AEPD (Spain) - PS/00123/2020

From GDPRhub

Revision as of 14:42, 25 January 2021

AEPD - PS/00123/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 30.12.2020
Published:
Fine: None
Parties: AYUNTAMIENTO DE TOBAR
National Case Number/Name: PS/00123/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: n/a

A citizen sent a complaint to the Spanish DPA (AEPD) because a list with personal data was publicly displayed on a board of his/her town hall located in a public space (street). The DPA considered this a breach of Article 5(1)(f) GDPR.

English Summary

Facts

A citizen sent a complaint with pictures to the Spanish DPA (AEPD) because the Town Hall of Tobar had published, on a board exposed in the street, a list that contained the name, surname, birthday and ID number of the individuals who had been adjudicated "jury duty".

The Spanish DPA (AEPD) sent a request to the Town Hall to remove such lists or to offer an explanation why the lists were published, but it was not answered.

Dispute

If there is a legal requirement to publish a list with personal data for a certain amount of time to allow for claims and corrections, can this list be published in a public space (street) accessible to everybody who walks by, or does this breach the confidentiality principle of Article 5(1)(f) GDPR?

Holding

The Spanish DPA (AEPD) acknowledged that there is a legal requirement in Spanish legislation to publish a list with the name, surname, birthday and ID number of the individuals who have been adjudicated "jury duty" for 7 days to allow for claims and corrections.

However, it argued that, to protect the confidentiality of the personal data, these lists should be published on a board inside the premises of the Town Hall and not in a public space (street) where anybody could view that data. Additionally, there were indications, although it could not be proved by the Spanish DPA, that the lists had also been exposed for longer than they should have been. Therefore, the DPA held that there was a breach of Article 5(1)(f) GDPR.

For these reasons, the Spanish DPA (AEPD) issued a warning to the Town Hall of Tobar.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00123/2020


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following


                                   BACKGROUND


FIRST: A.A.A. (hereinafter, the claimant) on 08/22/2019 filed a claim before the Spanish Agency for Data Protection. The claim is directed against TOBAR CITY COUNCIL with NIF P0939400H (hereinafter, the claimed one). The motives on which the claim is based are that on the City Council notice board "is the Census list from several years ago with all the personal data of the neighbors (some already dead)", and has requested their withdrawal, although it continues.


The claimant states that "I attach photographs from the beginning of the month (08-05-2019) where you can still see the list with all the personal data. Also from month of 06/12/2019 where it can be seen more clearly."

       It provides four image files with photographs.

It contains a first photograph, DSC 53, in which only a glazed board is seen, on a wall, without references to any nearby object, and outdoors, which could be the public road. Enlarging the image, it can be seen that it has a key lock and contains eight sheets inside, of DIN A4 folio size in vertical position, four at the top and four at the bottom, plus two other sheets, one on the left side, half-folio type, and another sheet at the upper left, in landscape, which is the one that contains an alphabetized list with first surname, middle and first name, date of birth and complete ID. In the upper part it reads "Organic law of the jury court", "ready for exhibition by the city council", and it cites an article that cannot be seen well, "TOBAR municipality". At the bottom of the list are the data of the claimant, surname *** LETTER.1, the page beginning with the surname of the letter XX. The date of the listing cannot be seen, only different documents next to it, with dates from 2017.



In a second photograph, DSC 55, the same photo can be seen enlarged, showing the text "listed for exhibition the city council article 13.2", and in the upper left "Electoral census office, Burgos province".

The other two photos do not add to what has already been mentioned.

The list is not dated, and some documents are displayed next to it which are reported to have signature dates of August 2017.


SECOND: In view of the facts reported in the claim and the documents provided by the claimant, the General Subdirectorate for Data Inspection proceeded to transfer the claim, and on 11/7/2019 a letter was delivered to the respondent in which, in addition, the following was requested of it:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








       "Within a maximum period of one month, from receipt of this letter, you must analyze
the claim and send this Agency the following information:


-The decision made regarding this claim.

-Report on the causes that have motivated the incident that has originated the claim.

-Report on the measures adopted to prevent similar incidents from occurring, implementation dates and controls carried out to verify their effectiveness.

-Any other that you consider relevant."

       The request was not answered.

THIRD: On 03/31/2020, the claim was admitted for processing.

FOURTH: On 06/16/2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 5.1.f) of the RGPD, in relation to article 5 of the LOPDGDD, as indicated in article 83.5 a) of the RGPD.

The electronic notification resulted in "expired" as the claimed did not access it.


FIFTH: On 10/30/2020, a resolution proposal was issued with the following literal:


       That by the Director of the Spanish Agency for Data Protection:


a) TOBAR CITY COUNCIL, with NIF P0939400H, is sanctioned with a warning for an infringement of article 5.1.f) of the RGPD, as indicated in article 83.5 of the RGPD.

b) REQUEST TOBAR CITY COUNCIL to remove the list, and report the document that includes the principles and bases that govern the protocol of the presentation of announcements on the notice board when they contain personal data."

The defendant made no allegations.




                                    PROVEN FACTS

1) The Jury Court is an institution for the participation of citizens in the Administration of Justice, regulated by Organic Law 5/1995, of 05/22, of the Jury Court. In the norm, the Electoral Census Office is assigned powers in the formation of the list of candidates for jury. It is indicated in its article 13 that, to constitute the biennial list of candidates for juries, who will be chosen by lot, they will be drawn from the list of the current electoral census ordered by municipalities alphabetically and numbered; "said list will be sent for its anticipated exhibition during 7 days to the respective town halls".

2) The defendant had displayed on a closed notice board outdoors, on the public road, a list-type sheet containing, according to the two photographs provided in the claim:

In the upper left it reads "Office of the electoral census, Burgos province", and in the center "Organic Law 1/1995 of the jury court", "ready for exhibition on town hall, article 13.2", "TOBAR municipality", with personal data, ordered alphabetically, first surname, middle and first name, date of birth and complete ID. At the bottom of the list are the data of the claimant, surname *** LETTER.1, the page starting with the surname of the letter XX. The date of the listing cannot be seen, just different documents alongside, with dates from 2017.



                            FOUNDATIONS OF LAW

                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to resolve this procedure.

                                             II


        The Jury Court is an institution for the participation of citizens in the
Justice administration. Organic Law 5/1995, of 05/22, of the Jury Court assigns
to the Electoral Census Office the following competencies in the formation of the list of
candidates for juries.

Each Provincial Delegation of the Electoral Census Office carries out a lottery within the last fifteen days of September of the even-numbered years to obtain the provincial list of jury candidates from the electoral roll in force on the day of the draw.

For this purpose, the list of the current electoral census is previously sent to the Town halls for exposure to the public for seven days. The draw is held in a previously announced public session.

Once the draw has been carried out, the provisional lists of candidates for juries are exposed in the City Councils and published in the Official Gazette of each Province during the last fifteen days of October, and claims may be presented during the first fifteen days of the month of November.

With the claims that are upheld, the Provincial Delegations of the Electoral Census Office obtain the final lists of candidates for jury, which they send to the Presidents of the respective Provincial Courts.

Article 13.2 of said law indicates:

"Candidates for juries to be obtained by lottery will be drawn from the electoral census list in force on the date of the draw, ordered by municipalities, listed within these alphabetically and numbered consecutively within the whole of the province. Said list will be sent for its anticipated exhibition during seven days to the respective Town councils. The draw, which will be held in a public session previously announced in premises authorized for this purpose by the corresponding Provincial Court, will take place in the form that is determined by regulation."


                                               III


The defendant has posted the list on a notice board located on the public road, outside municipal facilities, a space not suitable for the exhibition of documents with personal data, noting article 5.1.f) of the GDPR:

"The personal data will be:

"Treated in such a way as to guarantee adequate security of the personal data, including protection against unauthorized or illegal processing and against its accidental loss, destruction or damage, through the application of appropriate technical or organizational measures ('integrity and confidentiality')."



       The LOPDGDD states in its article 5:

       "1. Those responsible and in charge of data processing as well as all
people who intervene in any phase of this will be subject to the duty of
confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679 ”,


In addition, the list could have been exposed for longer than the time set out in the enabling norm, the data being exposed beyond the seven days dictated by the applicable rule.

Notification for legal purposes, completing the procedure set out in the Law, must be carried out, and although its purpose is that those affected can consult said data, this should not be in a place where anyone can pass by, since the data must be kept on the premises of the person in charge, in a specific place.

There is no evidence to prove that the list has been displayed for longer than the established time, although the claimant states so, and the signature dates of other documents and the date on which the claimant files the claim, as well as the dates on which the tasks of selecting candidates are undertaken (even-numbered years), seem to indicate that the list has not been displayed diligently and has been displayed for much longer than provided in the applicable regulations.


                                               IV


Article 83.5 a) of the RGPD indicates:

"Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the highest amount:

a) the basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9;"

Article 58.2 of the RGPD states: "Each control authority will have all the following corrective powers listed below:

"b) sanction any person responsible or in charge of the treatment with warning when the processing operations have infringed the provisions of this Regulation;"

"d) order the person in charge of the treatment that the treatment operations are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified period".

"i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;"

In this sense, in the proposed resolution, the CITY COUNCIL OF TOBAR was requested to withdraw "the list, and report of the document that includes the principles and bases that govern the protocol of the display of the announcements on the bulletin board when they contain personal data", without a response having been obtained. Since it is a precise and concrete instruction, and as the claimed has stated nothing, it can be understood that it has proceeded to the withdrawal of the document, and can prove said withdrawal. In this regard, it is reminded, and warned, that if the offense persists, it is conduct liable to be sanctioned, in accordance with article 83.5 e) of the RGPD:

"e) failure to comply with a resolution or a temporary or definitive limitation of the treatment or suspension of data flows by the supervisory authority pursuant to article 58 (2), or failure to provide access in breach of article 58, paragraph 1."

The defendant could also specify whether it has removed the list and the principles that govern the protocol of the announcements on the bulletin board in terms of personal data.

The Spanish legal system has chosen not to sanction public entities with a fine, as indicated in article 77.1. c) and 2. 3. 4. 5. and 6. of the LOPDGDD: "1. The regime established in this article will apply to the treatments of which the following are responsible or in charge:

c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration.

2. When those responsible or in charge listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organic law, the competent data protection authority will issue a resolution sanctioning them with a warning. The resolution will also establish the measures that it is appropriate to adopt so that the conduct ceases or the effects of the infraction that has been committed are corrected.

  The resolution will be notified to the person in charge of the treatment, the body of which
hierarchically depends, where appropriate, and those affected who had the status of
interested, where appropriate.


3. Without prejudice to the provisions of the previous section, the data protection authority will also propose the initiation of disciplinary actions when there are sufficient indications for it. In this case, the procedure and the penalties to be applied will be those established in the legislation on the disciplinary or sanctioning regime that is applicable.

Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for the treatment that had not been duly attended to is proven, the resolution in which the sanction is imposed will include a warning with the name of the responsible position and the publication in the corresponding Official Gazette of the state or autonomous community.

4. The resolutions that fall in relation to the measures and actions referred to in the previous sections.

5. The actions carried out and the resolutions issued under this article will be communicated to the Ombudsman or, where appropriate, to the similar institutions of the autonomous communities.

6. When the competent authority is the Spanish Data Protection Agency, it will publish on its website, with due separation, the resolutions referring to the entities of section 1 of this article, expressly indicating the identity of the person responsible or in charge of the treatment that had committed the infringement."



       Therefore, in accordance with the applicable legislation,


       the Director of the Spanish Data Protection Agency,

RESOLVES:


FIRST: IMPOSE TOBAR CITY COUNCIL, with NIF P0939400H, a sanction
of warning, for an infraction of article 5.1.f) of the RGPD, in relation to article
5 of the LOPDGDD, in accordance with article 83.5. a) of the RGPD.



SECOND: NOTIFY this resolution to TOBAR CITY COUNCIL.

THIRD: COMMUNICATE this resolution to the OMBUDSMAN, in accordance with the provisions of article 77.5 of the LOPDGDD.


FOURTH: In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.



Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. It must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.


                                                                                     938-131120
Mar España Martí

Director of the Spanish Agency for Data Protection



























