
AEPD (Spain) - EXP202300016

From GDPRhub
AEPD - EXP202300016
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Started: 03.01.2023
Decided: 27.01.2025
Published: 27.01.2025
Fine: 10,000 EUR
Parties: n/a
National Case Number/Name: EXP202300016
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ao

The DPA fined an adult entertainment provider €10,000 for processing a pornographic video because it based the processing on the performance of a contract which the data subject had not been a party to.

English Summary

Facts

On 3 January 2023, the data subject filed a complaint against Kenai Media, the provider of an adult entertainment website, with the Spanish DPA (Agencia Española de Protección de Datos – AEPD).

On 21 June 2012, the data subject had signed a contract with a producer of pornographic videos allowing the producer to distribute the video, including by selling it to other parties. Later, the company Interseleccion entered into a contract with the producer and acquired the rights to the video.

Following the complaint, the AEPD sent an urgent withdrawal order to Kenai Media (the controller) on 4 January 2023. Kenai Media responded by supplying a copy of a contract with Interseleccion SL allowing Kenai Media to process the video. Kenai Media nevertheless complied with the order and deleted the video from its website.

Kenai Media argued that it was entitled to process the data on the basis of the supplied contract, thereby complying with Article 6(1)(b) GDPR. It explained that in the contract, the data subject had handed over processing rights to Interseleccion and had allowed Interseleccion to share the data with third parties.

Holding

The AEPD found that the data subject was not a party to the contract between Interseleccion and the controller. Therefore, the controller, Kenai Media, could not rely on Article 6(1)(b) GDPR for the processing of the video. As no explicit consent to the processing had been given, Article 6(1)(a) GDPR could not apply.

The AEPD ordered the controller to cease processing the data subject’s data immediately on 20 November 2024 under Article 58(2)(d) GDPR.

The AEPD issued a fine of €10,000 for processing data without a legal basis under Article 6(1) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202300016

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: On 03/01/2023, this Agency received a document submitted by A.A.A. (hereinafter, the complaining party), in which it makes a claim against KENAI MEDIA, S.L. with NIF B67684514 (hereinafter, KENAI), for a possible breach of personal data protection regulations.

The reasons on which the claim is based are the following:

“Good morning,
I am writing because a few days ago a friend called me to alert me that I appeared in
a video on an adult content page. After making sure that it was really
me, I discovered that the video appeared on several different pages. I wrote to all of them
requesting the removal of the video and, apparently, they are pending review and cannot be seen on
the pages at the moment, although the links are still there.

This morning my friend called me again because he found the video on the
server, a Spanish page that supposedly links it to the international ones.
In the video (…), (…).
The video can be found by searching for "(…)" on the Internet, but if they change the name it will be
very difficult to find it again because there are millions of videos. (…)

I attach some websites where I found the video, the websites that answered
my messages, the links to the page where I still appear and a screenshot of the
conversation. ***URL.1”

Along with the claim, he provides the following documentation:

- Screenshot of a sequence of the video in question published on the
website ***URL.1. The video description states the following:

“(…)”

- Screenshot of the web portal ***URL.2 in which the phrase “video
is unavaible pending review” appears.

- Screenshot of the web portal ***URL.3 in which the phrase “video
is unavaible pending review” appears.

- Screenshot of the web portal ***URL.4 in which the phrase “This
video has been Flagged for review” appears.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/18

SECOND: On 03/01/2023, this Agency carried out the following
checks:

- In the URL ***URL.5 it appears (unofficial translation from English): “This video has been
flagged for review”.

- The URL ***URL.6 contains (unofficial translation from English): “Video not available pending review”.

- The URL ***URL.7 contains (unofficial translation from English): “Video not available pending review”.

- The URL ***URL.1 contains a sequence of a pornographic video with the following description:

“(…)”.

THIRD: On 01/04/2023, in accordance with article 65 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the claim submitted by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, pursuant to the functions assigned to the control authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, having knowledge of the following:

1) On 01/04/2023, this Agency sent an urgent withdrawal order to the data controller KENAI, regarding the dissemination of the reported video published at the URL ***URL.1. According to the Privacy Policy of the aforementioned website, this legal entity is responsible for the processing of personal data carried out therein.

The date of receipt of this order is recorded as 01/11/2023.

2) On 01/11/2023, this Agency received, with entry registration number ***REFERENCE.1, a response letter from KENAI in which it states:

“We have proceeded to remove the requested scene and clarify that we have all
the relevant authorizations signed by the person making the claim at your disposal.

We are responding in this way because we have not been able to find another way.”

3) On 12/01/2023, this Agency received a new letter from KENAI, with
entry registration number ***REFERENCE.2, in which it provided the following
documentation:

- A document with the name “***DOCUMENT.1” that includes a digital copy
of B.B.B.'s ID and a second page with the following content: “(…)”,
with the signature attached.

- Document with the name “***DOCUMENT.2” that stores a digital copy
of A.A.A.'s ID (complainant) and a text with the following content:
“(…)”, with the signature attached.

- Document with the name “***DOCUMENT.3” with the following content:

  • A contract signed by the parties C.C.C. (***NIF.1) and D.D.D., representing INTERSELECCION SL (hereinafter, INTERSELECCION) agreeing:

    o That C.C.C. is the legitimate owner of all rights to the audiovisual production of pornographic genre provisionally entitled: THE NAME DOES NOT APPEAR.
    o That INTERSELECCIÓN is interested in acquiring all rights to the aforementioned production, exclusively, in perpetuity and for the entire world.
    o That C.C.C. declares that it assumes the responsibilities of any kind that may be incurred by claims from third parties, directly or indirectly related to the ownership of the rights to the aforementioned audiovisual production, for which reason INTERSELECCION declines any responsibility in any eventual litigation that may arise.
    o That C.C.C. assigns to INTERSELECCION all rights to the audiovisual production exclusively, in perpetuity and for the entire world.
    o INTERSELECCION will pay the total purchase price, which amounts to ***AMOUNT.1, and may market the audiovisual production in the manner it deems appropriate, even in installments...
    o The parties formally and definitively waive their own jurisdiction, if any, and submit to the jurisdiction of the Courts and Tribunals of Justice of Barcelona.

  • A digital copy of the DNI of C.C.C. is attached.

  • The following signed rights transfer texts are attached to this document:

    o (…)

- Document with the name “***DOCUMENT.4” and with the following content:

“(…)”

4) On 01/27/2023, the inspection proceedings were incorporated into the diligence carried out by this Agency on 01/13/2023, in which the withdrawal of the content by KENAI in relation to the precautionary measure of 01/04/2023, linked to the content published in ***URL.1.

FIFTH: According to the report collected from the AXESOR tool, the entity
KENAI MEDIA, S.L. is (…).

SIXTH: On 12/19/2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against KENAI, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 6.1 of the GDPR, classified in article 83.5.a) of the GDPR.

This initiation agreement, in accordance with the rules established in the LPACAP, was notified to KENAI on 12/20/2023, as stated in the acknowledgment of receipt that is in the file.

SEVENTH: On 12/27/2023, KENAI submitted, in a timely manner, a written statement of allegations in which it reiterated what it had stated in the framework of the preliminary investigation actions (third point of the “Background” section) and provided the same documentation. In addition, it attached the following documents to the document:

- Doc. “***DOCUMENT.5”. According to KENAI, it corresponds to a “certificate accrediting that the scene initially called “***TITLE.1” is the same as the one later called “(...)” that was acquired by the responded entity”.

- Doc. “***DOCUMENT.6”. Contract signed between C.C.C. and ***COMPANY.1, on 06/26/2012, for the acquisition of the latter of “the audiovisual production of the pornographic genre provisionally titled ***TITLE.1 (handwritten title)”.

EIGHTH: On 11/20/2024, the instructor of the procedure issued a resolution proposal imposing a fine of €10,000 on KENAI, in accordance with the provisions of articles 63 and 64 of the LPACAP, for the violation of article 6.1 of the GDPR, classified in article 83.5 of the GDPR, in which it was indicated that it had a period of ten days to present allegations.

Furthermore, KENAI was ordered, pursuant to article 58.2.d) of the GDPR, to prove on the day following notification of the resolution of the sanctioning procedure that it had adopted the necessary measures to ensure that the image of the complaining party was not subject to processing or dissemination if one of the bases for legitimation of article 6 of the GDPR was not met or, where appropriate, to have suspended the processing of personal data subject to the complaint by removing the content published on ***URL.1.

This proposed resolution, which was notified to KENAI in accordance with the rules established in the LPACAP, was collected on 11/20/2024, as stated in the acknowledgment of receipt in the file.

NINTH: On 11/26/2024, this Agency received, in a timely manner, a letter from KENAI in which it presented objections to the proposed resolution. In these objections, in summary, it stated that:

- KENAI is entitled to publish the video that is the subject of this sanctioning procedure under article 6.1.b) of the GDPR, since the complaining party signed a contract by which it not only transferred its image rights derived from the film “***TITLE.1” to C.C.C., but also authorized it to transfer them to third parties.
- KENAI understands that this may be a civil matter.
- KENAI alleges that the complainant gave consent to the transfer of his/her image rights to the scene in question and, consequently, authorized the processing of his/her personal data.
- KENAI indicates that it has withdrawn the pornographic scene entitled (...), following the request of this Agency.
- KENAI considers that, in accordance with the provisions of the GDPR, the maximum penalty to be imposed would amount to ***AMOUNT.2, since its turnover in the 2022 financial year was ***AMOUNT.3. A certificate proving its registration is attached.

KENAI provides the following document:

• Doc. “Deposit accounts 2022”. Its content includes, among others, the following information:

BARCELONA COMMERCIAL REGISTRY.
ENTRY NO: 99/154963 DATE: 07/31/2023 JOURNAL: 1278 ENTRY: 2988
KENAI MEDIA S.L. NIF B67684514
Registration data: Has filed the Own annual accounts corresponding
to the fiscal year ended 12/31/2022 with file number 43126339

Volume 48034 Folio 98 Sheet number B-570161

In view of all the actions taken, the following facts are considered proven by the Spanish Data Protection Agency
in the present procedure:

PROVEN FACTS

FIRST: On 01/03/2023, the pornographic video subject to complaint was available at the following electronic address: ***URL.1. The description was as follows:

“(…)”.

SECOND: Following the agreement to adopt a provisional withdrawal measure, dated 04/01/2023, issued to KENAI, on 13/01/2023, the video in question had been removed from the electronic address indicated above.

THIRD: On 12/01/2023, KENAI submitted a letter to this Agency in which
it provided the following documentation:

- Document “***DOCUMENT.1”. It includes a scan of B.B.B.'s ID and a second page with the following content: “(…)”, with the handwritten signature attached.

- Document “***DOCUMENT.2”. It includes a scan of A.A.A.'s ID (complainant) and a text with the following content: “(…)”, with the handwritten signature attached.

- Document “***DOCUMENT.3” with the following content:

  • A contract, dated 26/06/2012 and handwritten signatures, entered into between C.C.C. (***NIF.1) and D.D.D., representing INTERSELECCION agreeing:

    o That C.C.C. is the legitimate owner of all rights to the audiovisual production of the pornographic genre provisionally titled: (blank).
    o That INTERSELECCIÓN is interested in acquiring all rights to the aforementioned production, exclusively, in perpetuity and for the entire world.
    o That C.C.C. declares that it assumes the responsibilities of any kind that may be incurred by claims from third parties, directly or indirectly related to the ownership of the rights to the aforementioned audiovisual production, for which reason INTERSELECCION declines any responsibility in any eventual disputes that may arise.
    o That C.C.C. assigns to INTERSELECCION all rights to the audiovisual production exclusively, in perpetuity and for the entire world.
    o That INTERSELECCION will pay the total purchase price, which amounts to ***AMOUNT.1, and may market the audiovisual production in the manner it deems appropriate, even in installments (…).
    o The parties formally and definitively waive their own jurisdiction, if any, and submit to the competence and jurisdiction of the Courts and Tribunals of Justice of Barcelona.

  • A digital copy of the ID of C.C.C. is attached.

  • The following texts of transfer of rights are attached to this document, dated 06/21/2012 and signed manually:

    o (…)

- Document “***DOCUMENT.4”, dated 09/22/2022 and with handwritten signatures, with the following content:

  • “(…)”

FOURTH: On 12/27/2023, in the written allegations to the agreement to start the
present sanctioning procedure, KENAI provides:

- Doc. “***DOCUMENT.5”. According to KENAI, it corresponds to a “certificate proving that the scene initially called “***TITLE.1” is the same as the one later called “(...)” that was acquired by the entity claimed”.

- Doc. “***DOCUMENT.6”. Contract signed between C.C.C. and ***COMPANY.1, on 26/06/2012, for the acquisition by the latter of “the audiovisual production of pornographic genre provisionally titled ***TITLE.1 (handwritten title)”.

LEGAL BASIS

I

Competence and applicable regulations

In accordance with the powers that article 58.2 GDPR grants to each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
Preliminary questions

Article 4 “Definitions” of the GDPR defines the following terms for the purposes of the
Regulation:

“1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

11) ‘consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she gives his or her consent, whether by a clear affirmative action or statement, to the processing of personal data concerning him/her.”

In the present case, pursuant to Article 4.1 of the GDPR, the physical image of a person is personal data. Thus, the publication of a video with adult content in which the naked face and body of the complaining party can be seen constitutes
the processing of personal data, since it allows his/her identification or makes him/her identifiable.

KENAI carries out this activity in its capacity as data controller, since it is the one who determines the purposes and means of such activity, pursuant to article 4.7 of the GDPR. The Privacy Policy of the ***URL.8 portal contains its contact details as the controller of the personal data that is processed therein.

III
Allegations adduced

In relation to the allegations adduced to the proposed resolution of this
sanctioning procedure, the following are answered in the order set out by KENAI:

KENAI alleges that it was entitled to publish the video that is the subject of this sanctioning procedure pursuant to article 6.1.b) of the GDPR, insofar as, since there was a transfer of contract, it was not necessary for the complaining party to sign the contract for the transfer of rights that KENAI signed with INTERSELECCIÓN. The complainant had already signed a contract under which he not only transferred his image rights from the film “***TITLE.1” to C.C.C., but also authorized it to transfer them to third parties. Thus, C.C.C. entered into a contract with INTERSELECCIÓN and this entity subsequently entered into a contract with KENAI.

However, it adds that “The substance of this procedure is a civil matter rather than a matter relating to data protection regulations; if the transfer of a contract agreed between the parties is possible from a civil point of view, it is clear that my representative has not committed any infringement in the processing of the data of the complainant; if such transfer is not possible, my client has committed an infringement by processing data obtained illegally.”

In this regard, this Agency wishes to point out that it does not fall within its scope of competence to determine the validity of a contract, but rather to analyze whether or not there is a legitimizing basis that supports the processing of personal data carried out, in the present case, by KENAI.

Given the above, it must be noted that the document provided by KENAI in which INTERSELECCIÓN would certify that the content of the pornographic scene entitled “***TITLE.1” is the same as that of “(...)”, does not prove that the statement made by the latter corresponds to reality. And, furthermore, even if it were, this Agency reiterates that for the assumption provided for in article 6.1.b) of the GDPR to occur, it is necessary that the interested party, whose personal data are the object of processing, is a party to the contract. In the present case, it has not been proven that the complainant is a party to the contract signed between INTERSELECCIÓN and KENAI in 2022 or, at least, that (...) has signed a contract with KENAI.

The Agency does not assess the validity of the contract carried out between INTERSELECCIÓN and KENAI; it only analyses whether the processing of the image of (...) carried out by KENAI can be covered by any basis of legitimacy of article 6.1 of the GDPR, since it cannot be forgotten that the image of a natural person is personal data and that the protection provided by the fundamental right to data protection extends to all personal data of a natural person, whether known to third parties or not.

In the present case, the complainant would have transferred the image rights in the film entitled “***TITLE.1” in favour of C.C.C. who would have also authorized to sell them to third parties, which C.C.C. did in favor of INTERSELECCIÓN. However, INTERSELECCIÓN transferred the image rights of the complainant to KENAI, without the complainant being a party to such a contract and without having authorized INTERSELECCIÓN to carry out such a sale. Therefore, the processing carried out by KENAI in this case cannot be based on the cause of legitimacy provided for in Article 6.1.b) of the GDPR, since it expressly requires that the processing be necessary for the execution of a contract to which the interested party is a party, which is not the case in this case.

KENAI considers that, in view of the document signed by the complainant in
2012, there is no doubt that (...) he gave his consent to the transfer of his image rights
of the scene in question. And, therefore, consent to the transfer of their
image rights entails authorization to the processing of their personal data.

In this regard, this Agency reiterates that the processing carried out by KENAI is not covered by the consent of (...), since the declaration that is provided signed (...) does not meet the requirements set out in article 4.11 of the GDPR for consent to be valid.

Finally, KENAI points out that it has removed the pornographic scene entitled (...), following the request of this Agency. It adds that, “Article 83.2 of the GDPR establishes that in the case of infringements derived from art. 6 of the GDPR, in the case of a company, the amount of the penalty will amount to a maximum of 4% of the turnover of the annual turnover of the previous year” and, therefore, given that its turnover in the year 2022 was ***AMOUNT.3, the maximum penalty to be imposed would amount to ***AMOUNT.2. A certificate proving its registration is attached.

In this regard, this Agency wishes to point out that the section of article 83 of the GDPR that is applicable in the present case is the fifth, not the second. That said, it should be noted that KENAI, in the extract from article 83 of the GDPR, omits a very relevant fact, and that is that, when the offending party is a company, the amount of the administrative fine cannot exceed €20,000,000 or the amount equivalent to 4% as a maximum of the total global annual turnover of the previous financial year, and the higher amount must be chosen. Therefore, the administrative fine of €10,000 that was proposed to be imposed on KENAI is within the legal limits, since the maximum to be taken into account in this case is €20 million, as it is higher than the amount resulting from applying 4% to KENAI's turnover in the 2022 financial year.

For the reasons set forth above, these allegations are rejected.

IV
Lawfulness of processing personal data

The principles that must govern the processing are listed in article
5 of the GDPR. In this regard, section 1 letter a), states that: “Personal data
shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to the interested party
(lawfulness, fairness and transparency);

(…)”

The assumptions that allow the processing of personal data to be considered lawful are
listed in article 6.1 of the GDPR:

“1. Processing will only be lawful if at least one of the following conditions is met:

a) the interested party has given his consent to the processing of his personal data for one or more specific purposes;

b) processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the latter of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation to which the controller is subject;

d) the processing is necessary to protect the vital interests of the data subject or of another natural person;

e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The provisions of point (f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions.”

Likewise, Recital 40 of the aforementioned GDPR provides that “In order for the processing to be lawful, personal data must be processed with the consent of the data subject or on another legitimate basis established in accordance with law, either in this Regulation or by virtue of another Union or Member State law to which this Regulation refers, including the need to comply with the legal obligation applicable to the controller or the need to execute a contract with which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.”

In the present case, as indicated in the proven facts, on 21/06/2012 the complainant signed a declaration by which he transferred his image rights in the film “***TITLE.1” to the producer C.C.C. and authorized him to sell them to third parties. Subsequently, the entity INTERSELECCIÓN signed a contract with
this producer through which it acquired all the rights to the audiovisual production of the pornographic genre entitled “***TITLE.1”.

On 09/22/2022, KENAI acquired from INTERSELECCION the rights to exploit the pornographic scene “(...)” included in the film entitled “(...)”. The video in question was published on ***URL.8, specifically, on the URL ***URL.1, under the title “(...)”, and with the following description: “(...)”. In the screenshot of the video provided by the complainant, the naked face and body of the complainant can be clearly seen while having sexual relations (...).

Although it is true that KENAI submitted, together with the written allegations to the start agreement, a document in which INTERSELECCIÓN claims that the content of the pornographic scenes cited above is the same, the existence of any of the legitimizing bases of article 6 of the GDPR that
support the processing of the image of the complainant by KENAI has not been proven.

It is the respondent party that must prove that the processing of personal data it carries out is lawful. KENAI cannot base the processing of the image of (...) on the existence of the consent of (...). In order for consent to be considered validly given, the elements set out in article 4.11 of the GDPR must be present, that is, that consent consists of a manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data concerning him or her.

As the National Court clarifies in its judgment of 14 February 2023, rec. 463/2020, “data protection regulations currently exclude tacit consent and require that it be explicit. The Court therefore considers that only express consent will be valid, which must be given through a clear affirmative act that shows a declaration of free, specific, informed and unequivocal will of the owner of the personal data, in the sense that there is not the slightest doubt that there has been a manifest will on the part of said affected party”. (emphasis added).

In this case, the claimant would have signed a document with the following content: “I SAY, (…). In Madrid on 21/06/2012”.

However, this declaration does not comply with the requirements that a valid consent must meet.

Recital 42 of the GDPR indicates that “(…) in the context of a written declaration made on another matter, there must be guarantees that the interested party is aware of the fact that he gives his consent and the extent to which he does so. (…)”. Guarantees that cannot be said to exist in this case, since (...) is not even informed that the transfer of image rights implies consent for the processing of his personal data, so (...) was not aware that he was giving his consent for the processing of his personal data.

In particular, consent must be specific and the interested party must have given his consent for one or more specific purposes so that the processing of the data can be based on article 6.1.a) of the GDPR.

As stated by the European Data Protection Board (hereinafter EDPB) in the “Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679”, version 1.1, “The requirement that consent must be “specific” is intended to ensure a level of control and transparency for the interested party”. Thus, it considers that in order to comply with the “specific” character, the controller must apply:

i. the specification of the purpose as a guarantee against misuse,
ii. the dissociation in the requests for consent, and
iii. a clear separation between the information related to obtaining consent for data processing activities and the information related to other issues. (paragraph 55)

In relation to these requirements, the EDPB states that:

“56. Ad. i): In accordance with article 5, section 1, letter b), of the GDPR, the obtaining of valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the intended processing activity. The need for specific consent in combination with the notion of purpose limitation in Article 5(1)(b) acts as a safeguard against the gradual broadening or blurring of the purposes for which data processing is carried out once a data subject has given consent to the initial collection of data. This phenomenon, also known as use drift, poses a risk for data subjects as it may lead to unintended use of personal data by the controller or third parties and to loss of control by the data subject.

57. If the controller relies on Article 6(1)(a), data subjects must always give their consent for a specific purpose for the
processing of data. In line with the concept of purpose limitation,
with Article 5(1)(b) and with the recital, consent may cover different operations, provided that those operations have the same purpose.
It goes without saying that specific consent can only be obtained when data subjects are
expressly informed about the intended purposes for which the data concerning them will be used.

58. Without prejudice to provisions on compatibility of purposes, consent must be specific to each purpose. Data subjects give their
consent on the understanding that they have control over their data and that it will only be
processed for those specific purposes. If a controller processes data on the basis of consent and, in addition, wishes to process the data for another purpose, it must obtain consent for that other purpose, unless there is another legal basis that better reflects the situation.

(…)

60. Ad. ii): Consent mechanisms must not only be separate in order to comply with the requirement for "free" consent, but must also comply with the requirement for "specific" consent. This means that a controller seeking consent for several different purposes must provide
opt-in options for each purpose, so that users can give specific
consent for specific purposes.

61. Ad. iii): Finally, controllers must provide, with each separate request for consent, specific information about the data to be
processed for each purpose, so that data subjects are aware of the impact of the
different options available to them. In this way, data subjects are allowed to give
specific consent. This issue overlaps with the requirement for controllers to provide clear
information, as set out above in section 3.3.”

It is clear, in this case, that no specific consent was obtained from (...) authorizing the processing of their data. (...) was not provided with information about the specific, explicit and legitimate purpose for which the personal data were to be processed, so that he or she was aware of the specific use to which his or her personal data would be put, in order to avoid unwanted uses.

Nor was informed consent obtained from (...), since for consent to be informed, the interested party must know at least the identity
of the data controller and the purposes of the processing for which the personal data are
intended (recital 42 GDPR).

The EDPB explains in the Guidelines that “the requirement of transparency is one of the fundamental principles, closely related to the principles of loyalty and lawfulness. Providing information to data subjects before obtaining their consent is essential to enable them to make informed decisions, understand what they are authorising and, for example, exercise their right to withdraw consent. If the controller does not provide accessible information, user control will be illusory and consent will not constitute a valid basis for data processing” (paragraph 62).

And in this case, that information was missing. The document provided by KENAI does not contain any information related to the processing of personal data. Therefore, (...) was not provided with any information about the use of their personal data, nor about the purposes, nor about the assignees, nor about the use that such assignees were going to make of their data, nor about how to exercise their rights. The complaining party was not even informed of their right to withdraw consent.

Article 7(3) of the GDPR states that the controller
must ensure that the data subject can withdraw consent at any
time and that it will be as easy to withdraw consent as it was to give consent.

The EDPB on this issue interprets that “the controller must inform the data subject of the right to withdraw consent before that consent is given. Also, as part of the transparency obligation, the controller must inform data subjects about how to exercise their rights” and adds that “the requirement that withdrawal of consent be simple is described in the GDPR as a necessary aspect for valid consent. If the right of withdrawal does not meet the requirements of the GDPR, then the controller's mechanism does not comply with the GDPR.”

In short, the respondent party has not obtained the consent of (...) in accordance with the GDPR.

Finally, it must be reiterated that the processing of the complainant's data cannot be based on the legitimacy basis of article 6.1.b) of the GDPR, since for this to happen it is necessary that the interested party, whose personal data are subject to processing, is a party to the contract. And in this case, as indicated, it would be a contract concluded without the intervention of the claimant party, which also causes harm to his rights and freedoms.

Therefore, in accordance with the evidence available at this time of the resolution of the sanctioning procedure, it is considered that the known facts constitute an infringement, attributable to KENAI, for violation of article 6.1 of the GDPR.

V
Classification and qualification of the infringement of article 6.1 of the GDPR

The aforementioned infringement of article 6.1 of the GDPR involves the commission of the infringement classified in article 83.5 of the GDPR which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent pursuant to articles 5, 6, 7 and 9; (…)”

For the purposes of the limitation period, article 72.1 “Infringements considered very serious” of the LOPDGDD indicates:

“1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations:

(…)

b) The processing of personal data without any of the conditions for the lawfulness of the processing established in article 6 of Regulation (EU) 2016/679; (…)”

VI

Penalty for infringement of article 6.1 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the resolution of the sanctioning procedure, it is considered that it is appropriate to graduate the penalty to be imposed in accordance with the following criteria established in article 83.2 of the GDPR:

The following circumstances are taken into account:

- The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the level of damages suffered; KENAI publicly disseminated a video of sexual content showing the face and body of the complainant, without his consent, allowing his identification (article 83.2.a) of the GDPR).

- The type of data processed, the image of the complainant in a video of sexual content (article 83.2.g) of the GDPR).

- The link between the offender's activity and the processing of personal data; KENAI is an entity whose activity involves the continuous processing of personal data, such as the image (article 76.2.b) of the LOPDGDD).

The balance of the circumstances contemplated allows a fine of €10,000.00 (ten thousand euros) to be set for the infringement of article 6.1 of the GDPR.

VII
Adoption of measures

In accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”, KENAI is required to prove, on the day following the notification of the resolution of the sanctioning procedure:

- Having adopted the necessary measures so that the image of the
complainant is not subject to processing or dissemination if one of the
legitimacy bases of article 6 of the GDPR is not met or, where appropriate, having
suspended the processing of personal data subject to the complaint through
the withdrawal of the content published on ***URL.1.

The imposition of this measure is compatible with the sanction consisting of an administrative
fine, as provided for in art. 83.2 of the GDPR.

Please note that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered as an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its articles 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the applicable legislation and having assessed the
criteria for grading sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on KENAI MEDIA, S.L., with NIF B67684514, for an infringement of article 6.1 of the GDPR, classified in article 83.5.a) of the GDPR, a fine of €10,000.00 (ten thousand euros).

SECOND: ORDER KENAI MEDIA, S.L., with NIF B67684514, pursuant to
article 58.2.d) of the GDPR, within the day following notification of the
resolution of the sanctioning procedure, to prove:

- Having adopted the necessary measures so that the image of the
complaining party is not subject to processing or dissemination if one of the
bases of legitimacy of article 6 of the GDPR is not met or, where appropriate, having
suspended the processing of personal data subject to the complaint through
the withdrawal of the content published on ***URL.1.

THIRD: NOTIFY this resolution to KENAI MEDIA, S.L.

FOURTH: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this faculty.
The sanctioned party is warned that he must pay the imposed sanction once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and has become enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the referenced Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final decision in administrative proceedings may be suspended as a precautionary measure if the interested party expresses his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the precautionary suspension.

938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency
