AEPD - PS/00366/2019

From GDPRhub
AEPD - PS/00366/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(d) GDPR
Article 4 LOPDGDD
Type: Investigation
Outcome: Violation Found
Started:
Decided: 10.12.2020
Published:
Fine: None
Parties: AGENCIA ESTATAL DE ADMINISTRACIÓN TRIBUTARIA (AEAT)
National Case Number/Name: PS/00366/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish Data Protection Agency (AEPD) imposed a warning sanction against the State Tax Administration Agency (AEAT) for infringing Article 5(1)(d) GDPR, i.e. lack of accuracy in the processing of personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

The claim was initiated by an employer who, when he wanted to register a worker in the Social Security system and requested the reduction of the contribution, was refused on the grounds that the claimant was not up to date with his tax obligations, since the tax agency's files contained the notation "fiscal offense".

The Tax Agency recognized that the lack of updating of data was due to an error, and proceeded to solve and update the data processing systems.

Dispute[edit | edit source]

Is the lack of accuracy when processing personal data by the tax authorities an infringement of Article 5 (1) (d) GDPR?

Holding[edit | edit source]

The AEPD agreed to impose a penalty for infringement of Article 5 (1) (d) for lack of accuracy in the processing of personal data, due to an out-of-date data processing system.

As regulated in article 77 LOPDGDD it will be agreed that the sanction corresponds to a "warning" when the entity sanctioned is a public administration.

Furthermore, due to the updating of systems and other measures that have been carried out in the processes carried out by the sanctioned entity, the AEPD did not consider it necessary to impose other types of corrective sanctions.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/10








                                                  Procedure No.: PS / 00366/2019

                RESOLUTION OF SANCTIONING PROCEDURE


       Of the procedure instructed by the Spanish Agency for Data Protection and
based on the following
                                  BACKGROUND


FIRST: D. A.A.A. (hereinafter, the claimant) on 05/20/2019 filed
claim before the Spanish Agency for Data Protection. The claim is
directs against STATE AGENCY OF TAX ADMINISTRATION, with NIF
Q2826000H (hereinafter, the claimed one). The reasons on which the claim is based are
in short: that the claimant when registering a female worker with Social Security
On 04/06/2018 he requested a reduction in his quotation. The request was denied by the

TGSS, requesting the claimant to present a certificate of being at the
current of your tax obligations. After the presentation of two certificates
positives issued by the AEAT the TGSS denies the bonus informing the
claimant that the AEAT files contain the annotation "tax offense". He
On 02/08/2019, the complainant addressed the AEAT DPD requesting explanations

opportune, as inaccurate and contradictory data appear in their files. The DPD
responds on 04/01/2019 pointing out that the data in the AEAT file
are correct, however, the Legal Assistance application did not complete a
field, motivating the issuance of the wrong certificate with a negative result requested
by the TGSS.


SECOND: Upon receipt of the claim, the Subdirectorate General of
Data Inspection proceeded to carry out the following actions:

       On 06/12/2019, the brief presented for his
analysis and communication to the affected party of the decision taken in this regard. Equally,

he was required to submit to the determined Agency within a month
information:

       - Report on the Impact Assessment carried out before the implementation of
       improvements in the Legal Aid application.


       -The decision taken to anticipate this claim.

       - Report on the measures adopted to prevent the occurrence of
       similar incidents.

       - Any other that you consider relevant.

The one claimed by writing of 07/12/2019 refers, first of all, to the system of
issuance of certificates of being up to date with the payment of tax obligations and
the channels through which it is possible to make requests, as well as access by
part of other organisms to the services of requesting certificates of being at the

current payment of tax obligations and the incidence occurred in the case of the
claimant.
In relation to the questions raised, the respondent does not consider it necessary
carry out an impact assessment as the claim does not concern a

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10








certain treatment but with an error in the recording of the status of a file.
That the situation of the DNI of the claimed person is corrected and reviewed. That the data
used in the generation of the claimant's certificate had been registered in the
year 2012 and due to an error the status of the file had not been updated
adequately. Regarding the measures adopted, they can be summarized in three lines

of action:
1. That since 2015 the Legal Assistance application has integrated different
controls to help employees using this app and improve quality
of the data; all controls are in place and there is no evidence
of similar errors.
2. That the files prior to 2015 are under review and are

realizing gradually and,
3. That as a result of the case under study, the DPD sent the Management Group
AET electronics proposing a general review of the issuance procedure
of tax certificates in order to identify improvements in the management and
information that is provided to interested parties.


THIRD: On 10/09/2019, in accordance with article 65 of the LOPDGDD, the
Director of the Spanish Data Protection Agency agreed to admit for processing the
claim filed by the claimant against the defendant.


FOURTH: The complainant's written document dated 10/22/2019 stating that
based on article 77.2 and 78.3 of the RGPD that state “2. The authority of
control to which the claim has been submitted will inform the claimant about
the course and result of the claim, including the possibility of accessing the

judicial protection under article 78 "and" 3. Actions against an authority of
control must be exercised before the courts of the Member State in which it is
control authority established ”, he was going to resort to the Contentious Jurisdiction
Administrative, for what it required the AEPD to provide the information requested
refers to article 77.2 of the RGPD, as well as the corresponding claim
before the European Data Protection Supervisor given the disinterest shown by the

AEPD by not deigning to answer your claim.
FIFTH: On 03/12/2020, the Director of the Spanish Agency for the Protection of

Data agreed to initiate a sanctioning procedure for the claimed person for the alleged infringement
of article 5.1.d) of the RGPD.
SIXTH: Once the aforementioned commencement agreement was notified, the defendant submitted a written

allegations on 06/12/2020 stating, in summary: that as a consequence of the
claim, the circumstances that allowed the certificates to be issued were reviewed,
so that currently the conditions in the application have been modified
legal entity of the AEAT, so that a negative certificate is issued and that the DPD sent a
proposal to the Electronic Administration Group of the Tax Agency, proposing
a general review of this procedure; what happened in the case of

claimant is not the consequence of a breach of the principle of accuracy of the
data, but precisely the technical and organizational measures adopted to
minimize and correct errors in the automated processing of personal data to
the issuance of certificates of being up to date with tax obligations; what
Although it could be considered that the claimant's data were inaccurate, for not

the field in the Legal Assistance application has been incorporated into your file,
The truth is that article 5.1.d) of the RGPD, in relation to the update, does not impose
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/10








adopt disproportionate measures to update the data, if not reasonable ones,
taking into account the available means and the purpose for which the data is used; the
unnecessary processing of sanctioning procedure for having solved the

claim; that although it is considered that there was non-compliance by the AEAT
of the principle of data accuracy, corrective measures have been adopted
timely, addressing the claim of the claimed.

SEVENTH: On 08/18/2020 it was agreed to open a trial period,
remembering the following:

       - To consider reproduced for evidentiary purposes the claim filed by the
           claimant and its documentation, the documents obtained and generated by
           the Inspection Services before the AEAT that are part of the file
           E / 05725/2019.

       - To consider reproduced for evidentiary purposes, the allegations to the agreement of
           start PS / 00366/2019 submitted by the claimed.

EIGHTH: On 11/16/2020, Proposal for Resolution was notified to the effect that
by the Director of the AEPD the claimed person will be sanctioned for an infraction of the article
5.1.d) of the RGPD, typified in article 83.5.a) of the RGPD, with warning.

After the term established by the claimed, at the time of this Resolution,
he had not presented any written allegation.

NINTH: Of the actions carried out in the present procedure, there have been
accredited the following,

                                 PROVEN FACTS

FIRST. On 05/20/2019 you have entry into the Spanish Agency for the Protection of
Written data filed by the claimant; the claim is directed against the AEAT
motivated by registering a worker with Social Security and requesting the
reduction of its contribution, was denied by the TGSS, informing the claimant that
was not aware of its tax obligations since in the files of the AEAT
there is the annotation "tax offense". The claimant addressed on 02/08/2019 to the DPD of the

AEAT requesting the appropriate explanations, as data is recorded in its files
inaccurate and contradictory. The DPD responds on 04/01/2019 noting that the data
that work in the AEAT file are correct, however, in the application
Legal Assistance a field was not completed, motivating the issuance of the certificate
wrong with the negative result of the request before the TGSS.

SECOND. It is provided by the claimant diligence of appearance in the
Special delegation of the AEAT in Madrid dated 03/22/2019 in which it is requested

explanation of the situation created by the certificate issued and identification of the
acting official.
THIRD. There is a written written addressed to the AEAT DPD on 02/08/2029 in the

that the claimant requests explanations about the incident that occurred and that it is subject to
this claim.

FOURTH. There is a response from the DPD dated 05/20/2019, stating that
“When you have requested it from the TGSS, although the meaning of the certificate is NEGATIVE,

It has been provided as a reason for the denial: “M. Tax Crime ”, for their transfer and
that could request a review before the Tax Agency. It must be recognized that the
term Tax Crime is unfortunate and a message of the type would have been preferable
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/10









"Go to your tax office to review the situation" and that "Once analyzed
your case and having identified the causes that have caused the situation you have described,
has proceeded to update the Legal Aid application. In this way, from
now and while circumstances do not change, the meaning of the tax certificate

will be the same, regardless of whether it is requested before the Tax Agency or
through a body integrated into the information supply system where
Certificates of being up to date with payment of tax obligations are offered.
This modification has been in effect since March 26, 2019 ”.

In the light of what happened, a series of modifications is also indicated in order to
prevent situations such as the one that gave rise to the

claim.


                            FOUNDATIONS OF LAW

                                              I
        By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.







































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/10








                                             II
        Article 5, Principles relating to treatment, of the RGPD establishes that:


        "1. The personal data will be:

        (…)
        d) accurate and, if necessary, updated; all measures will be taken
        reasonable for the personal data to be deleted or rectified without delay
        that are inaccurate with respect to the purposes for which they are treated

        ("accuracy");
        (…)

        Also article 4, Accuracy of the data, of the new Organic Law 3/2018,
of December 5, Protection of Personal Data and guarantee of rights

digital (hereinafter LOPDGDD), states:

        "1. In accordance with article 5.1.d) of Regulation (EU) 2016/679 the data will be
exact and, if necessary, updated.

        2. For the purposes provided for in article 5.1.d) of Regulation (EU) 2016/679,

It will not be attributable to the person responsible for the treatment, provided that he has adopted
all reasonable measures so that they are suppressed or rectified without delay, the
inaccuracy of personal data, with respect to the purposes for which they are processed,
when inaccurate data:


        a) They had been obtained by the person responsible directly from the affected party.
        b) They had been obtained by the person in charge of a mediator or intermediary
        in the event that the rules applicable to the sector of activity to which it belongs
        the person responsible for the treatment established the possibility of intervention
        an intermediary or mediator who collects on his own behalf the data of the

        affected for transmission to the person in charge. The mediator or intermediary
        will assume the responsibilities that may arise in the event of
        communication to the data controller that does not correspond to the
        provided by the affected party.
        c) They were subjected to treatment by the person responsible for having received them from
        another person responsible by virtue of the exercise by the affected party of the right to

        portability in accordance with article 20 of Regulation (EU) 2016/679 and the provisions
        in this organic law.
        d) They were obtained from a public registry by the person in charge ”.

                                                 III












C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/10








       In the present case, as stated in the antecedent and first proven fact
The claim filed is due to the fact that the claimant upon registering with the Security
Social to a worker on 04/06/2018 requested a reduction in her contribution for being

older than 50 years; The request was denied by the TGSS, on the grounds that
had debts with the AEAT, requesting the claimant to present a certificate
to be up to date with their fiscal and tax obligations; for what I request
to this positive certification body of being up to date with its obligations
prosecutors; four months have elapsed since the certificate request and in the face of silence
I request an appearance by requesting an appointment at the AEAT

without having obtained a satisfactory answer, although the next day it was issued
positive electronic certificate of your tax situation that was presented to the
TGSS was once again rejected due to the existence of a tax offense, having been
hidden such circumstance until 11/18/2018; Faced with such an unusual situation, he goes to
DPD who, after more than a month without obtaining a response, presented himself at the headquarters

of the AEAT where he exposed his situation and after five days he receives a reply from the DPD
considering it entirely unsatisfactory and unfortunate.

       It is true that the documentation in the file shows that
the defendant would have violated article 5.1.d), principle of accuracy, in relation to
Article 4 of the LOPDGDD by keeping inaccurate data related to the

claimant without having corrected them, appearing since 2012 as linked to a crime
fiscal.

       The DPD himself in the written reply to the request / complaint of the claimant
noted on 04/01/2019 that “The explanation of why this data is not complete

It is due to the age of the information, which is prior to the improvements made in the
Legal Assistance Application, to help the public employee in the
maintenance of the data and status of the files ”and that“ When it has
requested to the TGSS, although the meaning of the certificate is NEGATIVE, it has been provided
as a reason for denial: “M. Tax Crime ”, for their transfer and that could

request a review before the Tax Agency. It must be recognized that the term
Tax crime is unfortunate and a message such as "Go to
your tax office to review the situation ”.

       Therefore, it is true that the complainant himself has admitted that the data that
were used to generate the claimant's certificate and that had been

registered in 2012, due to an error the status of the
file properly.

       However, it is also true that on the occasion of the request / complaint of the
complainant, the parameters used to issue the certificates of

so that at present the conditions in the consultation with Argos have been modified
Criminal, application of the AEAT, in the issuance of negative certificates; furthermore, as a result
of the complainant's case, the DPD submitted a proposal to the Administration Group
Electronic of the Tax Agency, proposing "a general review of this
procedure in order to identify improvements in the management of certificates and

the information that is provided to the interested parties who request them, having
modified the descriptions of the reason for refusal provided to the
Petitioning Public Administrations ”.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10








       It should also be noted that on the occasion of the claim,
a series of measures that aim to avoid similar incidents in the future
as the one that has given rise to the present claim:


       Since 2015, the Legal Assistance application has integrated different
controls to help employees using this app and improve quality
of the data. That controls have been included in the Legal Assistance application for
ensure that the necessary data are provided to the files and that they are not left without
complete and the generation of follow-up reports has also been facilitated.

status of the files that allow better control of them,
controls that are already in place with no evidence of errors similar to
those reported by the claimant.

       All files prior to 2015 are under review by the

legal services of the Tax Agency delegations.

       The Data Protection Delegate has submitted a proposal to the Group of
Electronic Administration of the Tax Agency, where the
areas that participate in the procedure for issuing tax certificates,
proposing a general review of this procedure in order to identify

improvements in the management of certificates and the information provided to
interested parties who request them.

                                                IV
       Article 83.5 a) of the RGPD, considers that the infringement of “the principles

basic for the treatment, including the conditions for consent in accordance with
of articles 5, 6, 7 and 9 ”is punishable.

       On the other hand, the LOPDGDD in its article 72, for the purposes of prescription, indicates
which are: “Violations considered very serious:


       1. In accordance with the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:


       a) The processing of personal data violating the principles and guarantees
       established in article 5 of Regulation (EU) 2016/679.
       (…) "

       However, the LOPDGDD in its article 77, Regime applicable to

certain categories of data controllers or managers, establishes the
following:

       "1. The regime established in this article will apply to the treatments
of those who are responsible or in charge:


       a) Constitutional bodies or those with constitutional relevance and
       institutions of the autonomous communities analogous to them.
       b) The jurisdictional bodies.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/10








       c) The General State Administration, the Administrations of the
       autonomous communities and entities that make up the Local Administration.
       d) Public bodies and public law entities linked to or

       dependent on Public Administrations.
       e) The independent administrative authorities.
       f) The Bank of Spain.
       g) Public law corporations when the purposes of the treatment
       are related to the exercise of powers of public law.
       h) Public sector foundations.

       i) Public Universities.
       j) Consortia.
       k) The parliamentary groups of the Cortes Generales and the Assemblies
       Autonomous legislatures, as well as the political groups of the Corporations
       Local.


       2. When the managers or managers listed in section 1
commit any of the offenses referred to in articles 72 to 74 of
this organic law, the competent data protection authority will dictate
resolution sanctioning them with warning. The resolution will establish
Likewise, the measures to be adopted to stop the conduct or to correct

the effects of the offense that had been committed.

       The resolution will be notified to the person in charge of the treatment, at
body on which it depends hierarchically, where appropriate, and those affected who have
the condition of interested party, if applicable.


       3. Without prejudice to the provisions of the previous section, the authority of
data protection will also propose the initiation of disciplinary actions
when there is sufficient evidence to do so. In this case, the procedure and
Sanctions to be applied will be those established in the legislation on disciplinary regime

or sanctioner that is applicable.

       Likewise, when the infractions are attributable to authorities and managers,
and the existence of technical reports or recommendations for treatment is accredited
that had not been duly attended, in the resolution in which the
The sanction will include a warning with the name of the position responsible and

will order the publication in the Official Gazette of the State or Autonomous
corresponds.

       4. The data protection authority must be informed of the
resolutions that fall in relation to the measures and actions to which they refer

the previous sections.

       5. They will be communicated to the Ombudsman or, where appropriate, to the institutions
of the autonomous communities, the actions carried out and the
Resolutions issued under this article.






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/10








       6. When the competent authority is the Spanish Agency for the Protection of
Data, it will publish on its website with due separation the resolutions
referring to the entities of section 1 of this article, with express indication of the

identity of the person in charge or in charge of the treatment who had committed the
infringement.

       When the competence corresponds to an autonomous protection authority
of data will be, as for the publicity of these resolutions, to what is available
its specific regulations ”.


       In accordance with the evidence available, the conduct of the
claimed constitutes a violation of the provisions of article 5.1.d) of the RGPD.

       It should be noted that article 77 of the LOPDGDD contemplates the possibility of

go to the sanction of warning to correct data processing
personal data that do not conform to their forecasts, when those responsible or
managers listed in section 1 committed any of the infractions to the
referred to in articles 72 to 74 of this organic law.

       Likewise, it is contemplated that the resolution issued will establish the measures

that is appropriate to adopt so that the conduct ceases, the effects of the offense are corrected
that had been committed through the adoption of the measures and the contribution of
means of accrediting compliance with what is required, a regulation that is not a
A novelty since it was also partly included in the previous LOPD.


       Now, taking into account that the claim of the interested party was addressed,
issuing the requested certificate and reviewing the false negative that had been issued
at the request of the TGSS and that, in addition, complementary measures were adopted
how to include the reason for provisional dismissal in the application file
legal status of the claimed in order to avoid similar incidents; that the

parameter of the automated certificate issuance application to reduce
false negatives requiring human intervention; that the message that was modified
the remote petitioning Public Administration receives certificates of being up to date
current of tax obligations on the cause of the denial of the certificate,
etc., as indicated previously, it is not appropriate to urge the adoption of measures
additional, having been accredited, that the defendant has adopted all

those that are reasonable, in accordance with the provisions of the regulations on
Data Protection.

       Therefore, in light of the foregoing, it is not appropriate to urge the adoption of measures
additional, having been proven, that the defendant has adopted the measures

reasonable, in accordance with the regulations on data protection, which
As he himself points out, it is the main purpose of the procedures regarding
those entities listed in article 77 of the LOPDGDD.

       Therefore, in accordance with the applicable legislation,


       The Director of the Spanish Agency for Data Protection RESOLVES:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/10








FIRST: IMPOSE STATE AGENCY OF TAX ADMINISTRATION,
with NIF Q2826000H, for the violation of article 5.1.d) of the RGPD, typified in the
Article 83.5.a) of the RGPD, a warning sanction.


SECOND: NOTIFY this resolution to the STATE AGENCY OF
TAX ADMINISTRATION, with NIF Q2826000H.

       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.


       Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may optionally file an appeal for reversal
before the Director of the Spanish Agency for Data Protection within a period of
month from the day after notification of this resolution or directly

contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the

referred Law.

       Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the final resolution may be suspended in an administrative way
If the interested party expresses his intention to file a contentious appeal-

administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Agency for Data Protection,
Presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. As well
must forward to the Agency the documentation that proves the effective filing

of the contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day after the notification of this resolution, would terminate the
precautionary suspension.


                                                                    Mar Spain Martí
                             Director of the Spanish Agency for Data Protection















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es