AEPD - PS/00334/2020
|AEPD - PS/00334/2020|
|Relevant Law:||Article 6(1) GDPR|
|National Case Number/Name:||PS/00334/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA issued a warning to the former worker of a business that processed personal data of their clients from a previous employment relationship without any legitimate basis.
English Summary[edit | edit source]
Facts[edit | edit source]
A claimant filed a claim before the Spanish DPA, stating that a former worker from their business had used the data of their clients after leaving, without having legitimacy to do so.
Dispute[edit | edit source]
Is the processing of personal data without a valid legitimate basis a violation of GDPR?
Holding[edit | edit source]
The Spanish DPA considered that the processing of personal data was in breach of Article 6(1) GDPR, as the worker had processed data from their previous employment relationship without consent, and thus imposed the controller a reprimand.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6 Procedure No.: PS / 00334/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: Mrs. A.A.A. with NIF *** NIF.1 (hereinafter, the claimant) dated 13 January 2020 filed a claim with the Spanish Agency for the Protection of Data. The claim is directed against Dña. B.B.B. with NIF *** NIF.2 (hereinafter, the claimed). The claimant states that a former worker has used the data of her clients for their own benefit, after the termination of their contractual relationship. And, it provides the following documentation: - Data access contract between the parties. - Notification of the claimed that it stops providing its services. - Cancellation of appointments of your clients. - Burofax advising the defendant that it cannot be used for profit own the list of clients provided by the claimant. - Complaint from a client, expressing her discomfort at being in the group of WhatsApp created by the claimed to publish their products. SECOND: In accordance with article 65.4 of the LOPGDD, which has provided for a mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the intended purposes in article 37 of the aforementioned norm, or to these when it has not designated them, it was given transfer of the claim to the claimed entity to proceed with its analysis and respond to the complaining party and this Agency within one month. THIRD: On March 13, 2020, the respondent was asked to provide to this Agency the following information: 1. The decision taken regarding this claim. 2. In the event of exercising the rights regulated in articles 15 to 22 of the RGPD, accreditation of the response provided to the claimant. 3. Report on the causes that have motivated the incident that has originated the claim. 4. Report on the measures adopted to prevent the occurrence of similar incidents, implementation dates and controls carried out to check its effectiveness. 5. Any other that you consider relevant. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/6 The letter was notified to the claimed by post, being the delivery date of the notification on June 15, 2020, as evidenced by the certificate issued by the postal service, to respond to this Agency and the complaining party within a month. In the response submitted by the respondent on July 13, 2020, the content mentioned therein. On August 13, 2020, the request for information was reiterated and on August 1, September of this year, the respondent states that on July 13, 2020, it contributed allegations and supporting documents, not recorded in this Agency. In accordance with the provisions of article 65.2 of the LOPDGDD, dated September 24, 2020, the Director of the Spanish Agency for the Protection of Data agrees to admit to processing of this claim. FOURTH: On October 21, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure for the claimed, with in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 6.1 of the RGPD, typified in Article 83.5 of the GDPR. FIFTH: Once the aforementioned commencement agreement was notified, the respondent submitted a written allegations in which, in summary, it stated that: “I comply with the duty imposed by art. 6.1 of the RGPD, seeking the consent of customers when I request personal data, through the legal text that is attached as proof and all sign on the spot ”. SIXTH: On December 14, 2020, the procedure instructor agreed to the opening of a period of practical tests, taking as incorporated the previous actions, as well as the documents provided by the respondent. SEVENTH: On February 16, 2021, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency punish the complained party for an infringement of article 6.1 of the RGPD, typified in the Article 83.5 of the RGPD, a warning sanction. EIGHTH: Once the resolution proposal was notified, the claimed party submitted a written of allegations March 23, 2021, stating: "That I fully comply with said proposal and I accept the sanction of warning. That I have adopted the procedures of consent collection provided for in the law as provided in art. 6.1 GDPR. That there are no data in my files of the claimant's clients that have not been collected in accordance with the legitimizing basis for it, in accordance with the regulations in art. 6.1 a) of the RGPD ”. In view of all the actions, by the Spanish Protection Agency of Data in this procedure the following are considered proven facts: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/6 PROVEN FACTS FIRST: On January 13, 2020, the claimant files a claim before the Spanish Data Protection Agency, stating that a former worker has used the data of its customers, without having legitimacy to do so. SECOND: Burofax appears warning the defendant that she cannot use to own benefit the list of clients provided by the claimant, and complaint of a client, stating "at no time have I given permission to transfer my data, it is more thought that it was protected by the platform of protection of data ”. THIRD: The complained party has provided in this sanctioning procedure the stockings you have adopted. FOURTH: On March 23, 2021, the party claimed in its brief of allegations to the proposed resolution acknowledges the facts and agrees with the sanction imposed, and states: "That I fully comply with said proposal and accept the penalty of warning. That I have adopted the procedures for collecting consent provided by law as provided in art. 6.1 GDPR. That there are no data in my files of the claimant's clients that have not been collected in accordance with the legitimizing basis for it, in accordance with the regulations in art. 6.1 a) of the RGPD ”. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II The defendant is charged with committing an offense for violation of the Article 6 of the RGPD, "Legality of the treatment", which indicates in its section 1 the cases in which the processing of third party data is considered lawful: "1. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their data personal for one or more specific purposes; b) the treatment is necessary for the performance of a contract in which the interested is part or for the application at the request of this of measures pre-contractual; (…) " III Sections b), d) and i) of article 58.2 of the RGPD provide the following: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/6 “2 Each supervisory authority shall have all the following powers corrective measures listed below: (…) b) punish any person responsible or in charge of the treatment with warning when the processing operations have infringed the provisions of this Regulation; " (...) “D) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period; " “I) impose an administrative fine in accordance with article 83, in addition or in place of the measures mentioned in this section, depending on the circumstances of each particular case; " The offense is classified in Article 83.5 of the RGPD, which considers as such: "5. Violations of the following provisions will be sanctioned, in accordance with with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The basic principles for the treatment, including the conditions for the consent in accordance with articles 5,6,7 and 9. " Organic Law 3/2018, on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions considered very serious ”provides: "1. Based on what is established in article 83.5 of the Regulation (E.U.) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that one and, in in particular, the following: (…) a) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679. " IV The documentation in the file provides evidence that the claimed, violated article 6.1 of the RGPD, since it is processing data from the clients of the entity in which he worked, without having legitimacy to do so. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/6 In this sense, the claimant submits the complaint made by a client affected by the processing of her personal data without legitimizing basis, in the message is stated "I at no time have given permission to transfer my data, it is more thought that it was protected by the platform of protection of data ”. Therefore, the respondent does not accredit the legitimacy for the treatment of the data of the claimant's clients. V Once the resolution proposal was formally notified, the respondent submitted brief of allegations on March 23, 2021, stated: said proposal in full and I accept the penalty of warning. That I have adopted the procedures for collecting consent provided by law as provided in the art. 6.1 GDPR. That there are no data in my files of the claimant's clients that have not been collected in accordance with the legitimizing basis for it, in accordance with the regulations in art. 6.1 a) of the RGPD ”. Article 85 of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures" provides the following: "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the sanction that proceeds ”. Therefore, based on the foregoing, the Director of the Agency Spanish Data Protection RESOLVES: FIRST: IMPOSE Ms. B.B.B., with NIF *** NIF.2, for a violation of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, a warning sanction. SECOND: NOTIFY this resolution to Ms. B.B.B .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/6 Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es