WELCOME TO ATGROUP

Latest news

CONNECTED VEHICLE PLATFORM, DGT 3.0, THE APPLICATION OF THE DIRECCIÓN GENERAL DE TRÁFICO: A NEW DATA PROTECTION CHALLENGE?

THE ENTRY INTO FORCE NEXT 1 JULY OF REAL DECRETO 159/2021, OF 16 MARCH, WHICH REGULATES ASSISTANCE SERVICES ON PUBLIC ROADS, CONSOLIDATES THE TREND TOWARDS CONNECTED MOBILITY THAT THE DGT HAS PROMOTED SINCE ITS PROPOSAL FOR AN INTELLIGENT MOBILITY PLATFORM, DGT 3.0

It was recently reported in the press again (La Vanguardia, 26/05/2021) that the Dirección General de Tráfico (DGT) is at an advanced stage with a software application that will interconnect drivers with one another and with the road, and will notify them in real time of the incidents and developments they may encounter on their route.

The objective could not be more interesting: zero accidents, zero injuries and zero deaths by the famous year 2050.

Significant financial resources, amounting to more than three million euros, have been allocated to the development of this application, and prestigious companies and institutions have been involved in it. The various operators that have data or knowledge to contribute to improving mobility have also been taken into account, such as vehicle manufacturers, emergency coordination centres and road traffic control centres.

It escapes no one that the power and reach of this application run in parallel with the evolution of new technologies such as 4G and 5G and, above all, the so-called Internet of Things (IoT), where millions of devices connect in real time and interact in an automated way. The forecast is that once 5G has been rolled out, the DGT 3.0 platform will become fully operational.

Knowing the state of the road, whether there is an accident, a stretch of roadworks or a closure due to bad weather, is undoubtedly valuable information that drivers will surely appreciate and that will bring improvements in safety and a reduction in pollution, by optimising journeys and reducing tailbacks and incidents.

With the entry into force of RD 159/2021, of 16 May, which reforms the Reglamento General de Vehículos, a further step is taken in that direction. The regulation amends the Reglamento General de Vehículos and regulates the connection to the DGT cloud not only of vehicles involved in an incident on the road (luminous signals and interconnection under the V.16 protocol) but also of roadside assistance services. It creates an approval register for the operators of those services, who must be entered in the Registro Estatal de Auxilio en Vías Públicas (REAV), and requires assistance activities to be signalled in real time, geopositioning the services with the real-time location of the work using the assigned communications protocol (V.2, V.23 and V.24).

Among all these developments in mobility and road safety we miss one important element: the privacy impact assessment study.

Indeed, the reality is that behind every vehicle or mobility operator there are natural persons, identified or identifiable (owners, drivers, affected pedestrians, roadside assistance technicians, etc.), which makes it hardly or not at all credible that the mass data used will be processed exclusively in anonymous form, with no possibility of reversal by any of the operators involved.

The interconnection of all the elements of urban and interurban mobility through 5G and IoT, together with AI, draws the net around the sphere of privacy ever tighter, all the more so if we add the mass use of our inseparable smartphones.

The cross-referencing of data among all the devices interconnected in real time may open the door not only to roadside assistance or help with incidents, but also to the supervision of faithful and strict compliance with traffic rules, since it will be our own vehicle that reports to the Control Authority the situations that could constitute an administrative or even criminal offence.

And it does not appear that anyone is going to adequately inform users of all this in accordance with the RGPD and the LOPDGDD, nor the third parties affected, such as passengers or passers-by.

We therefore understand that these new mobility management platforms, whether urban or interurban, shared or not, need an in-depth analysis of the effects or risks they may have in terms of privacy from the point of view of the RGPD and.

It is not enough to state that the data will be anonymous. The principle of proactive responsibility in Article 5.2 of the RGPD requires us to be able to demonstrate the facts at all times; it is therefore essential that, in any project where there may be mass use of data that could be linked to individuals, the corresponding risk assessment and the appropriate impact assessment plans be carried out, and all of this, of course, before the system goes into operation, as the principle of privacy by design in Article 25 of the RGPD indicates.

We have not lost hope that the corresponding reports from the Data Protection Delegate of the Dirección General de Tráfico on the DGT 3.0 platform will be published shortly.

May 28th, 2021

AEPD 2020 Report: Endorsement of the Tribunal Supremo to the Sanctions Imposed by the AEPD: 95%

Image from Hans Braxmeier on Pixabay
The recently published 2020 report of the Spanish Data Protection Authority (AEPD) confirms the trend of the Supreme Court (TS) to overwhelmingly uphold the sanctioning resolutions of the AEPD.

In a legal system with guarantees, such as the Spanish one, sanctioning administrative resolutions can be reviewed by the judges as established by the appropriate procedural laws.

In the case of sanctioning resolutions issued by the Spanish Data Protection Agency, the competent judicial body in the first instance is the National Court and in the second instance it is the Supreme Court.

Historically, as the AEPD is a legal operator with guarantees and extensive procedural experience, the sanctioning decisions appealed by those affected were, in the first instance, mostly rejected in whole or in part and in some cases declared inadmissible. The few decided in favor of the appellant were normally decided on procedural rather than substantive grounds (e.g. prescription, expiration, material errors, etc.) or because of favorable legislative changes.

It is evident that once the first procedural instance (the National Court) has passed and the matter reaches the second instance (the Supreme Court), it has already been tried by a collegiate and qualified judicial body, and it is unlikely that arguments or situations with legal relevance that could change the meaning of a ruling were not taken into account. In any case, as human error exists, the second instance verifies whether the appealed ruling conforms to the law. As an example of the above, it should be noted that in 2020 one appeal was upheld by the Supreme Court, although it should also be noted that another 17 were rejected ...

In any case, it is an undeniable fact that the historical statistics of judicial decisions act as a deterrent when filing a judicial appeal against the AEPD, making it only advisable in cases where there is truly a clear and precise legal basis.

In any case, in the resolution of conflicts in RGPD matters, we would like to highlight from these lines the growing importance of the "Transfer" of actions system that the AEPD is adopting. It consists of informing the accused of the existence of a complaint against them as a natural or legal person, indicating the possibility of making allegations and clarifying the facts before inspection actions are initiated.

We understand that this prior procedure, the "Transfer", is a great opportunity to resolve possible misunderstandings and incidents and to avoid further sanctioning procedures with uncertain and very likely onerous results. At ATGROUP we will inform you of the news about this and other issues that may be of interest in RGPD matters.

April 30th, 2021

FLoC: THE END OF COOKIES... EXCEPT FOR GOOGLE

Google is preparing FLoC, an update to its famous Google Chrome browser in which it will not accept any third-party cookies

It has recently come out in the media that Google is preparing a major change to its famous Chrome browser that will consist of two key elements:

First, it will accept only Google's own cookies and not those of third parties.
Second, Google cookies will use FLoC technology to filter users by cohorts or common interest groups.

Without a doubt, it may seem like an advance in privacy compared with the current system, in which multiple companies develop their own cookies (browser attachments with different functions) and generate their own user profiles in an absolutely decentralized way. The future model, by contrast, will be totally controlled by the Internet giant, with no option for third parties to participate in the segmentation of users.

It is clear that the current system of cookies may involve situations not wanted by the user, and to avoid such situations the AEPD (with very good judgment, in our view) has required all website owners to allow the user to choose which cookies they accept before browsing a website. In this way, it is the user who chooses the level of privacy they want when navigating within a website.

With the new model proposed by Google, such cookie settings will no longer make sense, since only those cookies that the dominant operator has developed for itself will be accepted. On entering a website, the user will surely only have to answer a binary question: whether or not to agree to enter the FLoC system.

Google's Federated Learning of Cohorts (FLoC) consists of placing the user, according to their tastes and browsing activity, within a certain group or cohort, and assigning a differentiated ID according to interests and profiles. In this way there is not an individual but a group with common interests, giving an advertising segmentation that can be of interest at any time to advertisers and agencies.

At this point we see some light and also some shadow. As a positive and interesting element for privacy, we would highlight the lack of identification of the end user: the FLoC system does not allow users to be identified one by one, as happens now, and only reveals which cohort ID a user belongs to. The user is not absolutely anonymous, but is blurred within a group of similar interests. Undoubtedly, this layer of concealment, if well done, can be an improvement for privacy.

As for the shadows, the truth is that we are concerned that only Google can make Chrome cookies. A dominant operator with more than 90% of the Western market is certainly a monopoly that goes beyond borders and states. While it is true that the fragmentation of the market made it more difficult to monitor and supervise, it is no less true that the coercive capacity of the European Supervisory Authorities is much greater over these third-party operators than it can be in the face of Internet monsters such as Google.

The second shadow is the alternative that Google gives us, with its FLoC system, to the personal identification of the user. The operator proposes to classify consumers by groups (cohorts, in Google's language), so that each user would be segmented and classified, according to their behavior, following the pattern designed by Google.

It is clear that these patterns of conduct are of maximum interest to Google, and not precisely because of its altruistic spirit, but in order to trade them with advertisers with maximum efficiency and without competition, since only Google will have access to such profiles.

In short, it is not unreasonable to think that, with the excuse of improving the privacy of its browser, Google in a single move eliminates the possibility for third parties to extract commercial information from browsing, by not accepting third-party cookies, and also imposes an exclusive, monopolistic system for segmenting potential customers through its own and only cookies of the FLoC system. The truth is that it seems to us a monopolistic practice that can harm both users and other small developers in the advertising world, who will see how they have to change all their patterns and economic investment, as always in favor of the monopoly.

It is clear that all the European supervisory authorities are well aware of the ways in which the issue can be taken up. There is concern about the monitoring of users over time, consumption trends, the true anonymisation of the FLoC cohorts and the processing of specially protected data.

In any case, users sense a fight of David against Goliath. Trying to control the giants of the Internet through administrative procedures is not an easy task for any European supervisory authority, nor can it have an optimal outcome if there are no other complementary measures to promote competition and stimulate compliance.

In conclusion, we would like to restate a wish, now with more sense than ever: that the European Union must take a step forward in its digital policy. It is clear that there is a common border, financial, goods and even external relations policy, but we miss the promotion of policies of digital independence similar to those undertaken by China in its day with BAIDU, ALIBABA, TENCENT and XIAOMI, and even Russia with YANDEX, certainly necessary alternatives and examples to follow if we are to have some European digital independence.

We will see in a few months how FLoC evolves; we will be waiting and we will keep you informed.

Best regards.

April 8th, 2021

THE BEST WAY TO AVOID AN AEPD SANCTION: ANSWER THE TRANSFER OF THE COMPLAINT CORRECTLY

THE PRIOR MECHANISM FOR ADMISSION TO PROCESSING OF CLAIMS BEFORE THE AEPD, WHICH CONSISTS OF TRANSFERRING THE COMPLAINT TO THE ACCUSED.

The truth is that the prior mechanism established in article 65.4 of the LOPDGDD is a little-known tool.

This is a process by which the competent Control Authority in matters of data protection, when it receives a complaint from a person affected by a possible violation of the LOPDGDD, transfers it to the denounced party so that the latter can state what it deems appropriate in its defense, based on the facts presented in the complaint.

With the respondent's response, the supervisory authority will be better placed to decide whether to open another administrative procedure or, on the contrary, to close the complaint.

It is important to note that historically the number of disciplinary proceedings opened on the basis of a complaint is much higher than the number opened ex officio, and that in the event of an infringement of the RGPD the Control Authority cannot evade its responsibility and will have to act, regardless of whether the complainant's interest in presenting the complaint is honest or not.

In many cases the receipt of said communication of transfer of the complaint by the AEPD is the first news that the complainant has that there is a problem in terms of data protection and that it has been reported by someone to the competent Control Authority.

In any case, our recommendation at ATGROUP is to take advantage of that first opportunity to explain, document and, why not say it, help the Control Authority in its task of clarifying the facts, providing the evidence necessary to eliminate or minimize the alleged violation reported.

Let us remember that the principle of proactive responsibility (art. 5 RGPD) obliges the data controller to comply faithfully with the RGPD and the LOPDGDD and also to be able to demonstrate such compliance at all times.

Finally, we will not tire of recommending that the organization's Data Protection Delegate (DPD) be involved throughout the management of the response to the AEPD's transfer, the DPD being the natural interlocutor with the control authority and the professional qualified to advise on and coordinate the entire process of responding to complaints filed (art. 37 RGPD).

We will continue to inform you.

All the best.

March 31st, 2021

SPANISH DATA PROTECTION AGENCY FINES VODAFONE 8 MILLION EUROS

The Spanish Data Protection Agency (AEPD) has imposed on Vodafone Spain several penalties totaling more than eight million euros for breaching several articles of Spanish law, making it the highest fine ever imposed by this body.

The company Vodafone Spain, according to the AEPD, has breached not only the Law on the Protection of Personal Data and Guarantees of Digital Rights, but also the General Telecommunications Law and the Law on Information Society Services and e-commerce.

In the resolution, to which EFE has had access, it is noted that since the second quarter of 2018 the AEPD has received almost two hundred complaints against the company.

Most of the complaints against Vodafone Spain denounce the performance of marketing and commercial prospecting actions through telephone calls and by sending electronic commercial communications, both mailings and SMS messages, actions that according to the Agency violate the law.

These communications have not been requested or expressly authorized by the persons who have received them, who have not been able to exercise their right to object; or they have been addressed to persons who had requested their inclusion in the "Robinson list" (a directory to which those who do not want to receive advertising subscribe); and they did not comply with the procedures and guarantees established to carry out these marketing actions.

The Spanish Data Protection Agency imposed a penalty of 4 million euros on the company for failing to comply with Article 28 of the General Data Protection Regulation; and 2 million euros for failing to comply with Article 44 of the same regulation. It also imposed a fine of 150,000 euros for failing to comply with Article 21 of the Law on Information Society Services and Electronic Commerce; and another two million euros for failing to comply with the General Telecommunications Law.

It also grants Vodafone Spain a period of six months to demonstrate to the Spanish Data Protection Agency that it has brought into line with the law all the operations that gave rise to the investigation and the sanction.

The company states that it does not agree with the breaches attributed to it by the Agency, considers that the amount of the proposed sanction is disproportionate and stresses that it treats "with the maximum guarantees of confidentiality and privacy of its customers' data". It has communicated its intention to appeal the sanction before the Agency itself and has left open the possibility of taking the case to the National Court.

March 25th, 2021

SPANISH DATA PROTECTION AGENCY OPENS AN INVESTIGATION TO EMT ON SECURITY GAP IN FRAUD OF 4 MILLION EUROS

The AEPD has opened an investigation into a possible security breach at the Municipal Transport Company of Valencia (EMT).

The Spanish Data Protection Agency has upheld the appeal filed on June 1 by PP Councillor Carlos Mundina. This appeal will also investigate non-compliance with the EMT's data protection regulations.

The political party says it views very positively the opening of this investigation into the security breach at the EMT, in order to avoid scams like the one that occurred a month ago and involved the theft of 4 million euros. In their claim, the 'populares' warn of a very low level of cybersecurity at the EMT as well as a lack of management protocols. The consultancy Ernst and Young mentions that "EMT is not yet adapted to the legal obligations of the General Data Protection Regulation".

A statement is also collected by the EMT Data Protection Delegate about a possible security breach in Caixabank's e-banking in relation to possible phishing when accessing EMT's bank accounts in that entity.

Members of other political parties mentioned the major cybersecurity problems when the fraud of the 4 million euros occurred and which was certified by several important states. In addition, they claimed that the fact that there were cybersecurity problems in the EMT was cleared very prematurely, as there were notifications from the AEPD when the commission was closed.

March 11th, 2021

EU SANCTIONS SPAIN WITH 15 MILLION EURO FOR FAILING TO INCORPORATE A STANDARD FOR THE PROTECTION OF PERSONAL DATA IN TIME

The Court of Justice of the European Union (CJEU) on Thursday ordered Spain to pay a fine of €15 million for failing to transpose the directive on data protection in criminal matters into national law.

In July 2018, the European Commission opened infringement proceedings against Spain for failing to adopt the directive on the protection of personal data in the framework of the prevention and detection of criminal offences. This directive should have been adopted by member states before 6 May 2018. After a year of disputes, the European Commission asked the European Court of Justice to impose a sanction on Spain in July 2019.

The judgment given on February 25, 2021 ruled in favor of the European Commission: Spain will have to pay 15 million euros, in addition to a daily amount of 89,000 euros if the non-compliance persists.

The aforementioned directive introduces rules for the processing of personal data by law enforcement authorities in order to facilitate the exchange of information for the purposes of prevention, investigation, detection and enforcement of criminal penalties. The measure ensures that case-related data such as victims, witnesses, suspects and the perpetrators themselves are adequately protected in the criminal investigation.

The purpose of the measure is to facilitate cooperation between Member States in order to combat crime and terrorism more effectively on European territory. These EU rules contribute to the full realisation of an area of freedom, security and justice.

Arguments of Spain before the prosecution

Spain did not deny that it had failed to comply with its obligations to adopt and communicate the measures transposing the Directive, but argued that due to the very exceptional institutional circumstances, the activities of the government and parliament had been delayed. Let us remember that there was a functioning government and elections just around the corner.

Result of the judgment

In this Thursday’s judgment, the CJEU dismisses Spain’s arguments and declares its failure to comply with its obligations. In fact, on the date of completion of the written procedure in Luxembourg on 6 May 2020, the Sanchez government had not yet adopted or communicated the measures transposing the directive.
The European judges therefore consider the fine to be an appropriate means of ensuring that Spain puts an end to the breach of the rule as soon as possible, and consider that the fine is a deterrent to the future recurrence of similar infringements affecting the full effectiveness of EU law.

March 4th, 2021