| AEPD (Spain) - PS/00315/2019 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 14.02.2020 |
| Fine: | None |
| Parties: | Anonymous ASOCIACIÓN ESPAÑOLA PARA LA PREVENCIÓN DEL ACOSACOLAR |
| National Case Number/Name: | PS/00315/2019 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The AEPD confirmed that processing personal data without providing an easily accessible privacy notice is a violation of Article 13 GDPR.
English Summary
Facts
The controller processed personal data without providing an easily accessible privacy policy. Furthermore, the privacy notice did not fully inform the users on their rights under the GDPR.
Dispute
Whether the privacy policy should be easy to find and what level of details it should include with regard to the user's rights.
Holding
The AEDP found that the information provided was in breach of Article 13 GDPR. Therefore, the authority warned the controller (Article 83(5) GDPR) and requested to complete the notice respecting the criteria of Article 13 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Spanish original for more details.
• Product No.: PS/00315/2019
DECISION ON DISCIPLINARY PROCEEDINGS
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on 19 February 2019. The claim is directed against ASOCIACIÓN ESPAÑOLA PARA LA PREVENCIÓN DEL ACOSACOLAR with NIF G86432226 (hereinafter the claimed.
The reasons on which the complaint is based are that the association's website does not have a personal data privacy policy.
SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant, the Subdirectorate General of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as the GPRD), and in accordance with the provisions of Title VII, Chapter I, Section 2 of Organic Law 3/2018 of December 5, 1978, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter referred to as the LOPDGDD).
The aim is to inform the complainant of this complaint on 15 March 2019, requiring him to send this Agency, within a period of one month, information on the response given to the complainant on the facts denounced, as well as the reasons for the incident and the measures taken to adapt his "Privacy Policy" to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (RGPD).
However, such a request was returned by mail, claiming "wrong address"
Next, research was carried out on the website of the complainant, http://aepae.es/, verifying that to access his privacy policy it must be done through the link to the cookie policy https://automattic.com/cookies/, and following this second link through the link https://automattic.com/privacy/.
Analysing its privacy policy, it should be noted that it does not say anything about the exercise of rights, nor does it mention the right to file a complaint with the AEPD, nor does it expressly indicate the regulations governing the protection of personal data.
THIRD: On December 18, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent, for the alleged infringement of article 13 of the RGPD, typified in article 83.5 of the RGPD.
FIFTH: Once the aforementioned agreement to initiate the present sanctioning procedure has been notified, a hearing period of TEN WORKING DAYS is granted to him to formulate the allegations and present the evidence that he considers appropriate, in accordance with the provisions of Articles 73 and 76 of Law 39/2015 on Common Administrative Procedure of Public Administrations.
SIXTH: Not having made any allegations or submitted any evidence within the given time limit, this resolution is hereby issued, taking into account the following
FACTS
FIRST: The personal data privacy policy of the website of the claimed association is not governed by the current regulations on this matter.
SECOND: This complaint was brought to the attention of the respondent but was returned by post, claiming "incorrect address".
Next, research was carried out on the website of the respondent and analysing its privacy policy, it should be noted that with respect to the exercise of rights it does not say anything, nor does it mention the right to file a complaint with the AEPD, nor does it expressly indicate the regulations governing the protection of personal data.
LEGAL FOUNDATIONS
I
By virtue of the powers that Article 58.2 of the RGPD recognises to each supervisory authority, and as established in Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.
II
Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as GDPR), under the heading "Definitions", provides that
"For the purposes of this Regulation
1) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors specific to that person's identity
physical, physiological, genetic, psychic, economic, cultural or social of that person;
2) "processing" means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction
Therefore, in accordance with these definitions, the collection of personal data through forms included on a website constitutes data processing, for which the data controller must comply with the provisions of Article 13 of the RGPD, a provision that has been moved from 25 May 2018 to Article 5 of Organic Law 15/1999 of 13 December on the Protection of Personal Data.
In relation to this matter, it is noted that the Spanish Data Protection Agency has at the disposal of citizens the Guide for the fulfilment of the duty to inform (https://www.aepd.es/media/guias/guia-modelo- clausula-informativa.pdf) and, in the case of low risk data processing, the free tool Facilita (https://www.aepd.es/herramientas/facilita.html).
III
Article 13 of the RGPD, which determines the information to be provided to the data subject at the time of collection of his or her data, provides
"1.Where personal data relating to a data subject are collected, the controller shall provide him with all the following information at the time of collection
a) the identity and contact details of the person responsible and, where appropriate, his representative;
b) the contact details of the data protection officer, if any;
c) the purposes of the processing for which the personal data are intended and the legal basis of the processing;
d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party;
e) the recipients or categories of recipients of the personal data, where appropriate;
f) where appropriate, the intention of the controller to transfer personal data to a third country or international organisation and the existence or otherwise of a Commission decision on adequacy, or, in the case of transfers pursuant to Article 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and the means to obtain a copy thereof or the fact that they have been provided.
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are collected, with the following information necessary to ensure fair and transparent processing of the data
a) the period for which personal data will be kept or, where this is not possible, the criteria used to determine this period;
b) the existence of the right to request the controller to have access to the personal data concerning the data subject and to have them corrected, deleted or restricted, or to object to their processing, and the right to the transfer of data;
c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent prior to withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the disclosure of personal data is a legal or contractual requirement or a requirement for entering into a contract, and whether the data subject is obliged to provide the personal data and is informed of the possible consequences of not providing such data;
f) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, significant information on the logic applied and the significance and expected consequences of such processing for the data subject.
3. Where the controller plans to further process personal data for a purpose other than that for which they were collected, he shall provide the data subject, prior to such further processing, with information about that other purpose and any relevant additional information within the meaning of paragraph 2.
4. The provisions of paragraphs 1, 2 and 3 shall not apply if and in so far as the information is already available to the person concerned.
Article 11 of the LOPDGDD provides as follows:
"Where personal data are obtained from the data subject, the controller may fulfil the duty of information laid down in Article 13 of Regulation (EU) 2016/679 by providing the data subject with the basic information referred to in the following paragraph and by indicating an electronic address or other means that makes the other information easily and immediately accessible.
2. The basic information referred to in the previous section must contain at least the following
a) The identity of the data controller and his representative, in his
case.
b) The purpose of the treatment.
c) The possibility of exercising the rights set out in Articles 15 to 22
of Regulation (EU) 2016/679.
If the data obtained from the data subject are to be processed for profiling purposes, the basic information shall also include this circumstance. In this case, the person concerned must be informed of his right to oppose the adoption of automated individual decisions which produce legal effects on him or significantly affect him in a similar way, where this right exists in accordance with Article 22 of Regulation (EU) 2016/679.
IV
By virtue of the provisions of Article 58.2 of the RGPD, the Spanish Data Protection Agency, as the supervisory authority, has a set of corrective powers in the event of a breach of the precepts of the RGPD.
Article 58(2) of the RGPD provides as follows:
"2 Each supervisory authority shall have all the following corrective powers as set out below:
(…)
(b) sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation
(...)
"(d) to instruct the controller or processor to bring processing operations into conformity with the provisions of this Regulation, where appropriate, in a particular manner and within a specified time limit;".
"(i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the individual case;".
Article 74(a) of the LOPDGDD, under the heading "Offences considered minor" provides:
"The remaining infringements of a purely formal nature of the Articles referred to in Article 83(4) and (5) of Regulation (EU) 2016/679, and in particular the following, shall be regarded as minor and shall be subject to a limitation period of one year
(a) Failure to comply with the principle of transparency of information or the right to information of the person concerned by not providing all the information required by Articles 13 and 14 of Regulation (EU) 2016/679.
V
In this case, it is claimed that the web page of the claimed person does not have a personal data privacy policy.
This Agency has noted the difficulty of access to the privacy policy of the claimed, on its website, http://aepae.es/ as it must be done through the link of cookie policy https://automattic.com/cookies/, and then, following this second link through the link https://automattic.com/privacy/.
Furthermore, analysing its privacy policy, it should be pointed out that nothing is indicated with respect to the exercise of rights, nor with respect to the right to file a complaint with the AEPD, nor is the regulation governing the protection of personal data expressly indicated.
It should also be noted that, taking into account this context, and the fact that the respondent collects the personal data of its users, it is clear that the
The requested information contravenes Article 13 of the RGPD, since it does not provide them with all the information on data protection provided for in that provision prior to its collection.
Therefore, in accordance with the applicable legislation and assessed the criteria for the graduation of the sanctions whose existence has been accredited,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE SPANISH ASSOCIATION FOR THE PREVENTION OF
SCHOOL HARASSMENT, with NIF G86432226, for an infraction of Article 13 of the RGPD, typified in Article 83.5 of the RGPD, a warning sanction
SECOND: REQUIRE SPANISH ASSOCIATION FOR THE PREVENTION OF
SCHOOL HARASSMENT, with NIF G86432226, according to article 58.2.b) of the RGPD
so that within one month of notification of this resolution, you can prove
✓ the adoption of the necessary measures to update its "Privacy Policy" to the current regulations on the protection of personal data,
-Regulation (EU) 2016/679 (RGPD)-, adapting the information offered to the requirements contemplated in article 13 of the RGPD, having to provide the users, prior to the collection of their personal data, all the information required in the mentioned precept, for which the claimed association will have to take into account the provisions of article 6 of the RGPD in relation to the legality of the treatment, as well as what is indicated in article 5 of the RGPD in relation to the purpose of the treatment and term of conservation of the data.
THIRD: NOTICE this resolution to the SPANISH ASSOCIATION FOR THE PREVENTION OF SCHOOL HARASSMENT.
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure (Article 48.2 of the LOPD), and in accordance with the provisions of Articles 112 and 123 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the interested parties may, optionally, file an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision, or, directly to the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, in accordance with the provisions of Article 46.1 of the above-mentioned legal text.
Mar Spain Marti
Director of the Spanish Data Protection Agency
