AEPD (Spain) - EXP202204530

From GDPRhub
Revision as of 13:26, 13 December 2023 by Ar (talk | contribs) (Ar moved page AEPD (Spain) - PS/00558/2022 to AEPD (Spain) - EXP202204530)
AEPD - PS/00558/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 83(5)(b) GDPR
Type: Complaint
Outcome: Upheld
Started: 08.03.2022
Decided: 28.08.2023
Published: 28.08.2023
Fine: 10,000 EUR
Parties: n/a
National Case Number/Name: PS/00558/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA fined an individual €10,000 for publishing a video of a data subject in a vulnerable situation, without his consent, violating Article 6 (1) GDPR.

English Summary

Facts

In January 2022, the data subject was on a public road with his dog, feeling unwell due to the ingestion of alcoholic beverages. When the data subject stopped, an unknown person approached in a car, holding a mobile phone from the driver's seat.

Without the data subject’s consent, the driver recorded him on that public road for 1 minute and 35 seconds. The data subject's face is visible in the video and he is perfectly recognisable.

Allegedly, the data subject was in very bad physical condition due to the ingestion of alcoholic beverages, holding on to the litter bin. The video was disseminated and disclosed by its author and by other unknown persons, at first via WhatsApp, both to individual users and to WhatsApp groups, and was later published and disseminated on other social networks: Facebook, Instagram, Twitter and YouTube.

In September 2022, it was confirmed that Facebook had removed the video in question.

Holding

The Spanish DPA fined an individual €10,000 for publishing a video of a data subject in a vulnerable situation, without his consent, violating Article 6 (1) GDPR.

In its decision, the AEPD concluded that the respondent disseminated through social networks a video of the data subject, in which he appears in a clearly delicate situation, without his consent or any other legal basis for processing under Article 6(1) GDPR.

In the video, the face of the data subject is visible, which allows him to be clearly identified.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202204530



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency, and based
on the following


                                  BACKGROUND

FIRST: On 03/08/2022, this Agency received a claim submitted by A.A.A. (hereinafter, the complaining party) for a possible breach of the provisions of the personal data protection regulations.

The statement of claim reproduces a complaint filed by the complaining party, which states the following:


“Complaint for massive dissemination of a video recorded without the consent of the victim, on social networks (Facebook, Instagram, etc.) and WhatsApp.

[…]

FIRST.- On January 6, 2022, around 3 a.m., he was in the ***ADDRESS.1, with his dog (…). My client (…) found himself quite unwell due to the probable ingestion of alcoholic beverages, for which reason it was to stop (…).

SECOND.- Subsequently and due to the video that we will now indicate, apparently an unknown person approached driving his vehicle and, with his cell phone from the driver's seat, without the consent of my client, recorded my client on the aforementioned public road for a recording period of 1 minute and 35 seconds (…).

In it, it is clearly observed how the driver of the vehicle approaches with the vehicle and records my client with evident bad faith, to such an extent that he tells him (he transcribes part of what is said in the video).

In the image it is clearly observed how my client was in very poor physical condition as described above, holding on to the trash can.

We understand that the attitude of the person who records the video is completely inconsiderate and disproportionate, laughing and mocking D. A.A.A., without any cause, and he does not even offer to help him in such a situation, omitting all possible help.

In the video it is evident that the face of my client can be seen, being perfectly recognizable. My client is not a public person.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/9








THIRD.- The aforementioned video has been disseminated and disclosed by the author and by other unknown people, initially via the WhatsApp application, both to individual users and to WhatsApp groups, but it has also been published and disseminated through social networks: Facebook, Instagram, Twitter and YouTube; to the point that it has had repercussions throughout the national territory (...).

Links are provided to the posts on different social networks and to the people who have carried out massive dissemination (…)”


SECOND: On 04/19/2022, in accordance with article 65 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the claim presented by the complaining party was admitted for processing.

THIRD: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points:

After requests to delete the content still published were sent to the claimed party, on 05/06/2022 and 06/07/2022, the content was only deleted from the address of the social network FACEBOOK ***URL.1. Likewise, on 07/07/2022, an agreement was issued to adopt a provisional measure requiring the claimed party to remove and block the reported content.

In response to the precautionary measure of urgent withdrawal issued on 08/17/2022 to the provider of the FACEBOOK social network service, on 09/12/2022 it is verified that the video indicated in the claim at the internet address ***URL.2 has been removed.

FOURTH: On 12/23/2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 6.1 of the GDPR, typified in article 83.5.a) of the GDPR.

The initiation agreement was notified to the claimed party by postal mail on 01/17/2023, as stated in the acknowledgment of receipt in the file. Once the period granted for the formulation of allegations has elapsed, this Agency has not received any allegation from the claimed party.

FIFTH: On 05/08/2023, the instructing body prepared a proposed resolution in which it proposed to sanction the claimed party with a fine of €10,000.00 for the violation of article 6.1 of the GDPR, typified in article 83.5.a) of the GDPR.

The proposed resolution was notified to the claimed party by postal mail on 06/05/2023, as stated in the acknowledgment of receipt in the file. Once the period granted for the formulation of allegations has elapsed, this Agency has not received any allegation from the claimed party.


                                PROVEN FACTS

FIRST: On 01/07/2022 the claimed party publishes on its Facebook profile, under the title “***TITLE.1”, a video of the complaining party, without his consent, in which he appears in an obvious state of intoxication. The duration of the video is one minute and thirty-five seconds.

SECOND: On 04/20/2022 it is verified that, of all the links reported by the complaining party, the video that is the object of the complaint is only available on the Facebook profile of the claimed party. Specifically, at the following Internet addresses:

    - ***URL.1
    - ***URL.2

THIRD: On 09/12/2022 it is confirmed that META PLATFORMS IRELAND LIMITED (through FACEBOOK SPAIN, S.L.) has removed the video in question from the social network Facebook and, specifically, from the links indicated above.



                           FUNDAMENTALS OF LAW

                                            I

                          Competence and applicable regulations

In accordance with the powers that article 58.2 of the GDPR grants to each supervisory authority and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

                                           II
                                  Previous issues


Article 4 “Definitions” of the GDPR defines the following terms for the purposes of the Regulation:

"1) 'personal data': any information about an identified or identifiable natural person ("the interested party"); an identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of said person;”

“2) 'processing': any operation or set of operations performed on personal data or sets of personal data, whether or not by automated procedures, such as collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collation or interconnection, limitation, deletion or destruction;”

In the present case, in accordance with article 4.1 of the GDPR, the physical image of a person is personal data. Accordingly, its inclusion in web pages, forums or publications in a way that identifies a person or makes a person identifiable involves processing of personal data.

                                            III

                     Legality of the processing of personal data

The principles that must govern the processing are listed in article 5 of the GDPR. In this sense, section 1 letter a) states that: “Personal data will be:

    a) Processed in a lawful, fair and transparent manner in relation to the interested party
        (lawfulness, fairness and transparency);

        (…)”


The principle of lawfulness is fundamentally regulated in article 6 of the GDPR. The cases that allow the processing of personal data to be considered lawful are listed in article 6.1 of the GDPR:

“1. Processing will only be lawful if at least one of the following conditions is met:

    a) the interested party gave his/her consent to the processing of his/her personal data for one or more specific purposes;

    b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application, at his request, of pre-contractual measures;

    c) the processing is necessary for compliance with a legal obligation applicable to the person responsible for the processing;

    d) the processing is necessary to protect vital interests of the interested party or of another natural person;

    e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for the processing;

    f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the processing or by a third party, provided that said interests are not overridden by the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.

        The provisions of letter f) of the first paragraph will not apply to the processing carried out by public authorities in the exercise of their functions.”


Likewise, Recital 40 of the aforementioned GDPR provides that “In order for the processing to be lawful, personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance with Law, whether in this Regulation or by virtue of other Union law or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the data controller or the need to execute a contract to which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract.”

In light of the documentation in the administrative file, it is evident that the claimed party disseminated a video of the complaining party, in which he appears in a delicate situation, without the legal basis provided for in article 6.1 of the GDPR that would legitimize the processing of his image (the complaining party expressly indicating that he did not give his consent). Throughout the minute and thirty-five seconds that the video lasts, the face of the affected person can be seen in full, allowing him to be clearly identified.

Consequently, in accordance with the evidence available at the present moment of resolution of the sanctioning procedure, it is considered that the known facts constitute an infringement, attributable to the claimed party, for violation of article 6.1 of the GDPR.


                                            IV.
          Classification and qualification of the violation of article 6.1 of the RGPD

The aforementioned violation of article 6.1 of the GDPR implies the commission of the infringement typified in article 83.5.a) of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to 4% of the total global annual business volume of the previous financial year, choosing the highest amount:

    a) The basic principles for processing, including the conditions for
        consent under articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following:

    a) (…)

    b) The processing of personal data without any of the conditions of lawfulness
       of processing established in article 6 of Regulation (EU) 2016/679
       being met. (…)”.


                                           V
                  Penalty for violation of article 6.1 of the GDPR

The corrective powers available to the Spanish Data Protection Agency, as a supervisory authority, are established in article 58.2 of the GDPR. Among them are the power to impose an administrative fine in accordance with article 83 of the GDPR -article 58.2 i)-, or the power to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where applicable, in a certain manner and within a specified period -article 58.2 d).

In the present case, taking into account the facts presented, it is considered that the sanction that should be imposed is an administrative fine. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with article 83.1 of the GDPR. In order to determine the administrative fine to be imposed, the provisions of article 83.2 of the GDPR must be observed, which indicates:

"2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:

a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages that they have suffered;

b) intentionality or negligence in the infringement;


c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties;

d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;

i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the controller or processor in question in relation to the same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or to certification mechanisms approved in accordance with article 42;

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

For its part, in relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its article 76, "Sanctions and corrective measures", provides:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of said article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuous nature of the infringement.

b) The link between the activity of the offender and the performance of personal data processing.

c) The benefits obtained as a consequence of the commission of the infringement.

d) The possibility that the conduct of the affected party could have induced the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Having, when not mandatory, a data protection delegate.

h) The submission by the controller or processor, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party."

The following are considered aggravating circumstances:

    - The nature, severity and duration of the infringement, taking into account the
       nature, scope or purpose of the processing operation in question,
       as well as the level of damages suffered; the claimed party publishes
       the personal data consisting of the image of the complaining party, since it
       broadcasts a video of him in a delicate situation, mocking him, which allows
       him to be uniquely identified (art. 83.2.a) GDPR).

    - The offender's conduct reflects a clear intention to denigrate the complaining
       party, since he spreads the video through social networks whose
       diffusion is immediate (art. 83.2.b) GDPR).

The balance of the circumstances contemplated, with respect to the infringement committed by violating the provisions of article 6.1 of the GDPR, allows setting a fine of €10,000.00 (ten thousand euros).

Therefore, in accordance with the applicable legislation and having evaluated the criteria for graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on B.B.B., with NIF ***NIF.1, for a violation of article 6.1 of the GDPR, typified in article 83.5.b) of the GDPR, a fine of €10,000.00 (ten thousand euros).


SECOND: NOTIFY this resolution to B.B.B., with NIF ***NIF.1.

THIRD: Warn the sanctioned party that he must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of the LPACAP, within the voluntary payment period established in article 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to article 62 of Law 58/2003, of December 17, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the header of this document, in the restricted account number IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once the notification is received and once enforceable, if the enforceability date is between the 1st and 15th of each month, both inclusive, the deadline to make the voluntary payment will be until the 20th of the following month or the immediately following business day, and if it is between the 16th and last day of each month, both inclusive, the payment period will be until the 5th of the second following month or the immediately following business day.


In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month counting from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

Finally, it is noted that in accordance with the provisions of article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended administratively if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. He must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.


                                                                                 938-181022
Mar España Martí
Director of the Spanish Data Protection Agency














