AEPD (Spain) - PS/00192/2022: Difference between revisions

From GDPRhub
No edit summary
Line 71: Line 71:
}}
}}


The Spanish DPA fined a public broadcaster (Radiotelevision Española) €30,000 for failing to disguise the voice of a rape victim before publishing an audio recording of her testimony before a judge.
The Spanish DPA fined a public broadcaster (Radiotelevision Española) €30,000 for failing to disguise the voice of a rape victim before publishing an audio recording of her testimony at trial.


== English Summary ==
== English Summary ==
Line 78: Line 78:
The data subject was the victim in a rape case that had garnered public attention. She complained to the Spanish DPA (''Agencia Española de Protección de Datos - AEPD'') that the controller, Corporación de Radio y Televisión Española, S.A. (RTVE), had published an unaltered audio recording of her speaking in court.  
The data subject was the victim in a rape case that had garnered public attention. She complained to the Spanish DPA (''Agencia Española de Protección de Datos - AEPD'') that the controller, Corporación de Radio y Televisión Española, S.A. (RTVE), had published an unaltered audio recording of her speaking in court.  


An investigation by the DPA confirmed multiple instances where the audio recording was not distorted before publication, and it sent the controller an urgent request to either take down the recordings or alter them so as to render the data subject's voice unrecognizable. The controller complied, removing or distorting instances of the recording both published and archived.
An investigation by the DPA confirmed multiple instances where the audio recording was not distorted before publication, and the DPA sent the controller an urgent request to either take down the recordings or alter them so as to render the data subject's voice unrecognizable. The controller complied, removing or distorting instances of the recording both published and archived.


=== Holding ===
===Holding===
The DPA first confirmed that publishing a voice recording is processing of personal data. A voice is a personal attribute unique to each person and thus falls under the definition of personal data in Article 4(1)GDPR. Furthermore, it can reveal identifiers like age, sex, state of health, culture, and emotional state. This combined with the fact that [[Article 4 GDPR#2|Article 4(2) GDPR]] includes "transmission" and "dissemination" in the definition of processing means that publishing a recording of a person's voice is processing of personal data.
The DPA first confirmed that publishing a voice recording is processing of personal data. A voice is a personal attribute unique to each person and thus falls under the definition of personal data in [[Article 4 GDPR#1|Article 4(1)GDPR]]. Furthermore, a voice can reveal identifiers like age, sex, state of health, culture, and emotional state. This combined with the fact that [[Article 4 GDPR#2|Article 4(2) GDPR]] includes "transmission" and "dissemination" in the definition of processing means that publishing a recording of a person's voice is processing of personal data.


The DPA then considered the balance of fundamental rights at stake, noting that [[Article 85 GDPR]] mandates the reconciliation of the right to freedom of information with the right to privacy. The DPA held that the identifying characteristics of the victim were unrelated to the public's news interest in criminal proceedings; thus, the principle of data minimisation ([[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]) required the controller to implement measures to avoid voice recognition, like distorting the recording or reading a transcript.
The DPA then considered the balance of fundamental rights at stake, noting that [[Article 85 GDPR]] mandates the reconciliation of the right to freedom of information with the right to privacy. The DPA held that the identifying characteristics of the victim were unrelated to the public's news interest in criminal proceedings. Thus, the principle of data minimisation ([[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]) required the controller to implement measures to avoid voice recognition, like distorting the recording or reading a transcript.


For violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], the DPA fined the controller €50,000. In its assessment of the fine, the DPA noted three aggravating factors per [[Article 83 GDPR#2|Article 83(2) GDPR]]: (1) the seriousness of revealing sensitive data of a person who has already been the victim of a violent crime against sexual integrity, (2) the negligence displayed in failing to implement appropriate safeguards for news subjects, and (3) the disclosure of a special category of data. The fine was ultimately reduced by 40% because the controller acknowledged responsibility and paid before resolution of the sanctioning procedure.
For violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], the DPA fined the controller €50,000. In its assessment of the fine, the DPA noted three aggravating factors per [[Article 83 GDPR#2|Article 83(2) GDPR]]: (1) the seriousness of revealing sensitive data of a person who has already been the victim of a violent crime against sexual integrity, (2) the negligence displayed in failing to implement appropriate safeguards for news subjects, and (3) the disclosure of a special category of data. The fine was ultimately reduced by 40% because the controller acknowledged responsibility and paid before resolution of the sanctioning procedure.
Line 90: Line 90:




== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Revision as of 09:05, 29 June 2022

AEPD - PS-00192-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 5(1)(c) GDPR
Article 83(2)(a) GDPR
Article 83(2)(b) GDPR
Article 83(2)(g) GDPR
Article 85 GDPR
Type: Complaint
Outcome: Upheld
Started: 08.04.2021
Decided: 26.04.2022
Published: 23.06.2022
Fine: 30,000
Parties: n/a
National Case Number/Name: PS-00192-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: MW

The Spanish DPA fined a public broadcaster (Radiotelevision Española) €30,000 for failing to disguise the voice of a rape victim before publishing an audio recording of her testimony at trial.

English Summary

Facts

The data subject was the victim in a rape case that had garnered public attention. She complained to the Spanish DPA (Agencia Española de Protección de Datos - AEPD) that the controller, Corporación de Radio y Televisión Española, S.A. (RTVE), had published an unaltered audio recording of her speaking in court.

An investigation by the DPA confirmed multiple instances where the audio recording was not distorted before publication, and the DPA sent the controller an urgent request to either take down the recordings or alter them so as to render the data subject's voice unrecognizable. The controller complied, removing or distorting instances of the recording both published and archived.

Holding

The DPA first confirmed that publishing a voice recording is processing of personal data. A voice is a personal attribute unique to each person and thus falls under the definition of personal data in Article 4(1)GDPR. Furthermore, a voice can reveal identifiers like age, sex, state of health, culture, and emotional state. This combined with the fact that Article 4(2) GDPR includes "transmission" and "dissemination" in the definition of processing means that publishing a recording of a person's voice is processing of personal data.

The DPA then considered the balance of fundamental rights at stake, noting that Article 85 GDPR mandates the reconciliation of the right to freedom of information with the right to privacy. The DPA held that the identifying characteristics of the victim were unrelated to the public's news interest in criminal proceedings. Thus, the principle of data minimisation (Article 5(1)(c) GDPR) required the controller to implement measures to avoid voice recognition, like distorting the recording or reading a transcript.

For violating Article 5(1)(c) GDPR, the DPA fined the controller €50,000. In its assessment of the fine, the DPA noted three aggravating factors per Article 83(2) GDPR: (1) the seriousness of revealing sensitive data of a person who has already been the victim of a violent crime against sexual integrity, (2) the negligence displayed in failing to implement appropriate safeguards for news subjects, and (3) the disclosure of a special category of data. The fine was ultimately reduced by 40% because the controller acknowledged responsibility and paid before resolution of the sanctioning procedure.



Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

9/18
In this case, the situation of the victim (who is not in the
same level of equality as the accused) and what it means to spread your voice with
all its nuances, as well as the special protection that the
legal system that, without restricting the provision of information, must be done
compatible with the principle of data minimization, applicable on the form, the
means in which the information is supplied and disseminated due to the immediate effect on the data
personal information and the identification of the victim.
Precisely because the evident informative public interest in the news is not denied,
given the general interest in criminal cases, in this specific case, it is not about
to decay the Fundamental Right to Freedom of Information due to the prevalence
of the Fundamental Right to the Protection of Personal Data, but of
make them fully compatible so that both are absolutely
guaranteed. That is, the freedom of information of the media is not questioned.
of communication but the weighting with the right to data protection based on
to the proportionality and need to publish the specific personal data of the voice. Such
situation could have been solved with the use of technical procedures to
prevent voice recognition, such as, for example, the distortion of the voice of
the victim or the transcript of the account of the multiple rape, security measures
both, applied depending on the case in an ordinary way by means of
communication.
At older we have to mean that the victim is an anonymous person and our
Constitutional Court, by all STC 58/2018 of June 4, affirms that the
public authorities, public officials and public figures or dedicated to
activities that carry public notoriety “voluntarily accept the risk of
that their subjective rights of personality are affected by criticism, opinions
or adverse disclosures and, therefore, the right to information reaches, in relation to
with them, their maximum level of legitimating efficacy, insofar as their life and conduct
morality participate in the general interest with a greater intensity than that of those
private persons who, without a vocation for public projection, see themselves
circumstantially involved in matters of public importance, to which
Therefore, a higher level of privacy must be recognized, which prevents
grant general importance to facts or behaviors that would have it if they were referred to
to public figures.
The STJUE (Second Chamber) of February 14, 2019, in case C 345/17, Sergejs
Buivids mentions various criteria to weigh between the right to respect for
privacy and the right to freedom of expression, among which are “the
contribution to a debate of general interest, the notoriety of the person concerned, the
object of the report, the previous behavior of the interested party, the content, the form and
the repercussions of the publication, the form and the circumstances in which it was obtained
information and its veracity (see, in this sense, the judgment of the ECHR of 27
June 2017, Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland,
CE:ECHR:2017:0627JUD000093113, section 165)”.
In such a way, that for a matter to be considered of general interest,
public relevance, they will be so not only because of the person who intervenes, but also because of the
matter to which it refers. Both requirements must be met, resulting, the greater the
abundance of what is meant in the previous section, which in the case examined
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
11/18
Processing of excessive data
In accordance with the evidence available at the present time of
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, the respondent party is deemed to have processed data that was excessive
as they are not necessary for the purpose for which they were processed.
The known facts could constitute an infringement, attributable to the party
claimed, of article 5.1.c) of the RGPD, with the scope expressed in the
Previous grounds of law, which, if confirmed, could lead to the
commission of the offense typified in article 83.5, section a) of the RGPD, which under
the heading “General conditions for the imposition of administrative fines”
provides that:
“The infractions of the following dispositions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual turnover of the previous financial year, opting for the
of greater amount:
a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9;
In this regard, the LOPDGDD, in its article 71 establishes that "They constitute
infractions the acts and behaviors referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law”.
For the purposes of the limitation period, article 72 of the LOPDGDD indicates:
Article 72. Infractions considered very serious.
"1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein and, in particular, the
following:
a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
16/18
In any case, the effectiveness of any of the two reductions mentioned will be
conditioned to the abandonment or renunciation of any action or resource in via
administrative against the sanction.
In case you chose to proceed to the voluntary payment of any of the amounts
indicated above €40,000 (forty thousand euros), or €30,000 (thirty thousand euros),
You must make it effective by depositing it in account number ES00 0000 0000 0000
0000 0000 opened in the name of the Spanish Agency for Data Protection in the
banking entity CAIXABANK, S.A., indicating in the concept the reference number
of the procedure that appears in the heading of this document and the cause of
reduction of the amount to which it is accepted.
Likewise, you must send proof of payment to the General Subdirectorate of
Inspection to proceed with the procedure in accordance with the quantity
entered.
The procedure will have a maximum duration of nine months from the
date of the start-up agreement or, where appropriate, of the draft start-up agreement.
Once this period has elapsed, it will expire and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is pointed out that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.
935-150322
Sea Spain Marti
Director of the Spanish Data Protection Agency
>>
SECOND: On May 9, 2022, the claimed party has proceeded to pay
the sanction in the amount of 30,000 euros making use of the two reductions
provided for in the Start Agreement transcribed above, which implies the
acknowledgment of responsibility.
THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or resource in via
administrative action against the sanction and acknowledgment of responsibility in relation to
the facts referred to in the Initiation Agreement.
FOUNDATIONS OF LAW
Yo
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47 and 48.1 of the Law
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
17/18
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”
II
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common to Public Administrations (hereinafter, LPACAP), under the rubric
"Termination in sanctioning procedures" provides the following:
"1. Started a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature, but the
inadmissibility of the second, the voluntary payment by the alleged perpetrator, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction is solely pecuniary in nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or recourse against the sanction.
The reduction percentage provided for in this section may be increased
regulations."
According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure PS/00192/2022, of
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to CORPORACIÓN DE RADIO Y
SPANISH TELEVISION S.A.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
18/18
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of the Public Administrations, the interested parties may file an appeal
contentious-administrative before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.
936-240122
Sea Spain Marti
Director of the Spanish Data Protection Agency