AEPD (Spain) - PS/00416/2019

From GDPRhub
Revision as of 18:50, 1 December 2020 by Miguel Garrido de Vega (talk | contribs) (Adding link to the Supreme Court sentence)
AEPD - PS/00416/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 13 GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 25.11.2020
Fine: 40.000 EUR
Parties: Miraclia Telecomunicaciones, S.L.
National Case Number/Name: PS/00416/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish Data Protection Agency (AEPD) decided to impose two fines (20,000€ each) on Miraclia Telecomunicaciones, S.L. (the defendant): one of them for the infringement of the lawfulness of processing principle (Article 6 GDPR), and the other for the infringement of the transparency principle (Articles 13 and 14 GDPR), both due the unconsented use, record and assignment of personal data in the context of telephone jokes.

English Summary

Facts

The decision is the consequence of two complaints submitted by different subjects. One of them (the claimant A) stated that he had received a telephone joke made with an app (the App) according to which an alleged policeman was calling him, but he had never given any consent to such processing of his personal data, nor received any information on the same; besides, the call was assigned to third parties, and had been made from a hidden number that, in order to allow claimant A to get back, required him an additional charge. The other (the claimant B) stated that he also received a telephone joke with the App, according to which an alleged politician was thanking him for his vote, but he had never given any consent to such processing of his personal data, nor received any information on the same, and that the recorded file of the call had been uploaded to the social networks even tagging claimant B by his name; besides, the audio file contained xenophobic messages.

Dispute

The defendant answered the first requirements of the AEPD stating that: (i) after receiving a joke, data subjects can avoid the creation of the file by pressing a button; (ii) once the joke is made, in case the joking subject decided to record it and the affected subject decides not to avoid it, the defendant does not keep any kind of personal data, which is entirely managed and stored by the joking subject in his/her phone; (iii) the joking subjects are warned that their personal data, containing the files of the jokes they have made, will be deleted in six months in case they do not use the App. The AEPD made its technical and legal research, and then started the corresponding sanction procedure, informing the defendant that the proposed fine for the conduct would amount to 50,000€ for each infringement (so 100,000€ in all); to such proposal, the defendant requested a reduction, considering, among other reasons, that: (i) it was not processing personal data, as the App worked as a telephone line, a surprise gifts company or Instagram/Twitter, in which the companies are not responsible for the use and the content the users make of the network; (ii) it had no possibility to identify the affected subject nor to link his/her number/voice with any personal data without using disproportionate efforts, so the telephone number and voice of the affected subject would not be considered personal data; (iii) despite the fact that the defendant considered that no personal data were involved in his activity, it had adopted some information measures "ad cautelam"; (iv) the defendant considered that, even in case personal data were considered to this case, the legal basis for its processing would be the legitimate interest of the defendant, and not the consent of the data subjects; (v) the joke happened in a leisure context in which no real harm was made to the affected data subjects; (vi) the only personal data affected is the telephone number, as the recorded file of the call is directly made by the joking subject and cannot be linked to the number; (vii) the defendant intention has always been to respect the legislation and to collaborate with the AEPD, and so it has facilitated the right to erasure whenever it has been requested to do so. Additionally, the AEPD also received a third complaint against the defendant submitted by a European citizen before the Slovenian data protection authority, so the situation became a cross-border case; once determined the AEPD would be the lead authority, it made the corresponding legal and technical research, and considered that this third complaint was essentially very similar to the other two, so it did not open a new procedure, but was added to the existing one in Spain. Finally, the AEPD considered that: (i) the data processing activity carried out by a company in the framework of its commercial activity cannot be excluded from its data protection obligations on the basis of being considered an exclusively personal or domestic activity, even if the service provided by the company consists of providing a relationship between natural persons; (ii) the recording of the human voice, associated with other data such as the telephone number, must be considered personal data, and the fact of making it available to third parties who can identify who such voice belongs to, must be clearly considered an automated personal data processing activity; and (iii) the commercial interests of a data controller must yield to the legitimate data protection interests of the owner of such personal data.

Holding

Thus, the AEPD understood that the defendant has infringed not only the lawfulness principle included at Article 6 GDPR (as there is no consent by the data subject receiving the joke, nor any other valid legal basis to process his/her personal data), but also the transparency principle at Articles 13 and 14 GDPR (as the data subject is never informed nor knows in any manner that his/her personal data are used in the App and that they will be assigned to a third party). Consequently, after considering some circumstances [(i) the nature, severity and duration of the infringement; (ii) the serious and wilful misconduct of the defendant, specially taking into account that the App did not take into consideration any data protection requirements even after the defendant being fined in the past due to a similar infringement; (iii) the continued nature of the infraction; (iv) the evident connection between the activity of the defendant and the processing of personal data, and the advantages obtained from such; (v) the amount of personal data processed by the defendant and the amount of affected data subjects; (vi) the unpredictable nature of the damages caused to the data subjects due to the assignment of personal data without any safety measure being adopted by the defendant; (vii) the lack of any internal procedures by the defendant regarding obtainment and processing of personal data; (viii) the defendant requested a reduction on the predicted fine, estimated 100,000€, as it would suppose 25% of its yearly turnover, which finished with economic losses], the AEPD decided to impose a fine of 40,000 € to the defendant (20,000€ for each infringement), and required it to solve all the data protection problems herein mentioned within the period of three (3) months since the decision.

Comment

It is relevant to bear in mind that the defendant had been already fined in the past with 7,500€ for a similar infringement also related to the App (that was even confirmed by the Spanish Supreme Court recently).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.