The Spanish Data Protection Authority (AEPD) publishes its Annual Report summarizing last year’s activities including enforcement cases
The AEPD underlines that its activity through 2020 has been marked by the work carried out to guarantee health care measures, control of the pandemic and the fundamental right to data protection, as well as by the adoption of organizational decisions to maintain the internal level of activity in the circumstances required by COVID-19, so that the system of guarantees for citizens set out in the personal data protection regulations could not be affected.
The DPA has continued to respond to the challenge of assuming the effects that the General Data Protection Regulation (RGPD) has for the development of data protection policies. The work of the AEPD in the EDPB has increased and so has the number of cross-border procedures.
AEPD issued a total of 393 enforcement procedure decisions (16% more than the previous year), although of them only in 172 cases a sanction was imposed. The most frequent areas in enforcement procedures are video surveillance (24%), internet services (19%), Public Administrations (10%) and telecommunications (7%). The most punished sectors with a fine are financial institutions / creditors (5.045.000 euros) and telecommunications (1.009.000 euros). Both account for 76% of the global amount of penalties, which in 2020 amounted to 8.018.800 euros, an increase in amount of 27% compared to 2019. Note that a few months later, in early 2021, major sanctions amounting to 6 and 8,1 Mio euros were imposed to financial institutions and telecoms respectively.
A few of the rest of figures pointed out by the AEPD are the following:
- 10.324 claims have been filed, a figure that rises to 11,215 including cross-border cases, cases in which the Agency acts on its own initiative and security breaches.
- The rate of claims resolved versus claims received has increased by 5% compared to the previous year, a remarkable figure considering the pandemic situation, clearly showing that such circumstances have not diminished the operational capacity of the authority.
- The complaints most frequently raised by citizens in 2020 refer to internet services (16%), improper usage of delinquency files (15%), video surveillance (12%), advertising (except spam) (7%) and debt claim (6%).
- 2.157 claims have been resolved as a result of having obtained, after their communication to the data controller, a satisfactory response from the data controller ore the data processor.
The number of cooperation procedures in which the participation of the DPA has been requested by other European data protection authorities is noteworthy. In general, they have increased by 15% (1.210 cases) compared to 2019.Draft decisions in which another European data protection authority has requested the DPA's participation have increased by 114% and requests for assistance by 123%.
Regarding the judgments of the National Court ( Audiencia Nacional) relapsed in the appeals filed against resolutions of the DPA, of the 77 judgments handed down in 2020, 56 (73%) were dismissed or inadmissible. On the other hand, the Supreme Court ( Tribunal Supremo) has issued 18 judgments, with a percentage favorable to the AEPD of 95%.
As far as notifications of personal data breaches are concerned, these are initially received by the Division of Technological Innovation (DIT), which carries out a first analysis. The DIT has received and analyzed 1.370 notifications of data breaches in 2020, of which only 6% (81) have been referred to the Inspection Division (i.e. requiring an in-depth investigation). Moreover, the tool Comunica Brecha was launched in order to help data controllers in their decision to communicate the security breach to the data subjects.
Almost 1.400 questions have been raised with the DPA's “Youth Channel”. The most frequently asked queries have been related to the processing of personal data of the students for the exercise of the educational function, largely associated with the situation caused by the pandemic.
Finally, a lot of attention has been put on the a tool called “Priority Channel”, whose objective is urgent handling in the event of illegitimate dissemination on the Internet of sensitive content, a relevant project that was consolidated during last year. The involvement of the AEPD has achieved, in a very short time, the withdrawal of photographs and videos of sexual or violent content disseminated through the internet without the consent of the data subjects, often belonging to vulnerable groups. A total of 358 requests have been received through the Priority Channel, of which 174 have entered through the channel for minors. After their analysis, 49 of these requests have been processed as urgent because they are within the objectives pursued by this Channel. Of the 49, 29 urgent withdrawals of the content have been requested from service providers, achieving the withdrawal in more than 86% of the cases.
Article provided by: Belén Arribas (Belén Arribas Sánchez Abogada, Spain)
Dr. Tobias Höllwarth (Managing Director INPLP)