AEPD - PS/00329/2020
|AEPD - PS/00329/2020|
|Relevant Law:||Article 37 GDPR|
|Parties:||AYUNTAMIENTO DE BURGOS|
|National Case Number/Name:||PS/00329/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD decision (in ES)|
The Spanish DPA (AEPD) issued a warning to the city Council of Burgos for not having appointed a data protection officer, thus breaching Article 37 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
After the GDPR came into force, the Burgos city Council did not appoint a DPO, but carried out a contract of 10 months with an external company to receive data protection advise.
Dispute[edit | edit source]
Is this behaviour in line with GDPR?
Holding[edit | edit source]
The AEPD held that the city Council of Burgos breaching Article 37 GDPR for not having appointed a data protection officer. For this, they issued a warning and ordered the city Council to appoint a DPO within 2 months.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/5 Procedure No.: PS / 00329/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) dated May 21, 2020 filed a claim with the Spanish Data Protection Agency. The claim is directed against the CITY COUNCIL OF BURGOS with NIF P0906100C (hereinafter, the claimed one) The reasons on which the claim is based are that the aforementioned city council lacks a data protection officer. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), with reference number E / 04057/2020, a transfer of said claim to the defendant, on June 10, 2020, to proceed with its analysis and inform this Agency within a month, of the actions taken carried out to adapt to the requirements provided in the data protection regulations, without having received any response to the aforementioned request. THIRD: On November 17, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged violation of article 37 of the RGPD, typified in article 83.4 of the RGPD. FOURTH: The aforementioned commencement agreement has been notified, the one claimed on January 8, 2021, presented a brief of allegations in which, in summary, it stated that it proceeded to tender the provision of technical assistance service by a company specialized in information security and protection of character data personnel, a contract that was awarded on August 18, 2020 to the company Centro Regional de Servicios Avanzados, S.A. with a duration of 10 months. FIFTH: On January 19, 2021, the instructor of the procedure agreed to the opening of a period of practical tests, taking as incorporated the preliminary investigation actions, E / 04057/2020. SIXTH: On February 11, 2021, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency sanction the CITY COUNCIL OF BURGOS, with NIF P0906100C, for an infraction of article 37 of the RGPD, typified in article 83.4 of the RGPD, a sanction of awareness. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/5 Of the actions carried out in this procedure and of the documentation Obrante in the file, the following have been accredited: PROVEN FACTS FIRST: It is stated that the BURGOS CITY COUNCIL lacks a data protection officer. SECOND: The aforementioned city council has alleged that for the provision of the technical assistance on data protection, held on August 18, 2020 a contract with the company Centro Regional de Servicios Avanzados, S.A., for a duration of 10 months, in order to adapt their treatments to the LOPDGDD and ENS. THIRD: Currently the Burgos City Council has not appointed a Delegate of Data Protection and has notified the AEPD. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II Public Administrations act as data controllers of personal character and, on some occasions, they exercise functions of managers of treatment, for what corresponds to them, following the principle of responsibility proactively, meet the obligations that the RGPD details, among which is included, the Obligation to appoint a data protection officer and communicate it to this AEPD The obligation is imposed by article 37 of the RGPD, which indicates: "one. The person in charge and the person in charge of the treatment will appoint a delegate of data protection provided that: a) the treatment is carried out by a public authority or body, except those courts that act in the exercise of their judicial function; " Article 37.3 and 4 of the RGPD indicates on the designation of the DPD “When the responsible or the person in charge of the treatment is an authority or public body, may designate a single data protection officer for several of these authorities or bodies, taking into account their organizational structure and size. 4. In cases other than those contemplated in section 1, the controller or the in charge of the treatment or the associations and other bodies that represent C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/5 categories of managers or managers may designate a protection delegate data or must designate it if required by Union or State law members. The data protection officer may act on their behalf associations and other bodies that represent managers or managers. " The LOPDGDD determines in its article 34.1 and 3: “Appointment of a delegate of Data Protection" 1. Those responsible and in charge of the treatment must designate a delegate of data protection in the cases provided for in article 37.1 of the Regulation (EU) 2016/679 and, in any case, in the case of the following entities: 3. Those responsible and in charge of the treatment will communicate within ten days to the Spanish Agency for Data Protection or, where appropriate, to the authorities autonomic data protection, the designations, appointments and terminations of the data protection delegates both in the cases in which they are obliged to their designation as in the case in which it is voluntary. The infringement is considered as such in article 83.4.a of the RGPD which states: ”4. The Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a 39, 42 and 43; " Article 83.7 of the RGPD indicates: “Without prejudice to the corrective powers of the control authorities by virtue of the Article 58 (2), each Member State may lay down rules on whether can, and to what extent, impose administrative fines on authorities and bodies public establishments established in said Member State " Article 58.2 of the RGPD indicates: “Each control authority will have all the following corrective powers listed below: b) punish any person responsible or in charge of the treatment with warning when the processing operations have infringed the provisions of this Regulation; d) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period ”. In this sense, article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates: 1. "The regime established in this article shall apply to the treatment of who are responsible or in charge: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/5 c) The General Administration of the State, the Administrations of the Communities autonomous entities and the entities that make up the Local Administration. " 2 “When the managers or managers listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this law organic, the competent data protection authority will dictate resolution sanctioning them with warning. The resolution will establish Likewise, the measures to be adopted to stop the behavior or to correct it the effects of the offense that had been committed. The resolution will be notified to the person in charge of the treatment, the body of the that depends hierarchically, where appropriate, and those affected who had the condition interested party, if applicable. " 4." The data protection authority must be notified of the resolutions that fall in relation to the measures and actions referred to in the sections previous. " 5." They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. " III Article 73 of the LOPDDG indicates: Violations considered serious "Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: v) Failure to comply with the obligation to appoint a data protection officer when their appointment is required in accordance with article 37 of the Regulations (EU) 2016/679 and article 34 of this organic law. " IV The aforementioned city council in response to the agreement to initiate this procedure sanctioner, has proven that in order to correct the events causing this procedure has proceeded to celebrate on August 18, 2020 a contract with the company Centro Regional de Servicios Avanzados, S.A., for the provision of the service of technical assistance on data protection, for a duration of 10 months, in order to adapt their treatments to the LOPDGDD and ENS. However, the Burgos City Council has not yet appointed a Delegate of Data Protection and has notified the AEPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/5 Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE the CITY COUNCIL OF BURGOS, with NIF P0906100C, for an infringement of article 37 of the RGPD, typified in article 83.4 of the RGPD, a warning sanction. SECOND: REQUEST the BURGOS CITY COUNCIL, with NIF P0906100C that appoint a Data Protection Delegate within a period of 2 months, since that obligation they have since May 25, 2018, in accordance with article 37.3 and 4 of the RGPD date of entry into force of the current data protection regulations. THIRD: NOTIFY this resolution to BURGOS CITY COUNCIL. FOURTH: COMMUNICATE this resolution to the Ombudsman, of in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es