AEPD (Spain) - PS/00491/2020
AEPD - PS/00491/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 06.04.2021 |
Published: | |
Fine: | 8000 EUR |
Parties: | HIGHCLIFFE ESTATES MARBELLA, S.L. BUSINESS & LAW PARTNERS |
National Case Number/Name: | PS/00491/2020 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | Francesc Julve Falcó |
The Spanish DPA fined a real estate company €8000 for a violation of Article 6(1) GDPR and issued a warning for a violation of Article 13 GDPR.
English Summary
Facts
A law firm filed a complaint before the AEPD on 29 July 2020 against a real estate company for failing to comply with the GDPR on its corporate website (www.higclffeestates.com).
The complaint was based:
- Firstly, on the lack of information regarding the processing of data collected by the form of the website.
- Secondly, on the fact that the image and personal data of one of the partners of the complainant's law firm was displayed without their consent.
- Lastly, on the fact that the Privacy Policy of the company's website made reference to the derogated Data Protection Act from 1999.
Dispute
- Can the reference to a repealed law in the privacy policy be considered to constitute a breach of Article 13 of the GDPR?
- Is the publication of a photograph and personal data without the data subject's express consent a violation of Article 6 (1) GDPR?
Holding
The AEPD found that publishing the image of the data subject without his consent was a violation of Article 6 (1) GDPR, and decided to fine the controller €8000.
Secondly, the AEPD decided that the lack of the necessary information and making reference to the derogated Data Protection Act was a violation of Article 13 GDPR and issued a warning to the controller.
The AEPD took into account the following aggravating factors (Article 83 (2) GDPR) to determine the level of the sanction:
- It is an intentional negligent action (art. 83 (2) (b) GDPR).
- The AEPD became aware of the infringement through the complainant's filing of a complaint (Art. 83 (2) (h) GDPR).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6 Procedure No.: PS / 00491/2020 RESOLUTION OF SANCTIONING PROCEDURE In the sanctioning procedure PS / 00491/2020, instructed by the Spanish Agency for Data Protection, to the entity, HIGHCLIFFE ESTATES MARBELLA, S.L., with CIF .: B93407872, owner of the website: www.higcliffeestates.com, (hereinafter, “the entity claimed ”), by virtue of the claim presented by the entity, BUSINESS & LAW PARTNERS with CIF .: B87322913, (hereinafter, “the claimant entity”), by alleged violation of data protection regulations, and taking into account the following following: BACKGROUND FIRST: On 07/29/20, the complaining entity sent this Agency a written claim, indicating, among others: "It has been known that the website www.higcliffeestates.com does not comply the regulations on the processing of personal data reflected in the LOPDGDD and the GDPR. The website lacks a Legal Notice, Privacy Policy and a acceptance of this policy in the contact form where data from personal character. Therefore, the treatment that will be given to the data is unknown. collected ”. In addition, within the web page, (…) the following link: *** URL.1, as stated verified. a warning is reached in which the image of one of the partners of the BUSINESS & LAW office, without their consent ”. SECOND: In view of the facts presented in the claim and the documents provided by the claimant, the SG of Data Inspection proceeded to carry out actions for its clarification, under the protection of the powers of investigation granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (GDPR). Thus, dated 10/06/22, an informative request is addressed to the entity claimed. According to a certificate from the State Postal and Telegraph Society, the request to send to the claimed entity, on 10/06/20, through the SICER service, it was returned to origin with the message of "unknown" on 10/28/20. THIRD: On 12/17/20 by the Director of the Spanish Agency for Data Protection an agreement is issued for the admission of processing of the complaint presented. given by the claimant, in accordance with article 65 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (LPDGDD), considering that the response given by the complainant to this Agency In relation to the facts claimed, it does not prove its submission to the current legislation. people. FOURTH: by this Agency, checks are made on the Policy of Privacy, Legal Notice and Cookie Policy of the reported website, www.higcliffeestates.com, verifying the following characteristics in this regard: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/6 - About the processing of personal data on the website: On the home page, through the link <<contact>>, located at the bottom of the itself, is redirected to a form, http://www.highcliffeestates.com/en/contact, where Users' personal data is collected, such as name, telephone number and email. On the same page where the form is located http://www.highcliffeestates.com/en/contact, there is the following information about the responsible for the processing of personal data: - e-mail: info @ highcliffeesta- tes.com, - Telephone +34 661 869 811. - About the "Privacy Policy" of the website: Through the link << Privacy Policy >>, existing at the bottom of the page contact details indicated above, as well as at the bottom of the main page, the web redirects to a new page, http://www.highcliffeestates.com/es/politica-priva- city, which provides, the identification of the person responsible for data processing personal, on intellectual and industrial property, the responsibility of the content nests; Reproduction of content; on the legitimacy of the processing of personal data sonal and the exercise of user rights; and on the applicable law - About the "Cookies Policy" of the website: On the initial page of the indicated website (first layer), no banner is displayed to report the use of cookies, however, it is verified that only uses a session cookie, for technical purposes, as indicated by the entity in its "Privacy Policy". - On the non-consensual treatment of personal data: Within the web page (…) and following the link: *** URL.1, (…) you can see the photograph of a person and a "Notice to Local Agencies", warning of the alleged actions of two people belonging to the complaining entity. FOURTH: In view of the facts denounced and the evidence observed in the website, the Director of the Spanish Agency for Data Protection, dated 02/12/21, agreed to initiate a sanctioning procedure against the claimed entity, by virtue of of the established powers, for failing to comply with the provisions of articles 13 with a sanction of warning and for violation of article 6.1 of the RGPD with sanction of 8,000 euros. FIFTH: Notified the initiation agreement, the claimed entity, no type of allegations to the initiation of file, in the time granted to the effect. PROVEN FACTS 1.- As stated in the claim, the website www.higcliffeestates.com does not complies with the regulations on the processing of personal data. Also, inside of the website, personal images are used without express consent to this or any other cause that legitimizes the processing of personal data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/6 2.- As this Agency has been able to verify, on the website in question, you can collect personal data from users, however, its privacy policy follows referring to the repealed Organic Law 15/1999, of December 13, on Pro- Protection of Personal Data (LOPD). 3.- Regarding the non-consensual treatment of personal data, it has been possible to confirm bar that on the website, through *** URL.1 (…) you can see the photograph of a person and a "Notice to Local Agencies", warning of the alleged actions irregularities of two people belonging to the claimant entity. FOUNDATIONS OF LAW I The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in the art. 47 of LOPDGDD. II Article 64.2.f) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, of October 2, 2015, hereinafter LPA- CAP, provides that: “The initiation agreement must contain at least: (…) f) Indication of the right to make allegations and to a hearing in the procedure and of the deadlines for its exercise, as well as an indication that, in case of not carrying out allegations within the established period on the content of the initiation agreement, it may It shall be considered a resolution proposal when it contains a pronouncement precise about the imputed responsibility. " (the underlining corresponds to the AEPD). In the present case, such requirements have been observed, since in the agreement of at the beginning, the provisions of article 64.2.f) of the LPACAP were specified, the alleged offense committed together with its corresponding classification, is determined The amount of the sanction according to the graduation criteria taken into account account based on the evidence obtained at that date, also reporting on the planned reductions on the amount set by virtue of the provisions of article section 85 of the LPACAP. In consideration of the foregoing and in accordance with the provisions of article 64.2.f) of the LPACAP, the agreement to initiate this file is considered Pro- Resolution, since it contained a precise pronouncement about the imputed liability and, after notification in the manner described in the foregoing in fact fourth, the defendant has not formulated allegations to it within the specified term. assigned for such purposes. III The joint assessment of the documentary evidence in the procedure brings to knowledge of the AEPD, a vision of the denounced action that has been reflected in the facts declared proven above related. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/6 Regarding the "Privacy Policy" of the website, it has been found that it refers to the repealed Organic Law 15/1999, of December 13, on Protec- tion of Personal Data (LOPD). According to article 99 of the RGPD, the entry into force and application of the new RGPD was, "Twenty days after its publication in the Official Journal of the European Union (05/25/16)" and it would be applicable as of May 25, 2018 ”. Therefore, as of 05/25/18, the LO was repealed. 15/1999, (LOPD), applying compulsorily, from that date date, the current RGPD and as of 12/07/18 the new LOPDGDD. The known facts could be constitutive of an infraction, attributable to the claimed, for violation of article 13 of the RGPD, which establishes the information that must be provided to the interested party at the time of collection of their data personal. For its part, article 72.1.h) of the LOPDGDD, considers very serious, for the purposes of prescription, “the omission of the duty to inform the affected party about the treatment of your personal data in accordance with the provisions of articles 13 and 14 of the RGPD " This offense may be punished with a fine of a maximum of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of a higher amount, in accordance with article 83.5.b) of the RGPD. However, Article 58.2) of the RGPD provides that: “Each control authority have all of the following corrective powers listed below: b) sanction any person responsible or in charge of the treatment with warning when the treatment operations have infringed the provisions of this Regulation; (…); i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case ”, therefore, the sanction would be "Warning." IV Regarding the non-consensual treatment of personal data, it has been verified that there is a publication of a photograph of the interested party and their personal data, according to claim, without the express consent of the interested party. The known facts are constitutive of an infraction, attributable to the defendant, for violation of art. 6.1 of the RGPD, when publishing personal data of the claimant without the legitimation necessary for it. For its part, article 72.1.b) of the LOPDGDD, considers very serious, for the purposes of prescription, "Failure to comply with the requirements of article 6 of the RGPD". This offense may be punished with a fine of a maximum of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of a higher amount, in accordance with article 83.5.b) of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/6 In accordance with the indicated precepts, in order to set the amount of the sanction to impose in the present case, the sanction to be imposed should be adjusted in accordance with the following aggravating criteria established in article 83.2 of the RGPD: - The intentionality or negligence in the infringement. In the present case we are before intentional negligent action, (section b). - The way in which the supervisory authority learned of the infringement. The The way in which this AEPD has been made aware has been through the filing of the complaint by the claimant, (section h). The balance of the circumstances contemplated in article 83.2 of the RGPD, with Regarding the offense committed by violating the provisions of its article 6.1, it allows set a penalty of 8,000 euros, (eight thousand euros). In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: IMPOSE the entity HIGHCLIFFE ESTATES MARBELLA, S.L., with CIF .: B93407872, owner of the website: www.higcliffeestates.com, a sanction of "Warning", for the violation of article 13) of the RGPD, and a sanction of 8,000 euros (eight thousand euros), for the violation of article 6.1) of the RGPD. SECOND: NOTIFY this resolution to the entity HIGHCLIFFE ESTATES MARBELLA, S.L., and the claimant on the result of the claim. Warn the sanctioned person that the sanction imposed must be effective once it is executive this resolution, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad- Public Ministries (LPACAP), within the voluntary payment period indicated in article 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, me- when entering the restricted account number ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Agency for Data Protection in Banco CAIXABANK, S.A. or otherwise, it will be collected in the executive period. Received the notification and once executive, if the date of execution is found between the 1st and the 15th of each month, both inclusive, the deadline for making the vo- luntario will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 82 of Law 62/2003, of December 30- of fiscal, administrative and social order measures, this Resolution is will be made public, once it has been notified to the interested parties. The publication is made- It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency Spanish Data Protection Agency on the publication of its Resolutions. Against this resolution, which puts an end to administrative proceedings, and in accordance with established in articles 112 and 123 of the LPACAP, the interested parties may interpose C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/6 ner, optionally, appeal for reconsideration before the Director of the Spanish Agency of Data Protection within a period of one month from the day following the notification fication of this resolution, or, directly administrative contentious appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions set out in article 25 and in section 5 of the fourth additional provision of the Law 29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the or two months from the day following the notification of this act, according to the provisions of article 46.1 of the aforementioned legal text. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do manifests its intention to file a contentious-administrative appeal. Of being In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Re- Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward the documentation to the Agency that certifies the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal trative within two months from the day following notification of this resolution, would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es