• The 2020 activity was characterized by the work carried out in order to guarantee health measures, the control of the pandemic and the fundamental right of personal data protection;
• During 2020 were carried out 29 emergency measures in order to remove sexual or violent contents shared on Internet associated to the Priority Channel, with a succeed percentage over than 86%;
• In 2020 were presented to the Agency a total amount of 10.324 claims;
• Claims which were arisen more frequently among citizens refer to internet services, improper insertion into the crime practices, video surveillance, reception of advertising and credits;
• The most frequent ambits of sanctionatory procedures are surveillance, internet services, public administrations and telecommunications;
• The most sanctioned sectors are financial/credits and telecommunications, which represent the 76% of the total amount of sanctions;
• The decision projects in which another European Data Protection Authority asked the participation to the Agency are increased of the 114% and the assistance request of the 123%;
• Times of resolutions and the development of sensibilization projects were the same of the last year, by revealing that the total implementation of the smart working has not reduced the ability of the Agency work.

The Spanish Data Protection Agency (AEPD) has published today its 2020 annual report, which recollects in a exhaustive way the activities carried out by this institution, data managed, the outstanding trends, decisions and procedures which are the most relevant of the year and an analysis of the present and future challenges.

The activity of the organization in 2020 has been characterized by the work carried out in order to guarantee the management of health measures, the control of the pandemic and the fundamental data protection right, as well as the adoption of organizational decision in order to keep he activity level under circumstances required by COVID-19, in order that the guarantee system for citizens established into the personal data protection legislation can not be influenced.

During 2020 it was consolidated the Priority Channel, which aims was an urgent attention in case of illegitimate diffusion of sensitive contents online. The intervention of the Agency permitted, in a short time, the pickup of photos and videos of sexual or violent content shared online without the consent of the data subjects, who frequently were vulnerable. In 2020 the Agency received 358 requests by the priority channel, of which 174 came by the child channel.

After the analysis, 49 of them were carried out like urgent because they were part of the main aims pursued by the Channel. This number has tripled compared to 2019, a year in which were received only 14 urgent requests.

Of 49 requests, 29 urgent withdrawal of contents were asked to services providers, by obtaining the withdrawal in the 86% of the cases. The other 20 cases had not required the content removal.

The Agency continued to support the challenge of assume all the effect that the General Data Protection Regulation (GDPR) has for the development of personal data protection policy. This came forward both in a significant increase of the Agency work inside the European Data Protection Board as in the number of cross-border procedures.

The annual report underlines as, currently, it is impossible to divide the inner activity from the European one, both related by a unique rule application. In 2020 were presented to the Agency 10.324 claims, a number which goes up to 11.215 if we include also the cross-border cases, in which the Agency acts under its own initiative and security breaches transferred to the inspection. In 2020 the percentage of solved claims compared to the claims received are increased of the 5% compared to the past year, a data which is very important keeping in mind the health emergency situation. From the other hand, the resolutions times and the development of sensibilization projects are in line with the 2019, by revealing that the implementation of the smartworking, already existent into the Agency, has not reduced the ability and the work of the Agency.

The most frequently arising claims by citizens in 2020 refer to Internet services (16%), the improper insertion into the crime practices (15%), video surveillance (12%), reception of advertising (except spam) (7%) and debs requests (6%).

Talking about claims it is important to make references to transferences, which is a procedure promoted by the LOPDGDD which aims to facilitate the fast resolution of the same no matter what inspection activity that the Agency can carried out. In 2020, the 77% of claims was solved after the transference. For this reason, 2.157 claims were solved for obtaining, after the transference, a satisfactory response by the data processors or the data controller.

In 2020 the Agency has issued 393 penalty resolution (the 16% more than the previous year), even if only 172 of them had also a penal sanction. The most frequent ambits of penalty procedures are the video surveillance (24), internet services (19%), public administrations (10%) and telecommunications (7%). Por su parte, los sectores más castigados con la multa son las instituciones financieras/acreedores (5.045.000 euros) y las telecomunicaciones (1.009.000 euros).

For their part, the sectors most punished with the fine are financial institutions/creditors (5,045,000 euros) and telecommunications (1,009,000 euros).

Both represent 76% of the total amount of sanctions, which in 2020 amounted to 8,018,800 euros, up 27% compared to 2019, when the amount of sanctions was down 52% compared to 2018.

On the other hand, the number of cooperation procedures in which the Agency’s involvement by other European Data Protection Authorities has been requested is noteworthy. Overall, they have increased by 15% (1,210 cases) compared to 2019. Draft decisions in which another European Data Protection Authority has requested the Agency’s participation have increased by 114% and requests for assistance by 123%. Thus, among other cases, the case of a security breach affecting the social network Twitter, in which the Agency acted as an interested authority, was dealt with under the cooperation procedure for cross-border processing, and the security failures of UK companies Marriot Hotels and Ticketmaster. It is also worth mentioning the first cross-border sanctioning procedure that has been decided as the leading authority of the AEPD regarding the treatments carried out by the company Miraclia. It should be noted that these procedures have a complex treatment and a longer duration than national procedures.

As regards the judgments of the National High Court on appeals against decisions of the Agency, out of the 77 judgments handed down in 2020, 56 (73%) were dismissed or declared inadmissible. For its part, the Supreme Court has handed down 18 judgements, with a 95% favorable to the Agency.

As for notifications of security breaches made to the Agency, these are initially received by the Division of Technological Innovation (DTI), which carries out a first analysis. The DTI has received and analyzed 1,370 notifications of security breaches in 2020, of which only 6% (81) have been referred to Inspection for in-depth investigation. In this sense, we should highlight the launch in 2020 of the Comunica Brecha tool to help those who process data in the decision to report the security failure to the people affected.

As regards the Data Protection Officer (DPO) figures notified to the Agency, 2020 was closed with 65,040 DPD (57,657 from the private sector and 7,383 from the public sector). As regards the Agency’s support services for the adaptation to the Regulation, almost 2,900 enquiries have been received via the INFORMA_RGPD channel, which in November 2020 was transformed into the DPO Channel to respond to queries raised by Data Protection Officers previously notified to the Agency, enhancing the figure created by the GDPR. The Agency highlights in its report the low number of DPOs in the Local Government, where only 3,334 municipalities, municipalities, local authorities and associated bodies have communicated their DPOs. Even assuming an increase of 25% compared to the same date of the previous year, this figure is still far from the total number of managers who make up the local administration in Spain and who must have a DPO.

Finally, almost 1,400 issues have been raised with the Agency’s Youth Channel. The most frequent queries raised have been related to the processing of students’ personal data for the exercise of the educational function, associated to a large extent with the situation caused by the pandemic. Thus, by having to develop the educational function in a new scenario, schools have used new applications for them, which has led to numerous consultations, both from families and from teachers and management teams. In this scenario, the Agency published frequently asked questions on the conduct of online classes and examinations using video call tools or educational platforms and their involvement in relation to data protection for both students and teachers. In addition, the AEPD published a document with the contact of the DPDs of the Education Councils of the Autonomous Communities, in order to facilitate stakeholders to ask the DPD for specific consultations on educational tools or protocols.

Social Responsibility and Sustainability Plan

The report includes an overview of the actions carried out during 2020 within its Social Responsibility and Sustainability Plan 2019-2024, a pioneering project in the Spanish Public Administration that includes more than 100 initiatives aligned with the SDGs of the 2030 Agenda. In this sense, the AEPD has already completed 65% of the actions planned for the five years. Among the social commitments adopted, the section on the promotion of gender equality to combat violence on the internet (Priority channel) and the actions carried out by the Agency in the field of education and minors stand out. Regarding the internal commitment to equality to achieve greater representation of women at the highest levels of the AEPD, it highlights that it has increased from 31% in 2019 to 38% in 2020.

On the other hand, at the internal level, the Agency’s telework programme should be highlighted, an initiative that started in 2017 to enhance reconciliation and retention of talent and that during 2020 has been crucial to address the health crisis, allowing 100% of the AEPD workforce to be fully operational by working remotely with identical productivity and efficiency ratios.

In the work carried out in 2020, the Digital Pact for the Protection of Persons also deserves special mention, an initiative developed throughout the year to promote privacy as an asset to be taken into account by organizations when designing their policies and strategies.

The Plan, presented in January 2021 with the support of 40 of the main business organizations, foundations, media associations and audiovisual groups, currently has almost 200 affiliated organizations.

The 2020 annual report:

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA SPAGNA – AEPD