AEPD (Spain) - EXP202403915
Latest revision as of 08:44, 22 October 2024
| AEPD - EXP202403915 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR, Article 9(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 05.07.2024 |
| Published: | |
| Fine: | 10,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | EXP202403915 |
| European Case Law Identifier: | n/a |
| Appeal: | Appealed - Confirmed AEPD (Spain) REPOSICION-PS-00130-2024 |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | fb |
The DPA fined a plastic surgery clinic €10,000 after it unlawfully shared before and after pictures of a data subject on its social media account. The DPA highlighted that the pictures contained health data under Article 9(1) GDPR.
English Summary
Facts
The data subject underwent plastic surgery in a private clinic (the controller).
The data subject consented to the taking of pictures and the recording of the surgery for medical, scientific or educational purposes.
Afterwards, the controller published on its social media pictures of the data subject comparing her physical appearance before and after the surgery, in order to promote the clinic.
Therefore, the data subject filed a complaint with the DPA.
The controller pointed out that the data subject had consented to the processing of her images.
Holding
First, the DPA noted that the data subject consented to the taking of photographs and/or recording.
However, the DPA pointed out that the data subject had never given her consent for her pictures to be shared online. On the contrary, the data subject had consented to record her surgery only for medical, scientific or educational purposes.
Therefore, the DPA held that the controller shared this data without a legal basis and found a violation of Article 6(1) GDPR.
Moreover, it noted that the pictures had already been deleted from the websites and, thus, no corrective measures were needed.
Secondly, the DPA noted that the processing involved data concerning health, therefore falling under Article 9 GDPR. The DPA found a violation of this article.
On these grounds, the DPA issued a fine of €10,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/22 File No.: EXP202403915 SANCTIONING PROCEDURE RESOLUTION From the procedure instructed by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On December 28, 2022, A.A.A. (hereinafter, the complainant) filed a claim with the Spanish Data Protection Agency. The claim is directed against B.B.B., with NIF ***NIF.1, (hereinafter, the respondent). The reasons on which the claim is based are that Dr. C.C.C. (hereinafter, Ms. C.C.C.), who performed plastic surgery on the complainant, provided B.B.B. (hereinafter, Mr. B.B.B.), before and after photos of the claimant's intervention. These photos have been published by the respondent party to promote his private plastic surgery clinic on the social networks Facebook and Instagram. He provides a Notarial Record, dated July 5, 2022, of the advertising and use of his medical data without his consent. Relevant documentation provided by the claimant: - Copy of the Notarial Record, dated July 5, 2022, of the advertising and use of his medical data without his consent. - Copy of the Complaint and claim filed on 07/18/2022 before the Hospital ***HOSPITAL.1 for the same facts that appear in the claim filed before the AEPD. - Copy of the response from the Hospital ***HOSPITAL.1 dated 08/02/2022. - Copy of the medical discharge report of the complainant dated 01/11/2017, issued by Ms. C.C.C.. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to Ms. C.C.C. and the respondent party on 02/14/2023, so that they could proceed with its analysis and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations. 
Both transfers, which were carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), were collected on February 15, 2023, as stated in the acknowledgment of receipt in the file. On April 29, 2023, a written response to the transfer was received from the AEPD, where the respondent party states the following: - On January 30, 2020, Ms. C.C.C. and he reached a commercial agreement in which Ms. C.C.C., could use the facilities of the Clinic of the respondent party in Cuenca, (trade name (...)), for the performance of its sanitary work of consultation and follow-up of its clients/patients, as a plastic surgeon, without performing any operation in its facilities. - On the other hand, and taking advantage of the visibility that the respondent party has on social networks, an agreement was reached that he would publish some of the work of Ms. C.C.C., as long as she indicated it. Publishing the work means publishing the before and after through photographic images, of the surgical work that Ms. C.C.C. performs. - He states that he does not process personal data of Ms. C.C.C.'s patients, unless it is the publication of this data, being he, in charge of the treatment of Ms. C.C.C.. - He also wishes to state that he works as a cosmetic doctor in Cuenca capital, and cannot perform plastic surgery operations, which means that he does not need any publicity about the results of operations of this type to increase his clients or benefit from treatments, which as a professional, he cannot perform. - There is no direct relationship between the complainant and him. All relationship is established through Ms. C.C.C.. - On 01/30/2020, the respondent party and Ms. C.C.C. signed the contract of Data Processor, as established in article 28.3 of the General Data Protection Regulation, where Ms. C.C.C. authorized the respondent party to process personal data (ANNEX 1 contract). 
- In said contract the purposes were: o “Processing of data of patients/clients treated in the facilities of the Clinic of the data processor by the data controller. o Processing of personal data of patients/clients for advertising in facilities, media and social networks of the activities of the security officer, provided that the controller so indicates in some communication”. - On 12/12/2021, after a telephone conversation with Ms. C.C.C., in which the respondent party was instructed to proceed to publish on social networks some images of the result of one of her operations, Ms. C.C.C. sent the respondent party an email with the photos. Completely unaware of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/22 complainant, nor her name, only that the doctor had performed the operation in Albacete. - He acknowledges that the publication of the images was made without the claimant's prior consent to him, but since the respondent party was in charge of treating Ms. C.C.C., he should have obtained the claimant's consent. - At the time of receiving the claim, from the claimant whom he did not know, and when he was told which photos they were, the photos were immediately deleted from the social networks Instagram and Facebook, keeping only the email of Ms. C.C.C., for evidence purposes and which will also be deleted upon completion of the claim. - He was carrying out the work entrusted to him, as the person in charge of processing Ms. C.C.C.'s personal data. C.C.C., the latter being the data controller, as a result of the existing commercial relationship between the two. - It has not carried out any improper processing or illegitimate processing of the claimant's data, since it only acted in accordance with the purposes entrusted by Ms. C.C.C., the latter being the party responsible for said processing and for obtaining the informed consent of its client, the claimant. 
The relevant documentation provided by the respondent party is the following: - Copy of the Data Processor Contract signed between Mr. B.B.B. and Ms. C.C.C.. In the second stipulation of said contract under the heading "Purpose of the processing" it is established that: "The purpose of the processing will be: o Data of patients/clients treated at the Clinic facilities of the data processor by the data controller. o Advertising in facilities, media and social networks of the activities of the security officer, provided that the officer so indicates in a communication”. - Copy of the email sent by Ms. C.C.C. on 12/12/2021, in which the subject appears: “more photos of (...) doubles” and in which 4 files are attached, two containing photos of the claimant and two others that appear hidden. On 05/22/2023, a letter was received from Ms. C.C.C. in which, among other aspects, she states that: - Regarding the decision taken regarding this claim, firstly, it must be made clear that she was aware of the publication of the images on the social networks of the Clinic (...), a commercial name used by Mr. B.B.B. (the respondent party) following the complaint that the complainant filed with the Hospital's Customer Service C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/22 ***HOSPITAL.1. After receiving said complaint, the complainant immediately contacted the Clinic (...), a commercial name used by D. B.B.B. (the respondent party) which proceeded to delete the aforementioned images. - The purpose for which the images were taken was "for the purposes of advances in medical education (...) for medical, scientific or educational purposes"; as stated in document n.1 attached to this document and which consists of the consent document for surgery signed by the complainant; unaware of the publication on the social media profiles of the Clinic (...), a commercial name used by D. B.B.B. (the respondent party) until the time of receiving the claim from the complainant. 
- I was unaware of the publication of the images until the time of the claim to the Hospital's Customer Service Department. ***HOSPITAL.1. - It should be emphasized that the publication of the images was made on the social networks of the Clinic (...), a commercial name used by Mr. B.B.B. (the respondent party) and not on his own. - He is aware that the Clinic deleted the images immediately as soon as he informed them of the complaint he had received through ***HOSPITAL.1. - That as of the date of this writing the photographs are not available nor is there any possible way to locate them. - He attaches as Annex I a Report on the causes that have motivated the incident that has given rise to the complaint. In said Report, among other aspects, he indicates: o That on January 10, 2017, Ms. C.C.C. performed a cosmetic surgery on the complainant the intervention was carried out at the current Clinic ***HOSPITAL.1. o On the same day, the claimant signed the consent document for the intervention, section 6 of which expressly states the consent for photographing or filming the operation for medical, scientific or educational purposes. o That on January 11, 2017, the claimant was discharged. o That on July 18, 2022, the claimant filed a claim with the patient care service of ***HOSPITAL.1. o That after receiving the claim, she contacted directly the Clinic (...), a commercial name used by D. B.B.B., (the respondent party) who proceeded to immediately delete the images from its social media profiles. o That on February 15, 2023, she received notification of the previous transfer of the claim and request for a report. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/22 o That in relation to the reasons motivating the claim, it appears that the Clinic (...), a commercial name used by Mr. B.B.B. (the respondent party) published the images taken before and after the claimant's operation on its Facebook and Instagram profiles without her consent. 
o That he was unaware of said publication, so when he received the claimant's claim, he immediately contacted the Clinic (...), a commercial name used by Mr. B.B.B., (the respondent party), who in turn deleted the images from their social media profiles. o That as of the date of this writing, the images are still not available and there is no possibility of them being accessible on the Internet - Attached as Annex II Report on the measures adopted to prevent similar incidents from occurring, implementation dates and controls carried out to verify their effectiveness, as set out in the following table: Measure Implementation date Control Update and improvement of the consent document May 2023 Annual review of the document in order to verify its suitability and adapt it, if necessary, to possible new situations. Global review of the level of May-June 2023 Annual review to verify compliance with the GDPR and compliance with the regulations, detect new LOPDGDD in the professional activity. treatments and adopt the necessary measures. Relevant documentation provided by Ms. C.C.C.: - Annex I Report on the causes that have motivated the incident that has originated the claim. - Annex II Report on the measures adopted to prevent similar incidents from occurring dates of implementation and controls carried out to verify their effectiveness. - Document No. 1 Copy of the document “CONSENT FOR SURGERY/PROCEDURE OR TREATMENT” signed by the claimant, authorizing Ms. C.C.C. to perform the procedure or treatment: (...). 
And in section 6 it states that: “For the purposes of advancement in medical education, I give consent for the entry of observers into the operating room and the photographing or filming of the operation(s) or procedure(s) to be performed, for medical, scientific or educational purposes since my identity will not be revealed in the images” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/22 THIRD: On March 28, 2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the claimant was admitted for processing. FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, pursuant to the functions assigned to the control authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, having knowledge of the following: Regarding the facts contained in the complaint, as well as the documents together with it submitted by the complaining party and the response to the transfer and the accompanying documents, made by Mr. B.B.B. (the respondent party) and by Ms. C.C.C., it is not disputed by the parties that Mr. B.B.B. published on the social media profiles (Facebook and Instagram) of the Clinic (...), which it uses as its trade name, photographs of before and after the operation of (...) that Ms. C.C.C. performed on the complainant in January 2017. And that said publication was made without the consent of the complainant. It has also been proven that there has never been any type of contractual relationship between the complainant and Mr. B.B.B. (the respondent), or the Clinic (...), which it uses as its trade name, as acknowledged by the complainant in its complaint and by Mr. B.B.B. (the respondent) in its response to the transfer. 
It has been proven that the complainant underwent an operation of (...), performed by Ms. C.C.C. and gave her consent for her to carry out the “photographing or filming of the operation(s) or procedure(s) to be performed, for medical, scientific or educational purposes since my identity will not be revealed in the images” although only for “purposes of advancement in medical education”, not for commercial advertising purposes of the activity of Ms. C.C.C. or of third parties with whom she collaborates. And that the published photographs were taken by Ms. C.C.C. when she performed the aforementioned operation in January 2017. The photographs were sent from the email ***EMAIL.1 to the email ***EMAIL.2 on 12/12/2021, said email addresses being those of Ms. C.C.C. and the respondent respectively. These photographs were not published on the aforementioned profiles (Instagram and Facebook) of the Clinic (...), commercial name used by Mr. B.B.B., on 10/02/2023, according to the evidence collected by the AEPD for this purpose. According to statements by Ms. C.C.C. and Mr. B.B.B., these photographs would have been removed from social networks after the claim filed by the complainant to the Hospital ***HOSPITAL.1, in July 2022, and they are still not available and there is no possibility that they will be accessible on the Internet. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/22 The contractual relationship between Ms. C.C.C. and Mr. B.B.B., in the existing contract for data processing between them dated 01/30/2020, the purposes of said contract are listed as follows: The processing of the “data of patients/clients treated at the facilities of the Clinic of the data processor by the data controller”. As well as the “advertising in facilities, media and social networks of the activities of the security officer, provided that the controller so indicates in a communication” Mr. B.B.B. has provided a communication (email) from Ms. C.C.C. 
in which he sends the photos published by him on the social media profiles of the Clinic (...), trade name used by Mr. B.B.B.. FIFTH: On March 18, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 6.1 of the GDPR and Article 9 of the GDPR, classified in Article 83.5 of the GDPR. SIXTH: Having notified the aforementioned initiation agreement in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the respondent party submitted a written statement in which it stated the following: “The facts reported do not correspond to the factual reality, since it is assumed that the photographs published on social networks were for my own benefit, which is totally contrary to reason, since I was only in charge of data processing, as has been justified in the submission of the documents previously provided to the file. The reality is that Ms. C.C.C. has a clinic rented in the premises that I own, and that the advertisement is for surgical treatments, having nothing to do with my activity since I only perform aesthetic treatments without surgical interventions, so I can hardly benefit from the publication of these photographs. I have to say that I have not incurred in any infringing conduct and that therefore the sanction that has been imposed on me must be null, first of all and in accordance with article 6.1 of the GDPR In accordance with what I have previously reported and with what is in the file, as you transcribe, I am only the person in charge of data processing, the plastic surgeon being Ms. C.C.C. 
who has to obtain the consent of the patient to whom he takes the photos before and after the intervention, and who, as I have demonstrated and is already in the file, sent me said photos and had the consent of the patient, as also stated in the file, not knowing since I was not there at the time when he obtained it whether it was for one purpose or for several as required by article 6.1 RGDP. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/22 Therefore, not being responsible for obtaining this consent, since I did not participate in the intervention nor do I know the claimant at all, I could not act negligently as indicated.” SEVENTH: On May 7, 2024, the instructor of the procedure agreed to reproduce for evidentiary purposes the claim filed by A.A.A. and its documentation, the documents obtained and generated during the admission phase for processing of the claim, and the report of prior investigation actions that are part of procedure AI/00146/2023. Likewise, the allegations to the agreement to initiate the referenced sanctioning procedure, presented by B.B.B., and the documentation that accompanies them, are reproduced for evidentiary purposes. 
EIGHTH: On May 8, 2024, a resolution proposal is issued proposing the following: That the Director of the Spanish Data Protection Agency sanction B.B.B., with NIF ***NIF.1, for an infringement of Article 6.1 of the GDPR and Article 9 of the RGPD, classified in Article 83.5 of the GDPR, with a fine of 5,000 euros for the infringement of Article 6.1 of the GDPR, and a second fine of 5,000 euros for the infringement of Article 9 of the GDPR, which amounts to a total of €10,000 (ten thousand euros), That the Director of the Spanish Data Protection Agency order B.B.B., with NIF ***NIF.1, that pursuant to Article 58.2.d) of the GDPR, within the term Within one month from the notification of the resolution of this sanctioning procedure, documentarily prove to the AEPD that it has complied with the adoption of measures taken consisting of preventing photographs of patients from this or another clinic from being disseminated on social networks without having the necessary legitimacy to do so. NINTH: On June 3, 2024, the statements made by the respondent party in response to the resolution proposal are recorded, indicating the following: “The AEPD on page 9 of its resolution proposal assumes that I am a plastic surgeon, but this is not true, this premise being very important for the proposed administrative sanction since I repeat again that I have not profited from the publication of these photographs, I am only the owner of the property in which the Doctor, who is a plastic surgeon, has a consultation room for rent, so neither was the surgery performed in my establishment nor do I know this person at all, only as a data processing agent I did what the person responsible for the processing of this data indicated to me, understanding at all times that the consent that the doctor has is valid for said publication, although this is something that I do not obtain, since I am concerned with obtaining the consent of the patients who authorize me to do so in my office. 
activity regarding the aesthetic treatments that I perform. The claimant states that B.B.B. published on the social networks Facebook and Instagram the before and after photos of the plastic surgery intervention, performed by Ms. C.C.C., to the claimant A.A.A.. B.B.B. acted as the person in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/22 charge of treatment for Dr. C.C.C., responsible for obtaining informed consent from his patient, and adapting this to the current regulations LOPDGDD 3/2018, of 5 December. (The surgical intervention and consequently her consent, as the claimant points out, was carried out prior to the entry into force of the Law, a fact that was totally unknown to B.B.B.). It has also become clear that the complainant did not contact me directly to request that I remove the photographs, but even so, at the moment that the Doctor indicated it to me, I removed them from my networks. As for indicating that it has been done in order to prevent this from happening again the images have been manually deleted both on Instagram and on Facebook of Clínica (...). (trade name and identifier of the aesthetic medicine activity of B.B.B.). A sweep has also been carried out on the Google search engine to evaluate the removal of the images and videos from the Facebook and Instagram pages, the links to which we attach for verification. ***URL.1 and ***URL.2 That is why the images of Mrs. A.A.A. and links to the content on the social networks Facebook and Instagram have been removed from all of them. Furthermore, the same procedure has been followed with images or videos with identifiable data of any other person or they have been pixelated, despite having informed consent from the persons, clients/patients of B.B.B. 
that appear in ***URL.1 and ***URL.2” From the actions carried out in the present procedure and the documentation in the file, the following have been proven: PROVEN FACTS FIRST: Dissemination on the social networks Facebook and Instagram of photos of the complainant without his consent, to advertise the private plastic surgery clinic of the respondent. BASIS OF LAW I Competence In accordance with the powers granted to each supervisory authority by article 58.2 of the GDPR and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/22 of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary character, by the general rules on administrative procedures." II Preliminary issues In the present case, it is alleged that the respondent party, owner of the Clinic (…), has disseminated on social networks photos of the before and after of the surgical intervention that the complainant underwent, in order to advertise the clinic of the respondent party, without the consent of the complainant. These photos have been published by the respondent party to promote his private plastic surgery clinic on the social networks Facebook and Instagram. The AEPD, after carrying out the investigation actions indicated in the background, makes the following considerations: 1.- It has been proven that Ms. C.C.C. performed a treatment/operation of (...) on the appellant in 2017. 2.- During said operation/treatment, Ms. C.C.C. 
took photographs of the before and after of said treatment, with the consent of the complainant party to the photographs for medical, scientific or educational purposes. There is no record that the complainant party gave her consent to the photographs for the purposes of commercial advertising of the activity of Ms. C.C.C. or of third parties with whom she collaborated.

3º.- The photographs of the aforementioned treatment/operation were sent from the email ***EMAIL.1 to the email ***EMAIL.2 on 12/12/2021 and published on the social media profiles of the Clinic (...), a commercial name used by Mr. B.B.B., without the consent of the complainant party.

4º.- There is a data processing contract, dated 01/30/2020, between Ms. C.C.C. and Mr. B.B.B., in which the following purposes appear: the processing of “data of patients/clients treated at the facilities of the Clinic of the data processor by the data controller”, as well as “advertising in facilities, media and social networks of the activities of the controller, as long as the controller so indicates in some communication”.

5º.- In the evidence collected by the AEPD on 02/10/2023, the photographs subject to the claim were not published on the social media profiles (Instagram and Facebook) of the Clinic (...), the commercial name used by Mr. B.B.B.

III Response to the allegations presented

The respondent party, in response to the initiation agreement, sent a letter dated April 3, 2024, stating that he is not responsible for the facts attributed to him, since he did not participate in the surgical intervention of the complainant, nor does he know the complainant, and the dissemination of such photographs does not bring him any benefit, since he only performs aesthetic treatments without surgical interventions; he is therefore exempt from all responsibility, since he is only in charge of the treatment and is not the responsible party.

The respondent party, in response to the resolution proposal, sent a letter dated June 3, 2024, stating that he is not a plastic surgeon but the owner of the premises in which surgeon C.C.C. practices his profession, and that the consent held by the doctor is valid for the publication of the photographs of the complainant. The respondent has also stated that, as he is not a surgeon, he did not participate in the intervention performed on the complainant, and that the publication of the images does not provide him with any benefit, since he is not the surgeon who operated on the complainant but rather the owner of the Clinic (…), and that the consent given by the complainant to be operated on by C.C.C. is valid for the publication of the before and after photographs of the operation performed on the complainant. Likewise, the respondent points out that the complainant did not contact him to request that he remove the photographs, but even so, as soon as surgeon C.C.C. was informed, he manually removed the images from both the Instagram and Facebook accounts of Clínica (...), and the same procedure has been followed with images or videos containing identifiable data of any other person.

In response to such statements, it must be indicated that it has been established that the cosmetic operation that the complainant underwent was performed in a centre different from the clinic of the respondent, since the complainant was operated on at the Clínica ***HOSPITAL.1 on January 10, 2017, and the clinic advertised by the respondent is the Clínica (...). It is therefore an established fact that the respondent, whether or not a surgeon, did not participate in the intervention performed on the complainant, there being no contract that binds him to the complainant, and therefore he would have been authorized to process the before and after photographs of the operation performed by C.C.C. on the complainant.

Therefore, using these photographs to advertise the Clinic that he owns implies the pursuit of a profit or benefit. Furthermore, the photos of the complainant were taken before and after the cosmetic surgery performed by the respondent on the complainant in 2017, that is, years before the formalization of the data processing contract between the complainant and C.C.C. Therefore, the AEPD must indicate that we are not talking about a withdrawal of consent, nor of any other cause of legitimacy that entitles it to process the personal data of the respondent, in this case her image; the complainant is therefore not required to exercise her right to cancellation, nor any of the other rights recognized in the GDPR, for the processing of said photographs by the respondent entity to cease, since this would only be appropriate if the complainant had ever granted the respondent party her authorization for such processing. Ultimately, the respondent party is solely responsible for the dissemination on social networks of the before and after photos of the operation performed on the complainant party.

IV Article 6.1 of the GDPR

The physical image of a person is, according to article 4.1 of the GDPR, personal data, and its protection is therefore the subject of said Regulation. Article 4.2 of the GDPR defines the concept of “processing” of personal data. Article 6.1 of the GDPR establishes the conditions under which the processing of personal data is considered lawful, indicating the following:

“1.
Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Regarding processing for video surveillance purposes, article 22 of the LOPDGDD establishes that natural or legal persons, public or private, may carry out the processing of images through camera or video camera systems in order to preserve the security of persons and property, as well as their facilities.”

It is considered that the facts set forth, namely that the respondent party has used before and after photos of the intervention by C.C.C., without having the express consent of the respondent party, owner of the image in the photographs in dispute, or any other cause of legitimacy, for the purpose of publishing them on social networks and advertising his clinic, could constitute unlawful processing of personal data, which would constitute a violation of article 6 of the GDPR.

The respondent claims that in 2017 the complainant signed her consent authorizing the intervention itself and the taking of photographs and/or recordings, but not the communication of these photos to third parties. Likewise, Dr. C.C.C. and the respondent party indicate that the before and after photos of the operation used to advertise the respondent party's clinic were obtained with the respondent party's consent, since they were produced within the framework of a data processing contract entered into in 2020.

In response to such allegations from the respondent party, the AEPD considers that the publication of the before and after photos of the complainant's cosmetic surgery cannot be regarded as covered by the contract entered into in 2020 by the respondent party and C.C.C., and therefore that the complainant's consent cannot be understood to be available, for the following reasons: Firstly, the cosmetic surgery that the complainant underwent was performed in a centre other than the respondent party's clinic, since the complainant was operated on at the ***HOSPITAL.1 Clinic on January 10, 2017, and the clinic advertised by the respondent is the Clinic (...). Secondly, the photos of the complainant were taken before and after the cosmetic surgery performed by the respondent on the complainant in 2017, that is, years before the formalization of the processing contract between the complainant and C.C.C. Therefore, the respondent would be solely responsible for the dissemination on social networks of the before and after photos of the operation performed on the complainant. Thus, it must be taken into account that the present procedure focuses on the alleged responsibility of the respondent for the dissemination of the before and after photos of the operation performed by C.C.C. on the complainant.
V Classification of Article 6.1 of the GDPR

The known facts could constitute an infringement, attributable to the respondent party, classified in Article 6.1 of the GDPR, indicated above in legal basis II, and could therefore constitute the commission of an infringement classified in Article 83.5 of the GDPR, which provides as follows:

“Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9;”

For the purposes of the limitation period for infringements, the infringement referred to in the previous paragraph is considered very serious pursuant to Article 72.1 of the LOPDGDD, which establishes that: “In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and shall be subject to a three-year limitation period: b) The processing of personal data without any of the conditions for the lawfulness of the processing established in Article 6 of Regulation (EU) 2016/679 being met. (…)”

VI Proposal for a sanction for infringement of Article 6.1 of the GDPR

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

“Each supervisory authority shall ensure that the imposition of administrative fines in accordance with this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are effective, proportionate and dissuasive in each individual case.”

“Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures provided for in Article 58, paragraph 2, points (a) to (h) and (j). When deciding whether to impose an administrative fine and on its amount in each individual case, due account shall be taken of:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”

Regarding section k) of article 83.2 of the GDPR, article 76 of the LOPDGDD, “Sanctions and corrective measures”, provides:

“2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continued nature of the infringement.

b) The link between the offender's activity and the processing of personal data.

c) The benefits obtained as a result of the commission of the infringement.

d) The possibility that the conduct of the affected party could have led to the commission of the infringement.

e) The existence of a merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Having a data protection officer when not mandatory.”

In accordance with the provisions transcribed, for the purposes of setting the amount of the fine to be imposed in this case on the respondent, as responsible for an infringement classified in article 83.5.a) of the GDPR, in an initial assessment the following aggravating factors are considered to concur:

- Intentionality/negligence in the infringement (section b): the notorious negligence observed in the commission of the infringement, to the extent that the respondent party has disseminated on social networks photographs of the complainant, provided by C.C.C., without having the consent of the complainant or any other cause of legitimacy.
The sanction to be imposed on the respondent must be graduated and set at €5,000 in accordance with article 58.2 of the GDPR.

VII Adoption of measures for the infringement of article 6.1 of the GDPR

If the infringement is confirmed, the person responsible may be ordered to adopt appropriate measures to bring its conduct into line with the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, which provides the following: “Each supervisory authority shall have all of the following corrective powers: d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period.”

In this specific case, the respondent party and C.C.C., the latter being the person who provided the photos to the respondent party, have stated that as soon as they became aware of the complaint filed, on 18/07/2022, the complainant's photographs were removed. In addition, in response to the resolution proposal, the respondent party has proven that measures have been taken so that the data of its clients cannot be processed again without the legitimacy required by the data protection regulations, for which it has carried out a Google search to assess the removal of the images and videos from the Facebook and Instagram pages, whose links it attaches for verification: ***URL.1 and ***URL.2. Therefore, it is noted that all the images of the complainant and links to the content on the social networks Facebook and Instagram were deleted. In addition, the same procedure has been followed with images or videos containing identifiable data of any other person, whether clients or patients of B.B.B., which appear in ***URL.1 and ***URL.2.

VIII Article 9 of the GDPR

Article 9 of the GDPR establishes the following:

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, insofar as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

In the present case, the dissemination on social networks by the respondent party of the before and after photos of the cosmetic surgery carried out by Dr. C.C.C. on the complainant would violate article 9.1 of the GDPR, since health data, which are specially protected under article 9.1 of the GDPR, have been disseminated. It should also be noted that we are not in any of the situations in which, exceptionally, by virtue of article 9.2 of the GDPR, the prohibition on processing these data may be lifted, so we would be faced with an alleged violation of article 9 of the GDPR, indicated above.
IX Classification of Article 9 of the GDPR

The infringement of Article 9 of the GDPR, for which the respondent is held responsible, is provided for in Article 83.5 of the GDPR, which establishes that: “Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to 20,000,000 euros or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9.”

In turn, the LOPDGDD in its article 72.1.e) classifies as a very serious infringement, for the purposes of limitation, "The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679 without any of the circumstances provided for in said provision and in article 9 of this Organic Law being met."

X Proposed penalty for infringement of article 9 of the GDPR

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the GDPR must be observed, provisions already set out in ground VI.

In accordance with these provisions, for the purposes of setting the amount of the fine to be imposed on the respondent party as responsible for an infringement classified in Article 83.5.a) of the GDPR, the following aggravating factors are considered to concur in the present case:

- Intentionality/negligence in the infringement (section b): the notorious negligence observed in the commission of the infringement, to the extent that the respondent party, responsible for the processing of health data, data specially protected by the data protection regulations, has disseminated on social networks, in order to publicize its clinic, photographs of the complainant that were provided to it by C.C.C., despite not being in any of the exceptional cases that allow their processing under Article 9.2 of the GDPR.

The sanction to be imposed on the respondent must be graduated and set at €5,000 in accordance with article 58.2 of the GDPR.

XI Adoption of measures for the infringement of article 9 of the GDPR

It is agreed to order the controller to adopt appropriate measures to bring its actions into line with the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, which provides the following: “Each supervisory authority shall have all of the following corrective powers: d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;”

In this specific case, the respondent party and C.C.C., the surgeon who provided the photos of the complainant, have stated that as soon as they became aware of the complaint filed, on 18/07/2022, the photographs of the complainant were removed. In addition, in response to the resolution proposal, the respondent party has proven that measures have been taken to ensure that the data of its clients cannot be processed again without the legitimacy required by data protection regulations, for which it has carried out a Google search to assess the removal of the images and videos from the Facebook and Instagram pages, whose links it attaches for verification: ***URL.1 and ***URL.2. Therefore, it is noted that all the images of the complainant and links to the content on the social networks Facebook and Instagram were deleted. In addition, the same procedure has been followed with images or videos containing identifiable data of any other person, whether customers or patients of B.B.B., which appear in ***URL.1 and ***URL.2.

Therefore, in accordance with the applicable legislation and having assessed the criteria for graduating the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on B.B.B., with NIF ***NIF.1, for an infringement of Article 6.1 of the GDPR and Article 9 of the GDPR, classified in Article 83.5 of the GDPR, a fine of 5,000 euros for the infringement of Article 6.1 of the GDPR and a second fine of 5,000 euros for the infringement of Article 9 of the GDPR, which amounts to a total of €10,000 (ten thousand euros).

SECOND: TO NOTIFY this resolution to B.B.B.

THIRD: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this option. The sanctioned party is warned that he must pay the imposed sanction once this resolution becomes enforceable, in accordance with the provisions of art.
98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date of enforceability falls between the 1st and 15th of the month, both inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the next business day thereafter, and if it falls between the 16th and the last day of the month, both inclusive, the payment deadline will be the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly lodge an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party expresses the intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a written document addressed to the Spanish Data Protection Agency, submitted through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/] or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also provide the Agency with the documentation proving the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the provisional suspension.

938-16012024

Mar España Martí
Director of the Spanish Data Protection Agency