AEPD - PS 00374/2018

From GDPRhub
AEPD - PS/00374/2018
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR

Article 5(1)(f) GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 3. 2.2020
Fine: None
Parties: Regional Government of Andalucía (Departement of Education) Vs. Anonymous
National Case Number: PS/00374/2018
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

3 February 2020, the Regional Government of Andalucía was subject to a reprimand for disclosing and publishing personal data of the candidates who participated in a selective concours for the incorporation of High School teachers. The data controller, in this case the public administration, breached Articles 5(1)(c) and 5(1)(f) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The AEPD examined a complaint submitted by an anonymous citizen against the Regional Government of Andalucía (Department of Education) for having made publicly available the condidates' personal data in the context of a concours for the incorporation of High School teachers. These publications contained the qualifications obtained by each one of the candidates while including their full name, surname and complete ID number. The listings were first published in the main building of the public administration (no reference has been made whether the access was restricted or not). Later, they were posted on the website of the Department of Education where any person could access the information simply by typing the ID numbers of the candidates. The access to the information seemed to be relatively easy since anyone with prior access to the physical listings would have the complete ID numbers of the candidates and thus, access to the detailed information displayed on the website.

The public administration claimed that in a such competitive concours process, public institutions must guarantee the principles of publicity and transparency, as acknowledged as a general principle and as provided for in the Spanish Constitution. Therefore, the processing of personal data cannot be used to override these general requirements that force the concours to be carried out in compliance with the minimum conditions of transparency and publicity. It concluded that it was not under the obligation to comply with the appropriate security measures, since the information is legitimate and its disclosure was necessary to fulfill higher values contained in the Spanish Constitution.

Dispute[edit | edit source]

Can public administrations, when dealing with a selective concours process to incorporate public servants, publicly display personal data of the candidates for the sake of transparency and publicity? If yes, are they obliged to still comply with the requirements of data minimisation and confidentiality?

Holding[edit | edit source]

The AEPD holds that there has been a breach of article 5(1)(c) GDPR:

-         In no way can the general principles of transparency and publicity justify the openly and publicly exhibition of full identification of listings of the candidates by the public administration. Even when these principles are essential in a selective concours process, public administrations still have to comply with the principle of data minimisation. This requires that public administrations should find a way to minimise the data according to the principles of necessity and proportionality, e.g., the complete ID numbers of the candidates should not be fully displayed nor accessible to the public.

The AEPD holds that there has also been a breach of article 5(1)(f) GDPR:

-         The information does not appear secure if the ID number of a candidate is imposed as a criterion to access the data on the website, when they have been previously published in paper. It is perfectly possible to consult by any third parties, as the ID number data is a weak means of access, considering also that the public administration has been publishing it in different places. Therefore, the ID number criteria does not offer any security since it’s a personal data that can be easily known.

The AEPD decided to issue a reprimand to the Regional Government of Andalucía (Department of Education) for breaching articles 5(1)(c) and 5(1)(f) of the GDPR. No fines were imposed.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure No.: PS/00402/2019



DECISION ON DISCIPLINARY PROCEEDINGS

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND


FIRST: D. A.A.A. (hereinafter, the claimant) on 14 June 2019 filed a complaint with the Spanish Data Protection Agency. The claim is directed against IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL with NIF A85850394 (hereinafter the claimed party). The reasons on which the complaint is based are that having been a customer with an Iberia loyalty card (Iberia Plus), you applied for cancellation of the loyalty programme and of your personal data with that company.

Subsequently, you received written confirmation of the cancellation and deletion of your data. However, he continued to receive emails. In view of these facts, he filed a complaint with this Agency in August 2018, from which the sanctioning procedure PS/00370/2018 was derived.

This being the case, he has again received emails from the requested party at the same email address in which it is clear that this company has not cancelled its data and is still listed as being linked to the Iberia Plus loyalty programme.

The following documentation, among others, is provided

-	Copy of the e-mail received in your mailbox. It informs you that you can authenticate in your personal Iberia Plus space not only with your Iberia Plus number, but also with your email and password.

SECOND: In view of the facts set forth in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the investigative powers granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD).

As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one who has been requested.

The following points are also noted:


As a result of the consultation made to the application of the AEPD that manages previous sanctions and warnings on data protection, that IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL with NIF A85850394, it is recorded that on August 1, 2018, another claim was filed with the Spanish Data Protection Agency against the claimed party, in which the claimant stated that he continued to receive commercial communications from IBERIA after this entity confirmed him, On October 20, 2017, the cancellation of your personal data in response to your request, dated October 3, 2017, to cancel the "Iberia Plus Loyalty Card" and to cancel your personal data. These facts led to the sanctioning procedure PS/00370/2018.

2.- The claimed party states in response to this complaint: "Despite the fact that the claimant was removed from the Iberia Plus program on 09/10/2017, due to a new change implemented at the corporate level to provide more security for access to the private area of customers on the web portal, a mass communication was sent out with the requirements for new access to accounts and the actions that each user had to carry out. However, at the time of the design of the "mailing" for the sending of communication, which is carried out manually, due to an unintentional error, the e-mail of this former member of the program was erroneously included".

They state that: "after the analysis of the case, they have created a new project to review the processes of cancellation of all commercial communications of the company, and they are going to incorporate exclusion lists and automate their application, to avoid possible human errors in the realization of the manual processes of preparation of distribution list. They are going to accompany it with a training process for the people in charge of selecting the target audience".

THIRD: On November 19, 2019, the Director of the AEPD agreed:

"INITIATE PENALTIY PROCEEDINGS against IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL, with NIF A85850394, for the presumed infringement of Article 6.1 of the RGPD typified in Article 83.5 a) of the aforementioned RGPD". opting for a penalty that could correspond to 20,000 euros (twenty thousand euros), being notified on 21 November 2019.

FOURTH: The following proven facts have emerged from the proceedings in these proceedings:

As a result of the consultation made to the application of the AEPD that manages previous sanctions and warnings on data protection, that IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL with NIF A85850394, it is recorded that on August 1, 2018 another claim was filed with the Spanish Data Protection Agency against the claimed party, in which the claimant stated that he continued to receive commercial communications from IBERIA after the said entity confirmed, on October 20, 2017, the cancellation of his personal data in response to his request, dated October 3, 2017, to be removed from la “Tarjeta de Fidelización Iberia Plus”	y de	cancellation of your personal data.

These facts led to the sanctioning procedure PS/00370/2018.

2.- The claimed party states in response to this complaint: "Despite the fact that the claimant was removed from the Iberia Plus program on 09/10/2017, due to a new change implemented at the corporate level to provide more security for access to the private area of customers on the web portal, a mass communication was sent out with the requirements for new access to accounts and the actions that each user had to carry out. However, at the time of the design of the "mailing" for the sending of communication, which is carried out manually, due to an unintentional error, the e-mail of this former member of the program was erroneously included".

They state that: "after the analysis of the case, they have created a new project to review the processes of cancellation of all commercial communications of the company, and they are going to incorporate exclusion lists and automate their application, to avoid possible human errors in the realization of the manual processes of preparation of distribution list. They are going to accompany it with a training process for the people in charge of selecting the target audience".

The respondent has not submitted any arguments to the agreement to initiate the present proceedings.



LEGAL FOUNDATIONS

I

By virtue of the powers that Article 58.2 of the RGPD grants to each supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
II

In the present case, from the complaint and documentation presented, it is noted that, the claimant has continued to receive e-mails from the complained party. As the latter acknowledges, in its reply to the transfer of the claim.

Consequently, given that in the case in question there is recidivism due to the commission of infringements of the same nature, given that the complainant continued to receive emails from the requested party, even after the resolution of the PS/00370/2018 sanctioning procedure was issued.

Therefore, the known facts constitute an infringement, attributable to the defendant, for violation of Article 6.1, of the RGPD, which states that: "in accordance with the provisions of Article 4.11 of Regulation (EU) 2016/679, consent of the affected party is understood as any free, specific, informed and unequivocal expression of will by which the affected party accepts, either by statement or clear affirmative action, the processing of personal data concerning you".

Article 72.1(b) of the LOPDGDD defines "very serious" as "the processing of personal data without meeting any of the conditions for the lawfulness of processing set out in Article 6 of the RGPD".

III

This infringement may be sanctioned with a fine of up to 20,000,000 euros or, in the case of a company, of up to 4 % of the total annual turnover of the previous financial year, whichever is greater, in accordance with Article 83.5 of the RGPD.

In accordance with the precepts indicated for the purposes of setting the amount of the penalty to be imposed in this case, it is considered that the penalty to be imposed should be graduated in accordance with the following criteria established in Article 83.2 of the RGPD:

As aggravating criteria:

-	Intentionality or negligence in the infringement (paragraph b).

-	For other previous infringements committed by the controller or processor (section e).

The balance of the circumstances referred to in Article 83.2 of the RGPD, with respect to the infringement committed by violating the provisions of Article 6 thereof, allows for a penalty of 20,000 euros (twenty thousand euros), classified as "very serious", for the purposes of prescription, in Article 72.1.b) of the LOPDGDD.

Therefore, in accordance with the applicable legislation and assessed the criteria for the graduation of the sanctions whose existence has been accredited,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL, with NIF A85850394, for an infringement of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine of

SECOND: TO NOTIFY this resolution to IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL.

THIRD : To warn the sanctioned party that he/she must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in article. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to article 62 of Law 58/2003, of 17 December, by means of its entry, indicating the tax identification number of the person sanctioned and the number of procedure that appears in the heading of this document, in the restricted account nº ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the CAIXABANK, S.A. Bank.

Once the notification has been received and once it has been executed, if the date of execution is between the 1st and 15th of each month, inclusive, the period for making the voluntary payment will be up to the 20th of the following month or the immediately following working month, and if it is between the 16th and last day of each month, inclusive, the period for payment will be up to the 5th of the second following month or the immediately following working month.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, optionally, an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly an administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Act.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It must also send to the Agency the documentation that proves the effective lodging of the contentious-administrative appeal. If the Agency is not informed of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present decision, it shall terminate the precautionary suspension.

Mar Spain Marti

Director of the Spanish Data Protection Agency