AEPD (Spain) - PS/00329/2020

From GDPRhub
Revision as of 13:27, 2 April 2021 by Cvl (talk | contribs)
AEPD - PS/00329/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 37 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 24.03.2021
Fine: None
Parties: AYUNTAMIENTO DE BURGOS
National Case Number/Name: PS/00329/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) issued a warning to the city Council of Burgos for not having appointed a data protection officer, thus breaching Article 37 GDPR.

English Summary

Facts

After the GDPR came into force, the Burgos city Council did not appoint a DPO, but carried out a contract of 10 months with an external company to receive data protection advise.

Dispute

Is this behaviour in line with GDPR?

Holding

The AEPD held that the city Council of Burgos breaching Article 37 GDPR for not having appointed a data protection officer. For this, they issued a warning and ordered the city Council to appoint a DPO within 2 months.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/5










     Procedure No.: PS / 00329/2020


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) dated May 21, 2020
filed a claim with the Spanish Data Protection Agency.


The claim is directed against the CITY COUNCIL OF BURGOS with NIF
P0906100C (hereinafter, the claimed one)

The reasons on which the claim is based are that the aforementioned city council lacks a
data protection officer.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), with reference number E / 04057/2020, a transfer of
said claim to the defendant, on June 10, 2020, to proceed with its

analysis and inform this Agency within a month, of the actions taken
carried out to adapt to the requirements provided in the data protection regulations,
without having received any response to the aforementioned request.

THIRD: On November 17, 2020, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the

alleged violation of article 37 of the RGPD, typified in article 83.4 of the RGPD.

FOURTH: The aforementioned commencement agreement has been notified, the one claimed on January 8, 2021,
presented a brief of allegations in which, in summary, it stated that it proceeded to
tender the provision of technical assistance service by a company

specialized in information security and protection of character data
personnel, a contract that was awarded on August 18, 2020 to the company Centro
Regional de Servicios Avanzados, S.A. with a duration of 10 months.

FIFTH: On January 19, 2021, the instructor of the procedure agreed to the

opening of a period of practical tests, taking as incorporated the
preliminary investigation actions, E / 04057/2020.

SIXTH: On February 11, 2021, a resolution proposal was formulated,
proposing that the Director of the Spanish Data Protection Agency
sanction the CITY COUNCIL OF BURGOS, with NIF P0906100C, for an infraction

of article 37 of the RGPD, typified in article 83.4 of the RGPD, a sanction of
awareness.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/5








Of the actions carried out in this procedure and of the documentation
Obrante in the file, the following have been accredited:


                                PROVEN FACTS

FIRST: It is stated that the BURGOS CITY COUNCIL lacks a
data protection officer.

SECOND: The aforementioned city council has alleged that for the provision of the

technical assistance on data protection, held on August 18, 2020
a contract with the company Centro Regional de Servicios Avanzados, S.A., for a
duration of 10 months, in order to adapt their treatments to the LOPDGDD and
ENS.


THIRD: Currently the Burgos City Council has not appointed a Delegate
of Data Protection and has notified the AEPD.

                           FOUNDATIONS OF LAW

                                           I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Data Protection Agency is competent to initiate and to
solve this procedure.


                                           II

Public Administrations act as data controllers of
personal character and, on some occasions, they exercise functions of managers of

treatment, for what corresponds to them, following the principle of responsibility
proactively, meet the obligations that the RGPD details, among which is included, the
Obligation to appoint a data protection officer and communicate it to this
AEPD

The obligation is imposed by article 37 of the RGPD, which indicates:


"one. The person in charge and the person in charge of the treatment will appoint a delegate of
data protection provided that:

a) the treatment is carried out by a public authority or body, except those

courts that act in the exercise of their judicial function; "

Article 37.3 and 4 of the RGPD indicates on the designation of the DPD “When the
responsible or the person in charge of the treatment is an authority or public body,
may designate a single data protection officer for several of these

authorities or bodies, taking into account their organizational structure and size.

4. In cases other than those contemplated in section 1, the controller or the
in charge of the treatment or the associations and other bodies that represent

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/5








categories of managers or managers may designate a protection delegate
data or must designate it if required by Union or State law
members. The data protection officer may act on their behalf

associations and other bodies that represent managers or managers. "

The LOPDGDD determines in its article 34.1 and 3: “Appointment of a delegate of
Data Protection"

1. Those responsible and in charge of the treatment must designate a delegate of

data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:

3. Those responsible and in charge of the treatment will communicate within ten
days to the Spanish Agency for Data Protection or, where appropriate, to the authorities

autonomic data protection, the designations, appointments and terminations of
the data protection delegates both in the cases in which they are
obliged to their designation as in the case in which it is voluntary.

The infringement is considered as such in article 83.4.a of the RGPD which states: ”4. The
Infringements of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


a) the obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a
39, 42 and 43; "

Article 83.7 of the RGPD indicates:


“Without prejudice to the corrective powers of the control authorities by virtue of the
Article 58 (2), each Member State may lay down rules on whether
can, and to what extent, impose administrative fines on authorities and bodies
public establishments established in said Member State "

Article 58.2 of the RGPD indicates: “Each control authority will have all the

following corrective powers listed below:

b) punish any person responsible or in charge of the treatment with warning
when the processing operations have infringed the provisions of this
Regulation;


d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period ”.


In this sense, article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates:

1. "The regime established in this article shall apply to the treatment of
who are responsible or in charge:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/5









c) The General Administration of the State, the Administrations of the Communities

autonomous entities and the entities that make up the Local Administration. "

2 “When the managers or managers listed in section 1 commit
any of the infractions referred to in articles 72 to 74 of this law
organic, the competent data protection authority will dictate

resolution sanctioning them with warning. The resolution will establish
Likewise, the measures to be adopted to stop the behavior or to correct it
the effects of the offense that had been committed.

The resolution will be notified to the person in charge of the treatment, the body of the

that depends hierarchically, where appropriate, and those affected who had the condition
interested party, if applicable. "

4." The data protection authority must be notified of the resolutions that
fall in relation to the measures and actions referred to in the sections

previous. "

5." They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued
under this article. "


                                            III

Article 73 of the LOPDDG indicates: Violations considered serious


"Based on what is established in article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:


v) Failure to comply with the obligation to appoint a data protection officer
when their appointment is required in accordance with article 37 of the Regulations
(EU) 2016/679 and article 34 of this organic law. "

                                            IV


The aforementioned city council in response to the agreement to initiate this procedure
sanctioner, has proven that in order to correct the events causing this
procedure has proceeded to celebrate on August 18, 2020 a contract with the
company Centro Regional de Servicios Avanzados, S.A., for the provision of the service

of technical assistance on data protection, for a duration of 10
months, in order to adapt their treatments to the LOPDGDD and ENS.

However, the Burgos City Council has not yet appointed a Delegate of
Data Protection and has notified the AEPD.





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/5








Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,


the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE the CITY COUNCIL OF BURGOS, with NIF P0906100C, for
an infringement of article 37 of the RGPD, typified in article 83.4 of the RGPD, a

warning sanction.

SECOND: REQUEST the BURGOS CITY COUNCIL, with NIF P0906100C that
appoint a Data Protection Delegate within a period of 2 months, since that
obligation they have since May 25, 2018, in accordance with article 37.3

and 4 of the RGPD date of entry into force of the current data protection regulations.

THIRD: NOTIFY this resolution to BURGOS CITY COUNCIL.

FOURTH: COMMUNICATE this resolution to the Ombudsman, of

in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly

contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the

referred Law.

Mar Spain Martí
Director of the Spanish Agency for Data Protection


















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es