AEPD (Spain) - PS/00257/2020

From GDPRhub
AEPD - PS/00257/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 37 GDPR
LOPDGDD
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 11.01.2021
Fine: None
Parties: Ayuntamiento de Arroyomolinos
National Case Number/Name: PS/00257/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) issued a reprimand against the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a Data Protection Officer (DPO) for more than two years after the entry into force of the GDPR. This breached Article 37 GDPR.

English Summary

Facts

Ayuntamiento de Arroyomolinos was found lacking a Data Protection Officer (DPO).

The defendant has since adopted corrective measures. A DPO has been appointed pursuant to a service contract from 28.09.2020.

Dispute

Was the municipality Ayuntamiento de Arroyomolinos under the obligation to appoint a DPO?

Holding

The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer (Article 37 GDPR). This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR.

The Spanish DPA issued a reprimand against Ayuntamiento de Arroyomolinos for violating Article 37 GDPR. The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


                                                                                1/7


    Procedure No.: PS/00257/2020

                RESOLUTION OF SANCTIONING PROCEDURE


From the procedure instructed by the Spanish Data Protection Agency and based
to the following:

                                  BACKGROUND



FIRST: D. A.A.A. (hereinafter the complainant) dated 20 January 2020
filed a complaint with the Spanish Data Protection Agency. The
claim is directed against the Town Hall of Arroyomolinos with NIF P2801500F
(hereinafter referred to as the Respondent).


       The complainant states that he received on his behalf a notification from
City Council, and it contains the data and facts that motivate the imposition
from a sanction to another person.


       On the other hand, it points out that the consistory does not have a Delegate for the Protection of
Data.

       Together with the complaint, you will provide the notification that you have been sent.


SECOND: In view of the facts denounced in the complaint and the
the documents provided by the claimant are transferred to the claimant.

       On 24 July 2020, the petitioner states: "that on 20 January
2020 the complainant was informed that on the day of notification of the Resolution there was
a computer failure, and in the notification of its procedure the body of the

resolution of the previous notification. The department proceeded to review
the notifications generated, finding none more erroneous, also
proceeded to add further revision controls on the documents generated so that
this situation will not be repeated.


       You were also informed that your data have not been transferred to third parties,
have only been used for the notification of the procedure between
claimant and this Town Hall".

THIRD: On 25 September 2020, the Director of the Spanish Agency

of Data Protection agreed to initiate sanctioning proceedings against the respondent, with
in accordance with Articles 63 and 64 of Law 39/2015 of 1 October on the
Common Administrative Procedure for Public Administrations (hereinafter referred to as the "Common Administrative Procedure"),
LPACAP), for the alleged violation of Article 37 of the GPRS, typified in Article
83.4 of the RGPD.


FOURTH: Once the above-mentioned agreement to initiate the proceedings had been notified, the respondent submitted a letter of
in which he stated, in summary: "that on 28 September
2020 was awarded by Decree No 2497/2020 for technical assistance services
for information security (ENS) support and updating, and

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








protection of personal data (RGPD-LOPDGDD) and Delegate Service of
Data Protection, for a period of 12 months.


       In good time before the date of termination of the contract and having
on the basis of the work carried out by the DPD during this time, it is already planned to call for tenders
publicly for a maximum of 4 years the Data Protection Delegate, with
the aim is for this Town Hall to have this figure permanently.

       In compliance with the duty to communicate the appointment of the DPD by

this City Council to the AEPD in accordance with the provisions of Article 34.3 LOPDGDD, is
the following information is provided: START UP, S.L. CIF B33667494

       Attached to this letter: Decree No. 2497/2020 on the award of
service contract and technical-economic proposal of the company Start up CDF S.L.

which details the content of the services to be provided".

FIFTH: On 13 October 2020, the instructor of the procedure agreed on the
opening of a trial period, with the incorporation of the
preliminary investigation proceedings, E/02287/2020, as well as documents
provided by the respondent on 8 October 2020.


SIXTH: A motion for resolution was tabled on 18 November 2020,
proposing to sanction the Town Hall of Arroyomolinos with a warning
NIF P2801500F, for an infringement of Article 37 of the RGPD, typified in Article
83.4 of the RGPD.


SEVENTH: After notification of the motion for a resolution, the respondent submitted a letter of
allegations in which, in summary, he stated

"FIRST - That on September 28, 2020, it was awarded by Decree No
2497/2020 technical assistance service contract for support and updates in

information security (ENS) and personal data protection
(RGPD-LOPGDD) and the Data Protection Officer Service, for a period of
12 months to the company Start up CDF S.L.

SECOND: The duty to communicate the appointment of the

DPD by this City Council to the AEPD in accordance with the provisions of Article 34.3
LOPDGDD.

THIRD: The proposal for a resolution of the AEPD indicates that "In this case
the evidence is based on the documents provided with their
allegations to the agreement of initiation that the respondent has appointed as Delegate of

Data Protection: START UP, S.L. CIF B33667494."

FOURTH - Taking into consideration the Judgment of the Audiencia Nacional de
29/11/2013, (ECR 455/2011), on the basis of the Sixth
warning regulated in article 45.6 of the LOPD and regarding its nature

legal warns that it "does not constitute a penalty" and that these are "measures
corrective measures for the cessation of the activity constituting the infringement" replacing
sanction. The Decision understands that Article 45.6 of the LOPD confers on the AEPD

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/7








a "power" different from the sanctioning power, the exercise of which is conditional on the
concurrence of the special circumstances described in the precept. At
congruence with the nature attributed to the warning as an alternative to

penalty when, in view of the circumstances of the case, the subject of the offence is not
and considering that the object of the warning is the
imposition of corrective measures, the above-mentioned SAN concludes that where these measures have already
have been adopted, it is appropriate in law to agree to the closure of the
performances".


In view of all that has been done, by the Spanish Data Protection Agency
the following are regarded as established facts in these proceedings,


                                      FACTS


FIRST: The person claimed lacks the figure of a data protection representative.

SECOND: The City Council of Arroyomolinos, has contributed in the present
the measures it has taken, including the penalties it has imposed:

       Technical assistance service contract for support and updates in

information security (ENS) and personal data protection
(RGPD-LOPDGDD) and the Data Protection Officer Service, for a period of
12 months.

       Communication of the appointment of the Data Protection Officer: START

UP, S.L. CIF B33667494

       Decree No 2497/2020 on the award of service contracts and proposals
technical-economic of the company START UP CDF S.L.



                           LEGAL FOUNDATIONS

                                           I

By virtue of the powers conferred on each authority in Article 58(2) of the GPRS

control, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the
the Spanish Data Protection Agency is competent to resolve this
procedure.
                                           II


Public administrations act as data controllers of

and, in some cases, they are in charge of the management of the
processing, for which they are responsible, in accordance with the principle of
proactive, to meet the obligations detailed in the RGPD, including the
obligation to appoint a data protection officer and to notify the latter of his or her
AEPD

The obligation is imposed by Article 37 of the RGPD, which states

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7








"1. The data controller and the processor shall appoint a delegate of
data protection whenever:

(a) the processing is carried out by a public authority or body, except

courts acting in their judicial capacity

Article 37.3 and 4 of the RGPD states about the designation of the DPD "When the
the controller or the person responsible for the processing is a public authority or
may appoint a single data protection officer for several of these

authorities or bodies, taking into account their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the person responsible or
processing agent or associations and other bodies representing
categories of managers or supervisors may appoint a delegate of protection
or must designate it if required by Union or national law

members. The Data Protection Officer may act on behalf of these
associations and other bodies representing decision-makers or managers"

The LOPDGDD determines in its article 34.1 and 3: "Designation of a delegate of

data protection "

1. Data controllers and processors must appoint a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:

3. Data controllers and processors shall communicate within ten
days to the Spanish Data Protection Agency or, where appropriate, to the authorities

data protection, appointments, appointments and dismissals of employees
the data protection delegates both in cases where they are
obliged to be appointed as in the case of voluntary appointment.



The infringement is contemplated as such in Article 83.4.a of the RGPD which states: "4. The
infringements of the following provisions shall be penalised in accordance with the
paragraph 2, with administrative fines of up to EUR 10 000 000 or
in the case of an enterprise, an amount equivalent to a maximum of 2 % of
total annual turnover for the previous financial year, opting for
the largest:


(a) the obligations of the person responsible and of the person appointed under Articles 8, 11, 25 to
39, 42 y 43;”


Article 83.7 of the RGPD states:

"Without prejudice to the corrective powers of the supervisory authorities under the ar-
in accordance with Article 58(2), each Member State may lay down rules as to whether or not a
of, and to what extent, imposing administrative fines on public authorities and bodies

public bodies established in that Member State"


Article 58(2) of the GPRS states: "Each supervisory authority shall have all the
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7








the following corrective powers are indicated below:

(b) sanction any person responsible for or in charge of the processing, with a warning as to how
if the processing operations have infringed the provisions of this Regulation, the
mento;

(d) order the controller or processor to carry out the processing operations
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time".


In this sense, Article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates:

1. The regime established in this article shall apply to the processing of
who are responsible or in charge:

c) The General State Administration, the Community Administrations

the local authorities and the entities that make up the local administration.

2 "Where the persons responsible for, or in charge of, the activities listed in paragraph 1 commit
any of the offences referred to in articles 72 to 74 of this law
authority shall issue an opinion on the matter
resolution sanctioning them with a warning. The resolution will establish

also the measures to be taken to ensure that the conduct ceases or is corrected
the effects of the infringement that has been committed.

The decision shall be notified to the controller or processor, to the
that is hierarchically dependent, where appropriate, and to those affected who have the status
of interested party, if any."


4.The data protection authority must be informed of decisions that
be made in connection with the measures and actions referred to in paragraphs
previous.

5.They shall be communicated to the Ombudsman or, where appropriate, to similar institutions

of the autonomous communities the actions taken and the decisions handed down
under this article."


                                             III


Article 73 of the LOPDDG states Infringements considered serious:

"In accordance with Article 83(4) of Regulation (EU) 2016/679, the
consider serious and will prescribe after two years any infringements involving a
substantial breach of the articles mentioned in that one, and in particular the

following:

(v) Failure to comply with the obligation to appoint a data protection representative
when his appointment is required in accordance with Article 37 of the Regulation
(EU) 2016/679 and article 34 of this organic law"



C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/7








By means of a statement of claim, the respondent has stated that he has already designated
Data Protection Delegate.




In spite of this, the Spanish Data Protection Agency has sanctioned the complainant with
a penalty of a warning, since the latter must have had a delegate from
data protection in accordance with article 37 of the RGPD,
from 25 May 2018, when the RGPD came into force.




Therefore, in accordance with the applicable legislation and assessed on the basis of
graduation of the sanctions whose existence has been accredited, the Director of
Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE on the ARROYOMOLINOS CITY COUNCIL, with NIF
P2801500F, for a violation of Article 37 of the GPRS, as defined in Article 83.4
of the RGPD, a warning sanction.


SECOND: TO NOTIFY this resolution to the CITY COUNCIL OF
ARROYOMOLINOS.

THIRD: To communicate this resolution to the Ombudsman, of

in accordance with the provisions of Article 77.5 of the LOPDGDD

In accordance with the provisions of Article 50 of the LOPDGDD, this
The decision will be made public after it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the

LOPDGDD, and in accordance with Article 123 of the LPACAP, the
the interested parties may, on an optional basis, lodge an appeal for reversal with the
Director of the Spanish Data Protection Agency within one month to
counting from the day following notification of this resolution or directly
contentious-administrative appeal to the Administrative Chamber of the

Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of the
referred to Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, it is
may suspend, as a precautionary measure, the final administrative decision if the
the applicant states that he intends to bring an administrative appeal.
If this is the case, the interested party must formally communicate this fact by
written to the Spanish Data Protection Agency, submitting it through

from the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in Article 16.4 of the
the aforementioned Law 39/2015 of 1 October. It must also transfer to the Agency the
documentation proving the effective filing of the contentious action
administrative. If the Agency is not aware that the action has been brought

administrative proceedings within two months of the day following the
notification of the present resolution, would terminate the precautionary suspension.
                                                                                              938-131120
Mar Spain Martí

Director of the Spanish Data Protection Agency