AEPD (Spain) - PS/00274/2019

From GDPRhub
AEPD - PS/00274/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 5 of the Spanish Law on Personal Data Protection and Digital Rights Guarantee (LOPDGDD)
Article 74 of the Spanish Workers Statute
Spanish law (RD 1846/1994) on public workers elections
Article 6(2) of the Spanish law (RD 1844/1994) on private workers elections
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 06.10.2020
Fine: 3000 EUR
Parties: Central Sindical Independiente y de Funcionarios CSI-CSIF
National Case Number/Name: PS/00274/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

6 October 2020 - The Spanish Data Protection Agency (AEPD) decided to impose a fine up to 3,000 € on the public workers union Central Sindical Independiente y de Funcionarios CSI-CSIF (the defendant) for the infringement of the integrity and confidentiality principle, as per Article 5(1)(f) of the GDPR.

English Summary

Facts

The decision is the consequence of a complaint submitted by a Spanish citizen stating that the union representative of the defendant had openly published an electoral census list (which was exclusive of the union and contained personal data such as the ID numbers of all voters considered regular staff) in an open WhatsApp group (in which almost all the workers of the radiodiagnosis Madrid central unit are included).

Dispute

The defendant answered to the first AEPD investigation requests stating that: (i) it considered that the data publication was legally covered by the Spanish law on public workers elections, (ii) the publication was made during a legal elections process and due to the request of several members of the WhatsApp group (in which the claimant was included), as they had some difficulties to access the intranet of the union in which such data were already published. The defendant also answered to the subsequent evidence investigation requests by the AEPD stating that: (i) the resolution proposal is not doing an adequate balance of the right to union freedom and the right to the data protection, (ii) there is public interest and legitimate interest in the data processing made by the publication of such data, as it was in the interest of the workers, (iii) there has never been a lack of responsibility in the acts of the union representative, (iv) all the members at the WhatsApp group accessed such information voluntarily, including the claimant, as they are also included in such electoral census list, (v) the communication area claimed is less than other publication media used by the electoral census, (vi) the union is concerned about data protection, and so it contracted the corresponding law firm in order to ensure a full compliance of the regulation, (vii) the claimant avoided to use the reporting channels offered by the defendant. After the investigation process, the AEPD started the corresponding sanction procedure, and understood that: (i) the processing activity consisting of the publication of the personal data would only be legal if its covered by Article 6(1) GDPR, (ii) with basis on several other Spanish regulations, (such as the Worker's Statute, the Spanish law on public workers elections, the Spanish law on private workers elections) there is neither a legal basis to do such publication in the way it has been made, as it shall be made by the polling station at the notice board, (iii) the publication cannot be legally covered by the legitimate interest neither, as the specific personal data published by the union representative were excessive to the alleged purpose, (iv) regarding the balance over data protection right and union freedom right, the union was never obliged to do such publication, so it significantly surpassed the boundaries of Spanish labour law to that respect.

The AEPD started the corresponding sanction procedure.

Holding

Thus, the AEPD understood that the defendant has infringed the integrity and confidentiality principle included at Article 5(1)(f) GDPR. Consequently, after considering some circumstances [(i) the local scope of the processing activity made by the defendant, (ii) the number of persons affected by the processing activity, (iii) there is no evidence that the defendant has adopted any measures in order to prevent such issues to happen again in the future, (iv) there is no evidence of wilful misconduct by the defendant, even being this issue a very serious breach of the law, (v) the link between the activity of the defendant and the processing of personal data, and (vi) the defendant has not the consideration of big company, despite it represents a big number of public workers throughout the country], the AEPD decided to impose a fine of 3,000 € to the defendant.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Page 1
1/12 Procedure No.: PS / 00274/2019RESOLUTION OF SANCTIONING PROCEDUREOf the procedure instructed by the Spanish Agency for Data Protection andbased on the followingBACKGROUNDFIRST: Ms. AAA (hereinafter, the claimant) filed on 04/04/2019claim before the Spanish Agency for Data Protection. The claim isdirected against the CENTRAL SINDICAL INDEPENDIENTE Y DE OFFICIALS CSI-CSIF , with NIF G79514378 (hereinafter, the claimed one). The reasons on which theclaim are, in summary, the following:The CSIF union delegate has published in an open WhatsApp group in whichare almost all the workers of the Central Radiodiagnosis Unit ofthe Community of Madrid, a list of the electoral census that was exclusively publicizedfor unions and in this list there are data such as the DNI of all votersthat form the statutory staff.SECOND: Upon receipt of the claim, the Subdirectorate General ofData Inspection proceeded to carry out the following actions:On 05/07/2019, the claim submitted for analysis was transferred to the defendantand communication to the complainant of the decision taken in this regard. Likewise,required him to send within a month to the determined Agencyinformation:- Copy of the communications, of the adopted decision that has been sent to theclaimant regarding the transfer of this claim, and accreditation thatthe claimant has received the communication of that decision.- Report on the causes that have motivated the incidence that has originated theclaim.- Report on the measures adopted to prevent the occurrence ofsimilar incidents.- Any other that you consider relevant.On the same date, the claimants were notified of the receipt of theirclaims and their transfer to the claimed entity.On 05/24/2019, the DPD of the CSIF sent a letter stating that based onin the provisions of articles 14 and 18 of RD 1846/1994, which approves theRegulation of elections of the personnel at the service of the Public Administrations, andsince the aforementioned census data are accessible by all the personnel of theCentral Radiodiagnosis Unit of the Community of Madrid through itsC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/12intranet, the claim is dismissed because the incident caused is coveredin the current legislation.THIRD: On 06/17/2019, in accordance with article 65 of the LOPDGDD, theDirector of the Spanish Data Protection Agency agreed to admit for processing theclaim filed by the claimant against the defendant.FOURTH: On 11/22/2019, the Director of the Spanish Protection Agencyof Data agreed to initiate a sanctioning procedure against the claimed party, for the allegedinfringement of article 5.1.f) of the RGPD, sanctioned in accordance with the provisions of theArticle 58.2.a) of the aforementioned RGPD.FIFTH: The aforementioned initiation agreement has been notified, in writing of 12/05/2019 the claimedpresented a brief of allegations in which, in summary, it stated the following: thatconsidered that there is legal protection for the publication of the data and in themade and that the argument that the electoral roll list is for publicityexclusive to unions is inaccurate; that the communication was made by whatsappwithin the framework of a process of union elections protected by article 28 of theConstitution, at the request of several members of the WhatsApp group who haddifficulties in accessing the intranet where the data of thecensus and that each and every one of the members of the group in which thecensus voluntarily agreed including the complainant who are at the same timemembers of said census and that the real reason for the claim is inserted in aelection period since the claimant belongs to a union other than CSIF thathe went to the elections.SIXTH: On 02/12/2020 the opening of a period of practice oftests, remembering the following:Considering reproduced for evidentiary purposes the claim filed by theclaimant and its documentation, the documents obtained and generated by theInspection services that are part of the file.Consider reproduced for evidentiary purposes, the allegations to the initiation agreementpresented by the claimed and the documentation that accompanies them.Request from the claimant a copy of the documentation in her possessionregarding the sanctioning procedure that for whatever reason had not beenprovided at the time of the complaint or any other manifestation in relation towith the denounced facts.SEVENTH: On 07/08/2020, the complainant presented a brief of allegations in whichpointed out, in summary, the following: that the proposal omits due weightingbetween the right to freedom of association and the right to data protection in matterthat affects both rights; the concurrence of public interest and legitimate interestin the treatment of the data since the information released was of public relevance orof general interest to workers; that there has been no lack of diligence inthe performance of the union delegate; that the members of the whatsapp group in thethat the census was reported, voluntarily acceded to it, including the complainant, andthey are members of that same census; that the communication scope of thepersonal data that is reported is inferior to the other means of publication of theelectoral census; that the union cares about adequate data protectionpersonal information of citizens and for that reason signed a contract with the cabinetC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/12legal *** CABINET.1 , a company specialized in the protection ofdata, which implemented in it the necessary channels to comply with theprovided in the LOPD, appointment of the Data Protection Delegate, etc., whichthe complainant eluded the complaint channels and other means that CSIF offers; hearchive of proceedings.EIGHTH: Of the actions carried out, the following have been accredited,PROVEN FACTSFIRST. The 04/04/2019 has a written entry in the AEPD stating that theCSIF union delegate had posted in an open WhatsApp group in whichare almost all the workers of the Central Radiodiagnosis Unit ofthe Community of Madrid, a list of the electoral census of exclusive advertising forunions, including data such as the DNI of all the voters who make up thestatutory staff; that the census that is published on the boards and to which they haveaccess to workers does not include the DNI.SECOND. A copy of the WhatsApp application is provided in which a list of theelectoral census, appearing next to the names and surnames, the DNI number.THIRD . The complainant in writing dated 05/24/2019 has stated that: “there islegal protection for the publication of the data and in the way it has been done,more when neither of the two mentioned precepts differentiates between census forpublish on the boards, and census to communicate to the unions, or what is the samethat the census published on the boards does not contain the same data as in thecensus that are communicated to the unions. At the same time it enables to make it public betweenthe functionaries".FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority, and as established in articles 47 and 48 of the LOPDGDD,the Director of the Spanish Data Protection Agency is competent to initiateand to solve this procedure.IIThe claimed facts are specified in the publication through a groupWhatsApp open that contains the majority of the Unit's workersCentral Radiodiagnosis of the Community of Madrid, from the census listelectoral in which the data of the DNI number of those appears.Such treatment could be constitutive of an infringement of article 5,Principles relating to treatment , of the RGPD that establishes that:"one. The personal data will be:(…)f) treated in such a way as to guarantee adequate security for thepersonal data, including protection against unauthorized or illegal processing andC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/12against their loss, destruction or accidental damage, by applying measuresappropriate technical or organizational ("integrity and confidentiality").(…) "Article 5, Duty of confidentiality , of the new Organic Law 3/2018, of 5December, Protection of Personal Data and guarantee of digital rights(hereinafter LOPDGDD), states that:"one. Those responsible and in charge of data processing as well as allpeople who intervene in any phase of this will be subject to the duty ofconfidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.2. The general obligation indicated in the previous section will be complementaryof the duties of professional secrecy in accordance with its applicable regulations.3. The obligations established in the previous sections will be maintainedeven when the relationship between the obligated party and the person in charge or manager has endedtreatment ”.IIIThe documentation in the file shows that the defendantviolated article 5 of the RGPD, principles relating to treatment , in relation to theArticle 5 of the LOPGDD, duty of confidentiality , in relation to the incidentproduced: sending to an open group of WhatsApp the list of the electoral rollincluding the data of the voter DNI number.This duty of confidentiality should be understood to be intended to avoidthat there are leaks of the data not consented to by the owners of the same.Therefore, this duty of confidentiality is an obligation incumbent upon notonly to the person in charge and in charge of the treatment but to everyone who intervenes inany phase of the treatment and complementary to the duty of professional secrecy.In the case examined, the processing of personal data that the delegateCSIF union carried out by publishing, through an open group inthe WhatsApp social network aimed at the majority of the Unit's workersCentral Radiodiagnosis of the Community of Madrid, from the census listelectoral system in which, in addition to the name and surname, the data of the DNI numberof voters would be lawful as long as the premises of article 6.1 of the RGPD are met.In light of what is indicated in the aforementioned article, only data may be processedwhen they have the consent of the persons in question, in the exercise of acontractual obligation, to comply with a legal obligation, when the treatmentis necessary for the fulfillment of a mission carried out in the public interest, toprotect the vital interests of the data subject or to satisfy the legitimate interests ofyour organization.In short, the treatment of the claimant's personal data carried outout would only be lawful as long as any of the premises of the aforementionedArticle 6.1 of the RGPD.Thus, there would be no legal basis to legitimize the processing of personal data.of the claimant for the purpose pursued based on consent, which in theThis case does not occur since the claimant opposes it.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/12Nor will there be legal protection for the publication of the data in the form inthat has been carried out, through an open group of WhatsApp.The Workers' Statute in its article 74, Functions of the Board , statesthat “In the case of elections to members of the works council, thepolling station will request the employer for the labor census and will draw up, with themeans that it will provide him, the list of voters. This will be made public innotice boards by exposing them for a period of no less than seventy-fivetwo hours".On the other hand, article 6.2 of Royal Decree 1844/1994, of September 9,by which the Regulations for elections to Representative Bodies ofWorkers in the Company provide that: “In the elections for Delegates ofStaff and members of the Company Committee, communicated to the company the purposeto hold elections for their promoters, this, within seven days, will givetransfer of said communication to the workers who must constitute the table and inthe same term will send the constituents of the polling station the labor census,with an indication of the workers who meet the age and seniority requirements, inthe terms of article 69.2 of the Workers' Statute, precise to showthe status of voters and eligible.The polling station will make public, among workers, the labor census withindication of who are voters and eligible in accordance with article 69.2 of theWorkers' Statute, which will be considered for voting purposes as a listof voters.In the case of elections for Works Councils, the list of voters andeligible will be made public on the notice boards for a period of no less thanseventy-two hours ..Also the Regulation of elections of the personnel at the service of thePublic Administrations approved by Royal Decree 1846/1994, of 9 DecemberSeptember in its article 14, Electoral Census , establishes:"one. The Administration will refer the officials who should constitute the tableelectoral coordinator or, where appropriate, to the single electoral table the census ofofficials adjusted to the standard model, within twelve business daysfrom receipt of the election promotion letter.In the aforementioned census, the name, two surnames, sex, date will be recordedof birth, national identity document and seniority recognized in thepublic function, of all officials of the electoral unit.2. The coordinating polling station will draw up the list of voters, according toin accordance with article 16 of Law 9/1987, with the means that will facilitate theAdministration.In case of elections to Personnel Boards, the list will be made public in thenotice boards by exposing them for a period of no less than seventy-fivetwo hours.Once the claims to the provisional list have been received, submitted untiltwenty-four hours after the end of the exposure period mentioned in theprevious section, the coordinating polling station will resolve them and publish the listdefinitive number of voters within twenty-four hours after the end of theprocedure described above. In the same period, it will determine the number ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/12representatives to be elected in the electoral unit, in accordance withArticles 5 and 8 of Law 9/1987.(…)And in its article 18 "Elections to Personnel Delegates", it states that:"one. In the case of elections to Personnel Delegates, the managing bodyof personnel, within the same period of article 7 of these Regulations, will send thecomponents of the polling station census of officials, which will be adjusted, to theseeffects, to normalized model.2. The polling station will fulfill the following functions:a) Make the census public among the officials indicating who they arevoters.b) Set the number of representatives and the deadline for the presentation ofcandidacies.(…) "In view of the transcribed precepts, there is no legal basis for publicationof the data in the form in which it has been made, names and surnames together with the number ofDNI, through an open group of whatsapp in which the majority ofthe workers of the Central Radiodiagnosis Unit of the Community ofMadrid.Who has the responsibility to publish the census data is the BureauElectoral and the aforementioned publication must be made on the notice board so thatcan be endorsed by voters in order to rectify possible errors.And this publication on the board does not violate the legislation on protectionof personal data. Finally, it must be said that the RGPD does notexpress mention of this particular particular, therefore, does not modify the legislationhad to date.The complainant considers that the basis that legitimizes the processing of the data of theclaimant is in the legitimate interest, that is, that the treatment ofpersonal data made through the publication on the social network watsappIt sought to satisfy the exercise of the right to freedom of association.Now, this requires that the pursued interests do not prevail over theinterests or fundamental rights and freedoms of the interested party that require theprotection of personal data, that is, it requires weighing the interests at staketo conclude whether or not the right to freedom of association should prevail or notof the claimant to their privacy.Regarding legitimate interest as a legal basis for data processingpersonal data of third parties, Recital 47 of the RGPD says:<< The legitimate interest of a data controller, including that of aresponsible to whom personal data may be communicated, or of a third party, mayconstitute a legal basis for the treatment, provided that theinterests or the rights and freedoms of the interested party, taking into account thereasonable expectations of stakeholders based on their relationship to theresponsable. Such a legitimate interest could occur, for example, when there is a relationshiprelevant and appropriate between the data subject and the controller, such as in situationsC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 7
7/12those that the interested party is a client or is at the service of the person in charge. In any case,the existence of a legitimate interest would require a careful assessment, even ifa data subject can reasonably foresee, at the time and in the context of thecollection of personal data, which may be processed for this purpose. InIn particular, the interests and fundamental rights of the interested party couldprevail over the interests of the data controller when proceeding to theprocessing of personal data in circumstances in which the interested party does notreasonably expect further treatment to take place. Since it correspondsthe legislator establish by law the legal basis for the processing of personal databy public authorities, this legal basis should not apply to thetreatment carried out by public authorities in the exercise of their functions. Heprocessing of personal data strictly necessary for preventionfraud is also a legitimate interest of the person responsible for the treatment ofin question. The processing of personal data for direct marketing purposesIt can be considered done for legitimate interest. >>In accordance with the facts at hand, it must be concluded that thetreatment carried out by the CSIF union delegate, through the publicationin a whatsapp group containing most of the Unit's workersCentral Radiodiagnosis of the Community of Madrid, I provide information that does notIt was relevant to the purposes of exercising the aforementioned freedom of association, quite the oppositesince the data provided, list of the census that included the personal dataof the DNI, must be classified as excessive.The processing of data concerning the workers included in the listof the census released is not legal because it did not find protection in the article6.1.f) of the RGPD.In consideration of the foregoing, taking into account that the union delegate of theCSIF unlawfully processed certain personal data that were alien to the intereststrade unions at stake by revealing the ID number of the members of theWhatsApp group, it is concluded that the defendant is responsible for a violation of thearticle 5.1.f), in relation to article 6.1 of the RGPD.The violation of article 5.1.f) of the RGPD is typified in article 83.5.a)of the RGPD. The LOPDGDD, for the purposes of prescription, in its article 72.1.a) qualifies thisvery serious infraction.IVThe defendant has alleged that or has taken into account the weighting between theexercise of the right to freedom of association and the right to data protectionpersonal rights, and freedom of association must prevail in the event that the union hasacted in legitimate exercise of their right to freedom of association in the aspect of theirright to inform about of interest to workers.Regarding the right to freedom of association, it should be noted that thetrade union organizations have recognized a series of competencies for theexercise of their union representation functions and that are protected by theright to freedom of association recognized in article 28.1 of the Constitution,developed through Organic Law 11/1985, of August 2, on Freedom of Association.Union activity includes the right to promote elections and presentcandidacies for the election of company committees and personnel delegates, whichit implies the realization of an electoral campaign and the publication of an electoral census.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 8
8/12Well, in the present case and as stated in the proven facts andpoints out in previous foundations the incidence produced refers to the publication toThrough an open WhatsApp group from the electoral roll listing in which it appearsthe data of the DNI number.The freedom of association law recognizes in its article 8.1. C) the right to receive theinformation that your union sends you and in the same article, section 2.a),recognizes the right that in order to facilitate the dissemination of those noticesthat may be of interest to union members and workers in general, theThe company will put at your disposal a notice board that should be placed in theworkplace and in a place where adequate access to it is guaranteed by theworkers.In the case we are examining, the right to freedom of association embodied in theinformation provided through the social network is fully satisfied without needto go to said medium so that nothing leads to the right to freedom of association.It is essential to take into account that no obligation had theunion to publish the electoral roll including personal data of theworkers and this because the regulations governing union elections do notimposes in this regard as previously indicated.For all the foregoing, it must be concluded that the action of the recurring UnionIt has notably exceeded the limits in which its performance was protectedfor the legitimate performance of their freedom of association and the omission of advertisingcarried out through the social network would not have implied any kind of impairment inrelation to the exercise of freedom of association and, on the contrary, would have safeguarded theright of the claimant in relation to personal data as relevant as theDNI.VArticle 83.5 a) of the RGPD, considers that the infringement of “the principlesbasic for the treatment, including the conditions for consent in accordance withof articles 5, 6, 7 and 9 ” is punishable, in accordance with section 5 of thementioned article 83 of the aforementioned RGPD, “with administrative fines of € 20,000,000at most or, in the case of a company, an amount equivalent to 4% asmaximum total annual global business volume of the previous financial year,opting for the highest amount ”.And the LOPDGDD in its article 72 indicates for the purposes of prescription: "Infractionsconsidered very serious:1. In accordance with the provisions of article 83.5 of the Regulation (EU)2016/679 are considered very serious and will prescribe after three years the infractions thatsuppose a substantial violation of the articles mentioned in that and, inin particular, the following:a) The processing of personal data violating the principles and guaranteesestablished in article 5 of Regulation (EU) 2016/679.(…) "SAWC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 9
9/12In order to establish the administrative fine to be imposed, they mustobserve the provisions contained in articles 83.1 and 83.2 of the RGPD, whichpoint out:"one. Each supervisory authority shall ensure that the imposition of finesadministrative under this article for the infractions of thisRegulations indicated in paragraphs 4, 5 and 6 are in each individual caseeffective, proportionate and dissuasive.2. Administrative fines will be imposed, depending on the circumstancesof each individual case, as an additional or substitute for the measures contemplatedin article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fineadministrative and its amount in each individual case will be duly taken into account:a) the nature, severity and duration of the offense, taking into account thenature, scope or purpose of the processing operation in questionas well as the number of affected stakeholders and the level of damage anddamages they have suffered;b) intentionality or negligence in the infringement;c) any measure taken by the controller or processorto mitigate the damages suffered by the interested parties;d) the degree of responsibility of the person in charge of thetreatment, taking into account the technical or organizational measures that haveapplied by virtue of articles 25 and 32;e) any previous infringement committed by the person in charge or the person in charge of thetreatment;f) the degree of cooperation with the supervisory authority in order toremedy the violation and mitigate the possible adverse effects of the violation;g) the categories of personal data affected by the infringement;h) the way in which the supervisory authority learned of the infringement, inparticular if the person in charge or the person in charge notified the infringement and, in such case,what extent;i) when the measures indicated in Article 58 (2) have beenpreviously ordered against the person in charge or the person in chargein relation to the same matter, compliance with said measures;j) adherence to codes of conduct under article 40 or to mechanismscertification approved in accordance with Article 42, andk) any other aggravating or mitigating factor applicable to the circumstances of thecase, such as financial benefits obtained or losses avoided, director indirectly, through infringement.In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in itsArticle 76, “Sanctions and corrective measures”, establishes that:"two. In accordance with the provisions of article 83.2.k) of Regulation (EU)2016/679 may also be taken into account:a) The continuing nature of the offense.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 10
10/12b) The linking of the offender's activity with the performance of treatmentsof personal data.c) The benefits obtained as a result of the commission of the offense.d) The possibility that the affected person's conduct could have led to thecommission of the offense.e) The existence of a merger process by absorption after the commissionof the infringement, which cannot be attributed to the absorbing entity.f) Affecting the rights of minors.g) To have, when not mandatory, a delegate for the protection ofdata.h) The submission by the person in charge or in charge, with charactervoluntary, to alternative dispute resolution mechanisms, in thosecases in which there are controversies between those and anyinterested."In accordance with the transcribed precepts, and without prejudice to what results from theinstruction of the procedure, in order to fix the amount of the fine sanction toimpose in the present case for the offense typified in article 83.5.a) of the RGPDfor which CSI-CESIF is responsible, in an initial assessment, it is estimatedconcurrent the following factors:The merely local scope of the treatment carried out by the entityclaimed.The number of treatment and people affected by the offending conduct,all members of the Central Radiodiagnosis Unit of the Community ofMadrid.There is no evidence that the claimed entity has adopted measures to preventproduce similar incidents.There is no evidence that the defendant acted fraudulently,although the performance reveals a lack of diligence.The linking of the offender's activity with the performance of treatment ofPersonal data.The claimed entity is not considered a large company, althoughrepresents a large number of members among the workers and employees of the country.Therefore, in accordance with the applicable legislation and the criteria ofgraduation of sanctions whose existence has been proven,The Director of the Spanish Agency for Data Protection RESOLVES:FIRST: IMPOSE the INDEPENDENT SINDICAL ANDCSI-CSIF OFFICIALS, with NIF G79514378, for an infraction of article5.1.f) of the RGPD, typified in article 83.5.a) of the RGPD, and considered for the purposes ofprescription as very serious in article 72.1.a) of the LOPDGDD, a sanction of€ 3,000 (three thousand euros).C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 11
11/12SECOND: NOTIFY this resolution to CENTRAL SINDICALINDEPENDENT AND OFFICIALS CSI- CSIF, with NIF G79514378.THIRD: Warn the sanctioned person that the sanction imposed by aOnce this resolution is enforceable, in accordance with the provisions of theart. 98.1.b) of Law 39/2015, of October 1, on Administrative ProcedureCommon of Public Administrations (hereinafter LPACAP), within the payment periodvoluntary established in art. 68 of the General Collection Regulations, approvedby Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,of December 17, by means of their entry, indicating the NIF of the sanctioned person and the numberof procedure that appears in the heading of this document, in the accountrestricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the AgencySpanish Data Protection Agency in the bank CAIXABANK, SA. In caseOtherwise, it will be collected in the executive period.Once the notification has been received and once it is executed, if the date of execution isfinds between the 1st and 15th of each month, both inclusive, the deadline to carry out thevoluntary payment will be until the 20th of the following or immediately subsequent business month, and ifis between the 16th and last days of each month, both inclusive, the term of thePayment will be up to the 5th of the second following or immediate business month.In accordance with the provisions of article 50 of the LOPDGDD, theThis Resolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to the administrative procedure in accordance with art.48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of theLPACAP, the interested parties may optionally file an appeal for reversalbefore the Director of the Spanish Agency for Data Protection within a period ofmonth from the day after notification of this resolution or directlycontentious-administrative appeal before the Contentious-Administrative Chamber of theNational High Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-administrative jurisdiction, within a period of two months from theday following notification of this act, as provided in article 46.1 of thereferred Law.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of theLPACAP, the final resolution may be suspended in an administrative wayIf the interested party expresses his intention to file a contentious appeal-administrative. If this is the case, the interested party must formally communicate thismade by writing to the Spanish Agency for Data Protection,Presenting it through the Electronic Registry of the Agency[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the restrecords provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Toomust forward to the Agency the documentation that proves the effective filingof the contentious-administrative appeal. If the Agency is not aware of thefiling of the contentious-administrative appeal within a period of two months from theday after the notification of this resolution, would terminate theprecautionary suspension.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 12
12/12
Mar España Martí
Director of the Spanish Agency for Data Protection