AEPD (Spain) - PS/00190/2020: Difference between revisions

AEPD - PS/00190/2020
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 5(1)(f) GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:
Published:	12.03.2021
Fine:	None
Parties:	n/a
National Case Number/Name:	PS/00190/2020
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEPD decision (in ES)
Initial Contributor:	n/a

The Spanish DPA (AEPD) warned a Home Owners' Association for an infringement of Article 5(1)(f) GDPR, due to the disclosing of personal data in a debtors list.

English Summary

Facts

A Home Owners' Association released a debtors list, that was shown publicly in the building's hall, where address details, name and surname of the claimant could be found.

Dispute

Is a Home Owners' Association allowed to publish such data?

Holding

The AEPD determined that this behaviour infringed Article 5(1)(f) GDPR, because it discloses personal data without the consent of the data subject. The Spanish law regulating private ownership of housing allows in its Article 19(3) Home Owners' Associations to publish of (personal) data in certain cases: for notification purposes, when other means have not resulted, for calling for meetings and for the publication of meetings memorandum. However, they are not allowed to publish personal data for mere informative purposes that are not supported by a legal ground.

The AEPD warned the Home Owners' Association and gave them a month to rectify the level of security of the data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/5











     Procedure No.: PS / 00190/2020

                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on

to the following

                                  BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) dated December 30, 2019

filed a claim with the Spanish Data Protection Agency. The
claim is directed against COMMUNITY OF OWNERS B.B.B. with NIF
*** NIF. 1 (hereinafter, the claimed one).

The reasons on which the claim is based are that your personal data (floor, letter,

name and surname) appear in a list of debtors published on the notice board.
announcements, located on the portal of the building in which you reside.

SECOND: In view of the events denounced, on 02/21/2020, the
the claim to the claimed so that “it analyzes said claim and communicates to the

the claimant the decision he adopts in this regard.
       Likewise, within a month from receipt of this letter, you must

send this Agency the following information:

1. Copy of the communications, of the adopted decision that has been sent to the
claimant regarding the transfer of this claim, and accreditation that the
claimant has received the communication of that decision.


2. Report on the causes that have motivated the incidence that has originated the
claim.

3. Report on the measures adopted to prevent incidents from occurring

Similar.


In response to the aforementioned request, on March 12, 2020, the president of the
community of owners object of this claim, responds stating that the
The decision to expose the claimant's personal data has been by agreement of
all the neighbors to pressure him to pay a debt that he owes for more than a
year, due to disagreements that it has with the community of owners for a

breakdown you had at home.

THIRD: On September 1, 2020, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged violation of article 5.1.f) of the RGPD, typified in article 83.5 of the

GDPR.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/5








FOURTH: On October 7, 2020, the agreement to initiate this
procedure, becoming the same proposal for resolution of conformity
with articles 64.2.f) and 85 of Law 39/2015, of October 1, on the Procedure

Common Administrative of Public Administrations (LPACAP), by not carrying out
allegations within the indicated period.

In view of all the actions, by the Spanish Agency for Data Protection
In the present proceeding, the following are considered proven facts,


                                       ACTS

FIRST: The personal data of the claimant (floor and letter of your address, and
name and surname) appear in a list of debtors published on the notice board.
announcements, located on the portal of the building in which you reside.


SECOND: The defendant has not presented any allegation.

                           FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
The Spanish Data Protection Agency is competent to resolve this
process.


                                            II

In this case, the respondent reveals personal data of an owner. (floor, letter,
name and surname) by placing on the notice board, located on the portal of the

building in which it resides.

It should be taken into account that for the exhibition on the bulletin board of the
Community, personal data must adhere to a series of principles
in order not to violate data protection regulations.


As a means of personal and individualized notification to the owner, the Law of
Horizontal Property, indicates the assumptions in which the data exposure is authorized
of a personal nature related to matters arising from the management of the
Community of owners.


Its article 9. h) indicates as an obligation of the owner “Communicate to whoever exercises the
functions of secretary of the community, by any means that allows to have
proof of receipt, the address in Spain for the purposes of subpoenas and
notifications of all kinds related to the community.


In the absence of this communication, the address will be for citations and
notifications of the apartment or premises belonging to the community, having full effect
those delivered to the occupant of the same. If a subpoena or notification was attempted
it was impossible for the owner to practice it in the place provided for in the previous paragraph,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/5








It will be understood as carried out by placing the corresponding communication in
the community bulletin board, or in a visible place of general use enabled at the
effect, with expressive diligence of the date and reasons why this

notification form, signed by whoever exercises the functions of Secretary of the
community, with the approval of the President. The notification practiced in this way
it will produce full legal effects within three calendar days ”.

Article 19.3 of the LPH, second paragraph, indicates: “The minutes of the meetings are
will forward to the owners in accordance with the procedure established in article

9. "

In the present case, there is no evidence that the exposed note comes from a
call, meeting or minutes, but rather the desire to want to inform the
owners, although the community board should not serve as a board for

notify or inform when personal data is exposed, if the
requirements in each case indicated for said exposure and its functions shall be those of
notification or summons.

In the present case, an informative note is being presented to the owners,
making exposure in a space or place of transit of a note, which makes

identifiable to a person and attributes the status of debtor, which may affect their
honor. This note with the data as a means of information, in this case it does not fit
to the LPH and violates the right of the claimant to their data protection, by not
to proceed with the exposition in any of the cases provided for in the aforementioned LPH.


Therefore, the COMMUNITY OF OWNERS B.B.B. with NIF *** NIF.1, the

commission of an infringement of article 5.1. f) of the RGPD “1. Personal information
will be: f) “treated in such a way as to guarantee adequate security for the
personal data, including protection against unauthorized or illegal processing and
against their loss, destruction or accidental damage, by applying measures
appropriate technical or organizational ("integrity and confidentiality"). "


Article 83.5 a) of the RGPD, considers that the infringement of "the basic principles
for the treatment, including the conditions for consent under the
Articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned

Article 83 of the aforementioned Regulation, with administrative fines of € 20,000,000 as
maximum or, in the case of a company, of an amount equivalent to 4% as
maximum total annual global business volume of the previous financial year,
opting for the highest amount.


 The LOPGDD in its article 5.1 indicates: "Duty of confidentiality":
"Those responsible and in charge of data processing as well as all persons

who intervene in any phase of this will be subject to the duty of confidentiality
referred to in article 5.1.f) of Regulation (EU) 2016/679. "


Its article 72.1.a) considers it: “Violations considered very serious

"1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/5








a substantial violation of the articles mentioned therein and, in particular, the
following:


a) The processing of personal data in violation of the principles and guarantees of the
established in Article 5 of Regulation (EU) 2016/679 ”.


Article 58.2 of the RGPD provides: “Each supervisory authority will have all the
following corrective powers listed below:

b) punish any person responsible or in charge of the treatment with warning
when the processing operations have infringed the provisions of this

Regulation;

d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period "


In this sense, the actions taken by the claimed to the
know the claim that was reported by this AEPD and the measures
adopted, having to report them within the procedure, being able to
in the resolution to adopt the appropriate ones for its adjustment to the regulations.



       Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:


1. FIRST: IMPOSE COMMUNITY OF OWNERS B.B.B. with NIF
*** NIF. 1, for an infringement of article 5.1 f) of the RGPD, punishable in accordance with the provisions
put in art. 83.5 of the aforementioned RGPD, and classified as very serious in article 72.1 a)
of the LOPDGDD, a warning sanction.


SECOND: REQUIRE the claimed party so that within one month it accredits
before this body the adoption of the necessary measures to guarantee a
adequate security of the personal data processed, in accordance with what is required
in article 5.1 f) of the RGPD that regulates the principles of integrity and confidentiality
of the data.


THIRD: NOTIFY this resolution to the COMMUNITY OF
OWNERS B.B.B.

       In accordance with the provisions of article 50 of the LOPDGDD, the

This Resolution will be made public once it has been notified to the interested parties.

       Against this resolution, which ends the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may file, optionally, an appeal for reversal
before the Director of the Spanish Agency for Data Protection within a period of

month from the day following notification of this resolution or directly
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/5








contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


       Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the firm resolution may be suspended in an administrative way
If the interested party expresses his intention to file a contentious appeal-
administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Data Protection Agency,

Presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. As well
must forward to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the

filing of the contentious-administrative appeal within a period of two months from the
day after the notification of this resolution, I would terminate the
precautionary suspension.

Mar Spain Martí

Director of the Spanish Agency for Data Protection

































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es