AEPD (Spain) - PS/00192/2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00...") |
No edit summary |
||
Line 71: | Line 71: | ||
}} | }} | ||
The Spanish DPA fined a public broadcaster (Radiotelevision Española) €30,000 for failing to | The Spanish DPA fined a public broadcaster (Radiotelevision Española) €30,000 for failing to disguise the voice of a rape victim before publishing an audio recording of her testimony before a judge. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject was a rape | The data subject was the victim in a rape case that had garnered public attention. She complained to the Spanish DPA (''Agencia Española de Protección de Datos - AEPD'') that the controller, Corporación de Radio y Televisión Española, S.A. (RTVE), had published an unaltered audio recording of her speaking in court. | ||
An investigation by the DPA confirmed multiple instances where the audio recording was not distorted before publication, and it sent the controller an urgent request to either take down the recordings or alter them so as to render the data subject's voice unrecognizable. The controller complied, removing or distorting instances of the recording both published and archived. | An investigation by the DPA confirmed multiple instances where the audio recording was not distorted before publication, and it sent the controller an urgent request to either take down the recordings or alter them so as to render the data subject's voice unrecognizable. The controller complied, removing or distorting instances of the recording both published and archived. | ||
=== Holding === | === Holding === | ||
The DPA first confirmed that publishing a voice recording is processing of personal data. A voice is a personal attribute unique to each person and thus falls under the definition of personal data in Article 4(1)GDPR. Furthermore, it can reveal identifiers like age, sex, state of health, culture, and emotional state. This combined with the fact that [[Article 4 GDPR#2|Article 4(2) GDPR]] includes "transmission" and "dissemination" in the definition of processing means that publishing a recording of a person's voice is processing of personal data. | The DPA first confirmed that publishing a voice recording is processing of personal data. A voice is a personal attribute unique to each person and thus falls under the definition of personal data in Article 4(1)GDPR. Furthermore, it can reveal identifiers like age, sex, state of health, culture, and emotional state. This combined with the fact that [[Article 4 GDPR#2|Article 4(2) GDPR]] includes "transmission" and "dissemination" in the definition of processing means that publishing a recording of a person's voice is processing of personal data. | ||
The DPA then considered the balance of fundamental rights at stake, noting that [[ | |||
The DPA then considered the balance of fundamental rights at stake, noting that [[Article 85 GDPR]] mandates the reconciliation of the right to freedom of information with the right to privacy. The DPA held that the identifying characteristics of the victim were unrelated to the public's news interest in criminal proceedings; thus, the principle of data minimisation ([[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]) required the controller to implement measures to avoid voice recognition, like distorting the recording or reading a transcript. | |||
For violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], the DPA fined the controller €50,000. In its assessment of the fine, the DPA noted three aggravating factors per [[Article 83 GDPR#2|Article 83(2) GDPR]]: (1) the seriousness of revealing sensitive data of a person who has already been the victim of a violent crime against sexual integrity, (2) the negligence displayed in failing to implement appropriate safeguards for news subjects, and (3) the disclosure of a special category of data. The fine was ultimately reduced by 40% because the controller acknowledged responsibility and paid before resolution of the sanctioning procedure. | For violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], the DPA fined the controller €50,000. In its assessment of the fine, the DPA noted three aggravating factors per [[Article 83 GDPR#2|Article 83(2) GDPR]]: (1) the seriousness of revealing sensitive data of a person who has already been the victim of a violent crime against sexual integrity, (2) the negligence displayed in failing to implement appropriate safeguards for news subjects, and (3) the disclosure of a special category of data. The fine was ultimately reduced by 40% because the controller acknowledged responsibility and paid before resolution of the sanctioning procedure. | ||
Revision as of 16:03, 28 June 2022
AEPD - PS-00192-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 5(1)(c) GDPR Article 83(2)(a) GDPR Article 83(2)(b) GDPR Article 83(2)(g) GDPR Article 85 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 08.04.2021 |
Decided: | 26.04.2022 |
Published: | 23.06.2022 |
Fine: | 30,000 |
Parties: | n/a |
National Case Number/Name: | PS-00192-2022 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | MW |
The Spanish DPA fined a public broadcaster (Radiotelevision Española) €30,000 for failing to disguise the voice of a rape victim before publishing an audio recording of her testimony before a judge.
English Summary
Facts
The data subject was the victim in a rape case that had garnered public attention. She complained to the Spanish DPA (Agencia Española de Protección de Datos - AEPD) that the controller, Corporación de Radio y Televisión Española, S.A. (RTVE), had published an unaltered audio recording of her speaking in court.
An investigation by the DPA confirmed multiple instances where the audio recording was not distorted before publication, and it sent the controller an urgent request to either take down the recordings or alter them so as to render the data subject's voice unrecognizable. The controller complied, removing or distorting instances of the recording both published and archived.
Holding
The DPA first confirmed that publishing a voice recording is processing of personal data. A voice is a personal attribute unique to each person and thus falls under the definition of personal data in Article 4(1)GDPR. Furthermore, it can reveal identifiers like age, sex, state of health, culture, and emotional state. This combined with the fact that Article 4(2) GDPR includes "transmission" and "dissemination" in the definition of processing means that publishing a recording of a person's voice is processing of personal data.
The DPA then considered the balance of fundamental rights at stake, noting that Article 85 GDPR mandates the reconciliation of the right to freedom of information with the right to privacy. The DPA held that the identifying characteristics of the victim were unrelated to the public's news interest in criminal proceedings; thus, the principle of data minimisation (Article 5(1)(c) GDPR) required the controller to implement measures to avoid voice recognition, like distorting the recording or reading a transcript.
For violating Article 5(1)(c) GDPR, the DPA fined the controller €50,000. In its assessment of the fine, the DPA noted three aggravating factors per Article 83(2) GDPR: (1) the seriousness of revealing sensitive data of a person who has already been the victim of a violent crime against sexual integrity, (2) the negligence displayed in failing to implement appropriate safeguards for news subjects, and (3) the disclosure of a special category of data. The fine was ultimately reduced by 40% because the controller acknowledged responsibility and paid before resolution of the sanctioning procedure.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
9/18 In this case, the situation of the victim (who is not in the same level of equality as the accused) and what it means to spread your voice with all its nuances, as well as the special protection that the legal system that, without restricting the provision of information, must be done compatible with the principle of data minimization, applicable on the form, the means in which the information is supplied and disseminated due to the immediate effect on the data personal information and the identification of the victim. Precisely because the evident informative public interest in the news is not denied, given the general interest in criminal cases, in this specific case, it is not about to decay the Fundamental Right to Freedom of Information due to the prevalence of the Fundamental Right to the Protection of Personal Data, but of make them fully compatible so that both are absolutely guaranteed. That is, the freedom of information of the media is not questioned. of communication but the weighting with the right to data protection based on to the proportionality and need to publish the specific personal data of the voice. Such situation could have been solved with the use of technical procedures to prevent voice recognition, such as, for example, the distortion of the voice of the victim or the transcript of the account of the multiple rape, security measures both, applied depending on the case in an ordinary way by means of communication. At older we have to mean that the victim is an anonymous person and our Constitutional Court, by all STC 58/2018 of June 4, affirms that the public authorities, public officials and public figures or dedicated to activities that carry public notoriety “voluntarily accept the risk of that their subjective rights of personality are affected by criticism, opinions or adverse disclosures and, therefore, the right to information reaches, in relation to with them, their maximum level of legitimating efficacy, insofar as their life and conduct morality participate in the general interest with a greater intensity than that of those private persons who, without a vocation for public projection, see themselves circumstantially involved in matters of public importance, to which Therefore, a higher level of privacy must be recognized, which prevents grant general importance to facts or behaviors that would have it if they were referred to to public figures. The STJUE (Second Chamber) of February 14, 2019, in case C 345/17, Sergejs Buivids mentions various criteria to weigh between the right to respect for privacy and the right to freedom of expression, among which are “the contribution to a debate of general interest, the notoriety of the person concerned, the object of the report, the previous behavior of the interested party, the content, the form and the repercussions of the publication, the form and the circumstances in which it was obtained information and its veracity (see, in this sense, the judgment of the ECHR of 27 June 2017, Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland, CE:ECHR:2017:0627JUD000093113, section 165)”. In such a way, that for a matter to be considered of general interest, public relevance, they will be so not only because of the person who intervenes, but also because of the matter to which it refers. Both requirements must be met, resulting, the greater the abundance of what is meant in the previous section, which in the case examined C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/18 Processing of excessive data In accordance with the evidence available at the present time of agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, the respondent party is deemed to have processed data that was excessive as they are not necessary for the purpose for which they were processed. The known facts could constitute an infringement, attributable to the party claimed, of article 5.1.c) of the RGPD, with the scope expressed in the Previous grounds of law, which, if confirmed, could lead to the commission of the offense typified in article 83.5, section a) of the RGPD, which under the heading “General conditions for the imposition of administrative fines” provides that: “The infractions of the following dispositions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the of greater amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; In this regard, the LOPDGDD, in its article 71 establishes that "They constitute infractions the acts and behaviors referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law”. For the purposes of the limitation period, article 72 of the LOPDGDD indicates: Article 72. Infractions considered very serious. "1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/18 In any case, the effectiveness of any of the two reductions mentioned will be conditioned to the abandonment or renunciation of any action or resource in via administrative against the sanction. In case you chose to proceed to the voluntary payment of any of the amounts indicated above €40,000 (forty thousand euros), or €30,000 (thirty thousand euros), You must make it effective by depositing it in account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount to which it is accepted. Likewise, you must send proof of payment to the General Subdirectorate of Inspection to proceed with the procedure in accordance with the quantity entered. The procedure will have a maximum duration of nine months from the date of the start-up agreement or, where appropriate, of the draft start-up agreement. Once this period has elapsed, it will expire and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. 935-150322 Sea Spain Marti Director of the Spanish Data Protection Agency >> SECOND: On May 9, 2022, the claimed party has proceeded to pay the sanction in the amount of 30,000 euros making use of the two reductions provided for in the Start Agreement transcribed above, which implies the acknowledgment of responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or resource in via administrative action against the sanction and acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47 and 48.1 of the Law C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/18 Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common to Public Administrations (hereinafter, LPACAP), under the rubric "Termination in sanctioning procedures" provides the following: "1. Started a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature, but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. The reduction percentage provided for in this section may be increased regulations." According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00192/2022, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to CORPORACIÓN DE RADIO Y SPANISH TELEVISION S.A. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/18 Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of the Public Administrations, the interested parties may file an appeal contentious-administrative before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. 936-240122 Sea Spain Marti Director of the Spanish Data Protection Agency