AEPD - PS/00174/2019
|AEPD - PS/00174/2019|
|Relevant Law:||Article 5(1)(f) GDPR|
|Parties:||General Labour Union (GCT)|
|National Case Number:||PS/00174/2019|
|European Case Law Identifier||n/a|
|Original Source:||AEPD (in ES)|
The AEPD imposed a fine of € 3,000 against the General Labour Union (GCT) for the violation of Article 5(1)(f) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The GCT’s 400 members received an email that includes personal data about a citizen (personal information about her private relationship, her home address, her pregnancy status). The email was originally sent to organise an assembly regarding the data subject. The data subject filled a complaint with the AEPD.
Dispute[edit | edit source]
Could disclosure of personal data about an organisation's member to the other members of the same organisation contravene Article 5(1)(f) GDPR?
Holding[edit | edit source]
The AEPD found that the disclosure of her personal data to the 400 members violated Article 5(1)(f) GDPR. The AEPD stressed that Article 5(1(f) GDPR constitutes a basis for the "proactive responsibility" of the controller to demonstrate its compliance. The controller was fined € 3,000.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the original. Please refer to the Spanish original for more details.
936-150719 Product No.: PS/00174/2019 RESOLUTION R/00585/2019 ON THE TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT In the sanctioning procedure PS/00174/2019, instructed by the Spanish Agency of Data Protection to CONFEDERACION GENERAL DEL TRABAJO, having regard to the complaint presented by A.A.A., and based on the following BACKGROUND FIRST: On 23 October 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the GENERAL CONFEDERATION OF LABOUR (hereinafter, the claimed), by means of the Agreement that is transcribed: << Product No.: PS/00174/2019 AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS Of the actions carried out by the Spanish Data Protection Agency and based on the following FACTS FIRST: A.A.A. (hereinafter, the claimant) on October 4, 2018 filed a complaint with the Spanish Data Protection Agency against CONFEDERACION GENERAL DEL TRABAJO, FEDERACIÓN INTERCOMARCAL TARRAGONA with NIF G79196614 (hereinafter the claimed). The grounds for the complaint are that without their consent the respondent on September 4, 2018, the union's members received a notice of meeting for September 18, 2010, and disseminated by e-mail to four hundred members of the union personal information of the complainant relating to - Data on the procedure underway for the verbal abuse and harassment she has suffered. - Information on her personal and family relationship. - Data on her state of pregnancy - Your home address. SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two of Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD). As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one who has been claimed. LEGAL GROUNDS I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and according to what is established in articles 47 and 48.1 of the LOPDPGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure. II Article 6.1 of the RGPD establishes the cases in which the processing of personal data may be considered lawful. On the other hand, Article 5 of the RGPD establishes that the personal data will be "(a) processed in a lawful, fair and transparent manner in relation to the data subject ("lawfulness, fairness and transparency") (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; according to Article 89(1), further processing of personal data for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes ('purpose limitation'); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimization'); (d) accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay ('accuracy'); (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing of the personal data; personal data may be kept for longer periods provided that they are processed solely for archiving purposes in the public interest or for the purposes of scientific or historical research or statistical purposes, in accordance with Article 89(1), without prejudice to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject ('limitation of storage period'); (f) processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, through the implementation of appropriate technical or organisational measures ('integrity and confidentiality'). The controller shall be responsible for compliance with paragraph 1 and shall be able to prove it ("proactive responsibility"). III In accordance with the evidence available at the present time, and without prejudice to the outcome of the investigation, it is considered that the facts reported, i.e., the dissemination by e-mail to four hundred members of the union complained of, of the complainant's personal information on her personal and family relationship, her state of pregnancy and her home address, thereby violating Article 5.1 f) of the RGPD, which governs the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the data controller to demonstrate compliance with them. IV Article 72(1)(a) of the LOPDGDD states that 'in accordance with the provisions of Article 83(5) of Regulation (EU) 2016/679, infringements that substantially infringe the articles mentioned therein, and in particular the following, shall be considered very serious and shall be subject to a three-year limitation period: (a) Processing of personal data in breach of the principles and guarantees laid down in Article 5 of Regulation (EU) 2016/679 V Article 58(2) of the GPRS states: 'Each supervisory authority shall have all the following corrective powers (b) to sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation (d) to order the controller or processor to comply with the provisions of this Regulation, where appropriate in a particular manner and within a specified time limit; (i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the individual case; VI This infringement may be punished by a fine of up to EUR 20 000 000 or, in the case of a company, of up to 4% of the total annual turnover of the previous financial year, whichever is greater, in accordance with Article 83(5) of the RGPD. It is also considered that the penalty to be imposed should be graduated in accordance with the following criteria established in article 83.2 of the RGPD: As aggravating factors the following: - In the present case we are dealing with non-intentional but significant negligent action (article 83.2 b) - Basic personal identifiers (name, surname, address) are affected, according to Article 83(2)(g) Therefore, on the basis of the above, By the Director of the Spanish Data Protection Agency, AGREED: FIRST: START PENALTY PROCEEDINGS against the GENERAL CONFEDERATION OF LABOUR, TARRAGONIAN INTER-COUNTRY FEDERATION, with NIF G79196614 for the alleged violation of Article 5.1(f) of the GPRS, as set out in 83.5 (a) of the RGPD. SECOND: ORDER to GENERAL CONFEDERATION OF LABOUR, FEDERATION INTERCOMARCAL TARRAGONA with NIF G79196614, in accordance with the provisions of Article 58.2 d) of the RGPD, so that within a period of ten days it proceeds to order the person responsible for or in charge of the processing, that the processing operations comply with the provisions of the RGPD. THIRD: To appoint R.R.R. as instructor and S.S.S. as secretary, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). FOURTH: TO INCORPORATE into the sanctioning file, for evidential purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the Subdirectorate General of Data Inspection during the investigation phase, as well as the report of previous Inspection actions. FIFTH: THAT for the purposes set forth in article 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the sanction that may correspond would be 5,000 Euros (five thousand Euros) without prejudice to what may result from the investigation. SIXTH: NOTIFY this agreement to CONFEDERACION GENERAL DEL TRABAJO, FEDERACIÓN INTERCOMARCAL TARRAGONA with NIF G79196614 giving him a period of ten working days to make the allegations and submit the evidence he deems appropriate. In your pleading, you must provide your tax identification number and the procedure number in the heading of this document. If you do not make any allegations about this agreement to initiate within the stipulated period, it may be considered a proposal for a resolution, as established in Article 64.2.f) of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP). In accordance with the provisions of Article 85 of LPACAP, if the penalty to be imposed is a fine, it may acknowledge its liability within the time limit granted for the submission of arguments on this agreement to initiate proceedings; this will entail a reduction of 20% of the penalty to be imposed in these proceedings. With the application of this reduction, the penalty would be set at 4,000, with the procedure being resolved by the imposition of this penalty. Similarly, at any time prior to the resolution of this procedure, the Committee may carry out the voluntary payment of the proposed penalty, which will entail a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 4,000 euros and its payment would imply the termination of the procedure. The reduction for the voluntary payment of the penalty can be cumulated with that for the recognition of liability, provided that this recognition of liability is shown within the time allowed for making representations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the decision. In this case, if both reductions were to be applied, the amount of the penalty would be set at 3,000 euros. In any case, the effectiveness of either of the two above-mentioned reductions shall be conditioned on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above, (4,000 or 3,000 euros) you must make it effective by paying it into account nº ES00 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the CAIXABANK, S.A. Bank, indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause for the reduction of the amount to which it is applied. Likewise, you must send the proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid. The procedure shall have a maximum duration of nine months as of the date of the starting agreement or, where appropriate, of the draft starting agreement. Once this period has elapsed, it will expire and, consequently, the proceedings will be closed; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is noted that in accordance with Article 112.1 of the LPACAP, there is no administrative appeal against this act. Mar Spain Martí Director of the Spanish Data Protection Agency >> SECOND: On November 12, 2019, the claimant has proceeded to pay the penalty in the amount of 3000 euros making use of the two reductions provided in the Agreement of initiation transcribed above, which implies the recognition of liability. THIRD: The payment made, within the period granted for making allegations on the opening of the proceedings, implies the waiver of any action or appeal in administrative proceedings against the penalty and the acknowledgement of liability in relation to the facts referred to in the Agreement of Initiation. LEGAL GROUNDS I By virtue of the powers that Article 58.2 of the RGPD grants to each control authority, and as established in Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction any infringements committed against those Regulations; infringements of Article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of Article 84.3 of the GLT, and the infringements defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002 of 11 July on information society services and electronic commerce (hereinafter referred to as the ISESA), as provided for in Article 43.1 of the said Act. II Article 85 of Law 39/2015 of 1 October 1995 on the Common Administrative Procedure for Public Administrations (LPACAP), under the heading 'Termination in penalty proceedings', provides as follows "1. If a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be terminated with the imposition of the appropriate sanction. 2. When the penalty is only pecuniary in nature or when it is possible to impose a pecuniary penalty and a non-pecuniary penalty but the latter has been justified, voluntary payment by the alleged offender, at any time prior to the decision, shall entail the termination of the proceedings, except as regards the reinstatement of the altered situation or the determination of compensation for damages caused by the commission of the offence. 3. In both cases, where the penalty is purely financial in nature, the body responsible for deciding the procedure shall apply reductions of at least 20 % to the amount of the penalty proposed, which may be cumulative. Such reductions shall be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or waiver of any administrative action or appeal against the penalty. The percentage of reduction provided for in this paragraph may be increased by regulation. In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00174/2019, in accordance with the provisions of Article 85 of the LPACAP SECOND: TO NOTIFY this resolution to CONFEDERACION GENERAL DEL TRABAJO. In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure according to the provisions of article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, the interested parties may file a contentious-administrative appeal with the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in Article 46.1 of the aforementioned Act. Mar Spain Martí Director of the Spanish Data Protection Agency