AEPD (Spain) - PS/00119/2021: Difference between revisions

From GDPRhub

Revision as of 10:32, 17 January 2022

AEPD (Spain) - PS/00119/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 11.01.2022
Fine: 9000 EUR
Parties: EDUCANDO JUNTOS SL
National Case Number/Name: PS/00119/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined a company €9000 for sharing the pictures of one of their workers on its website and social networks without their consent, and for not complying with their erasure request regarding these pictures.

English Summary

Facts

A worker lodged a complaint with the Spanish DPA (AEPD) against their employer, alleging that the company was using their image on their new website, Facebook and Instagram.

The data subject asked the controller to take down the images. The controller replied that they had obtained the data subject's consent, although they provided no evidence of it. The data subject pointed out that the controller did not have their consent, and additionally that they thought that the images being used would remain in the internal sphere of the company.

The DPA required clarification from the controller, but did not receive any response.

Holding

The AEPD concluded that the controller had violated Article 6(1) GDPR, since they could not prove they had obtained the data subject's consent to publicly display their image online. For this violation, the DPA fined the controller €6000.

Additionally, the DPA determined that the controller had violated Article 17 GDPR, since they had not complied with the data subject's erasure request. For this violation, the DPA fined the controller an additional €3000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: PS/00119/2021


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the
following


                                   BACKGROUND


FIRST: A.A.A. (hereinafter, the claimant) filed a claim on 11/9/2020
before the Spanish Agency for Data Protection. The claim is directed against EDUCANDO
JUNTOS SL with NIF B85634681 (hereinafter, the claimed). The reasons on which the
claim is based are:

“The company EDUCANDO JUNTOS creates a new web page schooleducando.com using
photographs of employees without requesting authorization from each one. In my case, I have urged them
several times to remove the images in which I appear, but they ignore it. It also
extends to publications on social networks such as FACEBOOK and INSTAGRAM”.

Provides a copy of:

-E-mails exchanged with the claimed's web address, in the file: notices 1,
of 10/24/2020, requesting the removal of their photos from its website, Instagram and social networks.

-Copies of e-mails sent to the same address as above, in the file: notices 2, dated
3/11/2020. It stresses the request for the deletion of the claimant's photos, images and videos, at the
children's school in which he performed his work.

-File with “web” photographs containing three photos, one of a group and two of two and three people
in the foreground respectively. Below these are three others. All under the label
"Educational team", with the addition "they have not asked permission from any of the employees."

-File that contains a handwritten list of dates and photo numbers in which the claimant
indicates the photos that are to be deleted, on INSTAGRAM (five dates) and FACEBOOK
(twenty-four dates), with the same wording as to the absence of permission to upload any of the
photos. Dates range from 2017 to 2020.

SECOND: In view of the facts reported in the claim and the documents
provided by the claimant, the claim is transferred to the claimed electronically,
being made available from 12/21/2020, with automatic rejection after
ten calendar days from its availability for access (art. 43.2 of Law 39/2015,
of the Common Administrative Procedure of Public Administrations (LPACAP)).

The notification is sent again by post; the addressee appears as absent on both delivery attempts,
a notice was left, and it was returned as uncollected on 02/08/2021.

THIRD: On 03/15/2020, the claim is accepted for processing.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10








FOURTH: The corporate purpose of the claimed, according to the BORME publication, is: “exploitation of
schools, academies, kindergartens, kindergartens, toy libraries, as well as all
activities related to education of all kinds of subjects”, “date of incorporation:
02/26/2009”.

FIFTH: On 05/14/2021, it was agreed by the Director of the AEPD:

-INITIATE SANCTIONING PROCEDURE to EDUCANDO JUNTOS SL, with NIF
B85634681, for the alleged infractions of the articles:


-6.1 of the RGPD, in accordance with article 83.5.a) of the RGPD.
-17 of the RGPD, in accordance with article 83.5.b) of the RGPD.

-For the purposes specified in art. 64.2 b) of Law 39/2015, of 1/10, of the Common
Administrative Procedure of Public Administrations, the sanctions that could
correspond would be two administrative fines, six thousand euros for the infraction of
article 6.1 and three thousand euros for that of article 17 of the RGPD, without prejudice to what results from
the instruction.

Once the agreement was notified, the result was "expired", with this wording:

"The Support service of the Electronic Notifications and Authorized Electronic Address Service
CERTIFIES: - That the Ministry of Economic Affairs and Digital Transformation
(through the General Secretariat of Digital Administration) is currently the owner of the Electronic
Notifications Service (SNE) and Authorized Electronic Address (DEH) in accordance with
Order PRE / 878/2010 and Royal Decree 139/2020, of January 28. The provider of said
Service since June 26, 2015 is the National Mint and Stamp Factory-Real Casa
de la Moneda (FNMT-RCM), according to the Management Commission in force of the Ministry of
Finance and Public Administrations. - That the notification was sent through said service:
Reference: 124439560a1392b77f27 Acting Administration: Spanish Data Protection
Agency (AEPD) Owner: - B85634681 Subject: "Notification" with the following result: Date
made available: 05/16/2021 17:25:02 Automatic rejection date: 05/27/2021
00:00:00 Automatic rejection generally occurs after ten calendar days have elapsed
since the notification was made available for access, according to paragraph 2, article 43, of
Law 39/2015, of October 1, of the Common Administrative Procedure of Public
Administrations. And in a particular way, after the deadline established by the acting Administration
according to the specific legal regulations that are applicable. Which is certified for the
appropriate purposes in Madrid on May 27, 2021"


SIXTH: After the term granted for the formulation of allegations to the initiation agreement
of the procedure had elapsed, it has been verified that no allegation has been received from the
claimed.

Article 64.2.f) of LPACAP -which is outlined in the opening agreement of the
procedure- establishes that if allegations are not made within the established period on the
content of the initiation agreement, when it contains a precise statement about
the imputed responsibility, it may be considered a resolution proposal. In the present
case, the agreement to initiate the disciplinary proceedings determined the facts in which the
imputation was specified, the violation of the RGPD attributed to the defendant and the sanction that could
be imposed. Therefore, taking into consideration that the defendant has not made any allegations
to the agreement to initiate the file and in accordance with the provisions of the aforementioned article, the aforementioned
initiation agreement is considered, in this case, a proposal for a resolution.


In view of all the actions taken, the following are considered proven facts by the Spanish Agency
for Data Protection in this proceeding,


                                        FACTS


1) The claimant, who was employed by the defendant, requests on 10/22/2020 by e-mail
(a copy is provided in the claim) that "the photos of the website, Instagram,
Facebook”, in which the claimant appears, be eliminated. In a first response, the claimed,
the next day, by e-mail, says that "we get down to it." An
exchange of e-mails follows that ends with that of the claimed, of 10/24/2020, in which it states
that "the photos have always been with your consent, since you have always consented to the
Furthermore, their use has always been posted by the teachers”.

2) In the e-mail of 3/11/2020, the claimant sends a message to the claimant,
noting that “they do not have the consent for their image to appear on the website,
social networks and similar means of external diffusion of the school” “in which he had been
performing” his work, and that he was not informed that the photos and videos would leave the private
scope of the school. It reiterates the request for the removal of the images and videos, and files a
claim before this AEPD on 11/9/2020.

3) The claimed:


    a. Provides six photographs of the claimed's website, all under the heading “Educational
    team”, with the addition “they have not asked permission from any of the employees”. Of these,
    two are of a group, and in the foreground: two of two and two of three people respectively.


    b. Provides a handwritten list in which the claimant indicates the places and dates in
    which their photos appear: INSTAGRAM (five dates), the first from 2017, the last from May
    2020; FACEBOOK between 2017 and 2020 (twenty-four dates), with the same wording as to the
    absence of permission to upload any of the photos.


4) The AEPD transfers the claim to the defendant, recording the notification as made
available from 12/21/2020, with automatic rejection after ten calendar days have elapsed
from being made available for access (art. 43.2 of the LPACAP). The notification is sent again
by post; the addressee appears as absent on both delivery attempts, a notice was left, and it was
returned as uncollected on 02/08/2021.


5) The initiation agreement was made available to the complainant on 05/16/2021, by
electronic notification, through the provider of said service, which certified that it was not
accessed, so that it is understood to be rejected (art. 43.2 LPACAP).


6) It is not proven that the complainant has attended to the claimant's right to deletion of data,
or removed the claimant's photos.

7) It is not proven that the defendant has a legitimate basis for the treatment of the
photos of the claimant.



                            FOUNDATIONS OF LAW

                                              I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and
as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Agency
for Data Protection is competent to resolve this procedure.

                                             II


The RGPD defines data processing in article 4.2 of the RGPD:
  "Any operation or set of operations carried out on personal data or

sets of personal data, whether by automated procedures or not, such as the
collection, registration, organization, structuring, conservation, adaptation or modification,
extraction, consultation, use, communication by transmission, diffusion or any other form
to enable access, collation or interconnection, limitation, deletion or destruction "

The treatment of images, in this case photos, must have a legitimation basis
from among those listed in article 6.1 of the RGPD.

For holding images of the claimant, which are personal data, and considering that there is no
legitimate basis for this, the defendant is charged with the commission of an alleged
infringement of article 6.1 of the RGPD, which indicates:


  1. The treatment will only be lawful if at least one of the following conditions is met:

  a) the interested party gave their consent for the processing of their personal data for one
or various specific purposes;


  b) the treatment is necessary for the execution of a contract in which the interested party is
part or for the application at his request of pre-contractual measures;

  c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
responsible for the treatment;


  d) the treatment is necessary to protect vital interests of the interested party or another natural
person;

  e) the treatment is necessary for the fulfillment of a mission carried out in the public
interest or in the exercise of public powers conferred on the data controller;


  f) the treatment is necessary for the satisfaction of legitimate interests pursued by the
responsible for the treatment or by a third party, provided that such interests are not
overridden by the interests or fundamental rights and freedoms of the interested party that
require the protection of personal data, in particular when the interested party is a child.

  The provisions of letter f) of the first paragraph will not apply to the treatment carried out
by public authorities in the exercise of their functions. "

Once the positive fact of the treatment has been accredited, it corresponds to the claimed to prove
compliance with the requirements. In this sense, it is not proven that the display of the photographs that are
the object of the claim on various social networks and on the website itself has one of the legitimizing
bases indicated in article 6 of the RGPD, so the commission of the infraction charged
is accredited.


                                                   III

The right of deletion is the right of the interested party to demand from the person responsible for the treatment,
in this case, the complained party, that it exclude personal data from the processing. The right
of deletion is a reflection of informational self-determination, of the control of the data by its
holder.

The right of deletion is contained in article 17 of the RGPD as a right of the interested party
concerning their data, and at the same time implies an obligation of the person in charge (of the
treatment), indicating:

        1. The interested party shall have the right to obtain without undue delay from the person responsible for the
treatment the deletion of personal data concerning him, and the person responsible will be obliged to
delete the personal data without undue delay when any of the following circumstances
concur:

        a) the personal data is no longer necessary in relation to the purposes for which
it was collected or otherwise treated;

        b) the interested party withdraws the consent on which the treatment is based in accordance
with Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), and the treatment is not based on
another legal basis;

        c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and no
other legitimate reasons for the treatment prevail, or the interested party opposes the treatment
pursuant to Article 21 (2);

        d) the personal data has been unlawfully processed;

Failure to comply with the right to deletion of the photographs exhibited by the claimed on
its website and social networks violates article 17 of the RGPD.


                                                   IV



Article 58.2 of the RGPD provides: “Each control authority will have all the
corrective powers listed below:

        d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time;

        i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each particular
case;”

A fine is imposed for not responding to the right of the claimed and not making
it effective; in addition, the exposed images span several years and date back to 2017.


                                                 V

  Regarding these two offenses and the penalties, Article 83.5 of the RGPD states:


  "Violations of the following provisions will be sanctioned, in accordance with section
2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company,
of an amount equivalent to a maximum of 4% of the total annual global business volume of the
previous financial year, opting for the one with the highest amount:

  a) the basic principles for the treatment, including the conditions for consent
in accordance with articles 5, 6, 7 and 9;

  b) the rights of the interested parties in accordance with articles 12 to 22. "

                                                 VI



The offenses are classified in article 72 of the LOPDGDD:


  1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
the infractions that suppose a substantial violation of the articles mentioned therein are
considered very serious and will prescribe after three years and, in particular, the following:


  b) The processing of personal data without the concurrence of any of the conditions of legality
of the treatment established in article 6 of Regulation (EU) 2016/679.

  k) The impediment or the obstruction or the repeated neglect of the exercise of the rights
established in articles 15 to 22 of Regulation (EU) 2016/679.


                                                 VII

The determination of the sanctions to be imposed in the present case requires observing the
provisions of articles 83.1) and .2) of the RGPD, precepts that, respectively, provide the
following:

    "1. Each control authority will guarantee that the imposition of administrative fines
in accordance with this article for the infractions of this Regulation indicated in
Sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive."

    "2. Administrative fines will be imposed, depending on the circumstances of each individual
case, as an additional or substitute for the measures contemplated in article 58, section 2,
letters a) to h) and j). When deciding to impose an administrative fine and its amount in
each individual case, the following will be duly taken into account:

a) the nature, seriousness and duration of the offense, taking into account the nature,
scope or purpose of the processing operation in question, as well as the number of
interested parties affected and the level of damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the person in charge or in charge of the treatment to alleviate the
damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking
account of the technical or organizational measures that have been applied by virtue of articles 25
and 32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement
and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority learned of the infringement, in particular
if the controller or the processor notified the infringement and, if so, to what extent;

i) when the measures indicated in article 58, paragraph 2, have been previously ordered
against the person in charge or the person in charge in relation to the same matter,
compliance with said measures;

j) adherence to codes of conduct under article 40 or to certification mechanisms
approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or indirectly, through
the offense. "

 Within this section, the LOPDGDD contemplates in its article 76, entitled “Sanctions and
corrective measures”:

  "1. The sanctions provided for in paragraphs 4, 5 and 6 of article 83 of Regulation (EU)
2016/679 will be applied taking into account the graduation criteria established in
section 2 of the aforementioned article.

  2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following
may also be taken into account:

  a) The continuing nature of the offense.

  b) The linking of the offender's activity with the performance of personal data
processing.

  c) The benefits obtained as a result of the commission of the offense.

  d) The possibility that the affected person's conduct could have led to the commission of the
infringement.

  e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.

  f) Affecting the rights of minors.

  g) Having, when not mandatory, a data protection officer.

  h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which there are
controversies between them and any interested party.

  3. The adoption, when appropriate, of the remaining corrective measures referred to in
article 83.2 of Regulation (EU) 2016/679 will be possible, in a complementary or alternative
manner. "

In accordance with the transcribed precepts, in order to set the amount of the fine to
impose, in the present case, for the violation of article 6.1 of the RGPD, for which
the claimed is held liable, the following are considered to be concurrent as aggravating
factors that reveal greater unlawfulness and/or culpability in the conduct of the defendant:


-Article 83.2.a) RGPD: "Nature, seriousness and duration of the offense taking into account
the nature, scope or purpose of the processing operation in question as well as the
number of interested parties affected and the level of damages they have suffered”. These are
treatments that come from afar, year 2017, last in 2018, until 2020, their quantity,
which is not few, and the scope they have, as highlighted, contained in two social
networks and the website itself, valuing the amount at six thousand euros (6,000 euros).

In the infraction for lack of attention to the right to suppression of data, article 17 of the
RGPD, for the purpose of setting the amount of the fine to impose, for which
the claimed is held liable, the following are considered to be concurrent as aggravating
factors that reveal greater unlawfulness and/or culpability in the conduct of the defendant:

-Article 83.2.b) "intentionality or negligence in the offense": not being an intentional
action, it was requested on up to two occasions, without obtaining any response, which denotes
a special lack of diligence in the fulfillment of the duties that correspond to it,
valuing the offense at three thousand euros (3,000 euros).

Therefore, in accordance with the applicable legislation and proving the infractions,
the Director of the Spanish Agency for Data Protection RESOLVES:


FIRST: IMPOSE on EDUCANDO JUNTOS SL, with NIF B85634681, for an infraction
of article 6.1 of the RGPD, typified in article 83.5 a) of the RGPD, and for the purposes of
prescription in article 72.1.a) of the LOPDGDD, a fine of 6,000 euros (six thousand euros).

SECOND: IMPOSE on EDUCANDO JUNTOS SL, with NIF B85634681, for an offense
of Article 17 of the RGPD, typified in Article 83.5 b) of the RGPD, and for the purposes of
prescription in article 72.1.k) of the LOPDGDD, a fine of 3,000 euros (three thousand euros).

THIRD: NOTIFY this resolution to EDUCANDO JUNTOS SL.


FOURTH: Warn the sanctioned person that he must make the imposed sanction effective once
this resolution is executive, in accordance with the provisions of art. 98.1.b) of the
LPACAP, within the voluntary payment term established in art. 68 of the General Regulations of
Collection, approved by Royal Decree 939/2005, of 07/29, in relation to art. 62 of
Law 58/2003, of 12/17, by means of payment, indicating the NIF of the sanctioned person and the number of
the procedure that appears in the heading of this document, into the restricted account
nº ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data
Protection in the banking entity CAIXABANK, S.A. Otherwise, it will be
collected in the executive period.

Once the notification has been received and once it is executive, if the date of execution is between the
1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be up to
the 20th of the following month or the immediately subsequent business day, and if it is between the 16th and
the last day of each month, both inclusive, the payment term will be until the 5th of the second following
month or the immediately subsequent business day.


In accordance with the provisions of article 50 of the LOPDGDD, this Resolution
will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties
may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency
for Data Protection within a period of one month from the day following the
notification of this resolution, or directly a contentious-administrative appeal before the
Contentious-Administrative Chamber of the National Court, in accordance with the provisions of
Article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13
July, regulating the Contentious-Administrative Jurisdiction, within a period of two months
counting from the day following notification of this act, as provided in article
46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final
administrative resolution may be provisionally suspended if the interested party manifests
his intention to file a contentious-administrative appeal. If this is the case, the
interested party must formally communicate this fact in writing to the Spanish Agency
for Data Protection, presenting it through the Electronic Registry of the
Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the
remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1.
You must also send the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the day
following the notification of this resolution, it would terminate the precautionary
suspension.



                                                                                                 938-231221
Mar España Martí
Director of the Spanish Agency for Data Protection