AEPD - PS/00188/2020

From GDPRhub
AEPD - PS/00188/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
5 LOPDGDD
Type: Investigation
Outcome: Violation Found
Decided: 06.08.2020
Published: 06.08.2020
Fine: 1800 EUR
Parties: ASOCIACIÓN DE VIGILANTES DE SEGURIDAD DEL AEROPUERTO DE BARCELONA
National Case Number/Name: PS/00188/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA has fined "ASOCIACIÓN DE VIGILANTES DE SEGURIDAD DEL AEROPUERTO DE BARCELONA" with €1800 for an infringement of the principle of confidentiality in the processing of data, as set out in article 5 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

A member of the trade union representation committee distributed a census of the workers through a WhatsApp group, in which there were private non-corporate phones.

The data controller claimed that he did this so that employees could check whether their data were correct.

A worker, whose data had been disseminated in this way, complained to the Spanish DPA that the confidentiality of the processing had been breached.



Dispute[edit | edit source]

Does the distribution of the census of workers through a Whatsapp group constitute a violation of Article 5 (1) (f) GDPR?

Holding[edit | edit source]

The Spanish DPA held that were clear indications that the defendant infringed Article 5 (1) (f) GDPR, principles relating to processing with the duty of confidentiality.

This duty of confidentiality, previously a duty of secrecy, does have the purpose to prevent the leakage of data that is not consented to by the holders of the same.

Therefore, this duty of confidentiality is an obligation that does not only to the person responsible for and in charge of the processing but to anyone who any phase of the treatment and complementary to the duty of professional secrecy.

The fact that it was a non-intentional negligent action, that basic personal identifiers were affected, and that no subsequent prevention measures were carried out of the infringement was considered aggravating factors, determining the amount of the fine in €3000. This amount was reduced by the person responsible for benefiting from the corresponding legal reductions.

Comment[edit | edit source]

The Spanish DPA assessed the specific modifying circumstances, in this case, the merely local scope, the number of people affected, the conduct resulting from a lack of diligence, and the position of the person who distributed the personal data as a data processor.

The defendant made use of two reductions under Article 85 LPACAP, of 20% of the total amount each: recognition of liability and voluntary payment. So from the initial €3000 it became €1800.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00188/2020
DECISION R/00367/2020 ON THE TERMINATION OF PROCEEDINGS FOR PAYMENT
VOLUNTEER
In the sanctioning procedure PS/00188/2020, conducted by the Agency
Spanish Data Protection to ASSOCIATION OF SECURITY GUARDIANS
OF BARCELONA AIRPORT, having regard to the complaint lodged by A.A.A., and in
based on the following,
BACKGROUND
FIRST: On July 10, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure to ASSOCIATION OF
BARCELONA AIRPORT SECURITY WATCHERS (hereinafter,
the one being claimed), by means of the Agreement which is transcribed:
<<
Procedure No.: PS/00188/2020
AGREEMENT ON THE INITIATION OF DISCIPLINARY PROCEEDINGS
Of the actions carried out by the Spanish Agency for the Protection of
Data and based on the following
FACTS
FIRST: Mrs. A.A.A. (hereinafter the complainant) dated 18/11/2019 filed
claim before the Spanish Data Protection Agency. The claim is
directed against AIRPORT SAFETY WATCHMAN ASSOCIATION
DE BARCELONA with NIF G65350316 (hereinafter the claimed). The reasons in
that bases the complaint are: that a member of the Ilunion Centre Committee
Barcelona Airport Security has distributed through WhatsApp, the census
workers to private, non-corporate phones. Provides screenshots of the application in which it is stated that the respondent sent the lists for the
members of their union section to verify that their census data were correct.
SECOND: Upon receipt of the complaint, the Subdirectorate General of
Data Inspection proceeded to carry out the following actions:
On 20/01/2020, the complaint submitted for analysis was transferred to the respondent
and inform the complainant of the decision taken in this regard. Similarly, the
required him to send to the Agency within one month a list of
information:
- Copy of the communications, of the decision taken which you have sent to
claimant regarding the transfer of this claim, and proof that the
The complainant has been notified of this decision.
- Report on the causes of the incident which led to the
claim.
- Report on measures taken to prevent incidents
similar.
- Any other that you consider relevant.
On 11/02/2020, the respondent sent a letter in which he stated that the dissemination of the
through the Whatsapp group only to employees of the company llunión
Seguridad S.A. of the Barcelona Airport work center affected by the
the process of union elections from the electoral rolls for the same does not violate the
data protection regulations, especially when such data were accessible
and the purpose of the sending was to facilitate the verification of data by those
workers with difficulties in moving; which on this subject has already
the Supreme Court in its judgment of 27/09/2007; that the publication or
dissemination of the electoral roll to workers affected by the electoral process
The data protection legislation is not violated;
that the use of the electoral roll carried out by the defendant, such as ***CARGO.1, in the
exercise of their right to trade union activity was adequate for the purposes of the
The only purpose of sending the electoral roll, as indicated in the
The "screenshots" accompanying the complaint were "Check that it is
your name and that your details are correct. If you see any anomaly, please let us know.
that the use of the electoral register made by the defendant, as a means of
***CARGO.1, in exercising its right to trade union activity, was fully
for the purposes of the electoral process, as it was only intended to facilitate the verification of the workers in the workplace of their data for the exercise of their rights
of representation.
On 08/06/2020, in accordance with article 65 of the LOPDGDD, the Director of the
The Spanish Data Protection Agency agreed to admit the complaint about the processing
filed by the claimant against the respondent.
LEGAL GROUNDS
I
By virtue of the powers conferred on each of the parties by Article 58(2) of the GPRS
the supervisory authority, and in accordance with Articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to resolve this procedure.
II
The claimed facts are materialized in the distribution through a group of
WhatsApp by a member of the Ilunion Center Airport Security Committee
of Barcelona, of the electoral census of workers, which could mean the
violation of the principle of confidentiality.
Article 5, Principles relating to processing, of the RGPD which states that
"1. Personal data shall be:
(…)
(f) treated in such a way as to ensure adequate security of the
personal data, including protection against unauthorized or unlawful processing and
against their accidental loss, destruction, or damage, by implementing measures
appropriate techniques or organizational arrangements ("integrity and confidentiality").
(…)”
And Article 6, Legality of Processing, of the aforementioned RGPD states in point 1
that:
"1. Treatment shall be lawful only if at least one of the following is fulfilled
conditions:
a) the data subject has given his consent to the processing of his data
for one or more specific purposes;
(b) processing is necessary for the performance of a contract in which the
interested is a party to or for the application at his request of measures
pre-contractual;
(c) processing is necessary for the performance of a legal obligation
applicable to the data controller;
(d) processing is necessary to protect the vit(f) processing is necessary for the satisfaction of legitimate interests
persecuted by the controller or by a third party, provided that there are
such interests do not prevail over interests or rights and freedoms
data subject's fundamental rights requiring the protection of personal data, in
particularly when the person concerned is a child.
Point (f) of the first subparagraph shall not apply to
processing by public authorities in the exercise of their duties".
(…)”
Also Article 5, Duty of confidentiality, of the new Organic Law
3/2018, of 5 December, on the Protection of Personal Data and Guarantee of
digital rights (hereinafter 'LOPDGDD'), points out that
"Data controllers and data processors, as well as all
persons intervening at any stage of this shall be subject to the duty to
confidentiality referred to in Article 5(1)(f) of Regulation (EU) 2016/679.
2. The general obligation referred to in the previous paragraph shall be complementary
of the duties of professional secrecy in accordance with its applicable regulations.
3. The obligations established in the previous paragraphs shall be maintained
even if the relationship between the obligor and the person responsible or in charge has ended
of the treatment".
On the other hand, Article 83.5 a) of the RGPD, considers that the infringement of "the
basic principles for treatment, including conditions for consent
under Articles 5, 6, 7 and 9" is punishable, in accordance with paragraph 5 of
referred to in Article 83 of the said RGPD, "with administrative fines of
maximum or, in the case of a company, an amount equivalent to 4% as
maximum of the total annual turnover of the previous financial year,
by opting for the largest amount".
And the LOPDGDD in its article 72 indicates for prescription purposes: "Infringements
considered very serious:

al interests of the data subject or
of another natural person;
(e) the processing is necessary for the performance of a task carried out in
public interest or in the exercise of public authority conferred on the person responsible for
treatment;
1. In accordance with Article 83(5) of the Regulation (EU)
2016/679 are considered very serious and will be subject to a three-year statute of limitations for infringements that
constitute a substantial breach of the articles mentioned in that one and, in
In particular, the following:
a) The processing of personal data in violation of the principles and guarantees
laid down in Article 5 of Regulation (EU) 2016/679.
(…)
III
From the documentation in the file, there are clear indications of
that the defendant infringed Article 5 of the RGPD, principles relating to processing, in
in relation to Article 5 of the LOPGDD, duty of confidentiality, in relation to the
impact produced: sending a whatsapp group of the electoral roll list.
This duty of confidentiality, previously a duty of secrecy, must
The purpose of this is to prevent the leakage of data that is not
consented to by the holders of the same.
Therefore, this duty of confidentiality is an obligation that does not
only to the person responsible for and in charge of the processing, but to anyone who
any phase of the treatment and complementary to the duty of professional secrecy.
IV
In order to determine the administrative fine to be imposed
the provisions of Articles 83(1) and 83(2) of the GPRS, which
they point out:
"Each supervisory authority shall ensure that the imposition of fines
administrative offences under this Article for infringements of this
Regulation referred to in paragraphs 4, 5 and 6 are on a case-by-case basis
effective, proportionate and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances
of each individual case, in addition to or instead of the measures envisaged
in Article 58(2)(a) to (h) and (j) In deciding to impose a fine
and its amount in each individual case will be duly taken into account:

(a) the nature, gravity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation concerned
as well as the number of stakeholders affected and the level of damage and
damages they have suffered;
(b) the intentionality or negligence of the infringement;
(c) any measure taken by the controller or processor
to mitigate the damages suffered by those concerned;
(d) the degree of responsibility of the person responsible for or in charge of
treatment, taking into account any technical or organisational measures that have
applied under Articles 25 and 32;
(e) any previous infringement committed by the person responsible for or in charge of
treatment;
(f) the degree of cooperation with the supervisory authority in order to put
remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the way in which the supervisory authority became aware of the infringement, in
in particular whether the person responsible or the person in charge notified the infringement and, if so
to what extent;
(i) where the measures referred to in Article 58(2) have been
ordered in advance against the person responsible or the person in charge
in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to mechanisms
(k) any other factor
aggravating or mitigating circumstances, such as the
financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.
With regard to Article 83.2(k) of the RGPD, the LOPDGDD, in its
Article 76, "Sanctions and remedial measures", provides that
"In accordance with Article 83(2)(k) of the Regulation (EU)
2016/679 may also be taken into account:
(a) the continuing nature of the infringement
b) The link between the activity of the offender and the carrying out of processing
of personal data.
c) The benefits obtained as a result of the commission of the infringement.
(d) The possibility that the conduct of the data subject may have led to the
commission of the offence.
(e) The existence of a post-commission merger process
of the infringement, which cannot be attributed to the absorber.
f) Affecting the rights of minors.
g) Having, when not compulsory, a delegate for the protection of
data.
h) The submission by the person responsible or in charge, with a
to alternative dispute resolution mechanisms, in those
cases where there are disputes between them and any
interested."
In accordance with the above provisions, and without prejudice to the
proceedings in order to determine the amount of the fine to be imposed on
imposed in the present case for the infringement defined in Article 83.5.a) of the RGPD
for which the claimant is held responsible, in an initial assessment, are estimated
The following factors are concurrent:
The merely local scope of the treatment carried out by the entity
claimed.
The number of persons affected by the infringing conduct, members of the
Iluniion company's electoral register.
There is no evidence that the entity complained of has adopted measures to prevent
similar incidents, in the light of the response sent to this body.
There is no evidence that the complainant acted fraudulently,
although the performance reveals a lack of diligence.
The link between the activity of the offender and the processing of
personal data.
The entity complained of is a trade union that is not very representative.
Therefore, in accordance with the above,
By the Director of the Spanish Data Protection Agency,
IT IS AGREED:
1. initiation of disciplinary proceedings against the association of
BARCELONA AIRPORT SECURITY WATCHERS with VAT number
G65350316, for the alleged infringement of article 5.1.f) of the RGPD, sanctioned
in accordance with the provisions of article 83.5.a) of the aforementioned RGPD.
2. NAME R.R.R. as Instructor and S.S.S. as Secretary, indicating that
any of them may be challenged, where appropriate, in accordance with the provisions of
Articles 23 and 24 of Law 40/2015 of 1 October on the Legal Regime of the Sector
Public (LRJSP).
3. INCORPORATE the complaint into the sanctioning file, for evidential purposes
filed by the complainant and its documentation, the documents obtained and
generated by the Inspection Services during the pre-investigation phase, as well
as the report of previous Inspection actions; all documents that
are part of the file.
4. THAT for the purposes of Article 64.2 b) of Law 39/2015, dated 1 January
October, of the Common Administrative Procedure for Public Administrations
(LPACAP), and Article 127(b) of the RLOPD, the sanction that may correspond for
the infringement described would amount to EUR 3 000 (three thousand euros), without prejudice to
result of the instruction.
5. NOTIFY this Agreement to the ASSOCIATION OF WATCHMEN OF
BARCELONA AIRPORT SECURITY with NIF G65350316,
expressly indicating his right to be heard in the proceedings and
granting him a period of TEN WORKING DAYS to make the allegations and
propose the evidence it deems appropriate. In your pleading
you must provide your VAT number and the procedure number in the heading
of this document.
Furthermore, in accordance with Articles 64(2)(f) and 85 of the LPACAP, it is
informs that, if he does not make representations within the time limit of this initiating agreement, the
The same may be considered as a motion for resolution.
You are also informed that, in accordance with Article
85.1 LPACAP may acknowledge its liability within the time allowed for
making representations to this agreement inception which will entail a
reduction of 20% of the penalty to be imposed at present
procedure, equivalent in this case to EUR 600. With the implementation of this
reduction, the penalty would be set at EUR 2 400, with the decision being taken on
procedure with the imposition of this penalty.
Similarly, at any time prior to the resolution of the
This procedure, to carry out the voluntary payment of the proposed penalty, of
in accordance with the provisions of Article 85(2) LPACAP, which will
reduction of 20% of the amount of the fee, equivalent in this case to EUR 600.
With the application of this reduction, the penalty would be set at
and its payment will entail the termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative with the one
is to be applied for the recognition of responsibility, provided that this
recognition of responsibility is shown within the time limit
granted to make representations on the opening of the procedure. The payment
of the amount referred to in the previous paragraph may be made at any
moment before the resolution. In this case, if it is appropriate to apply both
reductions, the amount of the penalty would be set at EUR 1 800.
In any case, the effectiveness of either of the two above-mentioned reductions
shall be conditional upon the withdrawal or waiver of any action or remedy in the
administrative sanction against the sanction.
If you choose to proceed with the voluntary payment of any of the
amounts indicated above ('2,400 or '1,800), in accordance with the
provided for in Article 85.2 above, we indicate that you must make it effective by
your deposit in the restricted account nº ES00 0000 0000 0000 0000 open to
name of the Spanish Data Protection Agency at CAIXABANK Bank,
S.A., indicating in the concept the reference number of the procedure that appears in
the heading of this document and the reason for the reduction in the amount to which

You must also send proof of payment to the Subdirectorate General of
Inspection to continue the procedure in accordance with the quantity
entered.
The procedure will last a maximum of nine months from
the date of the agreement to initiate or, where appropriate, the draft agreement to initiate
After this period, it will expire and consequently the
archive of proceedings; in accordance with the provisions of Article 64 of the
LOPDGDD.
Finally, it should be noted that in accordance with Article 112.1 of the
LPACAP, there is no administrative remedy against this act.
Mar Spain Martí
Director of the Spanish Data Protection Agency
>>
 SECOND: On July 31, 2020, the claimant paid the
1 800 by making use of the two reductions provided for
in the above transcribed agreement, which implies the recognition of the
responsibility.
THIRD: The payment made, within the period granted to make representations to
the opening of the procedure, entails the waiver of any action or appeal in
administrative sanction and recognition of responsibility in relation to
the facts referred to in the Home Agreement.
LEGAL BASIS
I
By virtue of the powers conferred on each authority in Article 58(2) of the GPRS
control, and in accordance with Article 47 of Organic Law 3/2018 of 5 December
December, on the Protection of Personal Data and Guarantee of Digital Rights (en
hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency
is competent to penalise infringements committed against it
Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General
of Telecommunications (hereinafter referred to as LGT), in accordance with the
article 84.3 of the GLT, and the offences defined in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of 11 July, on the services of the company
information and electronic commerce (hereinafter referred to as the ISESA), as provided for in Article
43.1 of that Act
II
Article 85 of Law 39/2015 of 1 October on Administrative Procedure
Commonwealth of Independent States (hereinafter LPACAP), under the heading
"Termination in sanctioning proceedings" provides the following:
"1. A sanctioning procedure has been initiated, if the offender acknowledges his
responsibility, the procedure may be terminated with the imposition of the penalty
as appropriate.
2. When the sanction is solely of a pecuniary nature or when it fits
impose a financial penalty and a non-pecuniary penalty but it has been justified
the unsuitability of the second, voluntary payment by the alleged perpetrator, in
any time before the resolution, will imply the termination of the procedure,
except as regards the restoration of the altered situation or the determination of
compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction is solely of a pecuniary nature,
the body competent to decide on the procedure shall apply reductions of, at
less 20% of the amount of the proposed penalty, which may be cumulated
each other. These reductions must be determined in the notification of
initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased
by regulation.
In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure PS/00188/2020, of
in accordance with Article 85 of the LPACAP.
SECOND: NOTICE this resolution to the ASSOCIATION OF WATCHERS OF
BARCELONA AIRPORT SECURITY.
In accordance with the provisions of article 50 of the LOPDGDD, this
The decision will be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as provided for by
Article 114.1.c) of Law 39/2015, of 1 October, on Administrative Procedure
The persons concerned may lodge an appeal with the
administrative litigation before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of the
referred to Law.
Mar España Martí
Director of the Spanish Data Protection Agency