AEPD (Spain) - PS/00505/2021
Latest revision as of 09:43, 24 March 2022
AEPD (Spain) - PS/00505/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 01.11.2020 |
Decided: | |
Published: | 04.02.2022 |
Fine: | 2000 EUR |
Parties: | Juzgado Penal Nº 2 de Manresa |
National Case Number/Name: | PS/00505/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Jennifer Vidal |
The Spanish DPA fined a defendant in a criminal trial €2000 for sharing a video of a court hearing on Twitter without the consent of the other participants in it.
English Summary
Facts
The Criminal Court No. 2 of Manresa filed a complaint with the Spanish DPA (AEPD) for the disclosure of audiovisual material captured during the oral trial by the defendant, who posted recordings of the hearing on Twitter. The disclosure was carried out without the consent of witnesses and procedural parties involved in the hearing.
The defendant eventually deleted the video, and was unable to specify how long the post had been online. In the investigation conducted by the AEPD on web.archive.org, it determined that there were enough indicators that the video shared by the defendant on Twitter included images of witnesses and other procedural parties.
Holding
The Spanish authority held that the defendant had infringed Article 6(1) GDPR by disclosing the video without the consent of those appearing in it. The AEPD noted that for consent to be valid, it must result from a positive and clear action by the data subject that amounts to a free, specific, informed and unequivocal expression of will. Based on the absence of valid consent and the violation of the aforementioned GDPR provision, the AEPD issued a €2000 fine against the defendant.
Comment
An administrative appeal (recurso de reposición) was filed by the defendant, and dismissed by the AEPD on the grounds that no new arguments were made. The decision can be found here: https://www.aepd.es/es/documento/reposicion-ps-00505-2021.pdf
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00505/2021

RESOLUTION OF PUNISHMENT PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: The Criminal Court No. 2 of Manresa (hereinafter, the claimant party) with date 11/01/2020 filed a claim with the Spanish Agency for the Protection of Data. The claim is directed against D. A.A.A. with NIF ***NIF.1 (hereinafter, the claimed party). The grounds on which the claim is based are as follows: dissemination by the accused in his profile on the social network TWITTER, without consent, of audiovisual material captured during the oral trial held with date ***DATE.1 in Criminal Court no. 2 of Manresa (Barcelona), in which witnesses and procedural parties can be seen and heard. A copy of the Diligence of proof of the Lawyer of the Administration of Justice is provided, dated and signed on 10/23/2020.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the respondent, so that he could proceed to its analysis and inform this Agency within a month, providing information in relation to the unrestricted publication of entire audiovisual fragments of the oral trial held on ***DATE.1 of Criminal Court No. 2 of Manresa through his Twitter account ***USER.1, in which witnesses and procedural parties can be seen and heard. On 05/07/2021, this Agency received a written response indicating that he does not retain a copy of the video, which was destroyed on a date that he cannot determine, and that he does not know the time during which it could have remained published on his Twitter account.

THIRD: On 12/10/2020 the Director of the Spanish Data Protection Agency agreed to admit the claim filed by the claimant for processing.
FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out previous investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (General Regulation of Data Protection, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following ends:

On 10/19/2021 and after conducting a search on web.archive.org, it has not been possible to view any video, although there is evidence of tweets with the following text and a video not viewable, published on dates 10/21/2020 and 10/22/2020: (...)

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

FIFTH: On 11/15/2021, the Director of the Spanish Agency for the Protection of Data agreed to initiate a sanctioning procedure against the defendant, for the alleged infringement of article 6.1.a) of the RGPD, typified in article 83.5.a) of the aforementioned Regulation, a fine of 2,000 euros.

SIXTH: Once the initiation agreement has been notified, the claimed party, at the time of this resolution, has not presented a written statement of allegations, for which reason the provisions of article 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, apply, which in section f) establishes that in the event of not making allegations within the period established on the content of the initiation agreement, it may be considered a proposal for resolution when it contains a precise statement about the responsibility imputed, reason why a Resolution is issued.
SEVENTH: Of the actions carried out in this procedure, the following have been accredited:

PROVEN FACTS

FIRST: On 11/01/2020 the claimant filed with the Spanish Agency for Data Protection, Diligence of proof of the Court indicating the diffusion by the claimed party in his TWITTER social network profile, without consent or authorization, of audiovisual material captured during the oral trial held on the date ***DATE.1 in Criminal Court no. 2 of Manresa (Barcelona), where witnesses and procedural parties can be seen and heard.

SECOND: The respondent in writing dated 05/03/2021 has indicated that he does not keep copy of the published video, which was destroyed on an unspecified date and which He knows the approximate time that he could remain published in his account of Twitter.

THIRD: Record dated 10/19/2021, Diligence of the instructor incorporating into the proceedings documentation obtained from the web https://web.archive.org through Internet after clearing cookies and cache using Firefox browser:

Content of the following urls: ***URL.1 ***URL.2 ***URL.3

No video could be viewed on this website, but there is evidence of tweets with the following texts and a non-viewable video, published on 10/21/2020 and on 10/22/2020: (…)

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and to resolve this procedure.

II

Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, in its article 64 "Agreement of initiation in the procedures of a sanctioning nature", provides:

"1.
The initiation agreement will be communicated to the instructor of the procedure, with transfer of how many actions exist in this regard, and the interested parties will be notified, understanding in any case by such the accused. Likewise, the initiation will be communicated to the complainant when the rules regulating the procedure so provide.

2. The initiation agreement must contain at least:

a) Identification of the person or persons allegedly responsible.

b) The facts that motivate the initiation of the procedure, its possible rating and sanctions that may apply, without prejudice to what result of the instruction.

c) Identification of the instructor and, where appropriate, Secretary of the procedure, with express indication of the system of recusal of the same.

d) Competent body for the resolution of the procedure and regulation that attribute such competence, indicating the possibility that the presumed responsible can voluntarily acknowledge their responsibility, with the effects provided for in article 85.

e) Provisional measures that have been agreed by the body competent to initiate the sanctioning procedure, without prejudice to those that may be adopted during the same in accordance with article 56.

f) Indication of the right to formulate allegations and to the hearing in the procedure and the deadlines for its exercise, as well as an indication that, if allegations are not made within the stipulated period on the content of the initiation agreement, this may be considered a resolution proposal when it contains a precise statement about the responsibility imputed.

3. Exceptionally, when at the time of issuing the initiation agreement there are not sufficient elements for the initial qualification of the facts that motivate the initiation of the procedure, the aforementioned qualification may be carried out in a later phase by drawing up a List of Charges, which must be notified to the interested parties".
In application of the previous precept and taking into account that no allegations have been formulated to the initiation agreement, it is appropriate to resolve the procedure initiated.

III

The claimed facts materialize in the publication without legitimation or consent or authorization by the claimed party in his TWITTER social network profile of audiovisual material captured during the oral trial held on ***DATE.1 in the Criminal Court no. 2 of Manresa, of the different procedural parties and interveners, which supposes the violation of the regulations in terms of protection of personal data.

Article 58 of the RGPD, Powers, states:

"2. Each supervisory authority will have all of the following corrective powers listed below:

(…)

i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;

(…)"

Article 6, Legality of the treatment, of the RGPD establishes:

"1.
The treatment will only be lawful if at least one of the following conditions is met:

a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;

b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at the request of the latter of pre-contractual measures;

c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller;

d) the processing is necessary to protect the vital interests of the data subject or of another natural person;

e) the treatment is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers vested in the controller of the treatment;

f) the treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that said interests are not overridden by the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.

The provisions of letter f) of the first paragraph shall not apply to treatment carried out by public authorities in the exercise of their functions.

(…)".
On this question of the legality of the treatment, Recital 40 of the aforementioned RGPD is also relevant, when it states that "For the processing to be lawful, personal data must be processed with the consent of the interested party or on any other legitimate basis established in accordance with Law, either in this Regulation or by virtue of other law of the Union or of the Member States covered by this Regulation, including the need to comply with the legal obligation applicable to the data controller or the need to execute a contract to which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract."

Article 4 of the GDPR, Definitions, in section 11, states that:

"11) «consent of the interested party»: any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that concern him".

Also article 6, Treatment based on the consent of the affected party, of the new Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (hereinafter LOPDGDD), indicates that:

"1. In accordance with the provisions of article 4.11 of the Regulation (EU) 2016/679, consent of the affected party is understood to be any manifestation of free, specific, informed and unequivocal will by which he accepts, either through a declaration or a clear affirmative action, the treatment of personal data that concern him.

2. When the data processing is intended to be based on consent of the affected party for a plurality of purposes, it will be necessary to state specifically and unequivocally that said consent is granted for all of them.

3.
The execution of the contract may not be subject to the affected party consenting to the processing of personal data for purposes unrelated to the maintenance, development or control of the contractual relationship".

Therefore, there is evidence that the data processing carried out by the claimed party with the broadcast of the video that reproduces parts of the judicial process, which contains the images of the persons involved in it as a witness or in another procedural condition, has been carried out without any of the legitimate causes included in article 6.1 of the RGPD.

IV

The infraction attributed to the defendant is typified in article 83.5 a) of the RGPD, which considers that the infringement of "the basic principles for processing, including the conditions for consent under the articles 5, 6, 7 and 9" is punishable, in accordance with section 5 of the aforementioned Article 83 of the aforementioned Regulation, "with administrative fines of €20,000,000 as maximum or, in the case of a company, an amount equivalent to 4% as maximum of the overall annual total turnover of the previous financial year, opting for the highest amount".

The LOPDGDD in its article 71, Violations, states that: "They constitute infractions the acts and behaviors referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law".

And in its article 72, it considers for prescription purposes, which are: "Infringements considered very serious:

1.
Based on the provisions of article 83.5 of the Regulation (EU) 2016/679, the infractions that suppose a substantial violation of the articles mentioned in that and, in particular, the following are considered very serious:

(…)

b) The treatment of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679.

(…)"

V

The documentation in the file offers clear indications that the claimed party violated article 6.1 of the RGPD, by proceeding to the dissemination without consent or authorization on the social network Twitter of entire fragments of the oral trial held on 09-21-2020 of the Criminal Court No. 2 of Manresa through his Twitter account ***USER.1, in which the different persons intervening in it can be seen and heard.

In addition, the copy of the Diligence of proof of the Lawyer provided to the file indicates that in all the documented procedural actions of said procedure a warning has always been given in relation to the RGPD.

The claimed party himself, in writing dated 05/03/2021, implicitly recognizes the publication by informing that although he does not keep a copy of the published video, he could not specify the approximate time that it could have remained published on his Twitter account.

It should be noted that the GDPR excludes tacit consent and requires that it be explicit. With the entry into force of the RGPD and the new LOPDGDD, only the express consent.

The most important novelty regarding consent that the RGPD incorporates is that it must be granted through a clear affirmative act that evidences a free, specific, informed and unequivocal declaration of will of the interested party to admit the treatment of personal data that affect him; that there is not the slightest doubt that there has been manifest will on the part of the client, giving their express consent to be able to treat their personal data with the specific purposes detailed in the form.
The request for consent must be clear and specific, and must not unnecessarily alter the use of the service for which it is provided. All this only emphasizes the need for express consent to the treatment.

VI

In order to establish the administrative fine to be imposed, the provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which point out:

"1. Each control authority will guarantee that the imposition of administrative fines under this article for violations of this Regulation indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:

a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that have applied under articles 25 and 32;

e) any previous infraction committed by the person in charge or the person in charge of the treatment;

f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate the possible adverse effects of the breach;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory
authority became aware of the infringement, in particular if the person in charge or the person in charge notified the infringement and, in such case, to what extent;

i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or mechanisms approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits realized or losses avoided, directly or indirectly, through infringement."

In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, "Sanctions and corrective measures", establishes that:

"2. In accordance with the provisions of article 83.2.k) of the Regulation (EU) 2016/679 the following may also be taken into account:

a) The continuing nature of the offence.

b) The link between the activity of the offender and the performance of treatments of personal data.

c) The profits obtained as a result of committing the offence.

d) The possibility that the conduct of the affected party could have induced the commission of the offence.

e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.

f) Affectation of the rights of minors.

g) Have, when it is not mandatory, a delegate for the protection of data.

h) The submission by the person in charge or person in charge, voluntarily, to alternative conflict resolution mechanisms, in those assumptions in which there are controversies between those and any interested party."
In accordance with the precepts transcribed, in order to set the amount of the sanction of a fine to be imposed in the present case for the infraction typified in article 83.5 of the RGPD for which the claimed person is responsible, the following factors are considered concurrent:

Aggravating circumstances are:

The scope of the treatment carried out by the claimed party, since it must not be forgotten that this has been done through publication on the social network Twitter, whose diffusion is immediate.

Several people have been affected by the offending conduct.

The damage caused, since it is the dissemination of parts of a judicial process before which due guarantees must be kept.

The respondent has not indicated the measures to be established in order to prevent incidents similar to the one that occurred.

There is no evidence that the defendant had acted maliciously, although negligent action is observed.

Extenuating circumstances are:

The activity of the offender is not linked to the performance of processing of personal data, or there is no record of such a link.

The respondent is a natural person.

Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on A.A.A., with NIF ***NIF.1, for an infraction of article 6.1.a) of the RGPD, typified in article 83.5.a) of the RGPD, a fine of €2,000 (two thousand euros).

SECOND: NOTIFY this resolution to A.A.A.

THIRD: Warn the sanctioned party that he must make the imposed sanction effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment term established in art.
68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned party and the number of the procedure that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the executive period.

Once the notification has been received and once it is enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the term to carry out the voluntary payment will be until the 20th day of the following month or immediately after, and if it is between the 16th and last day of each month, both inclusive, the term of the payment will be until the 5th of the second following month or immediately after.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of one month from the day following the notification of this resolution or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art.
90.3 a) of the LPACAP, the firm resolution may be provisionally suspended in administrative proceedings if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency were not aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, it would end the precautionary suspension.

Mar España Martí
Director of the Spanish Data Protection Agency