AEPD (Spain) - PS/00279/2020: Difference between revisions

AEPD - PS/00279/2020
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 6 GDPR Article 13 GDPR Article 83(5) GDPR 72
Type:	Complaint
Outcome:	Upheld
Started:
Decided:
Published:	01.03.2021
Fine:	9000 EUR
Parties:	n/a
National Case Number/Name:	PS/00279/2020
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	n/a

The Spanish DPA (AEPD) imposed a fine of € 5,000 for the violation of Article 6 GDPR and of €4,000 for the violation of Article 13 GDPR. The defendant published personal data on its website without consent and informing the data subject in a privacy policy.

English Summary

Facts

A Spanish website has published personal photos and other personal data on its website without the consent of the data subject and without providing the data subject with a privacy policy containing the information required by article 13 GDPR.

Dispute

Is it publishing personal data without the consent of the data subject unlawful? Is it the lack of a privacy policy providing the data subject with the information required under GDPR unlawful?

Holding

The national law LOPDGDD considers the violation of articles 6 and 13 GDPR as "very serious" and therefore the Spanish DPA decided on imposing a fine of € 5 000 for the violation of Article 6 GDPR and € 4 000 for the violation of article 13, under the power conferred by Article 83(5) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/7








     Procedure Nº: PS / 00279/2020

                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                   BACKGROUND


FIRST: A.A.A. (hereinafter, the claimant) on July 9, 2019 filed
claim before the Spanish Agency for Data Protection.

The claim is directed against B.B.B. with NIF *** NIF.1 (hereinafter, the claimed one).


The reasons on which the claim is based are that photographic material has been published
and other personal data at “*** URL.1”, without your consent.

On June 4, 2019, he requested the deletion of his personal data to the claimed,
but this one does not respond.


Likewise, the complained party states that on the aforementioned website the legal notice that
publishes is insufficient and its privacy policy does not meet the required requirements
regarding the processing of personal data.


Among others, the following documentation is provided:

    Email addressed to the address *** EMAIL.1 exercising the right of sub-
       pressure of the claimant's personal data.

The antecedents that appear are the following:


Dated June 1, 2020, within the admission procedure
E / 08088/2019 and without being able to transfer the claim to the claimed one,
agrees to open these investigative actions in relation to the claim.
tion submitted by the claimant. The claimant is notified on July 8,

2020.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), dated June 1, 2020, within the procedure

of admission E / 08088/2019 this claim is transferred without having
got answer.

THIRD: On September 21, 2020, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged violation of article 6 of the RGPD, article 13 of the RGPD, typified in the

Article 83.5 of the RGPD.

FOURTH: On October 7, 2020, the agreement to initiate this
procedure, becoming the same proposal for resolution of conformity

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








with articles 64.2.f) and 85 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations (LPACAP), by not carrying out
allegations within the indicated period.


       In view of all the actions, by the Spanish Protection Agency
of Data in this procedure the following are considered proven facts,

                                        ACTS


FIRST: A claim is filed because photographic material has been published and
other personal data in "*** URL.1", without the consent of the owner.

SECOND: On June 1, 2020, within the admission procedure
E / 08088/2019 this claim is transferred without a response having been obtained.


THIRD: On October 7, 2020, the agreement to initiate this
procedure, becoming the same proposal for resolution of conformity
with articles 64.2.f) and 85 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations (LPACAP), by not carrying out
allegations within the indicated period.


       In view of all the actions, by the Spanish Protection Agency
of Data in this procedure the following are considered proven facts,

                            FOUNDATIONS OF LAW


                                             I

       By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,

the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.

                                            II

       Article 6.1 of the RGPD establishes that for the treatment to be lawful,

will require that the interested party give their consent for the processing of their data
personal for one or more specific purposes.


       Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the
Council of April 27, 2016, regarding the protection of natural persons in the
regarding the processing of personal data and the free circulation of these data
(General Data Protection Regulation, hereinafter RGPD), under the rubric

"Definitions", provides that:
       "For the purposes of these Regulations, the following shall be understood as:

       1) "personal data": any information about an identified natural person or
identifiable ("the interested party"); an identifiable natural person shall be considered any person
whose identity can be determined, directly or indirectly, in particular by means of

an identifier, such as a name, an identification number, data from
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/7








location, an online identifier or one or more elements of the identity
physical, physiological, genetic, psychic, economic, cultural or social of said person;

       2) "treatment": any operation or set of operations carried out
on personal data or personal data sets, either by procedures
automated or not, such as collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,

communication by transmission, broadcast or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction; "

       Therefore, in accordance with these definitions, the collection of data from
personal character through forms included in a web page constitutes a
data processing, in respect of which the data controller must give
compliance with the provisions of article 13 of the RGPD, a precept that has displaced
from May 25, 2018 to article 5 of Organic Law 15/1999, of May 13,
December, Protection of Personal Data.

       In relation to this matter, it is observed that the Spanish Agency for
Data Protection has available to citizens, the Guide for the

compliance with the duty to inform (https://www.aepd.es/media/guias/guia-modelo-
informative-clause.pdf) and, in the event of low-risk data processing, the
Free Facilita tool (https://www.aepd.es/herramdamientos/facilita.html).

       In this sense, article 4.11 of the RGPD defines the "consent of the

interested party »as any manifestation of free will, specific, informed and
unequivocal by which the interested party accepts, either through a declaration or a
clear affirmative action, the processing of personal data concerning you.

       For its part, article 7.1 of the RGPD establishes that “when the treatment is
Based on the consent of the interested party, the person in charge must be able to

demonstrate that he consented to the processing of his personal data. "

       Along these lines, article 6 of the LOPDGDD establishes that in accordance with
The provisions of article 4.11 of Regulation (EU) 2016/679, is understood as
consent of the affected party any manifestation of free, specific will,

informed and unequivocal by which it accepts, either through a statement or a
clear affirmative action, the processing of personal data concerning you.


       Article 13 of the RGPD, precept in which the information that
must be provided to the interested party at the time of data collection, it has:

        "1.When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide

all the information indicated below:
       a) the identity and contact details of the person in charge and, where appropriate, of their

representative;
       b) the contact details of the data protection officer, if applicable;

       c) the purposes of the treatment to which the personal data are destined and the basis
legal treatment;


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7








        d) when the treatment is based on article 6, paragraph 1, letter f), the
legitimate interests of the person in charge or of a third party;

        e) the recipients or categories of recipients of personal data,
in your case;

        f) where appropriate, the intention of the person responsible to transfer personal data to a
third country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the

adequate or appropriate warranties and the means to obtain a copy of these or
to the fact that they have been borrowed.
        2. In addition to the information mentioned in section 1, the person responsible for the

treatment will facilitate the interested party, at the time the data is obtained
personal information, the following information necessary to guarantee data processing
loyal and transparent:

        a) the period during which the personal data will be kept or, when not
where possible, the criteria used to determine this deadline;

        b) the existence of the right to request the data controller for access
to the personal data relating to the interested party, and its rectification or deletion, or the
limitation of its treatment, or to oppose the treatment, as well as the right to
data portability;

        c) when the treatment is based on article 6, paragraph 1, letter a), or the
Article 9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the

consent prior to its withdrawal;
        d) the right to file a claim with a supervisory authority;

        e) if the communication of personal data is a legal or contractual requirement, or
a necessary requirement to sign a contract, and if the interested party is obliged to
provide personal data and are informed of the possible consequences of

not provide such data;
        f) the existence of automated decisions, including profiling, to

referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.

        3.When the person responsible for the treatment plans the subsequent treatment of
personal data for a purpose other than that for which it was collected,
will provide the interested party, prior to said further processing, information
on that other purpose and any additional relevant information pursuant to section 2.

        4.The provisions of paragraphs 1, 2 and 3 shall not apply when and in
the extent to which the interested party already has the information ”.

        For its part, article 11 of the LOPDGDD, provides the following:

        "1. When the personal data is obtained from the affected party, the person in charge
treatment may comply with the duty of information established in the
Article 13 of Regulation (EU) 2016/679 providing the affected party with basic information
referred to in the following section and indicating an email address or other

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7








means that allows easy and immediate access to the rest of the information.

       2. The basic information referred to in the previous section must
contain, at least:

       a) The identity of the person responsible for the treatment and their representative, in their
case.

       b) The purpose of the treatment.
       c) The possibility of exercising the rights established in articles 15 to 22

of Regulation (EU) 2016/679.
       If the data obtained from the affected party were to be processed for the preparation of
profiles, the basic information will also include this circumstance. In this

In this case, the affected party must be informed of their right to oppose the adoption of
automated individual decisions that produce legal effects on him or her
significantly affect in a similar way, when this right to agree
with the provisions of article 22 of Regulation (EU) 2016/679. "


                                            III

       This claim focuses on the fact that images of the claimant have been published
without consent on the website *** URL.1.

       It also states that both the legal notice and the privacy policy of the

web page *** URL.1 is not in accordance with the data protection regulations.

       According to the available evidence, it is considered that the
known facts constitute two infractions attributable to the defendant, one
first offense for a violation of article 6 of the RGPD, for the treatment of

your personal data without your consent, and another second violation by the
violation of article 13 of the RGPD, for lacking the privacy policy of the page
website object of this claim, of the requirements regarding the
processing of personal data, indicated in foundation II.


                                            IV

       Article 72.1.b) and h) of the LOPDGDD states that “depending on what
established in article 83.5 of Regulation (EU) 2016/679 are considered very serious and
The infractions that suppose a substantial violation will prescribe after three years
of the articles mentioned therein and, in particular, the following:


       b) The processing of personal data without the concurrence of any of the
conditions of legality of the treatment established in article 6 of the Regulation
(EU) 2016/679.


       h) The omission of the duty to inform the affected party about the treatment of their
personal data in accordance with the provisions of articles 13 and 14 of the Regulation
(EU) 2016/679 and 12 of this organic law. "

                                            V


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/7








       Each offense can be sanctioned with a fine of € 20,000,000 as
maximum or, in the case of a company, of an amount equivalent to 4% as
maximum total annual global business volume of the previous financial year,

opting for the highest amount, in accordance with article 83.5 of the RGPD.

       Likewise, it is considered that each sanction to be imposed should be graduated from
in accordance with the following criteria established in article 83.2 of the RGPD:

       As aggravating factors the following:


     In the present case we are dealing with unintentional negligent action, but it signifies
        identified catives (article 83.2 b)

     Basic personal identifiers -image- are affected (art 83.2

        g)

       Therefore, based on the foregoing,


       By the Director of the Spanish Data Protection Agency,

Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE B.B.B., with NIF *** NIF.1, for the violation of article 6 of the
RGPD, a fine of five thousand euros (€ 5,000), and by article 13 of the RGPD, a
fine of four thousand euros (€ 4,000), both typified in article 83.5 of the RGPD.


SECOND: NOTIFY this resolution to B.B.B ..

THIRD: Warn the sanctioned person that they must enforce the sanctions imposed
once this resolution is enforceable, in accordance with the provisions of
the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period

voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency

Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.

Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment

volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/7








In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to

counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the

interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the

cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.


Mar Spain Martí
Director of the Spanish Agency for Data Protection

























C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es