AEPD (Spain) - EXP202309210: Difference between revisions

Revision as of 14:45, 28 May 2024

AEPD - EXP202309210

Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 6 GDPR
Type:	Other
Outcome:	n/a
Started:	06.02.2024
Decided:
Published:	10.05.2024
Fine:	n/a
Parties:	n/a
National Case Number/Name:	EXP202309210
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	lm

The DPA found that posting a link to social media of a video featuring a data subject, which was originally uploaded without their consent, is processing without a legal basis. However, it upheld an appeal and archived the decision because it could not verify the controller's identity.

English Summary

Facts

A data subject filed various complaints with the Spanish DPA (AEPD) concerning a video, which featured his image and voice, that was shared on social media platforms without his consent. The complaints involved numerous users from Twitter, Youtube, Instagram and pacot.es (a nonprofit Spanish forum for user-generated content) who posted or reposted the video or its contents.

The video was first published by a user on Twitter and ultimately went viral, reaching over 440 thousand retweets or reposts of its content. On 3 September 2022, a user on pacot.es (the controller), a Spanish social media website, republished the video with a link to the original Twitter post. Other users on pacot.es commented on the video, including with screenshots of it that featured the data subject and with the data subject’s name.

In an effort to identify the individuals behind the social media accounts, the AEPD solicited information about User 4 and two other users from pacot.es on 16 January 2023. The webpage responded that it did not retain any personal data from its users except for their email addresses and the IP address of the last access made by the user. Accordingly, it provided the AEPD with the email addresses as well as the last-accessed IP addresses registered on 28 January 2023 (the day of their response to the AEPD) and 13 February 2023 (the day of a second response to the AEPD) of the requested users (including the controller). Based on the data, the AEPD identified a controller. However, the two IP addresses indicated different individuals.

On 30 March 2023, the identified controller wrote the DPA. He admitted to being the account holder, but argued that he was not the author of the post and that he did not have access to the page on 13 February 2023. He claimed that he did not remember accessing the forum on 13 February 2023 and that his account appears to have been hacked. He noted that pacot.es had frequently faced complaints of hacking. The controller also stressed that the proceedings failed to focus on the fact that the pacot.es post published a link rather than uploading the original video. Merely posting a link, it argued, should not be considered a processing of data.

On 8 January 2024, the AEPD concluded sanctioning proceedings against the controller, finding that he had violated Article 6 GDPR and issued a fine of €2,000. It noted that the controller had shared a video containing personal data without the consent of the recorded data subject, which constituted processing of personal data without a proper legal basis.

On 6 February 2024, the controller appealed the AEPD’s decision internally. It argued that the AEPD’s procedure was defective and that the chronology and facts at issue were inaccurate, and thus requested that the decision be annulled.

Holding

The AEPD appeal body considered that the inability to verify that the IP addresses corresponded to the same individual made it impossible to verify that the controller was actually responsible for the post. As a result, it could not be certain that the controller processed the data at issue. Given that the pacot.es platform had since been removed from the internet, the AEPD was unable to continue new investigation efforts.

As a result, the AEPD upheld the controller’s internal appeal.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/14

 File no.: EXP202309210

RESOLUTION OF REPLACEMENT APPEAL

Examined the appeal for reconsideration filed by A.A.A. (hereinafter referred to as the part
appellant) against the resolution issued by the Director of the Spanish Agency for
Data Protection dated January 8, 2024, and based on the following

FACTS

FIRST: B.B.B. (hereinafter, the claiming party) on 09/05/2022 filed
two complaints before the Spanish Data Protection Agency directed against
the users of the social network “Twitter” that are mentioned in the URLs indicated in
such claims. The reasons on which these claims are based are:

following:

“Publication of a private video in which I appear without my consent. The video
It has gone viral and I have not given permission to the editing of the video or its distribution.
They were independent shots for a work purpose, not for publication on networks
without my consent since it was not even I who distributed the

video. Fact reported on Twitter and response received without any action being taken
measures".

In the first of the complaints received, it is stated that the video was published on
the social network “Twitter” on date ***DATE.1 by the user “***USER.1”. He
video consists of a montage of successive shots (...).

Through the second claim, the complaining party “adds” documentation to the
previous complaint and details the URLs that lead to the reported posts
(22 videos and 2 images).

Along with the claims, the following documentation is provided, among other documentation:

. Screenshot corresponding to the “Twitter” user profile
“***USER.2”, “***USER.1”. It includes the date “***DATE.1.”, the text “(...)” and
an image of the video in question that corresponds to a photo of the complaining party.
It is stated that the video has a duration of 38 seconds and that it has had “1.7 M
reproductions”.

. Screenshots corresponding to the “Twitter” user profiles that
They released the video or images. Most of them include the dates (…);
texts like “(…)”; etc.; and an image of the video in question that corresponds to a
photo of the complaining party. The duration of the video (38 seconds) and the number

of reproductions in each case (from 30 to 443.8 thousand reproductions).

SECOND: On 09/05/2022, in accordance with article 65 of the
LOPDGDD, the first of the claims outlined in the
Background First. The Admission Agreement was notified to the complaining party in
the same date.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/14

THIRD: On 09/06/2022, two new
claims of the complaining party. The claims are directed against new

“Twitter”, “Instagram” and “Youtube” users, who also shared the video on
issue with comments similar to those reviewed above, which are
add to those included in the previous claims, as well as against the
responsible and users of the web pages indicated, in which it was inserted
Also the video in question.

Among the latter, there is a user of the website “pacot.es”, identified as
“***USUARIO.3”, which published the video in question on 09/03/2022, accessible at
the URL “***URL.1”, taken from the Twitter user “***USER.1”.

Through the General Subdirectorate of Data Inspection, the thread generated by the

user “***USER.3” with the label “(...)”, verifying that, on the same date of the
09/03/2022, other users of the “pacot.es” website made comments regarding
the repeated video. The user identified as “***USER.4” made a comment
at 5:03 p.m., with the text “There is no color. (...) has penetrated deeply into our
hearts”, and included a screenshot corresponding to a photograph
taken from the published video in which the complaining party can be seen together with another

person. The photograph is not shown with complete clarity, but not in a way that prevents the
Identification of the complaining party.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in

issue, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD. The following checks and actions were carried out:

1. The Inspection Services inform that the website “pacot.es” is a forum without purpose
for-profit (there is no user fee or advertising) focused on various hobbies
such as video games, cinema, literature, etc., in which the content is generated by the
own users.

2. On 09/08/2022, the Public Business Entity Red.es (REDES) was requested
information about the entity responsible for the Dominican “pacot.es”.

REDES responds that the owner is B.B.B., with address at ***ADDRESS.1, with
email address “***EMAIL.1” and telephone number ***PHONE.1.

According to the information provided, the administrative, technical and
Billing is C.C.C., with address at ***ADDRESS.2.

3. On 10/03/2022, information was requested from the entity Orange Espagne, S.A.U.

on the ownership of the ***PHONE line.1. As reported by this entity on date
10/19/2022, the line belongs to D.D.D., with address at ***ADDRESS.3.

4. Within the framework of the previous investigation actions, on 10/21/2022, the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/14

AEPD issued “Agreement for the adoption of provisional measures” by which it was ordered
D.D.D. the removal of the content that is the subject of the claim inserted on the website

“pacot.es”, accessible through the URL “***URL.1” (video about “(...)” by the user
“***USER.3”).

In this agreement, which was notified on 11/10/2022, it was expressly provided for:

following:

"1. Require D.D.D. (pacot.es) so that, within a maximum period of 5 calendar days,
proceed to remove the aforementioned contents relating to the claimant from the addresses
web from which they are accessible, avoiding to the extent that the state of the
technology permits, the re-uploading or re-uploading of exact copies or replicas by the same or
Other users.

2. Require D.D.D. (pacot.es) so that the withdrawal or modification of the contents is
carried out in such a way that it makes it impossible for third parties to access and dispose of the original, but
guarantee its conservation, in order to safeguard evidence that may be necessary
in the course of the police or administrative investigation or judicial process that could
educate yourself

3. Require D.D.D. (pacot.es) so that, within a maximum period of 5 calendar days, they report
to this Spanish Data Protection Agency about the execution of the measure.”

5. Through requests dated 10/03, 11/17 and 11/21/2022, the
responsible for “Wespec”, hosting and domain provider, information about the
ownership of the email address “***EMAIL.1”, identification data and
contacts of the domain “pacot.es” and the ownership and billing address of this

domain.

This entity responded on 11/25/2022 to the following:

. The email address “***EMAIL.1” does not belong to the client. It was used for

Anonymize your customer email address and prevent you from receiving spam emails.

. The identification and contact data of the owner of the domain “pacot.es” registered in
your systems:

. (…)

According to the aforementioned entity, the above data was provided by “E.E.E.”

. Owner and billing address of the domain “pacot.es”:

. (…)
.

6. On 12/07/2022, E.E.E. was requested. (responsible for the website “pacot.es”) the
removal of content published at the URL “***URL.1” and information about the
entity that manages the website “pacot.es”.

A response was received on 12/21/2022, indicating that the “thread” in the
platform with the url: ***URL.1) has been deleted (a “thread” means the message
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/14

initial and all responses thereof) on the same day of receipt of the letter
(12/21/2022) at 1:15 p.m. (GMT).”

It indicates that the website only retains the information strictly necessary for the correct
operation of the website, which does not store information or personal data or
photographs of individuals, registered or third parties, and that the possibility of
upload these files to the server.

Regarding the photographs and videos indicated in the request, it clarifies that they come from

another website (https://www.twitter.com) and that it is the users of “pacot.es” who have
placed links to said content. To clearly indicate that these contents are not
They come from “pacot.es”, but they do come from other websites, they fit into a framework that
indicates which platform it is (the users who have published said platform are indicated).
image on “twitter.com” and linked to “pacot.es”).

He adds that “when an image from https://www.twitter.com is cited but not its “post”
original, this appears with the domain https://pbs.twimg.com. No images are hosted
at hrrps://pacot.es”. According to the documentation provided, this is the case of the image
inserted with the comment made by the user “***USER.4”.

If the content of said links is deleted at source, it no longer appears on
“pacot.es”.

7. On 01/11/2023, the Inspection Services verified that the
Content accessible through the URL “***URL.1” has been removed. In this same

date it was found that the “pacot.es” page was not available.

8. On 01/16/2023, in order to determine the authorship of the publications,
requested E.E.E. information about the IP address from which the user
“***USUARIO.4” published the claimed content on 09/03/2022, at 17:03, as well as

the identifying registration data for this profile. This same information was requested
regarding two other users who participated in the same thread related to the video
object of the actions.

On 01/28/2023, a response was received indicating that the website does not save
no personal data, beyond the IP address and an email address

electronic. In the case of the user “***USER.4” provides the IP address ***IP.1 and the
address “***EMAIL.2”. The same information is provided in relation to two other
users by whom it was consulted (IP address and email address).

Likewise, it adds that “the website does not record the IP address of each message

individual for reasons of logistics and data protection, but the last one since the
that the user accessed it”, which for the aforementioned user corresponds to the
facilitated.

Subsequently, details of the date and time recorded in their systems were requested.

corresponding to the assignment of IP addresses reported above.

In the response letter, dated 02/13/2023, E.E.E. Provides assigned IP addresses
to the users consulted on the dates 01/28/2023, at 16:27:43 (Spain time),

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/14

and 02/13/2023, at 01:48:22 (Spain time). In relation to the user
“***USER.4”, provides the following detail:

. The IP address ***IP.1 assigned to the profile “***USER.4” corresponds to the day
01/28/2023, at 16:27:43 (Spain time).
. The IP address of “***USER.4” on 02/13/2023, at 01:48:22 (Time
Spain) was ***IP.2.

9. In response to the request made by the Inspection Services,

Telefónica de España, S.A.U. provided this Agency, on 02/14/2023, with the data
identification and address of the owners of the IP addresses indicated on the dates and
specified hours:

. On the date of 01/28/2023, between 16:00:00 and 17:00:00 hours, the owner of the IP

***IP.1 is F.F.F., with DNI ***NIF.1, and street address ***ADDRESS.4.
. On the date of 02/13/2023 between 01:00:00 and 02:00:00 hours, the owner of the IP
***IP.2 is H.H.H., with DNI ***NIF.2, and address on the street ***ADDRESS.5.

Likewise, Telefónica de España, S.A.U. provided different identities for each of
the IP addresses indicated by E.E.E. in relation to another user of the website (the

name, address and ID of the person to whom the IP address was assigned
corresponding to 01/28/2023 do not match those of the person to whom the
IP associated with the same user on 02/13/2023).

10. On 03/09/2023, F.F.F. identification data (name,
surnames and NIF) and address of the person who used your internet connection on
01/28/2023, between 4:00 p.m. and 5:00 p.m. (user “***USER.4” on the site
website “pacot.es”).

On 03/27/2023, the indicated person stated that they do not know the website
“pacot.es” does not even use the Internet, as he has a disabling visual deficiency, and does not know
if “they will have used their WIFI network”.

11. On 03/09/2023, H.H.H. identification data (name,
surnames and NIF) and address of the person who used your internet connection on

02/13/2023, between 01:00 a.m. and 02:00 a.m. (user “***USER.4” on the site
website “pacot.es”).

On 03/30/2023, the indicated person identified the user “***USER.4” as
G.G.G. (hereinafter the claimed party), with the same address on street

***ADDRESS.5.

On this same date of 03/30/2023, a letter was received from this user, the part
claimed, in which he states that his privacy must have been violated in the forum, that he did not
remember having accessed with your username on the date of 02/13/2023; and that in those

dates the website was closed or about to close. He adds that in “pacot.es” there is no
It was not possible to upload images as such, but only through “linking”, remaining
the image hosted on the server where it was originally published, never on
“pacot.es”. According to the claimed party, this website had numerous user complaints

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/14

due to account hacking and identity theft.

12. Finally, in order to clarify how the video jumped to social networks

After the recording of the same, on two occasions the acting inspection requested
the complaining party to identify the author of the recording. These requirements of
information were notified on dates 03/28/2023 and 06/13/2023, but were not
received any response.

In the Report of Previous Investigation Actions, the Inspection Services of
The AEPD emphasize that the video in question, in whose recording the complaining party
participates voluntarily, it went viral after its publication last ***DATE.1 in
Twitter by the user “***USUARIO.1” and that, due to this wide diffusion,
found on dozens of sites and could be easily located with tags like

"(...)" either "(...)". According to the Inspection Services, it is a replica of the
videos that went viral on social networks since 2021 with the subject
“(…)”. Dozens of pages of results can be found using the search engine.
“Google” search.

FIFTH: On July 25, 2023, the Director of the Spanish Agency for

Data Protection agreed to initiate sanctioning proceedings against the claimed party,
G.G.G., in accordance with the provisions of articles 63 and 64 of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations (in
hereinafter, LPACAP), for the alleged violation of article 6 of the RGPD, typified in the
Article 83.5 of the GDPR, considering that the complained party disseminated the subject video

of the claim without the consent of the complaining party and that this dissemination
involves illegal processing of personal data.

SIXTH: Once the aforementioned initiation agreement has been notified, the claimed party, after having
obtained a copy of the proceedings, presented a document in which he formulated the allegations

following:

1. Violation of the principle of typicality, considering that the complaining party
consented to the recording of the video (he appears looking at the camera and (…)), so it is
aware of the recording and use of your image.

The video went viral, reaching the level of public or journalistic interest,
as can be seen in some of the links indicated by the complaining party. So,
understands that when exercising a fundamental right such as freedom of information
about a fact that has achieved notoriety would be within the legitimate interest
established in the RGPD and LOPDGDD.

In this regard, it points out that the “pacot.es” forum did not allow uploading videos or saving
files, as indicated by the administrator in the information provided to the Security Services
AEPD inspection. The only thing it allowed was to copy the link to another website and
viewed from that external source, it being the responsibility of “pacot.es” that said

video would be inserted into the web and shown directly.

The aforementioned principle of typicality is also violated by the lack of specification of the
facts: the URL mentioned does not correspond to a post or thread opened by the party

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/14

claimed, the full URL of the mentioned video is not specified nor the number and
order of the message that was published in said thread, and neither the external link, giving
understand that the video was uploaded directly to “pacot.es”. It is also not specified whether

Only a link was published or if it was the website itself that inserted the video.

According to the claimed party, the operation of the website was as follows:

. If a Twitter link was pasted, the website itself automatically inserted the
profile of the owner of the video, without this meaning that the video had been uploaded to the

Web.

. If the message was cited, the inserted Twitter profile would appear again.
automatically in the new message. But this did not mean that that person was the
author of the insertion.

. The website had a poorly executed UI/UX design error, so, sometimes, when
making a comment on a thread opened by another forum member, inadvertently responding to the
message from another user.

According to the claimed party, the website was reported for hacking or modifications

profile and forum messages and by forum members who received messages without permission.

On the other hand, it highlights that the actions do not determine who, how and when
uploaded the video. The AEPD carries out an extensive interpretation of what the
treatment, without considering that placing a link should not be a treatment of

data. The specific punishable act is not presented, nor the link, nor the author of the post,
nor the date.

In short, the claimed party considers that it is not acceptable to point out that it has tried
images without consent, because you have not uploaded or downloaded the video from any

website or social network, has not created or recorded it, nor has it been entered into “pacot.es”

2. Considers violated the principle of presumption of innocence and the principle
accusatory.

He reiterates that he did not upload the video, nor the link, to the website in question and warns

again that the author of a message in a forum can be easily altered from
a data base.

“pacot.es” used the Discourse forum system, which is open source and has
with extensions so that a thread or item can be changed author. I also know

you can make that modification using a query directly in the database
(PostgreSQL).

Requests the audit log of database changes that ensures that the
forum system administrator or administrators did not alter any messages,

pointed out in this regard that it is mandatory to keep this unalterable record and that this
will allow you to guarantee that your user, your messages or your data have not been altered,
during or after the events.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/14

In addition, it requests that simple screenshots not be admitted as evidence,
which can also be altered with any browser with access to
inspection tools.

Since the AEPD has accessed the message after the creation of the thread, its
authorship has been able to be modified, something common in “pacot.es”.

3. Violation of the principle of proportionality, when the fine was determined without any
argumentation, without motivating the criteria applied and to what extent they affect the amount

of the fine.

The degree of guilt has not been considered, since the video was broadcast by
media and that suggests that the dissemination is legitimate, nor the fact
that the damage was neutralized with the deletion of the video.

4. Finally, he alleges defenselessness for carrying out actions against third parties
persons (the administrators or owners of the website) without the claimed party having
could make any statement to the contrary or request that those people
certify whether the messages could have been altered.

He highlights that he responded to the request that was made to him by the Services of
Inspection of the AEPD admitting to being the user “***USER.4”, but did not admit to being
the author of the video publication nor access to the forum on the date indicated.
indicated in that request (02/13/2023). At that time he had stopped
frequent the forum.

Regarding this detail, he clarifies that he was not asked about the date the video was uploaded,
but for the date of 02/13/2023, which cannot correspond to the publication of the
video, since the claim was submitted in September 2022. There is a
contradiction in the disposition of the facts made by the AEPD.

Furthermore, the same opening agreement refers to the closure of the website “pacot.es” on
02/13/2023, which is also not true. It indicates that the website was open until
02/17/2023, as announced by the administrator weeks in advance, and that it was not
They carried out the appropriate investigations to confirm this fact.

To all this, he adds that defenselessness also results from not having guaranteed the
principle of contradiction and by the closure of the forum, which makes many of
the facts.

He ends his allegations by expressly requesting:

. That the file be closed due to the absence of evidence and the impossibility of
defending.
. That the defect in form be admitted in the communications of the requirements and the
sanctioning procedure, due to the inaccuracy of the facts, the actions and the

presented chronology.
. That the amount of the fine be reduced to one euro, as no
aggravating criterion.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/14

SEVENTH: On 08/31/2023, the instructor of the procedure agreed to open a
testing period in which they practiced the following:

1. The claim filed by the
claiming party and its documentation, the documents obtained and generated during

the phase of admission to processing of the claim, and the report of previous actions of
investigation.

2. The allegations regarding the agreement were reproduced for evidentiary purposes.
initiation of the sanctioning procedure presented by the claimed party, and the

documentation that accompanies them.

EIGHTH: On 10/13/2023, a proposed resolution was formulated, in the sense that
by the director of the AEPD, the requested party was sanctioned for a violation of the
article 6 of the RGPD, typified in article 83.5 of the RGPD, with a fine of €2,000
(two thousand euros).

In this proposed resolution the following Proven Facts were determined:

“FIRST: The defendant has broadcast a video, without having the consent of the
recorded person, consisting of a montage of successive shots in which the
affected, recorded by someone he knows, looks at the camera and (...), which represents a

treatment of your image as personal data considered illicit, as it does not have your
consent".

It is concluded that “the claimed party publishes personal data of the complaining party,
such image and voice of the claimant” and that “the facts exposed, that is, the dissemination
of a video that can damage a person's image, by not having their

consent, means that the processing of your image as personal data may be
considered illegal, which would violate the provisions of article 6 of the
RGPD, indicated in the legal basis III, so it could mean the
commission of an infraction classified in article 83.5 of the RGPD.”

NINTH: On 10/27/2023, the claimed party formulated allegations against the

motion for a resolution, in which it basically reproduces its allegations
above, mainly highlighting that their arguments have not been taken into account
account and that his words have been transformed to emphasize in the proposal that he has
acknowledged having released the video, something he has never stated.

The proposed resolution states that “the claimed party further indicates that

discloses the video based on legitimate interest”, when nowhere in its
allegations or responses has acknowledged or implied this fact, nor has it invoked
in any way the legitimate interest.

Regarding the consent of the complaining party to the recording of the video, it indicates that the

same report of previous actions recognizes that it participated
“voluntarily” in the video recording and that this recording was made by a
person that the complaining party “evidently knows,” to conclude that “no
“we have been able to determine how the video ended up being published on social networks.”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/14

Likewise, it highlights that the complaining party was subsequently requested in two
occasions to collaborate with the investigation, without giving a response in any of them.

Regarding the facts, he points out that it has become clear that the author of the thread on the web
“pacot.es” was another user, who inserted a link to a Twitter user who uploaded
the video to your personal account. These facts clash with the accusation contained in the
Proven Facts, which indicate that the claimed party spread the video.

With your username only a comment appears and, below, a blurry photo that

It does not identify anyone, and not a video. Understands that, as the capture of
screen obtained from the forum by the Inspection Services, it cannot be stated that the
photo belongs to your comment or to the forum member who answered below. That photo is
hosted on an external server, on Twitter and not on “pacot.es”.

It warns, on the other hand, that the AEPD has not carried out an investigation of the
operation of the forum, having been limited to the information provided by the
web headlines.

He once again invokes the principle of presumption of innocence and proportionality and
He alleges again the helplessness caused.

TENTH: On 01/08/2024, a resolution was issued by the Director of the Agency
Spanish Data Protection Regulation, by virtue of which the claimed party was imposed,
for a violation of article 6 of the RGPD, typified in article 83.5 of the RGPD, a
fine of 2,000 euros (two thousand euros).

ELEVENTH: On 02/06/2024, within the established period, the
appeal for reconsideration by the claimed party (hereinafter the claimed party or
appellant) against the resolution outlined in the Tenth Antecedent, dated

01/08/2024, in which the same circumstances and allegations are revealed
collected the documents presented during the processing of the procedure and requests the
following:

1. That, in the absence of evidence, the nullity or annulability of the
appealed resolution.

2. That the defect in form in the procedure and in the requirements be admitted
carried out by the AEPD, due to the inaccuracy of the events narrated, the chronology
presented in the documents sent and in the actions of the AEPD.
3. That, in the absence of justification for the graduation of the sanction, the
nullity or annulability of the appealed resolution.

4. That the nullity or annulability of the resolution appealed for violation be declared
of the presumption of innocence, due to unfounded accusations, arguments
falsely attributed and for the helplessness suffered.

Through “Othersi, I say second”, he requests “that this time all

my allegations, respecting the subject to which they refer, and not altering the
sense and reasoning of these, which until now has caused
"misinterpretations or false accusations."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/14

From what was stated in the appeal, the following statements should be highlighted:

. He reiterates that in his first allegation he requested the audit record of the database

data, which guarantees that the forum administrator did not alter any messages.

. That the investigations carried out by the AEPD have revealed difficulties
to locate the real people behind the forum profiles.

FOUNDATIONS OF LAW

Yo
Competence

The Director of the Spanish Agency is competent to resolve this appeal.
of Data Protection, in accordance with the provisions of article 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the

Public Administrations (hereinafter LPACAP) and article 48.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD).

II
Absence of evidence

In the present case, a claim was filed against several social network users
for the dissemination of a video in which the image and voice of the party are shown

complainant or photographs taken from said video, together with comments that, in
In some cases, they alluded to his name. The claims made were directed
also against those responsible and users of various web pages, in which
He also inserted the video in question.

Among the latter is the website “pacot.es”, in which a user identified as

“***USUARIO.3” published the video in question on 09/03/2022, accessible on the
URL “***URL.1”, taken from Twitter user “***USER.1”.

On the same date of 09/03/2022, other users of “pacot.es” made comments
in the thread generated by the user “***USER.3” with the label “(...)”, including the

own video or an image taken from it. Specifically, a person
identified with the username “***USUARIO.4” made a comment to the
17:03 hours, with the text “There is no color. (...) has penetrated deep into our hearts”,
and included a screenshot corresponding to a photograph taken from the video
published in which the complaining party can be seen with another person.

To identify the person acting under that username and determine the
authorship of the claimed events, the AEPD Inspection Services requested
to the person responsible for “pacot.es” information about various users of the website, including the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/14

creator of the thread and the user “***USER.4”, specifically the IP address from which
published the claimed content on 09/03/2022, at the time corresponding to each
one of them, as well as the identifying registration data of those profiles. The three

users to whom the information request referred had intervened in the
same thread related to the video that is the subject of the proceedings.

In the response received, the person responsible for the aforementioned website reported that the
IP address of each individual message, but the one of the last access made by the
user in question; and that no personal data is saved, except for that address

IP and an email address. For the three users consulted, it provided
an IP address corresponding to the date of 01/28/2023 (date of the response) and
an e-mail address.

Subsequently, the same person responsible for the website was requested to provide details of the date and

time that appears in their systems corresponding to the assignment of IP addresses
informed.

In a new response letter, dated 02/13/2023, the IP addresses were provided
assigned to the consulted users, corresponding to 01/28/2023, at
16:27:43 (Spain time), and on 02/13/2023, at 01:48:22 (Spain time). In

In relation to the claimed party, the following detail was provided:

. The IP address ***IP.1 assigned to the profile “***USER.4” corresponds to the day
01/28/2023, at 16:27:43 (Spain time).
. The IP address of “***USER.4” on 02/13/2023, at 01:48:22 (Time

Spain) was ***IP.2.

Based on such data, in response to the request made by the
Inspection Services, Telefónica de España, S.A.U. provided the AEPD with the data
identification and address of the holders of the IP address assignments

indicated, in the specified periods, it should be noted that in relation to the
user “***USER.4” a different person was indicated, with a different address,
for each of the IP addresses and date reported by the person responsible for the website:

. On the date of 01/28/2023, between 16:00:00 and 17:00:00 hours, the owner of the IP
***IP.1 is F.F.F., with DNI ***NIF.1, and street address ***ADDRESS.4.

. On the date of 02/13/2023 between 01:00:00 and 02:00:00 hours, the owner of the IP
***IP.2 is H.H.H., with DNI ***NIF.2, and address on the street ***ADDRESS.5.

Thus, even though the claimed party has acknowledged being the user of “pacot.es”

known as ““***USER.4”, the result of these checks does not allow
ensure that all accesses made to the website with that username were
actually carried out by the claimed party.

It is also interesting to highlight that Telefónica de España, S.A.U. also facilitated

different identities for each of the IP addresses associated by the person responsible
from the website “pacot.es” to the user “***USUARIO.3” on the dates mentioned, being a
person who accessed with that username on 01/28/2023 and a different one
the one who accessed the website on 02/13/2023, also with that username, both

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/14

with different addresses.

Only in the case of the third user consulted did the identity of the person coincide

informed by the aforementioned operator for the two indicated dates.

Given the result obtained, the information on IP addresses assigned to these
users cannot be treated as reliable.

It should also be noted that the IP addresses provided by the person responsible for

“pacot.es” do not correspond to the time in which the events took place, that is,
Those IP addresses were not those assigned to the users who participated in the forum,
in the thread created by “***USUARIO.3”, on 09/03/2023.

The information request made to the person responsible for “pacot.es” requested the

IP address from which these users posted the claimed content, but the
responsible for the website reported that the IP address of each message is not recorded
individual and which retains only the IP address of the last access.

Therefore, it has not been possible to verify whether under the username “***USER.4”,
On that date in September 2022, F.F.F., the claimed party or a third party acted

unknown, as the specific IP address assigned in that case was not available.
exact moment, which would have offered some opportunity to identify the
specific people who intervened in the post relating to the complaining party under
verified usernames.

Likewise, it should be noted that, according to the verifications highlighted by the Services
of Inspection of this AEPD, the website was not available on 01/11/2023,
date prior to the accesses reported by the person responsible for the website, which
They supposedly took place on 01/28 and 02/13/2023.

Consequently, it must be concluded that there is no certainty about the authorship of the
facts analyzed in the contested resolution, supposedly committed by the party
claimed under the username “***USER.4”, so there is no basis
factual basis to impute a violation in terms of data protection or to
sanction him for the same, proceeding to reconsider the validity of the resolution
contested, with the approval of the appeal for reconsideration filed and the filing of the

performances.

It is taken into account that the website “pacot.es” was closed by its person in charge and that this
makes it difficult for this AEPD to carry out new verifications.

Considering the aforementioned precepts and others of general application,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: ESTIMATE the appeal for reconsideration filed by A.A.A., with NIF
***NIF.3, against the resolution of this Spanish Data Protection Agency
issued on January 8, 2024, in file EXP202309210, with file
of the performances.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/14

SECOND: NOTIFY this resolution to A.A.A., with NIF ***NIF.3.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations
(LPACAP), interested parties may file a contentious-administrative appeal before
the Contentious-Administrative Chamber of the National Court, in accordance with the

provided in article 25 and in section 5 of the fourth additional provision of the
Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,
within a period of two months counting from the day following notification of this act,
as provided in article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) LPACAP, it may be
provisionally suspend the final resolution through administrative channels if the interested party
expresses its intention to file a contentious-administrative appeal. If this is
the case, the interested party must formally communicate this fact in writing

addressed to the Spanish Data Protection Agency, presenting it through the
Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or
through any of the other records provided for in art. 16.4 of the aforementioned
LPACAP. You must also transfer to the Agency the documentation that accredits the
effective filing of the contentious-administrative appeal. If the Agency did not have

knowledge of the filing of the contentious-administrative appeal within the period of
two months from the day following the notification of this resolution, it would be considered
the precautionary suspension has ended.

180-21112023
Sea Spain Martí

Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es

@@ Line 68: / Line 68: @@
 The video was first published by a user on Twitter and ultimately went viral, reaching over 440 thousand retweets or reposts of its content. On 3 September 2022, a user on pacot.es (the controller), a Spanish social media website, republished the video with a link to the original Twitter post. Other users on pacot.es commented on the video, including with screenshots of it that featured the data subject and with the data subject’s name.
-In an effort to identify the individuals behind the social media accounts, the AEPD solicited information about User 4 and two other users from pacot.es on 16 January 2023. The webpage responded that it did not retain any personal data from its users except for their email addresses and the IP address of the last access made by the user. Accordingly, it provided the AEPD with the email addresses as well as the last-accessed IP addresses registered on 28 January 2023 (the day of their response to the AEPD) and 13 February 2023 (the day of a second response to the AEPD) of the requested users (including the controller). Based on the data, the AEPD determined identified a controller. However, the two IP addresses indicated different individuals.
+In an effort to identify the individuals behind the social media accounts, the AEPD solicited information about User 4 and two other users from pacot.es on 16 January 2023. The webpage responded that it did not retain any personal data from its users except for their email addresses and the IP address of the last access made by the user. Accordingly, it provided the AEPD with the email addresses as well as the last-accessed IP addresses registered on 28 January 2023 (the day of their response to the AEPD) and 13 February 2023 (the day of a second response to the AEPD) of the requested users (including the controller). Based on the data, the AEPD identified a controller. However, the two IP addresses indicated different individuals.
 On 30 March 2023, the identified controller wrote the DPA. He admitted to being the account holder, but argued that he was not the author of the post and that he did not have access to the page on 13 February 2023. He claimed that he did not remember accessing the forum on 13 February 2023 and that his account appears to have been hacked. He noted that pacot.es had frequently faced complaints of hacking. The controller also stressed that the proceedings failed to focus on the fact that the pacot.es post published a link rather than uploading the original video. Merely posting a link, it argued, should not be considered a processing of data.
@@ Line 74: / Line 74: @@
 On 8 January 2024, the AEPD concluded sanctioning proceedings against the controller, finding that he had violated [[Article 6 GDPR|Article 6 GDPR]] and issued a fine of €2,000. It noted that the controller had shared a video containing personal data without the consent of the recorded data subject, which constituted processing of personal data without a proper legal basis.
-On 6 February 2024, the controller appealed the AEPD’s decision. It argued that the AEPD’s procedure was defective and that the chronology and facts at issue were inaccurate, and thus requested that the decision be annulled.
+On 6 February 2024, the controller appealed the AEPD’s decision internally. It argued that the AEPD’s procedure was defective and that the chronology and facts at issue were inaccurate, and thus requested that the decision be annulled.
 === Holding ===
-The AEPD considered that the inability to verify that the IP addresses corresponded to the same individual made it impossible to verify that the controller was actually responsible for the post. As a result, it could not be certain that the controller processed the data at issue. Given that the pacot.es platform had since been removed from the internet, the AEPD was unable to continue new investigation efforts.
+The AEPD appeal body considered that the inability to verify that the IP addresses corresponded to the same individual made it impossible to verify that the controller was actually responsible for the post. As a result, it could not be certain that the controller processed the data at issue. Given that the pacot.es platform had since been removed from the internet, the AEPD was unable to continue new investigation efforts.
-As a result, the AEPD upheld the controller’s appeal.
+As a result, the AEPD upheld the controller’s internal appeal.
 == Comment ==