AEPD (Spain) - PS/00134/2019

From GDPRhub
Revision as of 12:34, 8 September 2020 by Miguel Garrido de Vega (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00134/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 77 of the Spanish Law on Personal Data Protection and Digital Rights Guarantee (LOPDGDD)
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 28.08.2020
Fine: n/a
Parties: Establecimientos Residenciales de Ancianos de Asturias (ERA)
National Case Number/Name: PS/00134/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

28 August 2020 - The Spanish Data Protection Agency (AEPD) decided to impose a warning on Establecimientos Residenciales de Ancianos de Asturias or "ERA" (the defendant), for the open publication of personal data related to temporary public employees in a website, with the consequent infringement of the lawfulness principle, as per Article 5(1)(a) GDPR.

English Summary

Facts

The decision is the consequence of a complaint submitted by Centro Sindical Independiente y de Funcionarios or "CSI-CSIF" (the claimant) stating that the defendant had openly published personal data (name, surname, national ID, mobile phone number, desk phone number, results of the exam to become a temporary public employee, date in which he/she has been phoned by the administration, his/her acceptance or refusal of the job, locations of the job, and notes on each person regarding previous vacancies or cessations in such position); the claimant also attached such list in an Excel file as an evidence of its claim. According to the claimant, such information was available for a week at least at the website of public employment offers by the Principality of Asturias.

Dispute

After a clarification process in order to determine who is the data controller (the Principality of Asturias as owner of the website, or the ERA as dependent public entity in charge of the job offers and publications), it is determined that the ERA is the data controller. The defendant answered to the AEPD investigation requests attaching a different copy of the same Excel file provided by the claimant (the copy by the defendant only included names, surnames and incomplete ID numbers), and declaring that, as soon as it knew about the existence of such list, it was immediately blocked, even posting an information message of "list currently not available". During its investigations, the AEPD discovered that the information contained in such list was dated 2015, so it totally fulfilled its function and should have been deleted before. The defendant did not explain which measures have been taken in order to avoid the exposure of personal data once the purpose of such exposure (transparency on public employment offers) has been completed. The AEPD started the corresponding sanction procedure.

Holding

Thus, the AEPD understood that the publication of the personal data of the temporary public employees has infringed the lawfulness principle, so, after considering Article 77 of the Spanish Law on Personal Data Protection and Digital Rights Guarantee or "LOPDGDD" (according to which public entities shall not be punished with economic fines), it imposed a warning to the defendant. The AEPD also requires the defendant to take the corresponding measures to ensure that personal data related to job offers or job pools are no longer available once their purpose and expiry period have been completed.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 Procedure No.: PS / 00134/2019938-300320RESOLUTION OF SANCTIONING PROCEDUREOf the procedure instructed by the Spanish Agency for Data Protection and based onto the followingBACKGROUNDFIRST: CENTRAL SINDICAL INDEPENDIENTE Y DE OFFICIALS CSI-CSIF (inhereinafter, the claimant) on 10/23/2018 filed a claim with the Spanish Agencyof Data Protection because in a url that indicates, of *** URL.1 , “it has beenpublished personal information of temporary workers who provide their services for thePrincipality of Asturias ”,“ at least for a week with free access ” .You could access the pdf whose attached copy. These are Excel type sheets " LISTA DEEMPLOYMENT ATS , resolution *** RESOLUTION.1 BOPA *** BOPA.1 goes into operation1/11/15 ". The list contains order number, up to 140, number of approved exercises,some one, others two or zero, note, NIF, surname and first name, telephone, mobile and landline, boxesmarked in numbers 1 to 6 and comments on the vacancy. On a continuous sheetthey contain " Zones ", " call day, time, call result".SECOND: Upon receipt of the claim, on 12/14/2018, the General Sub-Directorate ofData Inspection proceeded, in accordance with article 65.4 of Organic Law 3/2018,of 5/12, Protection of Personal Data and guarantee of digital rights, theclaim to the Ministry of the Presidency and citizen participation of the Principality of Asturias,General Technical Secretary, urging that he respond to the claimant and detail whathappened and the measures implemented so that events such as the object of theclaim.THIRD: On 01/04/2019, a letter is received stating that he is a delegate ofdata protection, performing its powers exclusively in the field ofCouncil of the Presidency and citizen participation and that does not exercise its functions for theresponsible for the treatment that gives rise to the aforementioned claim.Provide a letter of " internal communication ", sending the claim from theGeneral Technical Secretary to the " Management Directorate " of ESTABLISHMENTSRESIDENTIALS FOR THE ELDERLY IN ASTURIAS dated 12/26/2018. In remission you willHe adds that he is accompanied by a report from the Head of the Publications Service, archivesadministrative, documentation and citizen participation. According to a copy thereof, " reporton publication of the ATS job bank of the ERA ”, indicates that it refers to an addresselectronic that corresponds to the electronic headquarters of the Principality of Asturias. " It is understood thatThe claim does not refer to what was published in the BOPA but to a publication made in theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/8electronic headquarters ”. " The announcement published in the BOPA that corresponds to these data does notshows personal information ” . “ The announcement publishes the resolution of *** RESOLUTION.1 of theManaging Director of the Autonomous Body Residential Establishments for the elderly ofAsturias, which provides for the indefinite employment contract of 10 job openings.titled medium grade ATS-call published in the BO Principado de Asturias *** BOPA.2 . "" The URL corresponds to the electronic headquarters of the Principality of Asturias, where there area section on "public employment offers" that is managed directly by the respectiveresponsible bodies through a computer application that publishes in a mannerautonomous. The person in charge of most of the publications is the administration serviceof personnel through the temporary personnel section. However, in this case, when treatingof an ERA exchange, the responsible body is the HR management area through thehiring and personnel management section . "Make a search in the search engine of the electronic office with the term " ats " and enterother results, a pdf indicates “ ATS EMPLOYMENT LIST ATS ERA 2015 work personnel processSelective available SI-Job Bank ERA-Job List ATS ERA 2015 ”. Thedocument referred to in the claim " at this time informs that the list is notcurrently available ”.Another search is carried out with the term " nursing assistant ", resulting in a pdf list" Labor personnel selection process employment list ERA Aux Nursing 2015 PDF " with a listof 10 employees with surname and first name, NIF, note, number on the exchange, zones, resultcall. " But on that same screen there are other bags such as AUXILIARYEducator, which shows similar data, alluding to the “Educator Assistant Employment List, OEP2016, resolution *** RESOLUTION.2 , BOPA *** BOPA.3 , takes office 09/10/2018 and a listExcel type with data of four people, with names and surnames, nif, note, date called09/10/2018 . "“ Currently many documents are published that are not in accordance withthe data protection regulations, in addition to the one claimed in this case ”.Proposal : “ It is proposed to send it to all the Technical General Secretaries so thatsend it to the bodies of their respective ministries that publish directly inelectronic headquarters or those that send information for publication either on the portalAsturias or that of transparency a text similar to the following (Refers to the new LawOrganic 3/2018, of 5/12, Protection of Personal Data and guarantee of rightsdigital-hereinafter LOPDGDD-, its seventh additional provision).FOURTH: The Autonomous Body RESIDENTIAL ESTABLISHMENTS FOR THE ELDERLYDE ASTURIAS, (ERA) (claimed) attached to the Ministry of Services and Social Rightspresents written on 01/24/2019. Provide the same copy of the list that the claimant attached,with the non-complete NIF and the name and surname.He states that “ the list was immediately blocked, leaving an informative message aboutlist not currently available ”and the list is drawn up in accordance with the provisions of theLOPDGDD.FIFTH On 03/20/2019, the Director of the AEPD admits the claim for processing.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/8SIXTH: The BOPA of *** BOPA.1 is accessed , and the resolution of the Ministry ofServices and Social Rights, RESIDENTIAL ESTABLISHMENTS FOR THE ELDERLY OFASTURIAS (ERA) of *** RESOLUTION. 1 , of the Managing Director of the ORGANISMAUTONOMOUS " RESIDENTIAL ESTABLISHMENTS FOR THE ELDERLY OF ASTURIAS"(ERA), which provides for the indefinite employment contract of 10 job openings.Titled Medium Degree (ATS) (call published in the Official Gazette of the Principality ofAsturias of 11/13/2009. At its first point it is indicated:First. — To enter into a permanent employment contract with the workers whoappear in the annex that accompanies this Resolution and award the destinations, which will have thecharacter of definitive in the Councils and Work Centers that are mentioned in the same.The annex contains only 10 names and surnames of those who have passed the test.SEVENTH: On 10/30/2019, the Director of the Spanish Agency for Data Protectionagreed to initiate a sanctioning procedure for the claimed person, for the alleged violation of article6.1 of the RGPD, in accordance with article 83.5 of the RGPD.No allegations received.EIGHTH: On 03/17/2020 a resolution proposal was formulated, sent electronically,with the result of expired when not being opened by the claimed one. A second shipment occursby ordinary mail, warning of the effects of the electronic notification and being collected.In it it was meant: " That by the Director of the Spanish Protection Agencyof Data is sanctioned with warning to AUTONOMOUS ORGANISM ESTABLISHMENTSRESIDENTIALS FOR THE ELDERLY OF ASTURIAS , for a violation of article 5.1 a) of theRGPD , in accordance with Article 83.5 a) of the RGPD,Report of the measures implemented so that listings with personal data of offersof employment or job boards are not visible when their purpose has been fulfilled,exposure and blocking of data. "It states in allegations that the list referred to in the claim was immediatelyblocked leaving informational message of “ List not currently available. Soonwe will correct the problem ”. Subsequently, they prepared said list in accordance with the provisionadditional seventh of the LOPDGDD, publishing name and surname and adding four figuresrandom numbers of the DNI. They indicate that the electronic address of the access to the aforementioned listera: *** URL.2 , accessed on 07/27/2020 and it appears that it does not exist, however, it is accesseda *** URL.1 , and an ordered list has been published, with 140, with data of surnames andname, NIF only four digits, containing day of call, time and result of call,accepts , locates, or works ERA. It's about resolution *** RESOLUTION. 1 BOPA*** BOPA.1 , "will go into operation 11/1/15 ". It is the same list that is the object of the claim.Supposedly, this 2015 list will have fulfilled its function, so in application of theprinciple of "limitation of conservation period", data remain longer than necessaryfor the purposes of the treatment, unless accredited to the contrary. It is ignored if there are more listingssimilar but the same principle would apply to them.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/8In view of all the actions, by the Spanish Agency for Data ProtectionIn this proceeding, the following are considered proven facts,PROVEN FACTSone)The claimant states that several excel list type sheets entitled "LIST OFEMPLOYMENT ATS, resolution *** RESOLUTION.1 BOPA *** BOPA.1 goes into operation1/11/15 ”, containing order number, up to 140, number of approved exercises (1 or2), note, NIF, surname and name, telephone, mobile and landline with the boxes marked in thenumbers 1 to 6 and observations on the vacancy, have been exposed in the electronic officeof the Principality of Asturias. On a continuous sheet, " Zones ", day of call, time,call result. Remarks include reference dates as prior to 11/4/2015and annotations on each person, cessation, previous vacancy, work etc., accepts RIAÑO, does not acceptexclusion, dates called 10/4/2018 as closest.two)On 01/04/2019 it is proven that there is aoption in public employment offers, with " seek competitive examinations " or " job bank ". Effectedsearch by ATS, figure ATS ERA 2015 employment list, workforce, job bankWAS. When clicking on the pdf, the annotation " ATS EMPLOYMENT LIST, Resolution*** RESOLUTION.1 BOPA *** BOPA.1 goes into operation 11/1/15 ”“ list not availablecurrently, we will fix the problem shortly . " The defendant confirms in writing of01/24/219 that the listing was blocked, however, on 07/27/2020, if it was available on theheadquarters at url *** URL.1 , the same list object of the claim with surname and first name, NIFonly four digits, containing day of call, time and result of call, accepts , thelocality, or works ERA. In addition to containing data that are not provided for in the standard ordisposition, day of call, time and result of call, accepts , location, or worksERA own of the management of the job bank, supposedly, this list of 2015 will havefulfilled its function, so in application of the principle of " limitation of the term ofconservation ”, its validity is not credited.3)As the data protection delegate of the Ministry of the Presidency andparticipation, a search can be carried out in the electronic office with the term ““ auxiliarynursing ", resulting in a pdf list" labor personnel selection process employment list was Auxnursing 2015 PDF ”will enter into operation 05/13/2015 resolution *** RESOLUTION.3 ,BOPA *** BOPA.4 with days called " 01/12/2016 " with a list of 10 employees with surnamesand name, NIF, note, number on the exchange, zones, call result. On that same screen there areother bags such as AUXILIARY Educator that shows similar data,referring to the “ list of auxiliary educator employment, OEP 2016, resolution *** RESOLUTION.2 , BOPA*** BOPA.3 , takes possession 09/10/2018 ”and an Excel-type list with data from four people,with names and surnames, nif, note, date called 09/10/2018. It is also verified in the courseof this file, that by accessing the electronic headquarters of the Principality ofAsturias, in the Public employment offer section and it is appreciated that there are personal data:Complete ID, name and surname and if you worked or not, and if you accept the job proposal, inlists of calls for 2005 that presumably have fulfilled their function. By titleExample, figure List employment of graduate in nursing resolution *** RESOLUTION. 4BOPA *** BOPA.5 which presumably has already fulfilled its function.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/84)The defendant has not reported “ the measures implemented so that lists with datapersonnel of job offers or job boards are not visible when it has been fulfilledits purpose, exposure period and data blocking. " that was contained in the proposal.FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to each authority ofcontrol, and as established in articles 47 and 48 of the LOPDGDD, the Director of theSpanish Data Protection Agency is competent to initiate and resolve thisprocess.IIA first question arises that the BOE list is of 10 people, whichThe object of the complaint appears is 140. The type, purpose and legitimacy have not been given.of the exposure of the 140 members of the list, since it does not appear related to the BOPA.There is no legitimate basis for the aforementioned exposition, for which reason the claim wasinfringement of article 6.1 of the RGPD that states: " Legality of the treatment " "1 . Treatment aloneit will be lawful if at least one of the following conditions is met : "listing different ones, notnone of them concurring for the treatment carried out on the page indicated suchas it has been done.Although an infraction of article 6.1 of the RGPD was imputed, in the proposal ofresolution, the classification of the offense is changed, as it is considered more appropriate to classifythe facts that are the object of the complaint as included in article 5.1 a). Thus, the exposure andpublication of the lists with the data: ID, name and surname, and landline telephone numbersand / or mobiles, and results of calls with annotations, in the electronic headquarters of thePrincipality of Asturias with access for anyone, supposes an infringement of the aforementionedarticle, as there is no legitimation for the set of elements that are published,adding that it could be a process already completed since 2015 andremains exposed.Article 5.1.a) of the RGPD indicates: “ The personal data will be:to)treated in a lawful, loyal and transparent manner in relation to the interested party("Lawfulness, fairness and transparency");The exposed document could rather be classified as an internal document ofmanagement, by being contained as a block, data that must not be exposed for publicitythat seeks the concurrence of the processes, whether it is job boards or any otherselective process. After the development of the tests it seems that a list is made onwhich annotations are produced, and in no case is there legal authorization to exhibit in aweb, in electronic headquarters said list to the knowledge of third parties. It could be due to an error thatdenotes lack of diligence. Therefore, there is no legitimizing cause that enables the exhibitionof the data in open electronic office as it was given, a kind of management documentof the process that is not related to qualifications or transparency when exceedingsaid elements.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/8In addition, as a basic principle of the RGPD, when processing data, it has always beento opt for the minimum data necessary for the group of affected people to achieve their goal. I knowIt thus accredits the commission of the violation of article 5.1. a) of the RGPD.Likewise, it must be understood that the listings should not remain on the page as they haveits purpose has been fulfilled and the claimed party does not justify reasons that in the processing of thisprocedure, these lists survived, even with an incomplete DNI.IIIArticle 83.5 of the RGPD"5. Violations of the following provisions will be sanctioned, in accordance with theparagraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of acompany, of an amount equivalent to a maximum of 4% of the total annual turnoveroverall for the previous financial year, opting for the highest amount:a) the basic principles for the treatment, including the conditions for consentin accordance with Articles 5, 6, 7 and 9; "IVArticle 72 of Organic Law 3/2018, of 5/12, on the Protection of Personal Data andguarantee of digital rights (hereinafter LOPDGDD) states:"1 . Based on what is established in article 83.5 of Regulation (EU) 2016/679,considered very serious and will prescribe after three years the infractions that suppose asubstantial violation of the articles mentioned therein and, in particular, the following :a) The processing of personal data violating the principles and guarantees establishedin Article 5 of Regulation (EU) 2016/679 . "VArticle 83.7 of the RGPD indicates:“ Without prejudice to the corrective powers of the control authorities by virtue of theArticle 58 (2), each Member State may lay down rules on whether it can, and inwhat measure, impose administrative fines on authorities and established public bodiesin that Member State "Article 58.2 of the RGPD indicates: " Each control authority will have all thefollowing corrective powers listed below:b) sanction any person responsible or in charge of the treatment with warningwhen the treatment operations have infringed the provisions of thisRegulation;C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 7
7/8d) order the person in charge of the treatment that the operations oftreatment comply with the provisions of this Regulation, where appropriate, of ain a certain way and within a specified period ”.The Spanish legal system has chosen not to penalize entities with a finepublic, as indicated in article 77.1. c) and 2. 4. 5. and 6. of the LOPDDGG: “ 1. Theregime established in this article will be applicable to the treatments of which areresponsible or managers:c) The General Administration of the State, the Administrations of the communitiesautonomous entities and the entities that make up the Local Administration.2. When the managers or managers listed in section 1 commit anyof the offenses referred to in articles 72 to 74 of this organic law, the authorityof data protection that is competent will issue a resolution sanctioning themwith warning. The resolution will also establish the measures to be adopted tothat the conduct ceases or the effects of the offense that was committed be corrected.The resolution will be notified to the person in charge of the treatment, the body of whichhierarchically depends, where appropriate, and those affected who had the status ofinterested, where appropriate.4. The decisions that fall must be communicated to the data protection authorityin relation to the measures and actions referred to in the previous sections.5. They will be communicated to the Ombudsman or, where appropriate, to the analogous institutions of theautonomous communities the actions carried out and the resolutions issued under thethis article.6. When the competent authority is the Spanish Data Protection Agency, thispublish on its website with due separation the resolutions referring to the entitiesof section 1 of this article, expressly indicating the identity of the person responsible orin charge of the treatment who had committed the offense . "Therefore, in accordance with the applicable legislation,the Director of the Spanish Agency for Data Protection RESOLVES:FIRST: IMPOSE RESIDENTIAL ESTABLISHMENTS FOR THE ELDERLY OFASTURIAS, with NIF Q8350062I , for a violation of article 5.1 a) of the RGPD, ofin accordance with article 83.5 of the RGPD, a fine of APPEARANCE, in accordancewith article 58.2.b) of the RGPD.SECOND: NOTIFY this resolution to RESIDENTIAL ESTABLISHMENTS OFELDERS OF ASTURIAS .C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 8
8/8THIRD: RESIDENTIAL ESTABLISHMENTS FOR THE ELDERLY OF ASTURIAS mustaccredit, in compliance with article 58.2.d) of the RGPD, the measures implemented so thatlists the personal data of job offers or job boards are not visible whenits purpose, exposure period and data blocking have been fulfilled. " .FOURTH: COMMUNICATE this resolution to the OMBUDSMAN, in accordance withwith the provisions of article 77.5 of the LOPDGDD.FIFTH: In accordance with the provisions of article 50 of the LOPDGDD, thisResolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of theLOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested partiesThey may optionally file an appeal for reconsideration before the Director of the AgencySpanish Data Protection Agency within a month from the day after thenotification of this resolution or directly administrative contentious appeal before the Chamberof the Contentious-administrative of the National Court, in accordance with the provisions of theArticle 25 and in section 5 of the fourth additional provision of Law 29/1998, of 07/13,regulator of the Contentious-administrative Jurisdiction, within a period of two months fromfrom the day following notification of this act, as provided in article 46.1 of thereferred Law.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,may provisionally suspend the final resolution through administrative channels if the interested partyexpresses its intention to file a contentious-administrative appeal. If this is the case, theThe interested party must formally communicate this fact by writing to the AgencySpanish Data Protection, presenting it through the Electronic Registry of theAgency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the restrecords provided for in art. 16.4 of the aforementioned Law 39/2015, of 1/10. You will also need to transfer tothe Agency the documentation that proves the effective filing of the contentious appeal-administrative. If the Agency was not aware of the filing of the appealcontentious-administrative within a period of two months from the day following the notification ofthis resolution would terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Agency for Data Protection