This Monday the Spanish Data Protection Agency (AEPD) published its 2021 Report, which comprehensively covers the activities carried out, management figures, the most relevant reports and procedures of the year, and an analysis of present and future challenges. The Agency’s activities in 2021 focused on two main aspects: responding to the data protection challenges related to the pandemic and continuing to encourage those who process data to commit to privacy protection. In the first block, the Agency has continued to participate in articulating safeguards to protect personal data in processing related to measures against COVID-19, both at a national and European level through the European Data Protection Board (EDPB).

In the second, the Digital Pact for the Protection of Individuals was launched in 2021, an initiative that already has almost 400 adhered entities and promotes privacy and digital ethics as an asset that organizations should take into account when designing their policies and strategies.

Complaints:

During 2021, work has continued in the Priority Channel to request the urgent removal of sexual or violent content published on the internet without the permission of the persons appearing in it. Thus, 377 requests have been received through the Priority Channel, of which 215 have entered through the channel for minors. 25 emergency interventions have been carried out after determining the particularly sensitive nature of the personal data disclosed and the serious impact on the privacy of individuals, achieving the immediate removal of sensitive content.

As for ordinary complaints, those raised most frequently by citizens in 2021 correspond to internet services (16%), video surveillance (12%), receipt of advertising (except spam) (11%) and improper insertion in delinquency files (9%). As for sanctioning procedures, 585 were completed, 49% more than in 2021. The most frequent areas in sanctioning procedures are video surveillance (25%), internet services (22%), and advertising via email or cell phone (9%).

In terms of management figures, 13,905 complaints were filed with the Agency in 2021, an increase of 35% over 2020. This figure rises to 14,571 including cross-border cases, cases in which the Agency acts on its own initiative and security breaches transferred to inspection. In 2021, resolved claims have increased by 35% (14,098) compared to the previous year (10,443), a very remarkable figure that has made it possible to resolve claims pending from previous years without significantly increasing the average resolution times. In these claim processing times, a reference must be made to transfers, a provision included in the LOPDGDD to facilitate the rapid resolution of claims and which has allowed these to be resolved in less than two months.

Fines:

There have been 264 resolutions that have ended with the imposition of a fine. The six areas of activity with the highest overall amount of fines were advertising (€8,659,200), telecommunications (€6,500,000), financial institutions/creditors (€6,243,000), delinquency files (€4,209,000), fraudulent contracting (€3,674,000) and labor matters (€2,625,900). These six areas account for more than 90% of the overall amount of penalties, which in 2021 amounted to €35,074,800. The increase in the number of fines imposed with respect to previous years is related to the higher number of sanctioning proceedings resolved and also to the size and complexity of the cases, derived from the magnitude of the data processing investigated.

As regards cross-border cases, the Agency has initiated 16 in 2021 and has declared itself to be the authority concerned in more than 300. 1,070 requests have also been received from other European authorities, requests for assistance and consultation, and draft decisions.

With regard to the rulings of the National High Court in appeals filed against resolutions of the Agency, of the 66 issued in 2021, 56 (85%) were dismissed or inadmissible. For its part, the Supreme Court handed down 4 rulings, all of which were favorable to the Agency.

As for the notifications of personal data breaches made to the Agency, these are initially received by the Technological Innovation Division (DIT), which performs an initial analysis. The DIT received and analyzed 1,647 notifications in 2021, of which just over 4% (76) were referred to the Inspection Branch as requiring in-depth investigation. The most frequent personal data breaches are those caused by cyber incidents of external/malicious origin and, within this type of incident, ransomware is the most common. At the same time, the number of cases in which data and/or systems are encrypted before information is leaked and offered for sale on the internet or dark web continues to increase.

As regards the number of data protection officers (DPOs) notified to the Agency, 2021 closed with 82,249 DPOs compared to 65,040 DPOs in 2020. Of last year’s figure, 74,033 were in the private sector and 8,396 in the public sector. With regard to the assistance services provided by the Agency for the adaptation to the Regulation, almost 670 queries have been received through the DPO Channel, which responds to the queries raised by the Data Protection Officers previously notified to the Agency.

Finally, almost 1,800 questions have been raised before the Agency’s Youth Channel, an increase of more than 28% compared to 2020. Parents have raised the largest number of queries (54%) and, as a group, 25% of the queries were made by those responsible for companies and public bodies that process data on minors, such as sports clubs or local entities, or teachers from educational centers.

Source: Noticias Juridicas