AEPD (Spain) - EXP202105344
AEPD - PS-00134-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 23.10.2021 |
Decided: | 31.08.2022 |
Published: | |
Fine: | 10,000 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00134-2022 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Carmen Jurado Taboada |
The Spanish DPA fined a private subject €10,000 for violating Article 6(1) GDPR by unlawfully publishing in their blog personal data of the data subject for defamatory purposes.
English Summary
Facts
A person publishes in their blog personal data about the data subject, who is a minor, with defamatory purposes. There are several posts with the data subject’s name, personal photos, and videos where neither was informed about being recorded nor gave their consent about the processing of their data.
The data subject requested to voluntarily withdraw the publications without success. A second try by the first instance jury was rejected and returned. Also, any allegations were made by the controller.
Holding
The Spanish DPA held that the processing of personal data without consent, nor any other legitimate reason, constitutes an infraction under Article 6(1) GDPR which establishes the cases in which the processing of personal data may be considered lawful.
The fine amounted to €10,000 after considering the defamatory purposes and the level of damage suffered by the data subject.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 File No.: EXP202105344 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated October 23, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against B.B.B. with NIF ***NIF.1 (hereinafter, the part claimed). The grounds on which the claim is based are as follows: The claimed party has been publishing a blog for some time under the pseudonym ***PSEUDONYM.1, which is titled “***BLOG.1” (***URL.1 in which he makes assertions such as that the complaining party is (...). There are many publications in which it is tacitly and even expressly mentioned by name to the complainant, also publishing images of himself. Below, the complainant highlights those that he considers most relevant: - The one published on May 24, 2021, updated on October 5: ***URL.2 In it, he publishes a video, without the consent of the claimant, that was made in the year 2011 or 2012, being a minor (there was not yet (...)) and, in addition, it was without him knowing he was being recorded. As you can see, to that video He titles it “***VIDEO.1”, and then says “(…)”. - ***URL.3 - ***URL.4 - ***URL.5 - ***URL.6 - ***URL.7 - ***URL.8 - ***URL.9 - ***URL.10 Likewise, it affirms that it has asked the respondent party to voluntarily withdraw the unsuccessful postings. Along with the notification, a copy of the order issued by the Court of First Instance and Instruction No. 1 of ***LOCATION.1 in the preliminary proceedings ***PROCEEDINGS.1 in which it is agreed to order and require the claimed party to that, while said procedure is in progress, refrain from making new C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/7 publications related to the accused, as well as to remove from his blog the existing publications. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was not collected by the person in charge; but it turned out returned by "unknown". No response has been received to this transfer letter. THIRD: On January 23, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing. FOURTH: On April 4, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of Article 6.1 of the RGPD, typified in Article 83.5 of the GDPR. FIFTH: Notification of the aforementioned start-up agreement in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP) and after the term granted for the formulation of allegations, it has been verified that no allegation has been received any by the claimed party. Article 64.2.f) of the LPACAP - provision of which the respondent was informed in the agreement to open the procedure - establishes that if no allegations within the stipulated period on the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, may be considered a resolution proposal. In the present case, the agreement beginning of the sanctioning file determined the facts in which the imputation, the infraction of the RGPD attributed to the claimed and the sanction that could prevail. Therefore, taking into consideration that the respondent has not formulated allegations to the agreement to initiate the file and in attention to what established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is considered in this case proposed resolution. In view of everything that has been done, by the Spanish Data Protection Agency In this proceeding, the following are considered proven facts: PROVEN FACTS C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/7 FIRST AND ONLY: The respondent has been making publications in the that uses personal data of the complaining party for defamatory purposes and without no cause that legitimizes its treatment. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and according to the provisions of articles 47 and 48.1 of the LOPDGDD, The Director of the Agency is competent to initiate and resolve this procedure. Spanish Data Protection. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II The physical image of a person, in accordance with article 4.1 of the RGPD, is a personal data. nal and its protection, therefore, is the subject of said regulation. In article 4.2 of the GDPR defines the concept of "treatment" of personal data. It is, therefore, pertinent to analyze whether the processing of personal data carried out through the reported publications is in accordance with the provisions of the RGPD. In the first place and referring to the publications indicated in the background by of the claimed, article 6.1 of the RGPD, establishes the assumptions that allow consider the processing of personal data lawful: "1. The treatment will only be lawful if it meets at least one of the following conditions: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller; d) the treatment is necessary to protect the vital interests of the interested party or another Physical person. e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers vested in the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person in charge of the treatment or by a third party, provided that on said interests do not override the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested is a child. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/7 The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions. On this issue of the legality of the treatment, Recital 40 also affects of the aforementioned RGPD, when it states that “In order for the treatment to be lawful, the personal data must be processed with the consent of the interested party or any other legitimate basis established in accordance with Law, either in the present Regulation or by virtue of another Law of the Union or of the Member States to which referred to in this Regulation, including the need to comply with the legal obligation applicable to the data controller or the need to perform a contract with which the interested party is a party or in order to take measures at the request of the concerned prior to the conclusion of a contract. In relation to the above, it is considered that there is evidence that the treatment of data of the people who appear in the publications object of this claim has been made without legitimizing cause of those included in article 6 of the GDPR. The GDPR applies to personal data. Said regulation defines as «data personal” means any information about an identified or identifiable natural person (“the interested"); An identifiable natural person shall be deemed to be any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, a online identifier or one or more elements of physical identity, physiological, genetic, psychic, economic, cultural or social of said person. III In accordance with the available evidence, it is considered that the party claimed has committed an infringement of the regulations applicable to the protection of personal data by publishing various entries on your blog in which data is collected of the claimed (image, name and surnames) without their consent, or any other legitimizing cause of data processing personal. The known facts constitute an infraction, attributable to the claimed party, for violation of article 6.1 of the RGPD. Said infringement is typified in article 83.5 of the RGPD, which provides the following: "Infractions of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9.” For the purposes of the limitation period of the infraction, the infraction indicated in paragraph above is considered very serious and prescribes after three years, in accordance with article 72.1 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/7 of the LOPDGDD, which establishes that: "Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: b) The processing of personal data without the concurrence of any of the license conditions treatment established in article 6 of Regulation (EU) 2016/679.» IV In order to determine the amount of the administrative fine to be imposed, the the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate: “Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.” “Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/7 Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures”, provides: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of treatment of personal information. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection delegate. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.” In the present case, it is considered appropriate to graduate the sanction to be imposed from in accordance with the following criteria established in article 83.2 of the RGPD: a) The nature and seriousness of the infraction, taking into account the purpose of the treatment operation in question, as well as the level of damage and damages they have suffered, when trying to identify the defendant with behaviors reprehensible or even illegal; b) the intentionality in the infraction, which expressly intends to discredit the reclaimed; Considering the exposed factors, the fine for the imputed infraction is 10,000 € (TEN THOUSAND EUROS). Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for an infraction of article 6.1 of the RGPD, typified in article 83.5 of the RGPD, a fine of €10,000 (TEN THOUSAND EUROS). SECOND: NOTIFY this resolution to B.B.B. THIRD: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/7 restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-050522 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es