AEPD (Spain) - EXP202207199
Latest revision as of 10:03, 18 October 2023
AEPD - PS/00466/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR Article 58 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 22.06.2022 |
Decided: | |
Published: | 22.09.2023 |
Fine: | 4,000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00466/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | João Pedro F Teixeira |
The Spanish DPA fined a landlord €4,000 for installing a camera that affects the tenant's private area without sufficient legal basis under Article 6 GDPR.
English Summary
Facts
The data subject rented a room with the right to use a kitchen and noted that the landlord had installed a video surveillance camera in the kitchen of the property, without the data subject having at any time consented to the processing of his data or having signed any document in this regard.
Despite being notified of the complaint, the landlord did not respond to the DPA's request.
Holding
The DPA first confirmed that the rental of a property or part thereof to a third party entails a series of rights and obligations for the parties, so that those relating to the protection of personal data must also be taken into account, especially if the installation of recording devices affects the privacy of the third party or leads to data processing in a way that is disproportionate to the intended purpose.
The Spanish DPA then considered that with the total or partial transfer of the property, the notion of "personal and domestic sphere" is excluded. Exemptions therefore do not apply and the camera falls within the scope of the GDPR. This meant that the presence of the camera must be in accordance with the purpose pursued, and its presence cannot be imposed by contractual clause, as the home in this case is "a space in which the individual lives without necessarily being subject to the uses and social conventions and exercises his most intimate freedom".
Considering this, the Spanish DPA found that the landlord should be considered a data controller and that the data processing activity related to the video surveillance camera was carried out without sufficient legal basis, as no consent was gathered from the data subject.
For violating Article 6 GDPR, the DPA fined the controller €4,000 and ordered, in accordance with Article 58(2) GDPR, the removal of the device in question from the interior of the dwelling, granting a period of 15 working days from the day following notification of the decision.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202207199
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: A.A.A. (*hereinafter, the complaining party) dated June 22, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against B.B.B. with NIF ***NIF.1 (hereinafter, the claimed party). The reasons on which the claim is based are the following:
“has rented to the claimed party a room with the right to a kitchen in a home and that the claimed party has installed a video surveillance camera in the kitchen of the property, without at any time the claiming party having consented to the processing of your data or has signed a document in this regard”—page number 1--.
Provides image of the camera, conversation held with the claimed party about the camera made through WhatsApp and image of room rental receipt with the right to kitchen (annex I).
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party on 01/07/22 and 01/08/22, to proceed with its analysis and inform this Agency within one month of the actions carried out to adapt to the requirements provided for in the data protection regulations.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), appearing in the information system of this organization <Absent in delivery>.
THIRD: On August 29, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.
FOURTH: On October 13, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the claimed party, for the alleged violation of Article 5.1.c) of the RGPD, typified in Article 83.5 of the GDPR.
FIFTH: The aforementioned initiation agreement has been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) and after the period granted for the formulation of allegations, it has been verified that no allegation has been received by the claimed party.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
Article 64.2.f) of the LPACAP - provision of which the claimed party was informed in the agreement to open the procedure - establishes that if no allegations are made within the stipulated period regarding the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, it may be considered a motion for resolution. In the present case, the agreement to initiate the sanctioning file determined the facts in which the accusation was made, the GDPR violation attributed to the person complained of and the sanction that could be imposed. Therefore, taking into consideration that the claimed party has not made allegations to the agreement to initiate the file and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case a resolution proposal.
SIXTH: On 11/03/22, the corresponding announcement was published in the BOE in relation to PS/00466/2022, type of act “Opening Agreement”.
SEVENTH: When the database of this Agency was consulted on 01/09/22, there is no allegation on record, nor has any corrective measure been adopted in this regard.
EIGHTH: On 04/28/23, <Proposal for resolution> was issued, proposing a penalty estimated in the amount of €4,000, for the violation of article 6 RGPD, for having a camera inside the rented home without having a legitimizing basis for this, proposing measures to correct the situation described.
After consulting the database of this organization, the double notification attempt was returned by the Official Postal Service (for Not withdrawn in Post Office).
NINTH: On 06/13/23, the Resolution Proposal associated with PS/00466/2022 was published in the BOE in accordance with the provisions of article 44 Law 39/2015 (October 1), after the notification at the address of the dressed
PROVEN FACTS
First: The facts give rise to the claim dated 06/22/22 through which the following is transferred:
“has rented a room to the claimed party with the right to a kitchen in a home and that the claimed party has installed a video surveillance camera in the kitchen of the property, without at any time the party claiming You have consented to the processing of your data or have signed a document to said respect”—folio no. 1--.
Second: B.B.B. is identified as the main person responsible for the installation, with associated DNI ***NIF.1.
Third: The presence of a video surveillance camera in the interior of the property that affects areas reserved for the claimant, without justified cause, is proven, proceeding to the processing of your personal data.
Fourth: The defendant has not made any allegation in the exercise of the right to defense; not even the slightest explanation has been made about the presence of the device in question or the way to inform rights under the current GDPR.
FOUNDATIONS OF LAW
I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II
In the present case, we proceed to examine the claim dated 06/22/22 by means of which the following is transferred as the main fact:
“presence of a camera inside the rented home in the kitchen-dining room area, thereby eliminating your privacy by controlling your entrances/exits without justified cause (…)”—page number 1--.
Article 18 section 4 EC provides: “The law will limit the use of information technology to guarantee the honor and personal and family privacy of citizens and the full exercise of their rights.”
In Recital number 40 GDPR it is indicated that for a “processing to be lawful, personal data must be processed on one of the legitimizing bases established in accordance with Law (…)”.
Therefore, the “data processing” carried out with the camera(s) installed inside the property must be able to be justified on the so-called legitimizing bases, that is, the legality of the treatment must be provable within the list of specific situations or suppositions in which it is possible to process personal data.
The events described above may affect the content of article 6 GDPR (regulation 2016/679/EU, April 27).
The first requirement for the processing of personal data to be lawful is that it have a legitimizing basis. It must be able to support itself on one of the six enabling bases established in accordance with article 6.1 RGPD, the tenor of which is the following:
1. Treatment will only be legal if at least one of the following conditions is met:
a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;
b) the processing is necessary for the execution of a contract in which the interested party is a party or for the application at his request of pre-contractual measures;
c) the treatment is necessary for compliance with a legal obligation applicable to the person responsible for the treatment;
d) the processing is necessary to protect vital interests of the interested party or of another natural person;
e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for the treatment;
f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that said interests are not overridden by the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, particularly when the interested party is a child (…)”.
The general purpose of video surveillance cameras is protection of goods, people and facilities, although certain precautions must be taken when installing them given that their presence may collide with other rights of a fundamental character at play.
It should be remembered that individuals are responsible for ensuring that the installed systems comply with current legislation, proving that they comply with all the requirements demanded by the regulations in force.
III
In accordance with the evidence provided in this sanctioning procedure, it is considered that the claimed party has proceeded to install, for apparent security reasons, a camera that affects a free privacy area of its tenant, thereby affecting their personal data.
Housing lease contracts are regulated in the Urban Leasing Law 29/1994 of November 24 (LAU).
It should be remembered that the rental of a property or part of it to a third party entails a series of rights and obligations for the parties, in such a way that those relating to the protection of personal data must also be taken into account, especially if the installation of recording devices affects the privacy of the same or data processing occurs in a manner disproportionate to the purpose pursued.
Article 4 section 11 of the GDPR provides: "consent of the interested party": any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either by a declaration or a clear affirmative action, the processing of personal data that concerns you (…)” (*bold belongs to this organism).
With the total or partial transfer of the property, the notion of “personal and domestic sphere” is excluded, so it is not a case of exclusion from the scope of application of the RGPD. The presence of the camera must be in accordance with the purpose pursued, not even being able to impose its presence through contractual clause, since in this case the home is “a space in which the individual lives without necessarily being subject to social uses and conventions and exercises his most intimate freedom" (STC no. 22/1984, February 17).
The known facts constitute an infringement, attributable to the claimed party, for violation of the content of article 6 RGPD, cited above.
IV
Article 69 LOPDGDD (LO 3/2018) provides:
1. During the carrying out of the previous investigation actions or once a procedure for the exercise of sanctioning power has been initiated, the Spanish Data Protection Agency may agree, with reasons, to the provisional measures necessary and proportionate to safeguard the fundamental right to the protection of data and, in particular, those provided for in article 66.1 of Regulation (EU) 2016/679, the precautionary blocking of the data and the immediate obligation to attend to the right requested (…).
On the other hand, article 64.1 e) Law 39/2015 (October 1) provides the following:
e) Provisional measures that have been agreed upon by the body competent to initiate the sanctioning procedure, without prejudice to those that may be adopted during the same in accordance with article 56”
The installed camera is affecting an area reserved for the privacy of the tenant of the rented home, carrying out continuous treatment of his personal data and/or that of third parties, without their consent being recorded or the reasons for the presence of the device in said area being explained, which represents a deviation from the primary purpose of this type of device.
V
Art. 83.5 GDPR provides the following:
“Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of EUR 20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the overall total annual turnover of the preceding financial year, opting for the highest amount:
a) The basic principles for treatment including the conditions for consent in accordance with articles 5, 6, 7 and 9 (…)”.
When motivating the sanction, it is taken into account that the individual does not have previous sanctions from this organization, although it has installed a device that affects the privacy of the claimant, and may even record the conversations of the same, affecting an area reserved for your personal and/or family privacy, being a measure disproportionate to the alleged purpose pursued, which denotes serious conduct in the conduct described, which entails imposing a sanction set at the amount of €4,000, according to the facts described, on the lower scale for this type of sanctions.
Given the absence of prior allegations on the set of facts described, the rental situation of a room in your property is taken into account, although also the initial lack of adoption of measures in response to the claim of the tenant of the property; aspects taken into account for the motivation of the administrative sanction.
VI
The text of the resolution establishes what infractions have been committed and the events that have given rise to the violation of the data protection regulations, from which it is clearly inferred what measures to adopt, without prejudice to the fact that the type of procedures, mechanisms or specific instruments to implement them corresponds to the sanctioned party, since it is the person responsible for the treatment who knows its organization fully and must decide, based on active and risk-focused responsibility, how to comply with the RGPD and the LOPDGDD.
Therefore, in accordance with the applicable legislation and having evaluated the graduation criteria of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE on B.B.B., with NIF ***NIF.1, for a violation of Article 6 of the RGPD, typified in Article 83.5 a) of the RGPD, a fine of €4,000 (Four Thousand euros).
SECOND: ORDER in accordance with article 58.2 RGPD, in connection with article 69 LOPDGDD, as a measure the removal of the device in question from the interior of the home, granting a period of 15 business days from the day following the notification of this act, and must prove such point through the corresponding evidence (e.g. photograph with date and time before/after uninstallation).
THIRD: NOTIFY this resolution to Ms. B.B.B.
FOURTH: Warn the sanctioned person that he must make the sanction imposed effective once this resolution is executive, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, of the Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering it, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the restricted account IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXX- XXXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected in executive period.
Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the period to make the voluntary payment will be until the 20th of the following month or immediately following business month, and if it falls between the 16th and last day of each month, both inclusive, the payment period is until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months counting from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If applicable, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal within a period of two months from the day following notification of this resolution, it would end the precautionary suspension.
938-181022
Mar España Martí
Director of the Spanish Data Protection Agency