AEPD - PS/00123/2020
|AEPD - PS/00123/2020|
|Relevant Law:||Article 5(1)(f) GDPR|
|Parties:||AYUNTAMIENTO DE TOBAR|
|National Case Number/Name:||PS/00123/2020|
|European Case Law Identifier:||n/a|
|Original Source:||Agencia Española de Protección de Datos (in ES)|
The Spanish DPA (AEPD) issued a warning to the Town Hall of Tobar for publicly posting a list with the personal data of citizens on jury duty on a street. The DPA considered this a breach of Article 5(1)(f) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
A citizen sent a complaint with pictures to the Spanish DPA (AEPD) because the Town Hall of Tobar had published in a board exposed in the street a list that contained the name, surname, birthday and ID number of the individuals that had been adjudicated "jury duty".
The Spanish DPA (AEPD) sent a request to the Town Hall to remove such lists or to offer an explanation why the lists were published, but it was not answered.
Dispute[edit | edit source]
If there is a legal requirement to publish a list with personal data for certain amount of time to allow for claims and corrections, can this list be published in a public space (street) accessible to everybody that walks by or does this breach the confidentiality principle of Article 5(1)(f) GDPR?
Holding[edit | edit source]
The Spanish DPA (AEPD) acknowledged that there is a legal requirement in Spanish legislation to publish a list with name, surname, birthday and ID number of the individuals that have been adjudicated "jury duty" during 7 days to allow for claims and corrections.
However, they argued that to protect the confidentiality of the personal data, these lists should be published in a board inside the premises of the Town Hall and not in a public space (street) where anybody could view that data. Additionally there were indications, although it couldn't be proved by the Spanish DPA, that the lists had been exposed also for longer than they should have. Therefore, the DPA held that there was a breach of Article 5(1)(f) GDPR.
For these reasons, the Spanish DPA (AEPD) issued a warning to the Town Hall of Tobar.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 Procedure No.: PS / 00123/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) on 08/22/2019 filed a claim before the Spanish Agency for Data Protection. The claim is directed against TOBAR CITY COUNCIL with NIF P0939400H (hereinafter, the claimed one). The motives on which the claim is based are that on the City Council notice board “is the Census list from several years ago with all the personal data of the neighbors (some already dead) ”, and has requested their withdrawal, although it continues. The claimant states that “I attach photographs from the beginning of the month (08-05-2019) where you can still see the list with all the personal data. Also from month of 06/12/2019 where it can be seen more clearly. " It provides four image files with photographs. It contains a first DSC 53 in which only a glazed plank is seen, in a wall, without references to any nearby object, and outside, which could be the public road war. Enlarging the image, it can be seen that it has a key lock, and contains eight leaves in its interior. Folio size DIN A4 in vertical position, four at the top, four at the bottom, plus two other sheets, one on the left side, half-folio type, and another sheet on the bottom. upper left, in landscape, which is the one that contains an alphabetized list, first surname, middle and first name, date of birth and complete ID. In the upper part rior Organic law of the jury court ready for exhibition by the city council and cites an article what does not look good, TOBAR municipality, at the bottom of the list there are the data of the claimant, last name *** LETTER.1 beginning the page with the last name of the letter XX. I dont know see the date of the listing, only different documents next to it, with dates from 2017. In a second DSC 55 photograph, the same enlarged photo can be seen, showing me- With the literals listed for exhibition the city council article 13.2, and in the upper part top left Electoral census office, Burgos province. The other two photos do not add to what has already been mentioned. The list is not dated, and some documents are displayed next to the which are reported to have signature dates of August 2017. SECOND: In view of the facts reported in the claim and the documents provided by the claimant, the General Subdirectorate for Data Inspection proceeded to transfer of the claim, and on 11/7/2019, a letter was delivered to the respondent in which, in addition more, you are prompted: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/7 "Within a maximum period of one month, from receipt of this letter, you must analyze the claim and send this Agency the following information: -The decision made regarding this claim. -Report on the causes that have motivated the incident that has originated the claim. -Report on the measures adopted to prevent similar incidents from occurring. laws, implementation dates and controls carried out to verify their effectiveness. -Any other that you consider relevant. " The request was not answered. THIRD: On 03/31/2020, the claim was admitted for processing. FOURTH: On 06/16/2020, the Director of the Spanish Agency for the Protection of Data agreed to initiate a sanctioning procedure to the claimed, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 5.1.f) of the RGPD, in relation to article 5 of the LOPDGDD, as indicated in article 83.5 a) of the RGPD. The telematic sending resulted in "expired" by not accessing the claimed. FIFTH: On 10/30/2020, a resolution proposal was issued with the following literal: That by the Director of the Spanish Agency for Data Protection: a) TOBAR CITY COUNCIL is sanctioned with a warning, with NIF P0939400H, for an infringement of article 5.1.f) of the RGPD, as indicated in article 83.5 of the RGPD. b) REQUEST TOBAR CITY COUNCIL, to remove the list, and report the document that includes the principles and bases that govern the protocol of the presentation of announcements on the notice board when they contain personal data. " The defendant made no allegations PROVEN FACTS 1) The Jury Court is an institution for the participation of citizens in the Administration of Justice, regulated by Organic Law 5/1995, of 05/22, of the Court of the Jury. In the norm, the Electoral Census Office is assigned powers in the formation of the list of candidates for jury. It is indicated in its article 13 that for constitute the biennial list of candidates for juries, which will be chosen by lot, will be drawn from the list of the current electoral census ordered by municipalities alphabetically and numbered C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 said list will be sent for its anticipated exhibition during 7 days to the respective town halls " 2) The defendant had exposed on a closed notice board abroad, via public, a list type sheet, containing according to the two photographs that it provides in the claim: In the upper left it reads "Office of the electoral census, Burgos province". in the center "Organic Law 1/1995 of the jury court" "ready for exhibition on town hall, article 13.2 ”,“ TOBAR municipality ”, with personal data, ordered alphabetically, first surname, middle and first name, date of birth and complete ID. At the bottom of the list are the data of the claimant, surname *** LETTER.1 starting the page with the last name of the letter XX. You can't see the date of the listing, just Different documents alongside, with dates from 2017. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to resolve this procedure. II The Jury Court is an institution for the participation of citizens in the Justice administration. Organic Law 5/1995, of 05/22, of the Jury Court assigns to the Electoral Census Office the following competencies in the formation of the list of candidates for juries. Each Provincial Delegation of the Electoral Census Office carries out a lottery within of the last fifteen days of September of the even-numbered years to obtain the list province of jury candidates from the electoral roll in force on the day of the draw. For this purpose, the list of the current electoral census is previously sent to the Town halls for exposure to the public for seven days. The draw is held in previously announced public session. Once the draw has been carried out, the provisional lists of candidates for juries that are exposed in the City Councils and published in the Official Gazette of each Province during the last fifteen days of October, being able to present claims during the first fifteen days of the month of November. With the claims that are estimated, the Provincial Delegations of the The Electoral Census Office obtains the final lists of candidates for jury, which are they send the Presidents of the respective Provincial Courts. Article 13.2 of said law indicates: "Candidates for juries to be obtained by lottery will be drawn from the census list electoral process in force on the date of the draw, ordered by municipalities, related, within these, alphabetically and numbered consecutively within the whole of the province. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 Said list will be sent for its anticipated exhibition during seven days to the respective Town councils. The draw, which will be held in a public session previously announced in a local authorized for this purpose by the corresponding Provincial Court, will take place in the form that is determined by regulation. " III The defendant has posted the list on a notice board located on the road public, outside municipal facilities, space not suitable for exhibition of documents with personal data, noting article 5.1.f) of the GDPR: "The personal data will be: “Treated in such a way as to guarantee adequate data security personal data, including protection against unauthorized or illegal processing and against its accidental loss, destruction or damage, through the application of technical measures or appropriate organizational arrangements ('integrity and confidentiality'). " The LOPDGDD states in its article 5: "1. Those responsible and in charge of data processing as well as all people who intervene in any phase of this will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679 ”, In addition, the list could have been exposed for more than the time outlined in the enabling norm being exposed the data beyond the time dictated in the applicable seven-day rule. Notification for legal purposes by completing the explicit procedure in the Law must be carried out, and although its purpose is that those affected can consult said data not in a place where anyone can circulate, since the Data must be kept in the premises of the person in charge in a specific place. There are no details to prove that the list has been more than time established, although the claimant states it and the dates of signature of other writings and the date on which the complainant files the complaint, as well as the dates on which the undertake the tasks of selecting candidates, even years, seems to indicate that the The list has not been diligently exposed in addition to much longer than anticipated applicable regulations. IV Article 83.5 a of the RGPD indicates: "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total turnover C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 annual global of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent in accordance with articles 5, 6, 7 and 9; " Article 58.2 of the RGPD states: “Each control authority will have all the following corrective powers listed below: "B) sanction any person responsible or in charge of the treatment with warning when the processing operations have infringed the provisions of this Regulation- ment; " d) order the person in charge of the treatment that the operations of treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified period ”. “I) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;" In this sense, in the proposed resolution, the CITY COUNCIL OF TOBAR, to withdraw "the list, and report of the document that includes the principles and bases that govern the protocol of the display of the announcements on the bulletin board when contain personal data. ”, without having obtained a response. Since it is a precise and concrete instruction, and by not stating anything the claimed, it can be understood that has proceeded to the withdrawal of the document, and can prove said withdrawal. In this regard, remember, and be warned, that if the offense persists, it is typical behavior liable to be sanctioned, in accordance with article 83.5 e) of the RGPD: e) failure to comply with a resolution or a temporary or definitive limitation of the treatment or suspension of data flows by the supervisory authority with pursuant to article 58 (2), or failure to provide access in breach of article 58, Paragraph 1." The defendant could also specify whether it has removed the list and the principles that govern the protocol of the announcements on the bulletin board in terms of data from personal character. The Spanish legal system has chosen not to sanction with a fine the public entities, as indicated in article 77.1. c) and 2. 3. 4. 5. and 6. of the LOPDDGG: “1. The regime established in this article will apply to the treatments of those who are responsible or in charge: c) The General Administration of the State, the Administrations of the communities autonomous entities and the entities that make up the Local Administration. 2. When the managers or managers listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organic law, the The competent data protection authority will issue a resolution sanctioning the same with warning. The resolution will also establish the measures that It is appropriate to adopt so that the conduct ceases or the effects of the infraction that are would have committed. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/7 The resolution will be notified to the person in charge of the treatment, the body of which hierarchically depends, where appropriate, and those affected who had the status of interested, where appropriate. 3. Without prejudice to the provisions of the previous section, the protection authority of data will also propose the initiation of disciplinary actions when there are indications enough for it. In this case, the procedure and the penalties to be applied will be the established in the legislation on disciplinary or sanctioning regime resulting from application. Likewise, when the infractions are attributable to authorities and managers, and certify the existence of technical reports or recommendations for treatment that do not had been duly attended, in the resolution in which the sanction is imposed, It will include a warning with the name of the responsible position and the publication in the Official Gazette of the corresponding state or autonomous community. 4. The resolutions that fall in relation to the measures and actions referred to in the sections previous. 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions dictated to the under this article. 6. When the competent authority is the Spanish Data Protection Agency, this will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, expressly indicating the identity of the responsible or in charge of the treatment that had committed the infringement. " Therefore, in accordance with the applicable legislation, the Director of the Spanish Data Protection Agency, RESOLVES: FIRST: IMPOSE TOBAR CITY COUNCIL, with NIF P0939400H, a sanction of warning, for an infraction of article 5.1.f) of the RGPD, in relation to article 5 of the LOPDGDD, in accordance with article 83.5. a) of the RGPD. SECOND: NOTIFY this resolution to TOBAR CITY COUNCIL. THIRD: COMMUNICATE this resolution to the OMBUDSMAN, of in accordance with the provisions of article 77.5 of the LOPDGDD. FOURTH: In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/7 Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, with in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the In this case, the interested party must formally communicate this fact by writing to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that proves the filing effective contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the following the notification of this resolution, it would terminate the suspension precautionary. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es