AEPD (Spain) - PS/00127/2020: Difference between revisions

From GDPRhub

Revision as of 15:28, 6 April 2021

AEPD - PS/00127/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 05.04.2021
Fine: None
Parties: IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL
National Case Number/Name: PS/00127/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA issued a warning to Iberia Líneas Aéreas de España for not informing their workers in accordance with Article 13 GDPR regarding a fingerprint clock-in system.

English Summary

Facts

Iberia Líneas Aéreas de España installed a new fingerprint clock-in system for their workers. They did it following the guidance of the General Labour Confederation. However, Iberia did not inform their workers about the aspects of the general information duty included in Article 13 GDPR.

Dispute

Is this a violation of Article 13 GDPR?

Holding

The AEPD held that there had been a violation of Article 13. According to the Spanish authority, Iberia should have informed their workers about all the relevant aspects included in Article 13, explaining in a clear, concise and complete way the legal basis that allows such processing and the rest of the relevant information, especially taking into account that the personal data involved are biometric data under Article 9.

The AEPD also took into account the fact that Iberia had offered information regarding the processing in their privacy policy since 2018 and, mainly, that they issued a communication to their workers regarding the processing of biometric data in October 2020. Because of all this, the AEPD imposed solely a warning on Iberia.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                     Procedure Nº: PS / 00127/2020


                 RESOLUTION OF SANCTIONING PROCEDURE

In the procedure conducted by the Spanish Agency for Data Protection, and based on
the following


                                  BACKGROUND

FIRST: The claim filed by Ms. A.A.A. (hereinafter, the claimant) was registered with
the Spanish Agency for Data Protection on 04/29/2019. The claim is directed against
IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL, with NIF A85850394
(hereinafter, the claimed one). The reasons on which the claim is based are: that on
01/24/2019 the C.G.T (Confederación General del Trabajo) asked the company to follow
a series of guidelines: creation and notification of the mandatory file and the
obligation to duly inform the workers before collecting the fingerprints of the
auxiliary service agents for a new clock-in system that would be implemented in the
near future. On 02/27/2019 Iberia replied that it was a lawful and adequate
treatment, with measures for safe treatment. However, to date no document has been
provided to the workers who register their fingerprint.

SECOND: The Subdirectorate General for Data Inspection proceeded to transfer
the claim to the defendant to report on the facts and the measures
taken, having knowledge of the following points:

On 06/18/2019, the claim submitted was transferred to the defendant for its analysis
and for communication of the decision taken in this regard. Likewise, the defendant
was required to send the Agency, within a period of one month, certain information:

       - Copy of the communications and of the decision adopted that have been sent to
       the claimant regarding the transfer of this claim, and proof that the claimant
       has received the communication of that decision.
       - Report on the causes that gave rise to the incident that originated the claim.
       - Report on the measures adopted to prevent the occurrence of similar incidents.
       - Any other information considered relevant, etc.

On 07/19/2019 the respondent replied to the request for information, answering the
questions raised and providing the following documentation:

       - Letter from the CGT dated 01/24/2019.
       - Response from IBERIA on 01/29/2019.
       - Letter from CGT dated 03/18/2019.
       - Privacy impact analysis of the treatment in question.
       - Communication to all employees on 05/25/2018.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12

       - Privacy policy for IBERIA employees.
       - Screenshots of the Intranet and of the app for employees of the company.

Subsequently, on 09/12/2019, the defendant was asked to provide the Impact Assessment
study; it replied the next day, noting that the aforementioned report could only be
provided in MS Excel format, which was not accepted as valid by the electronic
office, for which reason it submitted it through the Agency's physical registry.

THIRD: On 10/09/2019, in accordance with article 65 of the LOPDGDD, the
Director of the Spanish Agency for Data Protection agreed to admit for processing the
claim filed.

FOURTH: On 09/30/2020, the Director of the Spanish Data Protection Agency agreed to
initiate a sanctioning procedure against the claimed party for the alleged
infringement of article 13 of the RGPD, sanctioned in accordance with the provisions
of article 58.2.b) of the RGPD.

FIFTH: Once notified of the initiation agreement, the claimed party on 10/15/2010
submitted a brief of allegations stating, in summary, the following: that it
reiterated the allegations made in its brief dated 07/19/2019, and that an
informative note on biometric treatment using fingerprint or facial recognition
systems for access control had been prepared and communicated to the staff.

SIXTH: On 10/21/2020 a period for the taking of evidence began, in which the
following was agreed:

       - To consider reproduced for evidentiary purposes the claim filed by the
       claimant and its documentation, and the documents obtained and generated by the
       Inspection services that are part of file E / 05886/2019.
       - To consider reproduced for evidentiary purposes the allegations to the
       initiation agreement presented by the claimed party and the documentation that
       accompanies them.

SEVENTH: On 02/26/2020 a Resolution Proposal was issued, proposing that the Director
of the AEPD sanction the claimed party for violation of article 13 of the RGPD,
typified in article 83.5.a) of the RGPD, with a warning in accordance with article
58.2.b) of the RGPD.

Once the legally established period had elapsed, at the time of this Resolution the
complainant had not submitted any written allegations.

EIGHTH: Of the actions carried out in the present procedure, the following have been
accredited:

                                PROVEN FACTS

FIRST: The claimant submitted a brief, registered on 04/29/2019 with the Spanish
Agency for Data Protection, stating that on 01/24/2019 the C.G.T (General Labor
Confederation) asked the company for information on the implementation of the access
system and to follow a series of guidelines regarding it: creation and modification
of the mandatory file and the obligation to duly inform the workers before collecting
the fingerprints of the auxiliary service agents for a new clock-in system to be
implemented in the near future; on 02/27/2019, the complainant indicated that it was
a lawful, adequate and safe treatment; no document was provided to the workers who
register their fingerprint.

SECOND: A letter from CGT of 01/24/2019 has been provided, stating its disagreement
with the guidelines followed by the complainant when collecting fingerprints for the
implementation of the clock-in system in the company, without the workers having been
informed at any time and without the creation and notification of the mandatory file.

THIRD: The respondent's response is on record, stating that the replacement of the
magnetic cards by the use of the fingerprint, limited exclusively to the airport ramp
area and the workers who work there, implies a lawful treatment, protected by the
public interest of the claimed party, and an adequate and secure treatment of the
sensitive personal data involved; and that the defendant had already informed about
this type of treatment in its privacy policy, available since May 2018 through the
internet.

FOURTH: On 03/18/2019 CGT indicated that the information provided by the company to
inform its workers was quite scarce, for which reason it considered it insufficient,
despite the statement that it responded to an appropriate treatment and to the needs
of the same.

FIFTH: On 09/13/2019 the respondent provided an Impact Assessment of the processing
of the fingerprint for access control.

SIXTH: On 10/15/2020, the complainant provided a complementary informative
communication to employees, the Informative Note on the processing of biometric data
through fingerprint recognition or facial recognition systems for access control.


                            FOUNDATIONS OF LAW


                                            I
       The Director of the Spanish Data Protection Agency is competent to resolve
this procedure, in accordance with the provisions of art. 58.2 of the RGPD and
arts. 47 and 48.1 of the LOPDGDD.

                                            II

       The legitimacy for the treatment of the fingerprint for the control of the
workers by the employer must be sought in articles 9 and 6 of the RGPD.

       Article 9 of the RGPD establishes in its sections 1 and 2.b) the following:

       "1. The processing of personal data revealing ethnic or racial origin,
political opinions, religious or philosophical convictions, or union membership, and
the treatment of genetic data, biometric data aimed at uniquely identifying a natural
person, data related to health or data relating to the sexual life or sexual
orientation of a natural person is prohibited.

       2. Section 1 shall not apply when one of the following circumstances applies:

       b) the treatment is necessary for the fulfillment of obligations and the
       exercise of specific rights of the person responsible for the treatment or of
       the interested party in the field of labor law and social security and
       protection, insofar as it is authorized by the law of the Union or of the
       Member States or a collective agreement under the law of the Member States
       that establishes adequate guarantees of respect for the fundamental rights and
       interests of the interested party."

       Article 6.1.b) of the RGPD indicates:

       "1. The treatment will only be lawful if at least one of the following
conditions is met:

       (…)

       b) the treatment is necessary for the performance of a contract to which the
       interested party is a party or for the application, at the request of the
       interested party, of pre-contractual measures."

       The defendant has legitimacy, based on the indicated regulations, to carry out
the labor control of its workers, as long as it meets the requirements indicated in
the fifth Foundation of Law.

                                                III
       The facts that motivate the claim presented and that are the subject of this
procedure consist of the request made by the claimant to the claimed party in
relation to the implementation of a new access system and the obligation to duly
inform workers.

       The facts claimed imply the violation of article 13 of the RGPD, by not duly
informing about the planned treatment in relation to fingerprint clock-in control, in
accordance with the provisions established in the aforementioned article.

       This article determines the information that must be provided to the
interested party at the moment of the collection of their data, establishing the
following:

       "Article 13. Information that must be provided when personal data is obtained
from the interested party.

       1. When personal data relating to him are obtained from an interested party,
the person responsible for the treatment, at the time these are obtained, will
provide all the information indicated below:

       a) the identity and contact details of the person responsible and, where
       appropriate, of their representative;
       b) the contact details of the data protection officer, if applicable;
       c) the purposes of the treatment for which the personal data are intended and
       the legal basis of the treatment;
       d) when the treatment is based on article 6, paragraph 1, letter f), the
       legitimate interests of the person responsible or of a third party;
       e) the recipients or categories of recipients of the personal data, where
       applicable;
       f) where appropriate, the intention of the person responsible to transfer
       personal data to a third country or international organization and the
       existence or absence of a Commission adequacy decision, or, in the case of the
       transfers indicated in articles 46 or 47 or article 49, paragraph 1, second
       subparagraph, reference to the adequate or appropriate guarantees and the means
       of obtaining a copy of these or the fact that they have been made available.

       2. In addition to the information mentioned in section 1, the person
responsible for the treatment will provide the interested party, at the time the
personal data is obtained, with the following information necessary to guarantee
fair and transparent data processing:

       a) the period during which the personal data will be kept or, when that is not
       possible, the criteria used to determine this period;
       b) the existence of the right to request from the data controller access to
       the personal data relating to the interested party, and its rectification or
       deletion, or the limitation of its treatment, or to oppose the treatment, as
       well as the right to data portability;
       c) when the treatment is based on article 6, paragraph 1, letter a), or
       article 9, paragraph 2, letter a), the existence of the right to withdraw
       consent at any time, without affecting the legality of the treatment based on
       consent prior to its withdrawal;
       d) the right to file a claim with a supervisory authority;
       e) whether the communication of personal data is a legal or contractual
       requirement, or a necessary requirement to enter into a contract, and whether
       the interested party is obliged to provide personal data and is informed of the
       possible consequences of not providing such data;
       f) the existence of automated decisions, including profiling, referred to in
       article 22, paragraphs 1 and 4, and, at least in such cases, meaningful
       information about the applied logic, as well as the importance and expected
       consequences of said treatment for the interested party.

       3. When the person responsible for the treatment plans the subsequent
treatment of personal data for a purpose other than that for which it was collected,
he will provide the interested party, prior to said further processing, with
information on that other purpose and any additional relevant information pursuant to
section 2.

       4. The provisions of sections 1, 2 and 3 shall not apply when and to the
extent that the interested party already has the information".


                                            IV
        In the present case, the claimant states having written to the defendant
requesting that workers be duly informed before the collection of fingerprints for
the implementation of a new time control system, without any answer being obtained.

        However, the documentation provided to the file contains the answer offered
to the claimant, as stated in the second precedent, stating that the replacement of
the established system by the use of the fingerprint, limited exclusively to the
airport ramp area and the workers who worked there, implied a lawful, adequate and
secure treatment of the sensitive personal data involved, and that it had informed
through its privacy policy via the intranet.

       In relation to the issues raised in this case, first of all it should be noted
that the implementation by the employer of a time control system based on the
fingerprint must be communicated to employees in a complete, clear and concise manner
and, in addition, the aforementioned information must be completed with reference
both to the legal bases that cover this type of access control and to the basic
information referred to in article 13 of the RGPD.


       In the case under review, although there is a response from the respondent to
the letter presented by the claimant, stating that the system to be implemented was
safe and relevant, both the information transmitted by the respondent and the system
used to communicate the access and time control system are not the most adequate
given the quality and special nature of the data requested; a greater effort could
have been made in its information policy on the planned treatment, formulating it in
a much more detailed and complete way, as well as addressing certain cases such as
that of workers who refuse to provide their fingerprint.

       However, it should be noted that in its allegations to the agreement
initiating the procedure the entity provided a complementary communication addressed
to employees, the Informative Note on the processing of biometric data through
fingerprint recognition or facial recognition systems for access control, in
accordance with the regulations on the protection of data and, likewise, the
mandatory data protection impact assessment regulated in article 35 of the RGPD,
providing the corresponding document.

       Secondly, it should be noted that the installation of a control system based
on the collection and treatment of the employee's fingerprint implies the processing
of their personal data, since personal data is all information about an identified or
identifiable natural person, in accordance with article 4.1 of the RGPD.

       As for the fingerprint, it is also data that must be classified as biometric
data; in accordance with article 4.14 of the RGPD, data have this consideration when
they have been "obtained from a specific technical treatment, relating to the
physical, physiological or behavioral characteristics of a natural person that allow
or confirm the unique identification of said person, such as facial images or
fingerprint data".


       This means that, in accordance with article 9.1 of the RGPD, in the present
case the specific regime provided for special categories of data in article 9 of the
RGPD applies to them.

       In this sense, recital 51 of the RGPD highlights the restrictive nature with
which the processing of these data can be admitted:

       "(51) ... Such personal data should not be processed, unless its processing is
allowed in specific situations contemplated in this Regulation, given that Member
States may lay down specific data protection provisions in order to adapt the
application of the rules of this Regulation to the fulfillment of a legal obligation
or to the fulfillment of a mission carried out in the public interest or in the
exercise of public powers conferred on the person responsible for the treatment. In
addition to the requirements specific to that treatment, the general principles and
other rules of this Regulation must apply, especially with regard to the conditions
of legality of the treatment. Exceptions to the general prohibition of treatment of
these special categories of personal data must be explicitly established, among other
things when the interested party gives their explicit consent or in the case of
specific needs, in particular when the treatment is carried out in the framework of
legitimate activities by certain associations or foundations whose objective is to
allow the exercise of fundamental freedoms."

       And recital 52 indicates that:

       "(52) Likewise, exceptions to the prohibition on processing special categories
of personal data must be authorized when established by the law of the Union or of
the Member States and provided that appropriate guarantees are given, in order to
protect personal data and other fundamental rights, when it is in the public
interest, in particular the processing of personal data in the field of labor law,
legislation on social protection, including pensions, and for the purposes of health
security, supervision and alert, and the prevention or control of communicable
diseases and other serious threats to health ..."

       In accordance with these considerations, the processing of biometric data of
special categories will require, in addition to the concurrence of one of the legal
bases established in article 6 of the RGPD, one of the exceptions provided in article
9.2 of the RGPD.

       The analysis of the legal basis of legitimacy to carry out this treatment
derives from article 6 of the RGPD, regarding the legality of the treatment, which in
its section 1, letter b) states: "The treatment will be lawful if at least one of the
following conditions is met: (…) b) the treatment is necessary for the execution of a
contract to which the interested party is a party or for the application at his
request of pre-contractual measures (…)".

       By virtue of this precept, the treatment would be lawful and would not require
consent when the data processing is carried out for the fulfillment of contractual
relationships of a labor nature.

       On the other hand, and as highlighted in recital 51 of the same RGPD, insofar
as biometric data is of a special category in cases of biometric identification
(art. 9.1 RGPD), it will be necessary for one of the exceptions provided in article
9.2 of the RGPD to apply, which would allow lifting the general prohibition of the
treatment of these types of data established in article 9.1.

       At this point, special mention must be made of letter b) of article 9.2 of the
RGPD, according to which the general prohibition of biometric data processing will
not apply when "the treatment is necessary for the fulfillment of obligations and the
exercise of specific rights of the person responsible for the treatment or of the
interested party in the field of labor law and social security and protection, to the
extent authorized by the law of the Union or of the Member States or a collective
agreement in accordance with the law of the Member States that establishes adequate
guarantees of respect for the fundamental rights and interests of the interested
party".

       In Spanish law, article 20 of the Consolidated Text of the Workers' Statute
(TE), approved by Royal Legislative Decree 2/2015, of 23 October, provides for the
possibility for the employer to adopt surveillance and control measures to verify
compliance with the labor obligations of their workers:

       "3. The employer may adopt the measures he deems most appropriate for
surveillance and control to verify compliance by the worker with his labor
obligations and duties, keeping in their adoption and application the consideration
due to their dignity and taking into account, where appropriate, the actual capacity
of workers with disabilities".

       The possibility of using systems based on biometric data to carry out access
and time control is undeniable, although it does not seem that this is or should be
the only system that can be used: thus the use of personal cards, the use of personal
codes, the direct visualization of the marking, etc., may constitute, by themselves
or in combination with any of the other systems available, equally effective measures
to carry out the control.

       In any case, prior to the decision on the start-up of such a control system,
and taking into account its implications, namely the processing of biometric data
aimed at uniquely identifying a natural person, it would be mandatory to carry out a
data protection impact assessment to evaluate both the legitimacy of the treatment
and its proportionality, as well as the determination of the existing risks and the
measures to mitigate them, in accordance with the provisions of article 35 RGPD.

       In the present case, it must be stated that the entity has accredited the
mandatory data protection impact assessment regulated in Article 35 of the RGPD,
providing the corresponding document, since on 09/13/2019 it presented the document
Impact Evaluation of the treatment carried out.


                                            V

        On the other hand, biometric data is closely linked to a person, since it can
use a certain unique property of an individual for their identification or
authentication.

        According to Opinion 3/2012 on the evolution of biometric technologies,
"Biometric data irrevocably changes the relationship between the body and the
identity, as they make the characteristics of the human body legible by machines and
are subject to further use."

        In relation to them, the Opinion specifies that it is possible to distinguish
different types of treatments, stating that "Biometric data can be processed and
stored in different ways. Sometimes the biometric information captured from a person
is stored and treated raw, allowing the source from which it came to be recognized
without special knowledge; for example, a photograph of a face, a photograph of a
fingerprint or a voice recording. Other times, the raw biometric information captured
is treated in such a way that only certain characteristics or traits are extracted
and saved as a biometric template."

        The processing of these data is expressly permitted by the RGPD when the
employer has a legal basis, which is usually the employment contract itself. In this
regard, the STS of July 2, 2007 (Rec. 5017/2003) has held to be legitimate the
treatment of biometric data carried out by the Administration for the time control of
its public employees, without the prior consent of the workers being necessary.


        However, the following should be noted:

        - The worker must be informed about these treatments.

        - The principles of purpose limitation, necessity, proportionality and data
        minimization must be respected.

        In any case, the treatment must also be adequate, pertinent and not excessive
in relation to that purpose. Therefore, biometric data that are not necessary for
that purpose should be deleted, and the creation of a biometric database will not
always be justified (Opinion 3/2012 of the Art. 29 Working Group).

        - Use of biometric templates: Biometric data must be stored as biometric
        templates whenever possible. The template should be extracted in a way that
        is specific to the biometric system in question and not used by other data
        controllers of similar systems, in order to ensure that a person can only be
        identified in biometric systems that have a legal basis for this operation.

        - The biometric system used and the security measures chosen must ensure that
        reuse of the biometric data in question for another purpose is not possible.

        - Mechanisms based on encryption technologies should be used, in order to
        prevent unauthorized reading, copying, modification or deletion of biometric
        data.

        - Biometric systems should be designed so that the identity link can be
        revoked.

        - Data formats or specific technologies should be chosen that make it
        impossible to interconnect biometric databases and to disclose unverified
        data.

        - Biometric data should be deleted when they are no longer linked to the
        purpose that motivated their treatment and, if possible, automated data
        deletion mechanisms should be implemented.

                                            VI

       Article 83.5 b) of the RGPD considers that the infringement of "the rights of
the interested parties according to articles 12 to 22" is punishable, in accordance
with paragraph 5 of the aforementioned article 83 of the aforementioned Regulation,
"with administrative fines of € 20,000,000 maximum or, in the case of a company, an
amount equivalent to a maximum of 4% of the total global annual business volume of
the previous financial year, opting for the one with the highest amount".

       The LOPDGDD in its article 71, Infractions, states that:

       "The acts and conducts referred to in paragraphs 4, 5 and 6 of article 83 of
Regulation (EU) 2016/679, as well as those that are contrary to this organic law,
constitute infractions".

       The LOPDGDD in its article 72 indicates, for the purposes of prescription:
"Infractions considered very serious:

       1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,
infractions that involve a substantial violation of the articles mentioned therein
are considered very serious and will prescribe after three years and, in particular,
the following:
       (…)
       h) The omission of the duty to inform the affected party about the treatment
       of their personal data in accordance with the provisions of articles 13 and 14
       of Regulation (EU) 2016/679 and 12 of this organic law.
       (…)"

                                           VII
       The sanctioning procedure at hand shows that the installation of a new
fingerprint attendance control system had been carried out without duly providing
information with all the guarantees indicated in the data protection regulations,
specifically in accordance with the provisions of article 13 of the GDPR, which may
have amounted to a violation of that article.


       Therefore, the conduct of the defendant would constitute a violation of the
provisions of article 13 of the GDPR.



       On the other hand, the GDPR, without prejudice to the provisions of its article 83,
contemplates the possibility of resorting to the sanction of a warning to correct
processing of personal data that does not conform to its provisions.


       Likewise, it is contemplated that the resolution issued will establish the measures
that are appropriate to adopt so that the conduct ceases, the effects of the infraction
that had been committed are corrected, and the information offered to users is brought
into line with the requirements of article 13 of the GDPR, as well as the provision of
proof of compliance with what is required.


       However, it should be noted that in the allegations to the agreement to initiate
this procedure, the complainant has provided a copy of the communication made to all
workers, which came to complement the information previously provided: an Informative
Note on the processing of biometric data through fingerprint recognition or facial
recognition systems for access control, in accordance with the requirements of article
13 of the GDPR. Therefore, it is not appropriate to urge the adoption of additional
measures, since it has been proven that the defendant has adopted reasonable measures
to prevent incidents such as the one that gave rise to the claim from occurring again.


       Therefore, in accordance with the applicable legislation and having assessed the
criteria for the graduation of sanctions whose existence has been proven,

       The Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE ON IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERATOR,
with NIF A85850394, for an infraction of article 13 of the GDPR, typified in
Article 83.5 of the GDPR, a warning sanction.

SECOND: NOTIFY this resolution to IBERIA LÍNEAS AÉREAS DE
ESPAÑA, S.A. OPERATOR, with NIF A85850394.

       In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

       Against this resolution, which ends the administrative procedure in accordance with
art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may optionally file an appeal for reversal before the
Director of the Spanish Agency for Data Protection within a period of one month from the
day following notification of this resolution, or directly file a contentious-administrative
appeal before the Contentious-Administrative Chamber of the National High Court, in
accordance with the provisions of article 25 and section 5 of the fourth additional
provision of Law 29/1998, of July 13, regulating the Contentious-administrative
jurisdiction, within two months from the day following notification of this act, as
provided in article 46.1 of the referred Law.


       Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the resolution that is final in administrative proceedings may be suspended as a
precautionary measure if the interested party expresses his intention to file a
contentious-administrative appeal. If this is the case, the interested party must formally
communicate this fact in writing addressed to the Spanish Data Protection Agency,
presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other
registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The
interested party must also forward to the Agency the documentation that proves the
effective filing of the contentious-administrative appeal. If the Agency is not aware of
the filing of the contentious-administrative appeal within a period of two months from the
day after the notification of this resolution, it will terminate the precautionary
suspension.


                                                                        Mar España Martí
                               Director of the Spanish Agency for Data Protection













































