Spanish DPA found that leaving workers' medical examination reports in plain view on the street, next to the respondent's vehicle, constituted a breach of the principle of integrity and confidentiality of data processing under the GDPR.

== English Summary ==

=== Facts ===
The local police of Badajoz filed a complaint with the Spanish DPA against the respondent, an external occupational risk prevention service, for an alleged violation of the GDPR after finding medical examination reports concerning workers of another company (Aguas del Suroeste, S.L.) scattered on the street next to the respondent's vehicle.

=== Dispute ===
Is it compliant with Article 32 of the GDPR to leave medical reports concerning employees in plain view on the street?

=== Holding ===
The Spanish DPA found that the respondent was responsible for not having taken decisions aimed at effectively implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to guarantee the confidentiality of the data. The respondent had neither notified the breach to the DPA nor communicated it to the data subjects, and it never answered the DPA's requests for information. The DPA found infringements of Articles 32(1), 33 and 34 of the GDPR, imposed a warning, and required the respondent to certify within one month the measures adopted to comply with those articles.

== Comment ==

== Further Resources ==
''Share blogs or news articles here!''

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

<pre>
DECISION ON SANCTIONING PROCEEDINGS

From the procedure instructed by the Spanish Data Protection Agency and on the basis of the following

BACKGROUND

FIRST: On 23/04/2019 the LOCAL POLICE of BADAJOZ CITY COUNCIL submitted a complaint against SERVICIO AJENO DE PREVENCIÓN LABORAL EXTREMEÑA, S.L. (hereinafter the respondent), for allegedly infringing the regulations on personal data protection, in that medical examination reports dated 02/12/2010 relating to workers of the company Aguas del Suroeste, S.L. were found scattered on the ground next to a vehicle of the company Servicio Ajeno de Prevención Laboral Extremeña, S.L.

SECOND: Upon receipt of the complaint, the Subdirectorate General for Data Inspection carried out the following actions:

On 18/05/2019, reiterated on 30/05/2019, the complaint submitted was transferred to the respondent for analysis and for communication to the complainant of the decision adopted in this regard. The respondent was also required to submit certain information to the Agency within one month:

- A copy of the communications, of the decision taken, sent to the complainant regarding the transfer of this complaint, and proof that the complainant has been notified of that decision.

- A report on the causes of the incident that led to the complaint.

- A report on the measures taken to prevent similar incidents.

- Any other information it considered relevant.

On the same date, the complainant was informed of the receipt of the complaint and of its transfer to the respondent.

On 22/10/2019, in accordance with Article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit for processing the complaint filed by the complainant against the respondent.

THIRD: On 24/02/2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent for the alleged infringement of Articles 32.1, 33 and 34 of the RGPD, typified in Article 83.4.a) of the said RGPD, considering that the sanction that could correspond would be a WARNING.

FOURTH: The agreement to initiate proceedings having been notified, the respondent has not, at the time of this resolution, submitted any written representations; therefore Article 64 of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP) applies, paragraph 2(f) of which provides that, in the event of failure to make representations within the prescribed period on the content of the agreement to initiate proceedings, that agreement may be considered a proposal for a resolution when it contains a precise statement of the liability charged.

FIFTH: From the proceedings carried out in the present procedure, the following facts have been established:

PROVEN FACTS

FIRST: On 23/04/2019 a communication was received from the LOCAL POLICE of BADAJOZ TOWN COUNCIL giving notice of the complaint report against SERVICIO AJENO DE PREVENCIÓN LABORAL EXTREMEÑA, S.L. (hereinafter the respondent), for alleged infringement of the personal data protection regulations, medical examination reports of employees of Aguas del Suroeste, S.L. having been found scattered on the ground next to a vehicle of the company Servicio Ajeno de Prevención Laboral Extremeña, S.L.

SECOND: A copy of report no. 10735 of the Local Police of Badajoz City Council has been provided, which states: "Scattered on the ground, next to a vehicle of the company Servicio Ajeno de Prevención Laboral Extremeña, S.L., are medical examination reports dated 02/12/10", and continues: "The above-mentioned medical reports relate to workers of the company Aguas del Suroeste, S.L. Photocopies are attached". As a precautionary measure, the police state: "These reports are removed from the public road".

THIRD: Copies are attached of "Periodic Ordinary Medical Examination Reports carried out in the Occupational Medicine Area of the Prevention Service on 2 December 2010", concerning two workers of the company Aguas del Suroeste, S.L.

FOURTH: The respondent has not responded to any of the requests made by the AEPD, nor has it made any representations on the agreement to initiate the sanctioning procedure.

LEGAL GROUNDS

I

By virtue of the powers conferred on each supervisory authority by Article 58(2) of the RGPD, and in accordance with Article 47 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations, in Article 64, "Agreement to initiate proceedings of a punitive nature", provides:

"1. The agreement to initiate proceedings shall be communicated to the instructor of the proceedings, with transfer of all the actions taken in this respect, and shall be notified to the interested parties, meaning in any case the accused.

The complainant shall also be informed of the initiation of proceedings where the rules governing the procedure so provide.

2. The agreement to initiate proceedings shall contain at least:

(a) Identification of the person or persons alleged to be responsible.

(b) The facts which give rise to the initiation of the proceedings, their possible qualification and the penalties that may apply, without prejudice to the outcome of the investigation.

(c) Identification of the investigator and, where appropriate, the secretary of the proceedings, with express indication of the rules for challenging them.

(d) The body competent to resolve the procedure and the rule attributing such competence, indicating the possibility that the alleged offender may voluntarily acknowledge its responsibility, with the effects provided for in Article 85.

(e) Provisional measures agreed upon by the body competent to initiate the sanctioning procedure, without prejudice to those which may be adopted during it in accordance with Article 56.

(f) Indication of the right to make representations and to be heard in the procedure and of the time limits for exercising it, as well as an indication that, if no representations are made on the content of the agreement to initiate proceedings within the time limit, it may be considered a proposal for a resolution when it contains a precise statement of the liability charged.

3. Exceptionally, when at the time of issuing the agreement to initiate proceedings there are insufficient elements for the initial qualification of the facts giving rise to the opening of the procedure, such qualification may be made at a later stage by drawing up a statement of objections, which shall be notified to the interested parties."

In application of the above provision, and taking into account that no representations were made on the agreement to initiate proceedings, that agreement is considered the proposal for a resolution.

III

Article 58 of the RGPD, "Powers", states:

"2. Each supervisory authority shall have all of the following corrective powers:

(…)

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;

(…)"

Article 5 of the RGPD sets out the principles that must govern the processing of personal data and includes among them that of "integrity and confidentiality".

The article states that:

"1. Personal data shall be:

(…)

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')".

In turn, the security of personal data is regulated in Articles 32, 33 and 34 of the RGPD.

Article 32 of the RGPD, "Security of processing", states:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."

Article 33 of the RGPD, "Notification of a personal data breach to the supervisory authority", states:

"1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article."

And Article 34, "Communication of a personal data breach to the data subject", establishes that:

"1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met."

IV

In this case, it is established that on 23/04/2019 the LOCAL POLICE of BADAJOZ TOWN COUNCIL provided a copy of the complaint report against the respondent, which shows that the personal data protection regulations were infringed, in that medical examination reports relating to employees of the company Aguas del Suroeste, S.L., containing sensitive and specially protected data, were scattered on the public road next to a vehicle owned by the respondent, the aforementioned law enforcement officers proceeding to remove them from the public road as a precautionary measure.

On the other hand, the respondent's lack of sensitivity to the aforementioned facts is evident, since it did not even answer the requests for information made by the AEPD, nor did it respond by submitting written representations to the agreement to initiate the sanctioning procedure; and this from an entity whose purpose, moreover, is to promote the safety and health of workers through the activities necessary and appropriate for the prevention of work-related risks.

It should be noted that the RGPD defines personal data breaches as "all breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

From the documentation in the file, there are clear indications that the respondent has infringed Article 32 of the RGPD by causing a breach of security in its systems, allowing and providing access to data contained in medical examination reports dated 02/12/2010 of workers of the company Aguas del Suroeste, which were scattered on the ground.

The RGPD in the aforementioned provision does not establish a list of the security measures applicable according to the data being processed, but provides that the controller and the processor shall apply technical and organisational measures appropriate to the risk of the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the persons concerned.

Security measures must also be adequate and proportionate to the risk identified, noting that the determination of the technical and organisational measures must take into account: pseudonymisation and encryption; the ability to ensure confidentiality, integrity, availability and resilience; the ability to restore the availability of and access to data after an incident; and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures.

In any case, when assessing the adequacy of the level of security, particular account shall be taken of the risks presented by the processing of data, such as those resulting from the accidental or unlawful destruction, loss or alteration of data transmitted, stored or otherwise processed, or from unauthorised disclosure of or access to such data, which could result in physical, material or non-material damage.

In the same sense, recital 83 of the RGPD states that:

"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage."

As noted above, and in the context of investigation ***EXPEDIENTE.1, the AEPD transferred the complaint submitted to the respondent on 18/05/2019 and 30/05/2019 for analysis, requesting the provision of information relating to the incident complained of, without having received any response whatsoever.

The liability of the respondent is determined by the security breach highlighted by the Local Police of the City of Badajoz, since it is the respondent who is responsible for taking decisions aimed at effectively implementing appropriate technical and organisational measures to ensure a level of security which guarantees the confidentiality of the data, restores their availability and prevents access to them in the event of a physical or technical incident.

However, it is clear from the documentation provided that the entity has not only failed to fulfil this obligation, but there is also no evidence of the adoption of any measures in this respect, despite having been given notice of the complaint filed.

Article 33 of the RGPD also regulates the notification of security breaches that may pose a risk to the rights and freedoms of natural persons to the competent supervisory authority, which in the case of Spain is the AEPD.

Therefore, whenever a breach affects the personal data of natural persons it must be communicated to the AEPD, and moreover it must be notified within 72 hours of becoming aware of the breach.

Finally, it should be added that, having been informed of the security incident, the respondent is likewise not known to have taken any measures to remedy it once it became aware of it.

Nor is there any evidence that, in accordance with Article 34, it informed the persons concerned of the personal data breach without undue delay once it became aware of it.

In accordance with the above, the respondent would be responsible for the following infringements of the RGPD: infringement of Articles 32, 33 and 34, all of which are typified in Article 83.4.a).

V

The infringement of Articles 32, 33 and 34 of the RGPD is typified in Article 83.4(a) of the said RGPD in the following terms:

"4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2 % of the total annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43.

(…)"

The LOPDGDD in its Article 71, "Infringements", states: "The acts and conduct referred to in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those which are contrary to this Organic Law, constitute infringements".

And in its Article 73, for the purposes of the statute of limitations, it qualifies as "Infringements considered serious":

"In accordance with Article 83(4) of Regulation (EU) 2016/679, the following are considered serious and shall be subject to a two-year statute of limitations: infringements involving a substantial breach of the Articles mentioned therein and, in particular, the following:

(…)

(g) Breach, as a result of lack of due diligence, of the technical and organisational measures implemented in accordance with the requirements of Article 32.1 of Regulation (EU) 2016/679.

(r) Failure to notify the data protection authority of a personal data breach in accordance with Article 33 of Regulation (EU) 2016/679.

(s) Failure to comply with the duty to inform the data subject of a personal data breach in accordance with Article 34 of Regulation (EU) 2016/679, where the controller had been requested by the data protection authority to carry out such notification."

The facts set out in the complaint consist of the existence of a security breach in the respondent's systems, exposing their vulnerability by allowing reports dated 02/12/2010 concerning medical examinations of workers of the company Aguas del Suroeste to be scattered on the public road and allowing access to the data contained in them.

All of this constitutes a personal data breach, which in turn constitutes an infringement of Articles 32.1, 33 and 34 of the RGPD.

VI

However, Article 58(2) of the RGPD states: "Each supervisory authority shall have all of the following corrective powers:

(…)

(b) to sanction with a warning any controller or processor where processing operations have infringed the provisions of this Regulation;

(…)"

The RGPD, without prejudice to the provisions of Article 83 thereof, provides in Article 58(2)(b) for the possibility of using the warning to correct processing of personal data that does not comply with its provisions.

In this case, it has been proved that the respondent has not implemented technical and organisational measures to ensure a level of security capable of ensuring the confidentiality, integrity and availability of the data and preventing access to them; appropriate measures for notification in the event of a personal data breach; or a procedure implemented for the event that a personal data breach entails a high risk to the rights and freedoms of natural persons.

VII

The respondent has not replied to the request for information made by the Inspection Service.

At this point, it is necessary to point out that failure to comply with the Agency's requests may constitute a very serious infringement under Article 72 of the LOPDGDD, which provides: "1. In accordance with Article 83(5) of Regulation (EU) 2016/679, the following are considered very serious and shall be subject to a three-year statute of limitations: infringements involving a substantial breach of the articles mentioned therein and, in particular, the following:

(…)

ñ) Failure to provide the staff of the competent data protection authority with access to the personal data, information, premises, equipment and means of processing required by the data protection authority for the exercise of its investigative powers.

(o) Resistance to or obstruction of the exercise of the inspection function by the competent data protection authority.

(…)"

Likewise, the agreement to initiate proceedings having been notified and the period granted for making representations having expired, no written representations were submitted.

As stated above, it is established that the respondent does not have technical and organisational measures in place to ensure an adequate level of security capable of ensuring the confidentiality, integrity and availability of the data and preventing their access, loss, etc.; adequate measures for notification in the event of a personal data breach; or a procedure in place for the event that a personal data breach entails a high risk to the rights and freedoms of natural persons.

It is necessary to point out that if these incidents are not corrected by adopting appropriate technical and organisational measures, adapting them to Articles 32.1, 33 and 34 of the RGPD, or if the conduct set out in the complaint that gave rise to these proceedings is repeated, as well as if this AEPD is not informed of the measures adopted, this could lead to the initiation of possible proceedings against the controller to ensure the effective application of the appropriate measures to guarantee and not compromise the confidentiality of personal data and the right to privacy of individuals.

Therefore, in accordance with the applicable legislation and having assessed the criteria for grading penalties whose existence has been established,

The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE ON SERVICIO AJENO DE PREVENCIÓN LABORAL EXTREMEÑA, S.L., with NIF B06307748, for infringement of Articles 32.1, 33 and 34 of the RGPD, typified in accordance with the provisions of Article 83.4.a) of the said RGPD, a sanction of warning.

SECOND: TO REQUIRE SERVICIO AJENO DE PREVENCIÓN LABORAL EXTREMEÑA, S.L., with NIF B06307748, to certify, within one month of notification of this resolution: the adoption of the security measures necessary and relevant under the personal data protection regulations in order to prevent the recurrence in the future of incidents such as those that have given rise to the complaint, correcting the effects of the access to the data and adapting these measures to the requirements of Article 32.1 of the RGPD; the measures taken for notification in the event of a personal data breach in accordance with Article 33 of the RGPD; and the procedure implemented for the event that a personal data breach entails a high risk to the rights and freedoms of natural persons, in accordance with Article 34 of the RGPD.

THIRD: TO NOTIFY this resolution to SERVICIO AJENO DE PREVENCIÓN LABORAL EXTREMEÑA, S.L., with NIF B06307748.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution shall be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, the interested parties may, optionally, file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the said Law.

Finally, it is pointed out that, in accordance with Article 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/] or through one of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015 of 1 October. It must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within two months of the day following notification of this resolution, the precautionary suspension shall end.

Mar España Martí

Director of the Spanish Data Protection Agency
</pre>