AEPD (Spain) - EXP202310185
| AEPD - EXP202310185 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 06.06.2023 |
| Decided: | |
| Published: | 18.07.2024 |
| Fine: | 600 EUR |
| Parties: | n/a |
| National Case Number/Name: | EXP202310185 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA fined a councillor €600 for lacking a legal basis to post a municipal plenary session note containing the personal data of the individual who filed the local complaint in a Facebook group with 400 people.
English Summary
Facts
A data subject filed a complaint with his local municipality which was later dismissed. A councillor of the municipality’s town council (the controller) published a note of a municipal plenary session containing the personal data of the data subject and his wife on his personal Facebook profile as well as in a Facebook group of 400 people.
On 6 June 2023, a data subject filed a complaint with the Spanish DPA (AEPD) concerning the publication. The data subject claimed that the controller intended to publicly shame the data subject.
On August 24, 2023, the municipality responded to the complaint by noting that the publication was posted on the personal profile of the controller, not on any account of theirs. Nonetheless, it argued that the personal data in the post is not sensitive and that, in any case, it was not possible to omit the data because the agreement was directed against the data subject and the session was public. The municipality also mentioned that the data subject had been condemned by the town council; in fact, the published note from the municipal plenary session concerned the possibility of criminal proceedings against the data subject and his wife for false accusations. Two weeks later, the controller provided similar arguments to the AEPD. It acknowledged that it posted the document containing personal data on its profile.
Holding
On 28 May 2024, the AEPD initiated sanctioning proceedings against the controller. The AEPD considered that the publication of the name of the data subject and his wife on the controller’s personal profile and in a Facebook group of 400 people constituted processing of personal data pursuant to the GDPR. The controller did not have a legal basis under Article 6(1) GDPR for this processing.
The AEPD recommended a sanction of €1,000 and instructed the controller to eliminate the published content from his profile and the Facebook group in which he posted it.
Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €600.
Comment
In noting that the posting of the personal data to a personal account and to a group containing 400 people constitutes processing under the GDPR, the AEPD seems to consider that an audience of 400 does not meet the household activity or purely personal exemption from the GDPR pursuant to Article 2(c) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202310185
RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On May 28, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against B.B.B. (hereinafter, the respondent party), through the Agreement transcribed below: <<
File No.: EXP202310185
AGREEMENT TO START SANCTIONING PROCEDURE
From the actions carried out by the Spanish Data Protection Agency and based on the following
FACTS
FIRST: On 06/06/2023, this Agency received a document submitted by A.A.A. (hereinafter, the complaining party), through which it files a claim against B.B.B. with NIF ***NIF.1 (hereinafter, the respondent party), for a possible breach of the provisions of the personal data protection regulations. The reasons on which the claim is based are the following:
“B.B.B. being aware of a complaint filed and later dismissal of the same and using the position of councilor of the City Council of ***LOCALITY.1, publishes a note from a municipal plenary session as proven, attaching personal data of myself and my wife, with the purpose of creating defenselessness and public lynching since it is not only based on publishing it on his personal profile, but also, he expands it to a group of 400 people, ***GROUP.1, many of them neighbors of the Municipality, in order to create a damage to the image of both me and my wife. (…)”
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
In addition, the respondent distributed this note in a group made up of 400 people, ***GROUP.1, many of them residents of the municipality, with the aim of damaging his image and that of his wife.
Along with the claim, the following is provided:
Screenshots of the publication subject to the claim made on 05/26/2023 at 8:10 a.m. on the personal profile of the Facebook social network of the respondent (B.B.B.)
and in the group on that social network “***GROUP.1…”. Its content states: “(…).”.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), on 24 and 26/07/2023, said claim was transferred to the respondent party and to the City Council of ***LOCALIDAD.1, so that they could proceed with its analysis and inform this Agency within one month of the actions carried out to comply with the requirements provided for in the data protection regulations.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on August 22 and 01, 2023, as stated in the acknowledgment of receipt that is in the file, respectively.
On August 24, 2023, this Agency received a written response from the City Council of ***LOCALIDAD.1 in a timely manner, in which it stated the following:
Prior nature.
- The claimant has been convicted by final judgments for coercion of (…). In fact, one of the points to be discussed that appear in the published municipal plenary note deals with the possibility of bringing criminal actions against the claimant and his wife for false accusations.
- The complainant filed a complaint and subsequently filed a complaint against (…); both cases were dismissed. Furthermore, the complainant published the admission of the complaint on social networks where the name of (…) appears, and provided it to the media.
- The complainant did not exercise any right in relation to this matter before the City Council of ***LOCALITY.1.
That the Provincial Office for the Protection of Personal Data of (…) acts as the Data Protection Officer of the City Council of ***LOCALITY.1.
That the publication that is the subject of the complaint was published on the personal profile of the complainant, not on that of the City Council, and that it transcribes a call to the Plenary Session where the principle of publicity of the plenary sessions is set out and specified.
That the data that appear in the publication are not sensitive, only nominal; its omission is not possible since the proposal for agreement is addressed to the complainant and the session is public. It mentions the Seventh Additional Provision of the LOPDGDD.
Along with the document, the following documentation was provided:
- Document No. 1 “***DOCUMENT.1”.
- Document No. 2 “AEPD Resolution”
- Document No. 3 “AEPD Report”
On 05/09/2023, this Agency received a written response from the respondent party in a timely manner, in which it stated the same as that previously stated by the City Council.
THIRD: On 06/09/2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complainant was admitted for processing.
FUNDAMENTALS OF LAW
I Competence and procedure
In accordance with the powers granted to each supervisory authority by article 58.2 of the GDPR and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Preliminary questions
Article 4 “Definitions” of the GDPR defines the following terms for the purposes of the Regulation:
"1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person shall be any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
“2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
In the present case, pursuant to Article 4.1 of the GDPR, the display of the name and surname of the complainant and his wife in the publication of the respondent's personal Facebook profile and in the group “***GROUP.1…” constitutes processing of personal data; since it identifies or makes those affected identifiable.
III Lawfulness of processing personal data
The principles that must govern processing are listed in Article 5 of the GDPR. In this regard, section 1 letter a) states that:
“Personal data shall be:
a) Processed in a lawful, fair and transparent manner in relation to the data subject (lawfulness, fairness and transparency); (…)”
The principle of lawfulness is fundamentally regulated in Article 6 of the GDPR. The cases that allow the processing of personal data to be considered lawful are listed in Article 6.1 of the GDPR. GDPR: 1.
Processing will only be lawful if at least one of the following conditions is met:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take pre-contractual measures at the request of the data subject;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their tasks.”
In this regard, Recital 40 of the GDPR states that “For lawful processing, personal data must be processed with the consent of the data subject or on another legitimate basis established by law, either by this Regulation or by virtue of another Union or Member State law to which this Regulation refers, including the need to comply with a legal obligation applicable to the controller or the need to perform a contract with which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
In the specific case examined, as indicated, on 05/26/2023 the respondent party published on his personal profile on the social network Facebook (B.B.B.)
and in the group “***GROUP.1…” a text with the title “TITLE.1”. The publication contains data on a complaint filed by the complainant and his wife against (…) the City Council of ***LOCALITY.1, as well as the names and surnames of these (A.A.A. and C.C.C.).
In his response to the transfer, the respondent party acknowledged having made the publication subject to complaint on his personal profile, but that he limited himself to transcribing a call to a Plenary Session of the City Council of ***LOCALITY.1 without including sensitive data of the complainant and his wife, only nominal, and cannot be omitted in order to discuss the matter.
In accordance with Article 6.1 of the GDPR, in addition to consent, there are other possible bases that legitimize the processing of data without the need for the authorization of the data subject. In particular, when it is necessary for the execution of a contract to which the data subject is a party or for the application, at the request of the data subject, of pre-contractual measures, or when it is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of such data. Processing is also considered lawful when it is necessary for compliance with a legal obligation applicable to the data controller, to protect the vital interests of the data subject or another natural person or for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the data controller.
However, in the present case it is evident that the data processing carried out by the respondent party is not covered by any of the legal causes mentioned above.
Consequently, in accordance with the evidence available at this time of the agreement to initiate sanctioning proceedings, and without prejudice to what results from the investigation, it is considered that the known facts could constitute an infringement, attributable to the respondent party, for violation of article 6.1 of the GDPR.
IV Classification and qualification of the infringement of Article 6.1 of the GDPR
If confirmed, the aforementioned infringement of Article 6.1 of the GDPR could entail the commission of the infringement classified in Article 83.5 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides:
“Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, an amount equivalent to a maximum of 4% of the total global annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9; (…)”
For the purposes of the limitation period, article 72.1 “Infringements considered very serious” of the LOPDGDD indicates: “1.
In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations:
a) (…)
b) The processing of personal data without any of the conditions for the lawfulness of the processing established in article 6 of Regulation (EU) 2016/679; (…)”
V Proposal for a sanction for the infringement of article 6.1 of the GDPR
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the agreement to initiate sanctioning proceedings, and without prejudice to the results of the instruction, it is considered that the balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 6.1 of the GDPR, allows for an initial administrative fine of €1,000 (one thousand euros) to be set.
VI Adoption of measures
If the infringement is confirmed, it may be agreed to impose on the controller the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”. The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in art. 83.2 of the RGPD.
Specifically, the following are proposed as possible measures to be adopted, within 10 business days:
The elimination of the content published in the private profile of the social network Facebook of the respondent party (B.B.B.) and in the group “***GROUP.1…” that is the subject of the complaint.
It is noted that failure to comply with the possible order to adopt measures imposed by this body in the resolution that ends this procedure may be considered an administrative violation in accordance with the provisions of the RGPD, classified as an infraction in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency, IT IS AGREED:
FIRST: TO INITIATE SANCTIONING PROCEDURE against B.B.B., with NIF ***NIF.1, for the alleged violation of article 6.1 of the RGPD, classified in article 83.5.a) of the RGPD.
SECOND: TO APPOINT D.D.D. as instructor and, as secretary, E.E.E., indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the Subdirectorate General of Data Inspection in the actions prior to the start of this sanctioning procedure.
FOURTH: THAT for the purposes provided for in article 64.2 b) of the LPACAP, the sanction that may apply would be an ADMINISTRATIVE FINE of 1,000 (one thousand euros), without prejudice to the results of the investigation.
FIFTH: NOTIFY this agreement to B.B.B., with NIF ***NIF.1, granting him a hearing period of ten working days to formulate the allegations and present the evidence he considers appropriate.
In his written allegations he must provide his NIF and the file number that appears in the heading of this document.
If you do not make any objections to this initiation agreement within the stipulated period, it may be considered a resolution proposal, as established in article 64.2.f) of the LPACAP.
In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your responsibility within the period granted for the formulation of objections to this initiation agreement; which will entail a 20% reduction of the penalty to be imposed in this procedure. With the application of this reduction, the penalty would be set at €800.00 (eight hundred euros), and the procedure will be resolved with the imposition of this penalty.
Likewise, you may, at any time prior to the resolution of this procedure, make the voluntary payment of the proposed penalty, which will entail a 20% reduction of its amount. With the application of this reduction, the penalty would be set at €800.00 (eight hundred euros), and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
The reduction for voluntary payment of the fine can be added to the reduction that must be applied for the recognition of responsibility, provided that this recognition of responsibility is made clear within the period granted to make allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be set at €600.00 (six hundred euros).
In any case, the effectiveness of either of the two reductions mentioned will be subject to the withdrawal or waiver of any action or appeal in administrative proceedings against the fine.
If you choose to make a voluntary payment of any of the amounts indicated above (€800.00 or €600.00), you must make the payment by depositing it into the account number IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXX) opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you are entitled.
You must also send proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid.
The sanctioning procedure will have a maximum duration of twelve months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, the procedure will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.
935-30102023
Mar España Martí
Director of the Spanish Data Protection Agency >>
SECOND: On June 4, 2024, the respondent party has proceeded to pay the penalty in the amount of 600 euros using the two reductions provided in the Agreement of initiation transcribed above, which implies the recognition of responsibility.
THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any action or appeal in administrative course against the penalty and the recognition of responsibility in relation to the facts referred to in the Agreement of Initiation.
FOURTH: The aforementioned initiation agreement indicated that, if the infringement is confirmed, it may be agreed to impose on the controller the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”.
Having recognized the responsibility for the infringement, the imposition of the measures included in the initiation agreement is appropriate.
BASIS OF LAW
I Competence
In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Termination of the procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures" provides the following: "1.
Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is of a purely monetary nature or when it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.”
In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DECLARE the termination of procedure EXP202310185, in accordance with the provisions of article 85 of the LPACAP.
SECOND: ORDER B.B.B. to notify the Agency within 10 days from the date this resolution becomes final and enforceable of the adoption of the measures described in the legal grounds of the initiation Agreement transcribed in this resolution.
THIRD: NOTIFY this resolution to B.B.B..
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.
1259-16012024
Mar España Martí
Director of the Spanish Data Protection Agency