AEPD (Spain) - EXP202207084

From GDPRhub
Revision as of 17:34, 24 November 2022 by Patrikmatos (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=00276...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - 00276-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 2(2)(c) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 26.08.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 00276-2022
European Case Law Identifier: AI
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Patrikmatos

AEPD denied a complaint regarding an e-mail sent from a businessman to his ex-wife, with a copy to the counselor of the school where their son studies, informing the existence of a criminal proceeding against her, as it was seen as a private matter.

English Summary

Facts

The defendant sent an e-mail to his ex-wife, with copy to the counselor of the school where their child study, in which he informs the existence of a criminal proceeding against her, awaiting final trial. The ex-wife has made a complaint because, although the defendant sent this e-mail as a director of a company, he received the information about the criminal situation - not related to the company - of his ex-wife as an individual. In response to the complaint, the defendant stated that it was the claimant herself who firstly sent an e-mail to the school’s counselor, which was answered and generated a chain of e-mails. He also stated that this e-mail address is the one he uses for personal purposes, a circumstance widely known by the claimant, once she has always sent him private messages on that e-mail address. The AEPD has denied the complaint because it considered that the mails took place in an exclusively private and domestic context and, in this context, the claimant involved the school generation an email chain.

Holding

According to AEPD, the message sent by the respondent was sent within the framework of his personal and familiar sphere, and not as a company’s director, as the first e-mail in the chain was forwarded by the claimant, who copied the school’s e-mail address on it. It has been considered that the exchange of mail between the former spouses was limited to an exclusively private or domestic activity, which is lawful, based on the 2.2.c de la GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

RESOLUTION OF ACTIONS FILE
Of the actions carried out by the Spanish Data Protection Agency and based on the following: FACTS
FIRST: Ms. A.A.A. (hereinafter, the complaining party) on February 5, 2022 filed a claim with the Spanish Agency for Data Protection. The claim is directed against D. B.B.B. with NIF ***NIF.1 (hereinafter, the claimed party). The reasons on which the claim is based are the following: The claimant states that her ex-husband, from the corporate email address of the company ARXÓN ESTRATEGIA, S.L. (...), on January 10, 2022, he sent an email with a copy to the concierge of the school where the minor son of both is studying, to the address ***EMAIL.1.
Thus, the aforementioned email reports the existence of a criminal proceeding against the claimant, who is awaiting an oral trial. This communication was signed by the "Managing Partner" of the company, with his name and surname. The claimant states that the company is not a party to said process and that "the knowledge it has of the existence of said criminal process is that of its managing partner, as a natural person and not as managing partner or administrator of the
itself". Likewise, it declares that it does not have any type of commercial, labor or business relationship
with said merchant. And, the following relevant documentation is attached: Email dated January 10, 2022 from ***EMAIL.2, containing the company logos and signed by the managing partner (the claimed party), addressed to the claimant and with copy to the counseling office of the SCHOOL ***SCHOOL.1, ***EMAIL.1,
in which the following information is stated: "the only person who behaves unlawfully is you, I remind you not in vain, (...)". SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the claim was forwarded to the claimed party, so that they proceed to analyze it and inform this Agency within a month of the actions carried out to adapt to the requirements established in the data protection regulations. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on March 18 and May 30, 2022 by the claimed party, as stated in the acknowledgment of receipt in the file. On April 18 and June 3, 2022, this Agency received a written response stating: <<It was the claimant herself who sent an email to my client on December 21, 2021 and did so by putting "with a copy" to the
address ***EMAIL.1, email that was answered by my client and a chain of emails was generated in which, at the initiative of the claimant, a copy was introduced to the email address of the SCHOOL ***SCHOOL.1. The email chain is attached as document number ONE. Secondly, and no less important, is the fact that the email account ***EMAIL.2 is the personal account of the appearing party within the domain "***URL.1"
of your property. Circumstance well known to the claimant as she always directs her emails to said account. We attach as an example another email from the claimant dated March 24, 2021 addressed to the appearing party with a copy to ***EMAIL.1, where it is evident that she is Mrs. A.A.A. the one that he introduces in the mail to the College by means of a copy, which corroborates the following: A.- That the claimant knows and
knows perfectly well that the email account ***EMAIL.2 is the personal email account of the appearing party D.B.B.B.. B.- That it is the claimant herself who directs the emails related to the common child to the email account of the appearing party *** EMAIL.2, which shows that it is a personal account of the person appearing, otherwise
Otherwise, the claimant herself would not direct the emails related to the common child to the aforementioned email account. C.- That it is the claimant herself who shares the emails to the email address of the SCHOOL ***COLEGIO.1, ***EMAIL.1, and does so by adding "with a copy" as recipients. D.- That the appearing party only replied to the email of December 21, 2021 in which the claimant had
introduced to the College in copy, reason for which the successive emails continued
including a copy to the College>>. THIRD: On April 26, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant was admitted for processing.
FUNDAMENTALS OF LAW
Yo
 Competition
In accordance with the functions that article 57.1 a), f) and h) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) confers on each control authority and according to the provisions of articles 47 and 48.1 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for the Protection of Data is competent to resolve these investigative actions. Data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, as long as they do not contradict them, with a subsidiary character, by the general rules on administrative procedures.” II Legality of the treatment Article 6 of the GDPR details in its section 1 the cases in which the processing of third-party data is considered lawful: “1. Processing will only be lawful if at least one of the following is fulfilled
conditions: a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at his request of pre-contractual measures;
c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment; d) the processing is necessary to protect the vital interests of the data subject or of another natural person; e) the processing is necessary for the fulfillment of a task carried out in the public interest or in the exercise of public powers vested in the controller;
f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply.
application to processing carried out by public authorities in the exercise of their
functions”. III Regulation (EU) 2016/679, of April 27, 2016, General Data Protection
(GDPR), in its recital 18, indicates that this Regulation does not apply to the processing of personal data by a natural person in the course of an exclusively personal or domestic activity and, therefore, without any connection to a professional activity. or commercial. Personal or domestic activities may include correspondence and keeping a list of addresses, or
activity on social networks and online activity carried out in the context of said activities. However, this Regulation applies to controllers or processors who provide the means to process personal data related to such personal or household activities. Regulation (EU) 2016/679, of April 27, 2016, General Data Protection
(RGPD), establishes its material scope of application in article 2, which provides for its application to the totally or partially automated processing of personal data, as well as to the non-automated processing of personal data contained or intended to be included in a file. As established in section 2 of the same article, it does not apply to the processing of personal data: a) in the exercise of an activity not included in the scope of application of Union Law; b) by the Member States when they carry out activities falling within the scope of application of Chapter 2 of Title V of the TEU;
c) carried out by a natural person in the exercise of exclusively personal or domestic activities;
d) by the competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses, or execution of criminal sanctions, including protection against threats to public safety and its prevention. On the other hand, the Supreme Court in its STS 815/2020, of June 18, indicates that on this matter <<the Court of Justice of the European Union (TJUE) has already ruled in the Judgment of November 6, 2003 (case Lindqvist) and more recently in the Judgment of December 11, 2014, case C-212/2013, in which we are going to stop. In the aforementioned Judgment of December 11, 2014, the CJEU makes the following considerations, for what interests us here: "Directive 95/46 is not limited to providing that its provisions will not apply to the processing of personal data in the exercise of personal or domestic activities, but rather
requires that it be the exercise of “exclusively” personal or domestic activities”>>.
Taking the above into consideration, the Supreme Court concludes: <<there are two legal requirements for the exclusion clause to come into play, that the data processing be done by an individual and that it be done within the framework of an exclusively private activity or domestic>>. In the present case, the facts under analysis refer to the fact that the claimed party used his professional account to send the email to the claimant. It must be taken into account that this message was sent by the claimed party within the framework of his personal and family sphere and not as (...) of the company ARXÓN ESTRATEGIA, S.L.
Therefore, there is no doubt, given the regulation, that there is no evidence that the claimed party processes data of the complaining party outside the scope of domestic relations established between the parties, nor is there evidence of a violation of the data protection regulations that must be evaluated by this Agency. Hence, said relationship is circumscribed within the framework of an exclusively private or domestic activity. In this regard, it should be noted that the right to data protection is independent of the rights granted by Organic Law 1/1982, of May 5, on civil protection of the right to honor, personal and family privacy and one's own image. , which can be exercised by the affected party not before this Agency, but before the competent jurisdictional body. In short, based on what is indicated in the previous paragraphs, no evidence has been found that proves the existence of an infringement in the area of competence of the Spanish Agency for Data Protection. Thus, in accordance with what has been indicated by the Director of the Spanish Agency for Data Protection, IT IS AGREED:
FIRST: PROCEED TO THE ARCHIVE of the present actions. SECOND: NOTIFY this resolution to Ms. A.A.A. and to D.B.B.B.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.