AEPD - PS/00425/2019
|AEPD - PS/00425/2019|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 5(2) GDPR
|National Case Number/Name:||PS/00425/2019|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish Data Protection Agency (AEPD) imposed a fine of 5,000 € on a Centre for Studies, Centro de Estudios Dirigidos Delta, S.L. (the data controller), for the infringement of the principle of integrity and confidentiality, as per Article 5(1)(f) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The decision is the consequence of a complaint submitted by a Civil Guard local office (the claimant) stating that the data controller had sent a Whatsapp message to a third party including personal data (name, surname, ID number) of three people (a mother and her children, probably underage) without their knowledge nor their consent. The complaint includes a copy of such message and a certification by the Civil Guard (although the mobile number of the sender is not identified).
The data controller did not answer to any AEPD investigation requests, so the AEPD started the corresponding sanction procedure.
Dispute[edit | edit source]
Holding[edit | edit source]
The AEPD found that the data controller has infringed not only the integrity and confidentiality principle, but also the accountability principle of Article 5(2) GDPR and, after considering some aggravating circumstances [(i) the data controller has performed a not intentional, but significantly negligent action; (ii) basic personal identification data have been affected (name, surname, domicile)], it decided to impose a fine of 30,000 € to the data controller.
Comment[edit | edit source]
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No: PS/00425/2019 RESOLUTION OF PENALTY PROCEEDINGS Procedure initiated by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST:The complainant dated 24 May 2019 lodged a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos) on. The complaint is directed against CENTRO DE ESTUDIES addressed DELTA, S.L., NIF E74345679 ( respondent). The grounds on which the complaint is based are that the respondent sent a document containing the personal details (names and ID card) of three persons (a mother and her two children; the ages are not known, but could be minors), without the knowledge and consent of those affected. In addition to the complaint, you provide a copy of the above-mentioned document and a record of due diligence in which the complainant certifies the terms and content of the conversation (although there is no identification of the telephone number from which the consignment is carried out). SECOND:Upon receipt of the complaint, the Subdirectorate-General for Data Inspection carried out the following actions: On 15 July 2019, it was transferred to the claim submitted for analysis and communication to the complainant of the decision taken on the matter. The respondent did not reply to any of the requests made by the Spanish Data Protection Agency, however, as delivered on 22 July 2019. THIRD: On 13 January 2020, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the respondent for the alleged breach of Article 5 (1) (f) of the GDPR, as set out in Article 83 (5) of the GDPR. FOURTH:On 23 January 2020, the abovementioned agreement was notified to initiate the procedure for the initiation of the present disciplinary proceedings, a hearing of TEN DAYS: DIZ DAYS to issue the comments and provide the evidence which it considers appropriate, in accordance with the provisions of Articles 73 and 76 of Law No 39/2015 on the Common Administrative Procedure of the Public Administrations. FIFTH:The Spanish Data Protection Agency transmits its notifications and electronic communications via the notification platform sent by the Spanish Data Protection Agency. oepd Notifications to the public register and authorised directorate of the Ministry of Finance and Public Administration. Having been sent the enclosed document in relation to file E/09358/2019 by means of the notification system, according to Articles 43.2 and 43.3 of the abovementioned LPACAP,the notification is deemed to have been rejected if ten calendar days have elapsed since the notification was made available and the content is not accessed, it being understood that the obligation to notify in making the notification available on the website or in the single empowered electronic address has been fulfilled. In the absence of any comments or evidence provided within the given deadline, this decision is issued on the basis of the following: FACTS FIRST: The respondent sent a document containing the personal details (names and ID card) of three persons (a mother and her two children, to a third party; the ages are not known, but could be minors), without the knowledge and consent of those affected. SECOND: On 15 July 2019, it was transferred to the claim submitted for analysis and communication to the complainant of the decision taken on the matter. The respondent did not reply to any of the requests made by the Spanish Data Protection Agency, however, as delivered on 22 July 2019. LEGAL BASIS I By virtue of the powers conferred on each supervisory authority by Article 58 (2) of the GDPR, and as set out in Articles 47 and 48.1 of the LOPDEAM, the Director of the Spanish Data Protection Agency is competent to resolve this procedure. II Article 6 (1) of the GDPR lays down the cases in which the processing of personal data may be considered lawful. For its part, Article 5 of the GDPR provides that personal data shall be: “(a) processed lawfully, fairly and transparently in respect of the data subject (“lawfulness, fairness and transparency”); b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); oepd c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”); d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); e) maintained in such a way as to permit identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods provided that they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), without prejudice to the application of the appropriate technical and organisational measures required by this Regulation in order to protect the rights and freedoms of the data subject (‘storage limitation’); f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). The controller shall be responsible for and able to demonstrate compliance with paragraph 1” (“accountability”).” — III — It is considered that the facts reported, i.e. send the respondent by WhatsApp to a third party a document containing the personal data (names, surname and ID card) of three persons without their consent, constitutes a violation of Article 5 (1) (f) of the GDPR, which governs the principles of personal data integrity and confidentiality, as well as the proactive responsibility of the controller to demonstrate compliance. IV Article 72 (1) (a) of the LOPD states that ‘ in accordance with the provisions of Article 83 (5) of Regulation (EU) 2016/679, infringements resulting in a substantial violation of the articles referred to therein shall be deemed to be very serious and shall be subject to a limitation period of three years. (a) processing of personal data in breach of the principles and guarantees set out in Article 5 of Regulation (EU) 2016/679; V Article 58 (2) GDPR reads: ‘Each supervisory authority shall have all of the following corrective powers: (b) to sanction any controller or processor with a warning when the processing operations have infringed the provisions of this Regulation; oepd (D) instruct the controller or processor that the processing operations comply with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each particular case; VI Such infringement may be penalised by a fine of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, in accordance with Article 83 (5) of the GDPR. It is also considered appropriate to graduate the penalty to be imposed in accordance with the following criteria laid down in Article 83 (2) GDPR: As aggravating factors: • In this case, negligent action is not intentional, but it is significant (Article 83 (¬2) (b)). • There are basic personal identifiers (name, surname, address), as referred to in Article 83 (2) (g). Therefore, in accordance with the applicable legislation and assessed the criteria for the gradation of sanctions whose existence has been established, the Director of the Spanish Data Protection Agency: FIRST: To impose a fine of EUR 5000 (EUR) in respect of an infringement of Article 5 (1) (f) of the GDPR under (74345679) (f) of the GDPR, as set out in Article 83 (5) (a) of the GDPR. SECOND: To notify this decision to CENTRO DE ESTUDIES addressed DELTA, S.L. THIRD:Communicate this decision to the Ombudsman, in accordance with Article 77 (5) of the LOPD. THIRD: The sanction imposed once the present judgment is enforceable once the present decision is enforceable, in accordance with Article 98.1 (b) of Law No 39/2015 of 1 October 2015 on the Common Administrative Procedure of the Public Administrations (hereinafter referred to as LPACAP), within the period for voluntary payment laid down in Article 68 of the General Tax Collection Regulation, approved by Royal Decree 939/2005 of 29 July, in conjunction with Article 62 of Law No 58/2003 of 17 December, in conjunction with the subject of the penalty and the procedure number set out in the heading of this document, on the restricted account No ES00 0000 0000 0000 0000 0000, opened in the name of the Agency. oepd Spanish Data Protection Officer at CAIXABANK, S.A. If this is not the case, it will be collected in the executive period. Once they have been notified and enforceable, if the date of enforceability is between 1 and 15 of each month inclusive, the period for voluntary payment shall be until the 20th day of the following month or immediately, and if there is a period between 16 and the last day of each month, both inclusive, the payment period shall be until 5 of the second following further calendar month or immediately thereafter. In accordance with the provisions of Article 50 of the LOPD, this Resolution shall be made public once it has been notified to the parties concerned. Against this resolution, which brings to an end the administrative path under Article 48.6 of the LPDATE, and in accordance with the provisions of Article 123 of the LPACAP, the persons concerned may lodge an appeal before the Director of the Spanish Data Protection Agency within one month from the day following notification of this decision or directly an administrative appeal before the Administrative Appeals Chamber of the National High Court, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998 governing the Administrative Court, within two months from the day following notification of this act, as provided for in Article 46 (1) of that Law. Finally, it should be noted that, in accordance with Article 90.3 (a) of the LPACAP, a decision on an administrative remedy may be suspended as a precautionary measure if the person concerned indicates his intention to bring an administrative appeal. If this is the case, the person concerned must formally notify this fact in writing to the Spanish Data Protection Agency, by submitting it via the Agency’s Electronic Register (https: //sedeagpd.gob.es/sede-electronica-web/)https://sedeagpd.gob.es/sede-electronica-web/, or by means of one of the other registers provided for in Article 16.4 of Law 39/2015 of 1 October. He shall also transfer to the Agency the documents attesting to the actual lodging of the appeal. If the Agency is not aware of the lodging of an administrative appeal within two months of the day following the notification of this decision, the Agency would terminate the provisional suspension. Martes España Martí Director of the Spanish Data Protection Agency