Municipality sanctioned for not having a DPD

First sanction to a City Council for failure to appoint a DPD

Having a Data Protection Officer (hereinafter DPD) may be mandatory or voluntary, depending on the entity in question, in accordance with the provisions of article 37 of the GDPR and article 34 of the LOPDGDD.

As is well known, the DPD is a natural or legal person, appointed by the data controller and the data processor, who must have specialized knowledge of the law and practice of data protection. The DPD acts as interlocutor between the data controller and the AEPD and has inspection and recommendation functions, without being subject to the sanctioning regime, in accordance with articles 35 and 36.1 LOPDGDD.

Inquiries

At our Valencia headquarters we have received several queries related to the obligation to appoint a DPD, as well as to the candidate's profile and functions.

In view of these doubts, it is important to point out that last June the Spanish Data Protection Agency imposed (Sanctioning Procedure Resolution No. PS/00001/2020) a sanction on a City Council in the Autonomous Community of Andalusia, following a complaint filed by a citizen who alleged that the municipal council did not have the figure of the DPD, despite being obliged to by the data protection regulations.

Mandatory appointment of a DPD

Article 37 of the GDPR makes the appointment of a DPD mandatory for the controller and the processor in the following cases:

a) the processing is carried out by a public authority or body, except for courts acting in their judicial function;

b) the main activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic observation of data subjects on a large scale; or

c) the main activities of the controller or processor consist of large-scale processing of special categories of personal data pursuant to Article 9 and of data relating to criminal convictions and offences referred to in Article 10.

The LOPDGDD is much more specific on this point: Article 34.1 states that the appointment is mandatory for the following entities:

a) Professional associations and their general councils.

b) Educational centers offering education at any of the levels established in the legislation regulating the right to education, as well as public and private universities.

c) Entities operating electronic communications networks and providing electronic communications services in accordance with the provisions of their specific legislation, when they routinely and systematically process personal data on a large scale.

d) Information society service providers when they prepare large-scale profiles of service users.

e) The entities included in Article 1 of Law 10/2014, of June 26, on the regulation, supervision and solvency of credit institutions.

f) Financial credit institutions.

g) Insurance and reinsurance companies.

h) Investment services companies, regulated by the Securities Market legislation.

i) Distributors and marketers of electric energy and distributors and marketers of natural gas.

j) The entities responsible for common files for the evaluation of solvency and creditworthiness or common files for the management and prevention of fraud, including those responsible for the files regulated by the legislation for the prevention of money laundering and the financing of terrorism.

k) Entities that carry out advertising and commercial prospecting activities, including commercial and market research, when they carry out processing based on the preferences of data subjects or perform activities that involve profiling them.

l) Health centers legally obliged to keep patients’ medical records.

Exceptions are health professionals who, although legally obliged to keep patients’ medical records, carry out their activity on an individual basis.

m) Entities that have as one of their objects the issuance of commercial reports that may refer to natural persons.

n) Operators that develop the gaming activity through electronic, computerized, telematic and interactive channels, in accordance with the gaming regulation regulations.

ñ) Private security companies.

o) Sports federations when processing data of minors.

Apart from these legal cases in which it is mandatory to appoint a DPD, the LOPDGDD also provides for voluntary appointment in Article 34, paragraph 2.

Notification to the AEPD of the appointment of the DPD

In all cases, both mandatory and voluntary, in which there is a designation and appointment of a DPD, the AEPD must be notified within a maximum period of 10 days.

Serious infringement and sanctioning procedure

Failure to comply with the obligation to designate a DPD when this is required by law is considered a serious infringement under Article 73 v) of the LOPDGDD.

Article 77.1 d) of the LOPDGDD establishes the penalty regime when those responsible for or in charge of the processing are the General State Administration, the Administrations of the Autonomous Communities and the entities comprising the Local Administration.

The penalties linked to serious breaches are set out in Article 83.4 a) of the GDPR, under which the administrative fine may be up to EUR 10 000 000 when they relate to breaches of the obligations of the controller and the processor set out in Articles 8, 11, 25 to 39, 42 and 43.

The case of the Huércal City Council (Almería)

For the first time, the AEPD has sanctioned a City Council for not having a DPD.

The supervisory authority received a complaint from a citizen stating that the City Council did not have the figure of the DPD, despite being an entity obliged by law, since it is a public authority/body that processes personal data of citizens, including data relating to users of social services and to groups in a state of vulnerability or at risk of exclusion.

The Agency carried out the corresponding investigations and concluded that, on the date on which the facts occurred and the complaint was filed, the GDPR was already in force and its compliance could therefore be demanded; consequently, the City Council was obliged to appoint a DPD and to notify that appointment to the supervisory authority within 10 days, which it had not yet done.

Under these circumstances, in June of this year the Agency decided to sanction the municipal council with a warning, applying Article 83.4 a) of the GDPR, and required it to appoint a DPD, whose appointment must be notified within one month of notification of the resolution.

If you have any doubts about whether or not it is mandatory to have a DPD in your organization, or would like to know the benefits of having one, Business Adapter can help.

Business Adapter Legal Department

Contact us, we will be pleased to help you.