AEPD (Spain) - EXP202102430

From GDPRhub
Revision as of 13:22, 3 October 2023 by Mgrd
AEPD - PS/00565/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32 GDPR
Article 58(2)(d) GDPR
Article 83(4) GDPR
Type: Complaint
Outcome: Upheld
Started: 14.09.2021
Decided: 07.09.2023
Published: 07.09.2023
Fine: n/a
Parties: AGRUPACION DE LOS CUERPOS DE LA ADMINISTRACION DE INSTITUCIONES PENITENCIARIAS
ASOCIACIÓN DE TRABAJADORES PENITENCIARIOS TU ABANDONO ME PUEDE MATAR
ASOCIACIÓN PROFESIONAL DE FUNCIONARIOS DE PRISIONES
SECRETARÍA GENERAL DE INSTITUCIONES PENITENCIARIAS
National Case Number/Name: PS/00565/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA issued a warning to the Spanish General Secretariat of Penitentiary Institutions over the leak of images captured by the video surveillance system of the penitentiary center of Villena (Alicante), in which the aggression of some officials against a prisoner can be seen, in violation of Article 32 GDPR.

English Summary

Facts

On 14, 19 and 21 September 2021, three penitentiary associations lodged complaints against the Secretaría General de Instituciones Penitenciarias (the Spanish General Secretariat of Penitentiary Institutions - SGIP) over a leak of images captured by the video surveillance system of the penitentiary center of Villena (Alicante), in which the aggression of some officials against a prisoner can be seen.

According to the complaint, the images only prompted an internal investigation to determine possible disciplinary responsibilities, although the press reported on the events and disseminated the video.

Holding

The Spanish DPA considered that there was a lack of access profiles, since any inspector could access the recorded images, and it had not been specified whether or not they are authorized to do so, whether a specific system has to be set up, or whether access to the images is open to all inspectors.

Also, according to the documentation in the file, there was a lack of traceability, as it had not been shown that there are records (logs) of the users who may have accessed the system.

In addition, it was not possible to determine at what point in time or by which person the images were accessed, but it was clear that the SGIP did not have appropriate measures in place to ensure a level of security appropriate to the risk, in violation of Article 32 GDPR.

The Spanish DPA issued a warning to the Spanish General Secretariat of Penitentiary Institutions over the leak of images captured by the video surveillance system of the penitentiary center of Villena (Alicante), in which the aggression of some officials against a prisoner can be seen, in violation of Article 32 GDPR.

It also ordered the SGIP to demonstrate, within a period of 6 months, that it has adopted the necessary measures to keep records of access to personal data, and to grant profiles to civil servants so that each one can only access the information that is necessary for the performance of their duties.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.









     File No.: EXP202102430


               RESOLUTION OF SANCTIONING PROCEDURE


From the procedure conducted by the Spanish Data Protection Agency and based
on the following

                                  BACKGROUND

FIRST: AGRUPACION DE LOS CUERPOS DE LA ADMINISTRACION DE INSTITUCIONES
PENITENCIARIAS (ACAIP) (hereinafter, claimant party 1), ASOCIACIÓN DE
TRABAJADORES PENITENCIARIOS TU ABANDONO ME PUEDE MATAR (hereinafter, claimant
party 2), and ASOCIACIÓN PROFESIONAL DE FUNCIONARIOS DE PRISIONES (hereinafter,
claimant party 3), on 09/14/2021, 09/19/2021 and 09/21/2021 respectively, filed
a claim with the Spanish Data Protection Agency. The claim is directed against
GENERAL SECRETARIAT OF PENITENTIARY INSTITUTIONS with NIF S2813060G
(hereinafter, SGIP). The reasons on which the claim is based are the following:

They denounce the leak of some images captured by the video surveillance system
of the Villena penitentiary center (Alicante), in which the aggression of some
officials against a prisoner can be seen. According to what they state, the
images apparently only prompted a confidential internal investigation to
determine possible disciplinary responsibilities, although the press has
reported on the events and broadcast the video.

Along with the claim, links are provided to the news items that report the
facts and in which the video with the images can be viewed.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December,
on the Protection of Personal Data and guarantee of digital rights
(hereinafter, LOPDGDD), said claim was transferred to the SGIP so that it could
analyze it and inform this Agency, within a period of one month, of the actions
carried out to comply with the requirements provided for in the data protection
regulations.

The transfer, which was carried out in accordance with the rules established in
Law 39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (hereinafter, LPACAP), was received on 10/06/2021, as stated in
the acknowledgment of receipt that appears in the file.

THIRD: On December 14, 2021, in accordance with article 65 of the LOPDGDD, the
claims presented by the claimant parties were admitted for processing.


FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
preliminary investigative actions to clarify the facts in question, by virtue
of the functions assigned to the supervisory authorities in article 57.1 and
the powers granted in article 58.1 of Regulation (EU)

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12








2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:


Date on which the claimed events took place: September 9, 2021

The background information contained in the information systems is as follows:


After the claim was transferred to the claimed party on October 6, 2021, this
Agency received, on November 5, 2021, a written response from the General
Subdirectorate of Analysis and Inspection of the SGID stating that:


(…)

On December 14, 2021 and January 4, 2022, the claimant parties were informed of
the admission for processing.

On January 17, 2022, the Spanish Data Protection Agency agreed to carry out
these investigative actions in relation to the facts claimed.

ENTITIES INVESTIGATED


During these actions, the following entities have been investigated:

GENERAL SECRETARIAT OF PENITENTIARY INSTITUTIONS with NIF
S2813060G with address at C/ ALCALA, 38 - 40 - 28014 MADRID (MADRID)


RESULT OF THE INVESTIGATIVE ACTIONS

An information request was made to the claimed party on February 9, 2022.
A response was received on February 19 from the General Subdirectorate of
Institutional Relations and Territorial Coordination, which states, with
respect to what was requested:

1. Purpose of the processing related to the leaked recordings and applicable
regulations: Organic Law 3/2018 and/or Organic Law 7/2021, as well as the rest
of the details of the record of processing activities for said processing.

“in accordance with art. 32 of LO 7/21, of May 26, on the protection of
personal data processed for the purposes of prevention, detection,
investigation and prosecution of criminal offenses and execution of criminal
sanctions, which:

- The purpose of the video surveillance processing in penitentiary
establishments is the recording of the images obtained by the different video
surveillance systems installed to control access and traffic in penitentiary
centers.

- The applicable regulation and its legitimizing basis is art. 11 of LO 7/21,
of May 26, on the protection of personal data processed for the purposes of
prevention, detection, investigation and prosecution of criminal offenses and
execution of criminal sanctions.









- The categories of data processed consist of images of vehicles and of the
people who enter and remain in penitentiary establishments.

- Communication of the data is foreseen to the State Security Forces and Corps,
the Ombudsman, the Public Prosecutor's Office and the Courts in the exercise of
the functions assigned to them, with no international transfer being
contemplated.

- The controller is the General Director of Criminal Enforcement and Social
Reintegration of the General Secretariat of Penitentiary Institutions,
C/Alcalá, 38-40, 28014, Madrid, with the directors of each center being the
delegated controllers for the establishment where the recording occurs.

Attached is a report from the General Subdirectorate of Analysis and
Inspection, competent in the matter.”

This report provides the following information:

(…)



CONCLUSIONS
Previous Information 2021/122 was opened for the investigation of the events
that occurred on 8/16/21 at the Center and was sent to the Penitentiary
Surveillance Court and the Duty Court of Villena.

Due to the subsequent dissemination of the images of this incident, an
investigation was launched, opening Previous Information 131/2021 to determine
the responsibility and circumstances surrounding the dissemination of the
images, with the consequent breach of the principle of confidentiality and
secrecy that governs the duty of conduct of public office.

Regarding the determination of authorship in the dissemination of the images,
it has not been possible to establish it, nor where the breach of the principle
of confidentiality in their processing occurred.

The respondent claims that its processing of the images is covered by art. 11
of Organic Law 7/2021 and Instructions 5/2006 and 6/2007 on communication and
clarification of serious regimental facts, and by the duty to notify the
judicial authorities in accordance with the provisions of article 262 of the
Criminal Procedure Law.


It provides information about the CCTV system, covered by two instructions:
    - Instruction 3/2015 on video surveillance in penitentiary establishments,
        of May 18, 2015, which was in force on the date of the events claimed
        and of the claim; and

    - Instruction 4/2022, of July 28, 2022, which regulates the processing of
        personal data obtained by recording images and sounds through the
        existing video surveillance systems in the different penitentiary
        establishments, together with the Guide for the preparation of the
        recording, storage and image processing protocol obtained through the
        video surveillance systems of penitentiary establishments, of July 28,
        2022, in development of Instruction No. 4/2022.

That is, the 2022 instruction and its action protocol, which detail the
security and access measures, post-date the events claimed and the claim; the
instruction takes effect 15 days after its receipt in the centers, and the
Board of Directors was given a period of 3 months to adapt the procedures.



The 1st instruction refers to the LOPD/RLOPD and these last two documents
refer to Organic Law 3/2018, Organic Law 7/2021 and the Regulation
(EU) 2016/679.


Provides the status of the judicial procedure as of June: Previous Procedures
2021/450 Court of 1st Instance and Instruction No. 1 of Villena.

FOURTH: On November 29, 2022, the Director of the Spanish Agency
of Data Protection agreed to initiate sanctioning proceedings against the claimed party,

for the alleged violation of Article 32 of the RGPD, typified in Article 83.4 of the
GDPR.

Once the initiation agreement was notified, the SGIP presented a written
statement of allegations in which, in summary, it stated:

-The SGIP alleges that any decision adopted in the disciplinary field must
be governed by the principle of presumption of innocence.

-The SGIP alleges that, in addition to the Penitentiary Administration
(Alicante Penitentiary Center I and General Subdirectorate of Analysis and
Inspection) having known the images, there were two judicial bodies to which,
by legal imperative, the aforementioned images were sent (Duty Investigating
Court and Penitentiary Surveillance Court), and that it cannot be held
responsible for the use and treatment those bodies gave them.

-The SGIP alleges that the need for the access profile to be broad has its
origin in the very organization and work needs of the General Subdirectorate of
Analysis and Inspection, and that, in relation to the lack of traceability, it
is possible to know which person accesses which images - that is, access to the
shared folder leaves a trace -, and that the impossibility of identification to
which reference had been made was that of the specific person who made the
images in question public.

FIFTH: On 05/05/2023, the procedure instructor agreed to take the following
evidence:

       “It is also requested that the following documentation related to the
       Previous Information procedure 2021/122 be sent, with detail and
       documentary accreditation of:

              a) Users who had access to the system.

              b) Roles assigned to each of them, functions and access
              permissions granted.

              c) Existing procedures for user management (detailing the
              registration, deregistration, identification, authentication and
              logical access control processes).

              d) Analysis of the records of the users who had access to the
              system (logs).”

On 05/23/2023, a written response was received in compliance with the evidence
requested.


SIXTH: On June 8, 2023, a proposed resolution was formulated, proposing:

That the Director of the Spanish Data Protection Agency impose on GENERAL
SECRETARIAT OF PENITENTIARY INSTITUTIONS, with NIF S2813060G, for a violation
of Article 32 of the RGPD, typified in Article 83.4 of the GDPR, a sanction of
warning.

Once the proposed resolution has been notified, the SGIP presents a new document in which
states:


“In the Reference File, what was contributed throughout the
procedure, remaining available for the implementation of those measures
technical and organizational to the extent that it is budgetarily possible”


In view of all the actions carried out, the Spanish Data Protection Agency
considers the following to be proven facts in this procedure:

                                PROVEN FACTS

FIRST: According to the documentation in the file, there is a lack of profiles,
since any inspector could access the recorded images, without it having been
specified whether or not they are authorized to do so, whether any specific
system has to be enabled, or whether access to the images is open to all
inspectors, since the response to the requested evidence has not clarified this
aspect.

SECOND: According to the documentation in the file, there is a lack of
traceability, since it has not been proven that there are records of the users
who may have accessed the system.



                           FOUNDATIONS OF LAW

                                           I










In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants to each
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1
of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the
provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict
them, on a subsidiary basis, by the general rules on administrative
procedures."



                                           II

In response to the allegations presented by the claimed entity, the following
should be noted:


-The SGIP alleges that any decision adopted in the disciplinary field must
be governed by the principle of presumption of innocence.

       In this regard, this Agency expresses its total and absolute agreement,
       indicating that all sanctioning procedures are carried out as
       established in articles 64 and following of the LOPDGDD, scrupulously
       respecting the established legislation.

       The presumption of innocence, a fundamental right of citizens according
       to art. 24.2 of the Constitution and art. 6.2 of the European Convention
       on Human Rights, is expressly included in our regulations for
       administrative sanctioning procedures in art. 53.2.b) of Law 39/15,
       under which, among the rights of the interested party in the
       administrative sanctioning procedure, there is the right

               "To the presumption of non-existence of administrative
               responsibility until proven otherwise."

       As established by STS 04/28/2016 (RC 677/2014): "it can be said that the
       right to the presumption of innocence, which applies without exception
       in the field of administrative sanctioning procedure, according to
       Constitutional Court ruling 66/2007, of March 27, means that "no
       sanction may be imposed that is not based on prior lawful evidentiary
       activity", and also implies the recognition of the right to a due
       administrative sanctioning procedure with all guarantees, that respects
       the principle of contradiction and in which the alleged responsible
       party has the opportunity to defend its own positions, prohibiting the
       initiation of disciplinary proceedings when the absence of rational
       indications that a crime has been committed is unequivocally
       appreciable or manifest










       infringing conduct, or in which illegality or illegality is absent
       culpability"


-The SGIP alleges that, in addition to the Penitentiary Administration
(Alicante Penitentiary Center I and General Subdirectorate of Analysis and
Inspection) having known the images, there were two judicial bodies to which,
by legal imperative, the aforementioned images were sent (Duty Investigating
Court and Penitentiary Surveillance Court), and that it cannot be held
responsible for the use and treatment those bodies gave them.

       In this regard, this Agency indicates that, in this specific
       sanctioning procedure, no infringement is being charged for the leak of
       images in itself, but for lacking the technical and organizational
       measures that are appropriate to guarantee a level of security
       appropriate to the risk of the processing, in the terms required by
       article 32.1 of the RGPD.

-The SGIP alleges that the need for the access profile to be broad has its
origin in the very organization and work needs of the General Subdirectorate of
Analysis and Inspection, and that, in relation to the lack of traceability, it
is possible to know which person accesses which images - that is, access to the
shared folder leaves a trace -, and that the impossibility of identification to
which reference had been made was that of the specific person who made the
images in question public.

       In this regard, this Agency refers to the Report issued by the
       General Subdirectorate of Analysis and Inspection, recorded in the file,
       point 2 of which is quoted verbatim (the underlining is the AEPD's):

               “Once the images are brought to the attention of the Inspection
               Unit they were treated, in compliance with their functions of
               investigation legally established by the Guard Inspection, the
               Instructor of Previous Information 2021/122, and where they
               could also the rest of the Inspectors of the Unit, without being
               able to prove such an extreme”

       It does not refer, therefore, as claimed in the allegations, to the
       impossibility of determining the specific person who made the images
       public, but to the fact that it has not even been possible to prove
       which people accessed the subsequently leaked images.

       It should also be noted that, when this Agency requested information
       about the records of the users who had access to the system (logs), the
       response was limited to stating: “The file server logs are saved
       for a specific time, without being able to have access at this time to
       the logs of those dates.”




                                           III

Article 32 “Security of processing” of the GDPR establishes:

"1. Taking into account the state of the art, the costs of implementation, and
the nature, scope, context and purposes of the processing, as well as the risks
of varying likelihood and severity for the rights and freedoms of natural
persons, the controller and the processor shall implement appropriate technical
and organizational measures to guarantee a level of security appropriate to the
risk, which, where applicable, includes, among others:
       a) pseudonymization and encryption of personal data;
       b) the ability to guarantee the ongoing confidentiality, integrity,
       availability and resilience of processing systems and services;
       c) the ability to restore availability and access to personal data
       quickly in the event of a physical or technical incident;
       d) a process of regular verification, evaluation and assessment of the
       effectiveness of the technical and organizational measures to guarantee
       the security of the processing.

2. When evaluating the adequacy of the security level, particular account shall
be taken of the risks presented by data processing, in particular as a
consequence of the accidental or unlawful destruction, loss or alteration of
personal data transmitted, stored or otherwise processed, or the unauthorized
communication of or access to said data.

3. Adherence to a code of conduct approved pursuant to Article 40 or to a
certification mechanism approved pursuant to Article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of
this article.

4. The controller and the processor shall take measures to ensure that any
person acting under the authority of the controller or the processor who has
access to personal data can only process said data following instructions from
the controller, unless obliged to do so by virtue of the law of the Union or of
the Member States."

In the present case, although it is true that it has not been possible to
determine when or by which body of those that had access to the images the leak
occurred, it is clear that the SGIP did not have the appropriate measures to
guarantee a level of security appropriate to the risk.

From the investigation carried out in this procedure, it is concluded that the
SGIP has failed to comply with the provisions of article 32 of the RGPD.


                                           IV

Article 83.4 of the GDPR, under the heading “General conditions for imposing
administrative fines”, provides:

“Infringements of the following provisions shall be sanctioned, in accordance
with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of an undertaking, an amount equivalent to a maximum of 2% of the
total worldwide annual turnover of the preceding financial year, whichever is
higher:

       a) the obligations of the controller and the processor pursuant to
       Articles 8, 11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes
that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of
Regulation (EU) 2016/679, as well as those that are contrary to this organic
law, constitute infringements.”

For the purposes of the limitation period, article 73 “Infringements considered
serious” of the LOPDGDD indicates:

“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
infringements that involve a substantial violation of the articles mentioned
therein are considered serious and will be time-barred after two years and, in
particular, the following:
       (…)
       f) The lack of adoption of those technical and organizational measures
       that are appropriate to guarantee a level of security appropriate to the
       risk of the processing, in the terms required by article 32.1 of
       Regulation (EU) 2016/679.
       (…)”


                                           V

Without prejudice to the provisions of article 83.5 of the RGPD, the
aforementioned article provides in its section 7 the following:

“7. Without prejudice to the corrective powers of the supervisory authorities
under Article 58(2), each Member State may lay down rules on whether and to
what extent administrative fines may be imposed on public authorities and
bodies established in that Member State.”

For its part, article 77 “Regime applicable to certain categories of
controllers or processors” of the LOPDGDD provides the following:

"1. The regime established in this article will apply to the processing for
which the following are controllers or processors:

       a) Constitutional bodies or bodies with constitutional relevance and the
       institutions of the autonomous communities analogous to them.
       b) The jurisdictional bodies.
       c) The General Administration of the State, the Administrations of the
       autonomous communities and the entities that make up the Local
       Administration.
       d) Public bodies and public law entities linked to or dependent on
       Public Administrations.
       e) Independent administrative authorities.
       f) The Bank of Spain.









       g) Public law corporations when the purposes of the processing are
       related to the exercise of public law powers.
       h) Public sector foundations.
       i) Public Universities.
       j) The consortia.
       k) The parliamentary groups of the Cortes Generales and the autonomous
       Legislative Assemblies, as well as the political groups of the Local
       Corporations.

2. When the controllers or processors listed in section 1 commit any of the
infringements referred to in articles 72 to 74 of this organic law, the
competent data protection authority will issue a resolution sanctioning them
with a warning. The resolution will also establish the measures that should be
adopted to stop the conduct or correct the effects of the infringement that has
been committed.

3. Without prejudice to what is established in the previous section, the data
protection authority will also propose the initiation of disciplinary actions
when there is sufficient evidence for this. In this case, the procedure and
sanctions to apply will be those established in the applicable legislation on
the disciplinary or sanctioning regime.
Likewise, when the infringements are attributable to authorities and managers,
and the existence of technical reports or recommendations for the processing
that had not been duly followed is proven, the resolution imposing the sanction
will include a reprimand naming the responsible position and will order
publication in the corresponding Official State or autonomous Gazette.

4. The resolutions issued in relation to the measures and actions referred to
in the previous sections must be communicated to the data protection authority.

5. The actions carried out and the resolutions issued under this article will
be communicated to the Ombudsman or, where appropriate, to the analogous
institutions of the autonomous communities. (…)”


                                           VI

In accordance with the provisions of article 58.2 d) of the RGPD, each
supervisory authority may “order the controller or processor to bring
processing operations into compliance with the provisions of this Regulation,
where appropriate, in a specified manner and within a specified period…”.

For all these reasons, the claimed party must proceed, within a period of 6
months from the receipt of this resolution, to adopt the necessary measures so
that records of access to personal data are kept, and also to grant profiles to
officials so that each one can only access the information that is necessary
for the performance of their functions.











It is warned that failure to comply with the order to adopt measures imposed by
this body in the sanctioning resolution may be considered an administrative
infringement in accordance with the provisions of the RGPD, classified as an
infringement in its article 83.5 and 83.6, and that such conduct may lead to
the opening of a subsequent administrative sanctioning procedure.


Therefore, in accordance with the applicable legislation and having assessed
the criteria for grading the sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on the GENERAL SECRETARIAT OF PENITENTIARY INSTITUTIONS, with NIF
S2813060G, for a violation of Article 32 of the RGPD, typified in Article 83.4
of the RGPD, a sanction of warning.

SECOND: ORDER the GENERAL SECRETARIAT OF PENITENTIARY INSTITUTIONS, with NIF
S2813060G, by virtue of article 58.2.d) of the RGPD, to prove, within a period
of 6 months, that it has adopted the necessary measures so that records of
access to personal data are kept, and also that it has granted profiles to
officials so that each one can only access the information that is necessary
for the performance of their functions.

THIRD: NOTIFY this resolution to the GENERAL SECRETARIAT OF PENITENTIARY
INSTITUTIONS.

FOURTH: COMMUNICATE this resolution to the Ombudsman,
in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in
accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions
of article 123 of the LPACAP, the interested parties may optionally file an
appeal for reconsideration before the Director of the Spanish Data Protection
Agency within a period of one month counting from the day following the
notification of this resolution, or directly file a contentious-administrative
appeal before the Contentious-administrative Chamber of the National Court, in
accordance with the provisions of article 25 and section 5 of the fourth
additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of
the aforementioned Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of
the LPACAP, the final resolution through administrative channels may be
provisionally suspended if the interested party expresses the intention to file
a contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact
in writing addressed to the Spanish Data Protection Agency, presenting it
through the Agency's Electronic Registry
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other
registries provided for in art. 16.4 of the cited Law 39/2015, of October 1.
The interested party must also transfer to the Agency the documentation that
proves the effective filing of the contentious-administrative appeal. If the
Agency is not made aware of the filing of the contentious-administrative appeal
within a period of two months from the day following the notification of this
resolution, it will terminate the precautionary suspension.

                                                                                      938-010623

Mar España Martí
Director of the Spanish Data Protection Agency


























































