AEPD (Spain) - PS/00028/2020

From GDPRhub
Revision as of 12:30, 13 October 2020 by Miguel Garrido de Vega (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00028/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 06.10.2020
Fine: 4000 EUR
Parties: Callesgarcía, S.C.
National Case Number/Name: PS/00028/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

6 October 2020 - The Spanish Data Protection Agency (AEPD) decided to impose a fine up to 4,000 € on business partnership Callesgarcía, S.C. (the defendant) for the infringement of the lawfulness principle, as per Article 6 of the GDPR.

English Summary

Facts

The decision is the consequence of a complaint submitted by a Spanish citizen stating that the defendant had unauthorizedly used a picture of his/her wedding (taken by a third party) in order to make promotion and advertising of its business.

Dispute

The defendant did not answer the AEPD investigation requests, so the AEPD started the corresponding sanction procedure.

Holding

Thus, the AEPD understood that the defendant has infringed the lawfulness principle included at Article 6 GDPR, as it has processed the personal data of the Spanish citizen without his/her consent. Consequently, after considering some circumstances [(i) there is an unintended negligent conduct by the defendant, and (ii) basic personal data are affected], the AEPD decided to impose a fine of 4,000 € to the defendant.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Page 1
1/6Procedure Nº: PS / 00028/2020RESOLUTION OF SANCTIONING PROCEDUREOf the procedure instructed by the Spanish Agency for Data Protection andbased on the followingBACKGROUNDFIRST: AAA (hereinafter, the claimant) dated June 21, 2019filed a claim with the Spanish Agency for Data Protection.The claim is directed against CALLESGARCIA SC, with NIF J10460640 (inahead, the claimed one) because he is using a photo from his wedding report,made by the photographer BBB , to publicize his business, despite not havingwith your authorization to do so.SECOND: It is about informing the defendant of this claimon August 4, 2019 requiring you to refer to this within a monthAgency, information on the response given to the claimant for the factsreported, as well as the causes that have motivated the incidence and the measuresadopted to adapt its "Privacy Policy" to article 13 of the Regulation (EU)2016/679 of the European Parliament and of the Council of April 27, 2016 (RGPD).The Spanish Agency for Data Protection sends its notifications andelectronic communications through the Notific @ platform that sends thenotifications to the Citizen Folder and Enabled Electronic Address systems of theMinistry of Finance and Public Administration.Having sent the attached letter in relation to the fileE / 07129/2019 through the Notific @ system, according to art. 43.2 and 43.3 of the aforementionedLPACAP, the notification will be considered rejected when ten days have elapsednatural from the provision of the notification without accessing itscontent, understanding fulfilled the obligation to notify with the releasedisposition of the notification in the electronic office or in the electronic addressenabled only.Since you have not acceded to the aforementioned notification, exceptionally,informative title we proceed to its remission by postal mail on September 11,2019, reminding you that, from now on, notifications will be madeelectronically in accordance with the LPACAP.However, such request was returned by post, claiming “absent fromdistribution"C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/6THIRD: On February 25, 2020, the Director of the Spanish Agency forData Protection agreed to initiate a sanctioning procedure to the claimed, by thealleged infringement of article 6 of the RGPD, typified in article 83.5 of the RGPD.FOURTH: On July 29, 2020, a resolution proposal was formulated,proposing that the Director of the Spanish Agency for Data Protectionsanction CALLESGARCIA SC, with NIF J10460640 , for an infraction of article6 of the RGPD, typified in article 83.5 of the RGPD, in relation to article 72.1 b)of the LOPDGDD, with a fine of € 4,000 (four thousand euros).In view of all the actions, by the Spanish Protection Agencyof Data in this procedure the following are considered proven facts,ACTSFIRST: The defendant has used a photo from the claimant's wedding report,made by the photographer BBB , to publicize his business, despite not havingwith the authorization or consent of the claimant to do so.SECOND: It is about informing the defendant of this claim,without positive result, despite the repeated attempt by this Agency, by means ofelectronic and through postal mail.FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority, and as established in articles 47 and 48 of the LOPDGDD,the Director of the Spanish Data Protection Agency is competent to initiateand to solve this procedure.IIOrganic Law 3/2018, of December 5, on the Protection of Personal Dataand guarantee of digital rights, in its article 4.11 defines the consent of theinterested as “ any manifestation of free will, specific, informed andunequivocal by which the interested party accepts, either through a declaration or aclear affirmative action, the processing of personal data that concerns you ”.Article 6.1 of the RGPD establishes the following:1. The treatment will only be lawful if at least one of the following is metterms:a) the interested party gave their consent for the processing of their datapersonal for one or more specific purposes;C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/6b) the treatment is necessary for the performance of a contract in which theinterested is part or for the application at the request of this of measurespre-contractual;c) the treatment is necessary for the fulfillment of a legal obligationapplicable to the person responsible for the treatment;d) the treatment is necessary to protect vital interests of the interested party orof another natural person;e) the treatment is necessary for the fulfillment of a mission carried out inpublic interest or in the exercise of public powers conferred on the person responsible fortreatment;f) the treatment is necessary for the satisfaction of legitimate interestspursued by the data controller or by a third party, provided that onsaid interests do not prevail the interests or the rights and freedomsfundamental data of the interested party that require the protection of personal data, inparticular when the interested party is a child.The provisions of letter f) of the first paragraph shall not apply to thetreatment carried out by public authorities in the exercise of their functions.In this sense, Article 6.1 of the RGPD establishes that “ in accordance withthe provisions of the Article 4.11 of Regulation (EU) 2016/679, is understood byconsent of the affected party any manifestation of free will, specific,informed and unequivocal by which it accepts, either through a statement ora clear affirmative action, the treatment of personal data that concerns him ”.IIIIn accordance with the evidence available, it is considered that,the denounced events, that is, use the photographic report of the wedding of theclaimant, for advertising purposes without the claimant's consent,suppose the violation of art. 6 of the RGPD.IVArticle 72.1.b) of the LOPDGDD states that “ depending on what it establisheshe Article 83.5 of Regulation (EU) 2016/679 are considered very serious andThe infractions that suppose a substantial violation will prescribe after three yearsof the articles mentioned therein and, in particular, the following:c) The processing of personal data without any of the conditionsof legality of the treatment in the Article 6 of Regulation (EU) 2016/679. "VArticle 58.2 of the RGPD provides the following: “Each control authoritywill have all of the following corrective powers listed below:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/6b) sanction any person responsible or in charge of the treatment withwarning when the processing operations have violated the provisions ofthese Regulations;d) order the person in charge of the treatment that the operations oftreatment are in accordance with the provisions of this Regulation, where appropriate,in a certain way and within a specified time;i) impose an administrative fine in accordance with article 83, in addition or inplace of the measures mentioned in this section, depending on the circumstancesof each particular case;SAWThis offense can be sanctioned with a fine of € 20,000,000 maximumor, in the case of a company, an amount equivalent to a maximum of 4% of thetotal annual global business volume of the previous financial year, opting for thehigher amount, in accordance with article 83.5 of the RGPD.Likewise, it is considered that the sanction to be imposed should be adjusted according towith the following criteria established in article 83.2 of the RGPD:As aggravating factors the following: In the present case we are dealing with unintentional negligent action, but it signifiesidentified catives (article 83.2 b) Basic personal identifiers -image- are affected (art 83.2g)VOn the other hand, article 83.7 of the RGPD provides that, without prejudice to thecorrective powers of the control authorities pursuant to art. 58, paragraph 2,Each Member State may lay down rules on whether and to what extent it is possible toimpose administrative fines on authorities and public bodies established inthat Member State.Therefore, in accordance with the applicable legislation and the criteria ofgraduation of sanctions whose existence has been proven,the Director of the Spanish Agency for Data Protection RESOLVES:FIRST: IMPOSE CALLESGARCIA SC, with NIF J10460640 , for aviolation of article 6 of the RGPD, typified in article 83.5 of the RGPD, in relation towith article 72.1 b) of the LOPDGDD, a fine of € 4,000 (four thousand euros).C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/6SECOND: NOTIFY this resolution to CALLESGARCIA SC, with NIFJ10460640 .THIRD: Warn the sanctioned person that the sanction imposed by aOnce this resolution is enforceable, in accordance with the provisions of theart. 98.1.b) of Law 39/2015, of October 1, on Administrative ProcedureCommon of Public Administrations (hereinafter LPACAP), within the payment periodvoluntary established in art. 68 of the General Collection Regulations, approvedby Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,of December 17, by means of their entry, indicating the NIF of the sanctioned person and the numberof procedure that appears in the heading of this document, in the accountrestricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the AgencySpanish Data Protection Agency in the bank CAIXABANK, SA. In caseOtherwise, it will be collected in the executive period.Once the notification has been received and once it is executed, if the date of execution isfinds between the 1st and 15th of each month, both inclusive, the deadline to carry out thevoluntary payment will be until the 20th of the following or immediately subsequent business month, and ifis between the 16th and last days of each month, both inclusive, the term of thePayment will be up to the 5th of the second following or immediate business month.In accordance with the provisions of article 50 of the LOPDGDD, theThis Resolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to the administrative procedure in accordance with art.48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of theLPACAP, the interested parties may optionally file an appeal for reversalbefore the Director of the Spanish Agency for Data Protection within a period ofmonth from the day after notification of this resolution or directlycontentious-administrative appeal before the Contentious-Administrative Chamber of theNational High Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-administrative jurisdiction, within a period of two months from theday following notification of this act, as provided in article 46.1 of thereferred Law.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of theLPACAP, the final resolution may be suspended in an administrative wayIf the interested party expresses his intention to file a contentious appeal-administrative. If this is the case, the interested party must formally communicate thismade by writing to the Spanish Agency for Data Protection,Presenting it through the Electronic Registry of the Agency[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the restrecords provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Toomust forward to the Agency the documentation that proves the effective filingof the contentious-administrative appeal. If the Agency is not aware of thefiling of the contentious-administrative appeal within a period of two months from theday after the notification of this resolution, would terminate theprecautionary suspension.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/6
Mar España Martí
Director of the Spanish Agency for Data Protection