AN - 578/2021
AN - 578/2021 | |
---|---|
Court: | AN (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(d) GDPR |
Decided: | 26.02.2021 |
Published: | |
Parties: | Canary Island Cars, S.L. |
National Case Number/Name: | 578/2021 |
European Case Law Identifier: | ECLI:ES:AN:2021:578 |
Appeal from: | AEPD (Spain) PS/00385/2018 |
Appeal to: | Unknown |
Original Language(s): | Spanish |
Original Source: | Consejo General del Poder Judicial (in Spanish) |
Initial Contributor: | Paola L. |
A car rental company filed an appeal with the Spanish National High Court against a Spanish DPA decision in which a fine of €25,000 was imposed for breaching the principle of accuracy. The Spanish National High Court dismissed the appeal and declared the decision in accordance with the law.
English Summary
Facts
In the appealed AEPD's decision, PS/00385/2018, two customers had the same name, what caused a failure when verifying customer details, what caused Canary Islands Cars, a rental car company, to incorrectly use the information of customer A to create a car rental contract for customer B, who then committed a traffic offence. Subsequently, the details of customer A were incorrectly passed on to the Directorate General for Traffic (DGT).
Once the DGT contacted the complainant, she/he realised that the contract that Canary Island Cars provided to the DGT for the purposes of issuing the fine was dissimilar to the one she/he had initially signed. Based on the mismatch of information, the complainant appealed the fine upon receiving it.
The AEPD noted the following in decision PS/00385/2018:
"Knowing that there may be different names and surnames, the defendant has elements to verify identity by the national ID number (DNI), number that matches that of the driving licence, customer number or printing of the copy of the contract, among others. Although these verifications are normally carried out by the employees, it should be noted that in this case they were not carried out. If any of the three elements had been verified, the defect could have been detected in its origin. In other words, the identification document must be required at the right time to make the procedure effective”.
The car rental company decided to appeal the case before the Spanish National High Court (Audiencia Nacional).
In their appeal to this resolution, Canary Islands Cars argued that the accuracy principle had not been breached because the associated name was correct. The car rental company alleged that this was a human error and a fortuitous event. It also argued that the sanction imposed was disproportionate.
Dispute
Was the resolution of the AEPD decided in error? Should the appeal of Canary Island Cars be granted?
Holding
When analysing the appellant's arguments, the National High Court (Audiencia Nacional) noted that "The mere coincidence of name and surname does not justify the creating of the car rental contract with the data of another person... especially when you have the person in front, to whom the car is handed over and several people or phases intervene: preparation of the contract, data collection and delivery-verification of the vehicle, delivery of a copy of the contract, payment, procedures in all of which must verify the identity of the contracting party and in this case no diligence is accredited".
The National High Court dismissed the appeal and declared that the resolution was in accordance with the law with express imposition of the payment of the procedural costs to the appellant.
Comment
This is one of the first cases of an Spanish Court dealing with the GDPR after it become applicable in 2018.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 JURISPRUDENCE Roj: SAN 578/2021 - ECLI: ES: AN: 2021: 578 Cendoj Id: 28079230012021100076 Organ: National Court. Contentious Chamber Headquarters: Madrid Section: 1 Date: 02/26/2021 Resource Number: 2202/2019 Resolution No.: Procedure: Ordinary procedure Speaker: FERNANDO DE MATEO MENENDEZ Type of Resolution: Sentence NATIONAL AUDIENCE Contentious-Administrative Chamber SECTION ONE No. Resource. 0002202 / 2019 Resource Type: ORDINARY PROCEDURE General Registration No.: 15970/2019 Applicant: CANARY ISLANDS CAR SL Attorney: JORGE DELEITO GARCIA Lawyer: ALVARO REQUEIJO PASCUA Defendant: SPANISH DATA PROTECTION AGENCY State Attorney Speaker IImo. Sr .: D. FERNANDO DE MATEO MENÉNDEZ JUDGMENT No.: IImo. Mr. President: D. EDUARDO MENÉNDEZ REXACH Ilmos. Messrs. Magistrates: Mrs. FELISA ATIENZA RODRIGUEZ Mrs. LOURDES SANZ CALVO D. FERNANDO DE MATEO MENÉNDEZ Mrs. NIEVES BUISAN GARCÍA Madrid, February twenty-six, two thousand twenty-one. Seen by the Chamber, made up of the Judges related to the margin, the writ of appeal contentious-administrative number 2,202 / 19, filed by the Attorney General Mr. Jorge Deleito García, on behalf of and on behalf of CANARY ISLANDS CAR, SL , against the resolution of 5 of September 2019 of the Director of the Spanish Agency for Data Protection, relapse in the procedure sanctioner PS / 00385/2018, for which a penalty of 25,000 euros is imposed for an infraction of art. 5.1.d) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, typified in art. 83.5 of the aforementioned Regulation. It has been part ADMINISTRATION OF THE STATE , represented by State Attorney. The amount of the appeal was set at 25,000 euros. 1 Page 2 JURISPRUDENCE FACTUAL BACKGROUND FIRST.- Once the appeal was admitted and after the appropriate procedural steps had been taken, a transfer was granted to the plaintiff so that, within twenty days, formalize the claim, which was carried out by means of brief presented on June 30, 2020 which, after presenting the facts and legal grounds that it considered opportune, ended up requesting that sentence be passed, "in which, considering this appeal, it is declared that the administrative action is not in accordance with the law, rendering it without effect and canceling the sanction imposed by its disagreement with the Law, condemning the defendant Administration to pay the costs of the present process " . SECOND .- Once the claim was formalized, it was transferred to the defendant for them to answer it. within twenty days, which he did by means of the pertinent brief, alleging the facts and grounds deemed pertinent, requesting the dismissal of the appeal, with express imposition of costs to the appellant. THIRD.- Once the claim was answered, the parties were granted ten days to formulate conclusions, and, once the corresponding writings were presented, the proceedings were concluded for sentencing, being designated for voting and ruling on February 23 of this year, the date on which it took place. BEING SPEAKER the Magistrate Ilmo. Mr. Don Fernando de Mateo Menéndez . RU NDAMENTS OF LAW FIRST.- The plaintiff challenges the resolution of September 5, 2019 of the Director of the Spanish Agency for Data Protection, relapse in the sanctioning procedure PS / 00385/2018, by the that a penalty of 25,000 euros is imposed for an infraction of art. 5.1.d) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter RGPD), typified in art. 83.5 of the cited Regulation. The proven facts on which the sanction is based are the following: "a) The data of the claimant were assigned to the DGT by the claimed vehicle rental company, for appearing in their information systems as the driver of the vehicle at the time of a traffic violation on 04/04/2018 at 1:47 PM. Provides the certified claimant from his company in which that day, between 8 and 15 hours he was working, paying its ordinary working day from 8 a.m. to 3 p.m. a) The claimant states that she received the complaint from the DGT, providing the bulletin that bears the date of 05/07/2018 stating your data. The claimant submitted a letter appealing to the DGT the sanction on 05/30/2018. b) The data of the claimant were delivered by the claimed to the traffic authorities on 05/03/2018 as driver of the vehicle at the time the offense occurred, stating the finished NIF 162 H, name and surname, address. c) The complained party provides a copy of their information systems in which another client appears with the same name and surname of the claimant, different: DNI, address and client number ending in 38, that of the Claimant ends in 92, claimant registration date 11/15/2017, of the other person 3/1/2016. d) The vehicle rental contract of the day that the traffic offense is caused 04/04/2018, figure completed with the data of the claimant, its client code ending in 92, in letterpress of computer, including a signature that does not resemble that of the claimant on the DNI whose copy was provided in your claim. The car was delivered by a CICAR employee. The contract is not dated. On the reverse side of the contract, the data processing, its purposes and headquarters are reported before which to exercise its rights in English and Spanish. e) The respondent manages the delivery of the vehicles and the contracting with a computer application that, Among other things, it collects data from the driver's license and DNI (normally the same as the DNI and the license of driving). The employee must indicate to begin the task of hiring and delivery of the vehicle, his username and password and collect the data if it is the first time, print the contract and verify them. The claimed states that it will insist on also verifying with the DNI, which coincides with the permit number of driving. f) The defendant provided a copy of the contract that the claimant used for the first time. It contains the same data as the one that motivates this claim, data printed in the document, NIF, date of birth, customer code ending in 092, vehicle delivery date 12/4/217 to 12/5/2017, and a handwritten signature that is two Page 3 JURISPRUDENCE dissimilar to that of the contract that gives rise to the fine. The copy provided does not include the date on which it was signed contract. g) The complainant paid the penalty imposed on the complainant on 07/12/2018 ". SECOND .- The plaintiff argues in the first place, the absence of typicity, since the principle of accuracy that is included in art. 5.1.d) RGPD, sanctioned by a fortuitous event in which a human error came together. The objective element of the type does not concur, because the behavior that is imputed: associate a name and surname to a specific vehicle is correct behavior. The associated name and surname They are right; They are the ones that correspond. The problem is that they are the same names and surnames that you have another different client. There has been an error, but not typical behavior. Acting, moreover, does not refer to a conduct developed with respect to the client, but rather refers to a response to a request for identification, where only the data provided by the applicant can be taken as a reference. The art. 5.1 d) of the RGPD, establishes: "The personal data will be: d) accurate and, if necessary, up-to-date; all reasonable measures will be taken so that personal data that are inaccurate with regarding the purposes for which they are processed ('accuracy'); " . In other words, the established obligation imposes the need for the personal data to be collected in any file are accurate and respond, at all times, to the current situation of those affected, being those responsible for the treatment who is responsible for the fulfillment of this obligation. For its part, art. 58.2.i) of the RGPD provides: "2. Each control authority will have all the following corrective powers listed below: 1. impose an administrative fine in accordance with article 83, in addition to or instead of the aforementioned measures in this section, according to the circumstances of each particular case; " . And, art. 83.5.a) of the RGPD, establishes: "Violations of the following provisions will be sanctioned, according to paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual global business volume for the year previous financial statement, opting for the one with the highest amount: a) the basic principles for the treatment, including the conditions for consent in accordance with the Articles 5, 6, 7 and 9; " . While art. 72.1.a) of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, states: "Violations considered very serious 1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, they are considered very serious and they will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in particular, the following: 4. The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679 ". Thus, the imputed fact consists of associating a name and surname and the address data with a specific vehicle, with which a traffic offense had been committed, and such data association of a personal nature was inaccurate, as the appellant himself acknowledges, since the person to whom he correspond to the given name and surname, she was not the driver of that vehicle. And, he used the claimant's data to draw up a vehicle rental contract, and gave rise to the identification as a driver of a vehicle incurring the infringement of inaccuracy of data in the treatment carried out, proving that said data was not true, true or truthful. Precisely, Completing the contract leads to wrongly identifying the cause of the infringement. To which we have to add, what is highlighted in the sanctioning resolution: "Knowing that There may be different names and surnames, the claimed has elements to discriminate by DNI, number that matches the driver's license, customer number or printout of the contract copy, among others, although these checks are carried out by the employees, it should be noted that in this case no carried out, if any of the three elements had been verified, the defect could have been detected in its origin. In other words, the identification document must be required at the right time to make it effective. to measure". And provide the inaccurate personal data of the complainant, derived from the contract, in a matter in the that it does not have any intervention and their rights are indirectly violated when that 3 Page 4 JURISPRUDENCE as responsible by the traffic authorities in an administrative file for said declaration of the stop actor. On the other hand, there is no record that the plaintiff had adopted the appropriate and effective measures that allowed him to unequivocally identify the client who entered into the contract, and thus, in the demand, it comes to recognize that "internal protocols have been modified by adding a new operating instruction to the company personnel in order to carry out an additional check not only of name and number of client but also by the DNI number, a number that cannot be duplicated between two citizens " . Therefore, the existence of the infringement attributed to the appellant must be appreciated. THIRD .- We proceed to analyze below, the question regarding the existence of guilt, invoked his absence by the plaintiff. It is said by the recurring company that in order for the responsibility provided by the legal system for the commission of an administrative offense, a double title of imputation: (i) the objective imputation, that is, that can be attributed from the point of view of the accusation material, and (ii) subjective imputation, that is, volitional attribution. It is not enough, then, with the pure devaluation of the result or with the objective injury of a protected legal asset, the devaluation of the the action for the fraudulent or culpable commission of the conduct. Simple non-compliance can be understood as referring to a norm, but the objective non-observance of the norm does not by itself justify the imposition of the sanction. Thus, it is known that liability may be incurred for the infraction that we are examining. both intentionally or maliciously or negligently (art. 28 of Law 40/2015, of October 1, on the Regime Public Sector Legal-). And it should now be recalled that, as the Supreme Court points out in the Sentence of January 23, 1998, "... although the guilt of the conduct must also be proven, it must be considered in order to the assumption of the corresponding load that ordinarily the volitional elements and cognitive factors necessary to appreciate it are part of the proven typical behavior, and that its exclusion requires that the absence of such elements be accredited, or in its normative aspect, that the diligence that was required by whoever claims its nonexistence; it is not enough, in short, for the exculpation in front of a typically unlawful behavior the invocation of the absence of guilt ". Well, none of the concurrent circumstances in the present case allows us to exclude this element. subjective of the offense. On the other hand, the plaintiff invokes two Judgments of this Section in which the existence of of the element of guilt. The first of them dated December 23, 2013 - appeal no. 341 / 2012-, which is It was an infringement of the duty of secrecy, by revealing to a third party the personal data that the company In its files, it dealt with that client who was the holder of said contract, who was not even the one who reported it, so the circumstances are different. And, secondly, the judgment invoked of September 13, 2019 - resource no. 150 / 2017-, dealt with the infringement for not having made the prior request before the inclusion of the personal data of the complainant in a file of patrimonial solvency, and the sanction when proving that the appellant carried out the necessary procedures to carry out the request prior to the inclusion of the data of the complainant, therefore, it is also about different circumstances. And, regarding the existence of administrative precedents, in which it was not sanctioned by the Spanish Agency of Data Protection, in addition to the fact that the concurrent circumstances are different from the present assumption, which is intended is to extend, in the field of public law, situations contrary to the legal system, Well, in the case that concerns us, as we have analyzed, it is possible to appreciate in the behavior of the plaintiff the infringement of art. art. 5.1.d) of the RGPD. Therefore, it is not possible to appreciate lack of guilt, having sufficient proof of charge to distort the presumption of innocence, for which the existence of guilt in the offense is appreciated. FOURTH .- Finally, the applicant company refers to the lack of proportionality and motivation quantification of the sanction. It is argued that the sanction imposed is disproportionate. The amount of the precise sanction that its determination is adequately reasoned by the administrative body attending to the damages caused, intentionality of the deceased, etc. However, in view of the resolution and considering similar or even more serious assumptions, it is not possible to know why it has finally been fixed said sanction in the indicated figure and not in another. In the sanctioning resolution, after taking into account the provisions of sections 1 and 2 of art. 83 of RGPD, to which art. 76 Organic Law 3/2018, of December 5, says: "Regarding the duration of the infringement is committed as soon as the data is reported, materializing at the time the claimed receives the report bulletin of 05/07/2018, when the defendant files her claim, on 05/30/2018, 4 Page 5 JURISPRUDENCE leaving the traffic fine in management waiting to clarify the identity of the driver, proceeding from then on the part of the claimed to collaborate with the traffic authorities until the payment of the sanction (83.2.a of the RGPD). The data affected are of a basic nature, in correspondence with those that usually appear in vehicle leasing contracts (83.2.g) data that are otherwise disclosed to a competent body. The fine was paid to the DGT for the one claimed on 07/12/2018. The claimant does not suffers economic damage, since the process began with the claimed to clarify the facts. To comply with the established legal obligation, extreme care must also be taken when process data, concurring a lack of diligence through an employee regarding the completion of the contract (article 83.2.b of the RGPD). The mere coincidence of name and surname does not justify the completion of the vehicle rental contract with the data of another person, the claimant, especially when you have to the person in front, to whom the vehicle is handed over and several people or phases intervene: preparation of the contract, data collection and delivery-verification of the vehicle, delivery of a copy of the contract, payment, procedures in All of which must verify the identity of the contracting party and in this case no diligence is accredited some, despite the existence of a procedure. The defendant does not explain well what could have happened despite the coincidence of name and surname, which cannot be used by itself, to understand why the events are happening. The infringement is not due to the lack of protocol for the treatment of the data, although they must be reinforced the same, and let employees know that they can lead to the commission of an offense if in their way If they act, they do not carry out the aforementioned verifications (83.2.d). The reinforcement that the respondent will remember in the hiring measures is positively valued (83.2.f) as a way so that infractions such as the one analyzed are not repeated, but it is also appreciated that the same it was already implemented. It cannot be considered as indicated in the initiation agreement that there is a lack of collaboration with the supervisory authority as it is proven that it sent reply briefs without the attached files, and in Allegations to the agreement, it was seen that the letter was dated 08/16/2018. This is nothing but a will to respond to the explanations of the AEPD, reflected in said letter without being related to "cooperation in order to remedy the infringement and mitigate the possible adverse effects ", since they had already solved and paid the fine, even before receiving the transfer of the complaint by the AEPD (07/20/2018). It should be emphasized that in the management database of the Subdirectorate General of Inspection there are no previous infractions on the part of the claimed party. Taking into account these circumstances, it is necessary a penalty of 25,000 euros ". The principle of proportionality of sanctions involves, according to the Court's case law Supreme Court, such as the Judgment of April 12, 2012 -recourse no. 5.149 / 2009-, among others, that must exist a proper adjustment between the seriousness of the act constituting the offense and the sanction applied, such as provides art. 29.3 of Law 40/2015, of October 1. Said principle cannot be exempted from judicial control, since the margin of appreciation granted to the Administration in the imposition of sanctions within the legally foreseen limits, must be developed weighing in any case, the concurrent circumstances, in order to achieve the necessary and due proportion between the imputed facts and the responsibility demanded, since any sanction must be determined in congruence with the entity of the offense committed and according to a criterion of proportionality in relation to with the circumstances of the fact. Thus, proportionality constitutes a normative principle that is imposes on the Administration and that reduces the scope of its sanctioning powers. Well, in accordance with the considerations set out about the proportionality existing between the sanction imposed and the seriousness of the sanctioned infraction taking into account the concurrent circumstances in the In this case, the Chamber considers that the sanctioning resolution has not infringed the principle of proportionality in determining the sanction imposed, which is weighted and proportionate to the seriousness of the offense committed and the nature of the facts, and duly motivated, without appreciating reasons that justify its reduction, especially taking into account the amount to which said sanction of in accordance with art. 83.5.a) of the RGDP. Consequently, this last ground of challenge must be rejected, and, therefore, the present appeal contentious-administrative. FIFTH .- In accordance with art. 139.1 of the Jurisdiction Law, it is appropriate to impose the procedural costs to the party actor. HAVING SEEN the cited articles, and others of general and pertinent application. 5 Page 6 JURISPRUDENCE WE FAILED: That dismissing the contentious-administrative appeal filed by the Attorney General Mr. Jorge Deleito García, on behalf of and on behalf of CANARY ISLANDS CAR, SL , against the resolution of 5 September 2019 of the Director of the Spanish Agency for Data Protection, relapse in the procedure sanctioner PS / 00385/2018, for which a penalty of 25,000 euros is imposed for an infraction of art. 5.1.d) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, typified in art. 83.5 of the aforementioned Regulation, we declare the aforementioned resolution in accordance with the law; with express imposition of the procedural costs to the plaintiff. This judgment is subject to a cassation appeal, which must be prepared before this Chamber in the within 30 days from the day following that of its non - fication; in the brief of preparation of the appeal Compliance with the requirements established in art. 89.2 of the Jurisdiction Law justifying the objective appeal interest it presents. Thus, by this our Judgment, we pronounce it, send it and sign it. PUBLICATION.- Given, read and published was the previous Judgment in Public Hearing. Attest. Madrid to THE LETTER OF THE ADMINISTRATION OF JUSTICE 6