AEPD - PS/00389/2019

From GDPRhub
AEPD - PS/00389/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5 GDPR
Article 32 GDPR
Article 33 GDPR
Article 34 GDPR
Article 58(2) GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Decided: n/a
Published: n/a
Fine: None
Parties: POLICIA LOCAL del AYUNTAMIENTO DE BADAJOZ
SERVICIO AJENO DE PREVENCION LABORAL EXTREMEÑA
SERVICIO AJENO DE PREVENCION LABORAL EXTREMEÑA
National Case Number/Name: PS/00389/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: Silvia López Arnao

Spanish DPA found that leaving the respondent's workers' medical reports on the street at sight constituted a breach of the principle of integrity and confidentiality of data processing under the GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The local authorities filed a complaint with the Spanish DPA against the complainant for an alleged violation of the GDPR by finding scattered on the street medical examination reports concerning workers of the respondent.

Dispute[edit | edit source]

Is it compliant with Article 32 of the GDPR to leave at sight in the street data concerning the medical reports of employees?

Holding[edit | edit source]

The Spanish DPA found that the respondent is responsible for not having made decisions aimed at effectively implementing appropriate technical and organisational measures to ensure a level of safety appropriate to the risk to ensure the confidentiality of the data.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

DECISION ON DISCIPLINARY PROCEEDINGS
From the procedure instructed by the Spanish Data Protection Agency and
on the basis of the following
BACKGROUND
FIRST: On 23/04/2019 the LOCAL POLICE of BADAJOZ CITY COUNCIL
submitted a complaint against the OUTSIDE SERVICE OF LABOUR PREVENTION
EXTREMEÑA, S.L. (hereinafter the defendant), for allegedly infringing the
regulations on personal data protection, as they are scattered on the ground,
next to a vehicle of the company External service of prevention of labor Extremeña,
S.L. medical examination reports dated 02/12/2010 relating to
workers of the company Aguas del Suroeste, S.L.
SECOND: Upon receipt of the claim, the Subdirectorate General of
Data Inspection proceeded to perform the following actions:
On 18/05/2019, reiterated on 30/05/2019, the
complaint submitted for analysis and communication to the complainant of the decision
adopted in this regard. It was also required to ensure that within one month
to submit certain information to the Agency:
- A copy of the communications, of the decision taken which you have sent to the
claimant regarding the transfer of this claim, and proof that
the complainant has been notified of this decision.
- Report on the causes of the incident that led to the
claim.
- Report on the measures taken to prevent
similar incidents.
- Any other that you consider relevant.
On the same date, the claimant was informed of the receipt of the
claim and its transfer to the claimed entity.
On 22/10/2019, in accordance with Article 65 of the LOPDGDD, the Director
of the Spanish Data Protection Agency agreed to admit the claim for processing
filed by the claimant against the respondent.
THIRD: On 24/02/2020, the Director of the Spanish Protection Agency
of Data agreed to initiate sanctioning proceedings against the respondent, for the alleged
infringement for the alleged violation of Articles 32.1, 33 and 34 of the RGPD,
sanctioned in accordance with the provisions of article 83.4.a) of the aforementioned RGPD,
Considering that the sanction that could correspond would be of APPRECIATION.
FOURTH: Notification of the agreement of initiation, the claimed at the time of this
resolution has not submitted a written statement of case, and therefore the
referred to in Article 64 of Law 39/2015 of 1 October on the Procedure
Common Administrative Framework for Public Administrations, which in its paragraph (f)
provides that in the event of failure to make representations within the prescribed period on the
content of the agreement of initiation, it may be considered as a proposal for
resolution when it contains a precise statement of liability
The Court of First Instance shall give its decision.
FIFTH: Of the proceedings carried out in the present procedure, the following have been decided
The following are accredited:
PROVEN FACTS
FIRST: On 23/04/2019 the LOCAL POLICE of the
BADAJOZ TOWN COUNCIL by which it gives notice of the Act of Complaint against the
SERVICIO AJENO DE PREVENCION LABORAL EXTREMEÑA, S.L. (hereinafter referred to as
claimed), for alleged infringement of data protection regulations
personal, finding them scattered on the ground, next to a company vehicle
Servicio Ajeno de Prevención Laboral Extremeña, S.L. recognition reports
medical care for employees of Aguas del Suroeste, S.L..
SECOND: A copy of the police report has been provided
Local of the City council of Badajoz nº 10735 indicating: "They are scattered by the
floor, next to a company vehicle External occupational health and safety service
Extremeña, S.L., medical examination reports dated 02/12/10",
continuing: "The above-mentioned medical reports relate to workers of the
company Aguas del Suroeste, S.L. Photocopies are attached".
As a precautionary measure, the police state: "These reports are being removed from the road".
THIRD: Copies of "Medical examination reports" are attached
Ordinary Newspaper practiced in the Occupational Medicine Area of the
Prevention on 2 December 2010 a", concerning two workers from the
company Aguas del Suroeste, S.L.
FOURTH: The claimant has not responded to any of the requirements
made by the AEPD; nor has it made any allegations about the agreement to initiate the
sanctioning procedure.
LEGAL GROUNDS
I
By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the
authority, and in accordance with Article 47 of Organic Law 3/2018, of
5 December, Protection of Personal Data and Guarantee of  Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Agency of
Data Protection is competent to resolve this procedure.
II
Law 39/2015 of 1 October on the Common Administrative Procedure of
the public authorities, in Article 64 "Agreement on initiation in the
procedures of a punitive nature," it provides:
"The agreement to initiate proceedings shall be communicated to the instructor of the proceedings, with
The transfer of any proceedings in this respect shall be notified to the parties concerned,
meaning in any case the accused.
The complainant shall also be informed of the initiation of proceedings where the rules
The procedure's regulators provide for this.
2. The agreement on initiation shall contain at least
(a) Identification of the person or persons alleged to be responsible.
(b) The facts which give rise to the initiation of the proceedings, their possible
qualification and any penalties that may apply, without prejudice to the
of instruction.
(c) Identification of the investigator and, where appropriate, secretary of the proceedings, with
express indication of the regime of challenge of the same.
(d) The competent body for the resolution of the procedure and the rule which it
to attribute such competence, indicating the possibility that the alleged perpetrator
may voluntarily acknowledge its responsibility, with the effects foreseen in the
Article 85.
(e) Measures of a provisional nature agreed upon by the body
competent to initiate the penalty procedure, without prejudice to those
may adopt during the same in accordance with Article 56.
(f) Indication of the right to make representations and to be heard at the
procedure and the time limits for its exercise, as well as an indication that, if
not to make representations on the content of the agreement within the time limit
The motion for a resolution may be considered as a motion for a resolution when it contains a
precise statement of the responsibility charged.
3. Exceptionally, when at the time of issuing the agreement of initiation
there are insufficient elements for the initial qualification of the facts on which they are based
the opening of the procedure, such qualification may be made at one stage
later by drawing up a Statement of Objections, which shall be notified to
the interested parties."
In application of the previous precept and taking into account that no
The proceedings initiated by the Commission are closed.
III
Article 58 of the RGPD, Powers, states:
"Each supervisory authority shall have all the following powers
corrections indicated below:
(…) 
(i) to impose an administrative fine pursuant to Article 83 in addition to or in addition to
place of the measures referred to in this paragraph, depending on the circumstances
of each individual case;
(…)”
Article 5 of the RGPD sets out the principles that should govern the
processing of personal data and mentions among them that of "integrity and
confidentiality".
The article states that:
"1. Personal data shall be:
(…)
(f) treated in such a way as to ensure adequate safety of the
personal data, including protection against unauthorised or unlawful processing and
against their accidental loss, destruction or damage, by the application of measures
appropriate techniques or organisational arrangements ("integrity and confidentiality")".
In turn, the security of personal data is regulated in the
32, 33 and 34 of the RGPD.
Article 32 of the RGPD "Security of processing", states that:
"Taking into account the state of the art, the costs of implementation, and the
nature, scope, context and purposes of the processing, as well as risks of
variable probability and severity for the rights and freedoms of individuals
the controller and the processor shall implement technical and
appropriate organisational arrangements to ensure a level of safety appropriate to the risk,
which in your case includes, among others:
(a) the pseudonymisation and encryption of personal data
(b) the ability to ensure the confidentiality, integrity, availability and
permanent resilience of treatment systems and services;
(c) the ability to restore the availability of and access to data
personal quickly in the event of a physical or technical incident;
(d) a process of regular verification, evaluation and assessment of effectiveness
of technical and organizational measures to ensure the safety of
treatment.
2. In assessing the adequacy of the level of security, particular consideration shall be given to
taking into account the risks involved in the processing of data, in particular as
as a result of the accidental or unlawful destruction, loss or alteration of data
transmitted, retained or otherwise processed, or the communication or
unauthorized access to such data.
3. Adherence to a code of conduct adopted pursuant to Article 40 or to a
certification mechanism approved under Article 42 may serve as an element to demonstrate compliance with the requirements set out in paragraph 1 of
this article.
4. The controller and the processor shall take measures to
ensure that any person acting under the authority of the person in charge or of the
and has access to personal data may only process such data
on the instructions of the person responsible, unless he is obliged to do so by virtue of
Union or Member States' law".
Article 33 of the GPRS, Notification of a breach of the security of
personal data to the supervisory authority, states that:
"1. In the event of a breach of the security of personal data, the
the controller shall notify it to the competent supervisory authority of
in accordance with Article 55 without undue delay and if possible not later than 72
hours after you've had a record of it, unless it's unlikely
that such a breach of security constitutes a risk to the rights and
freedoms of natural persons. If the notification to the supervisory authority does not
within 72 hours, shall be accompanied by an indication of the reasons for
the procrastination.
2. The data controller shall without undue delay notify the person responsible
of the processing the violations of the security of personal data of which
has knowledge.
3. The notification referred to in paragraph 1 shall at least
(a) describe the nature of the data security breach
including, where possible, the categories and number of
of stakeholders concerned, and the categories and approximate number
of affected personal data records;
(b) communicate the name and contact details of the Data Protection Officer of
data or other contact point where further information can be obtained;
(c) describe the possible consequences of a breach of the security of
personal data;
(d) describe the measures taken or proposed by the controller
processing to remedy the data security breach
including, where appropriate, measures taken to mitigate the
possible negative effects.
4. If it is not possible to provide the information simultaneously, and to the extent
Where it is not, the information shall be provided gradually without undue delay.
5. The controller shall document any breach of the
security of personal data, including facts relating to it, its
effects and the corrective measures taken. Such documentation shall enable the
The monitoring authority shall verify compliance with the provisions of this Article And Article 34, Communication of a breach of data security
personal to the interested party, establishes that:
"1. Where it is likely that the breach of data security
personal risk to the rights and freedoms of individuals
the controller shall communicate it to the data subject without delay
improper.
2. The communication to the person concerned referred to in paragraph 1 of this
article will describe in clear and simple language the nature of the violation of
security of personal data and shall contain at least the information and
measures referred to in Article 33(3)(b), (c) and (d).
3. The communication to the person concerned referred to in paragraph 1 shall not be
necessary if any of the following conditions are met:
(a) the controller has adopted technical protection measures
and organizational measures and these measures have been applied to the data
personal data affected by the violation of the security of personal data,
in particular those which make personal data unintelligible to
any person who is not authorized to access them, such as encryption;
(b) the controller has taken further steps to ensure
that there is no longer a likelihood of the high risk for
rights and freedoms of the data subject referred to in paragraph 1;
(c) it involves a disproportionate effort. In this case, the following shall be chosen instead
by a public communication or similar measure informing
in an equally effective way to the stakeholders.
4. Where the person responsible has not yet informed the data subject of
violation of personal data security, the supervisory authority shall, once
considered the likelihood of such a violation involving a high risk, may require you to
to do so or may decide that one of the conditions mentioned in
paragraph 3".
IV
In this case, it is common ground that on 23/04/2019 the LOCAL POLICE
of BADAJOZ TOWN HALL provided a copy of the Act of Complaint against the
The complaint, which shows that the regulations on the protection of
personal data, when they are spread out on the public highway and next to a vehicle of their
property medical examination reports relating to employees of the
company Aguas del Suroeste, S.L. containing sensitive data and especially
protected and the aforementioned forces of law and order proceeding to remove them from the public
as a precautionary measure.
On the other hand, the absence of sensitivity on the part of the defendant to
the aforementioned facts since he did not even answer the requests for information
made by the AEPD, nor did it respond by submitting written allegations at the beginning of
agreement on sanctioning procedures and which, in addition, aims to promote safety and health of workers through the development of activities
necessary and convenient for the prevention of risks derived from work.
It should be noted that the RGPD defines data security violations
personal as "all those violations of security that cause the
accidental or unlawful destruction, loss or alteration of transmitted personal data
stored or otherwise processed, or the unauthorized communication of or access to
such data".
From the documentation in the file, there are clear indications of
that the respondent has violated article 32 of the RGPD, by producing a breach of
security in their systems by allowing and providing access to data
related to medical examination reports dated 02/12/2010 of
workers of the company Aguas del Suroeste who were spread out over the
floor.
The RGPD in the mentioned precept does not establish a list of the measures of
security that apply according to the data that are the subject of
processing, but provides that the controller and the processor
apply technical and organisational measures that are appropriate to the risk involved
treatment, taking into account the state of the art, implementation costs, the
nature, scope, context and purposes of the processing, probability risks
and gravity for the rights and freedoms of the persons concerned.
Security measures should also be adequate and
proportionate to the risk identified, noting that the determination of the measures
The technical and organisational aspects of this must be taken into account: pseudonymisation and
encryption, the ability to ensure confidentiality, integrity, availability and
resilience, the ability to restore data availability and access after a
incident, verification (non-audit) process, evaluation and assessment of
effectiveness of the measures.
In any case, when assessing the adequacy of the level of safety, the following shall be taken into account
particularly taking into account the risks presented by the processing of data, such as
as a result of the accidental or unlawful destruction, loss or alteration of data
transmitted, retained or otherwise processed, or the communication or
unauthorised access to such data and which could result in damage
physical, material or immaterial.
In the same sense, recital 83 of the RGPD states that
"(83) In order to maintain security and to prevent the processing from infringing
provided for in this Regulation, the responsible person or person in charge should evaluate
the risks inherent in the treatment and implement measures to mitigate them, such as
encryption. These measures should ensure an appropriate level of security, including
confidentiality, taking into account the state of the art and the cost of implementation
with regard to the risks and the nature of the personal data to be
to protect themselves. When assessing the risk in relation to data security, you should
take into account the risks involved in the processing of personal data,
such as the accidental or unlawful destruction, loss or alteration of personal data transmitted, retained or otherwise processed, or the communication or access not
authorized to such data, which may in particular cause damage
physical, material or immaterial".
As noted above and in the context of the
investigation ***EXPEDIENTE.1 the AEPD transferred to the reclaimed on 18/05/2019 and the
30/05/2019 the complaint submitted for analysis requesting the contribution of
information related to the claimed incidence, without having received in this
no organism response whatsoever.
The liability of the claimant is determined by the bankruptcy of
security highlighted by the Local Police of the City of Badajoz, already
who is responsible for making decisions aimed at effectively implementing
appropriate technical and organisational measures to ensure a level of safety
to ensure the confidentiality of the data, restoring their
availability and prevent access to them in the event of a physical or technical incident.
However, it is clear from the documentation provided that the entity has not only
This obligation has not been fulfilled, but there is also no knowledge of the adoption of any measures at
in this respect, despite having given him notice of the complaint filed.
Article 33 of the RGPD also regulates the notification of violations of
security that may pose a risk to the rights and freedoms of
natural persons to the competent supervisory authority, which in the case of Spain is
of the AEPD.
Therefore, whenever a gap affects data of a
personnel of natural persons we must communicate it to the AEPD and, in addition
we must notify you within 72 hours of having
knowledge of the gap.
Finally, it should be added that having been informed of the incident of
The security department is also not known to have taken any measures to
to remedy it, once he became aware of it.
Nor is there any evidence that, in accordance with the
Article 34 would have informed the persons concerned of the violation of the security of
personal data without undue delay once he became aware of them.
In accordance with the above, the respondent would be responsible for the
violations of the RGPD: violation of Articles 32, 33 and 34, violations
all of which are typified in article 83.4.a).
V
The violation of articles 32, 33 and 34 of the RGPD are criminalized
in Article 83.4(a) of the said GPRS in the following terms:
“4. Infringements of the following provisions shall be sanctioned, in accordance with
with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or
in the case of an undertaking, up to a maximum of 2 % of total annual turnover for the previous financial year, opting for
the largest:
(a) the obligations of the person responsible and the person in charge under Articles 8,
11, 25 to 39, 42 and 43.
(…)”
The LOPDGDD in its article 71, Infractions, points out that: "They constitute
infringements the acts and conduct referred to in paragraphs 4, 5 and 6 of
Article 83 of Regulation (EU) 2016/679, as well as those which are contrary to the
present organic law".
And in its article 73, for the purposes of the statute of limitations, it qualifies as "Infringements
considered serious."
"In accordance with Article 83(4) of Regulation (EU) 2016/679
are considered serious and shall be subject to a two-year statute of limitations for offences involving
substantial infringement of the Articles mentioned in that one and, in particular, the
next:
(…)
(g) Breach as a result of lack of due diligence,
of the technical and organisational measures that have been implemented in accordance with
required by Article 32.1 of Regulation (EU) 2016/679".
(r) Failure to notify the protection authority of
data of a personal data security breach in accordance with the
provided for in Article 33 of Regulation (EU) 2016/679.
(s) Failure to comply with the duty to inform the person concerned of a breach of
data security in accordance with Article 34 of the
Regulation (EU) 2016/679 if the controller had been requested
by the data protection authority to carry out such notification.
The facts set out in the complaint are specified in the
existence of a security breach in the systems of the claimed party allowing the
vulnerability of it by allowing reports dated 02/12/2010 concerning
medical examinations and belonging to workers of the company Aguas del
Southwest, were spread out on the public highway and allowing access to data
contained in them.
All of this constitutes a violation of the security of personal data, which
which constitutes an infringement of Articles 32.1, 33 and 34 of the RGPD.
VI
However, Article 58(2) of the EUCPN states: "Each authority
The inspection body shall have all the following corrective powers as indicated to
continued:
(…)
(b) sanction any person responsible for or in charge of the processing with
warning where processing operations have infringed the provisions of
this Regulation;
(…)”
The RGPD, without prejudice to the provisions of Article 83 thereof, provides in its
Article 58(2)(b) the possibility of using the warning to correct treatment
of personal data that does not meet your expectations.
In this case, it has been proved that the person claimed does not
has implemented technical and organisational measures to ensure a level of security
capable of ensuring the confidentiality, integrity, availability of the
access; appropriate measures for notification in the event of a breach of the
of a personal data security breach and the procedure
implemented in the event that the violation of personal data security
involves a high risk to the rights and freedoms of natural persons.
VII
The respondent has not replied to the information request
by the Inspection Service.
At this point, it is necessary to inform that not attending the requirements
of the Agency may constitute a very serious infringement in accordance with
referred to in Article 72 of the LOPDGDD, which provides "1. Depending on what
Article 83(5) of Regulation (EU) 2016/679 are considered very serious and
The statute of limitations for offences involving a substantial breach shall be three years
of the articles mentioned in that one and, in particular, the following ones:
(…)
ñ) Not to provide access to the staff of the data protection authority
competent to personal data, information, premises, equipment and means of
processing required by the data protection authority for the
exercise of their powers of investigation.
(o) Resistance to or obstruction of the exercise of the inspection function by
competent data protection authority'.
(…)”
At the same time, notification of the agreement to commence and the expiry of the period granted
to make allegations, I do not submit any written.
As stated above, it is common ground that the respondent
does not have technical and organisational measures in place to ensure a level of
adequate security capable of ensuring confidentiality, integrity and availability
of the data avoiding its access, loss, etc.; adequate measures to proceed to the
notification in the event of a breach of personal data security and
procedure in place in the event of a data security breach
personal risk to the rights and freedoms of individuals It is necessary to point out that if these incidents are not corrected by adopting the
appropriate technical and organisational measures, adapting them to the
Articles 32.1, 33 and 34 of the RGPD or reiterate the conduct set out in
the complaint and that it is the cause of these proceedings, as well as not informing
following this DPSA of the measures adopted could lead to the exercise of
possible proceedings before the controller to ensure the application of
effectively the appropriate measures to ensure and not compromise the
confidentiality of personal data and the right to privacy of
people.
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of penalties whose existence has been established,
The Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE OUT-OF-SHORE LABOUR PREVENTION SERVICE
EXTREMEÑA, S.L., with NIF B06307748, for infringement of articles 32.1, 33 and 34
of the RGPD, typified in accordance with the provisions of article 83.4.a) of the said RGPD,
a warning sanction.
SECOND: REQUIRING OUTSIDE SERVICE FOR OCCUPATIONAL PREVENTION
EXTREMEÑA, S.L. with NIF B06307748, so that within one month from
notification of this resolution, certify: the adoption of the security measures
necessary and relevant in accordance with the regulations on the protection of
personal data in order to prevent the recurrence of such data in the future
incidents such as those that have given rise to the claim by correcting the effects of the
access to data, adapting these measures to the requirements of the
referred to in Article 32.1 of the GPRS; the measures taken to
the notification in case of a breach of the security of personal data of
in accordance with Article 33 of the RGPD and the procedure implemented to
the case that a breach of personal data security will result in a stop
risk to the rights and freedoms of natural persons, in accordance with
as set out in Article 34 of the RGPD.
THIRD: TO NOTIFY this resolution to OUTSIDE SERVICE OF
PREVENCION LABORAL EXTREMEÑA, S.L. with NIF B06307748.
In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution shall be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to art.
48.6 of the LOPDGDD, and in accordance with Article 123 of the
LPACAP, the interested parties may, on an optional basis, file an appeal for replacement
to the Director of the Spanish Data Protection Agency within a
month from the day following notification of this resolution or directly
contentious-administrative appeal before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the
referred to Law.
Finally, it is pointed out that in accordance with the provisions of article 90.3 a) of the
LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels
if the interested party expresses his intention to file an administrative appeal. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Data Protection Agency,
by submitting it through the Agency's Electronic Register
[https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other
registrations provided for in Article 16.4 of the aforementioned Law 39/2015 of 1 October. Also
must send to the Agency the documentation proving the effective intervention
of the contentious-administrative appeal. If the Agency was not aware of the
the lodging of the contentious-administrative appeal within two months of
day following notification of this resolution, would terminate the
precautionary suspension.
Mar España Martí
Director of the Spanish Data Protection Agency