AEPD (Spain) - EXP202206302
AEPD - PS/00584/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR Article 83(5)(a) GDPR Article 1903 Spanish Civil Code |
Type: | Complaint |
Outcome: | Upheld |
Started: | 20.04.2022 |
Decided: | |
Published: | 20.11.2023 |
Fine: | 10,000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00584/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | R_e_ |
The Spanish DPA imposed a €10,000 fine on the father of a minor who used the photo of another minor to create a fake Instagram account which displayed a sexually explicit video. There was no legal grounds for processing the photo in this manner.
English Summary
Facts
On 20 April 2022 a mother made a complaint to Instagram and the Spanish Civil Guard because a photo of her 13 year old son was used as the profile picture of a false Instagram account. The account included a video of man masturbating, face hidden. The DPA requested from Meta Platforms Ireland, as the data controller of the Instagram portal, the date, time and IP address from which the profile was created, and the identification and contact information of the profile's creator. As of July 14 2022, the profile had been deleted and the profile was at least available until 22 April 2022.
On August 8 2022, the controller responded that there was an error in the profile name. On August 29, the DPA made the same request as above with the corrected profile name. A response from the controller was received on September 23, and on September 26 the DPA determined that the IP address came from Digi Spain Telecom SL. Digi Spain then provided the details of the profile creator, AAA. The DPA proceeded to initiate a sanctioning procedure, under Article 83(5)(a) of the GDPR, against AAA on 21 December 2022, due to a infringement of Article 6. AAA was the father of the minor who created the profile. He gave a written statement in response to the allegations, generally stating that the infraction was committed by a knowing minor who had no intention or knowledge of causing harm, that no damage was caused, that the violation had no social repercussions and that it only lasted a few hours.
The DPA decided to fine AAA €10,000 on February 27 2023, although AAA reiterated his previous statements on March 23 in response to the decision.
Holding
The DPA held that Article 6 of the GDPR had been violated because AAA could not show that using the data subject's photograph to create a false profile on Instagram was with the consent of the data subject, or that any other legal ground for processing could be relied on.
The DPA also referred to a Spanish Supreme Court, second chamber, case STS 363/2017 of 15 February 2017, where it was noted that in opening a social network account, while 'the owner of the profile has“uploaded” a photograph of himself that is accessible to the general public, it does not authorize a third party to reproduce it in a media without the owner's consent. Such an action cannot be considered a natural consequence of the accessible nature of the data and images of a public profile.'
AAA was held to be responsible for the actions of his minor child, since Article 1903 of the Spanish Civil Code states that 'parents are responsible for damages caused by children under their care.…' and therefore 'whoever holds parental authority has the obligation to monitor what his minor children do.' No evidence indicated that AAA had complied with his duty of care when his child posted the photograph of another minor.
In imposing a fine of €10,000, the DPA took into consideration seriousness of the facts, since the image was used in a profile with images of sexual content, the type of data processed, since it affected a minor, and the intentionality of the action.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
• File No.: EXP202206302 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On June 7, 2022, the Director of the Spanish Data Protection Agency is aware of the complaint filed for a possible infringement in the processing of personal data, against A.A.A. with NIF ***NIF.1 (hereinafter, the accused party), for the use of the image of B.B.B., minor son of C.C.C.. The reported facts are the following: “The Civil Guard of ***LOCALIDAD forwards the complaint filed by the mother of a 13-year-old boy, which shows that on April 20, 2022 she was aware of the creation of a false profile on Instagram that she uses as a photo in profile a picture of his son. He points out that when accessing the profile, a published video was available, which corresponded to images of a man, whose face is not hidden, masturbating. The complainant told the Guard that she reported the facts to Instagram.” In the complaint sent by the Civil Guard, a copy of the report is attached, from its analysis the following is extracted: (...) (...) either (...) - - - - - (...) (...) (...) (...) (...) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es SECOND: The General Subdirectorate of Data Inspection proceeded to carry out prior investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in the article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, being aware of the following points: After verifying the documentation provided by the Civil Guard, it is confirmed that the photo on the Instagram profile corresponds to the photo on the DNI provided. However, this accreditation has been carried out by comparing the Instagram screenshot attached to the complaint with the DNI also attached to it, since as of July 14, 2022, the reported Instagram profile had been deleted. On July 14, 2022, it was decided to request information from META PLATFORMS IRELAND LIMITED, data controller of the Instagram portal, marked by the following line of investigation: - Report the complaint received in relation to the creation of a social network profile that made use of the photograph of a minor who had nothing to do with him. - Request the date, time and IP address from which the profile was created. - Request the identification and contact information of the creator of said profile. On August 8, 2022, a response to the previous request was received informing us that there was an error in the name of the Instagram profile that had been provided and for which the information was requested, urging us to proceed with its clarification and correction. On August 29, 2022, a new information request was made to the person responsible for META PLATFORMS IRELAND LIMITED with the correction requested in the previous response, once again requesting the following information: - Date, time and IP address from which the profile was created. - Identification and contact information of the profile creator. On September 23, 2022, a response to the previous information request was received, from its analysis the following is extracted: - (...) - (...) - (...) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es either (...) either (...) On September 26, 2022, this inspector confirmed that the IP addresses provided by META PLATFORMS IRELAND LIMITED correspond to the operator DIGI SPAIN TELECOM SL, recording this finding through the corresponding diligence. On September 26, 2022, a new information request is made to DIGI SPAIN TELECOM S.L marked by the following line of investigation: - (...) - (...) On October 5, 2022, a response to the previous request was received providing the following: - (...) either (...) either (...) either (...) THIRD: On December 21, 2022, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the reported party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 6 of the RGPD, typified in Article 83.5 of the RGPD. FOURTH: Once the aforementioned initiation agreement was notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the father of the accused party presented a written statement of allegations. in which, in summary, it stated that the infraction was committed by a knowing minor who had no intention or knowledge of causing harm. No damage was caused. The violation had no social repercussions. The violation only lasted a few hours. FIFTH: On February 13, 2023, the procedure instructor agreed to perform the following tests: The claim filed by B.B.B. is considered reproduced for evidentiary purposes. and its documentation, the documents obtained and generated during the admission phase of the claim for processing, and the report of previous investigation actions that are part of the AI/00242/2022 procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es Likewise, the allegations to the agreement to initiate the referenced sanctioning procedure, presented by A.A.A., and the documentation that accompanies them, are reproduced for evidentiary purposes. SIXTH: On February 27, 2023, a proposed resolution was formulated, proposing that the Director of the Spanish Data Protection Agency sanction A.A.A., with NIF ***NIF.1, for a violation of article 6 of the RGPD, classified in article 83.5 of the RGPD, with a fine of €10,000 (ten thousand euros). SEVENTH: On March 23, 2023, allegations are presented to the proposed resolution by the defendant, reiterating his statements regarding the initial agreement where he states that the profile on the Instagram platform was created by his minor son, D.D.D., through the email ***EMAIL.1, which belongs to his youngest son, who was also 13 years old like the affected person at the time the events occurred. Likewise, it is reiterated that the minor had no intention or knowledge of causing harm, and stating that no harm was caused since the infraction had no social repercussions, because the infraction only lasted a few hours. Of the actions carried out by the Spanish Data Protection Agency and based on the following PROVEN FACTS FIRST: The photograph of a minor under 13 years of age has been used by a minor to create a profile This profile was created on February 4, 2022 at 22:39 Spanish time (20:39 UTC time), and was available until April 22, 2022. SECOND: The father of the accused party is the owner of the IP, and considers that it was a joke between children that has not generated any damage or social repercussions. FOUNDATIONS OF LAW Yo In accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), it is competent to initiate and resolve this procedure by the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." II C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es In relation to the legality of the processing of personal data, article 6 of the GDPR establishes the following: "1. Treatment will only be legal if at least one of the following conditions is met: a) the interested party gave his or her consent to the processing of his or her personal data for one or more specific purposes; b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the interested party of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the controller; d) the processing is necessary to protect the vital interests of the interested party or another natural person; e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that the interests or fundamental rights and freedoms of the interested party that require data protection do not prevail over said interests. personal, particularly when the interested party is a child. The provisions of letter f) of the first paragraph will not apply to the processing carried out by public authorities in the exercise of their functions.” III By virtue of the provisions of article 58.2 of the RGPD, the Spanish Data Protection Agency, as a control authority, has a set of corrective powers in the event of a violation of the precepts of the RGPD. Article 58.2 of the GDPR provides the following: “2 Each supervisory authority will have all of the following corrective powers indicated below: (...) “d) order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where applicable, in a certain manner and within a specified period;” “i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures mentioned in this section, depending on the circumstances of each particular case;” Article 83.5.a) of the GDPR establishes that: “Infringements of the following provisions shall be punished, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es In the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, choosing the highest amount: a) the basic principles for processing, including the conditions for consent pursuant to articles 5, 6, 7 and 9;” In turn, article 72.1 b) of the LOPDGDD, under the heading “Infringements considered very serious, provides: “The remaining infractions that involve a substantial violation of the articles mentioned in article 83.5 of Regulation (EU) 2016/679 and, in particular, the following are considered very serious and will expire after 3 years: b) The processing of personal data without any of the conditions of legality of the processing established in article 6 of Regulation (EU) 2016/679. IV In this case, a claim filed by a woman before the Civil Guard is revealed, upon learning on April 20, 2022 that a minor had used the image of her son, a minor under 13 years of age, for the creation of a fake profile on Instagram. The investigative actions carried out by this Agency have made it possible to verify that the profile reported used as a profile the photograph of the minor subject of this claim, it was created on February 4, 2022 at 10:39 p.m. Spanish time (8:39 p.m. UTC time ), and was available until at least April 22, 2022. Both the creation of the profile and the subsequent login were carried out from two IP addresses assigned by the operator to the father of the minor who created the false profile, whose personal data are: · NAME AND SURNAME: A.A.A. · DNI: ***NIF.1 · ADDRESS: ***ADDRESS.1 In his allegations, the father of the minor who used the photo of another minor as his Instagram profile, acknowledges the facts, and limits himself to stating that the violation only lasted a few hours. In relation to the use of photographic content, it is worth mentioning STS 363/2017, of February 15, which indicates the following: “... that, in the account opened on a social network on the Internet, the owner of the profile has “uploaded” a photograph of himself that is accessible to the general public, does not authorize a third party to reproduce it in a media without the consent of the owner because such action cannot be considered a natural consequence of the accessible nature of the data and images of a public profile on a social network on the Internet. The purpose of an account opened on a social network on the Internet is the communication of its owner with third parties and the possibility that these third parties may have access to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es content of that account and interact with its owner, but not that the image of the owner of that account can be published in a media. [...] The consent of the owner of the image so that the general public, or a certain number of people, can see his photograph on a blog or in an account opened on the website of a social network does not entail authorization to make use of that photograph and publish or disseminate it in a different way.” It must also be taken into account that in accordance with article 1903 of the civil code, which provides that: "Parents are responsible for damages caused by children who are under their custody...", the denounced party is responsible for the actions of their minor child who was subject to the parental authority of their parents on the date of the events, since whoever holds parental authority has the obligation to monitor what their minor children do and are responsible for non-compliance or poor compliance with this duty, as stated by the TS in its ruling of May 4, 1984, which declared: "Given the complexity of modern life and its consequent increase in risk, the tendency to make those who create them responsible for the damages derived from these risks is evident, and in this sense the parent or caregiver of a minor is responsible for the damages that he causes to third parties, since with his lack of care he created the risk of harmful conduct of the minor translated into effective and real damage and must, therefore, compensate him, unless he proves that he has used the diligence required by the Law, which is not the case. occurred in the case discussed." In this case there is also no evidence that the accused party, the father of the minor who posted the photograph of another minor, has complied with his duty of care, which makes his responsibility clear. In this order of ideas, it must be specified that the minor responsible for the events was 13 years old when they occurred, so the provision of article 52.4 of Organic Law 8/2021, of June 4, on protection is not applicable. integral to childhood and adolescence in the face of violence, which provides that "Persons over fourteen years of age may be sanctioned for acts constituting an administrative offense in accordance with the regulations on the protection of personal data", therefore the defendant is responsible for the infraction, since as the holder of parental authority he must comply with the duty of care and supervision of his child, which includes, for what is of interest here, the supervision of the use given to technological elements. Therefore, this Agency, after having verified that the minor son of the accused party has used the photograph of a third party to create a false profile on Instagram, without his consent, it must be indicated that in accordance with the legal argument indicated On the above legal grounds, data processing has been carried out without legitimacy, since the contrary has not been proven by the accused party, and therefore it is considered that the accused party may have incurred a violation of article 6. of the GDPR. In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, precepts that indicate: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es “Each supervisory authority shall ensure that the imposition of administrative fines in accordance with this Article for the infringements of this Regulation indicated in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.” “Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account will be taken of: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages incurred. have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that they have applied under articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent; i) where the measures indicated in Article 58(2) have been previously ordered against the person responsible or in charge in question in relation to the same matter, compliance with those measures; j) adherence to codes of conduct under Article 40 or certification mechanisms approved under Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement.” Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures”, provides: "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the processing of personal data. c) The benefits obtained as a consequence of the commission of the infraction. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es d) The possibility that the conduct of the affected party could have induced the commission of the infraction. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party.” In accordance with the transcribed precepts, for the purposes of setting the amount of the fine to be imposed in the present case on the party reported as responsible for an infraction classified in article 83.5.a) of the RGPD, the following factors are considered concurrent aggravating factors: o Seriousness of the facts, since the image is used in a profile with images of sexual content. o Type of data processed, since it affects a minor. o Intentionality in action. The sanction to be imposed on the accused party should be graduated and set at the amount of €10,000 in accordance with article 58.2 of the RGPD. Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE on A.A.A., with NIF ***NIF.1, for a violation of article 6 of the RGPD, typified in article 83.5 of the RGPD, a fine of €10,000 (ten thousand euros) SECOND: NOTIFY this resolution to A.A.A.. THIRD: Warn the sanctioned person that he must make the imposed sanction effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering it, indicating the NIF of the sanctioned person and the procedure number that appears in the heading of this document, in the restricted account number IBAN: ES00-0000-0000-0000 -0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collected during the executive period. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es Once the notification is received and once it is executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the deadline to make the voluntary payment will be until the 20th of the following month or the immediately following business month, and if is between the 16th and last day of each month, both inclusive, the payment period will be until the 5th of the second following month or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the date of day following the notification of this resolution or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/ 1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative resolution may be provisionally suspended if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web /], or through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency were not aware of the filing of the contentious-administrative appeal within a period of two months from the day following notification of this resolution, it would terminate the precautionary suspension. 938-181022 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es