AEPD - PS/00390/2019
|Relevant Law:||Article 32 GDPR; Article 83(4) GDPR|
|National Case Number/Name:||PS/00390/2019|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA (AEPD) imposed a fine of €2,000 on a lawyer for a violation of Article 32 GDPR, after the lawyer reused paper carrying third-party personal data on its reverse.
English Summary
Facts
The complainant alleged that the defendant, a lawyer, had on two occasions reused paper to summon the tenants of a property. The reverse of the sheets carried the names and surnames of several third parties (one of them a minor) relating to legal proceedings in which the defendant had acted as lawyer, so that the data became accessible to third parties without the consent of the data subjects. The complainant invoked Articles 6 and 32 GDPR.
Dispute
Holding
The AEPD upheld the complaint and found a violation of Article 32 GDPR: reusing paper that still carried third-party personal data on its reverse meant that the defendant had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The defendant did not respond to any of the AEPD's requests, which were returned by post, nor to the initiation of the proceedings. The AEPD imposed a fine of €2,000 on the defendant.
Comment
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00390/2019

RESOLUTION OF THE SANCTIONING PROCEDURE

In the procedure instituted by the Spanish Data Protection Agency, and on the basis of the following

BACKGROUND

FIRST: A.A.A. (hereinafter the complainant) filed a complaint with the Spanish Data Protection Agency on 11 April 2019. The complaint is directed against B.B.B., with NIF ***NIF.1 (hereinafter the respondent). The complaint is based on the reuse of paper bearing personal data: on two occasions the respondent used, to summon the tenants of a property, a sheet on whose reverse appear the data of third parties relating to proceedings in which the respondent acted as a lawyer. Using such documents while they carry third-party data on the back makes those data accessible to third parties without the consent of the data subjects. The complaint is accompanied by copies of two sheets summoning the tenants of the property, one dated 20/08/2018 and the other 13/02/2019. On the back of both documents the names and surnames of several people can be read, one of whom is a minor.

SECOND: Upon receipt of the complaint, the Sub-Directorate-General for Data Inspection carried out the following actions: on 30 May and 9 July 2019 the complaint was forwarded to the respondent for analysis and so that the respondent could inform the complainant of the decision taken in that regard. The respondent did not reply to any of the requests made by the Spanish Data Protection Agency, which were returned by the postal service as undelivered.

THIRD: On 13 January 2020 the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent for the alleged infringement of Article 32 GDPR, classified under Article 83(4) GDPR.

FOURTH: Once notified of the above agreement to initiate this sanctioning procedure, the respondent was granted a hearing period of ten working days to submit allegations and to present any evidence deemed appropriate, in accordance with Articles 73 and 76 of Law 39/2015 on the Common Administrative Procedure of Public Administrations.

FIFTH: In the absence of any allegations or evidence within the given time limit, the present decision is issued taking into account the following:

PROVEN FACTS

FIRST: Reuse of documents bearing personal data; specifically, the respondent used, on two occasions, to summon the tenants of a property, a sheet on whose reverse appear third-party data relating to proceedings in which the respondent participated as a lawyer. Using such documents to summon the tenants of a property, when they carry third-party data on the back, makes those data accessible to third parties without the consent of the data subjects.

SECOND: The AEPD notified the respondent of the agreement to initiate the present sanctioning procedure, but the respondent did not submit any allegations or evidence contradicting the facts complained of.

GROUNDS OF LAW

I. By virtue of the powers that Article 58(2) GDPR grants to each supervisory authority, and in accordance with Articles 47 and 48(1) LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II. Article 6(1) GDPR sets out the conditions under which the processing of personal data is lawful. Article 32 GDPR provides:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."

III. The known facts, namely the reuse of documents on whose reverse appear third-party data relating to proceedings in which the respondent acted as a lawyer, thereby allowing access to third-party data without the consent of those third parties, constitute an infringement attributable to the respondent of Article 32 GDPR, transcribed in point II, which requires that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".

IV. Article 58(2) GDPR provides: "Each supervisory authority shall have all of the following corrective powers: (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; (d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, measures referred to in this paragraph, depending on the circumstances of each individual case."

Article 83(4) GDPR provides that "infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10,000,000 or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (b) the obligations of the certification body pursuant to Articles 42 and 43; (c) the obligations of the monitoring body pursuant to Article 41(4)."

It is also considered that the penalty to be imposed should be graduated in accordance with the following criteria set out in Article 83(2) GDPR. As aggravating factors:
• The conduct was negligent rather than intentional, but it concerned data that clearly permit the identification of a person (Article 83(2)(b) GDPR).
• Basic personal identifiers are affected (Article 83(2)(g) GDPR).

Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been established, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: To impose on B.B.B., with NIF ***NIF.1, for an infringement of Article 32 GDPR, classified under Article 83(4) GDPR, a fine of EUR 2,000 (two thousand euros).

SECOND: To notify B.B.B. of this resolution.

THIRD: To inform the sanctioned party that the fine imposed must be paid once this resolution becomes enforceable, in accordance with Article 98(1)(b) of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period set out in Article 68 of the General Collection Regulation, approved by Royal Decree 939/2005 of 29 July, in relation to Article 62 of Law 58/2003 of 17 December. If the notification is received between the 1st and 15th of the month, both inclusive, the voluntary payment period runs until the 20th of the following month or the next working day; if it is received between the 16th and the last day of the month, both inclusive, the payment period runs until the 5th of the second following month or the next working day.

In accordance with Article 50 LOPDGDD, this resolution shall be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with Article 48(6) LOPDGDD, and pursuant to Article 123 LPACAP, interested parties may optionally lodge an appeal for reconsideration with the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly lodge a contentious-administrative appeal before the Contentious-Administrative Chamber of the Audiencia Nacional, pursuant to Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July regulating the contentious-administrative jurisdiction, within two months from the day following notification of this act.

Finally, it is noted that, in accordance with Article 90(3)(a) LPACAP, the final decision in administrative proceedings may be provisionally suspended if the interested party states the intention to lodge a contentious-administrative appeal. If so, the interested party must formally communicate this to the Spanish Data Protection Agency by submitting a written statement through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/] or through one of the other registers provided for in Article 16(4) of Law 39/2015 of 1 October, and must also send the Agency the documentation attesting to the effective filing of the contentious-administrative appeal. If the Agency has no knowledge of the lodging of the contentious-administrative appeal within two months from the day following notification of this resolution, the provisional suspension shall end.

Mar España Martí
Director of the Spanish Data Protection Agency