AEPD - PS/00251/2020
|Relevant Law:||Article 37(1)(b) GDPR, Article 34(1)(ñ) LOPDGDD, Article 34(3) LOPDGDD|
|National Case Number/Name:||PS/00251/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA (AEPD) imposed a fine of €50,000 on Conseguridad SL for not having a data protection officer, in violation of Article 37(1)(b) GDPR in conjunction with Articles 34(1)(ñ) and 34(3) LOPDGDD.
English Summary
Facts
Conseguridad SL (a private security company) set up a video surveillance system recording any individual who enters and works in its premises. However, the company does not have a data protection officer, meaning that no GDPR rights can be exercised in that respect.
Conseguridad SL did not respond when notified by the Spanish DPA.
Dispute
Does the lack of a data protection officer in a company result in a breach of Article 37 GDPR?
Holding
The Spanish DPA (AEPD) found that Conseguridad SL had violated Article 37(1)(b) GDPR by not having designated a data protection officer (DPO). The absence of a DPO also resulted in a breach of Articles 34(1)(ñ) and 34(3) of the national law, the "LOPDGDD". The DPA specified that a DPO is necessary where a private security company, such as Conseguridad SL, processes personal data on a large scale.
On the question of video surveillance, the Spanish DPA mentioned that the installation of video cameras is not necessarily illegal, so long as an information notice is attached (Article 22(4) LOPDGDD).
Conseguridad SL was fined €50,000 for not having a DPO.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure Nº: PS / 00251/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following:
BACKGROUND
FIRST: FESMC UGT MADRID (hereinafter, the claimant) dated 13 February 2020 filed a claim with the Spanish Agency for the Protection of Data. The claim is directed against CONSEGURIDAD S.L. with NIF B85937902 (in ahead, the claimed one). The reasons on which the claim is based are that the respondent has a system of CCTV, where it records the images of all the people who enter and work in the installations. However, the complained party does not have a designated Delegate of Data Protection (hereinafter DPD) and therefore no rights can be exercised. Along with the claim, it provides recordings of the video surveillance cameras.
SECOND: In accordance with article 65.4 of the LOPGDD, which has provided a mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the intended purposes in article 37 of the aforementioned rule, or to these when it has not designated them, transfer of the claim to the claimed entity to proceed with its analysis and respond to the complaining party and this Agency within one month. An attempt has been made to transfer the claim to the claimed party, for its analysis and communication to the claimant of the decision adopted in this regard, in two occasions, the first through electronic notification that expired without being collected by the claimed on June 16, 2020, the second notification was made by certified mail and has also been returned by the Post Office with the indication "cast absent" on July 7, 2020.
THIRD: On August 10, 2020, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit To process the claim presented by the claimant against the claimed.
FOURTH: On September 21, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of Article 37.1 b) of the RGPD, in relation to Article 34.1 ñ) of the LOPDGDD, typified in accordance with article 83.4 of the RGPD.
FIFTH: Formally notified of the initiation agreement, the claimed party at the time of This resolution has not submitted a brief of allegations, so it is application of the provisions of article 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, which in its Section f) establishes that in case of not making allegations within the established period on the content of the initiation agreement. This may be considered a proposal for resolution when it contains a precise pronouncement about the responsibility imputed, by which a Resolution is issued.
In view of all the actions, by the Spanish Protection Agency of Data in this procedure the following are considered proven facts,
ACTS
FIRST: The claimed, private security company, has not named a Delegate of Data Protection.
SECOND: The respondent has not responded to this Agency.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure.
II
Article 37 of the RGPD establishes the following:
"1. The person in charge and the person in charge of the treatment will designate a delegate of data protection provided that:
b) the main activities of the controller or processor consist of treatment operations that, due to their nature, scope and / or purposes, require regular and systematic stakeholder observation on a large scale,"
In this sense, the LOPDGDD determines in its article 34.1) and 3):
"Appointment of a data protection officer"
"1. Those responsible and in charge of the treatment must designate a delegate of data protection in the cases provided for in article 37.1 of the Regulation (EU) 2016/679 and, in any case, in the case of the following entities:
ñ) Private security companies.
3. Those responsible and in charge of the treatment will communicate within the period of ten days to the Spanish Agency for Data Protection or, where appropriate, to the autonomous data protection authorities, the designations, appointments and terminations of data protection delegates both in the cases in which are obligated to their appointment as in the case in which it is voluntary."
III
According to the available evidence, it is considered that the denounced fact of the lack of designation of DPD by a security company private, when the claimed processing of personal data on a large scale, and Being a private security company we are faced with the violation of the article 37.1b) of the RGPD in relation to article 34.1 ñ) of the LOPDGDD.
On the other hand, it should be noted that the installation of video surveillance cameras can be carried out in order to guarantee the safety of goods and people, being legitimized for them, if there is an informational poster, as provided for in article 22 section 4 LOPDGDD.
IV
Article 83.7 of the RGPD establishes that:
“Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58 (2), each Member State may establish rules on whether and to what extent administrative fines can be imposed on authorities and public bodies established in said Member State"
Article 58.2 of the RGPD provides the following:
“Each control authority will have all of the following corrective powers listed below:
b) sanction any person responsible or in charge of the treatment with warning when the processing operations have violated the provisions of these Regulations;
d) order the person in charge of the treatment that the operations of treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time;
i) impose an administrative fine in accordance with article 83, in addition or in place of the measures mentioned in this section, depending on the circumstances of each particular case.
V
Article 73 of the LOPDDG indicates: "Violations considered serious
"Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following:"
v) Failure to comply with the obligation to appoint a data protection officer when their appointment is required in accordance with article 37 of Regulation (EU) 2016/679 and article 34 of this organic law."
The art. 83.4 of the RGPD establishes that "infringements of the provisions following will be sanctioned, in accordance with section 2, with administrative fines of EUR 10 000 000 maximum or, in the case of a company, of an amount equivalent to a maximum of 2% of the total global annual turnover of the previous financial year, opting for the one with the highest amount:
a) the obligations of the controller and the person in charge pursuant to articles 8, 11, 25 to 39, 42 and 43"
Likewise, it is considered that the sanction to be imposed should be adjusted according to with the following criteria established in article 83.2 of the RGPD:
As aggravating factors the following:
In the present case, the number of interested parties is aggravating affected, since the complained party carries out a processing of personal data to large scale due to the number of clients it has (article 83.2 a).
Basic personal identifiers are affected (article 83.2 g)
Therefore, in accordance with the applicable legislation and the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: TO IMPOSE CONSEGURIDAD S.L., with NIF B85937902, for a violation of Article 37.1 b) of the RGPD, in relation to Article 34.1 ñ) of the LOPDGDD, typified in accordance with article 83.4 of the RGPD, a fine of € 50,000 (fifty thousand euros).
SECOND: NOTIFY this resolution to CONSEGURIDAD S.L.
THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the bank CAIXABANK, S.A. In case Otherwise, it will be collected in the executive period.
Notification received and once executive, if the execution date is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension.
938-300320
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es