AEPD (Spain) - PS/00143/2020
AEPD - PS/00143/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 19(3) Law on Horizontal Properties Article 9(1)(h) Law on Horizontal Properties |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 21.10.2020 |
Published: | 23.10.2020 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | PS/00143/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) held that posting the name and outstanding debt of the claimant on a public notice board was in violation of Article 5(1)(f) GDPR.
English Summary
Facts
The claimant's personal data was written on a notification document posted on a public notice board. The notification document was posted by the defendant (the neighbourhood community) as a call for the claimant to attend a General Assembly meeting. The notification document included the claimant's name and an outstanding debt of €286,81 in his name.
The defendant claimed that notifying via the public notice board was standard practice since 2014 as well as notifying through a more direct means of communication (such as ordinary mail or 'burofax'). The defendant claimed that it had not notified the defendant via a more direct means of communication as this notification would not have arrived on time.
Dispute
Is posting a data subject's name and outstanding debt on a public notice board in breach of Article 5(1)(f) GDPR?
Holding
The Spanish DPA held that the defendant cannot rely on the argument that the notification would arrive too late using burofax. The defendant could just send the notification earlier.
The DPA nonetheless outlined that notification via notification on the public notice board was authorised by virtue of Article 9(1)(h) of the Law on Horizontal Properties ("Ley de Propiedad Horizontal"). However, it also held that publishing the claimant's personal data on a public notice board was in breach of Article 5(1)(f) GDPR ("integrity and confidentiality").
Therefore, the Spanish DPA held that there was an infringement of the GDPR. It imposed a warning sanction on the neighbourhood community.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 1/6 Procedure No.: PS / 00143/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following BACKGROUND FIRST: AAA (hereinafter, the claimant) on April 12, 2019 filed claim before the Spanish Agency for Data Protection. The claim is directed against COMMUNITY OF OWNERS RRR with NIF *** NIF.1 (hereinafter, the claimed). The reasons on which the claim is based are that the administrator, BBB , mailed to all owners the annual meeting call and at the same time exposed in the community notice board, the main sheet of the call with data relating to outstanding debts, which were to be discussed in the aforementioned meeting. And, among others, attach the following documentation: Copy of the minutes of the ordinary meeting of 03/21/2019 where it appears: o In the "Settlement pending debt" section, the complainant with an amount of € 286.81. o That the complainant is informed that the placement of the call on the notice board has been the only way to carry out the reliable notification. Photograph of the call to the Ordinary General Meeting session to be held on March 21, 2019 from the COMMUNITY OF OWNERS RRR, located on a bulletin board. In said call it appears, within the section of the debt, the name and surname of the complainant along with the amount of € 286.81. SECOND: On May 9, 2019, the complaint was transferred to COMMUNITY OF OWNERS RRR , in the actions with reference E / 04557/2019. The notification is made electronically through notific @. According to this notification system, the automatic rejection has occurred when ten calendar days have elapsed since it was made available and not proceed to its reading. THIRD: On June 5, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged violation of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 2 2/6 FOURTH: On August 29, 2020, a resolution proposal was formulated, proposing that it be imposed on the COMMUNITY OF OWNERS RRR , with NIF *** NIF. 1 , for an infringement of article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD, a warning sanction. In view of all the actions, by the Spanish Protection Agency of Data in this procedure the following are considered proven facts, ACTS FIRST: Publication on the notice board of the claimed community, the debt of the claimant together with his name and surname. SECOND: The claimed neighborhood community states that since 2014 communications are made through mailboxes, postal mail, email and notice board for three days. The document in which the claimant's data works is the call for the Meeting of the Ordinary General Meeting on March 21, 2019. The summons to said neighbors meeting was held between March 12 and 13, 2019, so the bulletin board was chosen as a means of communication for ensure that all summoned attended. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to resolve this procedure. II Article 6.1 of the RGPD establishes the assumptions that allow considering lawful processing of personal data. For its part, article 5 of the RGPD establishes that personal data will be: "A) treated in a lawful, loyal and transparent manner in relation to the interested party ("Lawfulness, fairness and transparency"); b) collected for specific, explicit and legitimate purposes, and will not be processed subsequently in a manner incompatible with said purposes; in accordance with article 89, section 1, the further processing of personal data for archiving purposes in public interest, scientific and historical research purposes or statistical purposes are not deemed incompatible with the original purposes ("purpose limitation"); C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 3 3/6 c) adequate, relevant and limited to what is necessary in relation to the purposes for those who are processed ("data minimization"); d) accurate and, if necessary, updated; all measures will be taken reasonable so that the personal data that are inaccurate with respect to the purposes for which they are processed ("accuracy"); e) maintained in a way that allows the identification of the interested parties for no longer than is necessary for the purposes of data processing personal; personal data may be kept for longer periods provided that they are treated exclusively for archival purposes in the public interest, scientific or historical research or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of technical and organizational measures appropriate measures imposed by this Regulation in order to protect the rights and freedoms of the interested party ("limitation of the conservation period"); f) treated in such a way as to guarantee adequate security for the personal data, including protection against unauthorized or illegal processing and against their loss, destruction or accidental damage, by applying measures appropriate technical or organizational ("integrity and confidentiality"). The person responsible for the treatment will be responsible for compliance with the provided for in section 1 and capable of demonstrating it ("proactive responsibility"). " III In the present case, it has been verified that in the convocation of the Ordinary General Meeting to be held on March 21, 2019 of the COMMUNITY OF OWNERS RRR, located on a notice board, consists, within the section of the debt, the name and surname of the claimant together with the amount of € 286.81. The claimed neighborhood community states that since 2014 the distribution of the call is made by mailing to the owners residents in the property, sending by ordinary mail to non-resident owners in Calanda 19, by email to all the owners who so requested and by placing it on the bulletin board surface for three days. In addition, notifications that require it are sent through burofax with delivery notification and content certificate. However, the claimant He usually claims that he does not receive the notifications that the rest of the neighbors do receive with ordinary character. The defendant justifies his action by noting that as the call for the Meeting of the Ordinary General Meeting of March 21, 2019 was held between March 12 and 13, 2019, and the maximum period to collect a burofax is 30 days and this owner always usually runs out of time, the probability that it was not notified in time said call, was very high. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 4 4/6 This argument is not in accordance with the law, since, if the claimed decides to notify by burofax, the denounced facts would be solved, simply issuing said communication with enough time for the claimant receives it. Also note that as a means of personal and individualized notification to the owner, the Horizontal Property Law, indicates the assumptions in which the exposure of personal data related to matters derived from the management of the Community of Owners. Its article 9. h) indicates as an obligation of the owner “Communicate to whoever exercises the functions of secretary of the community, any means that allows proof of receipt, the address in Spain for the purposes of citations and notifications of all kinds related to the community. In the absence of this communication, the address will be for citations and notifications of the apartment or premises belonging to the community, having full effect those delivered to the occupant thereof. If you attempted a subpoena or notification it was impossible for the owner to practice it in the place provided in the previous paragraph, It will be understood as carried out by placing the corresponding communication in the community bulletin board, or in a visible place of general use enabled by effect, with expressive diligence of the date and reasons why this notification form, signed by whoever exercises the functions of Secretary of the community, with the approval of the President. The notification practiced in this way it will produce full legal effects within a period of three calendar days ”. Article 19.3 of the LPH, second paragraph, indicates: " The minutes of the meetings are will forward to the owners in accordance with the procedure established in article 9. " According to the available evidence, it is considered proven the public exposure of a document on the notice board of the aforementioned community, showing the claimant's personal data, and therefore it is understood that the claimed entity has violated article 5.1 f) of the RGPD, which governs the principles integrity and confidentiality of personal data, as well as responsibility proactive of the person in charge of the treatment to demonstrate its fulfillment ”. IV Article 72.1.a) of the LOPDGDD states that “ depending on what is established Article 83.5 of Regulation (EU) 2016/679 are considered very serious and The infractions that suppose a substantial violation will prescribe after three years of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679 V Article 58.2 of the RGPD provides the following: “Each control authority will have all of the following corrective powers listed below: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 5 5/6 b) sanction any person responsible or in charge of the treatment with warning when the processing operations have violated the provisions of these Regulations; d) order the person in charge of the treatment that the operations of treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time; i) impose an administrative fine in accordance with article 83, in addition or in place of the measures mentioned in this section, depending on the circumstances of each particular case; The art. 83.5 of the RGPD establishes that the infractions that affect: “A) the basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9; b) the rights of the interested parties in accordance with articles 12 to 22. " SAW On the other hand, article 83.7 of the RGPD provides that, without prejudice to the corrective powers of the control authorities pursuant to art. 58, paragraph 2, Each Member State may lay down rules on whether and to what extent it is possible to impose administrative fines on authorities and public bodies established in that Member State. In view of the above, the following is issued Therefore, in accordance with the applicable legislation and the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE the COMMUNITY OF OWNERS RRR , with NIF *** NIF.1 , for an infraction of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a warning sanction. SECOND: REQUIRE the claimed party to accredit within one month before this body the compliance that proceeds to the adoption of all the measures necessary for the respondent to act in accordance with the principles of "Integrity and confidentiality" of art. 5.1 f) of the RGPD. THIRD: NOTIFY this resolution to the COMMUNITY OF OWNERS RRR . In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 6 6/6 Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of month from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be suspended in an administrative way If the interested party expresses his intention to file a contentious appeal- administrative. If this is the case, the interested party must formally communicate this made by writing to the Spanish Agency for Data Protection, Presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too must forward to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day after the notification of this resolution, I would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es