AEPD (Spain) - PS/00422/2018: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 15: Line 15:
[[Article 58 GDPR#2|Article 58(2) GDPR]]
[[Article 58 GDPR#2|Article 58(2) GDPR]]
[[Category:Article 58(2) GDPR]]
[[Category:Article 58(2) GDPR]]
[[Article 2 GDPR]][[Category:Article 2 GDPR]]
[[Article 2 GDPR#r15|Recital 15 GDPR]]
Articles 47 and 48(1) of the [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf LOPDGDD]
|-
|-
|Type:||Complaint
|Type:||Complaint
|-
|-
|Outcome:||Rejected
|Outcome:||Dismissed
|-
|-
|Decided:||n/a
|Decided:||n/a
Line 27: Line 33:
|Fine:||None
|Fine:||None
|-
|-
|Parties:||Sant Miquel d'Olèrdola Town Council v. SHANA REVOLUTION SHOPS and PROYECTO DISEÑO Y FABRICACIONCLUSTER S.L.
|Parties:||Sant Miquel d'Olèrdola Town Council v.  
 
SHANA REVOLUTION SHOPS and  
 
PROYECTO DISEÑO Y FABRICACIONCLUSTER S.L.
|-
|-
|National Case Number:||PS/00006/2019
|National Case Number:||PS/00422/2018
|-
|-
|European Case Law Identifier
|European Case Law Identifier:||n/a
|n/a
|-
|-
|Appeal:||n/a
|Appeal:||n/a
Line 39: Line 48:
Spanish
Spanish
|-
|-
|Original Source:||[https://www.aepd.es/es/documento/ps-00006-2019.pdf AEPD (in ES)]
|Original Source:||[https://www.aepd.es/es/documento/ps-00422-2018.pdf AEPD (in ES)]
|}  
|}  


The AEPD confirmed that a webpage's privacy policy lack of precision violated the GDPR.  
The AEPD rejected company's responsibility for depositing on the public highway documents which contain personal data. According to the decision, the fact that a company merely threw or deposited such documents on the highway does not render the company responsible for the documents in terms of security according to the GDPR.  


==English Summary==
==English Summary==


===Facts===
===Facts===
A citizen submitted a complaint before the AEPD stating that privacy policy of www.banderacatalana.cat did not comply with the GDPR. GRUP BC S.L. was the controller of the page. Especially, the complainant stated that the privacy policy did not include precise information regarding the specific purposes of the processing of personal data, the consent and the child’s consent as a legal basis of the processing.
The complaint followed a discovery by Agents of the Local Police of the City Council of Sant Miquel d' Olèrdola of documents containing personal data on the public highway.
 
The complainant argued that the company SHANA REVOLUTION SHOPS was responsible to maintain security of these documents or otherwise to delete them. They alleged violation of [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] and asked for a EUR 15,000 fine to be imposed.  


===Dispute===
===Dispute===
Does the lack of specific information regarding the purposes of processing, the consent and the child’s consent as a legal basis of the processing within a privacy policy, contravene Articles 13(1), 6(1)(a) and 8 GDPR?


===Holding===
===Holding===
The AEPD found that GRUP BC S.L violated Article 13(1), 6(1)(a) and 8 GDPR.
The AEPD found that it could not be proved which entity collected these documents and which was responsible for deleting the personal data. The AEPD highlighted that a basic principle of the GDPR is that personal data should be processed in a secure manner with technical and organisational means and measures laid down in advance, depending on the data processed and the risks involved. This includes taking measures and protocols to ensure that information in tangible formats, when discarded, is discarded by means that ensure the confidentiality of the data. However, it noted that the fact that an entity throws or deposits documents containing personal data on the public highway does not make it responsible for them in terms of security under the GDPR. Thus, it dismissed the allegations against both defendants since there was no concrete evidence against them.  


==Comment==
==Comment==
''Share your comments here!''
''Share your comments here!''



Revision as of 15:33, 20 February 2020

AEPD - PS/00422/2018
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR

Article 58(2) GDPR

Article 2 GDPR

Recital 15 GDPR

Articles 47 and 48(1) of the LOPDGDD

Type: Complaint
Outcome: Dismissed
Decided: n/a
Published: n/a
Fine: None
Parties: Sant Miquel d'Olèrdola Town Council v.

SHANA REVOLUTION SHOPS and

PROYECTO DISEÑO Y FABRICACIONCLUSTER S.L.

National Case Number: PS/00422/2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

The AEPD rejected company's responsibility for depositing on the public highway documents which contain personal data. According to the decision, the fact that a company merely threw or deposited such documents on the highway does not render the company responsible for the documents in terms of security according to the GDPR.

English Summary

Facts

The complaint followed a discovery by Agents of the Local Police of the City Council of Sant Miquel d' Olèrdola of documents containing personal data on the public highway.

The complainant argued that the company SHANA REVOLUTION SHOPS was responsible to maintain security of these documents or otherwise to delete them. They alleged violation of Article 5(1)(f) GDPR and asked for a EUR 15,000 fine to be imposed.

Dispute

Holding

The AEPD found that it could not be proved which entity collected these documents and which was responsible for deleting the personal data. The AEPD highlighted that a basic principle of the GDPR is that personal data should be processed in a secure manner with technical and organisational means and measures laid down in advance, depending on the data processed and the risks involved. This includes taking measures and protocols to ensure that information in tangible formats, when discarded, is discarded by means that ensure the confidentiality of the data. However, it noted that the fact that an entity throws or deposits documents containing personal data on the public highway does not make it responsible for them in terms of security under the GDPR. Thus, it dismissed the allegations against both defendants since there was no concrete evidence against them.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

RESOLUTION OF PUNISHMENT PROCEDURE

The procedure instructed by the Spanish Data Protection Agency and based on the following 

FIRST: On 3/08/2018, the Catalan Data Protection Authority (AEPD) received a complaint from the Sant Miquel d'Olèrdola Town Council, as it considered this AEPD to be competent. On 27/07/2018 a complaint was received at the electronic headquarters of this authority from the Olèrdol Town Hall against "SHANA REVOLUTION SHOPS", due to an alleged breach of data protection legislation.  The case refers to actions by the Local Police on 12/06/2018 regarding the discovery of documents containing personal data on the public highway. El Clot de la Mojá, carrer Ull de llebre/ carrer Cabernet by the Local Police, which indicates that the patrol car observes that there are, among others, dumped boxes of office material and CVs. Photographs are provided of the enclave in which they were found, and it can be seen that various objects are scattered on the ground, next to some containers. 2) Police inspection report of the same day, number ***NUMBER.2 hour 10, in which the agents go to c/ Cabernet 22 in Olèrdola, company CLUSTER SL observing that there is diverse material like the one found abandoned in carrer Ull de Llebre and they are interviewed with the one that declares to be the Administrator of the company in the statement of demonstrations of 12/06/2018, number ***NUMBER.3,   that 'on occasions they dismantle shops and remove antique furniture', 'this furniture is taken to their premises' 'which are then placed in the selective container at the address of Ull de Llebre' 'according to the instructions of the collection personnel'.   The Administrator also recognises that "controlled dumping of hangers, cartons, labels, documents, invoices, cash receipts, office material, CVs, etc.", and that all the arrangements are made "in an orderly manner and with all the products in boxes". In the signature of the act of manifestation the stamp CLUSTER "project - design - manufacture - limited company" appears.3)A copy of the document from the Olèrdola Town Hall, "Agentes municipales "called "incidencia vía pública", abocament ("spillage") which is a summary, end time10:25, with NEWS and CHRONOLOGY in which it is stated that "while patrolling, a spillage is observed next to the containers-hangers, CVs, office material, bag of papers in an ocular inspection report" and that "the agents keep two boxes full of CVs with personal data", pending their count, estimate in about 300." "Apparently they are from a store called "SHANA REVOLUTIONS SHOPS". The agents patrol on foot in the vicinity and at number 22 of Cabernet, they collect material such as that found in the container and fill out a police report, enter the ship and "At first a worker comes out in a loquacious attitude who says he is a responsible worker on shift, and the patrol meets with him, making the report" ***NUMBER.4, which "recognizes that the dumped boxes are the property of his company" and the agent requests the administrator of the activity, presenting a man who claims to be "the owner of the activity" and the patrol interviews him and takes the minutes ***NUMBER.3  "

SECOND: In view of the facts of the complaint and the documents provided, the following information is requested: 1..Report on the causes that have motivated the incident that has originated the re-claim.3.Report on the measures adopted to avoid that incidents occur if-millions.4.Any other that it considers relevant is transferred to :-B66490624 SHANA RETAIL S.L., social object according to the Mercantile Registry "the commercialization, manufacture, import, export and sale to the wholesale and detail of raw materials, textiles, intermediate products, textile products in general, and especially clothing, etc.". The first shipment, sent by the electronic system with expired result, by not opening the mailbox within ten days from shipment. The second, delivered on 30/10/2018 and again sent and delivered on 7/11/2018. The request for information will not be answered. -B66390105 PROYECTO DISEÑO Y FABRICACION CLUSTER SL corporate purpose according to the Commercial Register "carrying out, on its own account or on behalf of others, all kinds of interior design and works for the installation of commercial premises and housing, including the execution of masonry, carpentry, etc.", registered office c Cabernet 20, was returned on the two occasions it was sent, the first by the electronic system denotification, the second, 30/10/2018 by unknown. 

THIRD: On 4/06/2019 you can access GOOGLE and search for SHANA RETAIL, reading in some page that is in ordinary contest of creditors, so you access the page of public registry of bankruptcy, obtaining and incorporating:-a declaration of bankruptcy procedure 804/2017 of 20/10/2017, in which it appoints as sole administrator of the professional society "FOREST PARTNERS, ES-TRADA Y ASOCIADOS, S.L.P."On 7/06/2019, it was agreed by the Director of the AEPD:-To initiate disciplinary proceedings against SHANA RETAIL S.L. for alleged infringement of Article 5.1 f) of the GDPR, in accordance with Article 83.5.a) of the GDPR- Initiate sanctioning procedure against PROYECTO DISEÑO Y FABRICACIONCLUSTER SL. for alleged infringement of Article 5.1 f) of the GDPR, in accordance with Article 83.5.a) of the GDPR. A penalty of 15,000 euros was proposed to each entity, without prejudice to what may arise from the processing of the procedure, considering: "In the present case, although the entities involved do not have the processing of data as a habitual task in the performance of their functions, these are curricula for the selection of personnel with identifying data that may add academic and/or professional aspects, and some three hundred have been recovered.The fact that the documents are found next to common containers on the public highway means that there are no measures in place for the destruction of supports containing personal data, in addition to a lack of diligence in the handling and custody of the documents."

FIFTH: In the notification of the start agreement to the Bankruptcy Administrator of SHANARETAIL, it is stated by the Support Service of the Electronic Notifications and Qualified Electronic Address Service, which certifies that on 21/06/2019 "the notification was sent: Date made available: 10/06/2019 09:26:10, Date of automatic rejection: 21/06/2019 00:00:00", and that the automatic rejection occurs, in general, after ten calendar days have elapsed since it was made available for access in accordance with Article 43(2) of Law 39/2015 of 1/10 of the Common Administrative Procedure for Public Administrations. And in particular, once the period established by the Administration acting in accordance with the specific legal regulations that are applicable has elapsed", the effect of having been notified that these entities are obliged to do so, according to the LPCAP, article 14. 2. a).

SIXTH: In the notification of the agreement to start the insolvency proceedings to the Administrator of PROYECTO DISEÑO Y FABRICACION CLUSTER SL -, the same circumstance occurred, as it was carried out by the Support Service of the Electronic Notifications Service and Qualified Electronic Address, which certifies that on 21/06/2019, the notification was sent with: Date made available: 10/06/2019 09:26:18Date of automatic rejection: 21/06/2019 00:00:00 "

SEVENTH: No allegations were received regarding the agreement to begin. 
On 19/12/2019 the period of evidence began, with those from the complaint being considered as incorporated. Furthermore, it was decided to ask the Local Police of Ol èrdola to provide information or to contribute:1) A copy of 10 or 15 curriculums vitae (CV), not similar or as different as possible from those found on the public streets by local police officers. It was noted that none of them included a company stamp or any other element that would allow for a list of the entity that could collect them.  The data contained in the CVs are a photograph, address and telephone number, academic studies and work experience. As for the dating of the CVs, some dates can be seen in the writing, for example 12/01/1989, but the majority are not dated, with some studies or professional experiences referring to years such as 2011, 2015, October-November2015, and one of 2016 as the chronological points closest to the present, which can approximately affect their delivery dates.2)In relation to these CVs, why do they indicate in the summary section, or NEWS-CRONO-LOGY, that "According to the indications it seems to be a store called SHANA REVOLU-TIONS SHOP", when in none of the previous minutes do they mention such a store, and what would those indications be? Also, the relationship that may exist between the inspected ship in which the conversation with its Administrator took place (CLUSTER SL in C/ Cabernet 22) and said store, and if they know the physical location of the store and who its owner is. This question is not specifically answered.3)If any/all resumes were shown to the Administrator of the company CLUSTER and if he recognized or manifested something about them or in relation to them. This question is not specifically answered.4)Send the inspection report number ***NUMBER.4/2018 which states that it corresponds to a conversation with an employee of CLUSTER SL. A copy of the report of 12/06/2018 hour 9.55 is provided, which contains the name and details of the person, with the reason for affiliation, "abocament", place of identification cCabernet 22, without any explanatory text.In addition, they send some documentation that was already in the procedure, and that has not been requested, namely: a) minutes of 12/06/2018 at 10, in c Cabernet number ***NUMBER.3,   containing demonstrations already noted.b) Sheet called SERVICE of 12/06/2018, arrival 9.40 and which consists of the chronological report of the incident "Abocament" (spillage) in which its content has already been explained; "Que s'observa caixes de cartró, amb penja robes, alarms de roba desarma-des, material d'oficina, bosses de paper, factures i tancament de caixes, cartells publicit-taris i currículums Vitaes.   of 12/06/2018, of ocular inspection in the company CLUSTERSL, c Cabernet 22. Colour photos are contributed in which pieces of destroyed, chopped paper are seen.PROVEN FACTS1)Agents of the Local Police of the City Council of Sant Miquel d' Olèrdola, carried out actions on 12/06/2018 consisting of the finding in the public thoroughfare of documents containing data of a personal nature.  of 12/06/2018, at 9:40, in Olèrdola, Pol.   El Clot de laMojá, carrer Ull de llebre/ carrer Cabernet stating that there are boxes of office material, CVs, providing photographs of the place where they were found, seeing that, next to some containers, there are various objects scattered on the floor. 2) In the police inspection report of the same day, number ***NUMBER.2hora 10, the agents went to c/ Cabernet 22 in Olèrdola, company CLUSTER SL, observing that there was various material such as the one found abandoned in carrer Ull deLlebre, and filled out a police report.   The agents who were seen meeting with an employee in charge of the shift, and the patrol car met with him, and the report was drawn up" ***NUMBER.4, stating that the agents "recognise that the dumped boxes are the property of their company", although the report sent in as evidence does not contain this wording.     The agents met with the administrator, declaring the minutes of the demonstration of 12/06/2018, number ***NUMBER.3,that they usually "remove old furniture from shops and leave it in the selective container in the street, "according to the indications of the collection personnel", and that they "carry out controlled dumping of hangers, cartons, signs, documents, invoices, cash receipts, office material, and curricula vitae etc.", and that they carry out all of the provisions "in order and with all of the products in boxes". In the signature of the act of manifestation the stamp CLUSTER appears "project - design - manufacture - limited company". The CVs were found, according to the act, in cardboard boxes.3)In the document from the Olèrdola Town Hall, called "public incident", abocament (spillage) summary, end time 10:25, with NEWS and CHRONOLOGY, it is indicated that "while patrolling, a spillage was observed next to the container-hangers, CVs, office material, bag of papers in an ocular inspection report" and that "the agents kept two boxes full of CVs with personal data", pending their count, which is estimated at around 300."They affirm that "It seems that they are from a store called "SHANA REVOLUTIONS SHOPS", although the tests did not clarify the indication that the CVs are from this entity, since no it is accredited that they asked and did not show any CV to the Administrator, nor did they ask for an explanation of why an entity other than SHANA, has such documents.4)In the CVs provided by the complaining entity, there are personal data, ignoring the entity that could have collected them. These CVs could have been collected in different chronological periods, including some references to "work experience or studies" from October to November 2015, one without specifying the month, to 2016.5) It is not accredited that the claimant entity asked during the investigation and interview to the Administrator of CLUSTER SL on 12/06/2018, if the CVs found had been deposited in the point in which they were found by that entity, nor does it appear that they were shown to him.  6)It is not known which entity collected the CVs, the purpose of the same, and the destruction policy related to said material. 

LAW FUNDAMENTALS I By virtue of the powers that article 58.2 of the GDPR recognizes to each control authority, and according to what is established in articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.II Article 5.1 f) of the GDPR, establishes "1. Personal data shall be: f) "processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, through the application of appropriate technical or organisational measures ('integrity and confidentiality')". In this case, the data are on paper, (not automated) and can in principle be processed manually (recital 15 of the GDPR), considering Article 2 of the GDPR that "This Regulation applies to the processing of personal data, whether totally or partially automated, and to the processing of personal data contained or intended to be included in a file.A basic principle of the GDPR is that personal data should be processed in a secure manner with technical and organisational means and measures laid down in advance, depending on the data to be processed and the risks involved. This includes taking measures and protocols to ensure that information in tangible formats, such as the role of CVs, when discarded, is discarded by means that ensure the confidentiality of the data. Such obligations are attributable to the person responsible for the file or the processing, which usually coincide in the same entity. The GDPR defines in its article 4: 2) "processing": any operation or set of operations performed upon personal data or sets of personal data, whether by automatic or non-automatic means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, comparison or interconnection, limitation, erasure or destruction6) "file": any structured set of personal data, accessible according to specific criteria, whether centralized, decentralized or dispersed in a functional or geographical manner the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing. Where Union law or the law of the Member States determines the purposes and means of the processing, the controller or the specific criteria for his nomination may lay them down in Union law or in the law of the Member States any breach of security leading to the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or to their unauthorised disclosure or access.   The data controller, however, is the subject to whom decisions on the specific activities of a given data processing, i.e. on a specific application, can be attributed.   This would cover all those cases in which the power of decision must be differentiated from the material performance of the activity that makes up the processing.   The entity responsible for the file or processing must, when a medium is to be discarded, adopt the necessary measures to prevent any subsequent recovery of the stored information. This can be done by the entity itself, or by hiring a third party as the processor, who would be responsible for the task of deleting the documents.   If she uses the latter, she must sign a contract to have the documents processed. The security measures must be implemented effectively, and the correspondence between the documents that are destroyed and the verification that they have been destroyed must be verified. In this case, the person responsible for the offence would be the entity that collected the CV data, or it could, alternatively, if it is not the same entity, be the one that kept them and decided the purpose and th application of the same.   Usually it can be the same entity that collects the data and uses it for a purpose. However, in addition to this responsibility, it could fall to a processing manager, if it is decided to entrust this function to a third party. In this case, the practical implementation of the deletion of data is the responsibility of the said entity, in accordance with the provisions of a contract concluded for that purpose. In the present case, two entities have been charged with the same infringement at the beginning of the procedure. The charge of an infringement must be supported by evidence incriminating the action of its author.The statement in the police document "According to the opinion of a store called "SHANA REVOLUTIONS SHOPS" lacks evidential support, as there is no evidence in this sense.   It has not been proven that those that appeared in the boxes together with the containers had been deposited there by said entity, nor in its case the legal title in which it participated if that were the case. It should be borne in mind that although it was accredited that the said entity deposited the boxes with the CVs, it is not responsible for this for the purposes of data protection regulations, since in the first place it would be necessary to consider why the entity has the legal title to these documents, if there is some type of contract, and furthermore it would be necessary to find out who originally collected the CVs (the person responsible for the file-treatment). The fact that an entity throws or deposits documents containing personal data on the public highway does not make it responsible for them in terms of security. Therefore, in accordance with the legislation, the Director of the Spanish Agency of Protection of Data RESOLVES:FIRST: TO DECLARE the FILING of the infraction of the article 5.1.f) of the GDPR against PROJECT, DESIGN AND MANUFACTURE CLUSTER SL, considering that her responsibility for the infraction has not been accredited, in accordance with article 90.1 of Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations (LPACAP).SECOND: DECLARE the ARCHIVE of the infringement of Article 5.1 (f) of the GDPR against SHANA RETAIL S.L.,  considering that its responsibility for the infringement has not been accredited, in accordance with article 90.1 of the LPACAP.THIRD: TO NOTIFY the present resolution to PROYECTO, DISEÑO Y FABRICACIONCLUSTER SL and to FOREST PARTNERS, ESTRADA Y ASOCIADOS, S.L.P. representing SHANA RETAIL S.L.FOURTH: In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, optionally, an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly an administrative appeal before the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.Finally, in accordance with the provisions of article 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal.   If this is not the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also send to the Agency the documentation that accredits the effective filing of the contentious-administrative appeal. If the Agency were to become aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it would terminate the precautionary suspension.