AEPD (Spain) - PS/00050/2020
AEPD - PS/00050/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(a) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 18.12.2020 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | PS/00050/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
An natural person received a warning from the Spanish DPA for tweeting a photo of a bill where the name, surname, fiscal ID and bank account of a restaurant owner was visible.
English Summary
Facts
The owner of a restaurant lodge a complaint with the Spanish DPA (AEPD) against another natural person that had published a tweet with a picture of a bill from that restaurant which included name, surname, fiscal ID and bank account number of the restaurant owner. This was in connection with a political discussion about the expenses of a political party when in power of the city administration.
The person that posted the tweet argued that it was not the intention to unlawfully publish personal data but that the purpose was to showcase the expenses of the political party in the restaurant owned by the complainant and that this information is of public and political interest. He also argued that most of the data showed in the photo of the tweet was of public domain as the same data could be obtained from other public sources of information such as public procurement procedures that the owner of the restaurant had obtained.
The Spanish DPA argued that even if the tweet with the attached photo might have some public interest for political debate, the photo still included personal data of a natural person that was not relevant for the debate. And also that some of the personal data (namely the bank account) was not an information that was available in other public sources.
Dispute
Is publishing a photo that includes personal data of a restaurant owner lawful in line of Article 5(1)(a) GDPR?
Holding
The Spanish DPA concluded that there has been a breach of Article 5(1)(a) GDPR because the uploading of such personal data was not lawful, as it was not based on any lawful legal basis.
Given that the offender was an physical person that does not process personal data on regular basis and that he had no previous convictions or any record of infractions related to data protection, the Spanish DPA decided to just issue a warning and request the removal of the tweet.
Comment
This is an interesting decision because there are several issues that are slightly sketched but not thoroughly discussed by the Spanish DPA.
One of them is the application of article 19 of the new Spanish Data Protection Law (LOPDGDD). This article says that contact data of a natural person when acting on behalf of or representing a legal person, are presumed to be processed under the legal basis of "legitimate interest", only as far as the purpose of the processing is to establish and keep communication with such legal person. However, in this case, the Spanish DPA considers that this article is not applicable as the purpose condition is not met in this case.
Furthermore, although not discussed in the decision, there could be also an issue of processing special categories of personal data of article 9 GDPR of the restaurant owner. The tweet with the picture and other tweets of the debate pointed that the restaurant owner was a supporter of the political party that was under discussion. However, the restaurant owner does not make any claim on that regard and the Spanish DPA does not mention it either.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 Procedure No.: PS / 00050/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) on 11/5/2019 filed claim before the Spanish Data Protection Agency against B.B.B. with NIF *** NIF. 1 (hereinafter, the claimed one). The claimant states that on 10/12/2019 at 9:02 p.m., from the account of the social network *** ACCOUNT.1, belonging to B.B.B. (claimed) XXXXXXXX in the city autonomous of *** LOCALIDAD.1, published two messages accompanied by a photograph that showed an invoice issued by the premises of his property, restaurant *** RESTAURANT. 1, which also contained name and surname, NIF number and bank account number. Provides an impression of the tweet in which the one claimed under the heading B.B.B. in response to C.C.C., PP *** LOCALIDAD.1 and *** ACCOUNT.2, titled “without a doubt celebrations in *** RESTAURANT. 1 at the expense of the public treasury to the PP nobody improvement, your invoices will already be made public, at € 45 per cover, since that celebrations no one like the PP ”and you see the INVOICE document, with the data CLIENT "Presidency-General Directorate Council" "in description of the UNED 14 dinner diners "," unit price 45 euros "and a full bank account is listed in the lower left, and in the upper the data of *** RESTAURANT. 1, address and NIF. The tweet is recorded in the Inspection access procedure of 12/2/2019. The date of the invoice, 05/02/2019, and the NIF associated with the claimant, with the Property name. Under the invoice is 12/10/2019, 12:02. They consist response comments addressed to the respondent. No reference to participation of the claimant in the text messages related to said tweet. SECOND: In view of the facts reported in the claim and the documents provided by the claimant, on 12/11/2019 the claim from the defendant, and information was requested, specifically the causes that motivated the claim, the decision adopted, the measures to be adopted to avoid similar incidents and any other issue you consider. The defendant, dated 01/21/2020, states that “there was no will to disseminate the personal data of the complainant, as it is not noticed that in the image hung they could be observed, because the same day another message was broadcast on several minor contracts awarded to the one who did not present this incident ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/10 It states that the presentation of the claimant's data responds to a debate administrative policy raised in *** LOCALIDAD.1 in relation to “the contracting minor by the Autonomous City "and," especially to payments made in favor of the owner of the establishment of "*** RESTAURANTE.1", complainant. States that the claimant is a prominent supporter of the Popular Party, and his place is a place of meeting and leisure of the militants and political positions of said formation. Provide a copy of a tweet dated 06/15/2019 from the former president, Mr. D.D.D., who as stated, "the same day of the Constitution of the autonomous government made up of the tripartite PSOE, CITIZENS, COALITION FOR *** LOCALIDAD.1 that displaces him from power, used the social network Twitter ”with the content: “from *** RESTAURANT.1 from *** LOCALIDAD.1 I hug everyone voters of the PP for winning the elections although there are unscrupulous traitors who they twist democracy ”. Also, in the digital newspaper “*** DIARIO.1”, the *** DATE.1 is published, a report on the economic-political relationship of the claimant and the previous government local, in which, among other things, the relationship between "*** RESTAURANTE.1" and the members of the Popular Party. In the news is relates the claimant's daughter, an artist who participated in a television event, to identifies, with his father, not with name and surname, and mentions the tavern as a place close to the headquarters of the PP and where sponsored events or promoted by people of this political tendency. It states that the information disclosed about the owner of "*** RESTAURANTE.1" responds to a justified public and political interest, and also, “It has been taken from publicly accessible sources such as the Yellow Pages, which lists hospitality with its owner, as well as in the profile of the city contractor of *** LOCALIDAD.1 where contracts have been published on various occasions minors granted or in official gazettes of *** LOCALIDAD.1, including the data of name and surname and NIF as beneficiary of subsidies. " The exposed data is of a business nature, and is contained in a document commercial, and “of public, social and political interest”. It refers to article 2.3 of the RD 1720/2007 of 12/21, approving the regulations for the development of the Law Organic 15/1999 of 12/13 of Protection of Personal Data, which indicates that “the data relating to individual entrepreneurs, when they refer to them In their capacity as merchants, shipping industrialists, they will also be understood to be excluded of the application regime of the Protection of Personal Data. " THIRD: On 02/04/2020 the claim was admitted for processing. FOURTH: On 03/30/2020, the Director of the AEPD agrees: "INITIATE SANCTIONING PROCEDURE of APERCIBIMENTO to B.B.B., with NIF *** NIF.1, for the alleged violation of article 5.1.a) of the RGPD, in accordance with Article 83.5.a) and 58.2.b) and d) of the aforementioned RGPD. " No allegations were received. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/10 PROVEN FACTS 1) The claimant files a claim against the defendant for tweeting from "*** ACCOUNT.1" your personal data of NIF, name and surname, related to the establishment he runs, "*** RESTAURANTE.1" and the bank account number of your ownership. 2) The personal data appear on an invoice that the claimed photograph and exposes in the tweet. 3) In the tweet, under the heading B.B.B., in response to C.C.C., PP *** LOCALIDAD.1 and *** ACCOUNT.2, titled: “no doubt about celebrations in *** RESTAURANT.1 a cost of the public purse to the PP nobody improves him, his invoices, at € 45 the cover, because that of celebrations nobody like the PP ”and see the document, invoice, with the client data "Presidency Council- Directorate General ”“ in description: UNED dinner 14 people ”,“ price 45 euros unit ”and can be seen in the lower left, the full digits from a bank account. At the top the data of *** RESTAURANT. 1, address and NIF, with the name and surname of your headline. 4) In the inspection procedure of 12/2/2010, it is verified that the tweet exists, it is see the date of the invoice, 05/02/2019, and under the invoice photo you can see 10/12/2019, 12:02. They consist of response comments addressed to the respondent. There is no reference to the complainant's participation in the aforementioned tweet. 5) In the tweet posted by the claimant, nothing is indicated of the payments obtained by the claimant, awarded contracts etc. Although the defendant indicates that with exposition, wanted to signify the contracts awarded to the claimant, making it necessary to have the photograph containing the invoice in which the had the aforementioned food and claimant data, which is also sympathizer of the PP, his establishment being a meeting place for militants tes and political positions of said political formation. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, RGPD); recognizes each authority of control, and as established in articles 47 and 48 of Organic Law 3/2018, of 5/12, Protection of Personal Data and guarantee of digital rights (as C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/10 successive LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this procedure. II The RGPD defines in its article 4: 1) "personal data": any information about an identified natural person or identifiable ("the interested party"); an identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements of the identity physical, physiological, genetic, psychic, economic, cultural or social of said person; " 2) "treatment": any operation or set of operations carried out on personal data or sets of personal data, whether by procedures automated or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction; 4) "file": any structured set of personal data, accessible in accordance with to certain criteria, whether centralized, decentralized or distributed in a functional or geographic; 7) "data controller" or "controller": the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of treatment; whether the law of the Union or of the Member States determines the purposes and means of the treatment, the person responsible for the treatment or Specific criteria for their appointment may be established by Union law or from the Member States; Both on the date of issuance of the invoice, 5/2019, and that of the exhibition, October of the same year, the RGPD is in force. The LOPDGDD establishes in its dis- Unique repeal position: "Normative repeal": 1. Without prejudice to the provisions of the fourteenth additional provision and the Fourth transitory provision, Organic Law 15/1999, of December 13, is repealed. December, Protection of Personal Data. 2. Royal Decree-Law 5/2018, of July 27, on urgent measures is hereby repealed for the adaptation of Spanish law to the regulations of the European Union in data protection matters. 3. Likewise, any provisions of equal or lower rank are repealed contradict, oppose, or are incompatible with the provisions of the Regulation (EU) 2016/679 and in this organic law. " The RGPD indicates in its article 2: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/10 "1. This Regulation applies to the treatment totally or partially automated personal data, as well as the non-automated processing of personal data contained or intended to be included in a file. 2. This Regulation does not apply to the processing of personal data: a) in the exercise of an activity not included in the scope of the Union law; b) by Member States when carrying out activities included in the scope of application of Chapter 2 of Title V of the TEU; c) carried out by a natural person in the exercise of activities exclusively personal or domestic; d) by the competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses, or execution of sanctions criminal offenses, including protection against threats to public safety and prevention. The LOPDGDD in its article 2.2 indicates: "two. This organic law will not apply: a) To the treatments excluded from the scope of application of the General Regulation of data protection by its article 2.2, without prejudice to the provisions of sections 3 and 4 of this article. " And in article 19: ”Treatment of contact data of individual businessmen dual and liberal professionals ”: 1. Unless proven otherwise, it shall be presumed covered by the provisions of article 6.1.f) of Regulation (EU) 2016/679 the treatment of contact data and in its case those related to the function or position held by natural persons who provide services in a legal entity provided that the following are met requirements: a) That the treatment refers only to the data necessary for its professional localization. b) That the purpose of the treatment is solely to maintain relationships of any nature with the legal person in which the affected person provides their services. 2. The same presumption will operate for the treatment of data related to sole proprietorships and liberal professionals, when referred to only in that condition and are not tried to establish a relationship with the themselves as natural persons. 3. Those responsible or in charge of the treatment referred to in the article C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/10 77.1 of this organic law may also process the data mentioned in the two previous sections when this is derived from a legal obligation or is necessary for the exercise of its powers. " About the claimant's data, which are additionally found in the invoice, it is not relevant in this case and context, the use of these data as a person legal, no activity is commented on as a contractor, but as a reference identifying as a person of the establishment. In addition, its owner is identified not only with the name, but the NIf and the bank account are added, and they are used to relate to people belonging to the PP environment in *** LOCALIDAD.1, as the claimant means, that is, as a way of identifying the owner establishment, center where people who feel related to the popular party attended and held various events. The claimant is a secondary in the exposition of the facts, insofar as the protagonists are the group that attended the celebration or meal, on which the opinion is expressed by the reclaimed. Freedom of expression is manifested in this regard, being able to add that *** RESTAURANT.1 or its headline is akin to the party's ideas, but not violating the right of the owner of the data that by the fact of being the owner of the establishment, has to sacrifice their personal data, so that the claimed reveal. One of the limits to the aforementioned right is respect for rights fundamental, and in this case, the protagonist was not the claimant, being the only that is fully identified through a data set, when not even participate in the tweet. The tweet is used as a criticism of public spending, being the owner of the establishment also related to said group, and according to the complainant, it was necessary know their identity, even if they did not participate in the aforementioned tweet. There is no doubt that the reference to public spending by a political group is of interest, but if fully identifying data is included, not only name and surnames, but NIF and bank account of someone who does not participate in said event, but who is responsible for the establishment, no matter how closely related to the political ideas In other words, the objective of expressing itself conflicts with the ownership of personal data, those that govern some basic principles. Said data in this case and context is considered included within the scope of application of the protection regulations of data. III The document presented by the claimant certifies that the defendant carries out a data processing by exposing on the social network an invoice with data from the claimant in which their personal data is contained, listing local, NIF issuer of the invoice and bank account, in order to state that said meal is went to the treasury. The origin, title and reason why the claimed has said document and the competence purpose attributed in the handling of the same in relation to its private use on your Twitter. The fact of including the invoice, without realizing it, even if it had been done without bad faith, including data, reveals a lack of diligence in the elements that are exposed in the social network. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/10 It does not follow that for the knowledge of third parties through the social network of the expenses of a group of people related to a match, which was the literal of the expression expressed in the tweet, the personal data must be given full details of the issuer of the invoice, and the complete bank account. This does not participate in food, is not relevant compared to the group, and it does not seem that even if there is interest in informing that its owner is a sympathizer, it must be identified with said data, with the own repercussion that the treatment carried out may have out on social media. The claimed, in a private capacity, with his name and surname on Twitter, expresses their opinions, and identifies the data of the claimant. In the use of the data, you must concur with any legitimate basis provided for in article 6.1 of the RGPD. The right fundamental of the claimant, that their data is not used in social networks, prevails when what it is about is to comment on a meal of a PP group that goes to the treasury, or that they meet very often in that place, without it being necessary in addition, express and graphically expose the claimant's data in the photograph, also, owner of the establishment. The aforementioned statement in relation to the intention of the news does not add or is of interest or relevant for the data to appear in the photograph, not being adequate, necessary or justified, and if, on the contrary invasive as to are provided in addition, financial data such as the bank account, the NIF and the name and surname, with the associated risks that it may entail. It is considered that in front of its nominal quote and the object of the comment, it does not add nothing significant the fact of knowing your identity, the NIF and the bank account that you make identified or identifiable without problems, since the expression of the expenditure goes related in their case to the site where they often meet, not to the data of the person who owns the site where they often meet, who does not appear related with the comment. Under the principles of adequacy, pertinence, congruence, and relevance in the use of the data, when treating them without the consent of the claimant, you can serve Twitter to express opinions. However, in this case, the identity of that person is not relevant to what is meant in the comment, which was that the food was to be paid for from the public budget. The same results would have been obtained by covering the account and the NIF, and name and surname of the claimant, since the right of its owner has been limited, to your data is not exposed in a medium in which your data can be multiplied effects when the message is shared. In accordance with the constitutional jurisprudence that defines the profile of the right of data protection, in this case, the use of the claimant's data on Twitter is a use that has not been consented to by its owner, and no legitimate basis is credited in the treatment of said data in relation to the purpose that is to be understood in the message that the defendant spread. The complainant is considered to have violated article 5.1.a) of the RGPD that indicates: “The personal data will be: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/10 a) treated in a lawful, loyal and transparent manner in relation to the interested party ("Lawfulness, fairness and transparency"); as the sending of the aforementioned is not considered lawful data exposed in the photo that associates the expressive literal of your opinion, which uploads it to the aforementioned network. The respondent does not certify that the treatment of the claimant's data appears embedded in some legitimating scheme of the assumptions that would enable the treatment, for which the commission of the alleged infringement of the article is estimated 5.1.a of the RGPD. IV Regarding the fact that the data had been obtained from “Public Access Sources co". On this point, we limit ourselves to indicating -reiterating what was stated by this Agency- cia in its Report of 03/10/2019, entry record 045824 / 2019- that “from the entry into force of the RGPD can not speak of a legal concept of "accessible sources sible to the public ”such as the one that existed in the previous Organic Law 15/1999 (...) RGPD only talks about publicly accessible sources when regulating the right to information if the data has not been collected from the interested party ”. Therefore, the concept of a source of public access does not exist in the RGPD or in the LO- PDGDD and, what is more, despite the terms in which article 6.2 of the repealed LOPD, it was not a valid concept in our legal system during during the validity of the repealed Organic Law 15/1999 as a result of the STS of 02/08/2012 (Rec. 25/2008). The STS relied on the STJUE of 04/24/2011 which resolved the issue preliminary ruling from Spain; declared invalid article 6.2 LOPD for being contrary to Article 7.f) of Directive 95/46 and considered that, given the incorrect transposition of the Directive 95/46 that the LOPD made at that point, article 7.f) of the Directive was of direct application. Article 7.f) of Directive 95/46, the text of which was practically identical. co to the current article 6.1.f) of the RGPD. Also, the bank account number does not appear in those supposed sources of public access. Nor can the allegation that the fact that the data appear in this type of legitimate sources without further treatment. The GDPR only speaks sources of public access when regulating the right to information if the data is not have collected from the interested party. Article 14 of the RGPD indicates: "1.When the personal data have not been obtained from the interested party, the responsible for the treatment will provide you with the following information: 2.f) the source from which the personal data come and, where appropriate, if they come from public access sources; " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/10 Neither the publication in official gazettes, in which it will not foreseeably appear the bank account of the affected party, supposes the existence of a legitimate basis for the treatment of the claimant's data, especially when the data is exposed as a ferencia, in a social network open to the general public. As for the news of the newspaper "*** DIARIO.1", the report does not identify with personal data as does the tweet that is the subject of the claim. V Article 83.5 a) of the RGPD, considers that the violation of "the basic principles for the treatment, including the conditions for consent in accordance with the articles the 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned article 83 of the aforementioned Regulation, with administrative fines of a maximum of € 20,000,000 or, for a company, an amount equivalent to a maximum of 4% of the volume total annual global business of the previous financial year, opting for the one with the highest amount. " Article 58.2 of the RGPD indicates: "Each control authority will have all the following corrective powers listed below: b) sanction any person responsible or in charge of the treatment with warning When the processing operations have violated the provisions of this Re- regulation; d) order the person in charge of the treatment that the operations of treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified period ”. In this case, the defendant is a natural person, who does not carry out on a regular basis or professional, mainly personal data processing, and does not include history of previous infringements in the field of data protection, so it is opted for a warning sanction. It would be advisable, if it has not yet been made, that the data of the claimant exposed and related to the matter of this complaint will be removed from the aforementioned tweet, in order not to persist in the behavior that motivates this procedure. Therefore, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE B.B.B., with NIF *** NIF.1, for a violation of article 5.1.a) of the RGPD, as indicated in Article 83.5 a) of the RGPD, a warning sanction. SECOND: NOTIFY this resolution to B.B.B .. THIRD: In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/10 Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from the day after notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, with in accordance with the provisions of article 25 and section 5 of the additional provision fourth of Law 29/1998, of July 13, regulating the Contentious Jurisdiction- administrative, within a period of two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the In this case, the interested party must formally communicate this fact by writing to the Spanish Agency for Data Protection, presenting it through the Registry Electronic Office of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. You must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency did not have knowledge of the filing of the contentious-administrative appeal within the period of two months from the day following the notification of this resolution, it would end of the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es