AEPD (Spain) - PS/00065/2020: Difference between revisions

From GDPRhub
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/14

Mar España Martí
Director of the Spanish Data Protection Agency

Revision as of 11:47, 27 January 2021

AEPD - PS/00065/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 20.01.2021
Fine: n/a
Parties: Ciegos Españoles Católicos Organizados (CECO)
National Case Number/Name: PS/00065/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD resolution (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish Data Protection Agency (AEPD) issued a warning to the association of blind Catholics Ciegos Españoles Católicos Organizados (the defendant) for infringing Article 13 GDPR. The defendant's admission form for new members did not include all the information required by data protection legislation.

English Summary

Facts

The decision follows a complaint submitted by a Spanish citizen (the claimant), stating that the defendant used forms for the admission of new members that did not comply with the requirements of Article 13 GDPR; the claimant attached a copy of those forms.

Dispute

The defendant responded to the AEPD's first investigation requests stating that it had always made its best efforts to comply with the legislation, and attached some information to its answer: the same forms already attached by the claimant, an enquiry to the legal team of the AEPD, internal communications on the irregularities detected regarding data protection, and a copy of the new form already signed by the claimant. The AEPD started the corresponding sanction procedure, and the defendant answered admitting that, although the last form did not include all the relevant points of Art. 13 GDPR, it had made big efforts since the irregularities were detected to solve the matter and comply with the legislation.

Holding

Thus, the AEPD found that the defendant had infringed Article 13 GDPR, as its previous form did not provide new members with all the legally required information. Consequently, after considering certain circumstances [(i) the defendant had already amended the form to include all the necessary information; (ii) the defendant even admitted that the previous form was not compliant; and (iii) the new form includes a separate consent box for the data processing activity and the use of the image of new members], the AEPD decided to issue a warning to the defendant.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


    Procedure No: PS/00065/2020

                RESOLUTION OF DISCIPLINARY PROCEEDINGS


From the procedure carried out by the Spanish Data Protection Agency and based on the following:

                                   BACKGROUND


FIRST: On 27/06/2019, the Spanish Data Protection Agency (AEPD) received a complaint lodged by Mr. A.A.A. (hereinafter, the claimant) against the association CIEGOS ESPAÑOLES CATÓLICOS ORGANIZADOS with tax identification number R5000907E (hereinafter the respondent or CECO).


The complaint concerns the application form for the registration and deregistration of its members that CECO started using in 2019. This form, which was approved by the Board of Directors of the entity complained of, in the opinion of the complainant, a member of the association, does not comply with the regulations on the protection of personal data. The complainant adds that the registration application form used in 2018 was also not in compliance with the rules governing the right to the protection of personal data, and he asks the AEPD to "urge CECO to draw up an application form for the registration and deregistration of members that complies with Spanish legislation on personal data protection and image rights".


A copy of the following documents is attached to the complaint:

    -   As Annex 1, a copy of the application form for registration, bearing the name of the association complained of, in which, under the heading "Application for registration in CECO" "Document for the attention of the Secretary of the Spanish Catholic Association of the Blind (CECO)", includes spaces for the identification details of a person, in particular those relating to name, surname, NIF and the Diocese to which he or she belongs. Subsequently, the document indicates that the person thus identified "hereby requests to become a member of the Spanish Catholic Association of the Blind (CECO)". It goes on to say: "We then proceed to provide the necessary details for registration". These details are: postal address, including town, province and postcode; date of birth; landline and mobile phone numbers; e-mail address; and the "reading and writing system". (The underlining is from the AEPD)

        In a separate paragraph, it includes this legend: "The applicant of this registration is aware that the data reflected in this registration will be manipulated by the Spanish Catholic Association of the Blind (CECO), which will be responsible for the correct use of the data".

        And it adds: "..., authorises the Spanish Catholic Association of the Blind (CECO) to be able to manipulate its image in any act that the association carries out and that is aware that this material (recordings, photos, videos...) will form part of the archives of the association". Below is the "Signature of the applicant".

    -   As Annex II, a copy of the registration application form, which the applicant has to fill in and which was used in 2018, is provided. Under the heading "CECO membership card", the following data is collected: the Diocese of which the member is a member; the dates of joining and leaving; first name and surname; address, with an indication of the locality, province and zip code; landline and mobile phone numbers; ID card number; email address; date of birth; the profession and the disability suffered by the person. The following legend is then included and below it the signature of the interested party is requested: "Data Protection. In compliance with the provisions of Organic Law 15/1999, we inform you that the personal data obtained by filling in this form are going to be incorporated, for the purposes of data protection, in an automated file. In accordance with the provisions of the Organic Law, the interested party may exercise his/her rights of access, rectification, cancellation and opposition of the data obtained in this form at any time".


SECOND: In view of the complaint, the AEPD, in the framework of the file E/8567/2019, by letter dated 26/09/2019, forwarded it to the respondent and requested information on the facts denounced. The notification was made by post. The document of the S.E. Correos y Telégrafos, S.A.E., "Proof of Delivery", which is on file, proves that the respondent received the notification on 01/10/2019.


On 09/10/2019, the AEPD received the respondent's reply, with which it attached nine documents. It declares that, as can be seen, "it has tried at all times to comply with what the legislation required in each case", which is why it has been "necessary to draw up a new application in accordance with the new regulation and to ask all members already registered with CECO to sign the new application".

The documents submitted are as follows:

a.- As Annex 1, the "CECO membership form", a document also provided by the claimant and described in the first antecedent, Annex II, the description of which is reproduced below.

b.- As annex 2, a document is provided which the respondent identifies as "the new registration application form created after the approval of the Data Protection Act of 2018...". This document is the same as the one submitted by the claimant and which is described in the First Precedent as Annex I, a description of which is reproduced here.

c.- Annex 3 is the welcome letter that the respondent states that it sends to new members. From this document, we transcribe, for their interest, the antepenultimate and penultimate paragraphs:
      "By filling in the registration form ...you gave us permission to manipulate your data, image, sound...all of which you can modify when you think it is convenient or it suffers any alteration".
      "When communicating with us, you have the following channels at your disposal. E-mail: Secretaria@ceco.org.es. Corporate telephone..."

d.- Annex 4 includes the consultation that the president of the association complained of addressed to the Legal Office of the AEPD in April 2019. The query was formulated in the following terms, and there is no record in this Agency that with the aforementioned document the respondent had sent the Legal Office of the AEPD any annexed document:
"A natural person who does not sign the document allowing the association to be able to can he/she be a full member of the said association?"

e.- Annex 5 corresponds to the report issued by the AEPD in response to the respondent's query.

f.- Identified as appendix 6 is the letter dated 21/06/2019 that the ***1 (...) addressed to the Board of Directors of the association complained of, setting out the irregularities found in the form to be filled in by those who wish to be admitted as a member, in summary, the following: (i) the document does not expressly and unequivocally inform of the existence of a data file or data processing or of the purpose of data collection; (ii) the document does not guarantee the right of the member to access, rectify, cancel or oppose the processing of his or her data in accordance with the LOPD and the implementing regulations; (iii) the identity and address of the data controller are not stated in the document; (iv) it does not inform you that, under no consent of the owner of the data; (v) no simple and free procedure is established for the member to revoke consent; (vi) consent to the processing of the image has to be given in a different document from the one in which the member consents to the processing of his or her personal data, requesting authorisation in each case.

g.- Annex 7: Letter from ***CARGO.2 addressed to ***CARGO.1, in which he/she acknowledges receipt of your letter.

h.- Annex 8 is the letter, dated 04/10/2019, addressed to ***CARGO.1 which, in response to the letter submitted on 21/06/2019, was sent by ***CARGO.2 in accordance with the resolutions adopted by the General Meeting on 2 and 3 October 2019. The letter states that "...following the consultation submitted ...to the Data Protection Agency, which was responded to on 8 May 2019, it can only be concluded that the CECO registration document is fully lawful as it is clearly indicated to us that: <<Consequently, the proposed processing of personal data shall be lawful in accordance with the provisions of article 6.1b) of the GDPR, as it is an association and insofar as each member enters in the manner legally established>>". The respondent concludes in that letter that there can be no question of anomalies in CECO's registration document, since, it says, "the Data Protection Agency has declared the entire procedure lawful".

i.- The last document provided (annex 9) is "the new application form for registration" - that is, the model approved in 2019, which is the subject of this complaint - "completed and signed by Mr A.A.A.". According to the explanations of the respondent, this document was handed over on behalf of the claimant by another member of the association on 28/04/2019. It further adds that the complainant is a member of CECO since 06/04/2018.


THIRD: In view of the documentation in the possession of the AEPD, submitted by both the claimant and the respondent, in accordance with the provisions of Article 65.5 of Organic Law 3/2018, on Data Protection and the Guarantee of Data Protection Rights (LOPDGDD), on 26/02/2020 it was agreed to admit this complaint for processing.


FOURTH: On 3 June 2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent, for the alleged infringement of Article 13 of Regulation (EU) 2016/679, the General Data Protection Regulation (hereinafter GDPR), typified in Article 83.5 of the aforementioned regulation.


FIFTH: Having been notified of the initiation agreement, the respondent, on 11/06/2020, filed written allegations stating the following:

"FIRST: That CECO is a non-profit making association dedicated fundamentally to the spiritual and moral promotion of the visually impaired, caring for blind people who are ill or in residential care. CECO since its constitution has dedicated its best efforts and will to the compliance with the regulations that may be applicable in different fields, including the protection of personal data, having carried out in good faith all the actions it has considered necessary to safeguard the rights of its members and to comply with the applicable regulations, the performance of this activity with means that have proved to be clearly insufficient and very limited. Proof of this, as the Resolution indicates, is the fact that the previous President of the association consulted the Legal Office of the AEPD in April 2019, which was duly answered.


SECOND.- That once it became aware of the complaint submitted, on 27 June 2019, at the Data Protection Agency by one of its members, it addressed a reply to this body accrediting that said requests aimed at obtaining data from its members had been modified so that their content was in accordance with the new regulation, with the intention of sending to all members already registered with CECO authorisation for the processing of their personal data.

THIRD.- That notwithstanding the foregoing, the aforementioned letter was submitted to the Spanish Data Protection Agency, a consultation was carried out with a person specialised in such matters who collaborated in the drafting of a new form designed to request the personal data of all those persons who express their wish to become a member of the association.

FOURTH.- That on 3 December 2019, the new version of the said form, drafted in compliance with the provisions of article 13 of the GDPR, was sent to all the coordinators of CECO in order to obtain their express consent both with regard to the processing of personal data and images. Attached to this letter as Annex nº 1 is an e-mail sent and as Annex nº 2, the model form that accompanies the aforementioned e-mail.


FIFTH: That, once these new forms have been drawn up, any possible omission of the information detailed in article 13 of the GDPR and from which a breach of the aforementioned article 13 could derive

SIXTH.- That, notwithstanding the foregoing, the Resolution received which initiates the sanctioning procedure mentions issues that have been considered relevant with a view to further increasing the transparency of the processing of the data requested from the members of the association:


a) The validity of the particular legal transaction by virtue of which the status of member is acquired requires that the person who is to become a member knows and accepts the Statutes of the association. Consequently, the processing of the personal data concerned will be lawful in accordance with the provisions of Article 6(1)(b) of the GDPR as it is an association and to the extent that each member joins the organisation in the manner legally established by accepting the corresponding statutes. (See page 8 of the Resolution).


b) Inclusion of CECO's tax identification number.

c) Reference in the form itself to the consequences of non-authorisation by the applicant to the processing of his personal data.


On the basis of the foregoing, a new form has been drawn up and is attached to this document as
Annex nº 3, which will be used in the future.

SEVENTH - That it recognises that the application form for registration, which is the object of the complaint that initiated this sanctioning procedure, did not provide all the information required by article 13 of the GDPR, but that, as has been stated in the previous sections, this association has subsequently made considerable efforts to adapt it to comply with each and every one of the requirements detailed in the aforementioned article, and, without prejudice to this, the special circumstances of this entity are additionally taken into account, while at the same time making a broad interpretation of the criterion inspired by Recital 148 of the GDPR, according to which a sanction of warning may be imposed when the imposition of a fine would constitute a disproportionate burden that would undoubtedly lead to the termination of the association's activity with the consequent detriment to all its members. It is also stated in the recital that particular attention should nevertheless be paid to the nature, gravity and duration of the infringement, to its intentional character, to the measures taken to mitigate the damage suffered, the extent of the infringement, the degree of liability or any relevant previous infringement.

                                ESTABLISHED FACTS

FIRST: The complaint concerns the application form for the registration and deregistration of its members that CECO started to use in 2019, which, according to the complainant, member of the association, does not comply with the regulations on personal data protection.

The registration application form, to which the complainant refers, includes spaces for the identification data of a person, in particular those relating to name, surname, NIF and the Diocese to which he or she belongs. Subsequently, the document states that the person so identified "hereby applies for membership as a member of the Spanish Catholic Association of the Blind (CECO)". It goes on to say: "The information required for registration is then provided". These details are the address, including town, province and postcode; date of birth; landline and mobile telephone numbers; e-mail address; and the "reading and writing system". (The underlining is from the AEPD)


In a separate paragraph, it includes this legend: "The applicant for this registration is aware that the data reflected in this inscription will be manipulated by the Spanish Catholic Association of the Blind (CECO), which is responsible for the correct use of the same".


And it adds: "..., authorises the Spanish Catholic Association of the Blind (CECO) to be able to manipulate its image in any act that the association carries out and that it is aware that this material (recordings, photos, videos...) will form part of the association's archive". Below is the "Signature of the applicant".

SECOND: The respondent submits, together with its allegations, the document of the application for registration in CECO, in which, after the collection of the personal data, information is provided on the data controller; purpose; legitimisation; recipients of the data; rights that may be exercised, address to which to contact, adding the possibility of lodging a complaint with the AEPD.


At the end of the document, consent is requested for the making and use of images, sound and video exclusively for the above-mentioned purposes and to be published in:

- The website and social media profiles of the Association.

- Filming for the dissemination of the Association's activities.
- Photographs for magazines or publications related to the Association.

Next, there are two boxes, not pre-marked, with the options: I authorise/Do not authorise.

                            LEGAL BASIS


                                              I

By virtue of the powers that Article 58(2) of the GDPR recognises to each supervisory authority, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

                                             II


Article 85, Termination of sanctioning procedures, of Law 39/2015, of 1 October, on the Common Administrative Procedure of the Public Administrations, establishes in its first section the following:

1. Once a sanctioning procedure has been initiated, if the offender acknowledges his or her responsibility, the procedure may be resolved with the imposition of the appropriate sanction.


The respondent expressly states the following in its statement of allegations: "that it acknowledges that the application form for registration which is the subject of the complaint that initiated this sanctioning procedure did not provide all the information required by article 13 of the GDPR, but that, as stated in the previous sections, this association has subsequently made considerable efforts to adapt it for the purpose of complying with each and every one of the requirements detailed in the aforementioned article"

                                             III

Article 5 of the GDPR, concerning the principles governing the processing of personal data, mentions among them the principle of transparency. The first paragraph of the provision stipulates: "Personal data shall be:

         (a) processed lawfully, fairly and transparently in relation to the data subject ('lawfulness, fairness and transparency')"

The principle of transparency is manifested in the obligation of data controllers to inform the data subject, in the terms of Article 13 of the GDPR, when the personal data are obtained directly from the data subject:


      "1. Where personal data relating to a data subject are obtained from him or her, the controller shall, at the time the data are obtained, provide him or her with all of the information set out below:

        (a) the identity and contact details of the controller and, where applicable, its representative;

        (b) the contact details of the data protection officer, where applicable;

        (c) the purposes of the processing for which the personal data are intended and the legal basis for the processing;

        (d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party;

        (e) the recipients or categories of recipients of the personal data, where applicable;

        (f) where applicable, the controller's intention to transfer personal data to a third country or an international organisation and the existence or absence of an adequacy decision of the Commission, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and to the means for obtaining a copy of them or the fact that they have been given.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time when the personal data are collected, with the following information which is necessary to ensure fair and transparent data processing:

        (a) the period for which the personal data will be kept or, where that is not possible, the criteria used to
        possible, the criteria used to determine this period;

        (b) the existence of the right to request from the controller access to personal data relating to the data subject, and their rectification or erasure, or restriction of processing, or to object to the processing, as well as the right to data portability;

        (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the basic processing

        (d) the right to lodge a complaint with a supervisory authority;

        (e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement for entering into a contract, and whether the data subject is obliged to provide the personal data and is informed of the possible consequences of not providing such data;

        (f) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic applied as well as the significance and expected consequences of such processing for the data subject.

3. Where the controller intends to further process the personal data for a purpose other than that for which they were collected, the controller shall provide the data subject, prior to such further processing, with information on that other purpose and any additional relevant information within the meaning of paragraph 2.

4. The provisions of paragraphs 1, 2 and 3 shall not apply where and to the extent that the data subject already has the information

Article 5(1)(a) of the GDPR sets out the principle of 'lawfulness, fairness and transparency', a principle which is further elaborated in Recital 39: "Any processing of personal data must be lawful and fair. For natural persons, it must be absolutely clear that personal data relating to them are being collected, used, consulted or otherwise processed, as well as the extent to which such data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of such data should be easily accessible and easy to understand, and that simple and clear language should be used. This principle concerns in particular the information of data subjects on the identity of the controller and the purposes of the processing and additional information to ensure fair and transparent processing with regard to the natural persons concerned and to their right to obtain confirmation and communication of personal data relating to them which are the subject of processing. Natural persons should be made aware of the risks, rules, safeguards and rights relating to the processing of personal data, as well as how to assert their rights in relation to the processing. In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. […]"


For its part, Recital 60 links the duty of information to the principle of transparency, stating that "The principles of fair and transparent processing require the data subject to be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with such further information as is necessary to ensure fair and transparent processing, having regard to the specific circumstances and context in which the personal data are processed. The data subject should also be informed of the profiling and of the consequences of such profiling. If personal data are obtained from data subjects, they should also be informed whether they are obliged to provide them and of the consequences if they do not do so [...]". In this order, Article 12(1) of the GDPR regulates the conditions for ensuring effective

article 13 specifies what information must be provided when the data are obtained from the data subject.

                                             III


The complaint we are examining concerns the compliance with data protection regulations of the form that the defendant has been using since 2019 to collect the personal data of those who wish to join the association as members.

This document is on file in duplicate, provided by both the complainant and the respondent. The respondent has stated that the form was approved by its General Meeting in 2019 and that it was intended to comply with the new obligations imposed by the LOPDGDD on those responsible for the processing of personal data. Obligations which, as has been indicated, are actually imposed by the GDPR, Article 13.

The document in question, which bears the name of "CECO Registration Application", is described in the first Fact, Annex I, of this agreement of initiation and is also referred to in the Second Fact, paragraph b).

According to the 2019 form drawn up and used by the Respondent, the person who requests ... to become a member of the Spanish Catholic Association of the Blind (CECO) and, further on, the document states: "...the necessary details for registration are given". The document collects, in addition to the first name, surname and ID number, the following personal data: the Diocese to which the holder of the data belongs; the postal address, with an indication of town, province and postcode; date of birth; landline and mobile telephone numbers; e-mail address; and the "reading and writing system".

Thus, an examination of the form shows that, by means of the form, the respondent records the will of a natural person to join the association and, for this purpose, collects his or her personal data. Declaration of will of the applicant, which is one of the elements that make up the special legal transaction by virtue of which the applicant acquires the status of associate.

With regard to this issue - the acquisition of the status of member, with the exception of the founders of the association - the Constitutional Court has repeatedly stated that it is produced by "an act of integration that constitutes a special legal transaction whereby the new member, having previously accepted the Statutes, prior knowledge of which is mandatory, is integrated into the association" (STC 218/1988, of 11 November). The validity of this particular legal transaction by virtue of which the new member acquires membership requires prior knowledge and acceptance of the association's statutes by the person who is to become a member. This is exactly what the association complained of was informed in the Report issued by the AEPD on 30/04/2019, which stated:

<<Accordingly, the processing of personal data in question will be lawful in accordance with the provisions of Article 6(1)(b) of the GDPR, as it is an association, and insofar as each member joins the organisation in the legally established manner, accepting the corresponding statutes>>

Article 13 of the GDPR provides that when personal data are collected from a data subject - which is the case through the CECO form or document at issue - the data controller is obliged, at that precise moment, that is, when it obtains them, to inform the data subject. This information covers various issues detailed in Article 13 of the GDPR.

The CECO document we have examined should have included all the information required by the provision. However, only the name of the company and its acronym are provided, and this paragraph: "The applicant for this registration is aware that the data reflected in this registration will be manipulated by the Asociación de Ciegos Españoles Católicos (CECO), which is responsible for the correct use of the same".


The respondent, in its capacity as data controller, in accordance with Article 13 of the GDPR, was obliged to include in the form by means of which it collected the data from third parties various information which it has totally and utterly dispensed with. In particular, it is obliged to provide information on the purposes of the processing for which the personal data collected will be used. Nor does it provide information, as it was obliged to do, on the legal basis of the processing; nor of the recipients of the personal data; of the period for which it will keep the personal data or, if it is not possible to establish a period, on the criteria used to determine it. It omits the fact that the data subject has the right to request from the controller access to his or her data, rectification, erasure, restriction [...] of the data. Nor does it provide information on the right to lodge a complaint with the supervisory authority. It does not inform whether there are automated decisions, including profiling, as referred to in Article 22(1) and (4) of the GDPR, and, if so, on the logic applied and on the significance and expected consequences of such processing for the data subject.

In short, the registration application form that the Respondent has used from 2019 until its modification following the receipt of this complaint to collect personal data did not provide the information required by Article 13 of the GDPR.


The form used violated Article 13 of the GDPR, conduct that is subsumable under Article 83(5) of the GDPR, which provides: "Infringements of the following provisions shall be punishable in accordance with paragraph 2 by administrative fines not exceeding EUR 20,000,000 or, in the case of an undertaking, an amount equivalent to a maximum of 4% of the total annual aggregate turnover for the preceding financial year, whichever is the greater:

    a) (...)
    (b) the rights of the interested parties in accordance with Articles 12 to 22;"

For the mere purposes of the statute of limitations, Article 72.1.h) of the LOPDGDD classifies as very serious "the omission of the duty to inform the data subject about the processing of his or her personal data in accordance with the provisions of Articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this Organic Law". The statute of limitations period for very serious infringements provided for in Organic Law 3/2018 is three years.


                                             IV


Article 58(2) of the GDPR states:

      "Each supervisory authority shall have all of the following corrective powers listed below:

      a) (..)
      (b) sanction any controller or processor with a warning where the processing operations have infringed the provisions of this Regulation;
      c)...
      (d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where applicable, in a specified manner and within a specified period of time;
      (...)
      (i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, according to the circumstances of each individual case."

In the present case, in view of the special circumstances of the entity responsible for the infringement, and taking a broad interpretation of the criterion of recital 148 of the GDPR, according to which, when the fine likely to be imposed would constitute a disproportionate burden, it is appropriate to impose the sanction of a warning for the infringement of Article 13 of the GDPR, resulting from the collection of data using the 2019 model, which did not include the information provided for in that article.

                                             V


The Respondent encloses, together with its allegations, the new data protection clause included in the application for membership in the association. The information provided therein includes all the sections set out in Article 13 of the aforementioned GDPR.

Likewise, and at the end of the registration form, it includes a specific section to obtain the applicant's consent to process his or her image. In this case, the legal basis for processing the image of the person applying for membership of the association does not derive from his or her membership of the association - that is, from Article 6(1)(b) of the GDPR - but from the consent given for that specific purpose (Article 6(1)(a) of the GDPR).

The GDPR (Article 3(11)) defines the data subject's consent as "any freely given, specific, informed and unambiguous indication by which the data subject accepts, either by a statement or by a clear affirmative action, the processing of personal data concerning him or her" and in its Article 7 it details the conditions that consent must meet in order to be valid. Among them, point 2 of the precept reads:

      "If the data subject's consent is given in the context of a written declaration which also relates to other matters, the request for consent shall be presented in such a way that it is clearly distinguishable from the other matters, in an intelligible and easily accessible form, and using clear and plain language. Any part of the declaration which constitutes a breach of this Regulation shall not be binding."

In this respect, Recital (43) of the GDPR may be referred to, which reads:

      "(...). Consent is presumed not to have been freely given when it does not allow separate authorisation of the different personal data processing operations despite being appropriate in the specific case, or when the performance of a contract, including the provision of a service, is dependent on consent,
(The underlining is that of the AEPD)

CECO's old form accompanying the complaint "did not allow" those applying for membership of the association and providing their personal data for that purpose "to refuse the processing of their image", as both statements had a joint signature.

While the association is entitled to process the member's personal data under the terms laid down in the association's statutes - statutes which the applicant has to know and accept beforehand -, the legal basis for the processing being the development of that particular legal transaction by virtue of which the member joins the association, the association expressly requests the consent of the data subject for the processing of the image. These are two independent declarations of will, which means that each of them must be able to be given or withheld independently, without linking one to the other. Transposed to the case at hand, each of these declarations must necessarily have its own signature. In addition, with regard to the processing of the image for which consent is sought in the last stipulation of the form, it should be noted that the information required by Article 13 GDPR for this particular processing must also be provided.

Any processing of images of members carried out by CECO on the basis of a purported consent of the data subject obtained through the form examined would, in so far as such consent would be invalid, constitute a breach of Article 6(1)(a), in conjunction with Article 7(2), of the GDPR.

At present, the registration form of the association complained of provides separate information on the processing of data as a member of the association, and express consent is requested, by means of unticked boxes, for the processing of the members' image.

                                            VI



The Respondent infringed Article 13 of the GDPR because the form on which the data of natural persons applying to become members of the CECO association was collected did not provide the information required by that provision. This conduct is defined as an infringement in Article 83(5)(b) of the GDPR. It is therefore sanctioned with a warning.

However, the association in question, having become aware of the complaint and the reasons for it, has modified the registration form for members of the association, informing them of all that is required by Article 13 of the GDPR, and has included the separate request for consent to the processing of the image. Therefore, corrective measures are not required.

Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the penalties whose existence has been accredited,


The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on ASOCIACIÓN DE CIEGOS ESPAÑOLES CATÓLICOS ORGANIZADOS, with NIF R5000907E, for an infringement of Article 13 of the GDPR, as defined in Article 83.5.b) of the GDPR, a sanction of a warning.

SECOND: TO NOTIFY this resolution to ASOCIACIÓN DE CIEGOS ESPAÑOLES CATÓLICOS ORGANIZADOS.

Pursuant to the provisions of Article 50 of the LOPDGDD, the present Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to administrative proceedings in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, at their own discretion, an appeal for reconsideration with the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this decision or directly lodge a contentious-administrative appeal before the Contentious-Administrative Chamber of the Audiencia Nacional, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months of the day following notification of this act, in accordance with the provisions of Article 46.1 of the aforementioned Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative decision may be suspended as a precautionary measure if the interested party declares its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. The documentation accrediting the effective filing of the contentious-administrative appeal must also be sent to the Agency. If the Agency is not aware of the lodging of the contentious-administrative appeal within a period of two months from the day following the notification of the present resolution, the precautionary suspension shall be deemed to be terminated.



                                                                                                   938-131120

Mar España Martí
Director of the Spanish Data Protection Agency



