AEPD (Spain) - EXP202211618: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 28: Line 28:
|Currency=EUR
|Currency=EUR


|GDPR_Article_1=Article 4(1) GDPR
|GDPR_Article_1=Article 6(1) GDPR
|GDPR_Article_Link_1=Article 4 GDPR#1
|GDPR_Article_Link_1=Article 6 GDPR#1
|GDPR_Article_2=Article 4(2) GDPR
|GDPR_Article_Link_2=Article 4 GDPR#2
|GDPR_Article_3=Article 4(11) GDPR
|GDPR_Article_Link_3=Article 4 GDPR#11
|GDPR_Article_4=Article 5(1)(f) GDPR
|GDPR_Article_Link_4=Article 5 GDPR#1f
|GDPR_Article_5=Article 6(1) GDPR
|GDPR_Article_Link_5=Article 6 GDPR#1
|GDPR_Article_6=Article 32(1) GDPR
|GDPR_Article_Link_6=Article 32 GDPR#1
|GDPR_Article_7=Article 83(2) GDPR
|GDPR_Article_Link_7=Article 83 GDPR#2
|GDPR_Article_8=Article 83(4)(a) GDPR
|GDPR_Article_Link_8=Article 83 GDPR#4a
|GDPR_Article_9=Article 83(5)(a) GDPR
|GDPR_Article_Link_9=Article 83 GDPR#5a
|GDPR_Article_10=
|GDPR_Article_Link_10=
|GDPR_Article_11=
|GDPR_Article_Link_11=


|EU_Law_Name_1=
|EU_Law_Name_1=
Line 55: Line 35:
|EU_Law_Name_2=
|EU_Law_Name_2=
|EU_Law_Link_2=
|EU_Law_Link_2=
|National_Law_Name_1=LOPDGDD art. 71
|National_Law_Link_1=
|National_Law_Name_2=LOPDGDD art. 72
|National_Law_Link_2=
|National_Law_Name_3=LOPDGDD art. 92
|National_Law_Link_3=
|National_Law_Name_4=
|National_Law_Link_4=
|National_Law_Name_5=
|National_Law_Link_5=


|Party_Name_1=NANDIVALE, S.L.
|Party_Name_1=NANDIVALE, S.L.
Line 90: Line 59:


=== Facts ===
=== Facts ===
The data subject was a 4 year old minor, who attended a birthday party at one of the establishments of the controller, Nandivale, a company that organizes events. The controller posted images showing the faces of children present at the party in the stories of its Instagram profile.  
The data subject was a 4 year old minor, who attended a birthday party at one of the establishments of the controller, Nandivale. The controller posted images showing the faces of children present at the party in the stories of its Instagram profile.  


After seeing the stories, the mother of the data sent an Instagram message to the controller, asking it to delete the image. However, the controller did not comply with the request and she filed a complaint with the Spanish DPA, claiming that she never gave her consent for the publication of her child's image.  
After seeing the stories, the mother of the data sent an Instagram message to the controller, asking it to delete the image. However, the controller did not comply with the request and she filed a complaint with the Spanish DPA, claiming that she never gave her consent for the publication of her child's image.  
Line 97: Line 66:
The DPA stressed that the physical image of a person must be considered as personal data under Article 4(1) GDPR, and thus, it requires a legal ground to be processed. The DPA also emphasized that, in addition to consent, there are other possible bases that legitimize the processing of data without the need for the authorization of the data subject. For instance, when it is necessary for the performance of a contract or for the satisfaction of legitimate interests pursued by the data controller or by a third party.   
The DPA stressed that the physical image of a person must be considered as personal data under Article 4(1) GDPR, and thus, it requires a legal ground to be processed. The DPA also emphasized that, in addition to consent, there are other possible bases that legitimize the processing of data without the need for the authorization of the data subject. For instance, when it is necessary for the performance of a contract or for the satisfaction of legitimate interests pursued by the data controller or by a third party.   


In the present case, the DPA noted that the controller did not inform data subjects about the processing of personal data that it carried out, neither before nor after it took place, nor in its Privacy Policy or in the Risk Analysis. In other words, there was no information about the recording and dissemination of images of celebrations in its social media profile. The controller also did not inform if it relied on consent of the parents, in the case of minors under 14 years of age, or the consent of minors, over 14 years of age, differentiating this circumstance. Therefore,the DPA concluded that there was no accredited basis for the processing of minors' personal data and issued a fine of €10,000 for the violation of [[Article 6 GDPR#1|Article 6(1)]] GDPR.
In the present case, the DPA noted that the controller did not inform data subjects about the processing of personal data that it carried out, neither before nor after it took place. In other words, there was no information about the recording of images in parties organized at the controller's venur and their publication on its social media profile. The controller also did not inform if it relied on consent of the parents, in the case of minors under 14 years of age, or the consent of minors, over 14 years of age, differentiating this circumstance. Therefore,the DPA concluded that there was no accredited basis for the processing of minors' personal data and issued a fine of €10,000 for the violation of [[Article 6 GDPR#1|Article 6(1)]] GDPR.


== Comment ==
== Comment ==

Latest revision as of 13:23, 2 August 2023

AEPD - EXP202211618
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 29.04.2022
Decided: 14.07.2023
Published:
Fine: 10000 EUR
Parties: NANDIVALE, S.L.
Data subject
National Case Number/Name: EXP202211618
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined a company €10,000 for recording and publishing images of minors on its social media without having the consent of their parents.

English Summary

Facts

The data subject was a 4 year old minor, who attended a birthday party at one of the establishments of the controller, Nandivale. The controller posted images showing the faces of children present at the party in the stories of its Instagram profile.

After seeing the stories, the mother of the data sent an Instagram message to the controller, asking it to delete the image. However, the controller did not comply with the request and she filed a complaint with the Spanish DPA, claiming that she never gave her consent for the publication of her child's image.

Holding

The DPA stressed that the physical image of a person must be considered as personal data under Article 4(1) GDPR, and thus, it requires a legal ground to be processed. The DPA also emphasized that, in addition to consent, there are other possible bases that legitimize the processing of data without the need for the authorization of the data subject. For instance, when it is necessary for the performance of a contract or for the satisfaction of legitimate interests pursued by the data controller or by a third party.

In the present case, the DPA noted that the controller did not inform data subjects about the processing of personal data that it carried out, neither before nor after it took place. In other words, there was no information about the recording of images in parties organized at the controller's venur and their publication on its social media profile. The controller also did not inform if it relied on consent of the parents, in the case of minors under 14 years of age, or the consent of minors, over 14 years of age, differentiating this circumstance. Therefore,the DPA concluded that there was no accredited basis for the processing of minors' personal data and issued a fine of €10,000 for the violation of Article 6(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

11/1










     File No.: EXP202211618



                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

FIRST: Ms. A.A.A. (hereinafter the claimant) on 10/23/2022 filed
claim before the Catalan Data Protection Authority and on 10/26/2022 the

Said Authority notified the Spanish Agency for Data Protection on
10/26/2022 for being competent to hear the matter. The claim is directed
against NANDIVALE, S.L. with NIF B66070012 (hereinafter the claimed). The motives
on which the claim is based are the following: the claimant mother of a 4-year-old girl
years old that on 08/07/2022 attended a birthday party organized at the
place of the claimed; points out that, without the consent of the parents of the children

attendees, images of the celebration were taken in which the minors appeared,
and they were published on the Instagram profile ***PERFIL.1 as a "story". The claimant,
being aware of the publication of the images in which her daughter appeared,
contacted the author of the publication through the messaging service
provided by the service provider, in order to request that the

publication or covering the face of minors; states that he received no response and
that the publication was available 24 hours for which, by default, they are
configured the "stories" of Instagram.

       Along with the notification, a publication with images of the minors is provided.



SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
forward LOPDGDD), said claim was transferred to the claimed party, for
to proceed with its analysis and inform this Agency within a month of the

actions carried out to adapt to the requirements established in the regulations of
Data Protection.

       The transfer, which was carried out in accordance with the norms established in the Law
39/2015, of October 1, of the Common Administrative Procedure of the

Public Administrations (hereinafter, LPACAP), was collected on 11/03/2022
as stated in the acknowledgment of receipt in the file.

       The defendant responded on 01/03/2023 stating in summary: that it is
of an entity dedicated to events and leisure activities as well as the organization of

child parties; that the claim presented requested the deletion of the video and the
It was withdrawn 24 hours after its publication, since the withdrawal request
It was made through a friend request from the Instagram profile and not from the channel
planned for it, therefore, it was not until after said hours that they had

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/11








knowledge of said request; that you have been aware of the error that this
situation; that measures have been intensified to prevent these
situations requiring consent and created a protocol to avoid

incidences; that the disciplinary procedure be filed or that the
warning; secondarily, it is considered a minor infraction.

       On 01/05/2023, it provided the document Risk Analysis in the Treatment of
Personal information.


THIRD: On 01/09/2023, in accordance with article 65 of the LOPDGDD,
The claim presented by the complaining party was admitted for processing.

FOURTH: On 04/29/2022, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure against the defendant, for the alleged

violation of articles 32.1 and 5.1.f) of the GDPR, typified in article 83.4.a) and
83.5.a) of the GDPR, with warning. Receipt by the claimant of the
agreement to start the file.

FIFTH: Once the initiation agreement has been notified, the claimant has elapsed the term
established, I do not present a written statement of allegations, so the following is applicable.

indicated in article 64 of Law 39/2015, of October 1, on the Procedure
Common Administrative Law of Public Administrations, which in its section f)
establishes that in the event of not making allegations within the period established on the
content of the initiation agreement, it may be considered a proposal for
resolution when it contains a precise pronouncement about the responsibility

accused, for which reason a Resolution is issued.

SEVENTH: Of the actions carried out in this procedure, have been
the following accredited:


                                PROVEN FACTS

FIRST: The claimant, on 10/23/2022 filed a claim with the Authority
Catalan Data Protection Agency and on 10/26/2022 the aforementioned Authority notified the
Spanish Agency for Data Protection as it is competent to know about the
affair. The claimant stated that she is the mother of a minor and that on 08/07/2022

attended a birthday party organized at the premises of the defendant; notes that,
without the express consent of the parents of the attending children, the
images of the celebration in which the minors appeared, later
published on the Instagram profile ***PERFIL.1 as a "story"; due
therefore contacted the author of the publication through the messaging service

provided by the service provider, in order to request that the
publication or the face of minors will be pixelated, without receiving a response while the
Publication available 24 hours, which are the ones that are configured by default.
Instagram stories.


SECOND: It has provided screenshots of the Instagram account
***PROFILE.1 containing address, telephone number, logo and web address where the
can see different photographs of minors and parents in the celebration of
a children's party

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/11









THIRD: There are screenshots of the children's party (4 photographs)
and the following messages from the mother of the minor sent to the account of

***ACCOUNT.1:

“Hello, I am one of the mothers who attended the birthday today. I have not given
consent to upload images where my daughter appears. We haven't even given
consent to the recording of images, and to upload them you should have covered
the faces of the minors. So please either cover his face by raising the

videos or delete the stories where it is clearly identified. It is the girl of the
right to the most visible. Thank you".

Hello, I have written to you before.


“I will hit you again what I have written before.
Hello, I am one of the mothers who had a birthday today. I have not given
consent to upload images where my daughter appears. We haven't even given
consent to the recording of images, and to upload them you should have covered
the faces of the minors. So please either cover his face by raising the
videos or delete the stories where it is clearly identified. It is the girl of the

right to the most visible. Thank you. Maybe it is the first time that you meet before
this situation but capturing images of minors and uploading them to networks is typified
as a crime with fines of up to 300,000 euros. I do not want images of my daughter in
Internet".


FOURTH: The defendant in writing of 01/31/2023 has stated "That he has always
It has been the will of "XXXXXXXX" to process the personal data entrusted to it with the
maximum guarantees, and has been aware of the error that this situation implies, and has
proceeded to rectify this situation in such a way that it adapts to the demands that
marks the data protection regulations and, consequently, to be able to deal with the

greater guarantees the data of the people who trust them, as it has always been
his intentions.

FIFTH: The defendant has provided on 01/05/2023 Risk Analysis in the
Treatment of Personal Data of Nanvidale, S.L. and later the
01/31/2023 the Video Surveillance Zone Announcement Poster in accordance with the GDPR and

Form for Information and Consent for data processing
Customer personal. Likewise, the Policy of
privacy of the defendant.

                          FUNDAMENTALS OF LAW


                                          Yo
       In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/11









       Likewise, article 63.2 of the LOPDGDD determines that: "The
procedures processed by the Spanish Data Protection Agency will be governed
by the provisions of Regulation (EU) 2016/679, in this organic law, for the
regulatory provisions dictated in its development and, as soon as they are not

contradict, on a subsidiary basis, by the general rules on the
administrative procedures."

                                           II
       Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations, in its article 64 "Initiation agreement in the

procedures of a sanctioning nature”, provides:

       "1. The initiation agreement will be communicated to the instructor of the procedure, with
transfer of any actions that exist in this regard, and the interested parties will be notified,
Understanding in any case as such the accused.

       Likewise, the initiation will be communicated to the complainant when the rules
regulators of the procedure so provide.

       2. The initiation agreement must contain at least:

       a) Identification of the person or persons allegedly responsible.

       b) The facts that motivate the initiation of the procedure, its possible
       rating and sanctions that may correspond, without prejudice to what
       results from the instruction.
       c) Identification of the instructor and, where appropriate, Secretary of the procedure, with
       express indication of the recusal regime of the same.
       d) Competent body for the resolution of the procedure and norm that

       attributes such jurisdiction, indicating the possibility that the alleged
       responsible can voluntarily acknowledge his responsibility, with the
       effects provided for in article 85.
       e) Measures of a provisional nature that have been agreed by the body
       competent to initiate the disciplinary procedure, without prejudice to those that
       may be adopted during the same in accordance with article 56.

       f) Indication of the right to make allegations and to the hearing in the
       procedure and the deadlines for its exercise, as well as an indication that, in
       In the event of not making allegations within the established term on the content of the
       initiation agreement, this may be considered a resolution proposal
       when it contains a precise pronouncement about the responsibility
       accused.


       3. Exceptionally, when at the time of issuing the initiation agreement
there are not enough elements for the initial qualification of the facts that motivate
the initiation of the procedure, said qualification may be carried out in one phase
through the preparation of a Statement of Objections, which must be notified to

the interested".

       In application of the previous precept and taking into account that no
made allegations to the initiation agreement, it is appropriate to resolve the procedure initiated.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/11








                                           II
       The denounced facts materialize in the taking of images of the event in the
containing minors and their publication on the Instagram profile ***PERFIL.1

as a "story", without the consent of their parents being accredited.

       Article 58 of the GDPR, Powers, states:

       "2. Each supervisory authority shall have all the following powers
corrections listed below:


       (…)
       i) impose an administrative fine in accordance with article 83, in addition to or in
       instead of the measures mentioned in this paragraph, according to the
       circumstances of each particular case;

       (…)”

       It should be noted that the physical image of a person, according to article 4.1
of the GDPR, it is personal data and its protection, therefore, is the subject of said
Regulation. Article 4.2 of the GDPR defines the concept of "processing" of
personal information.


       It is therefore necessary to analyze whether the processing of personal data (image
of natural persons) carried out through recording and broadcasting, in which
minors appear, in social networks is in accordance with the provisions of the GDPR.


       Article 6, Legality of the treatment, of the GDPR in its section 1, establishes
that:

       "1. Processing will only be lawful if at least one of the following is fulfilled
conditions:


       a) the interested party gave his consent for the processing of his data
       personal for one or more specific purposes;
       b) the processing is necessary for the performance of a contract in which the
       interested party or for the application at the request of this of measures
       pre-contractual;

       c) the processing is necessary for compliance with a legal obligation
       applicable to the data controller;
       d) the processing is necessary to protect vital interests of the data subject or
       of another physical person;
       e) the treatment is necessary for the fulfillment of a mission carried out in

       public interest or in the exercise of public powers conferred on the person responsible
       of the treatment;
       f) the processing is necessary for the satisfaction of legitimate interests
       pursued by the data controller or by a third party, provided that
       such interests are not overridden by the interests or the rights and freedoms

       of the interested party that require the protection of personal data,
       in particular when the interested party is a child.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/11








       The provisions of letter f) of the first paragraph shall not apply to the
treatment carried out by public authorities in the exercise of their functions”.


       And article 4 of the GDPR, Definitions, in its sections 1, 2 and 11, states that:

       “1) “personal data” means any information about an identified natural person
or identifiable ("the data subject"); Any identifiable natural person shall be considered
person whose identity can be determined, directly or indirectly, in particular
by means of an identifier, such as a name, an identification number,

location data, an online identifier or one or more elements of the
physical, physiological, genetic, psychological, economic, cultural or social identity of said
person;

       "2) "processing": any operation or set of operations carried out

on personal data or sets of personal data, either by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, diffusion or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction;


       "11) "consent of the interested party": any manifestation of free will,
specific, informed and unequivocal for which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that
concern him."


       On the other hand, article 92 of the LOPDGDD, Data Protection of
minors on the Internet, points out that:

       "Educational centers and any physical or legal persons who
develop activities in which minors participate will guarantee the

protection of the best interests of the minor and their fundamental rights,
especially the right to the protection of personal data, in the publication or
dissemination of your personal data through services of the society of the
information.

       When said publication or diffusion were to take place through services of

social networks or equivalent services must have the consent of the
minor or their legal representatives, in accordance with the provisions of article 7 of this
organic Law".

                                           IV.

       It should be noted that data processing requires the existence of a database
law that legitimizes it.

       In accordance with article 6.1 of the GDPR, in addition to consent,
There are other possible bases that legitimize the processing of data without the need for

have the authorization of its owner, in particular, when necessary for the
execution of a contract in which the affected party is a party or for the application, upon request
of this, of pre-contractual measures, or when necessary for the satisfaction of
legitimate interests pursued by the controller or by a third party,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/11








provided that such interests do not prevail over the interests or rights and
fundamental freedoms of the data subject that require the protection of such data. He
treatment is also considered lawful when necessary for the fulfillment of

a legal obligation applicable to the data controller, to protect interests
of the data subject or of another natural person or for the fulfillment of a mission
carried out in the public interest or in the exercise of public powers vested in the
responsible for the treatment.

       In the present case, the defendant in relation to the processing of personal data

personal character, neither before nor after the infringement, nor in
its Privacy Policy or in the Risk Analysis provides for the treatment carried out
cabo: disseminate or publish images of the celebrations on social networks.

       On the other hand, regarding the publication of images, it is not specified

where it is provided (web page of the defendant, social networks, etc.) and as soon as
to the consent that they transfer in their response, nothing indicates about this treatment
specifically, if you collect parental consent in the case of children under 14
years or the consent to minors, over 14 years of age, differentiating this
circumstance of age (Neither does it appear in the case of adults if it is collected
their consent for the publication of their images, etc.).


       Therefore, in the case examined, there is no accredited basis of legitimacy
any for the treatment of data of minors.

                                           V

       The infringement attributed to the defendant is typified in the
Article 83.5 a) of the GDPR, which considers that the infringement of "the basic principles
for processing, including the conditions for consent under the terms of the
Articles 5, 6, 7 and 9" is punishable, in accordance with section 5 of the aforementioned
Article 83 of the aforementioned Regulation, "with administrative fines of €20,000,000 as

maximum or, in the case of a company, of an amount equivalent to 4% as
maximum of the overall annual total turnover of the previous financial year,
opting for the one with the highest amount”.

       The LOPDGDD in its article 71, Violations, states that: "They constitute
offenses the acts and behaviors referred to in sections 4, 5 and 6 of the

Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law”.

       And in its article 72, it considers for the purposes of prescription, which are: "Infractions
considered very serious:


       1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and the infractions that
suppose a substantial violation of the articles mentioned in that and, in
particular, the following:


       (…)



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/11








       b) The processing of personal data without the concurrence of any of the
       conditions of legality of the treatment established in article 6 of the
       Regulation (EU) 2016/679.

       (…)”

                                           SAW
       In order to establish the administrative fine that should be imposed, the
observe the provisions contained in articles 83.1 and 83.2 of the GDPR, which
point out:


       "1. Each control authority will guarantee that the imposition of fines
administrative proceedings under this article for violations of this
Regulations indicated in sections 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.


       2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an addition to or substitute for the measures contemplated
in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case shall be duly taken into account:


       a) the nature, seriousness and duration of the offence, taking into account the
       nature, scope or purpose of the processing operation in question
       as well as the number of stakeholders affected and the level of damage and
       damages they have suffered;
       b) intentionality or negligence in the infringement;

       c) any measure taken by the controller or processor
       to alleviate the damages and losses suffered by the interested parties;
       d) the degree of responsibility of the controller or the person in charge of the
       processing, taking into account the technical or organizational measures that have
       applied under articles 25 and 32;

       e) any previous infringement committed by the person in charge or in charge of the
       treatment;
       f) the degree of cooperation with the supervisory authority in order to put
       remedy the breach and mitigate the potential adverse effects of the breach;
       g) the categories of personal data affected by the infringement;
       h) the way in which the supervisory authority became aware of the infringement, in

       particularly if the person in charge or the person in charge notified the infringement and, in such a case,
       what extent;
       i) when the measures indicated in article 58, paragraph 2, have been
       previously ordered against the person in charge or in charge in question
       in relation to the same matter, compliance with said measures;

       j) adherence to codes of conduct under article 40 or to mechanisms
       of certification approved in accordance with article 42, and
       k) any other aggravating or mitigating factor applicable to the circumstances of the
       case, such as the financial benefits obtained or the losses avoided, direct
       or indirectly, through the infringement.


       In relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its
Article 76, "Sanctions and corrective measures", establishes that:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/11








       "2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
2016/679 may also be taken into account:


       a) The continuing nature of the offence.
       b) Linking the activity of the offender with the performance of processing
       of personal data.
       c) The benefits obtained as a consequence of the commission of the infraction.
       d) The possibility that the conduct of the affected party could have led to the
       commission of the offence.

       e) The existence of a merger process by absorption after the commission
       of the infringement, which cannot be attributed to the absorbing entity.
       f) The affectation of the rights of minors.
       g) Have, when it is not mandatory, a data protection delegate
data.

       h) The submission by the person in charge or in charge, with character
       voluntary, alternative conflict resolution mechanisms, in those
       cases in which there are controversies between them and any
       interested."

       - In accordance with the precepts transcribed, for the purpose of setting the amount of the

sanction for the infringement typified in article 83.5.a) and article 6.1 of the GDPR of the
that the defendant is held responsible, the following factors are considered concurrent
as aggravating circumstances:

        The categories of personal data affected by the infringement;

We must not forget that we are facing the infringement of a fundamental right
aggravated by the category of data processed, since the image that is disseminated is of
minors (article 83.2.g) of the GDPR).

        The intentionality or negligence in the infraction. Connected this circumstance

with the degree of diligence that the data controller is obliged to
deploy in compliance with the obligations imposed by the regulations of
Data Protection; the SAN of 10/17/2007 can be cited, which although it was issued before
of the validity of the GDPR, its pronouncement can be perfectly extrapolated to the
Of course we analyze The ruling, after alluding to the fact that the entities in which
that the development of its activity involves continuous processing of customer data

and third parties must observe an adequate level of diligence, specified that "(...) the
The Supreme Court has understood that there is imprudence whenever
disregards a legal duty of care, that is, when the offender does not behave
with the due diligence” (article 83.2, b) of the GDPR).



       Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited,

       The Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE NANDIVALE, S.L., with NIF B66070012, for a violation of the
Article 6.1 of the GDPR, typified in Article 83.5.a) of the GDPR, a fine of 10,000
€ (ten thousand euros).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/11









SECOND: NOTIFY this resolution to NANDIVALE, S.L.

Warn the penalized person that they must make the imposed sanction effective once the
This resolution is enforceable, in accordance with the provisions of art. 98.1.b)

of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter LPACAP), within the voluntary payment term
established in art. 68 of the General Collection Regulations, approved by Royal
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by means of its income, indicating the NIF of the sanctioned and the number of
procedure that appears in the heading of this document, in the account

restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
XXXXXXXXXXXX), opened on behalf of the Spanish Agency for Data Protection in
the banking entity CAIXABANK, S.A. Otherwise, it will proceed to its
collection in executive period.


       Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the deadline for making the
voluntary payment will be until the 20th day of the following or immediately following business month, and if
is between the 16th and the last day of each month, both inclusive, the term of the
Payment will be until the 5th of the second following or immediate business month.


       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once the interested parties have been notified.

       Against this resolution, which puts an end to the administrative process in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, interested parties may optionally file an appeal for reversal

before the Director of the Spanish Data Protection Agency within a period of one
month from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

day following the notification of this act, as provided for in article 46.1 of the
referred Law.

       Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the firm resolution may be temporarily suspended in administrative proceedings
If the interested party expresses his intention to file a contentious appeal-

administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Agency for Data Protection,
presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Also

must transfer to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency were not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day following the notification of this resolution, would terminate the
injunction suspension

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/11













                                                                                            Mar Spain Marti

                                        Director of the Spanish Data Protection Agency





































































C/ Jorge Juan, 6 www.aepd.es

28001 – Madrid sedeagpd.gob.es