AEPD - PS/00173/2020
|AEPD - PS/00173/2020|
|Relevant Law:||Article 5(1)(d) GDPR|
|National Case Number/Name:||PS/00173/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD decision (in ES)|
|Initial Contributor:||Miguel Garrido de Vega|
The Spanish Data Protection Agency (AEPD) decided to impose a fine of €3000 on a Spanish citizen (the defendant) for the infringement of the accuracy principle, as per Article 5(1)(d) of the GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The decision is the consequence of a complaint submitted by another Spanish citizen (the claimant) stating that its former company and the agency advising such had infringed the data protection legislation, as they improperly identified him as the author of a traffic offense; the claimant attached several evidences that his/her labour relationship ended nine days before the traffic offense took place (working life report, letter of dismissal and penalty).
Dispute[edit | edit source]
The Spanish company Estevez y Maeso (the advising agency) answered to the first AEPD investigation requests stating that: (i) it maintained a contract relationship with the defendant, who required to process personal data, (ii) the defendant came to the agency with the notice of a traffic offense due to an improper parking of a professional car that, in that moment, was being driven by an employee of him (the claimant), and required the agency to issue the documentation identifying the claimant as driver before the public administration. The AEPD started the corresponding sanction procedure.
Holding[edit | edit source]
Thus, the AEPD understood that the defendant has infringed the accuracy principle included at Article 5(1)(d) GDPR. Consequently, after considering some circumstances [(i) the local scope of the processing activity made by the defendant, (ii) the number of persons affected by the processing activity, (iii) the damage to the claimant, who, not being an employee of the agency anymore, has needed to issue this claim, (iv) there is no evidence that the defendant has adopted any measures in order to prevent such issues to happen again in the future, (v) there has been no collaboration of the defendant with the AEPD, (vi) there is no evidence of wilful misconduct by the defendant, even being this issue a very serious breach of the law, (vii) the link between the activity of the defendant and the processing of personal data, and (viii) the defendant is a physical person], the AEPD decided to impose a fine of € 3000 to the defendant.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 1/8 Procedure Nº: PS / 00173/2020RESOLUTION OF SANCTIONING PROCEDUREOf the procedure instructed by the Spanish Agency for Data Protection andbased on the followingBACKGROUNDFIRST: Mr. AAA (hereinafter, the claimant) dated November 19, 2019filed a claim with the Spanish Agency for Data Protection. Theclaim is directed against BBB with NIF *** NIF.1 (hereinafter, the claimed). TheThe reasons on which the claim is based are, in short, that the company for whichworked and the agency that advised it, have violated the regulations ofdata protection by improperly identifying you as the author of an infringement oftraffic.SECOND: Upon receipt of the claim, the Subdirectorate General ofData Inspection proceeded to carry out the following actions:On 01/17/2020, reiterated on 02/21/2020, the claim was transferred to the claimantsubmitted for analysis and communication to the claimant of the decision adopted at therespect. Likewise, he was required to submit to theAgency certain information:- Copy of the communications, of the adopted decision that has been sent to theclaimant regarding the transfer of this claim, and accreditation thatthe claimant has received the communication of that decision.- Report on the causes that have motivated the incidence that has originated theclaim.- Report on the measures adopted to prevent the occurrence ofsimilar incidents.- Any other that you consider relevant.On 02/28/2020, ESTEVEZ Y MAESO company whose corporate purpose is the advice andlegal management of companies and professionals, indicated that he has maintained a relationshipcontractual with the claimed, who required the processing of personal dataresponsibility of the same; that he came to the counseling on the occasion of anotification of complaint that he had received for the bad parking of a vehicleof which it is the owner, intended for professional use and that at the time of the infringementwas led by his employee the claimant, asking them to present thedocumentation identifying the claimant as a driver at the time of theinfringement before the competent body of the Public Administration.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 2 2/8THIRD: On 06/08/2020, in accordance with article 65 of the LOPDGDD, theDirector of the Spanish Data Protection Agency agreed to admit for processing theclaim filed by the claimant against the defendant.FOURTH: On 06/23/2020, the Director of the Spanish Protection Agencyof Data agreed to initiate a sanctioning procedure against the claimed party, for the allegedviolation of article 5.1.f) of the RGPD, sanctioned in accordance with the provisions of theArticle 83.5.a) of the aforementioned RGPD.FIFTH: Notified the initiation agreement, the one claimed at the time of the presentresolution has not submitted a brief of allegations, so it is applicableindicated in article 64 of Law 39/2015, of October 1, on the ProcedureCommon Administrative of Public Administrations, which in its section f)establishes that in case of not making allegations within the period provided for thecontent of the initiation agreement, it may be considered a proposal forresolution when it contains a precise pronouncement about the responsibilityimputed, for which a Resolution is issued.SIXTH: Of the actions carried out in this proceeding, there have beenaccredited the following:PROVEN FACTSFIRST: On 11/19/2019 the claimant submitted a written document to the Spanish Agency forData Protection, noting that the company for which you worked at the time andthe agency that advised her have violated the regulations on the protection ofpersonal data by improperly identifying you as the author of an infringement oftraffic.SECOND: The claimant has provided proof that the employment relationship isexpired on 10/22/17, before the commission of the offense on 10/31/2017. Contributeswork life report, dismissal letter and traffic fine.THIRD: ESTEVEZ Y MAESO, SL company whose corporate purpose is the advice andlegal management of companies and professionals, in writing dated 03/04/2020, indicates thatmaintained a contractual relationship with the defendant and indicates that he “went toour offices due to a notification of complaint that had been received by thebad parking of a vehicle owned. This vehicle is intended forprofessional use and informs us that at the time of the infraction it was conductedby his employee the claimant, for which he also asks us to present thedocumentation that identifies the complainant as the driver at the time of theinfringement before the competent body of the Public Administration.FOURTH: ESTEVEZ Y MAESO, SL has provided a Data Protection contractPersonal subscribed with the claimed on 05/25/2018 where he holds the status ofin charge of the treatment.FOUNDATIONS OF LAWC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 3 3/8IBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority, and as established in articles 47 and 48 of the LOPDGDD,the Director of the Spanish Data Protection Agency is competent to initiateand to solve this procedure.IILaw 39/2015, of October 1, on the Common Administrative Procedure ofthe Public Administrations, in its article 64 “Agreement of initiation in theprocedures of a sanctioning nature ” , provides:"one. The initiation agreement will be communicated to the instructor of the procedure, withtransfer of how many actions exist in this regard, and the interested parties will be notified,understanding in any case as such the accused.Likewise, the initiation will be communicated to the complainant when the regulationsregulating the procedure so provide.2. The initiation agreement must contain at least:a) Identification of the person or persons allegedly responsible.b) The facts that motivate the initiation of the procedure, its possiblequalification and penalties that may correspond, without prejudice to whatresult of the instruction.c) Identification of the instructor and, where appropriate, Secretary of the procedure, withexpress indication of the regime of challenge of the same.d) Competent body for the resolution of the procedure and regulation thatattributes such competence, indicating the possibility that the allegedresponsible can voluntarily acknowledge their responsibility, with theeffects provided for in article 85.e) Provisional measures that have been agreed by the bodycompetent to initiate the sanctioning procedure, without prejudice to thosecan be adopted during the same in accordance with article 56.f) Indication of the right to make allegations and to a hearing at theprocedure and deadlines for its exercise, as well as an indication that, incase of not making allegations within the term provided on the content of theinitiation agreement, this may be considered a resolution proposalwhen it contains a precise statement about liabilitycharged.3. Exceptionally, when at the time of issuing the initiation agreementthere are insufficient elements for the initial qualification of the facts that motivatethe initiation of the procedure, the aforementioned qualification may be carried out in a phaselater by preparing a Statement of Charges, which must be notified tothe interested".In application of the previous precept and taking into account that they have notformulated allegations to the initiation agreement, it is necessary to resolve the procedure initiated.IIIC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/8The denounced facts materialize in the undue identification of thecomplainant as the author of a traffic offense when he no longer had a relationshiplabor with the claimed, having used their data illegally.Article 58 of the RGPD, Powers , points out in point 2 that:"two. Each supervisory authority shall have all the following powerscorrective measures listed below:(…)b) sanction any person responsible or in charge of the treatment withwarning when the processing operations have violated the provisions ofthese Regulations;(…)i) impose an administrative fine in accordance with article 83, in addition or inplace of the measures mentioned in this section, depending on the circumstancesof each particular case;(…) "The treatment carried out by the complained party is constitutive of an infringementof article 5, Principles relating to treatment , of the RGPD which establishes that:"one. The personal data will be:(…)d) accurate and, if necessary, updated; all measures will be takenreasonable for the personal data to be deleted or rectified without delaythat are inaccurate with respect to the purposes for which they are treated("accuracy");(…) "IVThe documentation in the file shows that the defendant violated theArticle 5 of the RGPD, principles relating to treatment , when disclosing the data to a third partyof the complainant to identify him as the author of a traffic offense, data thatwere inaccurate not responding to reality since the day the infraction wascommitted no longer had an employment relationship with the claimed and was not the drivervehicle.Therefore, the personal data will be accurate and, if necessary,updated. Likewise, the aforementioned article indicates that all thereasonable measures to have the data deleted or rectified without delaypersonal data that are inaccurate with respect to the purposes for which they are processed.In this same sense, recital 39 states that “allreasonable measures to ensure that the data is rectified or deletedthat are inaccurate ”.The responsibility of the person in charge of correcting the data that is inaccurate iscorrelative to the right of rectification of the interested parties expressly recognized inArticle 16 of the regulations.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 5 5/8The principle of data accuracy determines in turn the need forarticulate procedures that allow the person in charge to carry out continuous updatingof the data contained in the file in order to respect the aforementioned principle, ofIn such a way that they are accurate and fit the reality of the interested party.VArticle 83.5 a) of the RGPD, considers that the infringement of “the principlesbasic for the treatment, including the conditions for consent in accordance withof articles 5, 6, 7 and 9 ” is punishable, in accordance with section 5 of thementioned article 83 of the aforementioned RGPD, “with administrative fines of € 20,000,000at most or, in the case of a company, an amount equivalent to 4% asmaximum total annual global business volume of the previous financial year,opting for the highest amount ”.The LOPDGDD in its article 72 indicates: “Violations considered very serious:1. In accordance with the provisions of article 83.5 of the Regulation (EU)2016/679 are considered very serious and will prescribe after three years the infractions thatsuppose a substantial violation of the articles mentioned in that and, inin particular, the following:a) The processing of personal data violating the principles and guaranteesestablished in article 5 of Regulation (EU) 2016/679.(…)In order to establish the administrative fine to be imposed, they mustobserve the provisions contained in articles 83.1 and 83.2 of the RGPD, whichpoint out:"one. Each supervisory authority shall ensure that the imposition of finesadministrative under this article for the infractions of thisRegulations indicated in paragraphs 4, 5 and 6 are in each individual caseeffective, proportionate and dissuasive.2. Administrative fines will be imposed, depending on the circumstancesof each individual case, as an additional or substitute for the measures contemplatedin article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fineadministrative and its amount in each individual case will be duly taken into account:a) the nature, severity and duration of the offense, taking into account thenature, scope or purpose of the processing operation in questionas well as the number of affected stakeholders and the level of damage anddamages they have suffered;b) intentionality or negligence in the infringement;c) any measure taken by the controller or processorto mitigate the damages suffered by the interested parties;C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 6 6/8d) the degree of responsibility of the person in charge of thetreatment, taking into account the technical or organizational measures that haveapplied by virtue of articles 25 and 32;e) any previous infringement committed by the person in charge or the person in charge of thetreatment;f) the degree of cooperation with the supervisory authority in order toremedy the violation and mitigate the possible adverse effects of the violation;g) the categories of personal data affected by the infringement;h) the way in which the supervisory authority learned of the infringement, inparticular if the person in charge or the person in charge notified the infringement and, in such case,what extent;i) when the measures indicated in Article 58 (2) have beenpreviously ordered against the person in charge or the person in chargein relation to the same matter, compliance with said measures;j) adherence to codes of conduct under article 40 or to mechanismscertification approved in accordance with Article 42, andk) any other aggravating or mitigating factor applicable to the circumstances of thecase, such as financial benefits obtained or losses avoided, director indirectly, through infringement.In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in itsArticle 76, “Sanctions and corrective measures”, establishes that:"two. In accordance with the provisions of article 83.2.k) of Regulation (EU)2016/679 may also be taken into account:a) The continuing nature of the offense.b) The linking of the offender's activity with the performance of treatmentsof personal data.c) The benefits obtained as a result of the commission of the offense.d) The possibility that the affected person's conduct could have led to thecommission of the offense.e) The existence of a merger process by absorption after the commissionof the infringement, which cannot be attributed to the absorbing entity.f) Affecting the rights of minors.g) To have, when not mandatory, a delegate for the protection ofdata.h) The submission by the person in charge or in charge, with charactervoluntary, to alternative dispute resolution mechanisms, in thosecases in which there are controversies between those and anyinterested."In accordance with the transcribed precepts, in order to set the amount of thesanction of a fine to be imposed in the present case for the offense typified in theArticle 83.5.a) of the RGPD for which the claimed person is responsible, in an assessmentinitial, the following factors are considered concurrent:The merely local scope of the treatment carried out by the claimed person.Only one person has been affected by the offending conduct.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 7 7/8The damage caused to the claimant who, without being a company employee, hasbeen charged as the cause of a traffic offense having to go to thisinstance claiming for the aforementioned facts.The respondent does not record that he has adopted measures to preventproduce similar incidents; It has not responded to the information request eitherof the Agency, nor to the agreement to initiate the sanctioning procedure, which affects thelack of cooperation with the supervisory authority in order to remedy theinfringement and mitigate the possible adverse effects of the same.There is no evidence that the defendant acted fraudulently,although the performance reveals a serious lack of diligence.The linking of the offender's activity with the performance of treatment ofPersonal data.The defendant is a natural person.Therefore, in accordance with the applicable legislation and the criteria ofgraduation of sanctions whose existence has been proven,The Director of the Spanish Agency for Data Protection RESOLVES:FIRST: IMPOSE BBB , with NIF *** NIF.1 , for a violation of the article5.1.d) of the RGPD, typified in article 83.5 of the RGPD, a penalty of € 3,000 (threea thousand euros).SECOND: NOTIFY this resolution to BBB, with NIF *** NIF.1 .THIRD: Warn the sanctioned person that the sanction imposed by aOnce this resolution is enforceable, in accordance with the provisions of theart. 98.1.b) of Law 39/2015, of October 1, on Administrative ProcedureCommon of Public Administrations (hereinafter LPACAP), within the payment periodvoluntary established in art. 68 of the General Collection Regulations, approvedby Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,of December 17, by means of their entry, indicating the NIF of the sanctioned person and the numberof procedure that appears in the heading of this document, in the accountrestricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the AgencySpanish Data Protection Agency in the bank CAIXABANK, SA. In caseOtherwise, it will be collected in the executive period.Once the notification has been received and once it is executed, if the date of execution isfinds between the 1st and 15th of each month, both inclusive, the deadline to carry out thevoluntary payment will be until the 20th of the following or immediately subsequent business month, and ifis between the 16th and last days of each month, both inclusive, the term of thePayment will be up to the 5th of the second following or immediate business month.In accordance with the provisions of article 50 of the LOPDGDD, theThis Resolution will be made public once it has been notified to the interested parties.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 8 8/8Against this resolution, which puts an end to the administrative procedure in accordance with art.48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of theLPACAP, the interested parties may optionally file an appeal for reversalbefore the Director of the Spanish Agency for Data Protection within a period ofmonth from the day after notification of this resolution or directlycontentious-administrative appeal before the Contentious-Administrative Chamber of theNational High Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-administrative jurisdiction, within a period of two months from theday following notification of this act, as provided in article 46.1 of thereferred Law.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of theLPACAP, the final resolution may be suspended in an administrative wayIf the interested party expresses his intention to file a contentious appeal-administrative. If this is the case, the interested party must formally communicate thismade by writing to the Spanish Agency for Data Protection,Presenting it through the Electronic Registry of the Agency[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the restrecords provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Toomust forward to the Agency the documentation that proves the effective filingof the contentious-administrative appeal. If the Agency is not aware of thefiling of the contentious-administrative appeal within a period of two months from theday after the notification of this resolution, would terminate theprecautionary suspension. Mar España Martí Director of the Spanish Agency for Data Protection