Editing AEPD - PS/00389/2019

From GDPRhub

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 60: Line 60:
 
Spanish DPA found that leaving the respondent's workers' medical reports on the street at sight constituted a breach of the principle of integrity and confidentiality of data processing under the GDPR.
 
Spanish DPA found that leaving the respondent's workers' medical reports on the street at sight constituted a breach of the principle of integrity and confidentiality of data processing under the GDPR.
  
==English Summary==
+
== English Summary ==
  
===Facts===
+
=== Facts ===
 
The local authorities filed a complaint with the Spanish DPA against the complainant for an alleged violation of the GDPR by finding scattered on the street medical examination reports concerning workers of the respondent.
 
The local authorities filed a complaint with the Spanish DPA against the complainant for an alleged violation of the GDPR by finding scattered on the street medical examination reports concerning workers of the respondent.
  
===Dispute===
+
=== Dispute ===
 
Is it compliant with Article 32 of the GDPR to leave at sight in the street data concerning the medical reports of employees?
 
Is it compliant with Article 32 of the GDPR to leave at sight in the street data concerning the medical reports of employees?
  
===Holding===
+
=== Holding ===
 
The Spanish DPA found that the respondent is responsible for not having made decisions aimed at effectively implementing
 
The Spanish DPA found that the respondent is responsible for not having made decisions aimed at effectively implementing
 
appropriate technical and organisational measures to ensure a level of safety
 
appropriate technical and organisational measures to ensure a level of safety
 
appropriate to the risk to ensure the confidentiality of the data.
 
appropriate to the risk to ensure the confidentiality of the data.
  
==Comment==
+
== Comment ==
  
  
==Further Resources==
+
== Further Resources ==
 
''Share blogs or news articles here!''
 
''Share blogs or news articles here!''
  
==English Machine Translation of the Decision==
+
== English Machine Translation of the Decision ==
 
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
 
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
  
 
<pre>
 
<pre>
DECISION ON DISCIPLINARY PROCEEDINGS
 
From the procedure instructed by the Spanish Data Protection Agency and
 
on the basis of the following
 
BACKGROUND
 
FIRST: On 23/04/2019 the LOCAL POLICE of BADAJOZ CITY COUNCIL
 
submitted a complaint against the OUTSIDE SERVICE OF LABOUR PREVENTION
 
EXTREMEÑA, S.L. (hereinafter the defendant), for allegedly infringing the
 
regulations on personal data protection, as they are scattered on the ground,
 
next to a vehicle of the company External service of prevention of labor Extremeña,
 
S.L. medical examination reports dated 02/12/2010 relating to
 
workers of the company Aguas del Suroeste, S.L.
 
SECOND: Upon receipt of the claim, the Subdirectorate General of
 
Data Inspection proceeded to perform the following actions:
 
On 18/05/2019, reiterated on 30/05/2019, the
 
complaint submitted for analysis and communication to the complainant of the decision
 
adopted in this regard. It was also required to ensure that within one month
 
to submit certain information to the Agency:
 
- A copy of the communications, of the decision taken which you have sent to the
 
claimant regarding the transfer of this claim, and proof that
 
the complainant has been notified of this decision.
 
- Report on the causes of the incident that led to the
 
claim.
 
- Report on the measures taken to prevent
 
similar incidents.
 
- Any other that you consider relevant.
 
On the same date, the claimant was informed of the receipt of the
 
claim and its transfer to the claimed entity.
 
On 22/10/2019, in accordance with Article 65 of the LOPDGDD, the Director
 
of the Spanish Data Protection Agency agreed to admit the claim for processing
 
filed by the claimant against the respondent.
 
THIRD: On 24/02/2020, the Director of the Spanish Protection Agency
 
of Data agreed to initiate sanctioning proceedings against the respondent, for the alleged
 
infringement for the alleged violation of Articles 32.1, 33 and 34 of the RGPD,
 
sanctioned in accordance with the provisions of article 83.4.a) of the aforementioned RGPD,
 
Considering that the sanction that could correspond would be of APPRECIATION.
 
FOURTH: Notification of the agreement of initiation, the claimed at the time of this
 
resolution has not submitted a written statement of case, and therefore the
 
referred to in Article 64 of Law 39/2015 of 1 October on the Procedure
 
Common Administrative Framework for Public Administrations, which in its paragraph (f)
 
provides that in the event of failure to make representations within the prescribed period on the
 
content of the agreement of initiation, it may be considered as a proposal for
 
resolution when it contains a precise statement of liability
 
The Court of First Instance shall give its decision.
 
FIFTH: Of the proceedings carried out in the present procedure, the following have been decided
 
The following are accredited:
 
PROVEN FACTS
 
FIRST: On 23/04/2019 the LOCAL POLICE of the
 
BADAJOZ TOWN COUNCIL by which it gives notice of the Act of Complaint against the
 
SERVICIO AJENO DE PREVENCION LABORAL EXTREMEÑA, S.L. (hereinafter referred to as
 
claimed), for alleged infringement of data protection regulations
 
personal, finding them scattered on the ground, next to a company vehicle
 
Servicio Ajeno de Prevención Laboral Extremeña, S.L. recognition reports
 
medical care for employees of Aguas del Suroeste, S.L..
 
SECOND: A copy of the police report has been provided
 
Local of the City council of Badajoz nº 10735 indicating: "They are scattered by the
 
floor, next to a company vehicle External occupational health and safety service
 
Extremeña, S.L., medical examination reports dated 02/12/10",
 
continuing: "The above-mentioned medical reports relate to workers of the
 
company Aguas del Suroeste, S.L. Photocopies are attached".
 
As a precautionary measure, the police state: "These reports are being removed from the road".
 
THIRD: Copies of "Medical examination reports" are attached
 
Ordinary Newspaper practiced in the Occupational Medicine Area of the
 
Prevention on 2 December 2010 a", concerning two workers from the
 
company Aguas del Suroeste, S.L.
 
FOURTH: The claimant has not responded to any of the requirements
 
made by the AEPD; nor has it made any allegations about the agreement to initiate the
 
sanctioning procedure.
 
LEGAL GROUNDS
 
I
 
By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the
 
authority, and in accordance with Article 47 of Organic Law 3/2018, of
 
5 December, Protection of Personal Data and Guarantee of  Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Agency of
 
Data Protection is competent to resolve this procedure.
 
II
 
Law 39/2015 of 1 October on the Common Administrative Procedure of
 
the public authorities, in Article 64 "Agreement on initiation in the
 
procedures of a punitive nature," it provides:
 
"The agreement to initiate proceedings shall be communicated to the instructor of the proceedings, with
 
The transfer of any proceedings in this respect shall be notified to the parties concerned,
 
meaning in any case the accused.
 
The complainant shall also be informed of the initiation of proceedings where the rules
 
The procedure's regulators provide for this.
 
2. The agreement on initiation shall contain at least
 
(a) Identification of the person or persons alleged to be responsible.
 
(b) The facts which give rise to the initiation of the proceedings, their possible
 
qualification and any penalties that may apply, without prejudice to the
 
of instruction.
 
(c) Identification of the investigator and, where appropriate, secretary of the proceedings, with
 
express indication of the regime of challenge of the same.
 
(d) The competent body for the resolution of the procedure and the rule which it
 
to attribute such competence, indicating the possibility that the alleged perpetrator
 
may voluntarily acknowledge its responsibility, with the effects foreseen in the
 
Article 85.
 
(e) Measures of a provisional nature agreed upon by the body
 
competent to initiate the penalty procedure, without prejudice to those
 
may adopt during the same in accordance with Article 56.
 
(f) Indication of the right to make representations and to be heard at the
 
procedure and the time limits for its exercise, as well as an indication that, if
 
not to make representations on the content of the agreement within the time limit
 
The motion for a resolution may be considered as a motion for a resolution when it contains a
 
precise statement of the responsibility charged.
 
3. Exceptionally, when at the time of issuing the agreement of initiation
 
there are insufficient elements for the initial qualification of the facts on which they are based
 
the opening of the procedure, such qualification may be made at one stage
 
later by drawing up a Statement of Objections, which shall be notified to
 
the interested parties."
 
In application of the previous precept and taking into account that no
 
The proceedings initiated by the Commission are closed.
 
III
 
Article 58 of the RGPD, Powers, states:
 
"Each supervisory authority shall have all the following powers
 
corrections indicated below:
 
(…)
 
(i) to impose an administrative fine pursuant to Article 83 in addition to or in addition to
 
place of the measures referred to in this paragraph, depending on the circumstances
 
of each individual case;
 
(…)”
 
Article 5 of the RGPD sets out the principles that should govern the
 
processing of personal data and mentions among them that of "integrity and
 
confidentiality".
 
The article states that:
 
"1. Personal data shall be:
 
(…)
 
(f) treated in such a way as to ensure adequate safety of the
 
personal data, including protection against unauthorised or unlawful processing and
 
against their accidental loss, destruction or damage, by the application of measures
 
appropriate techniques or organisational arrangements ("integrity and confidentiality")".
 
In turn, the security of personal data is regulated in the
 
32, 33 and 34 of the RGPD.
 
Article 32 of the RGPD "Security of processing", states that:
 
"Taking into account the state of the art, the costs of implementation, and the
 
nature, scope, context and purposes of the processing, as well as risks of
 
variable probability and severity for the rights and freedoms of individuals
 
the controller and the processor shall implement technical and
 
appropriate organisational arrangements to ensure a level of safety appropriate to the risk,
 
which in your case includes, among others:
 
(a) the pseudonymisation and encryption of personal data
 
(b) the ability to ensure the confidentiality, integrity, availability and
 
permanent resilience of treatment systems and services;
 
(c) the ability to restore the availability of and access to data
 
personal quickly in the event of a physical or technical incident;
 
(d) a process of regular verification, evaluation and assessment of effectiveness
 
of technical and organizational measures to ensure the safety of
 
treatment.
 
2. In assessing the adequacy of the level of security, particular consideration shall be given to
 
taking into account the risks involved in the processing of data, in particular as
 
as a result of the accidental or unlawful destruction, loss or alteration of data
 
transmitted, retained or otherwise processed, or the communication or
 
unauthorized access to such data.
 
3. Adherence to a code of conduct adopted pursuant to Article 40 or to a
 
certification mechanism approved under Article 42 may serve as an element to demonstrate compliance with the requirements set out in paragraph 1 of
 
this article.
 
4. The controller and the processor shall take measures to
 
ensure that any person acting under the authority of the person in charge or of the
 
and has access to personal data may only process such data
 
on the instructions of the person responsible, unless he is obliged to do so by virtue of
 
Union or Member States' law".
 
Article 33 of the GPRS, Notification of a breach of the security of
 
personal data to the supervisory authority, states that:
 
"1. In the event of a breach of the security of personal data, the
 
the controller shall notify it to the competent supervisory authority of
 
in accordance with Article 55 without undue delay and if possible not later than 72
 
hours after you've had a record of it, unless it's unlikely
 
that such a breach of security constitutes a risk to the rights and
 
freedoms of natural persons. If the notification to the supervisory authority does not
 
within 72 hours, shall be accompanied by an indication of the reasons for
 
the procrastination.
 
2. The data controller shall without undue delay notify the person responsible
 
of the processing the violations of the security of personal data of which
 
has knowledge.
 
3. The notification referred to in paragraph 1 shall at least
 
(a) describe the nature of the data security breach
 
including, where possible, the categories and number of
 
of stakeholders concerned, and the categories and approximate number
 
of affected personal data records;
 
(b) communicate the name and contact details of the Data Protection Officer of
 
data or other contact point where further information can be obtained;
 
(c) describe the possible consequences of a breach of the security of
 
personal data;
 
(d) describe the measures taken or proposed by the controller
 
processing to remedy the data security breach
 
including, where appropriate, measures taken to mitigate the
 
possible negative effects.
 
4. If it is not possible to provide the information simultaneously, and to the extent
 
Where it is not, the information shall be provided gradually without undue delay.
 
5. The controller shall document any breach of the
 
security of personal data, including facts relating to it, its
 
effects and the corrective measures taken. Such documentation shall enable the
 
The monitoring authority shall verify compliance with the provisions of this Article And Article 34, Communication of a breach of data security
 
personal to the interested party, establishes that:
 
"1. Where it is likely that the breach of data security
 
personal risk to the rights and freedoms of individuals
 
the controller shall communicate it to the data subject without delay
 
improper.
 
2. The communication to the person concerned referred to in paragraph 1 of this
 
article will describe in clear and simple language the nature of the violation of
 
security of personal data and shall contain at least the information and
 
measures referred to in Article 33(3)(b), (c) and (d).
 
3. The communication to the person concerned referred to in paragraph 1 shall not be
 
necessary if any of the following conditions are met:
 
(a) the controller has adopted technical protection measures
 
and organizational measures and these measures have been applied to the data
 
personal data affected by the violation of the security of personal data,
 
in particular those which make personal data unintelligible to
 
any person who is not authorized to access them, such as encryption;
 
(b) the controller has taken further steps to ensure
 
that there is no longer a likelihood of the high risk for
 
rights and freedoms of the data subject referred to in paragraph 1;
 
(c) it involves a disproportionate effort. In this case, the following shall be chosen instead
 
by a public communication or similar measure informing
 
in an equally effective way to the stakeholders.
 
4. Where the person responsible has not yet informed the data subject of
 
violation of personal data security, the supervisory authority shall, once
 
considered the likelihood of such a violation involving a high risk, may require you to
 
to do so or may decide that one of the conditions mentioned in
 
paragraph 3".
 
IV
 
In this case, it is common ground that on 23/04/2019 the LOCAL POLICE
 
of BADAJOZ TOWN HALL provided a copy of the Act of Complaint against the
 
The complaint, which shows that the regulations on the protection of
 
personal data, when they are spread out on the public highway and next to a vehicle of their
 
property medical examination reports relating to employees of the
 
company Aguas del Suroeste, S.L. containing sensitive data and especially
 
protected and the aforementioned forces of law and order proceeding to remove them from the public
 
as a precautionary measure.
 
On the other hand, the absence of sensitivity on the part of the defendant to
 
the aforementioned facts since he did not even answer the requests for information
 
made by the AEPD, nor did it respond by submitting written allegations at the beginning of
 
agreement on sanctioning procedures and which, in addition, aims to promote safety and health of workers through the development of activities
 
necessary and convenient for the prevention of risks derived from work.
 
It should be noted that the RGPD defines data security violations
 
personal as "all those violations of security that cause the
 
accidental or unlawful destruction, loss or alteration of transmitted personal data
 
stored or otherwise processed, or the unauthorized communication of or access to
 
such data".
 
From the documentation in the file, there are clear indications of
 
that the respondent has violated article 32 of the RGPD, by producing a breach of
 
security in their systems by allowing and providing access to data
 
related to medical examination reports dated 02/12/2010 of
 
workers of the company Aguas del Suroeste who were spread out over the
 
floor.
 
The RGPD in the mentioned precept does not establish a list of the measures of
 
security that apply according to the data that are the subject of
 
processing, but provides that the controller and the processor
 
apply technical and organisational measures that are appropriate to the risk involved
 
treatment, taking into account the state of the art, implementation costs, the
 
nature, scope, context and purposes of the processing, probability risks
 
and gravity for the rights and freedoms of the persons concerned.
 
Security measures should also be adequate and
 
proportionate to the risk identified, noting that the determination of the measures
 
The technical and organisational aspects of this must be taken into account: pseudonymisation and
 
encryption, the ability to ensure confidentiality, integrity, availability and
 
resilience, the ability to restore data availability and access after a
 
incident, verification (non-audit) process, evaluation and assessment of
 
effectiveness of the measures.
 
In any case, when assessing the adequacy of the level of safety, the following shall be taken into account
 
particularly taking into account the risks presented by the processing of data, such as
 
as a result of the accidental or unlawful destruction, loss or alteration of data
 
transmitted, retained or otherwise processed, or the communication or
 
unauthorised access to such data and which could result in damage
 
physical, material or immaterial.
 
In the same sense, recital 83 of the RGPD states that
 
"(83) In order to maintain security and to prevent the processing from infringing
 
provided for in this Regulation, the responsible person or person in charge should evaluate
 
the risks inherent in the treatment and implement measures to mitigate them, such as
 
encryption. These measures should ensure an appropriate level of security, including
 
confidentiality, taking into account the state of the art and the cost of implementation
 
with regard to the risks and the nature of the personal data to be
 
to protect themselves. When assessing the risk in relation to data security, you should
 
take into account the risks involved in the processing of personal data,
 
such as the accidental or unlawful destruction, loss or alteration of personal data transmitted, retained or otherwise processed, or the communication or access not
 
authorized to such data, which may in particular cause damage
 
physical, material or immaterial".
 
As noted above and in the context of the
 
investigation ***EXPEDIENTE.1 the AEPD transferred to the reclaimed on 18/05/2019 and the
 
30/05/2019 the complaint submitted for analysis requesting the contribution of
 
information related to the claimed incidence, without having received in this
 
no organism response whatsoever.
 
The liability of the claimant is determined by the bankruptcy of
 
security highlighted by the Local Police of the City of Badajoz, already
 
who is responsible for making decisions aimed at effectively implementing
 
appropriate technical and organisational measures to ensure a level of safety
 
to ensure the confidentiality of the data, restoring their
 
availability and prevent access to them in the event of a physical or technical incident.
 
However, it is clear from the documentation provided that the entity has not only
 
This obligation has not been fulfilled, but there is also no knowledge of the adoption of any measures at
 
in this respect, despite having given him notice of the complaint filed.
 
Article 33 of the RGPD also regulates the notification of violations of
 
security that may pose a risk to the rights and freedoms of
 
natural persons to the competent supervisory authority, which in the case of Spain is
 
of the AEPD.
 
Therefore, whenever a gap affects data of a
 
personnel of natural persons we must communicate it to the AEPD and, in addition
 
we must notify you within 72 hours of having
 
knowledge of the gap.
 
Finally, it should be added that having been informed of the incident of
 
The security department is also not known to have taken any measures to
 
to remedy it, once he became aware of it.
 
Nor is there any evidence that, in accordance with the
 
Article 34 would have informed the persons concerned of the violation of the security of
 
personal data without undue delay once he became aware of them.
 
In accordance with the above, the respondent would be responsible for the
 
violations of the RGPD: violation of Articles 32, 33 and 34, violations
 
all of which are typified in article 83.4.a).
 
V
 
The violation of articles 32, 33 and 34 of the RGPD are criminalized
 
in Article 83.4(a) of the said GPRS in the following terms:
 
“4. Infringements of the following provisions shall be sanctioned, in accordance with
 
with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or
 
in the case of an undertaking, up to a maximum of 2 % of total annual turnover for the previous financial year, opting for
 
the largest:
 
(a) the obligations of the person responsible and the person in charge under Articles 8,
 
11, 25 to 39, 42 and 43.
 
(…)”
 
The LOPDGDD in its article 71, Infractions, points out that: "They constitute
 
infringements the acts and conduct referred to in paragraphs 4, 5 and 6 of
 
Article 83 of Regulation (EU) 2016/679, as well as those which are contrary to the
 
present organic law".
 
And in its article 73, for the purposes of the statute of limitations, it qualifies as "Infringements
 
considered serious."
 
"In accordance with Article 83(4) of Regulation (EU) 2016/679
 
are considered serious and shall be subject to a two-year statute of limitations for offences involving
 
substantial infringement of the Articles mentioned in that one and, in particular, the
 
next:
 
(…)
 
(g) Breach as a result of lack of due diligence,
 
of the technical and organisational measures that have been implemented in accordance with
 
required by Article 32.1 of Regulation (EU) 2016/679".
 
(r) Failure to notify the protection authority of
 
data of a personal data security breach in accordance with the
 
provided for in Article 33 of Regulation (EU) 2016/679.
 
(s) Failure to comply with the duty to inform the person concerned of a breach of
 
data security in accordance with Article 34 of the
 
Regulation (EU) 2016/679 if the controller had been requested
 
by the data protection authority to carry out such notification.
 
The facts set out in the complaint are specified in the
 
existence of a security breach in the systems of the claimed party allowing the
 
vulnerability of it by allowing reports dated 02/12/2010 concerning
 
medical examinations and belonging to workers of the company Aguas del
 
Southwest, were spread out on the public highway and allowing access to data
 
contained in them.
 
All of this constitutes a violation of the security of personal data, which
 
which constitutes an infringement of Articles 32.1, 33 and 34 of the RGPD.
 
VI
 
However, Article 58(2) of the EUCPN states: "Each authority
 
The inspection body shall have all the following corrective powers as indicated to
 
continued:
 
(…)
 
(b) sanction any person responsible for or in charge of the processing with
 
warning where processing operations have infringed the provisions of
 
this Regulation;
 
(…)”
 
The RGPD, without prejudice to the provisions of Article 83 thereof, provides in its
 
Article 58(2)(b) the possibility of using the warning to correct treatment
 
of personal data that does not meet your expectations.
 
In this case, it has been proved that the person claimed does not
 
has implemented technical and organisational measures to ensure a level of security
 
capable of ensuring the confidentiality, integrity, availability of the
 
access; appropriate measures for notification in the event of a breach of the
 
of a personal data security breach and the procedure
 
implemented in the event that the violation of personal data security
 
involves a high risk to the rights and freedoms of natural persons.
 
VII
 
The respondent has not replied to the information request
 
by the Inspection Service.
 
At this point, it is necessary to inform that not attending the requirements
 
of the Agency may constitute a very serious infringement in accordance with
 
referred to in Article 72 of the LOPDGDD, which provides "1. Depending on what
 
Article 83(5) of Regulation (EU) 2016/679 are considered very serious and
 
The statute of limitations for offences involving a substantial breach shall be three years
 
of the articles mentioned in that one and, in particular, the following ones:
 
(…)
 
ñ) Not to provide access to the staff of the data protection authority
 
competent to personal data, information, premises, equipment and means of
 
processing required by the data protection authority for the
 
exercise of their powers of investigation.
 
(o) Resistance to or obstruction of the exercise of the inspection function by
 
competent data protection authority'.
 
(…)”
 
At the same time, notification of the agreement to commence and the expiry of the period granted
 
to make allegations, I do not submit any written.
 
As stated above, it is common ground that the respondent
 
does not have technical and organisational measures in place to ensure a level of
 
adequate security capable of ensuring confidentiality, integrity and availability
 
of the data avoiding its access, loss, etc.; adequate measures to proceed to the
 
notification in the event of a breach of personal data security and
 
procedure in place in the event of a data security breach
 
personal risk to the rights and freedoms of individuals It is necessary to point out that if these incidents are not corrected by adopting the
 
appropriate technical and organisational measures, adapting them to the
 
Articles 32.1, 33 and 34 of the RGPD or reiterate the conduct set out in
 
the complaint and that it is the cause of these proceedings, as well as not informing
 
following this DPSA of the measures adopted could lead to the exercise of
 
possible proceedings before the controller to ensure the application of
 
effectively the appropriate measures to ensure and not compromise the
 
confidentiality of personal data and the right to privacy of
 
people.
 
Therefore, in accordance with the applicable legislation and assessed the criteria of
 
graduation of penalties whose existence has been established,
 
The Director of the Spanish Data Protection Agency RESOLVES:
 
FIRST: TO IMPOSE OUT-OF-SHORE LABOUR PREVENTION SERVICE
 
EXTREMEÑA, S.L., with NIF B06307748, for infringement of articles 32.1, 33 and 34
 
of the RGPD, typified in accordance with the provisions of article 83.4.a) of the said RGPD,
 
a warning sanction.
 
SECOND: REQUIRING OUTSIDE SERVICE FOR OCCUPATIONAL PREVENTION
 
EXTREMEÑA, S.L. with NIF B06307748, so that within one month from
 
notification of this resolution, certify: the adoption of the security measures
 
necessary and relevant in accordance with the regulations on the protection of
 
personal data in order to prevent the recurrence of such data in the future
 
incidents such as those that have given rise to the claim by correcting the effects of the
 
access to data, adapting these measures to the requirements of the
 
referred to in Article 32.1 of the GPRS; the measures taken to
 
the notification in case of a breach of the security of personal data of
 
in accordance with Article 33 of the RGPD and the procedure implemented to
 
the case that a breach of personal data security will result in a stop
 
risk to the rights and freedoms of natural persons, in accordance with
 
as set out in Article 34 of the RGPD.
 
THIRD: TO NOTIFY this resolution to OUTSIDE SERVICE OF
 
PREVENCION LABORAL EXTREMEÑA, S.L. with NIF B06307748.
 
In accordance with the provisions of article 50 of the LOPDGDD, the
 
This Resolution shall be made public after it has been notified to the interested parties.
 
Against this resolution, which puts an end to the administrative procedure according to art.
 
48.6 of the LOPDGDD, and in accordance with Article 123 of the
 
LPACAP, the interested parties may, on an optional basis, file an appeal for replacement
 
to the Director of the Spanish Data Protection Agency within a
 
month from the day following notification of this resolution or directly
 
contentious-administrative appeal before the Administrative Chamber of the
 
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
 
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
 
Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the
 
referred to Law.
 
Finally, it is pointed out that in accordance with the provisions of article 90.3 a) of the
 
LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels
 
if the interested party expresses his intention to file an administrative appeal. If this is the case, the interested party must formally communicate this
 
made by writing to the Spanish Data Protection Agency,
 
by submitting it through the Agency's Electronic Register
 
[https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other
 
registrations provided for in Article 16.4 of the aforementioned Law 39/2015 of 1 October. Also
 
must send to the Agency the documentation proving the effective intervention
 
of the contentious-administrative appeal. If the Agency was not aware of the
 
the lodging of the contentious-administrative appeal within two months of
 
day following notification of this resolution, would terminate the
 
precautionary suspension.
 
Mar España Martí
 
Director of the Spanish Data Protection Agency
 
 
 
 
  
 
</pre>
 
</pre>

Please note that all contributions to GDPRhub are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see GDPRhub:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)

Template used on this page: