AEPD (Spain) - PS/00136/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
 
Line 58: Line 58:
The Spanish Data Protection Authority (AEPD) fined Filigrana Comunicación with € 8000 for the infringement of Articles 6(1), 13 and 14 GDPR, as the company gathered and re-used data from the Andalusian Education Department without a legitimate basis, and they did not fulfill their information obligations.  
The Spanish Data Protection Authority (AEPD) fined Filigrana Comunicación with € 8000 for the infringement of Articles 6(1), 13 and 14 GDPR, as the company gathered and re-used data from the Andalusian Education Department without a legitimate basis, and they did not fulfill their information obligations.  


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
Filigrana Comunicación gathered public data from the Andalusian Education Department and re-posted them in their webpage. They did it without a legitimate basis, and they did not fulfill their information obligations, regarding both Article 14, about data obtained from a source different than the data subject (in this case, the Andalusian Education Department), and Article 13, regarding general information obligation.  
Filigrana Comunicación gathered public data from the Andalusian Education Department and re-posted them in their webpage. They did it without a legitimate basis, and they did not fulfill their information obligations, regarding both Article 14, about data obtained from a source different than the data subject (in this case, the Andalusian Education Department), and Article 13, regarding general information obligation.  


=== Dispute ===
===Dispute===
Can a company re-post public data in their webpage without a legitimate basis?  
Can a company re-post public data in their webpage without a legitimate basis?  


=== Holding ===
===Holding===
The fact that a public administration or body publish documents containing personal data does not mean that they are "open data". The fact that a data is accessible to anyone does not necessarily result in the lawfulness of processing without a basis from Article 6. Therefore, the AEPD considered that there has been an infringement of Article 6.1, entailing a fine of € 2000.
The fact that a public administration or body publish documents containing personal data does not mean that they are "open data". The fact that the data is accessible to anyone does not necessarily result in the lawfulness of processing without a basis from Article 6. Therefore, the AEPD considered that there has been an infringement of Article 6.1, entailing a fine of € 2000.


Article 14 refers to the information that must be provided when the data have not been obtained directly from the data subject, as is the case. The fine for this infringement is € 2000.
Article 14 refers to the information that must be provided when the data have not been obtained directly from the data subject, as is the case. The fine for this infringement is € 2000.
Line 73: Line 73:
Article 13 specifies the information that must be provided to the data subject. In this case, the privacy policy does not provide the information about the data controller or about the rights to which the data subject is entitled. In addition, the company had a subscription form to their system, in which it is understood that consent is granted through the "acceptance" of the privacy policy. The privacy policy was not in line with the general information requirements. The fine for the violation of Article 13 is € 4000.
Article 13 specifies the information that must be provided to the data subject. In this case, the privacy policy does not provide the information about the data controller or about the rights to which the data subject is entitled. In addition, the company had a subscription form to their system, in which it is understood that consent is granted through the "acceptance" of the privacy policy. The privacy policy was not in line with the general information requirements. The fine for the violation of Article 13 is € 4000.


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Revision as of 13:28, 14 March 2021

AEPD - PS/00136/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 6(1) GDPR
Article 13 GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 10.03.2021
Fine: 8000 EUR
Parties: n/a
National Case Number/Name: PS/00136/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish Data Protection Authority (AEPD) fined Filigrana Comunicación with € 8000 for the infringement of Articles 6(1), 13 and 14 GDPR, as the company gathered and re-used data from the Andalusian Education Department without a legitimate basis, and they did not fulfill their information obligations.

English Summary

Facts

Filigrana Comunicación gathered public data from the Andalusian Education Department and re-posted them in their webpage. They did it without a legitimate basis, and they did not fulfill their information obligations, regarding both Article 14, about data obtained from a source different than the data subject (in this case, the Andalusian Education Department), and Article 13, regarding general information obligation.

Dispute

Can a company re-post public data in their webpage without a legitimate basis?

Holding

The fact that a public administration or body publish documents containing personal data does not mean that they are "open data". The fact that the data is accessible to anyone does not necessarily result in the lawfulness of processing without a basis from Article 6. Therefore, the AEPD considered that there has been an infringement of Article 6.1, entailing a fine of € 2000.

Article 14 refers to the information that must be provided when the data have not been obtained directly from the data subject, as is the case. The fine for this infringement is € 2000.

Article 13 specifies the information that must be provided to the data subject. In this case, the privacy policy does not provide the information about the data controller or about the rights to which the data subject is entitled. In addition, the company had a subscription form to their system, in which it is understood that consent is granted through the "acceptance" of the privacy policy. The privacy policy was not in line with the general information requirements. The fine for the violation of Article 13 is € 4000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.