were found scattered on the public road next to a vehicle owned by the respondent, the police proceeding to remove them from the public road as a precautionary measure.
On the other hand, the respondent's lack of sensitivity to the facts described is evident, since it did not even reply to the AEPD's requests for information, nor did it submit written representations to the agreement to initiate sanctioning proceedings; and this from an entity whose purpose is precisely to promote the safety and health of workers by carrying out the activities necessary and appropriate for the prevention of occupational risks.

It should be noted that the GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

From the documentation in the file there are clear indications that the respondent has infringed Article 32 GDPR, a security breach having occurred in its systems by allowing and providing access to data contained in medical examination reports dated 02/12/2010 relating to workers of the company Aguas del Suroeste, which were found scattered on the ground.

Article 32 GDPR does not lay down a list of the security measures applicable according to the data being processed; rather, it provides that the controller and the processor shall implement technical and organisational measures appropriate to the risk of the processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of the data subjects.

Security measures must also be adequate and proportionate to the risk identified, and in determining the technical and organisational measures the following must be taken into account: pseudonymisation and encryption; the ability to ensure confidentiality, integrity, availability and resilience; the ability to restore the availability of and access to data after an incident; and a process of verification (not audit), assessment and evaluation of the effectiveness of the measures. In any case, when assessing the appropriate level of security, particular account must be taken of the risks presented by the processing, such as those resulting from the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data, which may cause physical, material or non-material damage.

In the same sense, recital 83 GDPR states: "(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage."

As noted above, in the context of investigation ***EXPEDIENTE.1 the AEPD transferred the complaint to the respondent on 18/05/2019 and on 30/05/2019 for analysis, requesting the provision of information related to the reported incident, without receiving any response whatsoever from that entity.

The liability of the respondent is determined by the security breach reported by the Local Police of the City of Badajoz, since it is the respondent that is responsible for taking decisions aimed at effectively implementing appropriate technical and organisational measures to ensure a level of security that guarantees the confidentiality of the data, restores their availability and prevents access to them in the event of a physical or technical incident. However, it is clear from the documentation provided that the entity has not only failed to fulfil this obligation, but there is also no record of its having adopted any measure in this respect, despite having been given notice of the complaint filed.

Article 33 GDPR also regulates the notification, to the competent supervisory authority, which in the case of Spain is the AEPD, of security breaches that may pose a risk to the rights and freedoms of natural persons. Therefore, whenever a breach affects personal data of natural persons it must be communicated to the AEPD and, in addition, it must be notified within 72 hours of becoming aware of the breach.

Finally, it should be added that, having been informed of the security incident, the respondent is not known to have taken any measure to remedy it once it became aware of it. Nor is there any evidence that, in accordance with Article 34, it informed the persons concerned of the personal data breach without undue delay once it became aware of it.
In accordance with the above, the respondent would be liable for the following infringements of the GDPR: infringement of Articles 32, 33 and 34, all of them typified in Article 83(4)(a).

V

Infringements of Articles 32, 33 and 34 GDPR are typified in Article 83(4)(a) GDPR in the following terms: "4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (…)"

Article 71 of the LOPDGDD, "Infringements", states: "The acts and conduct referred to in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those contrary to this Organic Law, constitute infringements."

And Article 73, for the purposes of limitation periods, qualifies as "Infringements considered serious": "In accordance with Article 83(4) of Regulation (EU) 2016/679, the infringements that involve a substantial breach of the articles mentioned therein are considered serious and are subject to a two-year limitation period, and in particular the following: (…) (g) Breach, as a result of lack of due diligence, of the technical and organisational measures implemented in accordance with what is required by Article 32(1) of Regulation (EU) 2016/679. (…) (r) Failure to notify the data protection authority of a personal data breach in accordance with Article 33 of Regulation (EU) 2016/679. (s) Failure to comply with the duty to inform the data subject of a personal data breach in accordance with Article 34 of Regulation (EU) 2016/679 where the controller had been required by the data protection authority to make such communication."

The facts set out in the complaint consist of the existence of a security breach in the respondent's systems, which were left exposed by allowing reports dated 02/12/2010 concerning medical examinations of workers of the company Aguas del Suroeste to be scattered on the public road, thereby allowing access to the data they contain. All of this constitutes a personal data breach, which amounts to an infringement of Articles 32(1), 33 and 34 GDPR.

VI

Nevertheless, Article 58(2) GDPR provides: "Each supervisory authority shall have all of the following corrective powers: (…) (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; (…)"

The GDPR, without prejudice to Article 83, thus provides in Article 58(2)(b) for the possibility of using a warning (apercibimiento) to correct processing of personal data that does not comply with its provisions.

In the present case it has been established that the respondent has not implemented technical and organisational measures ensuring a level of security capable of guaranteeing the confidentiality, integrity and availability of the data and access to them; appropriate measures for notification in the event of a personal data breach; or a procedure for the case in which a personal data breach entails a high risk to the rights and freedoms of natural persons.

VII

The respondent has not replied to the information request made by the Inspection Service. At this point it must be pointed out that failing to respond to the Agency's requests may constitute a very serious infringement under Article 72 of the LOPDGDD, which provides: "1. In accordance with Article 83(5) of Regulation (EU) 2016/679, the infringements that involve a substantial breach of the articles mentioned therein are considered very serious and are subject to a three-year limitation period, and in particular the following: (…) (ñ) Failure to provide the staff of the competent data protection authority with access to the personal data, information, premises, equipment and means of processing required by the data protection authority for the exercise of its investigative powers. (o) Resistance or obstruction to the exercise of the inspection function by the competent data protection authority. (…)"

Likewise, once notified of the agreement of initiation and the period granted for making representations having expired, it submitted no written statement.

As stated above, it is established that the respondent does not have technical and organisational measures in place ensuring an adequate level of security capable of guaranteeing the confidentiality, integrity and availability of the data and preventing their access, loss, etc.; appropriate measures for notification in the event of a personal data breach; or a procedure in place for the case in which a personal data breach entails a risk to the rights and freedoms of natural persons.

It must be pointed out that, if these incidents are not corrected by adopting the appropriate technical and organisational measures, adapting them to Articles 32(1), 33 and 34 GDPR, or if the conduct set out in the complaint that gave rise to these proceedings is repeated, or if this Agency is not informed of the measures adopted, the Agency could exercise its powers against the controller to ensure the effective application of the appropriate measures so as to guarantee and not compromise the confidentiality of personal data and the right to privacy of individuals.

Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been established, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on SERVICIO AJENO DE PREVENCIÓN LABORAL EXTREMEÑA, S.L., with NIF B06307748, for infringement of Articles 32(1), 33 and 34 GDPR, typified under Article 83(4)(a) GDPR, a sanction of warning.

SECOND: TO REQUIRE SERVICIO AJENO DE PREVENCIÓN LABORAL EXTREMEÑA, S.L., with NIF B06307748, to certify within one month of notification of this resolution: the adoption of the security measures necessary and relevant under the personal data protection regulations in order to prevent the recurrence of incidents such as those that gave rise to the complaint, correcting the effects of the access to data and adapting those measures to the requirements of Article 32(1) GDPR; the measures adopted for notification in the event of a personal data breach in accordance with Article 33 GDPR; and the procedure implemented for the case in which a personal data breach entails a high risk to the rights and freedoms of natural persons, in accordance with Article 34 GDPR.

THIRD: TO NOTIFY this resolution to SERVICIO AJENO DE PREVENCIÓN LABORAL EXTREMEÑA, S.L., with NIF B06307748.

In accordance with Article 50 of the LOPDGDD, this Resolution shall be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure pursuant to Article 48(6) of the LOPDGDD, and in accordance with Article 123 of the LPACAP, the interested parties may optionally lodge an appeal for reconsideration (recurso de reposición) with the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of that Law.

Finally, it is pointed out that, in accordance with Article 90(3)(a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party states its intention to lodge a contentious-administrative appeal. In that case, the interested party must formally communicate this by writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/] or through one of the other registers provided for in Article 16(4) of the aforementioned Law 39/2015, of 1 October. It must also send the Agency the documentation proving the effective lodging of the contentious-administrative appeal. If the Agency is not made aware of the lodging of the contentious-administrative appeal within two months of the day following notification of this resolution, the precautionary suspension shall be terminated.

Mar España Martí
Director of the Spanish Data Protection Agency