AEPD (Spain) - PS/00119/2021: Difference between revisions
Revision as of 10:32, 17 January 2022
| AEPD (Spain) - PS/00119/2021 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR; Article 17 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 11.01.2022 |
| Fine: | 9000 EUR |
| Parties: | EDUCANDO JUNTOS SL |
| National Case Number/Name: | PS/00119/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Carmen Villarroel |
The Spanish DPA fined a company €9000 for sharing pictures of one of its workers on its website and social networks without the worker's consent, and for not complying with the worker's erasure request regarding these pictures.
English Summary
Facts
A worker lodged a complaint with the Spanish DPA (AEPD) against their employer, alleging that the company was using their image on its new website, Facebook and Instagram.
The data subject asked the controller to take down the images. The controller replied that they had obtained the data subject's consent, although they provided no evidence of it. The data subject pointed out that the controller did not have their consent, and additionally that they thought that the images being used would remain in the internal sphere of the company.
The DPA required clarification from the controller, but did not receive any response.
Holding
The AEPD concluded that the controller had violated Article 6(1) GDPR, since they could not prove they had obtained the data subject's consent to publicly display their image online. For this violation, the DPA fined the controller €6000.
Additionally, the DPA determined that the controller had violated Article 17 GDPR, since they had not complied with the data subject's erasure request. For this violation, the DPA fined the controller an additional €3000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00119/2021

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) filed a claim on 11/9/2020 before the Spanish Agency for Data Protection. The claim is directed against EDUCANDO JUNTOS SL with NIF B85634681 (hereinafter, the claimed one). The reasons on which the claim is based are:

"The company EDUCANDO JUNTOS creates a new web page schooleducando.com using photographs of employees without requesting authorization from each one. In my case, I have urged them several times to remove the images in which I appear, but they ignore it. It is also extended to publications on social networks such as FACEBOOK and INSTAGRAM".

Provide a copy of:

- E-mails exchanged with the claimed web address, on file: notices 1, of 10/24/2020, requesting the removal of their photos from their website, Instagram and social networks.
- Copies of emails sent to the same address above, in a notice file 2. In date 3/11/2020. It affects that you request the deletion of your photos, images and videos, in the children's school in which he performed his work.
- File with "web" photographs containing three photos, one of a group and two of two and three people in the foreground respectively. Below these are three others. All under the label "Educational team", with the addition "they have not asked permission from any of the employees."
- File that contains a handwritten list, dates and photo numbers in which the claimant informs that their photos are to be deleted, in INSTAGRAM (five dates), FACEBOOK (twenty-four dates), with the same literal as the absence of permission to upload any of the photos. Dates range from 2017 to 2020.
SECOND: In view of the facts reported in the claim and the documents provided by the claimant, the claim is transferred to the claimed electronically, being made available from 12/21/2020, and automatic rejection after the ten calendar days from its availability for access (art. 43.2 of Law 39/2015, of the Common Administrative Procedure of Public Administrations (LPACAP)). The shipment is repeated by post, appearing absent in delivery in the two attempts, left notice, and returned by not withdrawn on 02/08/2021.

THIRD: On 03/15/2020, the claim is accepted for processing.

C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es

FOURTH: The claimed corporate purpose, according to the BORME publication, is: "exploitation of schools, academies, kindergartens, kindergartens, toy libraries, as well as all activities related to education of all kinds of subjects", "date of incorporation: 02/26/2009".

FIFTH: On 05/14/2021, it was agreed by the Director of the AEPD:

- INITIATE SANCTIONING PROCEDURE to EDUCANDO JUNTOS SL, with NIF B85634681, for the alleged infractions of the articles:
  - 6.1 of the RGPD, in accordance with article 83.5.a) of the RGPD.
  - 17 of the RGPD, in accordance with article 83.5.b) of the RGPD.
- "For the purposes specified in art. 64.2 b) of Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations, the sanctions that could correspond would be two administrative fines, six thousand euros for the infraction of article 6.1 and three thousand euros for that of article 17 of the RGPD, without prejudice to what results from the instruction."
Once the agreement was notified, it resulted in: "expired", with this literal:

"The Support service of the Electronic Notifications and Electronic Address Service Enabled CERTIFIES:

- That the Ministry of Economic Affairs and Digital Transformation (through the General Secretariat of Digital Administration) is currently the owner of the Service of Electronic Notifications (SNE) and Authorized Electronic Address (DEH) in accordance with Order PRE/878/2010 and Royal Decree 139/2020, of January 28. The provider of said Service since June 26, 2015 is the National Mint and Stamp Factory-Real Casa of the Currency (FNMT-RCM), according to the Management Commission in force of the Ministry of Finance and Public Administrations.
- That the notification was sent through said service:
  - Reference: 124439560a1392b77f27
  - Acting Administration: Spanish Protection Agency Data (AEPD)
  - Owner: - B85634681
  - Subject: "Notification"

  with the following result:
  - Date made available: 05/16/2021 17:25:02
  - Automatic rejection date: 05/27/2021 00:00:00

Automatic rejection generally occurs after ten calendar days have elapsed since they are made available for access according to paragraph 2, article 43, of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations. And in a particular way, after the deadline established by the acting Administration according to the specific legal regulations that are applicable.

What is certified to timely effects in Madrid on May 27, 2021"

SIXTH: After the term granted for the formulation of allegations to the initiation agreement of the procedure, it has been verified that no allegation has been received from the reclaimed.
Article 64.2.f) of LPACAP, which is outlined in the opening agreement of the procedure, establishes that if allegations are not made within the established period on the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, it may be considered a resolution proposal. In the present case, the agreement to initiate the disciplinary proceedings determined the facts in which the imputation was specified, the violation of the RGPD attributed to the defendant and the sanction that could be imposed. Therefore, taking into consideration that the defendant has not made any allegations to the agreement to initiate the file and in accordance with the provisions of the aforementioned article, the aforementioned initiation agreement is considered, in this case, a proposal for a resolution.

In view of all the actions, by the Spanish Agency for Data Protection in this proceeding, the following are considered proven facts,

FACTS

1) The claimant, who was employed by the defendant, requests on 10/22/2020 by electronic mail (provide a copy in your claim) that "the photos of the website, Instagram, Facebook", in which it appears, are eliminated. In a first response, the claimed, the next day, by e-mail, says that "we get down to it." There follows an exchange of emails that ends with that of the claimed one, of 10/24/2020, in which he states that "the photos have always been with your consent, since you have always consented to the Furthermore, their use has always been posted by the teachers".
2) In the email of 3/11/2020, the claimant sends a message to the claimant, noting that "they do not have the consent for their image to appear on the website, social networks and similar means of external diffusion of the school", "in which it came performed" his work, and that he was not informed that the photos and videos would leave the private scope of the school. It reiterates the request for the removal of the images and videos, presenting claim before this AEPD on 11/9/2020.

3) The claimed:

a. It provides six photographs of the claimed website, all under the heading "Equipo educative", with the addition "they have not asked permission from any of the employees". Of the same, two are from a group, and in the foreground: two of two and two of three people respectively.

b. Provides a handwritten list in which the claimant indicates the places and dates in those that appear their photos: INSTAGRAM (five dates), the first of 2017, last May 2020, FACEBOOK between 2017 and 2020 (twenty-four dates), with the same literal as the absence of permission to upload any of the photos.

4) The AEPD transfers the claim to the defendant, consigning the shipment as made available from 12/21/2020, with automatic rejection after ten calendar days have elapsed from being made available for access (art. 43.2 of the LPACAP). Sending is repeated by post, appearing absent in delivery in the two attempts, left notice, and returned by not withdrawn on 02/08/2021.

5) The initiation agreement was made available to the complainant on 05/16/2021, by electronic notification, through the provider of said service, certifying their non-access to the same, with what is understood to be rejected (art 43.2 LPCAP).

6) It is not proven that the complainant has attended the right to delete data from the claimant, or removed the claimant's photos.
7) It is not proven that the defendant has a legitimate basis for the treatment of the photos of the claimant.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

The RGPD defines data processing in article 4.2 of the RGPD: "Any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form to enable access, collation or interconnection, limitation, deletion or destruction"

The treatment of images, in this case in photos, must have a legitimation basis, of some listed in article 6.1 of the RGPD.

By having images of the claimant, personal data, considering that there is no legitimate basis for this, the defendant is charged with the commission of an alleged infringement of article 6.1 of the RGPD that indicates:

"1. The treatment will only be lawful if at least one of the following conditions is met:

a) the interested party gave their consent for the processing of their personal data for one or various specific purposes;

b) the treatment is necessary for the execution of a contract in which the interested party is part or for the application at his request of pre-contractual measures;

c) the treatment is necessary for the fulfillment of a legal obligation applicable to the responsible for the treatment;

d) the treatment is necessary to protect vital interests of the interested party or another physical person;

e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller;

f) the treatment is necessary for the satisfaction of legitimate interests pursued by the responsible for the treatment or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.

The provisions of letter f) of the first paragraph will not apply to the treatment carried out by public authorities in the exercise of their functions."

Once the positive fact of the treatment has been accredited, it corresponds to prove compliance with the requirements to the claimed.

In this sense, it is not proven that the exposure of the photographs that are the object of the claim in various social networks and on the website itself has one of the legitimizing bases that article 6 of the RGPD indicates, so the commission of the infraction charged is accredited.

III

The right of deletion is the right of the interested party to demand from the person responsible for the treatment, in this case, the complained party, who excludes personal data from the processing. The right of deletion is a reflection of the informative self-determination, of the control of the data by its holder.

The right of deletion is contained in article 17 of the RGPD as the right of the interested party, or concerning your data, and at the same time implies an obligation of the person in charge (of the treatment), indicating:

"1. The interested party shall have the right to obtain without undue delay from the person responsible for the treatment the deletion of personal data concerning him, which will be obliged to delete without undue delay the personal data when any of the following circumstances concur:

a) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise treated;

b) the interested party withdraws the consent on which the treatment is based in accordance with Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), and this is not based on other legal basis;

c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and no other legitimate reasons for the treatment prevail, or the interested party opposes the treatment pursuant to Article 21 (2);

d) the personal data has been unlawfully processed;"

Failure to comply with the right to delete photographs exhibited by the claimed in its website and social networks violates article 17 of the RGPD.
IV

Article 58.2 of the RGPD provides: "Each control authority will have all the following corrective powers listed below:

d) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time;

i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;"

A fine is imposed for not responding to the right of the claimed and not making effective the same, in addition the exposed images come from several years and date back to 2017.

V

Regarding these two offenses and the penalties, Article 83.5 of the RGPD refers:

"Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the one with the highest amount:

a) the basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9;

b) the rights of the interested parties in accordance with articles 12 to 22."

VI

The offenses are classified in article 72 of the LOPDGDD:

1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following:

b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679.
k) The impediment or the obstruction or the repeated neglect of the exercise of rights established in articles 15 to 22 of Regulation (EU) 2016/679.

VII

The determination of the sanctions to be imposed in the present case requires observing the provisions of articles 83.1) and .2) of the RGPD, precepts that, respectively, provide the following:

"1. Each control authority will guarantee that the imposition of administrative fines in accordance with this article for the infractions of this Regulation indicated in the Sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive."

"2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in article 58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case will be duly taken into account:

a) the nature, seriousness and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or the person in charge of the treatment, having account of the technical or organizational measures that have been applied by virtue of articles 25 and 32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority learned of the infringement, in particular if the controller or the processor notified the infringement and, if so, to what extent;

i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or to certification mechanisms approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the offense."

Within this section, the LOPDGDD contemplates in its article 76, entitled "Sanctions and corrective measures":

"1. The sanctions provided for in paragraphs 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also may be taken into account:

a) The continuing nature of the offense.

b) The linking of the offender's activity with the performance of personal data processing.

c) The benefits obtained as a result of the commission of the offense.

d) The possibility that the affected person's conduct could have led to the commission of the infringement.

e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.

f) Affecting the rights of minors.

g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested party.

3. It will be possible, complementary or alternative, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of the Regulation (EU) 2016/679."

In accordance with the transcribed precepts, in order to set the amount of the fine to impose, in the present case, for the violation of article 6.1 of the RGPD, of which the claimed is held liable, the following are considered to be concurrent as aggravating factors that reveal greater unlawfulness and/or culpability in the conduct of the defendant:

- Article 83.2.a) RGPD: "Nature, seriousness and duration of the offense taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered". It concerns treatments that come from afar, year 2017, last in 2018, until 2020, their quantity which are not rare, and the scope it has, as highlighted, contained in two social networks and the website itself, valuing the amount at six thousand euros (6,000 euros).

In the infraction for lack of attention of the right to suppression of data, article 17 of the RGPD, for the purpose of setting the amount of the fine to impose, of which the claimed is held liable, the following are considered to be concurrent as aggravating factors that reveal greater unlawfulness and/or culpability in the conduct of the defendant:

- Article 83.2.b) "intentionality or negligence in the offense", not being an intentional action, it was requested on up to two occasions, without obtaining any response, which denotes a special lack of diligence in the fulfillment of the duties that correspond to him, valuing the offense at three thousand euros (3,000 euros).
Therefore, in accordance with the applicable legislation and proving the infractions, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE EDUCANDO JUNTOS SL, with NIF B85634681, for an infraction of article 6.1 of the RGPD, typified in article 83.5 a) of the RGPD, and for the purposes of prescription in article 72.1.a) of the LOPDGDD, a fine of 6,000 euros (six thousand euros).

SECOND: IMPOSE EDUCANDO JUNTOS SL, with NIF B85634681, for an offense of Article 17 of the RGPD, typified in Article 83.5 b) of the RGPD, and for the purposes of prescription in article 72.1.k) of the LOPDGDD, a fine of 3,000 euros (three thousand euros).

THIRD: NOTIFY this resolution to EDUCANDO JUNTOS SL.

FOURTH: Warn the sanctioned person that he must make the imposed sanction effective once this resolution is executive, in accordance with the provisions of art. 98.1.b) of the LPACAP, within the voluntary payment term established in art. 68 of the General Regulations of Collection, approved by Royal Decree 939/2005, of 07/29, in relation to art. 62 of the Law 58/2003, of 12/17, by means of their entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the restricted account nº ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Protection Agency of Data in the banking entity CAIXABANK, S.A. Otherwise, it will proceed to your collection in executive period.

Once the notification has been received and once it is executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be up to the 20th of the following or immediately subsequent business month, and if it is between the 16th and last of each month, both inclusive, the payment term will be until the 5th of the second month next or immediate after business.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution or directly administrative contentious appeal before the Chamber of the Contentious-administrative of the National Court, in accordance with the provisions of Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 13 of July, regulating the Contentious-Administrative Jurisdiction, within a period of two months to count from the day following notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may provisionally suspend the final administrative resolution if the interested party manifests his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal.
If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.

938-231221

Mar Spain Martí
Director of the Spanish Agency for Data Protection