AEPD - PS-00449-2019

From GDPRhub
AEPD - PS-00449-2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(b) GDPR
Article 83(2)(b) GDPR
Article 83(2)(g) GDPR
Article 83(5) GDPR
72.1 A) LOPDGDD
Type: Investigation
Outcome: Violation Found
Decided: n/a
Published: n/a
Fine: 5000 EUR
Parties: n/a
National Case Number/Name: PS-00449-2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

AEPD imposes a €5000 penalty on a political party for distributing election advertising in violation of Article 5(1)(b) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

On 23/05/2019 it was published in the newspaper "Segre" that the Medical Association of Lleida is investigating a possible breach of ethics for the use of medical data to send advertising of a political party in an election campaign.

On 26/06/2019 the claimant filed a complaint denouncing that he had received advertising from the political party "PARTIT DELS SOCIALISTES DE CATALUNYA (PSC-PSOE)" addressed to a ceased relative and who was a patient of a doctor related to the denounced political party.

The political party states that the doctor, who had run in the municipal elections and was a counselor at the Town Hall, brought boxes with sealed envelopes. The administrative staff of the Political Party proceeded to send them.

Dispute[edit | edit source]

Is it a violation of Article 5 GDPR to send election advertising to citizens using data arising from the doctor-patient relationship?

Holding[edit | edit source]

The AEPD considered that the conduct of the defendant's employees - the sending of electoral publicity using personal data from a patient-doctor relationship - infringes Article 5.1 b) of the RGPD, an infringement punishable under Article 83 (4) (a) GDPR.

Assessing the circumstances that modify the responsibility contemplated in Article 83 (2) GDPR, in this case, the aggravating circumstances for being a non-intentional but significant negligent action (Article 83 (2) (b) GDPR), and for being data known as basic personal identifiers such as name and address (83 (2) (g) GDPR).

The AEPD set the amount of the administrative fine at €5000 (five thousand euros).


Comment[edit | edit source]

The decision was notified on 14 August to the respondent, who lodged an appeal for reconsideration on 15 September 2020. The AEPD refused to admit the appeal due to its late presentation, justifying its action in the case law of the Audiencia Nacional and the Supreme Court.

This jurisprudence established that when the deadline is from month to month, the period begins on the day after the notification and ends on the same day of the notification of the following month.

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00449/2019
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and
on the basis of the following
BACKGROUND
FIRST: A.A.A. (hereinafter referred to as the complainant)
 dated 26 June 2019
filed a complaint with the Spanish Data Protection Agency. The claim is directed against PARTIT DELS SOCIALISTES DE CATALUNYA (PSCPSOE), with NIF G08564379 (hereinafter the claimed)
The grounds for the complaint are the receipt of a letter addressed to a family member of the claimant asking for political support for the Socialist Party candidate.
This letter was headed by B.B.B., a specialist in general and digestive surgery.
The only link between the recipient of the letter and the aforementioned doctor was patient/professional, and in no case had the express consent to receive this type of political communication.
SECOND: The aim is to inform the PARTIT DELS SOCIALISTES DE CATALONIA (PSC-PSOE), this complaint on 29 August 2019, requiring them to submit to this Agency, within one month, information on the response given to the complainant on the alleged facts, as well as the causes that have led to the occurrence and the measures taken to remedy it in accordance with Article 5(1)(f) of Regulation (EU) 2016/679 of the Parliament Council of 27 April 2016 (GPRD).
On 19 September 2019 the PSC responded to the above-mentioned request by the EAPD, said that the respondent ran in the municipal elections, forming part of the electoral coalition Candidatura del Progres (CP) as it had served as Councillor of the Town Council of Lleida.
During the election campaign, the person in question went to the headquarters of the PSC federation carrying a box of sealed envelopes (without letterhead, logo or sender) by directly instructing the Federation's personnel who will process the shipment. The said personnel proceeded to send it in view of the fact that the applicant was a prominent candidate on the electoral list.
The respondent does not know the origin of the data, although it could be deduced that it came from the personal diary of B.B.B., a prominent local doctor.
Although he was proclaimed elected, he resigned from his post as councilor, because currently, nothing is binding on the PSC.

In relation to the above-mentioned doctor, it is known that the notification sent on 29 August 2019, has not been delivered as it was not delivered, because which this Agency decides to repeat that request for information on 23 September of 2019, this second time being unknown.
THIRD: On 24 February 2020, the Director of the Spanish Data Protection agreed to initiate sanctioning procedures against the respondent, by the alleged violation of Article 5.1(b) of the GDPR, as set out in Article 83.5 of the GDPR.
FOURTH: On June 9, 2020, the instructor of the procedure agreed on the opening of a trial period, with the incorporation of the preliminary investigation proceedings, E/07792/2019, as well as documents
provided by the respondent.
FIFTH: A motion for resolution was formulated on 22 June 2020, proposing that PARTIT DELS SOCIALISTES DE CATALUNYA (PSCPSOE), with NIF G08564379, be sanctioned for an infringement of article 5.1.b) of the RGPD, typified in article 83.5 of the RGPD, a fine of 5000 euros (five thousand euros).
Of the proceedings in these proceedings and the The following documents have been accredited
PROVEN FACTS
FIRST: The ***DATE.1, is published on www.segre.com/noticies/lleida, which the
The Official College of Physicians of Lleida will proceed with the investigation of the letters sent by Dr. B.B.B., on the occasion of the 2019 elections.
The controversy arises from the receipt of a letter from Dr. B.B.B.  asking for his electoral support for a relative of a patient of his, who had
died in 2002.
SECOND: Receipt of a letter addressed to a relative of the claimant asking to give political support for the Socialist Party candidate.
THIRD: On 19 September 2019 the PSC in response to the above-mentioned request
of the AEPD, said that the respondent ran in the municipal elections part of the electoral coalition Candidatura del Progres (CP) as he was a councilor of the Town Council of Lleida.
During the election campaign, B.B.B., a prominent doctor in the town went to the PSC federation headquarters carrying a box of sealed envelopes (no letterhead, logo or sender) by directly instructing the staff of the Federation that will process your shipment.
The said personnel proceeded to send it in view of the fact that the applicant
was a prominent candidate on the electoral list.

LEGAL FOUNDATIONS
I
The Director of the Agency is competent to resolve this procedure Data Protection, in accordance with the provisions of Article 58.2 of the RGPD and in articles 47 and 48.1 of the LOPDGDD.
II
Article 4(1) of the GPRS defines personal data as "any information relating to an identified or identifiable natural person ("the data subject"); it shall be considered identifiable natural person means any person whose identity can be established, directly or indirectly, in particular by means of an identifier, such as a name an identification number, location data, an online identifier or one or more elements of that person's physical, physiological, genetic, psychological, economic, cultural or social identity.
Article 4.2) of the RGPD defines "processing" as "any operation or set of operations performed on personal data or sets of personal data, whether by automated procedures or not, such as collection, recording, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, matching or interconnection, limitation, deletion or destruction".
In this way, personal data are considered to be processed from when personal data is communicated or disseminated.
Article 6.1 of the RGPD states that "in accordance with the provisions of Article 4.11 of Regulation (EU) 2016/679, consent of the affected party is understood as any free, specific, informed and unequivocal expression of will by the that he accepts, either by a declaration or a clear affirmative action, the processing of personal data concerning him".
For its part, Article 5 of the RGPD establishes that the personal data will be 
"(a) processed in a lawful, fair and transparent manner in relation to the data subject ("legality, fairness and transparency");
(b) collected for specified, explicit and legitimate purposes and not treated subsequently in a manner incompatible with those purposes; in accordance with Article 89, paragraph 1, further processing of personal data for archiving purposes in the public interest, for scientific and historical research or for statistical purposes shall not be considered incompatible with the original purposes ("purpose limitation");
(c) adequate, relevant and limited to what is necessary in relation to the purposes for those who are processed ("data minimization");
(d) accurate and, where necessary, updated; all measures shall be taken to delete or rectify without delay personal data that are inaccurate with respect to the purposes for which they are intended ("accuracy");
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing of the personal data; personal data may be kept for longer periods provided
that are processed exclusively for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, in accordance with Article 89, paragraph 1, without prejudice to the application of the appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of the person concerned ("limitation of retention period");
(f) processed in a way that ensures appropriate security for the personal data, including protection against unauthorized or unlawful processing; and against their accidental loss, destruction or damage, by implementing measures appropriate techniques or organizational arrangements ("integrity and confidentiality").
The controller shall be responsible for compliance with the provisions of paragraph 1 and capable of demonstrating it ("proactive responsibility")".
III
In accordance with the evidence available here at the time of the sanctioning procedure, it is considered that it has been accredited that the defendant has used the data provided by B.B.B., a leading physician in the
to send a letter to a relative of the claimant, asking for his or her support political party, when standing for election on the political party's list claimed, which is clearly a different purpose for which these statements were given data, which was none other than the one between a patient and his doctor.
These facts are accredited by the newspaper www.segre.com, in its publication of ***DATE.1, following the link: ***URL.1. In addition, it has also been noted that it was from the party headquarters since where the electoral propaganda letters with the patients' data were sent provided by the aforementioned doctor.
The defendant is therefore charged with an infringement of Article 5.1(b) of the GPRS, which governs the principle of purpose limitation, as well as the proactive responsibility of the controller to demonstrate his
compliance.
IV
Article 72.1.a) of the LOPDGDD states that "in accordance with the provisions Article 83(5) of Regulation (EU) 2016/679 are considered very serious and will expire after three years if they substantially infringe the articles mentioned therein, and in particular the following articles:
Processing of personal data in breach of the principles and guarantees laid down in Article 5 of Regulation (EU) 2016/679.
V
Article 58(2) of the GDPR provides: "Each supervisory authority shall have all of the following corrective powers listed below:
(b) to sanction any controller or person in charge of the processing with warning where processing operations have infringed the provisions of this Regulation;
(d) instruct the controller or processor to ensure that the processing operations treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time frame;
(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each individual case;
VI
This infringement is punishable by a fine of up to or, in the case of an undertaking, of an amount not exceeding 4% of its total annual turnover in the preceding financial year, in which case in accordance with article 83.5 of the GDPR.
Likewise, it is considered that the sanction to be imposed should be graduated in accordance with
with the following criteria established in article 83.2 GDPR::
The following are aggravating factors:
In the present case, we are dealing with unintentional but significant negligent action (Article 83.2 b)
Basic personal identifiers (name, surname, address) are affected, according to Article 83(2)(g)
VII
Furthermore, Article 83.7 of the GPRS provides that, without prejudice to the corrective powers of the supervisory authorities under Article 58(2), Each Member State may lay down rules on whether and to what extent this is possible, impose administrative fines on public authorities and bodies established in
that Member State.
Therefore, in accordance with the applicable legislation and having assessed the criteria of graduation of penalties whose existence has been established, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: To impose on PARTIT DELS SOCIALISTES DE CATALUNYA (PSCPSOE), with NIF G08564379, an infringement of article 5.1.b) GDPR, typified in Article 83.5 GDPR, in relation to Article 72.1 a) of the LOPDGDD, a fine of 5000 euros (five thousand euros).
SECOND: NOTICE this resolution to PARTIT DELS SOCIALISTES DE CATALONIA (PSC-PSOE).
THIRD: To warn the sanctioned party that he must make effective the sanction imposed a
once this decision becomes enforceable, in accordance with the provisions
in art. 98.1.b) of law 39/2015 of 1 October on Procedure
Common Administrative Framework for Public Administration (LPACAP),
within the voluntary payment period established in Article 68 of the General Regulations
approved by Royal Decree 939/2005, of 29 July, in
The following is a summary of the provisions of Article 62 of Law 58/2003, of 17 December, by means of its
the tax identification number of the sanctioned party and the number of the procedure that
appears in the heading of this document, in the restricted account No
ES00 0000 0000 0000 0000, open on behalf of the Spanish Agency of
Data Protection in the bank CAIXABANK, S.A.. In case
Otherwise, it will be collected during the enforcement period.
Once notification has been received and once it has become enforceable, if the enforceability date
The deadline for the completion of the registration process is between the 1st and 15th of each month, inclusive.
voluntary payment will be until the 20th day of the following month or the next business day, and if
is between the 16th and the last day of each month, inclusive, the deadline of Payment will be made until the 5th of the second following month or immediately thereafter.
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for a reversal to the Director of the Spanish Data Protection Agency within a period of a month from the day following notification of this resolution or directly contentious-administrative appeal to the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of the referred to Law.
Finally, it is pointed out that in accordance with the provisions of Article 90.3 a) of the LPACAP, the final decision may be suspended in administrative proceedings as a precautionary measure if the person concerned indicates his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency,
by submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registrations provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. Also must send to the Agency the documentation proving the effective intervention
of the contentious-administrative appeal. If the Agency was not aware of the lodging of the contentious-administrative appeal within two months of the day following notification of this resolution, would terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Data Protection Agency