AEPD (Spain) - EXP202211618
AEPD - EXP202211618 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 4(11) GDPR Article 5(1)(f) GDPR Article 6(1) GDPR Article 32(1) GDPR Article 83(2) GDPR Article 83(4)(a) GDPR Article 83(5)(a) GDPR LOPDGDD art. 71 LOPDGDD art. 72 LOPDGDD art. 92 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 29.04.2022 |
Decided: | 14.07.2023 |
Published: | |
Fine: | 10000 EUR |
Parties: | NANDIVALE, S.L. Data subject |
National Case Number/Name: | EXP202211618 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
Spanish Data Protection Authority found that when processing the image of minors under 14 the consent of the legal guardians must be obtained by the controller.
English Summary
Facts
The data subject was a 4 year old minor, who attended a birthday party at one of the establishments of the controller, Nandivale, a company that organizes events. The controller posted images showing the faces of children present at the party in the stories of its Instagram profile.
After seeing the stories, the mother of the data sent an Instagram message to the controller, asking it to delete the image. However, the controller did not comply with the request and she filed a complaint with the Spanish DPA, claiming that she never gave her consent for the publication of her child's image.
Holding
The DPA stressed that the physical image of a person must be considered as personal data under Article 4(1) GDPR, and thus, it requires a legal ground to be processed. The DPA also recognized that consent is not the only legal basis for the processing of a person's image. However,
In the case at hand, the DPA The AEPD found that while consent is not the only lawful ground to process personal data, in case of processing personal data of minors under 14 the consent of legal guardians or parent must be obtained.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
11/1 File No.: EXP202211618 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: Ms. A.A.A. (hereinafter the claimant) on 10/23/2022 filed claim before the Catalan Data Protection Authority and on 10/26/2022 the Said Authority notified the Spanish Agency for Data Protection on 10/26/2022 for being competent to hear the matter. The claim is directed against NANDIVALE, S.L. with NIF B66070012 (hereinafter the claimed). The motives on which the claim is based are the following: the claimant mother of a 4-year-old girl years old that on 08/07/2022 attended a birthday party organized at the place of the claimed; points out that, without the consent of the parents of the children attendees, images of the celebration were taken in which the minors appeared, and they were published on the Instagram profile ***PERFIL.1 as a "story". The claimant, being aware of the publication of the images in which her daughter appeared, contacted the author of the publication through the messaging service provided by the service provider, in order to request that the publication or covering the face of minors; states that he received no response and that the publication was available 24 hours for which, by default, they are configured the "stories" of Instagram. Along with the notification, a publication with images of the minors is provided. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), said claim was transferred to the claimed party, for to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. The transfer, which was carried out in accordance with the norms established in the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), was collected on 11/03/2022 as stated in the acknowledgment of receipt in the file. The defendant responded on 01/03/2023 stating in summary: that it is of an entity dedicated to events and leisure activities as well as the organization of child parties; that the claim presented requested the deletion of the video and the It was withdrawn 24 hours after its publication, since the withdrawal request It was made through a friend request from the Instagram profile and not from the channel planned for it, therefore, it was not until after said hours that they had C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/11 knowledge of said request; that you have been aware of the error that this situation; that measures have been intensified to prevent these situations requiring consent and created a protocol to avoid incidences; that the disciplinary procedure be filed or that the warning; secondarily, it is considered a minor infraction. On 01/05/2023, it provided the document Risk Analysis in the Treatment of Personal information. THIRD: On 01/09/2023, in accordance with article 65 of the LOPDGDD, The claim presented by the complaining party was admitted for processing. FOURTH: On 04/29/2022, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure against the defendant, for the alleged violation of articles 32.1 and 5.1.f) of the GDPR, typified in article 83.4.a) and 83.5.a) of the GDPR, with warning. Receipt by the claimant of the agreement to start the file. FIFTH: Once the initiation agreement has been notified, the claimant has elapsed the term established, I do not present a written statement of allegations, so the following is applicable. indicated in article 64 of Law 39/2015, of October 1, on the Procedure Common Administrative Law of Public Administrations, which in its section f) establishes that in the event of not making allegations within the period established on the content of the initiation agreement, it may be considered a proposal for resolution when it contains a precise pronouncement about the responsibility accused, for which reason a Resolution is issued. SEVENTH: Of the actions carried out in this procedure, have been the following accredited: PROVEN FACTS FIRST: The claimant, on 10/23/2022 filed a claim with the Authority Catalan Data Protection Agency and on 10/26/2022 the aforementioned Authority notified the Spanish Agency for Data Protection as it is competent to know about the affair. The claimant stated that she is the mother of a minor and that on 08/07/2022 attended a birthday party organized at the premises of the defendant; notes that, without the express consent of the parents of the attending children, the images of the celebration in which the minors appeared, later published on the Instagram profile ***PERFIL.1 as a "story"; due therefore contacted the author of the publication through the messaging service provided by the service provider, in order to request that the publication or the face of minors will be pixelated, without receiving a response while the Publication available 24 hours, which are the ones that are configured by default. Instagram stories. SECOND: It has provided screenshots of the Instagram account ***PROFILE.1 containing address, telephone number, logo and web address where the can see different photographs of minors and parents in the celebration of a children's party C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/11 THIRD: There are screenshots of the children's party (4 photographs) and the following messages from the mother of the minor sent to the account of ***ACCOUNT.1: “Hello, I am one of the mothers who attended the birthday today. I have not given consent to upload images where my daughter appears. We haven't even given consent to the recording of images, and to upload them you should have covered the faces of the minors. So please either cover his face by raising the videos or delete the stories where it is clearly identified. It is the girl of the right to the most visible. Thank you". Hello, I have written to you before. “I will hit you again what I have written before. Hello, I am one of the mothers who had a birthday today. I have not given consent to upload images where my daughter appears. We haven't even given consent to the recording of images, and to upload them you should have covered the faces of the minors. So please either cover his face by raising the videos or delete the stories where it is clearly identified. It is the girl of the right to the most visible. Thank you. Maybe it is the first time that you meet before this situation but capturing images of minors and uploading them to networks is typified as a crime with fines of up to 300,000 euros. I do not want images of my daughter in Internet". FOURTH: The defendant in writing of 01/31/2023 has stated "That he has always It has been the will of "XXXXXXXX" to process the personal data entrusted to it with the maximum guarantees, and has been aware of the error that this situation implies, and has proceeded to rectify this situation in such a way that it adapts to the demands that marks the data protection regulations and, consequently, to be able to deal with the greater guarantees the data of the people who trust them, as it has always been his intentions. FIFTH: The defendant has provided on 01/05/2023 Risk Analysis in the Treatment of Personal Data of Nanvidale, S.L. and later the 01/31/2023 the Video Surveillance Zone Announcement Poster in accordance with the GDPR and Form for Information and Consent for data processing Customer personal. Likewise, the Policy of privacy of the defendant. FUNDAMENTALS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/11 Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, for the regulatory provisions dictated in its development and, as soon as they are not contradict, on a subsidiary basis, by the general rules on the administrative procedures." II Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, in its article 64 "Initiation agreement in the procedures of a sanctioning nature”, provides: "1. The initiation agreement will be communicated to the instructor of the procedure, with transfer of any actions that exist in this regard, and the interested parties will be notified, Understanding in any case as such the accused. Likewise, the initiation will be communicated to the complainant when the rules regulators of the procedure so provide. 2. The initiation agreement must contain at least: a) Identification of the person or persons allegedly responsible. b) The facts that motivate the initiation of the procedure, its possible rating and sanctions that may correspond, without prejudice to what results from the instruction. c) Identification of the instructor and, where appropriate, Secretary of the procedure, with express indication of the recusal regime of the same. d) Competent body for the resolution of the procedure and norm that attributes such jurisdiction, indicating the possibility that the alleged responsible can voluntarily acknowledge his responsibility, with the effects provided for in article 85. e) Measures of a provisional nature that have been agreed by the body competent to initiate the disciplinary procedure, without prejudice to those that may be adopted during the same in accordance with article 56. f) Indication of the right to make allegations and to the hearing in the procedure and the deadlines for its exercise, as well as an indication that, in In the event of not making allegations within the established term on the content of the initiation agreement, this may be considered a resolution proposal when it contains a precise pronouncement about the responsibility accused. 3. Exceptionally, when at the time of issuing the initiation agreement there are not enough elements for the initial qualification of the facts that motivate the initiation of the procedure, said qualification may be carried out in one phase through the preparation of a Statement of Objections, which must be notified to the interested". In application of the previous precept and taking into account that no made allegations to the initiation agreement, it is appropriate to resolve the procedure initiated. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/11 II The denounced facts materialize in the taking of images of the event in the containing minors and their publication on the Instagram profile ***PERFIL.1 as a "story", without the consent of their parents being accredited. Article 58 of the GDPR, Powers, states: "2. Each supervisory authority shall have all the following powers corrections listed below: (…) i) impose an administrative fine in accordance with article 83, in addition to or in instead of the measures mentioned in this paragraph, according to the circumstances of each particular case; (…)” It should be noted that the physical image of a person, according to article 4.1 of the GDPR, it is personal data and its protection, therefore, is the subject of said Regulation. Article 4.2 of the GDPR defines the concept of "processing" of personal information. It is therefore necessary to analyze whether the processing of personal data (image of natural persons) carried out through recording and broadcasting, in which minors appear, in social networks is in accordance with the provisions of the GDPR. Article 6, Legality of the treatment, of the GDPR in its section 1, establishes that: "1. Processing will only be lawful if at least one of the following is fulfilled conditions: a) the interested party gave his consent for the processing of his data personal for one or more specific purposes; b) the processing is necessary for the performance of a contract in which the interested party or for the application at the request of this of measures pre-contractual; c) the processing is necessary for compliance with a legal obligation applicable to the data controller; d) the processing is necessary to protect vital interests of the data subject or of another physical person; e) the treatment is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers conferred on the person responsible of the treatment; f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or the rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/11 The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions”. And article 4 of the GDPR, Definitions, in its sections 1, 2 and 11, states that: “1) “personal data” means any information about an identified natural person or identifiable ("the data subject"); Any identifiable natural person shall be considered person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of said person; "2) "processing": any operation or set of operations carried out on personal data or sets of personal data, either by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction; "11) "consent of the interested party": any manifestation of free will, specific, informed and unequivocal for which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that concern him." On the other hand, article 92 of the LOPDGDD, Data Protection of minors on the Internet, points out that: "Educational centers and any physical or legal persons who develop activities in which minors participate will guarantee the protection of the best interests of the minor and their fundamental rights, especially the right to the protection of personal data, in the publication or dissemination of your personal data through services of the society of the information. When said publication or diffusion were to take place through services of social networks or equivalent services must have the consent of the minor or their legal representatives, in accordance with the provisions of article 7 of this organic Law". IV. It should be noted that data processing requires the existence of a database law that legitimizes it. In accordance with article 6.1 of the GDPR, in addition to consent, There are other possible bases that legitimize the processing of data without the need for have the authorization of its owner, in particular, when necessary for the execution of a contract in which the affected party is a party or for the application, upon request of this, of pre-contractual measures, or when necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/11 provided that such interests do not prevail over the interests or rights and fundamental freedoms of the data subject that require the protection of such data. He treatment is also considered lawful when necessary for the fulfillment of a legal obligation applicable to the data controller, to protect interests of the data subject or of another natural person or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers vested in the responsible for the treatment. In the present case, the defendant in relation to the processing of personal data personal character, neither before nor after the infringement, nor in its Privacy Policy or in the Risk Analysis provides for the treatment carried out cabo: disseminate or publish images of the celebrations on social networks. On the other hand, regarding the publication of images, it is not specified where it is provided (web page of the defendant, social networks, etc.) and as soon as to the consent that they transfer in their response, nothing indicates about this treatment specifically, if you collect parental consent in the case of children under 14 years or the consent to minors, over 14 years of age, differentiating this circumstance of age (Neither does it appear in the case of adults if it is collected their consent for the publication of their images, etc.). Therefore, in the case examined, there is no accredited basis of legitimacy any for the treatment of data of minors. V The infringement attributed to the defendant is typified in the Article 83.5 a) of the GDPR, which considers that the infringement of "the basic principles for processing, including the conditions for consent under the terms of the Articles 5, 6, 7 and 9" is punishable, in accordance with section 5 of the aforementioned Article 83 of the aforementioned Regulation, "with administrative fines of €20,000,000 as maximum or, in the case of a company, of an amount equivalent to 4% as maximum of the overall annual total turnover of the previous financial year, opting for the one with the highest amount”. The LOPDGDD in its article 71, Violations, states that: "They constitute offenses the acts and behaviors referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law”. And in its article 72, it considers for the purposes of prescription, which are: "Infractions considered very serious: 1. Based on what is established in article 83.5 of the Regulation (EU) 2016/679 are considered very serious and the infractions that suppose a substantial violation of the articles mentioned in that and, in particular, the following: (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/11 b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679. (…)” SAW In order to establish the administrative fine that should be imposed, the observe the provisions contained in articles 83.1 and 83.2 of the GDPR, which point out: "1. Each control authority will guarantee that the imposition of fines administrative proceedings under this article for violations of this Regulations indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an addition to or substitute for the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case shall be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well as the number of stakeholders affected and the level of damage and damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the controller or the person in charge of the processing, taking into account the technical or organizational measures that have applied under articles 25 and 32; e) any previous infringement committed by the person in charge or in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to put remedy the breach and mitigate the potential adverse effects of the breach; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particularly if the person in charge or the person in charge notified the infringement and, in such a case, what extent; i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person in charge or in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, direct or indirectly, through the infringement. In relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its Article 76, "Sanctions and corrective measures", establishes that: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/11 "2. In accordance with the provisions of article 83.2.k) of the Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) Linking the activity of the offender with the performance of processing of personal data. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected party could have led to the commission of the offence. e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The affectation of the rights of minors. g) Have, when it is not mandatory, a data protection delegate data. h) The submission by the person in charge or in charge, with character voluntary, alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested." - In accordance with the precepts transcribed, for the purpose of setting the amount of the sanction for the infringement typified in article 83.5.a) and article 6.1 of the GDPR of the that the defendant is held responsible, the following factors are considered concurrent as aggravating circumstances: The categories of personal data affected by the infringement; We must not forget that we are facing the infringement of a fundamental right aggravated by the category of data processed, since the image that is disseminated is of minors (article 83.2.g) of the GDPR). The intentionality or negligence in the infraction. Connected this circumstance with the degree of diligence that the data controller is obliged to deploy in compliance with the obligations imposed by the regulations of Data Protection; the SAN of 10/17/2007 can be cited, which although it was issued before of the validity of the GDPR, its pronouncement can be perfectly extrapolated to the Of course we analyze The ruling, after alluding to the fact that the entities in which that the development of its activity involves continuous processing of customer data and third parties must observe an adequate level of diligence, specified that "(...) the The Supreme Court has understood that there is imprudence whenever disregards a legal duty of care, that is, when the offender does not behave with the due diligence” (article 83.2, b) of the GDPR). Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been accredited, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE NANDIVALE, S.L., with NIF B66070012, for a violation of the Article 6.1 of the GDPR, typified in Article 83.5.a) of the GDPR, a fine of 10,000 € (ten thousand euros). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/11 SECOND: NOTIFY this resolution to NANDIVALE, S.L. Warn the penalized person that they must make the imposed sanction effective once the This resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment term established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by means of its income, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX), opened on behalf of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A. Otherwise, it will proceed to its collection in executive period. Once the notification has been received and once executed, if the execution date is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th day of the following or immediately following business month, and if is between the 16th and the last day of each month, both inclusive, the term of the Payment will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reversal before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be temporarily suspended in administrative proceedings If the interested party expresses his intention to file a contentious appeal- administrative. If this is the case, the interested party must formally communicate this made by writing to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Also must transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency were not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, would terminate the injunction suspension C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/11 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es