AEPD (Spain) - EXP202309210
AEPD - EXP202309210 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR |
Type: | Other |
Outcome: | n/a |
Started: | 06.02.2024 |
Decided: | |
Published: | 10.05.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | EXP202309210 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA found that reposting a video that was originally posted without a data subject's consent is processing of personal data without a legal basis. However, it upheld an appeal and archived the decision because it could not verify the identity of the controller.
English Summary
Facts
A data subject filed various complaints with the Spanish DPA (AEPD) concerning a video, which featured his image and voice, that was shared on social media platforms without his consent. The complaints involved numerous users from Twitter, Youtube, Instagram and pacot.es (a nonprofit Spanish forum for user-generated content) who posted or reposted the video or its contents.
The video was first published by a user on Twitter and ultimately went viral, reaching over 440 thousand retweets or reposts of its content. On 3 September 2022, a user on pacot.es (the controller), a Spanish social media website, republished the video with a link to the original Twitter post. Other users on pacot.es commented on the video, including with screenshots of it that featured the data subject and with the data subject’s name.
In an effort to identify the individuals behind the social media accounts, the AEPD solicited information about User 4 and two other users from pacot.es on 16 January 2023. The webpage responded that it did not retain any personal data from its users except for their email addresses and the IP address of the last access made by the user. Accordingly, it provided the AEPD with the email addresses as well as the last-accessed IP addresses registered on 28 January 2023 (the day of their response to the AEPD) and 13 February 2023 (the day of a second response to the AEPD) of the requested users (including the controller). Based on the data, the AEPD determined identified a controller. However, the two IP addresses indicated different individuals.
On 30 March 2023, the identified controller wrote the DPA. He admitted to being the account holder, but argued that he was not the author of the post and that he did not have access to the page on 13 February 2023. He claimed that he did not remember accessing the forum on 13 February 2023 and that his account appears to have been hacked. He noted that pacot.es had frequently faced complaints of hacking. The controller also stressed that the proceedings failed to focus on the fact that the pacot.es post published a link rather than uploading the original video. Merely posting a link, it argued, should not be considered a processing of data.
On 8 January 2024, the AEPD concluded sanctioning proceedings against the controller, finding that he had violated Article 6 GDPR and issued a fine of €2,000. It noted that the controller had shared a video containing personal data without the consent of the recorded data subject, which constituted processing of personal data without a proper legal basis.
On 6 February 2024, the controller appealed the AEPD’s decision. It argued that the AEPD’s procedure was defective and that the chronology and facts at issue were inaccurate, and thus requested that the decision be annulled.
Holding
The AEPD considered that the inability to verify that the IP addresses corresponded to the same individual made it impossible to verify that the controller was actually responsible for the post. As a result, it could not be certain that the controller processed the data at issue. Given that the pacot.es platform had since been removed from the internet, the AEPD was unable to continue new investigation efforts.
As a result, the AEPD upheld the controller’s appeal.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/14 File no.: EXP202309210 RESOLUTION OF REPLACEMENT APPEAL Examined the appeal for reconsideration filed by A.A.A. (hereinafter referred to as the part appellant) against the resolution issued by the Director of the Spanish Agency for Data Protection dated January 8, 2024, and based on the following FACTS FIRST: B.B.B. (hereinafter, the claiming party) on 09/05/2022 filed two complaints before the Spanish Data Protection Agency directed against the users of the social network “Twitter” that are mentioned in the URLs indicated in such claims. The reasons on which these claims are based are: following: “Publication of a private video in which I appear without my consent. The video It has gone viral and I have not given permission to the editing of the video or its distribution. They were independent shots for a work purpose, not for publication on networks without my consent since it was not even I who distributed the video. Fact reported on Twitter and response received without any action being taken measures". In the first of the complaints received, it is stated that the video was published on the social network “Twitter” on date ***DATE.1 by the user “***USER.1”. He video consists of a montage of successive shots (...). Through the second claim, the complaining party “adds” documentation to the previous complaint and details the URLs that lead to the reported posts (22 videos and 2 images). Along with the claims, the following documentation is provided, among other documentation: . Screenshot corresponding to the “Twitter” user profile “***USER.2”, “***USER.1”. It includes the date “***DATE.1.”, the text “(...)” and an image of the video in question that corresponds to a photo of the complaining party. It is stated that the video has a duration of 38 seconds and that it has had “1.7 M reproductions”. . Screenshots corresponding to the “Twitter” user profiles that They released the video or images. Most of them include the dates (…); texts like “(…)”; etc.; and an image of the video in question that corresponds to a photo of the complaining party. The duration of the video (38 seconds) and the number of reproductions in each case (from 30 to 443.8 thousand reproductions). SECOND: On 09/05/2022, in accordance with article 65 of the LOPDGDD, the first of the claims outlined in the Background First. The Admission Agreement was notified to the complaining party in the same date. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/14 THIRD: On 09/06/2022, two new claims of the complaining party. The claims are directed against new “Twitter”, “Instagram” and “Youtube” users, who also shared the video on issue with comments similar to those reviewed above, which are add to those included in the previous claims, as well as against the responsible and users of the web pages indicated, in which it was inserted Also the video in question. Among the latter, there is a user of the website “pacot.es”, identified as “***USUARIO.3”, which published the video in question on 09/03/2022, accessible at the URL “***URL.1”, taken from the Twitter user “***USER.1”. Through the General Subdirectorate of Data Inspection, the thread generated by the user “***USER.3” with the label “(...)”, verifying that, on the same date of the 09/03/2022, other users of the “pacot.es” website made comments regarding the repeated video. The user identified as “***USER.4” made a comment at 5:03 p.m., with the text “There is no color. (...) has penetrated deeply into our hearts”, and included a screenshot corresponding to a photograph taken from the published video in which the complaining party can be seen together with another person. The photograph is not shown with complete clarity, but not in a way that prevents the Identification of the complaining party. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD. The following checks and actions were carried out: 1. The Inspection Services inform that the website “pacot.es” is a forum without purpose for-profit (there is no user fee or advertising) focused on various hobbies such as video games, cinema, literature, etc., in which the content is generated by the own users. 2. On 09/08/2022, the Public Business Entity Red.es (REDES) was requested information about the entity responsible for the Dominican “pacot.es”. REDES responds that the owner is B.B.B., with address at ***ADDRESS.1, with email address “***EMAIL.1” and telephone number ***PHONE.1. According to the information provided, the administrative, technical and Billing is C.C.C., with address at ***ADDRESS.2. 3. On 10/03/2022, information was requested from the entity Orange Espagne, S.A.U. on the ownership of the ***PHONE line.1. As reported by this entity on date 10/19/2022, the line belongs to D.D.D., with address at ***ADDRESS.3. 4. Within the framework of the previous investigation actions, on 10/21/2022, the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/14 AEPD issued “Agreement for the adoption of provisional measures” by which it was ordered D.D.D. the removal of the content that is the subject of the claim inserted on the website “pacot.es”, accessible through the URL “***URL.1” (video about “(...)” by the user “***USER.3”). In this agreement, which was notified on 11/10/2022, it was expressly provided for: following: "1. Require D.D.D. (pacot.es) so that, within a maximum period of 5 calendar days, proceed to remove the aforementioned contents relating to the claimant from the addresses web from which they are accessible, avoiding to the extent that the state of the technology permits, the re-uploading or re-uploading of exact copies or replicas by the same or Other users. 2. Require D.D.D. (pacot.es) so that the withdrawal or modification of the contents is carried out in such a way that it makes it impossible for third parties to access and dispose of the original, but guarantee its conservation, in order to safeguard evidence that may be necessary in the course of the police or administrative investigation or judicial process that could educate yourself 3. Require D.D.D. (pacot.es) so that, within a maximum period of 5 calendar days, they report to this Spanish Data Protection Agency about the execution of the measure.” 5. Through requests dated 10/03, 11/17 and 11/21/2022, the responsible for “Wespec”, hosting and domain provider, information about the ownership of the email address “***EMAIL.1”, identification data and contacts of the domain “pacot.es” and the ownership and billing address of this domain. This entity responded on 11/25/2022 to the following: . The email address “***EMAIL.1” does not belong to the client. It was used for Anonymize your customer email address and prevent you from receiving spam emails. . The identification and contact data of the owner of the domain “pacot.es” registered in your systems: . (…) According to the aforementioned entity, the above data was provided by “E.E.E.” . Owner and billing address of the domain “pacot.es”: . (…) . 6. On 12/07/2022, E.E.E. was requested. (responsible for the website “pacot.es”) the removal of content published at the URL “***URL.1” and information about the entity that manages the website “pacot.es”. A response was received on 12/21/2022, indicating that the “thread” in the platform with the url: ***URL.1) has been deleted (a “thread” means the message C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/14 initial and all responses thereof) on the same day of receipt of the letter (12/21/2022) at 1:15 p.m. (GMT).” It indicates that the website only retains the information strictly necessary for the correct operation of the website, which does not store information or personal data or photographs of individuals, registered or third parties, and that the possibility of upload these files to the server. Regarding the photographs and videos indicated in the request, it clarifies that they come from another website (https://www.twitter.com) and that it is the users of “pacot.es” who have placed links to said content. To clearly indicate that these contents are not They come from “pacot.es”, but they do come from other websites, they fit into a framework that indicates which platform it is (the users who have published said platform are indicated). image on “twitter.com” and linked to “pacot.es”). He adds that “when an image from https://www.twitter.com is cited but not its “post” original, this appears with the domain https://pbs.twimg.com. No images are hosted at hrrps://pacot.es”. According to the documentation provided, this is the case of the image inserted with the comment made by the user “***USER.4”. If the content of said links is deleted at source, it no longer appears on “pacot.es”. 7. On 01/11/2023, the Inspection Services verified that the Content accessible through the URL “***URL.1” has been removed. In this same date it was found that the “pacot.es” page was not available. 8. On 01/16/2023, in order to determine the authorship of the publications, requested E.E.E. information about the IP address from which the user “***USUARIO.4” published the claimed content on 09/03/2022, at 17:03, as well as the identifying registration data for this profile. This same information was requested regarding two other users who participated in the same thread related to the video object of the actions. On 01/28/2023, a response was received indicating that the website does not save no personal data, beyond the IP address and an email address electronic. In the case of the user “***USER.4” provides the IP address ***IP.1 and the address “***EMAIL.2”. The same information is provided in relation to two other users by whom it was consulted (IP address and email address). Likewise, it adds that “the website does not record the IP address of each message individual for reasons of logistics and data protection, but the last one since the that the user accessed it”, which for the aforementioned user corresponds to the facilitated. Subsequently, details of the date and time recorded in their systems were requested. corresponding to the assignment of IP addresses reported above. In the response letter, dated 02/13/2023, E.E.E. Provides assigned IP addresses to the users consulted on the dates 01/28/2023, at 16:27:43 (Spain time), C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/14 and 02/13/2023, at 01:48:22 (Spain time). In relation to the user “***USER.4”, provides the following detail: . The IP address ***IP.1 assigned to the profile “***USER.4” corresponds to the day 01/28/2023, at 16:27:43 (Spain time). . The IP address of “***USER.4” on 02/13/2023, at 01:48:22 (Time Spain) was ***IP.2. 9. In response to the request made by the Inspection Services, Telefónica de España, S.A.U. provided this Agency, on 02/14/2023, with the data identification and address of the owners of the IP addresses indicated on the dates and specified hours: . On the date of 01/28/2023, between 16:00:00 and 17:00:00 hours, the owner of the IP ***IP.1 is F.F.F., with DNI ***NIF.1, and street address ***ADDRESS.4. . On the date of 02/13/2023 between 01:00:00 and 02:00:00 hours, the owner of the IP ***IP.2 is H.H.H., with DNI ***NIF.2, and address on the street ***ADDRESS.5. Likewise, Telefónica de España, S.A.U. provided different identities for each of the IP addresses indicated by E.E.E. in relation to another user of the website (the name, address and ID of the person to whom the IP address was assigned corresponding to 01/28/2023 do not match those of the person to whom the IP associated with the same user on 02/13/2023). 10. On 03/09/2023, F.F.F. identification data (name, surnames and NIF) and address of the person who used your internet connection on 01/28/2023, between 4:00 p.m. and 5:00 p.m. (user “***USER.4” on the site website “pacot.es”). On 03/27/2023, the indicated person stated that they do not know the website “pacot.es” does not even use the Internet, as he has a disabling visual deficiency, and does not know if “they will have used their WIFI network”. 11. On 03/09/2023, H.H.H. identification data (name, surnames and NIF) and address of the person who used your internet connection on 02/13/2023, between 01:00 a.m. and 02:00 a.m. (user “***USER.4” on the site website “pacot.es”). On 03/30/2023, the indicated person identified the user “***USER.4” as G.G.G. (hereinafter the claimed party), with the same address on street ***ADDRESS.5. On this same date of 03/30/2023, a letter was received from this user, the part claimed, in which he states that his privacy must have been violated in the forum, that he did not remember having accessed with your username on the date of 02/13/2023; and that in those dates the website was closed or about to close. He adds that in “pacot.es” there is no It was not possible to upload images as such, but only through “linking”, remaining the image hosted on the server where it was originally published, never on “pacot.es”. According to the claimed party, this website had numerous user complaints C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/14 due to account hacking and identity theft. 12. Finally, in order to clarify how the video jumped to social networks After the recording of the same, on two occasions the acting inspection requested the complaining party to identify the author of the recording. These requirements of information were notified on dates 03/28/2023 and 06/13/2023, but were not received any response. In the Report of Previous Investigation Actions, the Inspection Services of The AEPD emphasize that the video in question, in whose recording the complaining party participates voluntarily, it went viral after its publication last ***DATE.1 in Twitter by the user “***USUARIO.1” and that, due to this wide diffusion, found on dozens of sites and could be easily located with tags like "(...)" either "(...)". According to the Inspection Services, it is a replica of the videos that went viral on social networks since 2021 with the subject “(…)”. Dozens of pages of results can be found using the search engine. “Google” search. FIFTH: On July 25, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the claimed party, G.G.G., in accordance with the provisions of articles 63 and 64 of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), for the alleged violation of article 6 of the RGPD, typified in the Article 83.5 of the GDPR, considering that the complained party disseminated the subject video of the claim without the consent of the complaining party and that this dissemination involves illegal processing of personal data. SIXTH: Once the aforementioned initiation agreement has been notified, the claimed party, after having obtained a copy of the proceedings, presented a document in which he formulated the allegations following: 1. Violation of the principle of typicality, considering that the complaining party consented to the recording of the video (he appears looking at the camera and (…)), so it is aware of the recording and use of your image. The video went viral, reaching the level of public or journalistic interest, as can be seen in some of the links indicated by the complaining party. So, understands that when exercising a fundamental right such as freedom of information about a fact that has achieved notoriety would be within the legitimate interest established in the RGPD and LOPDGDD. In this regard, it points out that the “pacot.es” forum did not allow uploading videos or saving files, as indicated by the administrator in the information provided to the Security Services AEPD inspection. The only thing it allowed was to copy the link to another website and viewed from that external source, it being the responsibility of “pacot.es” that said video would be inserted into the web and shown directly. The aforementioned principle of typicality is also violated by the lack of specification of the facts: the URL mentioned does not correspond to a post or thread opened by the party C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/14 claimed, the full URL of the mentioned video is not specified nor the number and order of the message that was published in said thread, and neither the external link, giving understand that the video was uploaded directly to “pacot.es”. It is also not specified whether Only a link was published or if it was the website itself that inserted the video. According to the claimed party, the operation of the website was as follows: . If a Twitter link was pasted, the website itself automatically inserted the profile of the owner of the video, without this meaning that the video had been uploaded to the Web. . If the message was cited, the inserted Twitter profile would appear again. automatically in the new message. But this did not mean that that person was the author of the insertion. . The website had a poorly executed UI/UX design error, so, sometimes, when making a comment on a thread opened by another forum member, inadvertently responding to the message from another user. According to the claimed party, the website was reported for hacking or modifications profile and forum messages and by forum members who received messages without permission. On the other hand, it highlights that the actions do not determine who, how and when uploaded the video. The AEPD carries out an extensive interpretation of what the treatment, without considering that placing a link should not be a treatment of data. The specific punishable act is not presented, nor the link, nor the author of the post, nor the date. In short, the claimed party considers that it is not acceptable to point out that it has tried images without consent, because you have not uploaded or downloaded the video from any website or social network, has not created or recorded it, nor has it been entered into “pacot.es” 2. Considers violated the principle of presumption of innocence and the principle accusatory. He reiterates that he did not upload the video, nor the link, to the website in question and warns again that the author of a message in a forum can be easily altered from a data base. “pacot.es” used the Discourse forum system, which is open source and has with extensions so that a thread or item can be changed author. I also know you can make that modification using a query directly in the database (PostgreSQL). Requests the audit log of database changes that ensures that the forum system administrator or administrators did not alter any messages, pointed out in this regard that it is mandatory to keep this unalterable record and that this will allow you to guarantee that your user, your messages or your data have not been altered, during or after the events. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/14 In addition, it requests that simple screenshots not be admitted as evidence, which can also be altered with any browser with access to inspection tools. Since the AEPD has accessed the message after the creation of the thread, its authorship has been able to be modified, something common in “pacot.es”. 3. Violation of the principle of proportionality, when the fine was determined without any argumentation, without motivating the criteria applied and to what extent they affect the amount of the fine. The degree of guilt has not been considered, since the video was broadcast by media and that suggests that the dissemination is legitimate, nor the fact that the damage was neutralized with the deletion of the video. 4. Finally, he alleges defenselessness for carrying out actions against third parties persons (the administrators or owners of the website) without the claimed party having could make any statement to the contrary or request that those people certify whether the messages could have been altered. He highlights that he responded to the request that was made to him by the Services of Inspection of the AEPD admitting to being the user “***USER.4”, but did not admit to being the author of the video publication nor access to the forum on the date indicated. indicated in that request (02/13/2023). At that time he had stopped frequent the forum. Regarding this detail, he clarifies that he was not asked about the date the video was uploaded, but for the date of 02/13/2023, which cannot correspond to the publication of the video, since the claim was submitted in September 2022. There is a contradiction in the disposition of the facts made by the AEPD. Furthermore, the same opening agreement refers to the closure of the website “pacot.es” on 02/13/2023, which is also not true. It indicates that the website was open until 02/17/2023, as announced by the administrator weeks in advance, and that it was not They carried out the appropriate investigations to confirm this fact. To all this, he adds that defenselessness also results from not having guaranteed the principle of contradiction and by the closure of the forum, which makes many of the facts. He ends his allegations by expressly requesting: . That the file be closed due to the absence of evidence and the impossibility of defending. . That the defect in form be admitted in the communications of the requirements and the sanctioning procedure, due to the inaccuracy of the facts, the actions and the presented chronology. . That the amount of the fine be reduced to one euro, as no aggravating criterion. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/14 SEVENTH: On 08/31/2023, the instructor of the procedure agreed to open a testing period in which they practiced the following: 1. The claim filed by the claiming party and its documentation, the documents obtained and generated during the phase of admission to processing of the claim, and the report of previous actions of investigation. 2. The allegations regarding the agreement were reproduced for evidentiary purposes. initiation of the sanctioning procedure presented by the claimed party, and the documentation that accompanies them. EIGHTH: On 10/13/2023, a proposed resolution was formulated, in the sense that by the director of the AEPD, the requested party was sanctioned for a violation of the article 6 of the RGPD, typified in article 83.5 of the RGPD, with a fine of €2,000 (two thousand euros). In this proposed resolution the following Proven Facts were determined: “FIRST: The defendant has broadcast a video, without having the consent of the recorded person, consisting of a montage of successive shots in which the affected, recorded by someone he knows, looks at the camera and (...), which represents a treatment of your image as personal data considered illicit, as it does not have your consent". It is concluded that “the claimed party publishes personal data of the complaining party, such image and voice of the claimant” and that “the facts exposed, that is, the dissemination of a video that can damage a person's image, by not having their consent, means that the processing of your image as personal data may be considered illegal, which would violate the provisions of article 6 of the RGPD, indicated in the legal basis III, so it could mean the commission of an infraction classified in article 83.5 of the RGPD.” NINTH: On 10/27/2023, the claimed party formulated allegations against the motion for a resolution, in which it basically reproduces its allegations above, mainly highlighting that their arguments have not been taken into account account and that his words have been transformed to emphasize in the proposal that he has acknowledged having released the video, something he has never stated. The proposed resolution states that “the claimed party further indicates that discloses the video based on legitimate interest”, when nowhere in its allegations or responses has acknowledged or implied this fact, nor has it invoked in any way the legitimate interest. Regarding the consent of the complaining party to the recording of the video, it indicates that the same report of previous actions recognizes that it participated “voluntarily” in the video recording and that this recording was made by a person that the complaining party “evidently knows,” to conclude that “no “we have been able to determine how the video ended up being published on social networks.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/14 Likewise, it highlights that the complaining party was subsequently requested in two occasions to collaborate with the investigation, without giving a response in any of them. Regarding the facts, he points out that it has become clear that the author of the thread on the web “pacot.es” was another user, who inserted a link to a Twitter user who uploaded the video to your personal account. These facts clash with the accusation contained in the Proven Facts, which indicate that the claimed party spread the video. With your username only a comment appears and, below, a blurry photo that It does not identify anyone, and not a video. Understands that, as the capture of screen obtained from the forum by the Inspection Services, it cannot be stated that the photo belongs to your comment or to the forum member who answered below. That photo is hosted on an external server, on Twitter and not on “pacot.es”. It warns, on the other hand, that the AEPD has not carried out an investigation of the operation of the forum, having been limited to the information provided by the web headlines. He once again invokes the principle of presumption of innocence and proportionality and He alleges again the helplessness caused. TENTH: On 01/08/2024, a resolution was issued by the Director of the Agency Spanish Data Protection Regulation, by virtue of which the claimed party was imposed, for a violation of article 6 of the RGPD, typified in article 83.5 of the RGPD, a fine of 2,000 euros (two thousand euros). ELEVENTH: On 02/06/2024, within the established period, the appeal for reconsideration by the claimed party (hereinafter the claimed party or appellant) against the resolution outlined in the Tenth Antecedent, dated 01/08/2024, in which the same circumstances and allegations are revealed collected the documents presented during the processing of the procedure and requests the following: 1. That, in the absence of evidence, the nullity or annulability of the appealed resolution. 2. That the defect in form in the procedure and in the requirements be admitted carried out by the AEPD, due to the inaccuracy of the events narrated, the chronology presented in the documents sent and in the actions of the AEPD. 3. That, in the absence of justification for the graduation of the sanction, the nullity or annulability of the appealed resolution. 4. That the nullity or annulability of the resolution appealed for violation be declared of the presumption of innocence, due to unfounded accusations, arguments falsely attributed and for the helplessness suffered. Through “Othersi, I say second”, he requests “that this time all my allegations, respecting the subject to which they refer, and not altering the sense and reasoning of these, which until now has caused "misinterpretations or false accusations." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/14 From what was stated in the appeal, the following statements should be highlighted: . He reiterates that in his first allegation he requested the audit record of the database data, which guarantees that the forum administrator did not alter any messages. . That the investigations carried out by the AEPD have revealed difficulties to locate the real people behind the forum profiles. FOUNDATIONS OF LAW Yo Competence The Director of the Spanish Agency is competent to resolve this appeal. of Data Protection, in accordance with the provisions of article 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP) and article 48.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD). II Absence of evidence In the present case, a claim was filed against several social network users for the dissemination of a video in which the image and voice of the party are shown complainant or photographs taken from said video, together with comments that, in In some cases, they alluded to his name. The claims made were directed also against those responsible and users of various web pages, in which He also inserted the video in question. Among the latter is the website “pacot.es”, in which a user identified as “***USUARIO.3” published the video in question on 09/03/2022, accessible on the URL “***URL.1”, taken from Twitter user “***USER.1”. On the same date of 09/03/2022, other users of “pacot.es” made comments in the thread generated by the user “***USER.3” with the label “(...)”, including the own video or an image taken from it. Specifically, a person identified with the username “***USUARIO.4” made a comment to the 17:03 hours, with the text “There is no color. (...) has penetrated deep into our hearts”, and included a screenshot corresponding to a photograph taken from the video published in which the complaining party can be seen with another person. To identify the person acting under that username and determine the authorship of the claimed events, the AEPD Inspection Services requested to the person responsible for “pacot.es” information about various users of the website, including the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/14 creator of the thread and the user “***USER.4”, specifically the IP address from which published the claimed content on 09/03/2022, at the time corresponding to each one of them, as well as the identifying registration data of those profiles. The three users to whom the information request referred had intervened in the same thread related to the video that is the subject of the proceedings. In the response received, the person responsible for the aforementioned website reported that the IP address of each individual message, but the one of the last access made by the user in question; and that no personal data is saved, except for that address IP and an email address. For the three users consulted, it provided an IP address corresponding to the date of 01/28/2023 (date of the response) and an e-mail address. Subsequently, the same person responsible for the website was requested to provide details of the date and time that appears in their systems corresponding to the assignment of IP addresses informed. In a new response letter, dated 02/13/2023, the IP addresses were provided assigned to the consulted users, corresponding to 01/28/2023, at 16:27:43 (Spain time), and on 02/13/2023, at 01:48:22 (Spain time). In In relation to the claimed party, the following detail was provided: . The IP address ***IP.1 assigned to the profile “***USER.4” corresponds to the day 01/28/2023, at 16:27:43 (Spain time). . The IP address of “***USER.4” on 02/13/2023, at 01:48:22 (Time Spain) was ***IP.2. Based on such data, in response to the request made by the Inspection Services, Telefónica de España, S.A.U. provided the AEPD with the data identification and address of the holders of the IP address assignments indicated, in the specified periods, it should be noted that in relation to the user “***USER.4” a different person was indicated, with a different address, for each of the IP addresses and date reported by the person responsible for the website: . On the date of 01/28/2023, between 16:00:00 and 17:00:00 hours, the owner of the IP ***IP.1 is F.F.F., with DNI ***NIF.1, and street address ***ADDRESS.4. . On the date of 02/13/2023 between 01:00:00 and 02:00:00 hours, the owner of the IP ***IP.2 is H.H.H., with DNI ***NIF.2, and address on the street ***ADDRESS.5. Thus, even though the claimed party has acknowledged being the user of “pacot.es” known as ““***USER.4”, the result of these checks does not allow ensure that all accesses made to the website with that username were actually carried out by the claimed party. It is also interesting to highlight that Telefónica de España, S.A.U. also facilitated different identities for each of the IP addresses associated by the person responsible from the website “pacot.es” to the user “***USUARIO.3” on the dates mentioned, being a person who accessed with that username on 01/28/2023 and a different one the one who accessed the website on 02/13/2023, also with that username, both C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/14 with different addresses. Only in the case of the third user consulted did the identity of the person coincide informed by the aforementioned operator for the two indicated dates. Given the result obtained, the information on IP addresses assigned to these users cannot be treated as reliable. It should also be noted that the IP addresses provided by the person responsible for “pacot.es” do not correspond to the time in which the events took place, that is, Those IP addresses were not those assigned to the users who participated in the forum, in the thread created by “***USUARIO.3”, on 09/03/2023. The information request made to the person responsible for “pacot.es” requested the IP address from which these users posted the claimed content, but the responsible for the website reported that the IP address of each message is not recorded individual and which retains only the IP address of the last access. Therefore, it has not been possible to verify whether under the username “***USER.4”, On that date in September 2022, F.F.F., the claimed party or a third party acted unknown, as the specific IP address assigned in that case was not available. exact moment, which would have offered some opportunity to identify the specific people who intervened in the post relating to the complaining party under verified usernames. Likewise, it should be noted that, according to the verifications highlighted by the Services of Inspection of this AEPD, the website was not available on 01/11/2023, date prior to the accesses reported by the person responsible for the website, which They supposedly took place on 01/28 and 02/13/2023. Consequently, it must be concluded that there is no certainty about the authorship of the facts analyzed in the contested resolution, supposedly committed by the party claimed under the username “***USER.4”, so there is no basis factual basis to impute a violation in terms of data protection or to sanction him for the same, proceeding to reconsider the validity of the resolution contested, with the approval of the appeal for reconsideration filed and the filing of the performances. It is taken into account that the website “pacot.es” was closed by its person in charge and that this makes it difficult for this AEPD to carry out new verifications. Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ESTIMATE the appeal for reconsideration filed by A.A.A., with NIF ***NIF.3, against the resolution of this Spanish Data Protection Agency issued on January 8, 2024, in file EXP202309210, with file of the performances. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/14 SECOND: NOTIFY this resolution to A.A.A., with NIF ***NIF.3. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations (LPACAP), interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provided in article 25 and in section 5 of the fourth additional provision of the Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months counting from the day following notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) LPACAP, it may be provisionally suspend the final resolution through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the aforementioned LPACAP. You must also transfer to the Agency the documentation that accredits the effective filing of the contentious-administrative appeal. If the Agency did not have knowledge of the filing of the contentious-administrative appeal within the period of two months from the day following the notification of this resolution, it would be considered the precautionary suspension has ended. 180-21112023 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es