AEPD - PS/00251/2020

From GDPRhub
AEPD - PS/00251/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 37(1)(b) GDPR
Article 34(1)(ñ) LOPDGDD
Article 34(3) LOPDGDD
Type: Complaint
Outcome: Upheld
Decided: 29.10.2020
Published: 10.11.2020
Fine: 50000 EUR
Parties: Conseguridad SL
National Case Number/Name: PS/00251/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) imposed a fine of €50000 on Conseguridad SL for not having a data protection officer in violation of Article 37(1)(b) GDPR in conjunction with Articles 34(1)(ñ) and 34(3) LOPDGDD.

English Summary[edit | edit source]

Facts[edit | edit source]

Conseguridad SL (a private security company) set up a video surveillance system recording any individual that enters and work in their premises. However, the company does not have a data protection officer, meaning that no GPDR rights can be exercised in that respect.

Conseguridad SL did not respond when notified by the Spanish DPA.

Dispute[edit | edit source]

Does the lack of a data protection officer in a company result in a breach of Article 37 GDPR?

Holding[edit | edit source]

The Spanish DPA (AEPD) found that Conseguridad SL had violated Article 37(1)(b) GDPR by not having designated a data protection officer (DPO). The absence of a DPO also resulted in a breach of Article 34(1)(ñ) and 34(3) of the national law, "LOPPDGDD". The DPA specified that a DPO is necessary where a private security company processes personal data on a large scale, such as Conseguridad SL.

On the question of video surveillance, the Spanish DPA mentioned that the installation of video cameras are not necessarily illegal, so long as they have an information notice attached (Article 22(4) LOPDGDD).

Conseguridad SL was fined €50000 for not having a DPO.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure Nº: PS / 00251/2020


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:


FIRST: FESMC UGT MADRID (hereinafter, the claimant) dated 13
February 2020 filed a claim with the Spanish Agency for the Protection of
Data. The claim is directed against CONSEGURIDAD S.L. with NIF B85937902 (in
ahead, the claimed one).

       The reasons on which the claim is based are that the respondent has a system
of CCTV, where it records the images of all the people who enter and work in
the installations.

       However, the complained party does not have a designated Delegate of
Data Protection (hereinafter DPD) and therefore no rights can be exercised.

       Along with the claim, it provides recordings of the video surveillance cameras.

SECOND: In accordance with article 65.4 of the LOPGDD, which has provided a
mechanism prior to the admission for processing of claims made before
the AEPD, consisting of transferring them to the Data Protection Delegates

designated by those responsible or in charge of the treatment, for the intended purposes
in article 37 of the aforementioned rule, or to these when it has not designated them,
transfer of the claim to the claimed entity to proceed with its analysis and
respond to the complaining party and this Agency within one month.

       An attempt has been made to transfer the claim to the claimed party,
for its analysis and communication to the claimant of the decision adopted in this regard, in
two occasions, the first through electronic notification that expired without being
collected by the claimed on June 16, 2020, the second notification was made by
certified mail and has also been returned by the Post Office with the

indication "cast absent" on July 7, 2020.

THIRD: On August 10, 2020, in accordance with article 65 of the
LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit
To process the claim presented by the claimant against the claimed.

FOURTH: On September 21, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed party,
for the alleged infringement of Article 37.1 b) of the RGPD, in relation to Article
34.1 ñ) of the LOPDGDD, typified in accordance with article 83.4 of the RGPD.

FIFTH: Formally notified of the initiation agreement, the claimed party at the time of
This resolution has not submitted a brief of allegations, so it is
C / Jorge Juan, 6
28001 - Madrid 2/5

application of the provisions of article 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations, which in its
Section f) establishes that in case of not making allegations within the established period

on the content of the initiation agreement. This may be considered a proposal for
resolution when it contains a precise pronouncement about the responsibility
imputed, by which a Resolution is issued.

       In view of all the actions, by the Spanish Protection Agency
of Data in this procedure the following are considered proven facts,


FIRST: The claimed, private security company, has not named a
Delegate of Data Protection.

SECOND: The respondent has not responded to this Agency.

                           FOUNDATIONS OF LAW


       By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.


       Article 37 of the RGPD establishes the following:

  "1. The person in charge and the person in charge of the treatment will designate a delegate of
data protection provided that:

    b) the main activities of the controller or processor consist of
treatment operations that, due to their nature, scope and / or purposes,
require regular and systematic stakeholder observation on a large scale, "

       In this sense, the LOPDGDD determines in its article 34.1) and 3):
"Appointment of a data protection officer"

"1. Those responsible and in charge of the treatment must designate a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:

       ñ) Private security companies.

       3. Those responsible and in charge of the treatment will communicate within the period of
ten days to the Spanish Agency for Data Protection or, where appropriate, to the

autonomous data protection authorities, the designations, appointments and
terminations of data protection delegates both in the cases in which
C / Jorge Juan, 6
28001 - Madrid 3/5

are obligated to their appointment as in the case in which it is voluntary. "


       According to the available evidence, it is considered that the
denounced fact of the lack of designation of DPD by a security company
private, when the claimed processing of personal data on a large scale, and

Being a private security company we are faced with the violation of the
article 37.1b) of the RGPD in relation to article 34.1 ñ) of the LOPDGDD.

       On the other hand, it should be noted that the installation of video surveillance cameras can
be carried out in order to guarantee the safety of goods and people, being

legitimized for them, if there is an informational poster, as provided for in article 22
section 4 LOPDGDD.


       Article 83.7 of the RGPD establishes that: “Without prejudice to the corrective powers of

supervisory authorities pursuant to Article 58 (2), each Member State may
establish rules on whether and to what extent administrative fines can be imposed on
authorities and public bodies established in said Member State "

       Article 58.2 of the RGPD provides the following: “Each control authority

will have all of the following corrective powers listed below:

       b) sanction any person responsible or in charge of the treatment with
warning when the processing operations have violated the provisions of
these Regulations;

       d) order the person in charge of the treatment that the operations of
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time;

       i) impose an administrative fine in accordance with article 83, in addition or in

place of the measures mentioned in this section, depending on the circumstances
of each particular case.

       Article 73 of the LOPDDG indicates: "Violations considered serious

  "Based on what is established in article 83.4 of Regulation (EU) 2016/679,

considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the following: "

  v) Failure to comply with the obligation to appoint a data protection officer
when their appointment is required in accordance with article 37 of Regulation (EU)
2016/679 and article 34 of this organic law. "

       The art. 83.4 of the RGPD establishes that "infringements of the provisions
following will be sanctioned, in accordance with section 2, with administrative fines

C / Jorge Juan, 6
28001 - Madrid 4/5

of EUR 10 000 000 maximum or, in the case of a company, of an amount
equivalent to a maximum of 2% of the total global annual turnover of the
previous financial year, opting for the one with the highest amount:

    a) the obligations of the controller and the person in charge pursuant to articles 8, 11,
    25 to 39, 42 and 43 "

       Likewise, it is considered that the sanction to be imposed should be adjusted according to
with the following criteria established in article 83.2 of the RGPD:

       As aggravating factors the following:

     In the present case, the number of interested parties is aggravating
        affected, since the complained party carries out a processing of personal data to
        large scale due to the number of clients it has (article 83.2 a).

     Basic personal identifiers are affected (article 83.2 g)

       Therefore, in accordance with the applicable legislation and the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:

violation of Article 37.1 b) of the RGPD, in relation to Article 34.1 ñ) of the

LOPDGDD, typified in accordance with article 83.4 of the RGPD, a fine of € 50,000
(fifty thousand euros).


THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,

of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the bank CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.

Notification received and once executive, if the execution date is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term

It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

C / Jorge Juan, 6
28001 - Madrid 5/5

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the

National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
Mar Spain Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6
28001 - Madrid