The Sociological Research Center (CIS) violated the General Data Protection Regulation (RGPD) in contracting the ‘Special opinion barometer April 2020. Coronavirus Covid-19’, a tender that was carried out by emergency procedure (due to the pandemic situation), with a budget of 74,000 euros, and which was awarded to the market research company Intercampo. This is stated in a resolution dated January 21 of the Spanish Data Protection Agency (AEPD), to which Information has had access, in which the body attached to the Ministry of the Presidency is reprimanded (a warning sanction), although it avoids a fine that could have reached ten million euros, precisely because it is considered a public entity.
The winning company, which carried out the survey by calling telephone numbers at random, temporarily stored personal identification data (telephone number and first name of the interviewee), sociodemographic data (postal code, age and sex of the interviewee), research data (the answers to the questions posed) and the audio generated. The pollster sent the CIS the anonymized personal data (absolute deletion), as contemplated by the regulations, which give six months to eliminate them, and, as it highlighted, the purpose of processing the first name data “was exclusively to favor a cordial and comfortable relationship between the interviewer and the interviewee.”
The formula of the interview, similar to the one the CIS usually uses, was: “Good morning/afternoon. I am ———— from (name of the company). We are conducting a survey for the Sociological Research Center on topics of general interest, by teleworking. For this reason we request your collaboration and we thank you in advance. This phone has been randomly selected using random methods. We guarantee the absolute anonymity and secrecy of your answers in the strictest compliance with the laws on statistical secrecy and personal data protection.”
The department chaired by José Félix Tezanos, due to the pandemic situation and the impossibility of carrying out by itself, in the absence of technical means, a special study with 3,000 interviews, chose to outsource it, requesting four proposals. The CIS selected the offer that it considered most advantageous, taking into account, among other reasons, the adherence of the company that had submitted it to the Code of Conduct for the Processing of Personal Data, as recognized by the body. The contracting was carried out by emergency procedure, which allows verbal contracting, and the contract was formalized on May 11, 2020.
However, according to the AEPD, the contract formalization document did not contain the mandatory stipulations required by Article 28.3 of the RGPD, nor were any documents provided that were binding on the processor with respect to the controller and that contained them. For its part, the CIS alleges that it understood that, in this exceptional situation, as it had no obligation even to formalize a written contract, it did not have the obligation to introduce the data protection clauses that usually appear in all Administrative Clauses Sheets (PCAP), “since such specifications are not even made”.
The director of the Spanish Data Protection Agency, Mar España Martí, warns that Article 28 of the RGPD does not provide for any exception to the obligation to formalize in writing the contract or legal act that binds the processor with respect to the controller. In addition, she warns that the fact that no specifications sheet was drawn up is no excuse, because that did not prevent the stipulations required by the Regulation from being included in any other document, provided that it was binding, and that in no case is this a mere error of form, as the CIS repeatedly alleges.
The resolution, which puts an end to the administrative procedure and leaves the door open for the CIS to file an appeal before the Contentious-Administrative Chamber of the National Court, emphasizes that the Data Protection Law considers it a serious infraction “to entrust data processing to a third party without the prior formalization of a contract or other written legal act with the content required by Article 28.3 of Regulation (EU) 2016/679.” Said infringement is sanctioned with administrative fines of a maximum of ten million euros or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global turnover of the previous financial year, opting for the highest amount. In spite of everything, the AEPD limits its ‘punishment’ to a sanction of warning, since according to the Regulation, each Member State can establish rules on whether it is possible, and to what extent, to impose administrative fines on authorities and public bodies established in the country.
The Data Protection Law provides in its Article 77 for a special sanctioning regime for administrations and public bodies: in the case of committing serious infractions, “the competent data protection authority will issue a resolution sanctioning them with a warning… Notwithstanding that the data protection authority will also propose the initiation of disciplinary actions when there are sufficient indications for it. In this case, the procedure and the sanctions to be applied will be those established in the legislation on the disciplinary or sanctioning regime that is applicable”.