AEPD (Spain) - EXP202403915: Difference between revisions

AEPD - EXP202403915
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 6(1) GDPR Article 9(1) GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	05.07.2024
Published:
Fine:	10,000 EUR
Parties:	n/a
National Case Number/Name:	EXP202403915
European Case Law Identifier:	n/a
Appeal:	Appealed - Confirmed AEPD (Spain) REPOSICION-PS-00130-2024
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	fb

The DPA fined a plastic surgery clinic €10,000 after it shared on its social media pictures of a data subject without a legal basis.

English Summary

Facts

The data subject underwent plastic surgery in a private clinic (the controller).

The data subject consented to take pictures and record the surgery for medical, scientific or educational purposes.

After that, the controller published on its social media pictures of the data subject comparing her physical appearance before and after the surgery was performed in order to promote the clinic.

Therefore, the data subject filed a complaint with the DPA.

The controller pointed out that the data subject had consented to the processing of her images.

Holding

First, the DPA noted that the data subject consented to the taking of photographs and/or recording.

However, the DPA pointed out that the data subject had never given her consent for her pictures to be shared online. On the contrary, the data subject had consented to record her surgery only for medical, scientific or educational purposes.

Therefore, the DPA held that the controller shared this data without a legal basis and found a violation of Article 6(1) GDPR.

Moreover, it noted that the pictures had already been deleted from the websites and, thus, no corrective measures were needed.

Secondly, the DPA noted that the processing involved data concerning health, therefore falling under Article 9 GDPR. The DPA found a violation of this article.

On these grounds, the DPA issued a fine of €10,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/22

 File No.: EXP202403915

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: On December 28, 2022, A.A.A. (hereinafter, the
complainant) filed a claim with the Spanish Data Protection Agency.

The claim is directed against B.B.B., with NIF ***NIF.1, (hereinafter, the

respondent).

The reasons on which the claim is based are that Dr. C.C.C. (hereinafter, Ms.
C.C.C.), who performed plastic surgery on the complainant, provided B.B.B. (hereinafter, Mr. B.B.B.), before and after photos of the claimant's intervention.

These photos have been published by the respondent party to promote his private plastic surgery clinic on the social networks Facebook and Instagram.

He provides a Notarial Record, dated July 5, 2022, of the advertising and use

of his medical data without his consent.

Relevant documentation provided by the claimant:

- Copy of the Notarial Record, dated July 5, 2022, of the advertising and
use of his medical data without his consent.

- Copy of the Complaint and claim filed on 07/18/2022 before the Hospital
***HOSPITAL.1 for the same facts that appear in the claim filed before
the AEPD.

- Copy of the response from the Hospital ***HOSPITAL.1 dated 08/02/2022.

- Copy of the medical discharge report of the complainant dated 01/11/2017, issued
by Ms. C.C.C..

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to Ms. C.C.C. and the respondent party on 02/14/2023, so that they could proceed with its analysis and inform this
Agency within one month of the actions taken to comply with the
requirements provided for in the data protection regulations.

Both transfers, which were carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), were collected on February 15, 2023, as stated in the acknowledgment of receipt in the file. On April 29, 2023, a written response to the transfer was received from the AEPD, where the respondent party states the following:

- On January 30, 2020, Ms. C.C.C. and he reached a commercial agreement in which Ms. C.C.C., could use the facilities of the Clinic of the respondent party
in Cuenca, (trade name (...)), for the performance of its sanitary work of consultation and follow-up of its clients/patients, as a plastic surgeon, without performing any operation in its facilities.

- On the other hand, and taking advantage of the visibility that the respondent party has on
social networks, an agreement was reached that he would publish some of the work of Ms. C.C.C., as long as she indicated it. Publishing the work
means publishing the before and after through photographic images, of the

surgical work that Ms. C.C.C. performs.

- He states that he does not process personal data of Ms. C.C.C.'s patients, unless it is the publication of this data, being he, in charge of
the treatment of Ms. C.C.C..

- He also wishes to state that he works as a cosmetic doctor in
Cuenca capital, and cannot perform plastic surgery operations, which means that he
does not need any publicity about the results of operations of this type to increase his
clients or benefit from treatments, which as a professional, he cannot perform.

- There is no direct relationship between the complainant and him. All relationship is
established through Ms. C.C.C..

- On 01/30/2020, the respondent party and Ms. C.C.C. signed the contract of
Data Processor, as established in article 28.3 of the
General Data Protection Regulation, where Ms. C.C.C. authorized the

respondent party to process personal data (ANNEX 1 contract).

- In said contract the purposes were:
o “Processing of data of patients/clients treated in the facilities of the Clinic of the data processor by the

data controller.

o Processing of personal data of patients/clients for advertising in facilities, media and social networks of the activities of the security officer, provided that the

controller so indicates in some communication”.

- On 12/12/2021, after a telephone conversation with Ms. C.C.C., in which the respondent party was
instructed to proceed to publish on social networks some images of the result of one of her operations, Ms. C.C.C. sent the respondent party an email with the photos. Completely unaware of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/22

complainant, nor her name, only that the doctor had performed the
operation in Albacete.

- He acknowledges that the publication of the images was made without the
claimant's prior consent to him, but since the respondent party was in
charge of treating Ms. C.C.C., he should have obtained the
claimant's consent.

- At the time of receiving the claim, from the claimant whom he did
not know, and when he was told which photos they were, the photos were
immediately deleted from the social networks Instagram and Facebook, keeping

only the email of Ms. C.C.C., for evidence purposes and which will also be
deleted upon completion of the claim.

- He was carrying out the work entrusted to him, as the person in
charge of processing Ms. C.C.C.'s personal data. C.C.C., the latter being the

data controller, as a result of the existing commercial relationship
between the two.

- It has not carried out any improper processing or illegitimate
processing of the claimant's data, since it only acted in accordance
with the purposes entrusted by Ms. C.C.C., the latter being the party responsible
for said processing and for obtaining the informed consent of its client, the
claimant.

The relevant documentation provided by the respondent party is the following:

- Copy of the Data Processor Contract signed between Mr. B.B.B. and Ms.

C.C.C.. In the second stipulation of said contract under the heading "Purpose
of the processing" it is established that: "The purpose of the processing will be:

o Data of patients/clients treated at the Clinic facilities
of the data processor by the data controller.

o Advertising in facilities, media and social networks
of the activities of the security officer, provided that the
officer so indicates in a communication”.

- Copy of the email sent by Ms. C.C.C. on 12/12/2021, in which the subject

appears: “more photos of (...) doubles” and in which 4 files are attached,
two containing photos of the claimant and two others that appear hidden.

On 05/22/2023, a letter was received from Ms. C.C.C. in which, among other aspects,
she states that:

- Regarding the decision taken regarding this claim, firstly, it must be made clear that she was aware of the
publication of the images on the social networks of the Clinic (...), a commercial name used
by Mr. B.B.B. (the respondent party) following the complaint that the complainant filed with the Hospital's Customer Service

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/22

***HOSPITAL.1. After receiving said complaint, the complainant immediately contacted
the Clinic (...), a commercial name used by D. B.B.B. (the respondent party)
which proceeded to delete the aforementioned images.

- The purpose for which the images were taken was "for the purposes of

advances in medical education (...) for medical, scientific or
educational purposes"; as stated in document n.1 attached to
this document and which consists of the consent document for surgery
signed by the complainant; unaware of the publication on the social media
profiles of the Clinic (...), a commercial name used by D. B.B.B. (the
respondent party) until the time of receiving the claim from the complainant.

- I was unaware of the publication of the images until the time of the
claim to the Hospital's Customer Service Department.
***HOSPITAL.1.

- It should be emphasized that the publication of the images was made on the social networks of the Clinic (...), a commercial name used by Mr.
B.B.B. (the respondent party) and not on his own.

- He is aware that the Clinic deleted the images immediately as soon as he informed them of the complaint he had received through ***HOSPITAL.1.

- That as of the date of this writing the photographs are not available nor is there any possible way to locate them.

- He attaches as Annex I a Report on the causes that have motivated the incident that has given rise to the complaint. In said Report, among other aspects, he indicates:

o That on January 10, 2017, Ms. C.C.C. performed a cosmetic surgery on the complainant
the intervention was carried out at the current Clinic ***HOSPITAL.1.

o On the same day, the claimant signed the consent document for the intervention, section 6 of which expressly states the
consent for photographing or filming the operation for medical, scientific or educational purposes.

o That on January 11, 2017, the claimant was discharged.

o That on July 18, 2022, the claimant filed a claim
with the patient care service of ***HOSPITAL.1.

o That after receiving the claim, she contacted directly the
Clinic (...), a commercial name used by D. B.B.B., (the respondent party) who proceeded to immediately delete the images from
its social media profiles.

o That on February 15, 2023, she received notification of the

previous transfer of the claim and request for a report. C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/22

o That in relation to the reasons motivating the claim, it appears that the Clinic (...), a commercial name used by Mr. B.B.B. (the respondent party) published the images taken before and after the claimant's operation on its Facebook and Instagram profiles without her consent.

o That he was unaware of said publication, so when he received the claimant's claim, he immediately contacted the Clinic (...), a commercial name used by Mr. B.B.B., (the respondent party), who in turn deleted the images from their social media profiles.

o That as of the date of this writing, the images are still not

available and there is no possibility of them being accessible on the Internet

- Attached as Annex II Report on the measures adopted to prevent similar

incidents from occurring, implementation dates and controls carried out to verify their

effectiveness, as set out in the following table:

Measure Implementation date Control

Update and improvement of the consent document May 2023 Annual review of the document in order to
verify its suitability and adapt it, if necessary, to possible new situations.

Global review of the level of May-June 2023 Annual review to verify compliance with the GDPR and compliance with the regulations, detect new
LOPDGDD in the professional activity. treatments and adopt the necessary measures.

Relevant documentation provided by Ms. C.C.C.:

- Annex I Report on the causes that have motivated the incident that has
originated the claim.

- Annex II Report on the measures adopted to prevent similar incidents from occurring

dates of implementation and controls carried out to verify their effectiveness.

- Document No. 1 Copy of the document “CONSENT FOR

SURGERY/PROCEDURE OR TREATMENT” signed by the claimant, authorizing Ms. C.C.C. to perform the procedure or
treatment: (...). And in section 6 it states that: “For the purposes of advancement
in medical education, I give consent for the entry of

observers into the operating room and the photographing or filming of the
operation(s) or procedure(s) to be performed, for medical,
scientific or educational purposes since my identity will not be revealed in the

images”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/22

THIRD: On March 28, 2023, in accordance with article 65 of the
LOPDGDD, the claim submitted by the claimant was admitted for processing.

FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, pursuant to the functions assigned to the control authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, having knowledge of the following:

Regarding the facts contained in the complaint, as well as the documents together with it submitted by the complaining party and the response to the transfer and the accompanying documents, made by Mr. B.B.B. (the respondent party) and by Ms. C.C.C., it is not disputed by the parties that Mr. B.B.B. published on the social media profiles (Facebook and Instagram) of the Clinic (...), which it uses as its
trade name, photographs of before and after the operation of (...) that Ms.

C.C.C. performed on the complainant in January 2017. And that said publication was
made without the consent of the complainant.

It has also been proven that there has never been any type of contractual
relationship between the complainant and Mr. B.B.B. (the respondent), or the Clinic (...),
which it uses as its trade name, as acknowledged by the complainant in its
complaint and by Mr. B.B.B. (the respondent) in its response to the

transfer.

It has been proven that the complainant underwent an operation of (...),
performed by Ms. C.C.C. and gave her consent for her to carry out the
“photographing or filming of the operation(s) or procedure(s) to be

performed, for medical, scientific or educational purposes since my identity will not be

revealed in the images” although only for “purposes of advancement in medical

education”, not for commercial advertising purposes of the activity of Ms. C.C.C. or of
third parties with whom she collaborates. And that the published photographs were taken by
Ms. C.C.C. when she performed the aforementioned operation in January 2017.

The photographs were sent from the email ***EMAIL.1 to the email ***EMAIL.2 on
12/12/2021, said email addresses being those of Ms. C.C.C. and the
respondent respectively.

These photographs were not published on the aforementioned profiles

(Instagram and Facebook) of the Clinic (...), commercial name used by Mr. B.B.B., on
10/02/2023, according to the evidence collected by the AEPD for this purpose.

According to statements by Ms. C.C.C. and Mr. B.B.B., these photographs would have been
removed from social networks after the claim filed by the complainant

to the Hospital ***HOSPITAL.1, in July 2022, and they are still not available and there is
no possibility that they will be accessible on the Internet.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/22

The contractual relationship between Ms. C.C.C. and Mr. B.B.B., in the existing contract for data processing between them dated 01/30/2020, the purposes of said contract are listed as follows: The processing of the “data of

patients/clients treated at the facilities of the Clinic of the data processor by the data controller”. As well as the “advertising in
facilities, media and social networks of the activities of the security officer, provided that the controller so indicates in a
communication”

Mr. B.B.B. has provided a communication (email) from Ms. C.C.C. in which
he sends the photos published by him on the social media profiles of the Clinic (...),
trade name used by Mr. B.B.B..

FIFTH: On March 18, 2024, the Director of the Spanish Data Protection Agency

agreed to initiate sanctioning proceedings against the respondent party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 6.1 of the GDPR and Article 9
of the GDPR, classified in Article 83.5 of the GDPR.

SIXTH: Having notified the aforementioned initiation agreement in accordance with the rules established in
Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), the respondent party submitted a written statement
in which it stated the following:

“The facts reported do not correspond to the factual reality, since it is assumed
that the photographs published on social networks were for my own
benefit, which is totally contrary to reason, since I was only in charge
of data processing, as has been justified in the submission of the documents previously
provided to the file.

The reality is that Ms. C.C.C. has a clinic rented in the premises that I own, and
that the advertisement is for surgical treatments, having nothing to do with my
activity since I only perform aesthetic treatments without surgical interventions, so I can hardly benefit from the publication of these photographs.

I have to say that I have not incurred in any infringing conduct and that therefore the
sanction that has been imposed on me must be null, first of all and in accordance with article
6.1 of the GDPR

In accordance with what I have previously reported and with what is in the

file, as you transcribe, I am only the person in charge of data processing, the plastic surgeon being Ms. C.C.C. who has to obtain the
consent of the patient to whom he takes the photos before and after the
intervention, and who, as I have demonstrated and is already in the file,
sent me said photos and had the consent of the patient, as also stated

in the file, not knowing since I was not there at the time when he obtained it
whether it was for one purpose or for several as required by article 6.1 RGDP.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/22

Therefore, not being responsible for obtaining this consent, since I did not
participate in the intervention nor do I know the claimant at all, I could not act
negligently as indicated.”

SEVENTH: On May 7, 2024, the instructor of the procedure agreed to
reproduce for evidentiary purposes the claim filed by A.A.A. and its
documentation, the documents obtained and generated during the admission phase for processing of the
claim, and the report of prior investigation actions that are part of procedure AI/00146/2023.

Likewise, the allegations to the agreement to initiate the referenced sanctioning procedure, presented by B.B.B., and the
documentation that accompanies them, are reproduced for evidentiary purposes.

EIGHTH: On May 8, 2024, a resolution proposal is issued
proposing the following:

That the Director of the Spanish Data Protection Agency sanction
B.B.B., with NIF ***NIF.1, for an infringement of Article 6.1 of the GDPR and Article 9 of the
RGPD, classified in Article 83.5 of the GDPR, with a fine of 5,000 euros for the

infringement of Article 6.1 of the GDPR, and a second fine of 5,000 euros for the
infringement of Article 9 of the GDPR, which amounts to a total of €10,000 (ten thousand
euros),

That the Director of the Spanish Data Protection Agency order

B.B.B., with NIF ***NIF.1, that pursuant to Article 58.2.d) of the GDPR, within the term Within one month from the notification of the resolution of this sanctioning procedure,
documentarily prove to the AEPD that it has complied with the
adoption of measures taken consisting of preventing photographs of patients from this or another clinic from being disseminated on social networks without having

the necessary legitimacy to do so. NINTH: On June 3, 2024, the statements made by the respondent party in response to the resolution proposal are recorded, indicating
the following:

“The AEPD on page 9 of its resolution proposal assumes that I am a plastic surgeon, but this is not true, this premise being very important for the
proposed administrative sanction since I repeat again that I have not profited from the
publication of these photographs, I am only the owner of the property in which the
Doctor, who is a plastic surgeon, has a consultation room for rent, so

neither was the surgery performed in my establishment nor do I know this person at all, only
as a data processing agent I did what the person responsible for the processing of
this data indicated to me, understanding at all times that the consent that the doctor
has is valid for said publication, although this is something that I do not obtain,
since I am concerned with obtaining the consent of the patients who

authorize me to do so in my office. activity regarding the aesthetic treatments that I perform.

The claimant states that B.B.B. published on the social networks Facebook and
Instagram the before and after photos of the plastic surgery intervention,
performed by Ms. C.C.C., to the claimant A.A.A.. B.B.B. acted as the person in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/22

charge of treatment for Dr. C.C.C., responsible for obtaining informed consent from his
patient, and adapting this to the current regulations LOPDGDD 3/2018, of 5
December. (The surgical intervention and consequently her consent, as

the claimant points out, was carried out prior to the entry into force of the Law, a fact that was
totally unknown to B.B.B.).

It has also become clear that the complainant did not contact me
directly to request that I remove the photographs, but even so, at the moment
that the Doctor indicated it to me, I removed them from my networks.

As for indicating that it has been done in order to prevent this from happening again
the images have been manually deleted both on Instagram
and on Facebook of Clínica (...). (trade name and identifier of the aesthetic medicine activity of B.B.B.).

A sweep has also been carried out on the Google search engine to evaluate the removal
of the images and videos from the Facebook and Instagram pages, the links to which
we attach for verification.

***URL.1 and ***URL.2

That is why the images of Mrs. A.A.A. and links to the content on the social networks Facebook and Instagram have been removed from all of them.

Furthermore, the same procedure has been followed with images or videos with identifiable data of any other person or they have been pixelated, despite having
informed consent from the persons, clients/patients of B.B.B. that appear
in ***URL.1 and ***URL.2”

From the actions carried out in the present procedure and the documentation

in the file, the following have been proven:

PROVEN FACTS

FIRST: Dissemination on the social networks Facebook and Instagram of photos of the

complainant without his consent, to advertise the private plastic surgery clinic of the respondent.

BASIS OF LAW

I

Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of the GDPR and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency shall be governed by the provisions

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/22

of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary
character, by the general rules on administrative procedures."

II

Preliminary issues

In the present case, it is alleged that the respondent party, owner of the Clinic (…),

has disseminated on social networks photos of the before and after of the surgical intervention that the complainant underwent, in order to advertise the clinic of the respondent party, without the consent of the complainant.

These photos have been published by the respondent party to promote his private plastic surgery clinic

on the social networks Facebook and Instagram.

The AEPD, after carrying out the investigation actions indicated in the
background, makes the following considerations:

1.- It has been proven that Ms. C.C.C. performed a treatment/operation of (...) on

the appellant in 2017.

2.- During said operation/treatment, Ms. C.C.C. took photographs of the before and
after of said treatment, with the consent of the complainant party
for the photograph for medical, scientific or educational purposes. There is no record that the

complainant party gave her consent to the photograph for the purposes of commercial
advertising of the activity of Ms. C.C.C. or of third parties with whom she collaborated.

3º.- The photographs of the aforementioned treatment/operation were sent from the email ***EMAIL.1 to the email ***EMAIL.2 on 12/12/2021 and published on the

social media profiles of the Clinic (...), a commercial name used by Mr. B.B.B., without
the consent of the complaining party.

4º.- There is a data processing contract, dated 01/30/2020, between Ms.
C.C.C. and Mr. B.B.B., with the following purposes appearing in said contract:
The processing of “data of patients/clients treated at the facilities of the

Clinic of the data processor by the data controller”. As well as the
“advertising in facilities, media and social networks of the
activities of the security officer, as long as the officer so indicates
in some communication”

5th.- In the evidence collected by the AEPD on 02/10/2023, the photographs
subject to the claim were not published on the social media profiles (Instagram and Facebook) of the Clinic (...), the commercial name used by Mr.
B.B.B..

III
Response to the allegations presented

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/22

The respondent party in response to the start agreement, sends a letter dated April 3,
2024, where he states that he is not responsible for the facts imputed to him since he did not
participate in the surgical intervention of the claimant, nor does he know the claimant, and the

dissemination of such photographs does not bring him any benefit since he only performs
aesthetic treatments without surgical interventions, so he is
exempt from all responsibility since he is only in charge of the treatment and not the
responsible party.

The respondent party in response to the resolution proposal, sends a letter dated June 3,

2024, stating that he is not a plastic surgeon, but the owner of the property
in which surgeon C.C.C. practices his profession, and that the consent that the doctor has is valid for the publication of the photographs of the complainant.

The respondent has also stated that, as he is not a surgeon, he did not participate in the

intervention performed on the complainant, and that the publication of the
images does not provide him with any benefit, since he is not the surgeon who operated on the
complainant, but rather the owner of the Clinic (…), and that the consent given by the
complainant to be operated on by C.C.C., is valid for the publication of the
photographs of the before and after the operation performed on the complainant.

Likewise, the respondent points out that the complainant did not contact him
to request that he remove the photographs, but even so at the time that surgeon
C.C.C. He was informed that he manually removed the images from both Instagram and
Facebook of Clínica (...), and the same procedure has been followed with the images or
videos with identifiable data of any other person.

In response to such statements, it must be indicated that it has been established that the
cosmetic operation that the complainant underwent was performed in a center
different from the clinic of the respondent, since the complainant was operated on at the
Clínica ***HOSPITAL.1, on January 10, 2017, and the clinic advertised by the
respondent is the Clínica (...), so it is an established fact that the respondent, whether
or not a surgeon, did not participate in the intervention performed on the complainant, there
being no contract that binds him to the complainant, and therefore he would have been
authorized to process the before and after photographs of the
operation performed by C.C.C., on the complainant. Therefore, using these photographs to advertise the Clinic that he owns implies the search for a

profit or benefit. Furthermore, the photos of the complainant were taken before and after the cosmetic surgery performed by the respondent on the complainant in 2017, that is, years before the formalization of the contract for the processing of data

between the complainant and C.C.C..

Therefore, the AEPD must indicate that we are not talking about a withdrawal of
consent, nor any other cause of legitimacy that entitles it to process the personal data of the respondent, in this case her image, so the complainant is not

required to exercise its right to cancellation, nor any of the other rights recognized in the GDPR, for the processing of said photographs to cease

by the respondent entity, since this would only be appropriate if the complainant had ever granted to the respondent party for its authorization for such
processing.

Ultimately, the respondent party is the sole party responsible for the dissemination of the
before and after photos of the operation performed on the complainant party, on social
networks.

IV
Article 6.1 of the GDPR

The physical image of a person, according to article 4.1 of the GDPR, is personal
data and its protection, therefore, is the subject of said Regulation. Article 4.2
of the GDPR defines the concept of “processing” of personal data

Article 6.1 of the GDPR establishes the assumptions that allow the processing of personal data to be considered lawful, indicating the following:

“1. The processing will only be lawful if at least one of the following
conditions is met:

a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Regarding the processing for video surveillance purposes, article 22 of the LOPDGDD
establishes that natural or legal persons, public or private, may carry out

the processing of images through camera or video camera systems
in order to preserve the security of people and property, as well as their
facilities.”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/22

It is considered that the facts set forth, that is, that the respondent party, has
used photos of before and after the intervention of C.C.C., without having the
express consent of the respondent party, or any other cause of legitimacy,

owner of the image of the photographs in dispute, for the purpose of publishing them
on social networks and advertising his clinic, could constitute an illegal processing
of personal data, which would constitute a violation of article 6 of the RGPD.

The respondent claims that in 2017, the complainant signed her
consent authorizing the intervention itself and the taking of photographs and/or

recording, but not the communication of these photos to third parties.

Likewise, Dr. C.C.C. and the respondent party indicate that the before and after photos of the operation used to advertise the respondent party's clinic were obtained with the respondent party's consent, since it was

produced in the B.B.B.o of a treatment order contract entered into in 2020.

In response to such allegations from the respondent party, the AEPD considers that it cannot
be considered that the publication of the before and after photos of the claimant's cosmetic surgery can be covered by the contract entered into in 2020 by the respondent party and C.C.C., and therefore understand that the claimant's consent is available, for the following reasons:

Firstly, the cosmetic surgery that the claimant underwent was
performed in a centre other than the respondent party's clinic, since the claimant

was operated on at the ***HOSPITAL.1 Clinic, on January 10, 2017, and the clinic
advertised by the respondent is the Clinic (...).

Secondly, the photos of the complainant were taken before and after
the cosmetic surgery performed by the respondent on the complainant in

2017, that is, years before the formalization of the contract for the
treatment between the complainant and C.C.C..

Therefore, the respondent would be the exclusive party responsible for the dissemination of
the before and after photos of the operation performed on the complainant, on
social networks.

Thus, it must be taken into account that the present procedure focuses on the
alleged responsibility of the respondent for the dissemination of the before and
after photos of the operation performed by C.C.C. on the complainant.

V

Classification of Article 6.1 of the GDPR

The known facts could constitute an infringement, attributable to the respondent party, classified in Article 6.1 of the GDPR, indicated above, in legal basis II, and could therefore constitute the commission of an infringement classified in Article 83.5 of the GDPR, which provides as follows:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/22

“Infringements of the following provisions shall be punishable, in accordance with
paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the

total global annual turnover of the previous financial year, whichever is higher:

a) the basic principles for the processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9; “

For the purposes of the limitation period for infringements, the infringement referred to in the
previous paragraph is considered very serious pursuant to Article 72.1 of the LOPDGDD,
which establishes that:

“In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute
a substantial violation of the articles mentioned therein and, in particular, the
following are considered very serious and shall be subject to a three-year limitation period:

b) The processing of personal data without any of the conditions for the
lawfulness of the processing established in Article 6 of Regulation (EU) 2016/679 being met. (…)

VI

Proposal for a sanction for infringement of Article 6.1 of the GDPR

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

“Each supervisory authority shall ensure that the imposition of administrative fines
in accordance with this Article for infringements of this Regulation

referred to in paragraphs 4, 9 and 6 are effective,
proportionate and dissuasive in each individual case.”

Administrative fines shall be imposed, depending on the circumstances of each individual case, as an addition to or as a substitute for the measures provided for in
Article 58, paragraph 2, points (a) to (h) and (j).

When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, seriousness and duration of the infringement, taking into account the

nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentionality or negligence of the infringement;

c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/22

d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to

Articles 25 and 32;

e) any previous infringement committed by the controller or processor;

(f) the degree of cooperation with the supervisory authority in order to remedy the

breach and mitigate any adverse effects of the breach;

(g) the categories of personal data affected by the breach;

(h) the manner in which the supervisory authority became aware of the breach, in

particular whether and, if so, to what extent the controller or processor notified the
breach;

(i) where measures referred to in Article 58(2) have been previously ordered
against the controller or processor concerned in relation to the same

matter, compliance with those measures;

(j) adherence to codes of conduct pursuant to Article 40 or to certification
mechanisms approved pursuant to Article 42; and

(k) any other aggravating or mitigating factors applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the breach.”

Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76,

“Sanctions and corrective measures”, provides:

“2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:

a) The continued nature of the infringement.

b) The link between the offender's activity and the processing of personal data.

c) The benefits obtained as a result of the commission of the infringement.

d) The possibility that the conduct of the affected party could have led to the commission of the infringement.

e) The existence of a merger process by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Have, when not mandatory, a data protection officer”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/22

In accordance with the transcribed provisions, for the purposes of setting the amount of the fine to be imposed in this case on the respondent as responsible for an infringement classified in article 83.5.a) of the GDPR, in an initial assessment, the following aggravating factors are considered to be concurrent:

- Intentionality/ Negligence in the infringement (section b): the notorious negligence observed in the commission of the infringement, to the extent that the respondent party has
disseminated on social networks photographs of the complainant, provided by C.C.C., without
having the consent or any other cause of legitimacy of the complainant.

The sanction to be imposed on the respondent must be graduated and set at €5,000
in accordance with article 58.2 of the GDPR

VII

Adoption of measures for the infringement of article 6.1 of the GDPR

If the infringement is confirmed, it may be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its performance to the regulations mentioned in this

act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, which
provides the following:

“Each supervisory authority shall have all of the following corrective powers
indicated below:

d) order the person responsible or in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate,
in a certain manner and within a specified period.

In this specific case, the respondent party and C.C.C. The latter is the person who
provided the photos to the respondent party, they have stated that as soon as they
became aware of the complaint filed, on 18/07/2022, the complainant's
photographs were removed.

In addition, in response to the resolution proposal, the respondent party has proven

that measures have been taken so that the data of its clients cannot be processed again
without having the legitimacy required by the data protection regulations
for which it has carried out a search on Google to evaluate the elimination of
the images and videos from the Facebook and Instagram pages whose links it attaches
for verification.

***URL.1 and ***URL.2

Therefore, it is noted that all the images of the complainant and
links to the content on the social networks Facebook and Instagram were deleted.

In addition, the same procedure has been followed with the images or videos with identifiable
data of any other person, whether they are clients or patients of B.B.B. which
appear in ***URL.1 and ***URL.2

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/22

VIII

Article 9 of the GDPR

Article 9 of the GDPR establishes the following:

1. The processing of personal data that reveal ethnic or racial origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data aimed at uniquely identifying a natural person, data relating to health or data relating to the sexual life or sexual orientations of a natural person is prohibited.

2. Paragraph 1 shall not apply where one of the following

conditions applies:

a) the data subject has given explicit consent to the processing of those personal

data for one or more of the specified purposes, except where Union or Member State law provides that the

prohibition referred to in paragraph 1 cannot be lifted by the data subject;

b) the processing is necessary for the performance of obligations and the exercise of
specific rights of the controller or of the data subject in the field of

labour law and social security and protection, insofar as this is authorised by Union law of the Member States or by a collective agreement
in accordance with Member State law providing for appropriate safeguards for the

respect of the fundamental rights and interests of the data subject;

c) the processing is necessary in order to protect the vital interests of the data subject or of another
natural person, where the data subject is not physically or legally capable of giving consent;

(d) the processing is carried out, within the scope of its legitimate activities and with appropriate
guarantees, by a foundation, association or any other non-profit-making
body, the purpose of which is political, philosophical, religious or
trade union, provided that the processing concerns only current or former members of
such bodies or persons who maintain regular contact with them in relation to their
purposes and provided that the personal data are not disclosed outside them without
the consent of the data subjects;

(e) the processing concerns personal data which the data subject has
manifestly made public;

(f) the processing is necessary for the establishment, exercise or defence of
claims or when the courts act in their judicial capacity;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/22

g) the processing is necessary for reasons of essential public interest, on the basis of Union or Member State law, which must be proportionate to the objective pursued, substantially respect the right to data protection and provide for appropriate and specific measures to protect the interests and fundamental rights of the data subject;

h) the processing is necessary for the purposes of preventive or occupational medicine, assessment of the worker's work capacity, medical diagnosis, the provision of health care or treatment or the management of health care and social care systems and services, on the basis of Union or Member State law or under contract with a health care professional and without prejudice to the conditions and guarantees referred to in paragraph 3;

(i) the processing is necessary for reasons of public interest in the field of public health,

such as protecting against serious cross-border threats to health, or
to ensure high standards of quality and safety of healthcare and
medicines or medical devices, on the basis of Union or
Member State law which provides for appropriate and specific measures to
protect the rights and freedoms of the data subject, in particular professional secrecy,

(j) the processing is necessary for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with Article

89(1), on the basis of Union or Member State law, which must be proportionate to the
aim pursued, substantially respect the right to data protection and provide for appropriate and specific measures to
protect the interests and fundamental rights of the data subject.

3. The personal data referred to in paragraph 1 may be processed for the purposes
referred to in paragraph 2(h) when the processing is carried out by a
professional subject to an obligation of professional secrecy, or under his responsibility,

in accordance with Union or Member State law or with rules established by competent national bodies, or by any other
person also subject to an obligation of secrecy in accordance with Union or Member State law or rules established by competent national bodies.

4. Member States may maintain or introduce additional conditions,
including limitations, with regard to the processing of genetic data, biometric data or data
relating to health.

In the present case, the dissemination on social networks by the respondent party of the
before and after photos of the cosmetic surgery carried out by Dr. C.C.C. to the
complainant, would violate article 9.1 of the GDPR, since health data has been disseminated, which are especially protected in article 9.1 of the GDPR.

It should also be noted that we are not in any of the situations where
exceptionally, by virtue of article 9.2 of the GDPR, it is possible to overcome the
prohibition of processing these data, so we would be faced with an alleged
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/22

violation of article 9 of the GDPR, indicated above.

IX

Classification of Article 9 of the GDPR

The infringement of Article 9 of the GDPR, for which the respondent is held responsible, is
provided for in Article 83.5 of the GDPR, which establishes that:

“Infringements of the following provisions shall be punishable, in accordance with
section 2, by administrative fines of a maximum of 20,000,000 Euros or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total global annual turnover of the previous financial year, whichever is greater:
a) The basic principles for processing, including the conditions for
consent pursuant to Articles 5, 6, 7 and 9.”

In turn, the LOPDGDD in its article 72.1.e) classifies as a very serious infringement, for the purposes of prescription, "The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679 without any of the circumstances provided for in said provision and in the article of this Organic Law."

X
Proposed Penalty for infringement of article 9 of the GDPR

In order to determine the administrative fines to be imposed, the provisions of articles 83.1 and 83.2 of the GDPR must be observed, provisions already indicated in

ground VI.

In accordance with these provisions, for the purposes of setting the amount of the fine to be imposed on the respondent party as responsible for an infringement classified in Article 83.5.a) of the GDPR, the following factors are considered to be concurrent in the present case, as
aggravating factors:

- Intentionality/Negligence in the infringement (section b): the notorious negligence
appreciated in the commission of the infringement, to the extent that the respondent party,
responsible for the processing of health data, data especially protected by the

data protection regulations, has disseminated on social networks to publicize
its clinic, photographs of the complainant that were provided to it by C.C.C., despite not
being in any of the exceptional cases that allow its processing according to Article 9.2 of the GDPR.

The sanction to be imposed on the respondent must be graduated and set at €5,000
in accordance with article 58.2 of the GDPR

XI

Adoption of measures for the infringement of article 9 of the GDPR
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/22

It is agreed to impose on the controller the adoption of appropriate measures to adjust
its actions to the regulations mentioned in this act, in accordance with the provisions

of the aforementioned article 58.2 d) of the GDPR, which provides the following:

“Each supervisory authority shall have all of the following corrective powers
indicated below:

d) order the controller or processor to comply with the provisions of

this Regulation, where appropriate,
in a certain manner and within a specified period;

In this specific case, the respondent party and C.C.C., the surgeon who provided the photos of the complainant, have stated that as soon as they became aware of the

complaint filed, on 18/07/2022, the photographs of the complainant were
removed.

In addition, in response to the resolution proposal, the respondent party has proven
that measures have been taken to ensure that the data of its clients cannot be processed again
without having the legitimacy required by data protection regulations

for which it has carried out a search on Google to evaluate the elimination of
the images and videos from the Facebook and Instagram pages whose links it attaches
for verification.

***URL.1 and ***URL.2

Therefore, it is noted that all the images of the complainant and
links to the content on the social networks Facebook and Instagram were deleted.

In addition, the same procedure has been followed with images or videos containing identifiable

data of any other person, whether they are B.B.B. customers or patients. which
appear in ***URL.1 and ***URL.2

Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduating the sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on B.B.B., with NIF ***NIF.1, for an infringement of Article 6.1
of the GDPR and Article 9 of the GDPR, classified in Article 83.5 of the GDPR, a
fine of 5,000 euros for the infringement of Article 6.1 of the GDPR, and a second fine

of 5,000 euros for the infringement of Article 9 of the GDPR, which amounts to a total of
€10,000 (ten thousand euros),

SECOND: TO NOTIFY this resolution to B.B.B.

THIRD: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this faculty.
The sanctioned party is warned that he must pay the imposed sanction once

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/22

this resolution becomes enforceable, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period

established in art. 68 of the General Collection Regulations, approved by Royal
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in

the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and is enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution or directly lodge an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party
expresses his intention to lodge an administrative appeal.

If this is the case, the interested party must formally communicate this fact by means of a
written document addressed to the Spanish Data Protection Agency, presenting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through one of the other registries provided for in art. 16.4 of
the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the

documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal
within two months from the day following the notification of this resolution, it will terminate the provisional suspension.

938-16012024
Mar España Martí

Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/22

C/ Jorge Juan, 6 www.aepd.es

28001 – Madrid sedeagpd.gob.es