AEPD - PS/00075/2020

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 13 GDPR
Article 83(5)(a) GDPR
Article 83(5)(b) GDPR
Article 6 LOPDPGDD
Article 72 LOPDPGDD
Type: Investigation
Outcome: Violation Found
Decided: 21.08.2020
Published: n/a
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: PS/00075/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA fined a gas installation company €3000 for violating Article 6(1)(a) GDPR, as it stored the personal data of its customers in a notebook without having a legal basis to do so, and did not inform its data subjects of this data processing.

English Summary

Facts

A client of the defendant provided the Guardia Civil (Spanish Police) with a notebook that the defendant had forgotten in his home when he was there for repairs.

The document-agenda contained a large number of notes from clients with their name, surname, personal identification number, divided by parish and containing in many cases the address and telephone number.

The client also presented an invoice for the services provided by the company of the respondent, which did not inform the interested parties about the data protection regulations and their rights as data subjects.

The defendant did not make any allegations at any time during the sanctioning procedure.

Dispute

Is it a violation of Article 6 GDPR to collect non-automated personal data without the prior consent of the data subjects?

Holding

The AEPD held it proven that the defendant violated Article 6 of the GDPR: he had unlawfully processed the personal data of the persons concerned, and there was no legitimate basis for the processing.

The facts also evidence a violation of Article 13 of the GDPR, because the defendant did not provide the information about the processing of personal data that the article requires. This is shown by the invoice issued to his clients, which contained no such information.

Among the factors that the AEPD took into account when setting the amount of the penalty, the following stand out:

- The purely local scope of the treatment carried out by the defendant.
- Many people have been affected by the offending behavior.
- There is no evidence that the defendant has taken steps to prevent similar incidents from occurring in the future, as he did not respond to the request for information.
- Although there is no evidence that he acted fraudulently, his actions reveal a lack of diligence.
- The accused has not been sanctioned previously.
- The accused is a self-employed natural person. A high penalty could therefore cause him excessive damage to his small business accounts.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Style ID: PS/00075/2020
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and on the basis of the following

BACKGROUND
FIRST: The CIVIL GUARD COMMANDER of the Post of ***LOCALITY.1 (hereinafter the complainant) refers on 29/08/2019 Office as consequence of the drawing up of the report for possible infringement of the above in the RGPD and LOPDGDD in relation to Mr A.A.A., with tax identification number ***NIF.1 (hereinafter claimed). A copy of the Minutes of the complaint that led to the intervention has been provided of the aforementioned body and the facts are as follows: in the aforementioned position person a customer of the claimant, dedicated to the installation of gas, providing a document called Dietario Perpetuo in red containing a large number of customer notes with their name, surname, ID card, divided by parishes and containing in many cases the address and telephone number; that the aforementioned diary was forgotten by the claimant at his home when he was performing gas installation; that the acting force has confirmed the extremes expressed by the declarant, which could involve the processing of personal data without consent of the persons concerned; that since the person concerned is requested of police proceedings for the alleged crime of fraud and damages followed before the Court The ***LOCALITY.1 Instruction Manual states that it could be processing data from personal nature of clients without the corresponding consent and without informing them of the terms indicated in the RGPD.

SECOND: Upon receipt of the complaint, the Subdirectorate General of Data Inspection proceeded to carry out the following actions: 

On 28/10/2019, the complaint submitted for analysis was transferred to the respondent and communication to the complainant of the decision taken in this regard. The complainant will also be required to send within one month to the Agency a list of information:

- Copy of the communications, of the decision taken which you have sent to claimant in respect of the transfer of this claim, and evidence that the complainant has been notified of this decision.
- Report on the causes of the incident which led to the claim.
- Report on the measures taken to prevent similar incidents.
- Any other that you consider relevant.

THIRD: On 04/03/2020, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the complaint filed by the claimant against the respondent.

FOURTH: On 08/06/2020, the Director of the Spanish Protection Agency of Data agreed to initiate sanctioning proceedings against the respondent: a) for the alleged infringement of Article 6.1.a) of the GDPR, sanctioned in accordance with the Article 83.5.a) of the aforementioned RGPD and, b) for the alleged infringement of Article 13 of GDPR, sanctioned in accordance with the provisions of article 83.5.b) of the aforementioned regulation.

FIFTH: Notification of the agreement of initiation, the one claimed at the time of this resolution has not submitted any written submissions, so it is applicable referred to in Article 64 of Law 39/2015 of 1 October on the Procedure Common Administrative Framework for Public Administrations, which in paragraph (f) provides that in the event of failure to make representations within the prescribed period on the content of the initiating agreement, it may be considered as a proposal for resolution when it contains a precise statement of liability the Court of First Instance shall give its decision in accordance with the procedure laid down in Article 251 of the Treaty.

SIXTH: Of the proceedings in these proceedings, the following have been accredited:

PROVEN FACTS

FIRST: On 29/08/2019 the CIVIL GUARD COMMAND of the Post of ***LOCALITY.1 (hereinafter the complainant) submits a letter as a result of the preparation of the minutes and complaint for possible violation of the provisions of the GDPR and LOPDGDD in relation to the actions of Mr A.A.A., with NIF ***NIF.1 (hereinafter claimed). They provide a copy of the Minutes of the complaint that motivates the intervention of the facts are as follows: in the above-mentioned position, the person a customer of the claimant, dedicated to the installation of gas, providing a document called Dietario Perpetuo in red containing a large number of notes of people with their name, surname, ID card, divided by parishes and containing in many cases the address and telephone number; that the aforementioned diary was forgotten by the claimant at his home when he was performing gas installation; that the complainant has confirmed the points made by the which could involve the processing of personal data without the consent of the persons concerned; that since the person concerned is requested to of police proceedings for the alleged crime of fraud and damages followed before the Court ***LOCALITY.1 Instruction Manual states that it could be processing data from the personal nature of clients without the corresponding consent and without informing them of the terms indicated in the RGPD.

SECOND: It is recorded that a copy of the invoice issued by the complaint was filed without informing the parties concerned about the rules on data protection and their rights 

THIRD: It consists of the delivery of a book of the following type diary, providing a descriptive photograph of it, as well as copy of pages of the same in which are linked by parishes, the names, Surnames and ID cards of people who are supposed to be clients of the claimant.

LEGAL GROUNDS

I
By virtue of the powers conferred on each of the parties by Article 58(2) of the GDPR supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure.

II
Law 39/2015 of 1 October on the Common Administrative Procedure of the public administrations, in Article 64 "Agreement on initiation in the procedures of a punitive nature", it provides:

"1. The agreement to initiate proceedings shall be communicated to the instructor of the procedure, with any proceedings in this regard, and the interested parties shall be notified thereof, meaning, in any case, the defendant.

The complainant will also be informed of the initiation of proceedings where the regulatory rules of the procedure so provide.

2. The agreement on initiation must contain at least 
a) Identification of the person or persons alleged to be responsible.
b) The facts justifying the initiation of the proceedings, their possible qualification, and any penalties that may apply, without prejudice to the result of the instruction.
c) Identification of the instructor and, where appropriate, the Secretary of the proceedings, with an express indication of the regime of the challenge of the same.
d) The competent body for the resolution of the procedure and the rule that such competence, indicating the possibility that the alleged responsible can voluntarily acknowledge their responsibility, with the effects provided for in Article 85.
(e) Measures of a provisional nature which have been agreed by the body competent to initiate the penalty procedure, without prejudice to those may be adopted during the same in accordance with Article 56.
(f) Indication of the right to make representations and to be heard at the procedure and of the time limits for its exercise, as well as an indication that, in if no arguments are made within the time limit on the content of the agreement to initiate, this may be considered as a motion for a resolution when it contains a precise statement of liability defendant.

3. Exceptionally, when at the time of issuing the initiation agreement there are insufficient elements for the initial qualification of the facts which motivate the opening of the procedure, the qualification may be made in one stage by drawing up a Statement of Objections, which must be notified to the interested parties".

In the application of the above precept and taking into account that no the agreement to open the proceedings should be terminated initiated.

III 
The facts complained of are specified in the processing of the data of character without consent or any other cause that legitimizes such processing by the in its agenda-document called Dietario Perpetuo (Perpetual Diary), the personal data of the inhabitants of several parishes and, moreover, without informing them of their rights under Article 13 of the GDPR.

Article 58 of the GDPR, Powers, states:
"Each supervisory authority shall have all the following powers corrective measures indicated below:
(…)
b) sanction any person responsible for or in charge of the processing with warning where processing operations have infringed the provisions of this Regulation;
(…)
(i) impose an administrative fine in accordance with Article 83, in addition to or in addition to place of the measures mentioned in this paragraph, according to the circumstances of each individual case;
(…)”

IV
Infringement of Article 6.1.a) of the GDPR 
Article 5, Principles relating to processing, of the RGPD states:
"1. Personal data shall be:
(a) processed in a lawful, fair, and transparent manner in relation to the data subject ("legality, loyalty and transparency");

Furthermore, Article 6, Lawfulness of processing, of the GDPR provides that "Processing shall be lawful only if at least one of the following conditions is met:
a) the data subject has given his consent to the processing of his data for one or more specific purposes;
 (…)”
Article 4(11) of the GDPR, Definitions, states that 
"(11) "Consent of the data subject" means any expression of free will specific, informed and unequivocal by which the data subject accepts, either by a statement or clear affirmative action, the processing of personal data that concern him".

Also Article 6, Treatment based on the consent of the person concerned, of the new Organic Law 3/2018, of 5 December, on Data Protection Personal and guarantee of digital rights (hereinafter LOPDGDD), states that:
"In accordance with Article 4.11 of the Regulation (EU) 2016/679, the consent of the person concerned is understood as any expression of will specific, informed and unequivocal reason why he accepts, either by a statement or clear affirmative action, the processing of personal data that you concern.

2. When it is intended to base the processing of data on the consent of the person concerned for a variety of purposes will need to be recorded in as the Commission has also stated specifically and unambiguously that such consent is given for all of them.

3. The execution of the contract may not be subordinated to the consent of the person concerned to processing of personal data for purposes unrelated to the maintenance, development, or control of the contractual relationship".

V
The documentation in the file proves that the claimant violated Article 6 of the GDPR, since it has unlawfully processed the data of personal nature of the persons concerned since there is no legitimate reason for the processing of personal data, as set out in the list containing the name, surname and ID card of many people, grouped by parish, all this is set out and contained in the Perpetual Diary document belonging to the claimed.
It should be noted that respect for the principle of the lawfulness of data requires it is established that there is a legitimate reason for the processing of the data and to display reasonable diligence, which is essential to prove this. If not to do so would empty the principle of legality of its substance.

VI
Article 83.5(a) of the GDPR considers that the infringement of "the principles for treatment, including conditions for consent under Articles 5, 6, 7 and 9" is punishable, in accordance with Article mentioned in Article 83 of that Regulation, "with administrative fines of 20,000,000 maximum or, in the case of a company, an equivalent amount to a maximum of 4% of the total annual turnover for the previous financial year, opting for the one with the highest amount".

On the other hand, the LOPDGDD for the purposes of prescription states in Article 72:
"Infringements considered very serious:
1. In accordance with the provisions of Article 83(5) of the Regulation (EU) 2016/679 are considered very serious and will be subject to a three-year statute of limitations for infringements that constitute a substantial breach of the articles mentioned in that one and, in particular, the following:
(…)

b) The processing of personal data without any of the conditions for the lawfulness of processing laid down in Article 6 of the Regulation (EU) 2016/679.
(…)”

VII
In order to determine the administrative fine to be imposed the provisions of Articles 83(1) and 83(2) of the GDPR, which they point out:
"Each supervisory authority shall ensure that the imposition of fines administrative offences under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are on a case-by-case basis effective, proportionate and dissuasive.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures envisaged in Article 58(2)(a) to (h) and (j) In deciding to impose a fine and its amount in each individual case will be duly taken into account:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of stakeholders affected and the level of damage and damages they have suffered;
(b) the intentionality or negligence of the infringement;
(c) any measure taken by the controller or processor to mitigate the damages suffered by those concerned;
(d) the degree of responsibility of the person responsible for or in charge of treatment, taking into account any technical or organisational measures that have applied under Articles 25 and 32;
(e) any previous infringement committed by the person responsible for or in charge of treatment;
(f) the degree of cooperation with the supervisory authority in order to put remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the way in which the supervisory authority became aware of the infringement, in particular, whether the person responsible or the person in charge notified the infringement and, if so to what extent;
(i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible or the person in charge in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement.

In relation to Article 83.2(k) of the RGPD, the LOPDGDD, in its Article 76, "Sanctions and remedial measures", provides that 
"In accordance with Article 83(2)(k) of the Regulation (EU) 2016/679 may also be taken into account:
(a) the continuing nature of the infringement 
(b) The link between the activity of the offender and the carrying out of the processing of personal data.
(c) The benefits obtained as a result of the commission of the infringement.
(d) The possibility that the conduct of the data subject may have led to the commission of the offence.
(e) The existence of a post-commission merger process of the infringement, which cannot be attributed to the absorber.
f) Affecting the rights of minors.
g) Having, when not compulsory, a delegate for the protection of data.
h) The submission by the person responsible or in charge, with a to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested."

In accordance with the above provisions, and without prejudice to the investigation of the proceedings, for the purpose of setting the amount of the penalty to be imposed at the present case for the infringement defined in article 83.5.a) of the GDPR of which the claimant is held responsible, in an initial assessment, the following factors:
- The purely local scope of the treatment carried out by the respondent.
- Many people have been affected by the infringing behaviour.
- The complainant has not been shown to have adopted measures to prevent similar incidents from occurring in the future since he did not respond to the request for information.
- Although there is no evidence that he acted fraudulently, his actions reveal a lack of diligence.
- The defendant has not been previously sanctioned.
- The defendant is a natural person, autonomous.
Therefore, a sanction is imposed for violation of Article 6.1.a) of the GDPR of 3,000 euros.

VIII
Infringement of Article 13 of the GDPR 
The facts claimed also provide evidence of the violation by the Article 13 of the GDPR, by not informing the processing of personal data with the requirements and pronouncements established in the mentioned article, materialized in the emission of invoice to its clients not informing in the above sense.

This article determines the information to be provided to the interested party at the time of the collection of their data, establishing the following:
"Article 13. Information to be provided when personal data is obtained from the interested party.
When personal data are obtained from a data subject, when the data are obtained, the data controller will provide you with all the information below:
(a) the identity and contact details of the person responsible and, where appropriate, his representative;
b) the contact details of the data protection representative, if applicable;
(c) the purposes of the processing for which the personal data are intended and the basis legal treatment; 

(d) where the processing is based on Article 6(1)(f), the legitimate interests of the person responsible or of a third party;
e) the recipients or categories of recipients of the personal data, where appropriate;
(f) where appropriate, the controller's intention to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and means of obtaining a copy of these or the fact that they have been lent.

2. In addition to the information referred to in paragraph 1, the person responsible for processing will provide the data subject, at the time the data are obtained the following information necessary to ensure the processing of data loyal and transparent:
(a) the period for which the personal data will be kept or, where not the criteria used to determine this deadline;
(b) the existence of the right to request access from the controller personal data relating to the data subject, and their rectification or erasure, or the limitation of their processing, or to oppose the processing, as well as the right to data portability;
(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw the consent at any time, without affecting the legality of the treatment based on consent prior to withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the communication of personal data is a legal or contractual requirement; or a necessary requirement for entering into a contract, and if the person concerned is obliged to provide personal data and is informed of any consequences of not providing such data;
(f) the existence of automated decisions, including profiling, to referred to in Article 22(1) and (4), and at least in such cases, significant information on the logic applied, as well as the importance and expected consequences of such processing for the data subject.

3. Where the controller plans the further processing of personal data for a purpose other than that for which it was collected, provide the data subject, prior to such further processing, with information on that other purpose and any additional relevant information within the meaning of paragraph 2.

4. The provisions of paragraphs 1, 2 and 3 shall not apply when and where the extent to which the person concerned already has the information".


IX
Article 83.5(b) of the GDPR considers that the infringement of "the rights of the persons concerned within the meaning of Articles 12 to 22", is punishable, in accordance with Article 83(5) of that Regulation, "with fines 20,000,000 maximum or, in the case of a company, an amounting to a maximum of 4% of the total annual turnover of the previous financial year, opting for the largest amount".

Article 72 of the LOPDGDD states: "Infringements considered very serious:
"In accordance with Article 83(5) of the Regulation (EU) 2016/679 are considered very serious and will be subject to a three-year statute of limitations for infringements that constitute a substantial breach of the articles mentioned in that one and, in particular, the following:
(…)
h) The omission of the duty to inform the affected person about the treatment of his personal data in accordance with articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this organic law.
(…)”

X

It should also be pointed out that, given that the complaint covers the personal data of the data subjects, contravenes Article 13 of the GDPR, as it does not provide them, prior to their collection, with all information regarding data protection provided for in that precept.
In accordance with the evidence put forward, the facts above constitute a breach of Article 13 of the GDPR.

This infringement, in accordance with Article 58.2.b) of the RGPD, is sanctioned with a warning that the administrative fine which may be imposed under the provisions of Article 83(5)(b) of the GDPR could constitute a burden disproportionate for the defendant, who is already fined for the infringement of Article 6.1.a) of the GDPR, and that there is no record of any previous data protection infringement, giving the possibility that in his professional activity establish a protocol of information to your clients.

Likewise, in accordance with the aforementioned Article 58.2.d) of the RGPD, the respondent, as the data controller, is required to provide information to users whose personal data is collected from them to the requirements of Article 13 of the GDPR, as well as the provision of means of proof of compliance with the requirements.

Therefore, in accordance with the applicable legislation and having assessed the graduation of penalties whose existence has been established, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: To impose on Mr. A.A.A., with NIF ***NIF.1, for an infringement of article 6.1.a) of the RGPD, typified in article 83.5 of the RGPD and considered very serious a prescription effects in Article 72 of the LOPDGDD, a fine of 3,000 euros (three thousand euros).

SECOND: TO CHARGE Mr A.A.A., with tax identification number (NIF) ***NIF.1, for an infringement of Article 13 of the GDPR, typified in article 83.5 of the RGPD, a warning sanction.

THIRD: REQUIRE Mr. A.A.A., with NIF ***NIF.1, so that within one month since notification of this resolution, evidence of: the adoption of the measures necessary and relevant in accordance with Article 13 of the GDPR to in order to prevent the recurrence of infringements such as those that have a place of the claim.

FOURTH: NOTICE this resolution to A.A.A., with NIF ***NIF.1

FIFTH: To warn the sanctioned party that he must make effective the sanction imposed once this decision becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the payment period established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by means of its payment, indicating the tax identification number of the of procedure set out in the heading of this document, in the account restricted No ES00 0000 0000 0000 0000, open on behalf of the Agency Spanish Data Protection in the bank CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once notification has been received and once it has become enforceable, if the enforceability date the deadline for the completion of the registration process is between the 1st and 15th of each month, inclusive, voluntary payment will be until the 20th day of the following month or the next business day, and if is between the 16th and the last day of each month, inclusive, the deadline of Payment will be made until the 5th of the second following month or immediately thereafter.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public after it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for a reversal to the Director of the Spanish Data Protection Agency within a period of a month from the day following notification of this resolution or directly contentious-administrative appeal to the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of the referred to Law.

Finally, it is pointed out that in accordance with the provisions of Article 90.3 a) of the LPACAP, the final decision may be suspended in administrative proceedings as a precautionary measure if the person concerned indicates his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency, by submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registrations provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. 

Also must send to the Agency the documentation proving the effective intervention of the contentious-administrative appeal. If the Agency was not aware of the lodging of the contentious-administrative appeal within two months of the day following notification of this resolution, would terminate the precautionary suspension.

Mar España Marti
Director of the Spanish Data Protection Agency