AEPD (Spain) - PS/00257/2020: Difference between revisions

Revision as of 16:43, 15 January 2021

AEPD - PS/00257/2020

Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 37 GDPR LOPDGDD
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:
Published:	11.01.2021
Fine:	None
Parties:	Ayuntamiento de Arroyomolinos
National Case Number/Name:	PS/00257/2020
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	n/a

The Spanish DPA (AEPD) issued a reprimand to the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a DPO for more than two years after the entry into force of the GDPR.

English Summary

Facts

Ayuntamiento de Arroyomolinos was found lacking a DPO. The defendant has provided the measures it has in the meantime adopted: with a service contract from 28.09.2020 a DPO has been appointed.

Dispute

Was this municipality under the obligation of appointing a DPO?

Holding

The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer. This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR. The Spanish DPA issued a reprimand to Ayuntamiento de Arroyomolinos for violating Article 37 GDPR. The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

1/7  Procedure Nº: PS / 00257/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: D. A.A.A. (hereinafter, the claimant) dated January 20, 2020 filed a claim with the Spanish Agency for Data Protection. The claim is directed against the Arroyomolinos City Council with NIF P2801500F (hereinafter, the claimed). The claimant states that he received on his behalf a notification from the City Council, and it contains the data and facts that motivate the imposition of a sanction to another person. On the other hand, he points out that the consistory does not have a Delegate for the Protection of Data. Together with the claim, he provides the notification that they have sent him. SECOND: In view of the facts reported in the claim and the Documents provided by the claimant are transferred to the claimed claim. On July 24, 2020, the defendant states: “that on January 20, 2020, the claimant was informed that on the day of notification of the Resolution there was a computer failure, and in the notification of its procedure the body of the resolution of the previous notification. The department proceeded to review generated notifications, not finding any more erroneous, likewise proceeded to add more revision controls of the documents generated so that this situation is not repeated. Likewise, he was informed that his data has not been disclosed to third parties, have only been used for the notification of the procedure between the claimant and this City Council ”. THIRD: On September 25, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure for the claimed party, with in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 37 of the RGPD, typified in Article 83.4 of the RGPD. FOURTH: Once the aforementioned commencement agreement was notified, the defendant submitted a allegations in which he, in short, he stated: “that on September 28, 2020 was awarded by Decree No. 2497/2020 technical assistance services contract to support and update information security (ENS) and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/7 protection of personal data (RGPD-LOPDGDD) and Delegate Service of Data Protection, for a period of 12 months. Sufficiently in advance of the contract end date and having As a basis for the work carried out by the DPD during that time, it is already planned to tender publicly for a maximum of 4 years the Data Protection Officer, with The aim is that this City Council permanently have this figure. In compliance with the duty to communicate the appointment of the DPO by this City Council to the AEPD in accordance with the provisions of article 34.3 LOPDGDD, The following details indicate: START UP, S.L. CIF B33667494 Attached to this document is: Decree No. 2497/2020 awarding of service contract and technical-economic proposal of the company Start up CDF S.L. in which the content of the services to be carried out is detailed ”. FIFTH: On October 13, 2020, the instructor of the procedure agreed to the opening of a period of practical tests, taking as incorporated the preliminary investigation actions, E / 02287/2020, as well as the documents provided by the defendant on October 8, 2020. SIXTH: On November 18, 2020, a resolution proposal was formulated, proposing that the Arroyomolinos City Council be sanctioned with a warning NIF P2801500F, for an infraction of Article 37 of the RGPD, typified in Article 83.4 of the RGPD. SEVENTH: Once the resolution proposal was notified, the defendant submitted a written allegations in which, in summary, it stated: "FIRST.- That on September 28, 2020 it was awarded by Decree No. 2497/2020 technical assistance service contract for support and update in information security (ENS) and personal data protection (RGPD-LOPGDD) and Data Protection Delegate Service, for a period of 12 months to the company Start up CDF S.L. SECOND.- The duty of communication of the appointment of the DPD by this City Council to the AEPD in accordance with the provisions of article 34.3 LOPDGDD. THIRD.- In the proposed resolution of the AEPD it is indicated that “In this case specifically, it has been accredited by virtue of the documents provided with their allegations to the initiation agreement that the complainant has appointed Delegate of Data Protection: START UP, S.L. CIF B33667494. " FOURTH.- Taking into consideration the Judgment of the National Court of 11/29/2013, (Rec. 455/2011), Sixth Law Foundation,what about him warning regulated in article 45.6 of the LOPD and regarding its nature legal notice that "does not constitute a sanction" and that it is "measures corrective measures for the cessation of the activity constituting the offense ”that replace the sanction. The Judgment understands that article 45.6 of the LOPD confers on the AEPD C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 a “power” different from the sanctioning one whose exercise is conditioned to the concurrence of the special circumstances described in the precept. In congruence with the nature attributed to awareness as an alternative to sanction when, given the circumstances of the case, the subject of the offense is not deserving of that, and considering that the object of the warning is the imposition of corrective measures, the aforementioned SAN concludes that when they already had been adopted, the procedure in Law is to agree on the file of the performances ”. In view of all the actions, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts, ACTS FIRST: The claimed person lacks the figure of a data protection delegate. SECOND: The Arroyomolinos City Council, has contributed in the present sanctioning procedure the measures it has adopted, including: Technical assistance services contract for support and update in information security (ENS) and personal data protection (RGPD-LOPDGDD) and Data Protection Delegate Service, for a period of 12 months. Communication of the appointment of the Data Protection Officer: START UP, S.L. CIF B33667494 Decree No. 2497/2020 awarding the service contract and proposal technical-economic of the company START UP CDF S.L. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of The Spanish Agency for Data Protection is competent to resolve this process. II The public administrations act as data controllers of personal character and, on some occasions, they perform functions of managers treatment, for what corresponds to them, following the principle of responsibility proactively, meet the obligations that the RGPD details, among which is included, the Obligation to appoint a data protection officer and communicate it to this AEPD The obligation is imposed by article 37 of the RGPD, which indicates: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 "1. The person in charge and the person in charge of the treatment will designate a delegate of data protection provided that: a) the treatment is carried out by a public authority or body, except those courts that act in the exercise of their judicial function; " Article 37.3 and 4 of the RGPD indicates on the designation of the DPD “When the responsible or the person in charge of the treatment is an authority or public body, may designate a single data protection officer for several of these authorities or bodies, taking into account their organizational structure and size. 4. In cases other than those contemplated in section 1, the controller or the in charge of the treatment or the associations and other bodies that represent categories of managers or managers may designate a protection delegate data or must designate it if required by Union or State law members. The data protection officer may act on their behalf associations and other organizations that represent managers or managers. " The LOPDGDD determines in its article 34.1 and 3: ”Appointment of a delegate of Data Protection " 1. Those responsible and in charge of the treatment must designate a delegate of data protection in the cases provided for in article 37.1 of the Regulation (EU) 2016/679 and, in any case, in the case of the following entities: 3. Those responsible and in charge of the treatment will communicate within ten days to the Spanish Data Protection Agency or, where appropriate, to the authorities autonomic data protection, appointments, appointments and terminations of the data protection delegates both in the cases in which they are obligated to their appointment as in the case in which it is voluntary. The infringement is considered as such in article 83.4.a of the RGPD which states: ”4. The Infractions of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a 39, 42 and 43; " He Article 83.7 of the RGPD indicates: “Without prejudice to the corrective powers of the supervisory authorities under Article 58 (2), each Member State may establish rules on whether, and to what extent, administrative fines can be imposed on public authorities and bodies established in that Member State. " Article 58.2 of the RGPD states: “Each control authority will have all the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 following corrective powers listed below: b) punish any person in charge or in charge of the treatment with warning when the treatment operations have violated the provisions of this Regulation; d) order the person in charge of the treatment that the operations of treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified period ”. In this sense, article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates: 1. The regime established in this article will apply to the treatment of who are responsible or in charge: c) The General Administration of the State, the Administrations of the Communities autonomous entities and the entities that make up the Local Administration. 2 “When the managers or managers listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this law organic, the competent data protection authority will dictate resolution sanctioning them with warning. The resolution will establish Likewise, the measures to be adopted to stop the conduct or to correct the effects of the offense that had been committed. The resolution will be notified to the person in charge of the treatment, the body of the that depends hierarchically, where appropriate, and those affected who had the condition interested party, if applicable. " 4.The resolutions that fall in relation to the measures and actions referred to in the sections previous. 5 will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. " III Article 73 of the LOPDDG indicates: Violations considered serious: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: v) Failure to comply with the obligation to appoint a data protection officer when the appointment of him is required in accordance with article 37 of the Regulations (EU) 2016/679 and article 34 of this organic law. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/7 By means of a written statement, the complainant has stated that he has already designated Delegate of Data Protection. Despite this, the Spanish Agency for Data Protection, sanctions the claimed with a warning sanction since it had to have a delegate from data protection in accordance with the provisions of article 37 of the RGPD, since May 25, 2018, when the RGPD entered into force. Therefore, in accordance with the applicable legislation and the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE the CITY COUNCIL OF ARROYOMOLINOS, with NIF P2801500F, for a violation of Article 37 of the RGPD, typified in Article 83.4 of the RGPD, a warning sanction. SECOND: NOTIFY this resolution to the CITY COUNCIL OF ARROYOMOLINOS.

THIRD: COMMUNICATE this resolution to the Ombudsman, of

in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that according to to the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [1], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/7 administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es

@@ Line 74: / Line 74: @@
 ''Share blogs or news articles here!''
-== English Machine Translation of the Decision ==
-The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
-<pre>
 /7
- Procedimiento Nº: PS/00257/2020
+ Procedure Nº: PS / 00257/2020
-RESOLUCIÓN DE PROCEDIMIENTO SANCIONADOR
+RESOLUTION OF SANCTIONING PROCEDURE
-Del procedimiento instruido por la Agencia Española de Protección de Datos y en base
+Of the procedure instructed by the Spanish Agency for Data Protection and based on
-a los siguientes:
+to the following:
-ANTECEDENTES
+BACKGROUND
-PRIMERO: D. A.A.A. (en adelante, el reclamante) con fecha 20 de enero de 2020
+FIRST: D. A.A.A. (hereinafter, the claimant) dated January 20, 2020
-interpuso reclamación ante la Agencia Española de Protección de Datos. La
+filed a claim with the Spanish Agency for Data Protection. The
-reclamación se dirige contra el Ayuntamiento de Arroyomolinos con NIF P2801500F
+claim is directed against the Arroyomolinos City Council with NIF P2801500F
-(en adelante, el reclamado).
+(hereinafter, the claimed).
-El reclamante manifiesta que recibió a su nombre una notificación del
+The claimant states that he received on his behalf a notification from the
-Ayuntamiento, y en la misma constan los datos y los hechos que motivan la imposición
+City Council, and it contains the data and facts that motivate the imposition
-de una sanción a otra persona.
+of a sanction to another person.
-Por otra parte, señala que el consistorio no tiene Delegado de Protección de
+On the other hand, he points out that the consistory does not have a Delegate for the Protection of
-Datos.
+Data.
-Junto a la reclamación aporta la notificación que le han remitido.
+Together with the claim, he provides the notification that they have sent him.
-SEGUNDO: A la vista de los hechos denunciados en la reclamación y de los
+SECOND: In view of the facts reported in the claim and the
-documentos aportados por el reclamante se traslada al reclamado la reclamación.
+Documents provided by the claimant are transferred to the claimed claim.
-Con fecha 24 de julio de 2020 el reclamado manifiesta: “que el 20 de enero de
+On July 24, 2020, the defendant states: “that on January 20,
-se le comunico al reclamante que el día de la notificación de la Resolución hubo
+, the claimant was informed that on the day of notification of the Resolution there was
-un fallo informático, y en la notificación de su procedimiento se fusionó el cuerpo de la
+a computer failure, and in the notification of its procedure the body of the
-resolución de la anterior notificación. Se procedió por parte del departamento a revisar
+resolution of the previous notification. The department proceeded to review
-las notificaciones generadas, no encontrando ninguna más errónea, asimismo se
+generated notifications, not finding any more erroneous, likewise
-procedió a añadir más controles revisorios de los documentos generados para que
+proceeded to add more revision controls of the documents generated so that
-esta situación no se repita.
+this situation is not repeated.
-Asimismo, se le comunicó que sus datos no han sido cedidos a terceros,
+Likewise, he was informed that his data has not been disclosed to third parties,
-únicamente han sido utilizados para la notificación del procedimiento entre el
+have only been used for the notification of the procedure between the
-reclamante y este Ayuntamiento”.
+claimant and this City Council ”.
-TERCERO: Con fecha 25 de septiembre de 2020, la Directora de la Agencia Española
+THIRD: On September 25, 2020, the Director of the Spanish Agency
-de Protección de Datos acordó iniciar procedimiento sancionador al reclamado, con
+of Data Protection agreed to initiate a sanctioning procedure for the claimed party, with
-arreglo a lo dispuesto en los artículos 63 y 64 de la Ley 39/2015, de 1 de octubre, del
+in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
-Procedimiento Administrativo Común de las Administraciones Públicas (en adelante,
+Common Administrative Procedure of Public Administrations (hereinafter,
-LPACAP), por la presunta infracción del Artículo 37 del RGPD, tipificada en el Artículo
+LPACAP), for the alleged violation of Article 37 of the RGPD, typified in Article
-.4 del RGPD.
+.4 of the RGPD.
-CUARTO: Notificado el citado acuerdo de inicio, el reclamado presentó escrito de
+FOURTH: Once the aforementioned commencement agreement was notified, the defendant submitted a
-alegaciones en el que, en síntesis, manifestaba: “que con fecha 28 de septiembre de
+allegations in which he, in short, he stated: “that on September 28,
-se adjudicó por Decreto nº 2497/2020 contrato de servicios de asistencia técnica
+was awarded by Decree No. 2497/2020 technical assistance services contract
-para el soporte y actualización en materia de seguridad de la información (ENS) y
+to support and update information security (ENS) and
-C/ Jorge Juan, 6 www.aepd.es
+C / Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es
 /7
-protección de datos personales (RGPD-LOPDGDD) y Servicio de Delegado de
+protection of personal data (RGPD-LOPDGDD) and Delegate Service of
-Protección de Datos, por un período de 12 meses.
+Data Protection, for a period of 12 months.
-Con antelación suficiente a la fecha de finalización del contrato y teniendo
+Sufficiently in advance of the contract end date and having
-como base el trabajo realizado por el DPD durante ese tiempo, ya está previsto licitar
+As a basis for the work carried out by the DPD during that time, it is already planned to tender
-públicamente por un máximo de 4 años el Delegado de Protección de Datos, con
+publicly for a maximum of 4 years the Data Protection Officer, with
-objeto de que este Ayuntamiento cuente permanente con dicha figura.
+The aim is that this City Council permanently have this figure.
-En cumplimiento con el deber de comunicación de la designación del DPD por
+In compliance with the duty to communicate the appointment of the DPO by
-este Ayuntamiento a la AEPD a tenor de lo previsto en el artículo 34.3 LOPDGDD, se
+this City Council to the AEPD in accordance with the provisions of article 34.3 LOPDGDD,
-le indican a continuación los datos del mismo: START UP, S.L. CIF B33667494
+The following details indicate: START UP, S.L. CIF B33667494
-Se adjunta al presente escrito: Decreto nº 2497/2020 de adjudicación de
+Attached to this document is: Decree No. 2497/2020 awarding of
-contrato de servicio y propuesta técnica-económica de la empresa Start up CDF S.L.
+service contract and technical-economic proposal of the company Start up CDF S.L.
-en la que se detalla el contenido de las prestaciones a realizar”.
+in which the content of the services to be carried out is detailed ”.
-QUINTO: Con fecha 13 de octubre de 2020, el instructor del procedimiento acordó la
+FIFTH: On October 13, 2020, the instructor of the procedure agreed to the
-apertura de un período de práctica de pruebas, teniéndose por incorporadas las
+opening of a period of practical tests, taking as incorporated the
-actuaciones previas de investigación, E/02287/2020, así como los documentos
+preliminary investigation actions, E / 02287/2020, as well as the documents
-aportados por el reclamado en fecha 8 de octubre de 2020.
+provided by the defendant on October 8, 2020.
-SEXTO: Con fecha 18 de noviembre de 2020 se formuló propuesta de resolución,
+SIXTH: On November 18, 2020, a resolution proposal was formulated,
-proponiendo se sancione con apercibimiento al Ayuntamiento de Arroyomolinos con
+proposing that the Arroyomolinos City Council be sanctioned with a warning
-NIF P2801500F, por una infracción del Artículo 37 del RGPD, tipificada en el Artículo
+NIF P2801500F, for an infraction of Article 37 of the RGPD, typified in Article
-.4 del RGPD.
+.4 of the RGPD.
-SÉPTIMO: Notificada la propuesta de resolución, el reclamado presentó escrito de
+SEVENTH: Once the resolution proposal was notified, the defendant submitted a written
-alegaciones en el que, en síntesis, manifestaba:
+allegations in which, in summary, it stated:
-“PRIMERO.- Que con fecha 28 de septiembre de 2020 se adjudicó por Decreto nº
+"FIRST.- That on September 28, 2020 it was awarded by Decree No.
-/2020 contrato de servicio de asistencia técnica para el soporte y actualización en
+/2020 technical assistance service contract for support and update in
-materia de seguridad de la información (ENS) y protección de datos personales
+information security (ENS) and personal data protection
-(RGPD-LOPGDD) y Servicio de Delegado de Protección de Datos, por un periodo de
+(RGPD-LOPGDD) and Data Protection Delegate Service, for a period of
-meses a la empresa Start up CDF S.L.
+months to the company Start up CDF S.L.
-SEGUNDO.- Se dio cumplimiento al deber de comunicación de la designación del
+SECOND.- The duty of communication of the appointment of the
-DPD por este Ayuntamiento a la AEPD a tenor de lo previsto en el artículo 34.3
+DPD by this City Council to the AEPD in accordance with the provisions of article 34.3
 LOPDGDD.
-TERCERO.- En la propuesta de resolución de la AEPD se indica que “En este caso
+THIRD.- In the proposed resolution of the AEPD it is indicated that “In this case
-concreto, se ha acreditado en virtud de los documentos aportados con sus
+specifically, it has been accredited by virtue of the documents provided with their
-alegaciones al acuerdo de inicio que el reclamado ha designado Delegado de
+allegations to the initiation agreement that the complainant has appointed Delegate of
-Protección de Datos: START UP, S.L. CIF B33667494.”
+Data Protection: START UP, S.L. CIF B33667494. "
-CUARTO.- Tomando en consideración la Sentencia de la Audiencia Nacional de
+FOURTH.- Taking into consideration the Judgment of the National Court of
-/11/2013, (Rec. 455/2011), Fundamento de Derecho Sexto, que sobre el
+/29/2013, (Rec. 455/2011), Sixth Law Foundation,what about him
-apercibimiento regulado en el artículo 45.6 de la LOPD y a propósito de su naturaleza
+warning regulated in article 45.6 of the LOPD and regarding its nature
-jurídica advierte que “no constituye una sanción” y que se trata de “medidas
+legal notice that "does not constitute a sanction" and that it is "measures
-correctoras de cesación de la actividad constitutiva de la infracción” que sustituyen a la
+corrective measures for the cessation of the activity constituting the offense ”that replace the
-sanción. La Sentencia entiende que el artículo 45.6 de la LOPD confiere a la AEPD
+sanction. The Judgment understands that article 45.6 of the LOPD confers on the AEPD
-C/ Jorge Juan, 6 www.aepd.es
+C / Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es
 /7
-una “potestad” diferente de la sancionadora cuyo ejercicio se condiciona a la
+a “power” different from the sanctioning one whose exercise is conditioned to the
-concurrencia de las especiales circunstancias descritas en el precepto. En
+concurrence of the special circumstances described in the precept. In
-congruencia con la naturaleza atribuida al apercibimiento como una alternativa a la
+congruence with the nature attributed to awareness as an alternative to
-sanción cuando, atendidas las circunstancias del caso, el sujeto de la infracción no es
+sanction when, given the circumstances of the case, the subject of the offense is not
-merecedor de aquella, y considerando que el objeto del apercibimiento es la
+deserving of that, and considering that the object of the warning is the
-imposición de medidas correctoras, la SAN citada concluye que cuando éstas ya
+imposition of corrective measures, the aforementioned SAN concludes that when they already
-hubieran sido adoptadas, lo procedente en Derecho es acordar el archivo de las
+had been adopted, the procedure in Law is to agree on the file of the
-actuaciones”.
+performances ”.
-A la vista de todo lo actuado, por parte de la Agencia Española de Protección de Datos
+In view of all the actions, by the Spanish Agency for Data Protection
-en el presente procedimiento se consideran hechos probados los siguientes,
+In this proceeding, the following are considered proven facts,
-HECHOS
+ACTS
-PRIMERO: El reclamado carece de la figura de delegado de protección de datos.
+FIRST: The claimed person lacks the figure of a data protection delegate.
-SEGUNDO: El Ayuntamiento de Arroyomolinos, ha aportado en el presente
+SECOND: The Arroyomolinos City Council, has contributed in the present
-procedimiento sancionador las medidas que ha adoptado, entre las mismas consta:
+sanctioning procedure the measures it has adopted, including:
-Contrato de servicios de asistencia técnica para el soporte y actualización en
+Technical assistance services contract for support and update in
-materia de seguridad de la información (ENS) y protección de datos personales
+information security (ENS) and personal data protection
-(RGPD-LOPDGDD) y Servicio de Delegado de Protección de Datos, por un período de
+(RGPD-LOPDGDD) and Data Protection Delegate Service, for a period of
-meses.
+months.
-Comunicación de la designación del Delegado de Protección de Datos: START
+Communication of the appointment of the Data Protection Officer: START
 UP, S.L. CIF B33667494
-Decreto nº 2497/2020 de adjudicación de contrato de servicio y propuesta
+Decree No. 2497/2020 awarding the service contract and proposal
-técnica-económica de la empresa START UP CDF S.L.
+technical-economic of the company START UP CDF S.L.
-FUNDAMENTOS DE DERECHO
+FOUNDATIONS OF LAW
 I
-En virtud de los poderes que el artículo 58.2 del RGPD reconoce a cada autoridad de
+By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
-control, y según lo establecido en los arts. 47 y 48.1 de la LOPDGDD, la Directora de
+control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
-la Agencia Española de Protección de Datos es competente para resolver este
+The Spanish Agency for Data Protection is competent to resolve this
-procedimiento.
+process.
 II
-Las Administraciones públicas actúan como responsables de tratamientos de datos de
+The public administrations act as data controllers of
-carácter personal y, en algunas ocasiones, ejercen funciones de encargados de
+personal character and, on some occasions, they perform functions of managers
-tratamiento, por lo que les corresponde, siguiendo el principio de responsabilidad
+treatment, for what corresponds to them, following the principle of responsibility
-proactiva, atender las obligaciones que el RGPD detalla, entre las que se incluye, la
+proactively, meet the obligations that the RGPD details, among which is included, the
-obligación de nombrar a un delegado de protección de datos y comunicarlo a esta
+Obligation to appoint a data protection officer and communicate it to this
 AEPD
-La obligación viene impuesta por el artículo 37 del RGPD, que indica:
+The obligation is imposed by article 37 of the RGPD, which indicates:
-C/ Jorge Juan, 6 www.aepd.es
+C / Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es
 /7
-“1. El responsable y el encargado del tratamiento designarán un delegado de
+"1. The person in charge and the person in charge of the treatment will designate a delegate of
-protección de datos siempre que:
+data protection provided that:
-a) el tratamiento lo lleve a cabo una autoridad u organismo público, excepto los
+a) the treatment is carried out by a public authority or body, except those
-tribunales que actúen en ejercicio de su función judicial;”
+courts that act in the exercise of their judicial function; "
-El Articulo 37.3 y 4 del RGPD señala sobre la designación del DPD “Cuando el
+Article 37.3 and 4 of the RGPD indicates on the designation of the DPD “When the
-responsable o el encargado del tratamiento sea una autoridad u organismo público, se
+responsible or the person in charge of the treatment is an authority or public body,
-podrá designar un único delegado de protección de datos para varias de estas
+may designate a single data protection officer for several of these
-autoridades u organismos, teniendo en cuenta su estructura organizativa y tamaño.
+authorities or bodies, taking into account their organizational structure and size.
-. En casos distintos de los contemplados en el apartado 1, el responsable o el
+. In cases other than those contemplated in section 1, the controller or the
-encargado del tratamiento o las asociaciones y otros organismos que representen a
+in charge of the treatment or the associations and other bodies that represent
-categorías de responsables o encargados podrán designar un delegado de protección
+categories of managers or managers may designate a protection delegate
-de datos o deberán designarlo si así lo exige el Derecho de la Unión o de los Estados
+data or must designate it if required by Union or State law
-miembros. El delegado de protección de datos podrá actuar por cuenta de estas
+members. The data protection officer may act on their behalf
-asociaciones y otros organismos que representen a responsables o encargados.”
+associations and other organizations that represent managers or managers. "
-La LOPDGDD determina en su artículo 34.1 y 3: ”Designación de un delegado de
+The LOPDGDD determines in its article 34.1 and 3: ”Appointment of a delegate of
-protección de datos “
+Data Protection "
-. Los responsables y encargados del tratamiento deberán designar un delegado de
+. Those responsible and in charge of the treatment must designate a delegate of
-protección de datos en los supuestos previstos en el artículo 37.1 del Reglamento
+data protection in the cases provided for in article 37.1 of the Regulation
-(UE) 2016/679 y, en todo caso, cuando se trate de las siguientes entidades:
+(EU) 2016/679 and, in any case, in the case of the following entities:
-. Los responsables y encargados del tratamiento comunicarán en el plazo de diez
+. Those responsible and in charge of the treatment will communicate within ten
-días a la Agencia Española de Protección de Datos o, en su caso, a las autoridades
+days to the Spanish Data Protection Agency or, where appropriate, to the authorities
-autonómicas de protección de datos, las designaciones, nombramientos y ceses de
+autonomic data protection, appointments, appointments and terminations of
-los delegados de protección de datos tanto en los supuestos en que se encuentren
+the data protection delegates both in the cases in which they are
-obligadas a su designación como en el caso en que sea voluntaria.
+obligated to their appointment as in the case in which it is voluntary.
-La infracción se contempla como tal en el artículo 83.4.a del RGPD que señala:”4. Las
+The infringement is considered as such in article 83.4.a of the RGPD which states: ”4. The
-infracciones de las disposiciones siguientes se sancionarán, de acuerdo con el
+Infractions of the following provisions will be sanctioned, in accordance with the
-apartado 2, con multas administrativas de 10 000 000 EUR como máximo o,
+paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
-tratándose de una empresa, de una cuantía equivalente al 2 % como máximo del
+in the case of a company, an amount equivalent to a maximum of 2% of the
-volumen de negocio total anual global del ejercicio financiero anterior, optándose por
+total annual global business volume of the previous financial year, opting for
-la de mayor cuantía:
+the highest amount:
-a) las obligaciones del responsable y del encargado a tenor de los artículos 8, 11, 25 a
+a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a
-, 42 y 43;”
+, 42 and 43; "
-El artículo 83.7 del RGPD indica:
+He Article 83.7 of the RGPD indicates:
-“Sin perjuicio de los poderes correctivos de las autoridades de control en virtud del artículo 58, apartado 2, cada Estado miembro podrá establecer normas sobre si se puede, y en qué medida, imponer multas administrativas a autoridades y organismos públicos establecidos en dicho Estado miembro”
+“Without prejudice to the corrective powers of the supervisory authorities under Article 58 (2), each Member State may establish rules on whether, and to what extent, administrative fines can be imposed on public authorities and bodies established in that Member State. "
-El artículo 58.2 del RGPD indica: “Cada autoridad de control dispondrá de todos los
+Article 58.2 of the RGPD states: “Each control authority will have all the
-C/ Jorge Juan, 6 www.aepd.es
+C / Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es
 /7
-siguientes poderes correctivos indicados a continuación:
+following corrective powers listed below:
-b) sancionar a todo responsable o encargado del tratamiento con apercibimiento cuando las operaciones de tratamiento hayan infringido lo dispuesto en el presente Reglamento;
+b) punish any person in charge or in charge of the treatment with warning when the treatment operations have violated the provisions of this Regulation;
-d) ordenar al responsable o encargado del tratamiento que las operaciones de
+d) order the person in charge of the treatment that the operations of
-tratamiento se ajusten a las disposiciones del presente Reglamento, cuando proceda,
+treatment are in accordance with the provisions of this Regulation, where appropriate,
-de una determinada manera y dentro de un plazo especificado”.
+in a certain way and within a specified period ”.
-En tal sentido, el artículo 77.1 c) y 2, 4 y 5 de la LOPGDD, indica:
+In this sense, article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates:
-. El régimen establecido en este artículo será de aplicación a los tratamientos de los
+. The regime established in this article will apply to the treatment of
-que sean responsables o encargados:
+who are responsible or in charge:
-c) La Administración General del Estado, las Administraciones de las Comunidades
+c) The General Administration of the State, the Administrations of the Communities
-autónomas y las entidades que integran la Administración Local.
+autonomous entities and the entities that make up the Local Administration.
-“Cuando los responsables o encargados enumerados en el apartado 1 cometiesen
+“When the managers or managers listed in section 1 commit
-alguna de las infracciones a las que se refieren los artículos 72 a 74 de esta ley
+any of the infractions referred to in articles 72 to 74 of this law
-orgánica, la autoridad de protección de datos que resulte competente dictará
+organic, the competent data protection authority will dictate
-resolución sancionando a las mismas con apercibimiento. La resolución establecerá
+resolution sanctioning them with warning. The resolution will establish
-asimismo las medidas que proceda adoptar para que cese la conducta o se corrijan
+Likewise, the measures to be adopted to stop the conduct or to correct
-los efectos de la infracción que se hubiese cometido.
+the effects of the offense that had been committed.
-La resolución se notificará al responsable o encargado del tratamiento, al órgano del
+The resolution will be notified to the person in charge of the treatment, the body of the
-que dependa jerárquicamente, en su caso, y a los afectados que tuvieran la condición
+that depends hierarchically, where appropriate, and those affected who had the condition
-de interesado, en su caso.”
+interested party, if applicable. "
-.Se deberán comunicar a la autoridad de protección de datos las resoluciones que
+.The resolutions that
-recaigan en relación con las medidas y actuaciones a que se refieren los apartados
+fall in relation to the measures and actions referred to in the sections
-anteriores.
+previous.
-.Se comunicarán al Defensor del Pueblo o, en su caso, a las instituciones análogas
+will be communicated to the Ombudsman or, where appropriate, to similar institutions
-de las comunidades autónomas las actuaciones realizadas y las resoluciones dictadas
+of the autonomous communities the actions carried out and the resolutions issued
-al amparo de este artículo.”
+under this article. "
 III
-El artículo 73 de la LOPDDG indica: Infracciones consideradas graves:
+Article 73 of the LOPDDG indicates: Violations considered serious:
-“En función de lo que establece el artículo 83.4 del Reglamento (UE) 2016/679 se
+"Based on what is established in article 83.4 of Regulation (EU) 2016/679,
-consideran graves y prescribirán a los dos años las infracciones que supongan una
+considered serious and will prescribe after two years the infractions that suppose a
-vulneración sustancial de los artículos mencionados en aquel y, en particular, las
+substantial violation of the articles mentioned therein and, in particular, the
-siguientes:
+following:
-v) El incumplimiento de la obligación de designar un delegado de protección de datos
+v) Failure to comply with the obligation to appoint a data protection officer
-cuando sea exigible su nombramiento de acuerdo con el artículo 37 del Reglamento
+when the appointment of him is required in accordance with article 37 of the Regulations
-(UE) 2016/679 y el artículo 34 de esta ley orgánica.”
+(EU) 2016/679 and article 34 of this organic law. "
-C/ Jorge Juan, 6 www.aepd.es
+C / Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es
 /7
-Mediante escrito de alegaciones el reclamado, ha manifestado que tiene ya designado
+By means of a written statement, the complainant has stated that he has already designated
-Delegado de Protección de Datos.
+Delegate of Data Protection.
-Pese a ello, la Agencia Española de Protección de Datos, sanciona al reclamado con
+Despite this, the Spanish Agency for Data Protection, sanctions the claimed with
-una sanción de apercibimiento ya que éste debió contar con un delegado de
+a warning sanction since it had to have a delegate from
-protección de datos de conformidad con lo establecido en el artículo 37 del RGPD,
+data protection in accordance with the provisions of article 37 of the RGPD,
-desde el 25 de mayo de 2018, momento en el que entró en vigor el RGPD.
+since May 25, 2018, when the RGPD entered into force.
-Por lo tanto, de acuerdo con la legislación aplicable y valorados los criterios de
+Therefore, in accordance with the applicable legislation and the criteria of
-graduación de las sanciones cuya existencia ha quedado acreditada, la Directora de la
+graduation of the sanctions whose existence has been accredited, the Director of the
-Agencia Española de Protección de Datos RESUELVE:
+Spanish Agency for Data Protection RESOLVES:
-PRIMERO: IMPONER al AYUNTAMIENTO DE ARROYOMOLINOS, con NIF
+FIRST: IMPOSE the CITY COUNCIL OF ARROYOMOLINOS, with NIF
-P2801500F, por una infracción del Artículo 37 del RGPD, tipificada en el Artículo 83.4
+P2801500F, for a violation of Article 37 of the RGPD, typified in Article 83.4
-del RGPD, una sanción de apercibimiento.
+of the RGPD, a warning sanction.
-SEGUNDO: NOTIFICAR la presente resolución al AYUNTAMIENTO DE
+SECOND: NOTIFY this resolution to the CITY COUNCIL OF
 ARROYOMOLINOS.
-  TERCERO: COMUNICAR la presente resolución al Defensor del Pueblo, de
+  THIRD: COMMUNICATE this resolution to the Ombudsman, of
-conformidad con lo establecido en el artículo 77.5 de la LOPDGDD.
+in accordance with the provisions of article 77.5 of the LOPDGDD.
-De conformidad con lo establecido en el artículo 50 de la LOPDGDD, la presente
+In accordance with the provisions of article 50 of the LOPDGDD, this
-Resolución se hará pública una vez haya sido notificada a los interesados.
+Resolution will be made public once it has been notified to the interested parties.
-Contra esta resolución, que pone fin a la vía administrativa conforme al art. 48.6 de la
+Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
-LOPDGDD, y de acuerdo con lo establecido en el artículo 123 de la LPACAP, los
+LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
-interesados podrán interponer, potestativamente, recurso de reposición ante la
+Interested parties may file, optionally, an appeal for reconsideration before the
-Directora de la Agencia Española de Protección de Datos en el plazo de un mes a
+Director of the Spanish Agency for Data Protection within a month to
-contar desde el día siguiente a la notificación de esta resolución o directamente
+count from the day after notification of this resolution or directly
-recurso contencioso administrativo ante la Sala de lo Contencioso-administrativo de la
+contentious-administrative appeal before the Contentious-Administrative Chamber of the
-Audiencia Nacional, con arreglo a lo dispuesto en el artículo 25 y en el apartado 5 de
+National High Court, in accordance with the provisions of article 25 and section 5 of
-la disposición adicional cuarta de la Ley 29/1998, de 13 de julio, reguladora de la
+the fourth additional provision of Law 29/1998, of July 13, regulating the
-Jurisdicción Contencioso-administrativa, en el plazo de dos meses a contar desde el
+Contentious-administrative jurisdiction, within a period of two months from the
-día siguiente a la notificación de este acto, según lo previsto en el artículo 46.1 de la
+day following notification of this act, as provided in article 46.1 of the
-referida Ley.
+referred Law.
-Finalmente, se señala que conforme a lo previsto en el art. 90.3 a) de la LPACAP, se
+Finally, it is pointed out that according to to the provisions of art. 90.3 a) of the LPACAP,
-podrá suspender cautelarmente la resolución firme en vía administrativa si el
+may provisionally suspend the final resolution through administrative channels if the
-interesado manifiesta su intención de interponer recurso contencioso-administrativo.
+interested party expresses his intention to file contentious-administrative appeal.
-De ser éste el caso, el interesado deberá comunicar formalmente este hecho mediante
+If this is the case, the interested party must formally communicate this fact through
-escrito dirigido a la Agencia Española de Protección de Datos, presentándolo a través
+letter addressed to the Spanish Agency for Data Protection, presenting it through
-del Registro Electrónico de la Agencia [https://sedeagpd.gob.es/sede-electronicaweb/], o a través de alguno de los restantes registros previstos en el art. 16.4 de la
+of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registries provided for in art. 16.4 of the
-citada Ley 39/2015, de 1 de octubre. También deberá trasladar a la Agencia la
+cited Law 39/2015, of October 1. You must also transfer to the Agency the
-documentación que acredite la interposición efectiva del recurso contenciosoC/ Jorge Juan, 6 www.aepd.es
+documentation proving the effective filing of the contentious appeal C / Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es
 /7
-administrativo. Si la Agencia no tuviese conocimiento de la interposición del recurso
+administrative. If the Agency was not aware of the filing of the appeal
-contencioso-administrativo en el plazo de dos meses desde el día siguiente a la
+contentious-administrative within a period of two months from the day following the
-notificación de la presente resolución, daría por finalizada la suspensión cautelar.
+notification of this resolution would terminate the precautionary suspension.
 -131120
-Mar España Martí
+Mar Spain Martí
-Directora de la Agencia Española de Protección de Datos
+Director of the Spanish Agency for Data Protection
-C/ Jorge Juan, 6 www.aepd.es
+C / Jorge Juan, 6 www.aepd.es
-– Madrid sedeagpd.gob.es
+- Madrid sedeagpd.gob.es
-</pre>