AEPD (Spain) - EXP202202837
AEPD - ps-00107-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 83(2) GDPR §169(1) Criminal Code §7 LOPDGDD §76(2)(a) LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 5.000 EUR |
Parties: | n/a |
National Case Number/Name: | ps-00107-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
The Spanish DPA imposed a €5,000 fine on a 16 years-old teenager for using videos and pictures received via WhatsApp to blackmail a 13 year-old minor who could not express valid consent. The DPA also ordered the teenager to delete any other personal data regarding the data subject and to report about the measures adopted to do so.
English Summary
Facts
The 16 year-old (controller) and the 13 year-old (data subject) were in contact through Instagram and WhatsApp, where the data subject sent intimate images to the controller. After some time, the controller asked for more images and, to obtain that, the controller threatened and blackmailed the data subject by stating that those videos and images will be made public on social media. As a result, the data subject sent more images. For the above-mentioned facts, the defendant was sentenced by the Juvenile Court.
The data subject’s parent also submitted a complaint before the Spanish DPA, which initiated an investigative proceeding for an alleged violation of Article 6(1) GDPR.
The defendant claimed the violation of the constitutional principle non bis in idem since the controller was already found guilty of criminal threats by a juvenile court.
Holding
In the first place, the DPA challenged the claim regarding the principle non bis in idem. The DPA stated the necessary elements to consider sanctioning concurrence, that is, the similarity between subject, facts and ground. In the present case, there was only similarity regarding the subject; however, there was neither a factual nor a causal similarity. About the correlation of facts, the DPA stated that the juvenile criminal proceedings started and ended due to the violation of Article 169(1) of the Spanish Criminal Code (threatening the data subject) whereas the present sanctioning proceeding started due to the alleged violation of Article 6(1)(a) GDPR (unlawful processing of data subject’s personal data and void consent). Regarding the ground or reason, the DPA stated that in the juvenile criminal proceedings, the protected legal good was the right to freedom of choice whereas, in this administrative proceeding, it was the right to have one's personal data protected.
Secondly, the DPA mentioned that the mere collection, register, and storage of the data subject’s images and videos made by the controller were enough to be considered as processing of personal data under Article 4(2) GDPR, hence making the GDPR applicable.
In third place, the DPA recalled the need for a legal basis for processing. Regarding consent, since the data subject was a minor, Article 7 of the National Legislation was applicable. The provision foresees that consent is only valid if given by someone over 14 years old. Otherwise, the consent of parents or another legal representative is mandatory. In the present case, the minor was 13 years old, therefore, the processing could not be based on consent in relation to Article 6(1)(a) GDPR since the consent could not be considered valid.
Finally, the DPA applied two aggravating circumstances of Article 83(2) GDPR: the nature scope and purpose of the processing concerned as well as the level of damage for the data subjects, and the intentional character of the infringement, since the defendant threatened the data subject, and this was proven by a judicial sentence. Similarly, the DPA applied one aggravating circumstance contained in Article 76(2)(a) of the National Legislation: prejudice to a minor.
On the other hand, the DPA applied the principle of proportionality as well as individualisation of sanctions and considered the defendant’s testimony about the deletion of the images and videos, which stopped the processing of such data.
The DPA imposed a fine of €5,000 for a lack of valid legal basis for processing under Article 6 GDPR, ordered the contrroller to delete any other personal data regarding the data subject and requested the controller to report about the measures adopted to do so.
Comment
In Spain, the administrative law allows minors over 14 years old to be administratively sanctioned for violations of such laws. In those cases, their parents become responsible for the payment (indirect liability) as explained by the DPA in this brochure: https://www.aepd.es/es/documento/responsabilidad-menores-padres-madres.pdf . The legal basis for this measure is Article 3 LPAC .
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/18 Procedure No.: PS/00107/2022 (EXP202202837) RESOLUTION SANCTION PROCEDURE By Agreement dated 03/11/22, the sanctioning procedure was initiated, PS/0107/2022, instructed by the Spanish Data Protection Agency before D. A.A.A., by virtue of the claim presented by D. B.B.B., on behalf of its minor daughter, for the alleged violation of the regulations for the protection of Data: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection of Physical Persons with regard to the Processing of Personal Data and the Free Movement of these Data (RGPD), and violation of Organic Law 3/2018, of December 5, on Data Protection Personal Rights and Guarantee of Digital Rights (LOPDGDD), and based on the following: BACKGROUND FIRST: On 03/02/22, you have an entry in this Agency, writing presented by the claimant, in which he indicated, among other things, the following: "In the court ruling it is described how the defendant threatened and blackmailed my underage daughter to send her sensitive images via chat Instagram and WhatsApp. Through Instagram communications begin on 10/15/19 at 23:20 and by WhatsApp the communications that are preserved They are as of 01/02/20.” Along with the claim document, provide the data and dates of the Instagram accounts and WhatsApp and telephone numbers of the defendant and his underage daughter. A copy of Judgment No. XX/02020 of Juvenile Court No. (...).- Reform File number XXX/2020 (Prosecutor's Office number XXX/2020), where The following is stated in the “Proven Facts” of the Judgment: That the defendant, browsing the Instagram application, met the minor of age (Claimant's daughter) aged 13, entering into such a close relationship of confidence that the minor sent him videos and photos of an intimate nature, both through the Instagram application and through WhatsApp. That, after some time, the defendant demanded that the girl follow him sending photos and videos, but since she refused, the defendant intimidated her telling him that he would upload the photos and videos he already had to social media. That the minor, fearful of her threats, sent (...). SECOND: On 03/09/22, by the Director of the Spanish Agency for Protection of Data, an agreement is issued to admit the processing of the claim presented by the claimant, in accordance with article 65 of the LOPDGDD Law, when assessing possible rational indications of a violation of the rules in the field of the powers of the Spanish Data Protection Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/18 THIRD: On 03/11/22, by the Board of Directors of the Spanish Agency for Data Protection, sanctioning procedure begins when appreciating indications reasonable violation of the provisions of article 6.1 of the GDPR, imposing an initial penalty of 10,000 euros (ten thousand euros). FOURTH: Once the initiation agreement has been notified to the claimed person, the latter by means of brief dated 04/06/22 made the following allegations: "PREVIOUS. - Go ahead that at the time of the facts my represented was a minor, and was 16 years old, without even He will not even be forced to delete the videos that are the object of litigation because in his statement stated that they had been deleted and that inferring to the minor that send him more videos because if he didn't post them on the internet it was and was for what has been sentenced, that is to say for that conditional threat requiring more videos, insisting that they were deleted. VIOLATION OF THE CONSTITUTIONAL PRINCIPLE "NON BIS IN IDEM" The defendant was convicted criminally in the referenced File of Reform as author of a crime of conditional threats, in accordance between the parties the measure of four months maximum of socio-educational tasks, oriented to a sexual affective program and gender perspective. This fundamental right is recognized in art. 18.4 C.E. is the one is violated. Said article provides that "The Law shall limit the use of the information technology to guarantee the honor and personal and family privacy of the citizens and the full exercise of their rights". According to repeated jurisprudence of the Constitutional Court, article 78.4 EC contains a institute for the guarantee of the rights to privacy and honor, and to full enjoy the remaining rights of citizens, and therefore also, "the fundamental right to data protection, understood as the right to freedom from potential attacks on the dignity and freedom of the person from an illegitimate use of the automated treatment of data, what the Constitution calls "informatics". (STC 290/2000 of 30 November, in its Fundamental'7"; SRC 743/7994' of May 9 in its Foundation J"; STC 17/7998 of January 13, in its Foundation 4"). The constitutional and legal configuration of the fundamental right to protection of data (specifically through the Organic Law on Data Protection) confers on its holder a series of powers to guarantee its protection, and Ie gives peculiarities in its content, which distinguishes it from others since confers on its owner a series of powers consisting of imposing on third parties, certain legal duties, which, for example, are contained in the law fundamental to privacy, that is, "guarantees the person a power of control over your personal data", which is only possible and effective imposing on third parties certain duties to do (namely: the right to that prior consent is required for the collection and use of data personal information, the right to know and be informed about the destination and use of the data, and the right to access, rectify and cancel said data. to avoid this type of interference, the LOPD grants the Spanish Agency of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/18 Data Protection the protective and preventive nature of such rights, to ensure, through its exercise, the safeguarding and ensuring the right fundamental to the protection of said personal rights in relation to the limits, to the use of computing. The Spanish Data Protection Agency, after completing the proceedings previous inspection carried out since the month of May, has given transfer the final inspection report to the Investigating Court No. XX of Madrid, and has launched a disciplinary procedure, which is suspended until the resolution of the criminal judicial procedure given the pendency of the same, as provided for in the Administrative Procedure legislation. The criminal process will question the sanctioning reaction of the AEPD in due course, since the judicial resolution that is definitively handed down in the criminal process will condition its action as a consequence of respect for the non bis principle in idem, included in article 25.7 of the Constitution, which constitutes a true fundamental right of the citizen in our Law. The "non bis in idem" principle has a double dimension, as explained by the STC 188/2005, of July 7: a) Material or substitute that prevents sanctioning the same fact with the same same disproportionate punitive. b. The procedural or formal, which proscribes the duplication of procedures sanctions in case there is a triple identity of subject, fact and foundation, and which has as its first concretion "the rule of preference or precedence of the criminal judicial authority over the Administration with respect to its performance in disciplinary matters in those cases in which the facts to sanction may be, not only constituting an administrative infraction, but also also crime or misdemeanor according to the Penal Code. Therefore, it will be necessary determine whether both in the criminal procedure and in the procedure sanctioner there is total identity, or on the contrary, there is some element novelty that excludes the application of the Principle. The ECHR did not begin to consider the question of the criminal characterization of a procedure with the first application of art. 4, but had already entered to assess these disquisitions on the occasion of the application of the guarantees of the art. 6 of the Convention relating to fair trial. First, you enter to consider the classification of the offense and its sanction by law national. In the event that domestic law classifies these as criminal or criminals, will automatically be classified as such for the purposes of the convention. TWO.- LACK OF PUBLICATION TO THIRD PARTIES OF ANY THE VIDEOS THAT THE MINOR (14 YEARS OLD) SENT TO THE MINOR (16 YEARS OLD) YEARS). There is no evidence whatsoever, with which it can be determined that the data of personal nature in terms of videos sent some voluntarily by the minor through the INSTAGRAM and WHATSSAP applications, have been C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/18 disclosed to third parties and not only that there is no proof that said personal data have not been disclosed to third parties, but rather stated that said videos had been deleted and that those sent without consent of the minor are exclusively due to criminal reproach suffered with the Judgment that, according to the complainant, contributes to his written complaint, in addition to the ignorance of the age of the minor, but for whose acts he was sentenced for conditional threats, threats that were based not on the own sending of said vices but on the demand that could be carried out for the minor, regarding the person who was also a minor. THIRD.- REGARDING THE CONSENT OF THE MINOR, THE ILLEGITIMATE USE BY THE LESSER OF THE NETWORKS SOCIAL, BREACH OF PARENTAL OBLIGATIONS OR IMPLIED CONSENT FOR THE USE OF NETWORKS SOCIAL COMPANIES THAT DO NOT REPORT THEIR APPS TO MINORS. The Royal Decree 1720/2001, of December 27, which approves the Regulations for the development of Organic Law 15/1999, of December 13, of protection of personal data, literally says: Section 1 Obtaining the consent of the affected party Article 12. General principles. 1.- The data controller must obtain the consent of the interested personal character unless required in accordance with the treatment of your data itself from in no to those cases in which the Io provided in laws. The request for consent must refer to a treatment or series of specific treatments, with delimitation of the purpose for which they are collects, as well as the remaining conditions that occur in the treatment or series of treatments. 2.- When the consent of the affected party is requested for the assignment of their data, he must be informed in such a way that he knows unequivocally the the purpose for which the data will be used with respect to whose communication requests the consent and the type of activity carried out by the assignee. Otherwise. consent will be void. 3.- The person responsible for the treatment will be responsible for the existence of the consent by any means of evidence admissible by law. Article 13. Consent for the treatment of data of minors. 1.- The data of those over fourteen may be processed years with your consent, except in those cases in which the Law requires for its provision the assistance of the holders of parental authority or guardianship. In the case of minors under fourteen years of age, the consent of parents or guardians. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/18 2.- In no case may data be collected from the minor that allows obtaining information about the other members of the family group, or about the characteristics thereof, such as data relating to the professional activity of parents, economic information, sociological data or any other others. In no case may data be collected from the minor that allows obtaining information about the other members of the family group, or about the characteristics of the same, such as the data related to the professional activity of parents, economic information, sociological data or any others, without the consent of the owners of such data. However, they may collect the identity and address data of the father, mother or guardian with the sole purpose of obtaining the authorization provided for in the previous section. 3.- When the treatment refers to data of minors, the information addressed to them must be expressed in a language that is easily understandable by those, with express indication of the provisions in this article. 4.- It will correspond to the person in charge of the file or joint treatment the procedures to ensure that the correctness of the age of the minor and the authenticity of the consent given in his case, for parents, guardians or legal representatives. Article 14. Form of obtaining consent. 1.- The controller may request the consent of the interested party through the procedure established in this article, except when the Law requires the same to obtain express consent for the treatment. 2.- The person in charge may address the affected party, informing him in the terms provided for in articles 5 of LO 15/1999, of December 13 and 12.2 of this regulation and must grant them a period of thirty days to express refusal to treatment, warning him that in case of ruling to such effect, it will be understood that you consent to the processing of your personal data staff. In other words, in Instagram's own conditions of use you can clearly read what is the minimum age to create a profile on Instagram just like WhatsApp. But of course, made the Law cheated. If a preteen under the age of 14 years old, you want to create a profile on Instagram, all you have to do is vary a few numbers of your date of birth. There is also the issue of parental control, that is, if our inferior son or daughter 14 year old wants an Instagram profile, we can create it with our authorization and then activate parental control, which we understand that this must be the case... right?... Without the existence of consent being controversial express of a minor under 13 years of age from an Instagram and WhatsApp account. Who has consented for the minor to have an account on Instagram and on C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/18 WhatsApp? Parents? , Who has bought the mobile to the minor? , the fathers? , because the parents do not report, activate or control what their 13 year old daughter with a mobile. The defendant has responded with respect to criminal justice. Parents shouldn't to answer anything regarding their parental obligations? At the most favorable point for parents.... Consequently, is the tacit consent? That is, that consent has been obtained by writing and that this has not been expressly stated (although neither YOUR opposition) what is understood that there is authorization for it, since it is not there is evidence against the fact that the parents were unaware that their daughter was not had the Instagram or WhatsApp applications, or documented that he fences without hesitation, the express opposition to his daughter having Instagram. Is there that tacit consent of the person who holds parental authority, for application of Article 14.2 of the Regulation? Are parents responsible for non-compliance with Article 154 of the Code Civil, insofar as this is defined as ... Parental authority, as Parental responsibility will always be exercised in the interests of the sons and daughters, in accordance with their personality, and with respect for their rights, their integrity physical and mental... this is also being breached by the parents, they must Does the Social Services have knowledge of said individual? Instagram prevents adults from sending private messages to people under 18 if they are not followed. In this way, if an adult pretends write to a teenager, a notification will come that it is not possible to send him a Direct Message. As for WhatsApp, its security and privacy positioning is still more severe and says: ...About the minimum age to use WhatsApp If you reside in a country of the European Economic Area (including the Union Union) or in any other country or territory that is part of it (collectively referred to as the European Region), you must be at least 16 years of age (or more, if required by the legislation of your country) to register in WhatsApp. If you reside in a country that does not belong to the European Region, you must have at least 13 years (or more, if required by the legislation of your country) to register in WhatsApp and use the service. For more information, see our Terms of Service. Note: Creating accounts with false information constitutes a breach of our Conditions. The registration of accounts on behalf of other minors also constitutes a breach of our Conditions. report a minor age C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/18 If a minor in your care created a WhatsApp account, you can show them how to remove it For information on how to delete an account, Check out our Help Center. If you want to report an account that belongs to a minor, please, send us an email. In your email, provide the following documentation and delete or hide any personal information not related: Proof that the WhatsApp number belongs to you (for example, a copy of a government-issued ID and a phone bill with the same name) Proof that you are the minor's legal representative (for example, copy of the child's birth or adoption certificate) Proof of the minor's date of birth (for example, a copy of the certificate of birth or adoption of the minor) If we can verify that the WhatsApp account belongs to a minor old, we will deactivate it immediately. You will not receive any confirmation of this action. Our ability to review and take action about a report is greatly improved if you provide us with all information that we just requested. If we cannot verify that the reported account belongs to a minor, it is we may not be able to take action on it. case, if you are not representative of the minor, we recommend that you encourage the person representing him to that you contact us using the instructions described above. A question that their own parents never did. The already claimed responded regarding the more punitive justice such as criminal justice, should they answer the parents of the minor regarding their obligations that typify the parental authority of 154 of the Civil Code? Should an investigation be initiated into through social services about whether parents do not comply with their obligations and consequently the minor must be protected? FOURTH.- SCOPE OF THE PSYCHOLOGICAL OR MORAL DAMAGE SUFFERED BY THE MINOR. There is no accredited psychological or moral damage in the criminal procedure nor is there evidence of civil liability attributable to the defendant. By all of it, I REQUEST THE DIRECTOR: That she consider this document presented, as admit, so that, after the appropriate legal procedures, the ARCHIVE proceeds, of this file for all the arguments put forward in the body of the this document, and all this prior to the practice of the evidence requested in the body of this document: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/18 - That, as means of proof, it is requested that the Court of Minors (...) to send a complete and witnessed copy of the Record of Reform No. XXX/20. -That the company Instagram S.L. located in Finca la Vaqueria. crta Belvis del Jarama k, MADRID, to provide supporting documents of the privacy policy and also that it be provided, upon request to the parents of the minor of the name of his Instagram profile as well as the parental consent for use by the minor, or if in his case the data was falsified in order to create a Instagram at only 13 years old. -That it be officiated at the WhatsApp Inc company, with smb email web@support.whatsapp.com and tax address at 1601 Willow Road (MenIo Park of California 94025 ), to provide supporting documents of the privacy policy and also that it be provided, upon request to the parents of the minor of the phone associated with WhatsApp as well as the parental consent for use by the minor, or if in his case the data was falsified in order to create a Instagram at only 13 years old. - That the parents of the minor are required to provide the invoice Telephone purchase of the telephone or the telephone bill to which your associated phone to open said apps and justify that they were knowing that his daughter was the owner of said mobile phone. .- That the parents of the minor be required to contribute a single indication about the transmission to third parties of the videos of sexual content that allegedly the defendant has spread on the Internet. .- That the Juvenile Court of (...) be required to report on the measures or socio-educational plan that my principal is studying and he barely there are a few days left for compliance and consequently said report is not has at disposal. ANOTHER I SAY: This part anticipates the nullity of full-fledged Actions for depriving my principal of the right of defense and not officiating or requesting or putting implement the requested measures. FIFTH: On 07/27/22, the claimant is notified of the proposed resolution in which responded to the allegations raised and proposed that, due to the Director of the Spanish Data Protection Agency proceed, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of Common Administrative Procedure of Public Administrations (LPACAP), to impose a penalty of 10,000 euros (ten thousand euros) on the defendant, for the infringement of article 6.1 of the GDPR and that it proceed to order, as a measure, the suspension of all processing of personal data relating to the girl, minor and deletion of said data, in accordance with the provisions of art. 69 of the LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/18 SIXTH: Once the proposed resolution was notified to the claimant on 07/27/22, the dated 08/12/22, in this Agency writing of allegations to the proposal of Resolution that is an identical reproduction of the one presented against the initiation agreement of the present proceeding and which is reproduced in its entirety above. PROVEN FACTS. Of the actions carried out in this procedure and of the information and documentation submitted, the following circumstances have been accredited: First: As can be seen from Judgment No. XX/02020 of the Juvenile Court Nº (…) (Reform File number XXX/2020), the defendant demanded from the girl, underage, to continue sending her photos and videos, but since she denied, he intimidated her by telling her that he would upload the photos and videos that he already had to the networks social. Despite his opposition and refusal for the defendant to continue obtaining photos and intimate videos of her, fearful of her threats, she sent (...) with images of you to the claimant. FUNDAMENTALS OF LAW YO- Competition. It is competent to initiate and resolve this Disciplinary Procedure, the Director of the Spanish Data Protection Agency, by virtue of the powers that art 58.2 of the GDPR recognizes the control authority, as well as what is established in arts. 47, 64.2 and 68.1 of the Law, LOPDGDD. II.- On the allegations presented to the proposed resolution of the file sanctioning. As a preliminary matter, it is stated that for the Resolution of this disciplinary proceedings have taken into account the allegations presented by the claimed throughout the entire procedure and that, in order not to repeat itself, considers them reproduced. However, before assessing the offense committed in this case, it must be make the following considerations regarding the allegations presented to the resolution proposal: On the concurrence of the principle "non bis in idem": This principle, developed in article 31.1 of Law 40/2015, of October 1, on Legal Regime of the Public Sector (LRJSP), "Concurrence of sanctions", establishes: "1. Acts that have been criminal or administratively, in the cases in which the identity of the subject is appreciated, fact and foundation. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/18 And it has the task of guaranteeing the “favor libertatis”, that is, guaranteeing freedom by contributing legal certainty to the process, through the prohibition, in our case, of the application of an administrative sanction in those cases in which, to the same subject, for carrying out a certain act, a criminal sanction could be imposed. EITHER which is the same, the prohibition of the imposition of a double penal sanction- administrative, in those cases in which there is identity of subject, fact and basis. Its application is subsequent to the sanction of a first event that has already been sanctioned, worth the redundancy, in criminal proceedings. However, a problem arises when a fact injures two different legally protected assets, in this case it is administrative sanction together with the criminal one. Therefore, in order for you to operate this In principle, the following elements must be present: - Subjective identity: in this case the affected subject always has to be the itself, regardless of the nature, the body that has resolved, the accuser or if there is concurrence or not of others affected. - The factual identity: this implies that the facts prosecuted must be the themselves. - Causal identity: sanctioning measures cannot apply if They respond to the same nature. Well, in our case, regarding the Identity of subjects, we can verify as in Judgment No. XX/2022 of the Juvenile Court (...) (Exp. De Reforma No. XXX/2020.- Prosecutor's Office No. XXX/2020) dated 01/25/22, appears as the author of the facts prosecuted, the defendant, and in this disciplinary file (PS/107/2022), appears as responsible, the same person, so we can indicate that there is, in In this case, identity of subjects. Regarding the identity of the facts, if we read the Ruling of Judgment No. XX/2022 of the Juvenile Court (...) (Reform Case No. XXX/2020.- Prosecutor's Office No. XXX/2020) of dated 01/25/22, as a socio-educational measure is imposed on the claimant for a crime of conditional threats, which occur when the evil with which threat carries with it a condition, which may or may not be fulfilled and the imposed condition may be legal or illegal and it may consist of the claim of an amount or any other circumstance, as established in the Article 169.1 of the Penal Code: "Whoever threatens another with causing him, his family or other persons with which is closely linked to an evil that constitutes crimes of homicide, injuries, abortion, against freedom, torture and against moral integrity, the sexual freedom, privacy, honor, heritage and socioeconomic order, He will be punished: 1st With a prison sentence of one to five years, if the threatens by demanding an amount or imposing any other condition, even if it is not illegal, and the culprit has achieved his purpose. Not C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/18 achieve it, a prison sentence of six months to three years will be imposed. but this must be possible (…)”, While the present sanctioning procedure (PS/0107/2022), begins for an alleged illegal treatment (without consent) of the personal data of the girl, minor, contemplated in article 6.1 GDPR: "1. Processing will only be lawful if it meets at least one of the following conditions: a) the interested party gave his consent for the processing of his data personal for one or more specific purposes (…); Therefore, in this case, as we could verify, there is no identity in the facts to which the principle of "non bis in idem" obliges, since in criminal proceedings sanctioned a conditional threat to the underage girl and in the present sanctioning administrative procedure is sanctioning an illegal treatment of the girl's personal information. Lastly, the identity of the foundation occurs when the legal right protected for the two (or more) infractions is the same, which brings us to the contest of laws and the crime contest. Well, in our case, the legal right protected in a crime of conditional threats, in criminal proceedings, we could define it as the right to freedom of formation of the will of the threatened person, while the good legal protection in administrative proceedings would be the protection of the person in relation to with the processing of your personal data, in this case, the images of the girl. Fundamental right protected by article 18.4 of the Spanish Constitution. Therefore, after analyzing the elements that concur in the principle "non bis in idem" we can determine that, in the present case, its application is not possible, since identity in the facts or in the grounds, as required by article 31.1 LRJSP. About the non-existence of the publication of images or videos On this point we must start by remembering that recital (26) GDPR indicates that: "The principles of data protection must be applied to the entire information relating to an identified or identifiable natural person (…)”. Leaving the above established, article 4 GDPR, defines, among others, the following concepts: 1) As "personal data": "all information about a natural person identified or identifiable ("the data subject"); will be considered a natural person identifiable any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an identifier in line or one or several elements proper to the physical, physiological, genetic, psychological, economic, cultural or social of said person; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/18 2) As "data processing": any operation or set of operations performed on personal data or sets of personal data, either by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, comparison or interconnection, limitation, deletion or destruction; (…) 7) As "data controller": any natural or legal person, authority, service or other body which, alone or jointly with others, determines the purposes and means of processing (…) While in article 1 of the GDPR, it is established that: 1. This Regulation establishes the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of such data. And article 2 GDPR: 1. This Regulation applies to the processing in whole or in part automated processing of personal data, as well as the non-automated processing of personal data contained or intended to be included in a file. Therefore, at no time is it established that, in order for the GDPR to be applied it is necessary that the person responsible for the processing of personal data has assigned to a third party. For the GDPR to be fully applicable, it is therefore necessary that the processing of personal data carried out by the person responsible for them, be it Apart from communication by transmission, broadcast or any other form of authorization of access, collation or interconnection, any other operation or set of operations carried out on them, be it the collection, registration, organization, their structuring, their conservation, their adaptation or modification, its extraction, its consultation, its use, or its limitation, deletion or destruction. Therefore, in the case at hand, the mere collection, registration and conservation of the images of the girl, a minor, made by the defendant (responsible for the treatment) are sufficient cause for the application of the GDPR. On the consent of the minor and the illegitimate use by the social media minor, Reference is made at this point to Royal Decree 1720/2001, of December 27, by which approves the Regulations for the development of Organic Law 15/1999, of 13 December December, protection of personal data. Well then, as can be seen from the claim, the communications and the sending of images of the girl, begin between both minors on 10/15/19 at 11:20 p.m. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/18 Instagram and WhatsApp. However, the last ones that are conserved made by this last means are from 01/02/20. According to article 99 of the GDPR, the entry into force and application of the new GDPR was, “twenty days after its publication in the Official Journal of the European Union, the 05/25/16”, being mandatory as of May 25, 2018”. By Therefore, as of this date (05/25/18), Organic Law 15/1999 was repealed, (LOPD), applying mandatorily, from that date, the current RGPD. Regarding Organic Law 3/2018, of December 5, on Data Protection Personal Rights and Guarantee of Digital Rights (LOPDGDD), published on 12/06/18 It is indicated, upon its entry into force, in its sixteenth final provision that: "The This organic law will enter into force the day after its publication in the Official State Gazette" so from 12/07/18 it is mandatory. For its part, the sole repeal provision of the LOPDGDD establishes: 1. Without prejudice to the provisions of the fourteenth additional provision and the fourth transitory provision, the Organic Law 15/1999, of 13 December, Protection of Personal Data. 2. Royal Decree-Law 5/2018, of July 27, on measures urgent for the adaptation of Spanish Law to the regulations of the Union European Union on data protection. 3. Likewise, any provisions of equal or lower rank are repealed contradict, oppose, or are incompatible with the provisions of the Regulation (EU) 2016/679 and in this organic law. Therefore, in accordance with section 3 of the Sole Repealing Provision, the Royal Decree 1720/2007 was repealed as of 12/07/18 in those provisions that "contradict, oppose, or are incompatible with the provisions of the Regulation (UE) 2016/679 and in the LOPDGDD." In the present case, for the processing of personal data to be carried out legally, these must be processed with the consent of the interested party or on some other legitimate basis established in accordance with Law, (Considering 40 GDPR), Article 6.1 of the GDPR is therefore applicable and not RD 1720/2007 used by the defendant. Thus, the aforementioned article 6.1 GDPR establishes that the processing of data Personal information will only be lawful if it meets at least one of the following conditions: a) the interested party gave his consent for the processing of his data personal for one or more specific purposes; b) the processing is necessary for the performance of a contract in which the interested party or for the application at the request of this of measures pre-contractual; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/18 c) the processing is necessary for compliance with a legal obligation applicable to the data controller; d) the processing is necessary to protect vital interests of the data subject or of another natural person. e) the treatment is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers conferred on the person responsible of the treatment; f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or the rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by the authorities in the exercise of their functions. But, what's more, since the interested party is a minor, as is the case in our case, We must bear in mind the provisions of art. 7 LOPDGDD: "1. The processing of personal data of a minor only may be based on your consent when you are over fourteen years of age. I know Except for those cases in which the law requires the attendance of the holders of the parental authority or guardianship for the celebration of the legal act or business in which context the consent for the treatment is obtained. 2. The treatment of the data of minors under fourteen years of age, based on the consent, it will only be lawful if that of the holder of parental authority or guardianship, with the scope determined by the holders of parental authority or guardianship." The minors whose data has been processed by the defendant are perfectly identifiable and that their identity can be determined, directly or indirectly. Therefore, Articles 2, 13 and 14 of the Articles cannot be considered in the present case. Royal Decree 1720/2001, of December 27, which approves the Regulation of development of Organic Law 15/1999, of December 13, alleged by the party claimed by being repealed by this LOPDGDD, and being applicable in this case, articles 6 and 7 of the GDPR. On the illegitimate use by the minor of social networks and breach of parental obligations, it should be noted that, in the present procedure is not assessing the degree of compliance of social networks (WhatsApp or Instagram), in the parental control of the same. In this procedure the degree of legality that has occurred in the treatment of the data has been assessed of the girl, a minor, by the defendant. Regarding the scope of the psychological or moral damage suffered by the minor C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/18 On this point, just indicate that this Agency is not competent to assess the degree of psychological or moral damage suffered by the people they have treated your personal data without your consent. On the practice of proposed tests: It is considered that the information and documentation provided to the procedure is sufficient cient to be able to elucidate whether or not there is an infringement of the current regulations on of data protection and this has been demonstrated throughout this proposal for resolution, based on Judgment No. XX/02020 of the Juvenile Court (...).- Ex- Reform request number XXX/2020 (Prosecutor's Office number XXX/2020), in the "Facts Proven", in its "Fundamentals of Law" and in the "Failure" issued. This is so because- that this administrative sanctioning procedure is initiated after having carried out The AEPD has carried out intense previous work, which substitutes sufficient evidence for this instruction. tion. In this case, the information provided by the parties is assumed to be true. Nope However, the foregoing, the already mentioned so many times, Article 24.2 of the EC, applicable Also in this case, it recognizes the right of the claimed entity “to use all the pertinent means of proof for his defense", leaving at his discretion to be able to present take as many means of proof as it deems pertinent throughout the procedure. Therefore, the testimonial evidence requested by the claimed party is considered to be are not necessary in this case, in application of the principle of "procedural economy" to the the attributable facts must already be sufficiently accredited, and, therefore, it must be re- reject the request for the practice of evidence as unnecessary at this time, by under the provisions of article 77.3 of the LPACAP. III.- Violation for the illegal treatment of the personal data of the minor. In this case, according to the information and documentation presented in the claim, the defendant, browsing the Instagram application, met the minor of age (Claimant's daughter) aged 13 engaging in such a close relationship with her confidence that the minor sent her videos and photos of an intimate nature, both by the Instagram application as by WhatsApp. After some time, the defendant demanded that the girl continue sending him photos and videos, but since she refused, the defendant intimidated her by telling her that he would upload the photos and videos that he already had on social networks, in the face of whose threats, the minor Shipping (…). As we have explained in the previous section, for data processing personal information can be carried out lawfully, they must be treated with the consent of the interested party or on some other legitimate basis established in accordance a Law, (Recital 40 GDPR) For its part, article 6.1 of the GDPR establishes that processing will only be lawful if meets at least one of the following conditions: a) the interested party gave his consent for the processing of his data personal for one or more specific purposes; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/18 b) the processing is necessary for the performance of a contract in which the interested party or for the application at the request of this of measures pre-contractual; c) the processing is necessary for compliance with a legal obligation applicable to the data controller; d) the processing is necessary to protect vital interests of the data subject or of another physical person. e) the treatment is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers conferred on the person responsible of the treatment; f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or the rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by the authorities in the exercise of their functions. But, what's more, since the interested party is a minor, as is the case in our case, We must bear in mind the provisions of art. 7 LOPDGDD: "1. The processing of personal data of a minor only may be based on your consent when you are over fourteen years of age. I know Except for those cases in which the law requires the attendance of the holders of the parental authority or guardianship for the celebration of the legal act or business in which context the consent for the treatment is obtained. 2. The treatment of the data of minors under fourteen years of age, based on the consent, it will only be lawful if that of the holder of parental authority or guardianship, with the scope determined by the holders of parental authority or guardianship." The minors whose data has been processed by the defendant are perfectly identifiable and that their identity can be determined, directly or indirectly. Therefore, according to the available evidence, it is considered that the facts exposed do not comply with the provisions of articles 6.1 of the GDPR, by unlawful processing of the personal data of the minor girl. It is considered appropriate to apply the following aggravating criteria established by the Article 83.2 of the GDPR: a).- The scope or purpose of the data processing operation and the level of the damages and losses caused, since it has been confirmed through final court ruling that the defendant required the girl to follow him sending photos and videos, but since she refused, the defendant intimidated her C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/18 telling him that he would upload the photos and videos that he already had to social networks and that the minor, fearful of her threats, sent (...) to the reclaimed. (section a). b).- The intent of the offense, by the defendant, by intimidating to the girl telling her that she would upload the photos and videos that she already had to the networks achieving with it (...) of the girl. (section b). It is also considered that the following aggravating criteria should be applied, which Article 76.2 of the LOPDGDD establishes: a).- The affectation of the rights of minors, since the victim is a girl minor at the time of the facts (section f). Notwithstanding the foregoing, in the present case, it is worth considering what is stipulated in the Article 83.1 of the GDPR which establishes that: "Each control authority ensure that the imposition of administrative fines under this article for the infringements of this Regulation indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive”. Therefore, taking into account the principle of proportionality and the individualization of the sanction chosen in such a way that it represents an adequate response to illegality of the fact and the guilt of the author, in the present case, it is considered reasonable attend to what was stated by the defendant when he alleges that, in court, the processing of personal data of the minor girl had ceased to exist for having deleted the videos from his mobile. Pursuant to the foregoing, the Director of the Spanish Agency for Data Protection, RESOLVES: FIRST: IMPOSE D.A.A.A., a penalty of 5,000 euros (five thousand euros) for the violation of article 6.1 of the GDPR, regarding the illegal processing of the images of the girl, minor. SECOND: ORDER D. A.A.A., the elimination of any personal data from the girl that is in their power, as well as inform this Agency about the measures adopted for it. THIRD: NOTIFY this resolution to D. A.A.A. FOURTH: Warn the penalized party that the sanction imposed must be made effective by Once this resolution is enforceable, in accordance with the provisions of Article Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, within the voluntary payment period indicated in the Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it in the restricted account No. ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/18 Banco CAIXABANK, S.A. or otherwise, it will proceed to its collection in executive period. Once the notification has been received and once executed, if the execution date is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following or immediately following business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process (article 48.6 of the LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations, interested parties may optionally file appeal for reversal before the Director of the Spanish Agency for Data Protection within a month from the day following notification of this resolution or directly contentious-administrative appeal before the Chamber of contentious-administrative of the National Court, in accordance with the provisions of the article 25 and in section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within the period of two months from the day following the notification of this act, according to what provided for in article 46.1 of the aforementioned legal text. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public, the firm resolution may be temporarily suspended in administrative proceedings if The interested party declares his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative proceedings within a period of two months from the day following the Notification of this resolution would terminate the precautionary suspension. Mar Spain Marti Director of the Spanish Data Protection Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es