AEPD (Spain) - PS/00285/2020
From GDPRhub
| AEPD - PS/00285/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR Article 37 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 26.03.2021 |
| Fine: | None |
| Parties: | FEDERACIÓN DE BALONMANO DEL PRINCIPADO DEASTURIAS |
| National Case Number/Name: | PS/00285/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD decision (in ES) |
| Initial Contributor: | n/a |
The AEPD warned the Asturian Handball Federation for not having appointed a DPO and not having complied with Article 13 GDPR.
English Summary
Facts
A claimant filed a complaint with the DPA to report several infringements of the GDPR coming from the Asturian Handball Federation. They alleged that the federation did not have a DPO, that they did not obtain valid consent from the children above 14 or their parents, nor they verified the legitimacy of such consent, that they were publishing photos of minors without such consent, that they did not inform about the data processed according to Article 13 GDPR and that they made reference in their privacy policy to the old Spanish Data Protection Act.
The Asturian Handball Federation alleged that they had two websites, one with domain .es and another with .com, and that they were coexisting due to an administrative error. The old one was not up-to-date, what is what caused the reference to the old Data Protection Act and the fact that they had non-updated forms for gathering data.
Additionally, the federation appointed a DPO during the course of these proceedings and amended their privacy policy to include everything that Article 13 requires.
Dispute
Did the Asturian Handball Federation incur in any violation of GDPR given these facts?
Holding
The AEPD held that the federation had violated Article 37 GDPR for not having appointed a DPO. They also held that the federation had violated Article 13 for not having provided in their privacy policy the mandatory information provided by the GDPR.
For both these violations, the AEPD issued a warning.
However, the AEPD held that there was no violation regarding consent due to the fact that it is a public federation that, according to the law, processes the data that the sports clubs collect, and that therefore the obligations regarding consent lay on such clubs.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6
Procedure Nº: PS / 00285/2020
RESOLUTION OF SANCTIONING PROCEDURE
In the sanctioning procedure PS / 00285/2020, instructed by the Spanish Agency for
Data Protection to the HANDBALL FEDERATION OF THE PRINCIPALITY OF
ASTURIAS, with CIF: G33642083, (hereinafter, “the claimed entity”), by virtue of
complaint filed by virtue of complaint filed by D.A.A.A., (hereinafter
te, “the claimant”), and based on the following:
BACKGROUND
FIRST: On 01/28/20, you have an entry in this Agency, a complaint filed
by the claimant in which it indicated, among others, the following:
a) .- I have not been able to demonstrate through the consultations made in the AEPD that the
Asturian Handball Federation has Appointed a Delegate for the Protection of
Data neither on the website of said organization nor in the available forms. The
links to the federation's website that show that they process data of minors under
age to justify because they are applied by article 34 section o).
b) .- In none of the forms used by the FEDERATION, which appear in the
The website of said organization requests the authorization of the children if they are
over 14 years of age or of the holder of their parental authority or guardianship for the treatment of
the data nor is it credited the making of reasonable efforts to verify the validity
of the consent nothing is indicated in this regard.
It is especially interesting in this regard is the first of the forms since in its
footer indicates: "In compliance with the provisions of Organic Law 15/1999,
of December 13, Protection of Personal Data, the above
related parties are informed and expressly consent to the incorporation of their
personal data, including images, to the automated files owned by the
Handball Federation of the Principality of Asturias (…) ”.
In relation to the dissemination of the images, I also attach them as evidence of this
point the images of minors that they disclose on their website. I add the links to
the website of the federation that show that they process data of minors and the
disseminating your image publicly.
SECOND: In view of the facts presented in the claim and the documents
provided by the claimant, the SG of Data Inspection proceeded to carry out
actions for its clarification, under the protection of the powers of investigation
granted in art 57.1 of Regulation (EU) 2016/679 (RGPD). So dated
06/02/20 an informative request is addressed to the claimed entity.
According to the certificate of the Electronic Notifications Service and Electronic Address
Enabled, the request sent to the claimed entity on 06/02/20, through the
NOTIFIC @ service, was rejected at destination on 06/13/20.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/6
THIRD: On 10/14/20, the Director of the Spanish Agency for the Protection of
Data agreed to open a sanctioning procedure and notify said agreement to the Federal
claimed so that within ten business days it could present the allegations
deemed convenient.
FOURTH: Notified the initiation agreement, the claimed federation, by writing of
dated 10/27/20, remits to this Agency allegations, in which, among others, it indicates-
ba:
"As the claim itself describes, it is the sports club itself, which is registered in
the federation, which certifies and is responsible for the parents or guardians of
underage players have given their consent for the personal data to be
player's goals are treated in order to develop the sporting practice of ball-
Therefore, the Federation has authorization to process personal data.
sonals and images of the players as long as their ultimate goal is related to
I swim with the practice of the sport of handball, not existing, therefore, in this case
violation of the provisions of the RGPD.
Since the month of November 2019 the new website of the
Federation with the same address as the previous one but within the .es domain and not
del .com. This website has the mandatory privacy policy, the in-
subject to the terms provided in article 13 of the RGPD and complies with all the
legal requirements, having adapted to the regulations in force.
For technical and operational reasons both pages have coexisted, not being eliminated
gives the old, by administrative error, generated in part by the situation of force
greater generated by the state of alarm, which affected many ongoing actions
in this Federation. For the same reason, the information request was not met
formulated by the AEPD, as the offices are without staff.
The domain.com website that the complaint refers to is inactive and
currently removed from the network. Attached as Document Nº1, links to the new
Go to the website and to the supporting documentation of the above. As of July 16, 2020,
This entity proceeded to comply with its obligation to designate a Delegate of
Data Protection".
FIFTH: On 01/15/21, this Agency accesses the website
Federation official: (*** URL.1), checking, in its privacy policy
(*** URL.2) that provides information, among others, about the person responsible for the treatment.
data management; about the purpose of the treatment; on legitimation and destinations
naries; on the terms of conservation of the data; on the treatment of images
nions and on the rights that assist users.
For its part, in the forms that could be downloaded from the official website of the
Federation, the following message existed in them:
“HANDBALL FEDERATION OF THE PRINCIPALITY OF ASTURIAS is the Responsible
of the processing of personal data provided with your consent and
informs you that these data will be treated in accordance with the provisions of the
Regulation (EU) 2016/679, of April 27 (GDPR), and Organic Law 3/2018, of April 5
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/6
December (LOPDGDD), in order to maintain a commercial relationship (by inte-
legitimate responsibility of the person in charge, art. 6.1.f GDPR) and keep them for no longer
necessary to maintain the end of the treatment or as long as there are legal prescriptions
wales ruling their custody. The data will not be communicated to third parties, except when required
legal gation. Likewise, you are informed that you can exercise your access rights,
rectification, portability and deletion of your data and those of limitation and opposition to your
treatment by contacting the HANDBALL FEDERATION OF THE PRINCIPALITY OF
ASTURIAS at C / *** DIRECCIÓN.1 (Asturias). E-mail: *** EMAIL.1 and the claim
to www.aepd.es. Contact details of the data protection officer: *** DIREC-
TION.1 - *** EMAIL.1 ”.
SIXTH: On 02/09/21, the Proposed Resolution is notified to the complaining entity.
in which, it was proposed that, by the Director of the Spanish Protection Agency
tion of Data warns the claimed Federation, for infringement of the articles
13 and 37 of the RGPD, without the need for corrective measures, as these have already been
given by the Federation when it became aware of the initiation of this
sanctioning tooth.
Having notified the resolution proposal, as of today, there is no evidence of any response
has been given to the resolution proposal within the period granted for it.
Of the actions carried out in this procedure, of the information and documents
documentation presented by the parties, the following have been accredited:
PROVEN FACTS
1.- In the present case, the claimant indicates in his letter that the Federation of
Handball of the Principality of Asturias violates several precepts of the RGPD:
- The Federation has not yet appointed a Data Protection Delegate,
verifying that said organization processes personal data.
- In none of the forms used by the Federation, which appear in its
website authorization is requested for the processing of data
personal. In addition, the forms refer to the repealed LO
15/1999 (LOPD).
- There is evidence of the dissemination of images of minors without consent
express of their parents or guardians.
2º.- Transferred the initiation of the sanctioning file to the Federation so that
answer what he deems appropriate on the aspects indicated therein,
The latter sent the Agency the following allegations:
- It is the sports club itself, which is registered with the Federation, which certifies and
is responsible for the parents or guardians of minor players
of age have given their consent for the player's personal data
are treated in order to develop the sports practice of handball, the
Therefore, the Federation has authorization to process the data.
personals and images of the players as long as their ultimate goal
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/6
is related to the practice of the sport of handball, not existing, for
Therefore, in this case, violation of the provisions of the RGPD.
- Since the month of November 2019 the new website is operational
of the Federation with the same address as the previous one but within the domain
(.es) and not from (.com). This website has the mandatory policy of
privacy, the interested party is informed in the terms provided in article 13
of the RGPD and complies with all legal requirements, having adapted to the
regulations in force. For technical and operational reasons, both pages have
lived together, the old one not being eliminated, due to an administrative error, generated in
partly due to the force majeure situation generated by the state of alarm, which
it affected many ongoing actions in this Federation. The website of
domain.com that is the one to which the complaint refers is inactive and deleted
currently on the network.
- As of July 16, 2020, the Federation proceeded to comply with its
Obligation to designate a Data Protection Delegate. Attached as
Document Nº2, proof of communication of the appointment.
3º.- On the part of this Agency it was verified, after having received the
allegations, the following:
- In the privacy policy (*** URL.2) of the official website of the
The Federation is informed, among others, of the following aspects: about the data
of the person responsible for data processing; about the purpose of the treatment
of data collected through the website; on legitimation and
recipients; on the terms of conservation of your data once it is finished
the relationship; on the treatment of images or on the rights that assist
to users about the processing of their personal data.
- In the forms that can be downloaded from the official website of the
Federation, it can be verified that, in them there is information that
refers to current regulations on data protection.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679, of the Parliament
Council and European Council, of 04/27/16, regarding the Protection of Natural Persons
Regarding the Processing of Personal Data and the Free Circulation of es-
The Data (RGPD) recognizes each Control Authority and, as established in the
arts. 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (LOPDGDD), the Director of the
Spanish Data Protection Agency is competent to initiate this procedure.
I lie.
Sections 1) and 2) of article 58 of the RGPD, list, respectively, the powers
investigative and corrective measures that the supervisory authority may order for this purpose,
mentioning in point 1.d), that of: “notify the person in charge or commission of the treatment
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/6
to the presumed infractions of the present Regulation "and in the 2.i), the one of:" to impose a
administrative fine pursuant to article 83, in addition to or instead of the aforementioned measures
mentioned in this section, according to the circumstances of each case ”.
II
In the present case, it was claimed that the Handball Federation of the Principality of
Asturias did not comply with the provisions of current regulations on data protection of
personal character, lacking a Data Protection Delegate (DPD) and when dealing with data
personal coughs of underage players, including their images, without the precepti-
vo consent of parents or guardians.
As stated in the brief initiating the file, on the use of
the personal data of underage players, including images of the players
themselves, without the mandatory consent of their parents or guardians, indicate that
A sports federation is an organization whose main function is to regulate
the organization and organization of the corresponding sport and the receipt of personal data-
of the players to process their federative file, it is done through the club
corresponding authority, who must have collected the prior consent of the
gator or, where appropriate, the parent or guardian so that said treatment is lawful.
As regards the second part of the claim, it was verified, by
this Agency that, the forms that existed on the Federation's website made
reference to the repealed LOPD, however, once the sanctioning proceedings have been initiated
dor and after receiving the appropriate allegations from the Federation it was found that,
they had been conveniently modified, adapting them to current legislation.
Regarding the existence or not of the privacy policy of the website
of the Federation, it was found that, on its official page, *** URL.1; exists
a link, at the bottom, << privacy policy >> that redirects to a new page
gina *** URL.2, in which information is provided in accordance with those stipulated in the article
Article 13 of the GDPR.
Regarding the complaint that the Federation had not appointed a Delegate of
Data Protection, indicate in this regard that, in the letter of allegations to the inco-
action of the file, the Federation informs this Agency that on 07/16/20
proceeded to designate a Data Protection Delegate, attaching proof of
said designation.
In view of the above, on the part of the Director of the Protection Agency of Da-
cough,
RESOLVES
TO APPEAR: to the HANDBALL FEDERATION OF THE PRINCIPALITY OF
ASTURIAS, with CIF: G33642083, for the violation of article 13) of the RGPD, respect-
to the non-adaptation of its personal data protection policy to the new norm.
valid validity and for the violation of article 37) of the RGPD, as there is no designation
a Data Protection Delegate, until he was not aware of this procedure.
sanctioning penalty.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/6
NOTIFY: this resolution to the HANDBALL FEDERATION OF
PRINCIPALITY OF ASTURIAS,
In accordance with the provisions of article 50 of the LOPDPGDD, this Re-
solution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDPGDD, and in accordance with the provisions of article 123 of the LPACAP, the
The interested parties may file, optionally, an appeal for reconsideration before the Director
of the Spanish Agency for Data Protection within a month from
the day after notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision
Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-
administrative, within a period of two months from the day following the notification
tion of this act, as provided in article 46.1 of the aforementioned Law.
Mar Spain Martí
Director of the Spanish Agency for Data Protection.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
