AEPD (Spain) - PS/00043/2021: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 64: | Line 64: | ||
=== Facts === | === Facts === | ||
A data subject lodged a complaint with the Spanish DPA (AEPD) claiming that | A data subject lodged a complaint with the Spanish DPA (AEPD) claiming that their name, surname, and apartment details (building, floor, and apartment number) were disclosed on a display board as a defaulter. | ||
The display board were located at the first building’s floor and every single resident could see it. The complainant’s name was the first of a list of defaulters and non-defaulters gathering all the property owners’ names. | The display board were located at the first building’s floor and every single resident could see it. The complainant’s name was the first of a list of defaulters and non-defaulters gathering all the property owners’ names. | ||
Revision as of 14:56, 20 April 2022
| AEPD (Spain) - PS/00043/2021 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 58(2) GDPR Article 83(2) GDPR Article 83(5) GDPR Article 65, LOPDGDD Articles 47, 48(1) LOPDGDD |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 500 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS/00043/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Jennifer Vidal Ferreira |
The Spanish DPA issued a fine of €500 against an association of property owners for violating Article 5(1)(f) GDPR by sharing information about an owner’s debt on a residential building's display board.
English Summary
Facts
A data subject lodged a complaint with the Spanish DPA (AEPD) claiming that their name, surname, and apartment details (building, floor, and apartment number) were disclosed on a display board as a defaulter.
The display board were located at the first building’s floor and every single resident could see it. The complainant’s name was the first of a list of defaulters and non-defaulters gathering all the property owners’ names.
Holding
The controller itself have had recognized the violation of the GDPR through its actions but have raised that those were either with any bad faith nor in the intention to cause any damage to the complainant’s honor.
The association also highlighted and proved that as soon as they were notified about the complaint, they took the lists out of the display and looked for the complainant to apologized with, providing all the information about the reasons why the situation happened.
The Data Procession Authority considered this context involving de absence of bad faith to determine the fine’s amount.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7
File No.: PS/00043/2021
RESOLUTION OF PUNISHMENT PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: D.A.A.A. (hereinafter, the claimant) dated September 1,
2020 filed a claim with the Spanish Data Protection Agency. The
claim is directed against the OWNERS COMMUNITY ***ADDRESS.1, with
CIF *** CIF.1 (hereinafter, the claimed one).
The reasons on which the claim is based are that it has proceeded, by the
Presidency of the Community of Owners, to be placed on the bulletin boards
a list of debtor owners, including the claimant.
Specifically, the first on the list. The reason for its publication is discretionary,
because it does not obey any Assembly call, nor any publication of
any past Assembly Minutes.
The Community of Owners consists of three blocks, with their respective boards of
advertisements. These publications have been in the 3 boards of the community. The
location of the respective bulletin boards is inside the portals,
all boards are locked and exposed to third party viewing
people outside this community.
Along with the claim, it provides a photograph of the community bulletin board, with
the lists of owners of all the blocks (debtors and non-debtors) in which
consists of name and surnames, block, floor and letter. It also provides other photographs in the
It can be seen that the bulletin board is located on the ground floor, which
would correspond to the portal of the building.
SECOND: In view of the facts denounced in the claim and the
documents provided by the claimant, the claim was transferred to the claimant, the
October 7, 2020 (repeated on October 19, 2020), requiring you to:
"Within a maximum period of one month, from the receipt of this letter, you must analyze the
claim and send this Agency the following information:
The decision made regarding this claim.
In the event of exercising the rights regulated in articles 15 to 22 of the
RGPD, accreditation of the response provided to the claimant.
Report on the causes that have motivated the incidence that has originated the
claim.
Report on the measures adopted to prevent incidents from occurring
similar, dates of implementation and controls carried out to verify their effectiveness.
Any other that you consider relevant.”
In response to the aforementioned request, the Administrator of the Community of
Owners states that "... we consider that, in general, the publication
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/7
on the notice board of the community of a list of owners that is not
are up to date in payment of their fees is not covered by the regulations of
Data Protection."
“That, on August 12, 2020, a letter was sent to all the owners of this
Community where they were informed: “Due to the situation created by the pandemic
of COVID-19 we have not been able to convene the ordinary meeting in order to present
annual accounts, renewal of charges, pending issues, etc. However we have
decided, for the purposes of greater information of the owners, to publish the
accounts for the entire year 2019, and from January to July 2020, and leave the other
Topics for a next regular meeting.”
“That, in accordance with the provisions of the Horizontal Property Law,
public, in those annual accounts, the identity of the debtors and their debts with the
community, allowing this same Law to be published on the Notice Board of
community, (….). However, the aforementioned publication has been made in
compliance with an express agreement adopted by the Board of Owners, so
We humbly believe that we will find ourselves before a transfer of data with
prior consent of the interested parties, which in principle would not violate the
regulations on the protection of personal data.”
The Administrator of the Community of Owners provides a copy of the letter that says
having sent to all the owners, without it being indicated that the
posting on the Community Notice Board is to be made in
compliance with an express agreement of the Board of Owners. This letter is
signed by the Administrator, although the names of the President and of the
two vowels, one from block 3-4 and another from block 6-7, but not a vowel from block 5.
On the other hand, although the letter is dated August 12, 2020, the signature of the
Administrator in said letter is dated November 9, 2020, a date that coincides with the
signature of the response to the request of this Agency.
THIRD: On February 1, 2021, in accordance with article 65 of the
LOPDGDD, the Director of the Spanish Data Protection Agency agreed
admit for processing the claim filed by the claimant against the entity
claimed.
FOURTH: On June 11, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed entity,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of the Public Administrations (in
hereinafter, LPACAP), for the alleged infringement of article 5.1.f) of the RGPD, typified
in article 83.5 of the RGPD.
FIFTH: Having been notified of the aforementioned initiation agreement, the entity claimed submitted a written
of allegations in which, in summary, it stated that it expressly recognizes that
the established legal precepts have been infringed, but without any intention of
cause damage to the owner, to the claimant. The community never wanted
damage the honor or acted with intent towards the claimant, proof of this is that the
administrator and representative of the community, contacted him and gave him
all possible explanations, in addition to personally apologizing,
explained that the facts that he mentioned in his claim in no case existed
bad faith on the part of the community and that in future calls the community
will publicly retract such non-compliance, non-compliance that is derived from
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 3/7
an exceptional situation due to the impossibility of holding the ordinary meeting
scheduled. It has ordered that the listings subject to the
claim, as evidenced in the attached document (Photographs of the planks).
SIXTH: On January 19, 2022, a resolution proposal was formulated,
proposing that the Director of the Spanish Data Protection Agency sanction
to the OWNERS COMMUNITY ***ADDRESS.1, with CIF ***CIF.1, for a
infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, with a
fine of FIVE HUNDRED € (500 euros).
SEVENTH: On January 30, 2022, ten calendar days after the
made available to the notification, without the claimed party having agreed to its
content, is understood to be rejected, in accordance with article 43.2 of the LPACAP.
Of the actions carried out in this procedure and the documentation
in the file, the following have been accredited:
ACTS
FIRST: The Presidency of the Community of
Owners, to post on the bulletin boards a list of debtor owners,
among which is the complaining party (the first on the list), and non-debtors.
The Community of Owners consists of three blocks, with their respective boards of
advertisements. These publications have been in the 3 boards of the community. The
location of the respective bulletin boards is inside the portals,
all boards are locked and exposed to third party viewing
people outside this community. In the lists of owners of all the
blocks (debtors and non-debtors) includes name and surname, block, floor and letter. The
notice board is located on the ground floor, which would correspond to the portal
of the building.
SECOND: The claimed entity expressly acknowledges that the
established legal precepts, but without any intention of causing damage to the
owner, to the claimant. The community at no time wanted to harm the
honor or acted with intent towards the claimant, proof of this is that the
administrator and representative of the community, contacted him and gave him
all possible explanations, in addition to personally apologizing,
explained that the facts that he mentioned in his claim in no case existed
bad faith on the part of the community and that in future calls the community
will publicly retract such non-compliance, non-compliance that is derived from
an exceptional situation due to the impossibility of holding the ordinary meeting
scheduled. It has ordered that the listings subject to the
claim, as evidenced in the attached document (Photographs of the planks).
FOUNDATIONS OF LAW
I
In accordance with the powers that article 58.2 of (EU) 2016/679 (Regulation
General Data Protection, hereinafter RGPD), grants each authority of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 4/7
control and according to the provisions of articles 47 and 48.1 of Organic Law 3/2018, of
December 5, Protection of Personal Data and guarantee of rights
(hereinafter, LOPDGDD), is competent to initiate and resolve this
procedure the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”
II
In accordance with the evidence available at the present time of the
sanctioning procedure, it is considered that the proven facts constitute
of infraction.
The defendant is accused of committing an infraction for violation of the
Article 5.1.f) of the RGPD, which states that:
"one. The personal data will be:
“f) processed in such a way as to guarantee adequate security of the data
including protection against unauthorized or unlawful processing and against
your transcript.
The infringement is typified in Article 83.5.a) of the RGPD, which considers as such:
“the basic principles for treatment, including the conditions for the
consent under articles 5, 6, 7 and 9”.
III
This infraction can be sanctioned with a maximum fine of €20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual turnover of the previous financial year, opting for the
of greater amount, in accordance with article 83.5 of the RGPD.
In this sense, the actions taken by the claimed party are relevant.
upon learning of the claim of which it was informed by this AEPD and the measures
adopted, having to report on them within the procedure, being able to
in the resolution, adopt the appropriate ones for its adjustment to the regulations.
IV
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established by article 83.2 of the RGPD:
2. Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case will be duly taken into account:
a) the nature, seriousness and duration of the offence, taking into account the
nature, scope or purpose of the processing operation in question, as well
such as the number of interested parties affected and the level of damages that
have suffered;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 5/7
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to
alleviate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or of the person in charge of the treatment,
taking into account the technical or organizational measures that they have applied under
of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person in charge or the person in charge notified the infringement and, if so, in what
extent;
i) when the measures indicated in article 58, section 2, have been ordered
previously against the person in charge or the person in charge in question in relation to the
same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or mechanisms of
certification approved in accordance with article 42,
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.”
v
In accordance with the precepts transcribed, in order to set the amount of the penalty for
infringement of article 5.1 f) to the claimed party, as responsible for the aforementioned
infringement typified in article 83.5 of the RGPD, and estimated the allegations
filed by the respondent, due to the circumstances of the case, it is appropriate to graduate
the fine taking into account the following mitigating factors:
. Non-existence of antecedents.
. Recognition of the infraction, which has been remedied in its entirety once
received the agreement to start this procedure, deleting all the data
bulletin board staff.
. Compliance with the measures imposed in the Start Agreement, by the person in charge
or in charge of the treatment, so that the treatment operations are adjusted to the
GDPR provisions.
. Measures taken to mitigate damages and losses suffered: the administrator and
representative of the community, contacted the complaining party and gave him
all possible explanations, in addition to personally apologizing,
explained that the facts that he mentioned in his claim in no case existed
bad faith on the part of the community and that in future calls the community
will retract such non-compliance publicly.
. The breach is derived from an exceptional situation due to the impossibility of
carry out the regular scheduled meeting of the Community of Owners.
Considering the exposed factors, the valuation that reaches the amount of the fine
is €500 for violation of article 5.1 f) of the RGPD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 6/7
Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE the OWNERS COMMUNITY *** ADDRESS.1, with CIF
*** CIF.1, for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5
of the RGPD, a fine of €500 (FIVE HUNDRED euros).
SECOND: NOTIFY this resolution to the OWNERS COMMUNITY
***ADDRESS 1.
THIRD: Warn the sanctioned party that he must make the imposed sanction effective once
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, through its entry, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency
Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case
Otherwise, it will be collected in the executive period.
Received the notification and once executed, if the date of execution is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following month or immediately after, and if
between the 16th and last day of each month, both inclusive, the payment term
It will be until the 5th of the second following month or immediately after.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 7/7
Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would end the precautionary suspension.
938-270122
Sea Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
