AEPD - PS/00334/2020

From GDPRhub
AEPD - PS/00334/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Decided:
Published: 26.04.2021
Fine: None
Parties: n/a
National Case Number/Name: PS/00334/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA issued a warning to the former worker of a business that processed personal data of their clients from a previous employment relationship without any legitimate basis.

English Summary[edit | edit source]

Facts[edit | edit source]

A claimant filed a claim before the Spanish DPA, stating that a former worker from their business had used the data of their clients after leaving, without having legitimacy to do so.

Dispute[edit | edit source]

Is the processing of personal data without a valid legitimate basis a violation of GDPR?

Holding[edit | edit source]

The Spanish DPA considered that the processing of personal data was in breach of Article 6(1) GDPR, as the worker had processed data from their previous employment relationship without consent, and thus imposed the controller a reprimand.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                     1/6











     Procedure No.: PS / 00334/2020

                 RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on

to the following:

                                    BACKGROUND

FIRST: Mrs. A.A.A. with NIF *** NIF.1 (hereinafter, the claimant) dated 13

January 2020 filed a claim with the Spanish Agency for the Protection of
Data. The claim is directed against Dña. B.B.B. with NIF *** NIF.2 (hereinafter, the
claimed).

        The claimant states that a former worker has used the data of her

clients for their own benefit, after the termination of their contractual relationship.

        And, it provides the following documentation:

        - Data access contract between the parties.

        - Notification of the claimed that it stops providing its services.
        - Cancellation of appointments of your clients.
        - Burofax advising the defendant that it cannot be used for profit
            own the list of clients provided by the claimant.
        - Complaint from a client, expressing her discomfort at being in the group of

            WhatsApp created by the claimed to publish their products.

SECOND: In accordance with article 65.4 of the LOPGDD, which has provided for a
mechanism prior to the admission for processing of claims made before
the AEPD, consisting of transferring them to the Data Protection Delegates

designated by those responsible or in charge of the treatment, for the intended purposes
in article 37 of the aforementioned norm, or to these when it has not designated them, it was given
transfer of the claim to the claimed entity to proceed with its analysis and
respond to the complaining party and this Agency within one month.


THIRD: On March 13, 2020, the respondent was asked to provide
to this Agency the following information:

        1. The decision taken regarding this claim.
        2. In the event of exercising the rights regulated in articles 15 to

            22 of the RGPD, accreditation of the response provided to the claimant.
        3. Report on the causes that have motivated the incident that has originated
            the claim.
        4. Report on the measures adopted to prevent the occurrence of
            similar incidents, implementation dates and controls carried out to

            check its effectiveness.
        5. Any other that you consider relevant.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/6








       The letter was notified to the claimed by post, being the delivery date
of the notification on June 15, 2020, as evidenced by the certificate issued by
the postal service, to respond to this Agency and the complaining party

within a month.

       In the response submitted by the respondent on July 13, 2020, the
content mentioned therein.

       On August 13, 2020, the request for information was reiterated and on August 1,

September of this year, the respondent states that on July 13, 2020, it contributed
allegations and supporting documents, not recorded in this Agency.

       In accordance with the provisions of article 65.2 of the LOPDGDD, dated
September 24, 2020, the Director of the Spanish Agency for the Protection of

Data agrees to admit to processing of this claim.

FOURTH: On October 21, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for the claimed, with
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,

LPACAP), for the alleged violation of Article 6.1 of the RGPD, typified in Article
83.5 of the GDPR.

FIFTH: Once the aforementioned commencement agreement was notified, the respondent submitted a written
allegations in which, in summary, it stated that: “I comply with the duty imposed

by art. 6.1 of the RGPD, seeking the consent of customers when
I request personal data, through the legal text that is attached as proof and
all sign on the spot ”.

SIXTH: On December 14, 2020, the procedure instructor agreed to the

opening of a period of practical tests, taking as incorporated the
previous actions, as well as the documents provided by the respondent.

SEVENTH: On February 16, 2021, a resolution proposal was formulated,
proposing that the Director of the Spanish Data Protection Agency
punish the complained party for an infringement of article 6.1 of the RGPD, typified in the

Article 83.5 of the RGPD, a warning sanction.

EIGHTH: Once the resolution proposal was notified, the claimed party submitted a written
of allegations March 23, 2021, stating: "That I fully comply with said
proposal and I accept the sanction of warning. That I have adopted the procedures

of consent collection provided for in the law as provided in art. 6.1 GDPR.
That there are no data in my files of the claimant's clients that have not
been collected in accordance with the legitimizing basis for it, in accordance with the regulations
in art. 6.1 a) of the RGPD ”.


       In view of all the actions, by the Spanish Protection Agency
of Data in this procedure the following are considered proven facts:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/6








                                 PROVEN FACTS

FIRST: On January 13, 2020, the claimant files a claim before

the Spanish Data Protection Agency, stating that a former worker has
used the data of its customers, without having legitimacy to do so.

SECOND: Burofax appears warning the defendant that she cannot use to
own benefit the list of clients provided by the claimant, and complaint of a
client, stating "at no time have I given permission to transfer my data,

it is more thought that it was protected by the platform of protection of data ”.
THIRD: The complained party has provided in this sanctioning procedure the

stockings you have adopted.

FOURTH: On March 23, 2021, the party claimed in its brief of

allegations to the proposed resolution acknowledges the facts and agrees with
the sanction imposed, and states: "That I fully comply with said proposal and accept
the penalty of warning. That I have adopted the procedures for collecting
consent provided by law as provided in art. 6.1 GDPR.
That there are no data in my files of the claimant's clients that have not

been collected in accordance with the legitimizing basis for it, in accordance with the regulations
in art. 6.1 a) of the RGPD ”.

                            FOUNDATIONS OF LAW


                                             I

       By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.


                                            II

       The defendant is charged with committing an offense for violation of the
Article 6 of the RGPD, "Legality of the treatment", which indicates in its section 1 the

cases in which the processing of third party data is considered lawful:

        "1. The treatment will only be lawful if at least one of the following is met
terms:

      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;

      b) the treatment is necessary for the performance of a contract in which the
      interested is part or for the application at the request of this of measures
      pre-contractual;

      (…) "
                                            III

       Sections b), d) and i) of article 58.2 of the RGPD provide the following:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/6








       “2 Each supervisory authority shall have all the following powers
corrective measures listed below:

       (…)

       b) punish any person responsible or in charge of the treatment with
warning when the processing operations have infringed the provisions of
this Regulation; "

       (...)

       “D) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period; "

       “I) impose an administrative fine in accordance with article 83, in addition or in
place of the measures mentioned in this section, depending on the circumstances
of each particular case; "


       The offense is classified in Article 83.5 of the RGPD, which considers as such:

      "5. Violations of the following provisions will be sanctioned, in accordance with
with section 2, with administrative fines of a maximum of EUR 20,000,000 or,

in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


      a) The basic principles for the treatment, including the conditions for the
      consent in accordance with articles 5,6,7 and 9. "


       Organic Law 3/2018, on Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions
considered very serious ”provides:


      "1. Based on what is established in article 83.5 of the Regulation (E.U.)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that one and, in
in particular, the following:


        (…)
       a) The processing of personal data without the concurrence of any of the
           conditions of legality of the treatment established in article 6 of the
           Regulation (EU) 2016/679. "



                                           IV

      The documentation in the file provides evidence that the
claimed, violated article 6.1 of the RGPD, since it is processing data from the
clients of the entity in which he worked, without having legitimacy to do so.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/6








      In this sense, the claimant submits the complaint made by a
client affected by the processing of her personal data without legitimizing basis, in the
message is stated "I at no time have given permission to transfer my data,

it is more thought that it was protected by the platform of protection of data ”.

      Therefore, the respondent does not accredit the legitimacy for the treatment of the

data of the claimant's clients.

                                            V

       Once the resolution proposal was formally notified, the respondent submitted

brief of allegations on March 23, 2021, stated:
said proposal in full and I accept the penalty of warning. That I have adopted the
procedures for collecting consent provided by law as provided in the
art. 6.1 GDPR.
That there are no data in my files of the claimant's clients that have not
been collected in accordance with the legitimizing basis for it, in accordance with the regulations

in art. 6.1 a) of the RGPD ”.

       Article 85 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations (hereinafter, LPACAP),
under the heading "Termination of sanctioning procedures" provides the

following:

       "1. Initiated a sanctioning procedure, if the offender acknowledges his
responsibility, the procedure may be resolved with the imposition of the sanction
that proceeds ”.


       Therefore, based on the foregoing, the Director of the Agency
Spanish Data Protection RESOLVES:

FIRST: IMPOSE Ms. B.B.B., with NIF *** NIF.2, for a violation of Article
6.1 of the RGPD, typified in Article 83.5 of the RGPD, a warning sanction.


SECOND: NOTIFY this resolution to Ms. B.B.B ..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to

counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the

referred Law.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/6










Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the

cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the

notification of this resolution would terminate the precautionary suspension.

Mar Spain Martí
Director of the Spanish Agency for Data Protection












































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es