AEPD (Spain) - EXP202204461: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 65: Line 65:
}}
}}


The Spanish DPA found a violation of Article 5(1)(f)GDPR and issued a reprimand on the Based on a complaint directed against a community of property owners for accessing video surveillance footage and sharing said footage without being authorised to do so.  
The Spanish DPA found a violation of Article 5(1)(f) GDPR and fined €2,000 a 'community of owners' for accessing video surveillance footage and sharing it without authorization.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The complaint was filed in 2022 by a member of said community and originally directed at the president of the community as well as another person. The complaining party stated that the respondents had accessed recordings of the community's common area in which the complainant appeared from shared video surveillance system. They subsequently took additional videos of these recordings and shared them in a WhatsApp group with other neighbours.
The data subject was a member of an a community of owners, the controller. They complained with the president of the community association about video recordings in which they appeared.  
The complainant submitted the complaint because they felt that the data controller had violated the principle of integrity and confidentiality while processing their personal data as stated in [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]. After the complaint was forwarded to the respondent no response or explanation was provided at the appropriate procedural time.


The issue whether the president of the community of property owners had violated the principle of confidentiality was affirmed by an examination conducted by the DPA and furthermore acknowledged in a written statement by the respondent.  
Subsequently, the president shared these videos in a WhatsApp group with other neighbours.  


The Spanish DPA (Agencia Española de Protección de Datos) issued a 2000€ fine to the community of property owners (data controller).
The data subject then filed a complaint with the Spanish DPA, claiming that the controller violated the principle of integrity and confidentiality while processing their personal data, in breach of [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].
 
During the procedure, the controller alleged that it was an individual conduct of its president, so only the individual could be held liable, not the legal person.


=== Holding ===
=== Holding ===
The question that posed itself was whether only the president of the community or the community as a whole should be held responsible for these actions.
The DPA dismissed the controller's argument by stating that the community was acting as the controller as it jointly: a) approved the installation of the cameras, b) determined the purpose of the processing, and c) established the means to carry out said processing.
The respondent argued that only the president who carried out the actions, should be held responsible, as they claimed the group as a whole suffered from the situation.
 
This was counterargued by the DPA, stating that some members were aware of the events. Additionally, it was argued that the community itself functions as the controller of the system as it jointly 1) approved the installation 2) determined the purpose of the processing and 3) established the means to carry out said processing.  
It also stated that holding the president responsible individually was an issue to be carried out internally by the supervisory body of the community through mechanisms provided for in the Spanish Horizontal Property Law (HPL).


It was stated that holding the president responsible individually was an issue to be carried out internally by the supervisory body of the community through mechanisms provided for in the Spanish Horizontal Property Law (HPL).
Therefore, [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] was considered violated by the community of owners as a whole and a fine according to [[Article 83 GDPR#5|Article 83(5) GDPR]] was imposed.  


Therefore, [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] was considered violated by the community of property owners as a whole and a fine according to [[Article 83 GDPR#5|Article 83(5) GDPR]] was imposed.
When determining the amount, the DPA took the director’s individual action as well as the communal responsibility into account and issued a fine of €2,000 for the violation of [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] as classified under [[Article 83 GDPR#5|Article 83(5) GDPR]].
When determining the amount, the DPA took the director’s individual action as well as the communal responsibility into account and issued a fine of 2000€ for the violation of [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] as classified under [[Article 83 GDPR#5|Article 83(5) GDPR]].


== Comment ==
== Comment ==

Revision as of 12:55, 16 June 2023

AEPD - PS-00379-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Started: 29.03.2022
Decided: 07.12.2022
Published:
Fine: 2000 EUR
Parties: A.A.A.
COMUNIDAD DE PROPIETARIOS R.R.R.
National Case Number/Name: PS-00379-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: Expediente N.º: EXP202204461 (in ES)
Initial Contributor: michri

The Spanish DPA found a violation of Article 5(1)(f) GDPR and fined €2,000 a 'community of owners' for accessing video surveillance footage and sharing it without authorization.

English Summary

Facts

The data subject was a member of an a community of owners, the controller. They complained with the president of the community association about video recordings in which they appeared.

Subsequently, the president shared these videos in a WhatsApp group with other neighbours.

The data subject then filed a complaint with the Spanish DPA, claiming that the controller violated the principle of integrity and confidentiality while processing their personal data, in breach of Article 5(1)(f) GDPR.

During the procedure, the controller alleged that it was an individual conduct of its president, so only the individual could be held liable, not the legal person.

Holding

The DPA dismissed the controller's argument by stating that the community was acting as the controller as it jointly: a) approved the installation of the cameras, b) determined the purpose of the processing, and c) established the means to carry out said processing.

It also stated that holding the president responsible individually was an issue to be carried out internally by the supervisory body of the community through mechanisms provided for in the Spanish Horizontal Property Law (HPL).

Therefore, Article 5(1)(f) GDPR was considered violated by the community of owners as a whole and a fine according to Article 83(5) GDPR was imposed.

When determining the amount, the DPA took the director’s individual action as well as the communal responsibility into account and issued a fine of €2,000 for the violation of Article 5(1)(f) GDPR as classified under Article 83(5) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/8








     File No.: EXP202204461



                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                   BACKGROUND


FIRST: A.A.A. (*hereinafter, the complaining party) dated March 29, 2022
filed a claim with the Spanish Data Protection Agency. claims her-
tion is directed against COMMUNITY OF OWNERS R.R.R. with NIF ***NIF.1 (in
below, the claimed party). The reasons on which the claim is based are the following:

you:

The claimant states that he resides in a property that the claimant is a resident of.
kitchen and, at the time of the facts that are the subject of the claim, she was President of the Community
of Owners and that is, taking advantage of said condition, together with the other person
claimed, accessed recordings from the video surveillance system of the

Community of Owners in which the claimant appeared, making to his
recordings of said videos, which they spread in a WHATSAPP Group to
other neighbors, the claimant understanding that the defendants have agreed and processed
provided data from the complaining party, as well as from other neighbors.


        Provide the broadcast recordings, as well as the Minutes of the Meeting of Owners
dated March 10, 2022 where the subject is discussed and where the defendant (a) recognises
know the facts and have acted together with the defendant in that regard (Annex I).

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5

December, Protection of Personal Data and guarantee of digital rights (in
hereafter LOPDGDD), said claim was transferred to the party claimed on fe-
date 04/21/22 and 05/11/22, to proceed with its analysis and inform this Agency
within a month, of the actions carried out to adapt to the requirements
provided for in the data protection regulations.


       Made the transfer in accordance with the provisions of Law 39/2015
(October 1)-LPAC- No response was received in this regard, nor has an explanation been given.
made in relation to them at the appropriate procedural moment.

THIRD: On 04/07/22, communication was received from the AET providing the data

prosecutors of the COMMUNITY OF OWNERS R.R.R. that work in your system
form with NIF identifier associated with the claimed ***NIF.1.

FOURTH: On June 29, 2022, in accordance with article 65 of the LO-
PDGDD, the claim presented by the claimant party was admitted for processing.


FIFTH: On September 9, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/8








of the Common Administrative Procedure of Public Administrations (hereinafter
te, LPACAP), for the alleged infringement of Article 5.1.f) of the GDPR, typified in the
Article 83.5 of the GDPR.


SIXTH: Notified the aforementioned start agreement in accordance with the rules established in
Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), the claimed party submitted a written
of allegations dated 10/11/22 in which, in summary, he stated the following:


       "That by means of this document this party recognizes as adjusted to
Law and reality the factual and legal foundations of the complaint filed
for the affected (...) reason why my principal, the Community of owners
acknowledge the facts.


       Attached as document No. 1 Minutes with the dismissal of the President and various
agreements relevant to this sanction.

       In point 4, the undersigned is hired as the new Administrator of the
estate.


       Add that over the years who has controlled the room where
remains the monitor and image recorder have been the different Presidents
(as) therefore the negligent action of a President cannot imply a
sanction for the rest of the neighbors (as) that carry the Community of owners
of the same (…)


       It should be noted that the Community of owners has done everything possible
to put a solution and/or end to the facts denounced, by what this part understands
The proposed sanction is NOT adjusted to law (...) although the sanction must be directed
against the person who has carried out the offense described”.


SEVENTH: On 12/07/22 <Proposed Resolution> is issued in which
proposes a penalty of €2,000 for the misuse of images from the video-
surveillance installed, for the accredited violation of art. 5.1 f) GDPR, when testing the
access to the system without justified cause and the subsequent dissemination of the same.


EIGHTH: After consulting the information system of this Agency, it is reported
electronically the aforementioned act, in accordance with the provisions of
Article 16 Law 39/2015 (October 1).

Of the actions carried out in this procedure and of the documentation

in the file, the following have been accredited:


                                PROVEN FACTS


First. The facts bring cause of the claim before this body on the date
03/29/22 through which the following is transferred:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/8








       “making recordings through the installed video surveillance system
in the Community of owners carried out on the reproduction of images of the
same being the object of recording in the common access/exit area of the same,

the images being distributed through WhatsApp (...)”—folio nº 1--.

Second. The entity COMUNIDAD DE
OWNERS R.R.R. with NIF ***NIF.1.

Third. The access of the main person in charge of the Community to the

room where the video surveillance camera system was installed, without
justified cause in the regulations in force.

Room. The obtaining of images obtained from the monitor of the system is accredited.
ma, as well as the dissemination of these through a private messaging application,

reaching the same knowledge of an indeterminate number of owners (as)
of the property, accompanied by derogatory expressions.

                           FUNDAMENTALS OF LAW

                                           Yo


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (Re-
General Data Protection Regulation, hereinafter GDPR), grants each authori-
quality of control and as established in articles 47, 48.1, 64.2 and 68.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed
by the Spanish Data Protection Agency will be governed by the provisions of

Regulation (EU) 2016/679, in this organic law, by the regulations
comments dictated in its development and, insofar as they do not contradict them, with a sub-
sisidario, by the general rules on administrative procedures."

                                           II


In the present case, the claim dated 03/29/22 is examined by means of
from which the alleged non-consensual access and without justified cause to the
images obtained from the recording system of the Community of owners, being
object according to the claimant's statement of diffusion in a WhatsApp Group without
no apparent reason.


       "That he has been made aware of the recording in the facilities of the building of
images associated with your person considering your privacy and intimacy affected
(…)” –folio nº 1--.


       It should be noted that the Community of owners (as) holds the status of
"responsible for the treatment" (article 4 point 7 of the GDPR), regardless of whether the
access to the images has been made by a governing body of the same, without the
The reasons for accessing and obtaining the images have been clarified to date.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/8









       "responsible for the treatment" or "responsible": the natural or legal person,
public authority, service or other body that, alone or jointly with others, determines the

purposes and means of treatment; if the law of the Union or of the Member States
determines the purposes and means of processing, the controller or the criteria
Specific criteria for their appointment may be established by Union Law or
of the Member States;

Being one of the governing bodies, which holds the legal representation of the Co-

community, according to article 13.3 of the LPH, the President must comply with the
mandates, act with diligence and execute the agreements adopted by the Board of Pro-
owners, and may be affected by liability in the event of an alleged extrali-
limitation in the exercise of their duties.


       The facts described above may affect the article
5.1 f) GDPR.

       “processed in such a way as to ensure adequate data security
personal data, including protection against unauthorized or unlawful processing and against
its loss, destruction or accidental damage, through the application of technical measures

or organizational ("integrity and confidentiality").

Video surveillance in a community is the installation of cameras in the elements
common areas of the building that allows to improve surveillance and therefore security within
of the same. At the time of its installation, the obligations set forth must be complied with.

in the European Data Protection Regulation and the Organic Law 3/2018 of Protection
tion of Personal Data and Guarantee of Digital Rights.

       Article 22 section 3 of the LOPDGDD (LO 3/2018, December 5) provides as
following:


       "The data will be deleted within a maximum period of one month from its capture.
tion, except when they had to be kept to prove the commission of acts
that threaten the integrity of people, property or facilities. In such a case, the
Images must be made available to the competent authority within a period
maximum of seventy-two hours from when the existence of the

the recording” (* underlining belongs to this organization).

       Access to the recordings of the video surveillance systems can only be provided
occur in the legally determined cases and by a duly authorized person.
zada in his case, being equally “exceptional” the diffusion of the images that were

have obtained with it (them), respecting in any case the regulations in force in
personal data protection, as well as the other regulations
of the legal system in force.

                                           II


Based on the evidence available in this proceeding
disciplinary action, it is considered that the party claimed according to the statements made
has proceeded to access the recording system of the Community without just cause

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/8








owners, proceeding to disseminate data (images) of the claimant without
obey one (s) of the reasons provided for in the rule.


       Article 13 of the LPH (Law 49/1960, July 21) "The governing bodies of
the Community are as follows:

       b) The president, and if applicable, the vice-presidents (...).

       The claimed party in its current representative acknowledges, without ambiguity, the facts

rights transferred by this body "recognizes as adjusted to law and to
the reality of the factual and legal foundations" for which the Community of Property
The petitioners acknowledge the facts (folio no. 1 Statement of allegations 10/11/22).

       It is argued that the responsibility for the facts, however, should lie

on the President (a) who made them and not on the group of owners
that in his opinion they have suffered these actions "adopting the necessary measures
to alleviate the situation" that has even led to the rescission of the mandate conferred,
Hiring a new Property Manager.

       On this aspect, influence the responsibility of the Community as a whole.

of course, being the same knowledgeable in some (as) of its members of the facts described
as evidenced by the fact that the images are disseminated in a well-known mental system.
Sajería of private use of the same.

       Furthermore, in the installation of this type of device the “responsibility

saber" of the system is this and not the President who acts as a mere representative,
Since it is the Community as such that approves the installation, the purpose of the work
treatment and the means to carry out said treatment, being ultimately the
own Board of owners, the body to which it is subordinated, which can act
against excesses in the exercise of functions or situations that can be classified in

<abuse of power> by the same, through the mechanisms provided for in the
LPH (vgr. art. 14 LPH).

       The management of the President and other positions of the Community may have
consequences at the legal level if it is not done diligently, even if there are
when they use their position and authority to make decisions or behaviors

that may not be convenient for the Community of owners.

       The question of an alleged civil or criminal liability for damages
damages caused, where appropriate, to the Community of owners by the President of the
itself, due to willful or negligent breach in the exercise of its functions, it is

a question that, in its case, is the responsibility of all the owners of the property, exercising
in his case against the same the legal actions that are deemed pertinent in-
even in the case of an alleged abuse of power.

       Of the set of allegations and evidence provided, recognized by the re-

claimed, it can be concluded that there has been an access not protected by law to the
images (data) from the video surveillance system installed, which allowed the capture
of a community space without justified cause for access and dissemination of these
in the exposed form.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/8









       The measures adopted have been decided after the events occurred
described as a result of the intervention of both this body, as well as having knowledge

of criminal complaint as a result of the facts described in the Instruction Court No. 5
(Palmas de Gran Canaria) without them being complete in the opinion of this organization.
mine.

       It would be advisable to adopt additional measures such as clearly indicating
the main person responsible for access to them, establishing documentary-

an action protocol, which will avoid actions such as those described in the future.
tas, without prejudice to informing the set of owners (as) of the property.

The known facts are therefore constitutive of an infringement, attributable to the
claimed party, for violation of article 5.1 letter f) RGPD, previously cited.


                                           IV.

The art. 83.5 GDPR provides the following: "Violations of the following provisions
These will be penalized, in accordance with section 2, with administrative fines of 20
000 000 EUR maximum or, in the case of a company, an equivalent amount

to a maximum of 4% of the overall annual total turnover of the financial year
previous year, opting for the one with the highest amount:

       a) The basic principles for the treatment including the conditions for the
           consent in accordance with articles 5,6,7 and 9 (…)”.


       When motivating the sanction, it is taken into account that it is a person
physical person who has accessed the images (data), but who cannot ignore the
responsibilities of his position in the Community of owners, who has agreed to the
recording system of the same without just cause, proceeding to the diffusion

of the same without adequate guarantees through a well-known application of men-
sajeria, which entails gross negligence in the conduct described attributable differently.
directly to the Community itself by not adopting any guarantee in the dissemination to third parties.
ros (as) affecting the rights of the affected, as well as the insufficient reaction
from the first moment of having knowledge of these, reasons all of which justify
tify the imposition of a penalty of €2,000, according to the seriousness of the facts

taking into account the number of owners, the nature of the conduct described
and located in any case on the lower scale for this type of behavior.

Therefore, in accordance with the applicable legislation and assessed the graduation criteria
tion of the sanctions whose existence has been accredited,


the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on COMMUNITY OF OWNERS R.R.R., with NIF ***NIF.1,
for a violation of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR,

a fine of €2000.

SECOND: NOTIFY this resolution to the entity COMMUNITY OF PRO-
PIETARIOS R.R.R..

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/8









THIRD: Warn the penalized person that they must make the imposed sanction effective
Once this resolution is enforceable, in accordance with the provisions of Article

art. 98.1.b) of Law 39/2015, of October 1, on Co-Administrative Procedure
public administrations (hereinafter LPACAP), within the term of payment vo-
volunteer established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of its income, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account

restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXES-
BBXXX), opened on behalf of the Spanish Data Protection Agency in the entity
banking entity CAIXABANK, S.A. Otherwise, it will be collected in
executive period.


Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment period is
It will run until the 5th of the second following or immediately following business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties

Respondents may optionally file an appeal for reinstatement before the Director
of the Spanish Agency for Data Protection within a period of one month from the
the day following the notification of this resolution or directly contentious appeal
before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision

fourth clause of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-
administration, within a period of two months from the day following the notification
tion of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the interested party

do states its intention to file a contentious-administrative appeal. If it is-
As the case may be, the interested party must formally communicate this fact in writing
addressed to the Spanish Data Protection Agency, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to
through any of the other registries provided for in art. 16.4 of the aforementioned Law

39/2015, of October 1. You must also transfer the documentation to the Agency
proving the effective filing of the contentious-administrative appeal. if the
Agency was not aware of the filing of the contentious-administrative appeal
treatment within two months from the day following notification of this
resolution, would terminate the precautionary suspension.



                                                                                  938-181022
Mar Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/8


































































































C/ Jorge Juan, 6 www.aepd.es

28001 – Madrid sedeagpd.gob.es