AEPD - PS/00086/2020

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 83(5) GDPR
72 (1) (a) LOPDGDD
Type: Investigation
Outcome: Violation Found
Decided: 01.09.2020
Published: 01.09.2020
Fine: None
Parties: ASOCIACIÓN DE TÉCNICOS Y PROFESIONALES DEL SECTOR AEROESPACIAL
National Case Number/Name: PS/00086/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA held that sending the electoral roll by e-mail to different persons outside and inside the company constitutes an infringement of Article 5(1)(f) GDPR.

English Summary

Facts

ATPSA's union representative at ITP Aero in Aljavir had sent the electoral roll, which includes the data of the employees, by email to different people at addresses inside and outside the company, without the consent of the employers. The defendant did not make any allegations, nor did it demonstrate that it had fulfilled its proactive obligation to respect the GDPR when processing data.


Dispute

Does sending the electoral roll, which includes the personal data of the claimant, by email to different addresses inside and outside the company constitute a violation of Article 5(1)(f) GDPR?


Holding

For the infringement of Article 5(1)(f) GDPR, in conjunction with Article 72(1)(a) LOPDGDD, the Spanish DPA imposed the sanction of a warning under Article 83(5)(a) GDPR.

The Spanish DPA required the claimed party to provide evidence within one month that appropriate technical or organizational measures have been taken to ensure adequate security for the personal data it is processing, including protection against unauthorized or unlawful processing and loss, accidental destruction, or damage.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00086/2020
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure conducted by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On June 12, 2019, a claim was filed with the Spanish Data Protection Agency against the ASSOCIATION OF TECHNICIANS AND AEROSPACE SECTOR PROFESSIONALS (hereinafter ATPSA), with VAT number G82386533, and against the Trade Union Representative of that Association; its file number is E/12078/2019.
The reason for the complaint is that the ATPSA union representative in the company ITP Aero in Aljavir has sent the electoral roll, which includes the claimant's data, by email to different people at company and non-company addresses, without the claimant's consent.
Although the complaint submitted may concern an infringement of data protection rules, it was not possible to initiate sanctioning actions because the tax identification of the alleged perpetrator was not available, and a decision was taken to close the file on 27 December 2019.
SECOND: On 6 March 2020, the Court of First Instance ruled in favor of replacement RR/00124/2020, brought by A.A.A., B.B.B., and C.C.C. (hereinafter the claimants), requesting the revocation of the resolution, essentially on the basis that the Tax Office has not been able to provide the CIF of the respondent, the Association of Technicians and Professionals of the Aerospace Sector, as stated in the Statutes deposited in the Ministry of Labour: G82386533.
As the appellants have provided the tax identification number, the appeal is considered and the appropriate actions begin through this sanctioning procedure.
THIRD: Although the claim presented by the claimants was transferred to the claimed entity for analysis, and so that it could inform the Agency whether it had communicated with the complainants and of the decision taken in this regard, the defendant has not responded to any of the requests formulated by the Spanish Data Protection Agency.
FOURTH: On 3 June 2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent for the alleged infringement of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR.
FIFTH: On 15 June 2020, the agreement to initiate this procedure was notified, and it became a motion for a resolution in accordance with Articles 64.2.f) and 85 of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (LPACAP), as no allegations were made within the above-mentioned time limit.
In the light of the above, the Spanish Data Protection Agency considers the following to be proven facts in these proceedings,
FACTS
FIRST: The ATPSA union representative at ITP Aero in Aljavir has sent the electoral roll, which includes the claimant's data, by email to different people at addresses inside and outside the company.
SECOND: The respondent has not made any allegations.
LEGAL GROUNDS
I
By virtue of the powers conferred on each supervisory authority by Article 58(2) of the GDPR, and in accordance with the provisions of Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
II
Article 6.1 of the GDPR establishes the cases in which the processing of personal data may be considered lawful.
For its part, Article 5 of the GDPR establishes that personal data shall be:
"(a) processed in a lawful, fair and transparent manner in relation to the data subject ("legality, fairness and transparency");
(b) collected for specified, explicit and legitimate purposes and not subsequently processed in a manner incompatible with those purposes; in accordance with Article 89, paragraph 1, the further processing of personal data for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes ("purpose limitation");
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
(d) accurate and, where necessary, updated; all measures shall be taken to have personal data deleted or rectified without delay if they are inaccurate with respect to the purposes for which they are intended ("accuracy");
(e) kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes of processing the personal data; the personal data may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), without prejudice to the implementation of the appropriate technical and organisational measures imposed by this Regulation to protect the rights and freedoms of the data subject ("time limit of conservation");
(f) processed in such a way as to ensure adequate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organisational measures ("integrity and confidentiality").
The controller shall be responsible for compliance with the provisions of paragraph 1 and be able to demonstrate it ("proactive responsibility")."
III
According to the evidence available, the conduct of the respondent in sending the electoral roll, which includes the personal data of the claimant, by email to different people at addresses inside and outside the company is a violation of Article 5.1(f) of the GDPR, which governs the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the data controller to demonstrate compliance with them.
IV
Article 58(2) of the GDPR provides: "Each supervisory authority shall have all of the following corrective powers:
(b) sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation;
(d) instruct the controller or processor to ensure that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time frame;
(i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, according to the circumstances of each particular case;"
V
By virtue of the provisions of Article 58.2 of the GDPR, the Spanish Data Protection Agency, as a supervisory authority, has a range of corrective powers in the event of a breach of the GDPR.
Article 58.2 of the GDPR provides the following:
"2. Each supervisory authority shall have all of the following corrective powers:
(...)
b) sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation;"
(...)
"d) order the controller or processor to carry out processing in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time period;"
"(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, according to the circumstances of each particular case;"
The parties concerned may lodge an appeal for reconsideration with the Director of the Spanish Data Protection Agency within one month from the day after notification of this decision, or directly by way of an appeal before the Administrative Chamber of the National Court of Justice, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months of notification of this act, in accordance with the provisions of Article 46.1 of the aforementioned Law.
Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final decision may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. The interested party must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency does not have knowledge of the lodging of the contentious-administrative appeal within two months from the day following the notification of this resolution, it will consider the precautionary suspension to have ended.
Mar España Martí
Director of the Spanish Data Protection Agency