AEPD (Spain) - PS/00292/2019

From GDPRhub
Revision as of 15:05, 19 February 2020 by Juliette Leportois (talk | contribs)
AEPD - PS/00292/2019
LogoAT.png
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(b) GDPR
Article 83(2)(b) GDPR
Article 83(2)(g) GDPR
Article 83(5)(a) GDPR
Article 4 Directive 2002/58/EC
§ 45 AVG
Type: Complaint
Outcome: Upheld
Started:
Decided: n/a
Published: 10. 2.2020
Fine: None
Parties: Anoymous
National Case Number/Name: PS/00292/2019
European Case Law Identifier: n/a
Appeal: Rejected
BVwG (Austria)
PS/00292/2019
Original Language(s): Spanish
Original Source: AEPD (in es)
Initial Contributor: n/a

The AEPD imposed a 1.000 € fine for a fake ad containing personal data in a website site aimed at offering services for adults, without the consent of the data subject.

English Summary

Facts

A website containing aimed at offering services for adults published the picture, name, telephone number and a sexual related description of a citizen – the complainant - as a contact person for the performance of those services without her consent. Followings the publication of her personal data on the website, the complainant received unsolicited phone calls from people who wanted to have sex with her. The complainant pointed it out that the pictures published had been obtained from her work intranet with an external IP address. Thus, she filed a complaint with the AEPD against the IP address owner which added her personal data on the website. Therefore, she complained that the advertiser who added the ad unlawfully processed her personal data and did not sue the service provider which removed the publication immediately.

Dispute

The AEPD had to pronounce itself on the legal basis of the processing of personal data – consent or performance of a contract – and had to decide which circumstances should be take into account for the administrative fine.

Holding

The AEPD stated that it was clear from the procedure that the advertiser added a fake ad on the web portal, containing the personal data of the complainant without her consent. Thus, it considered that the personal data published on the website were not necessary for the performance of the contract between the advertiser and the website. Therefore, it concluded that the advertiser violated Article 5(1)(a) and 6(1)(b) GDPR. In addition, the AEPD decided to impose a fine of 1.000 € in accordance with Article 83(5)(a) by taking into consideration that the action is intentional (Article 83(2)(b) GDPR), and that the personal data are sensitive (Article 83(2)(g) GDPR).


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.

to be completed