AEPD (Spain) - EXP202207494
| AEPD - EXP202207494 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 5000 EUR |
| Parties: | n/a |
| National Case Number/Name: | EXP202207494 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | EXP202207494 (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA fined a controller €5,000 for sharing an employee's personal data on WhatsApp.
English Summary
Facts
A data subject filed a complaint against their employer (the controller). They had sent the controller a professional email about a labour issue. The controller then displayed a screenshot of this email on the company WhatsApp profile of the data subject. The screenshot included the name and surname of the data subject along with the related question about the labour issue.
The Spanish DPA reached out several times to the controller to ask for an explanation but received no reply at any point.
Holding
The Spanish DPA fined the controller €5,000 for an infraction of Article 5(1)(f) GDPR.
First, as the controller did not reply, the DPA relied on the evidence available to it (the screenshot) and considered that the controller had failed to ensure the security of its employee's personal data by disseminating it on the employee's company WhatsApp account.
Second, the DPA gave the controller the option to attend a hearing within 10 days of the decision. Should the controller acknowledge its responsibility, the fine will be reduced by 20% to €4,000. If the controller does not reply to the decision, the DPA will take this as an indication of the controller's final decision and maintain the original amount of the fine.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202207494

RESOLUTION OF TERMINATION OF THE VOLUNTARY PAYMENT PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On March 31, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against SOLAR PROGRESS, S.L. with NIF B76821586 (hereinafter, SOLAR PROGRESS), through the Agreement which is transcribed:

AGREEMENT TO START SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the complaining party) on May 20, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against SOLAR PROGRESS, S.L. with NIF B76821586 (hereinafter, SOLAR PROGRESS). The grounds on which the claim is based are the following:

The complaining party worked for SOLAR PROGRESS until ***DATE.1. According to him, the commercial director of SOLAR PROGRESS exhibited, on the date of entry of the claim, in the WhatsApp profile of his business phone, the screenshot of an email prepared by the complaining party for professional purposes. The published document contains the name and surname of the complaining party associated with a question he asked to resolve a labour issue.

Along with the claim, he provides a screenshot in which the published information is displayed and a card of the commercial director of SOLAR PROGRESS.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to SOLAR PROGRESS, to proceed with its analysis and report to this Agency, within a period of one month, on the actions carried out to adapt to the requirements provided for in the data protection regulations.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was not collected by the person responsible. The transfer was reiterated on July 27, 2022 by certified postal mail, which was delivered on August 11, 2022 according to the acknowledgment of receipt included in the proceedings. The transfer was reiterated again, in accordance with the rules established in the LPACAP, and it was not picked up by SOLAR PROGRESS either. No response has been received to this transfer letter.

THIRD: On August 20, 2022, in accordance with article 65.5 of the LOPDGDD, the claim presented by the complaining party is understood to be admitted for processing, since more than three months have passed since the entry of the claim.

FOURTH: On December 15, 2022, and March 29, 2023, the following information, incorporated into the diligence of the same date, is obtained through the WhatsApp number ***PHONE.1:
- Information that can be seen when opening the contact number ***PHONE.1 belonging to SOLAR PROGRESS
- Email with the details of the complaining party that can be seen when expanding the image of the contact of the aforementioned number on WhatsApp.

From this information it is concluded that the SOLAR PROGRESS WhatsApp profile has no display limitations on the profile photo.

FOUNDATIONS OF LAW

I Competence and applicable regulations

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures."

II Previous issues

In the present case, in accordance with the provisions of articles 4.1 and 4.2 of the RGPD, processing of personal data is involved, since SOLAR PROGRESS, S.L. collects and preserves, among others, the following personal data of natural persons: name and surname, among other processing. SOLAR PROGRESS, S.L. carries out this activity in its capacity as controller, given that it is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR. For its part, article 5 of the RGPD includes the principles relating to processing.

III Principles relating to processing

Article 5.1.f) of the GDPR, relating to the principles of processing, provides that personal data will be "processed in such a way as to guarantee adequate security of personal data, including protection against unauthorized or illegal processing and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ('integrity and confidentiality')".

In relation to this principle, Recital 39 of the aforementioned GDPR states that "(…) Personal data must be processed in a way that guarantees security and appropriate confidentiality of personal data, including to prevent unauthorized access to or use of said data and the equipment used in the processing."

This principle has its correlation in national legislation in article 5 of the LOPDGDD, "Duty of confidentiality", which establishes:

"1. Those responsible and in charge of data processing as well as all the people who intervene in any phase of this will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.
2. The general obligation indicated in the previous section will be complementary to the duties of professional secrecy in accordance with applicable regulations.
3. The obligations established in the previous sections will be maintained even when the relationship of the obligor with the controller or processor has ended."

In this case, it is taken into account that SOLAR PROGRESS, S.L. did not keep the due confidentiality to which it was obliged, when disseminating, through the photo published on its WhatsApp profile, a screenshot of an email that had been prepared by the complaining party for professional purposes. The published document contains the name and surname of the complaining party associated with a question he asked to resolve a work issue.

Therefore, in accordance with the evidence available at the time of this agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered that the known facts could constitute an infringement, attributable to SOLAR PROGRESS, S.L., due to violation of article 5.1.f) of the GDPR.

IV Classification and qualification of the violation of article 5 of the RGPD

If confirmed, the aforementioned violation of article 5.1.f) of the RGPD could mean the commission of the infractions classified in article 83.5 of the RGPD, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of 20 000 000 euros or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the larger amount:
a) the basic principles for the processing, including the conditions for consent under articles 5, 6, 7 and 9;
(…)"

In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law, constitute infringements."

For the purposes of the limitation period, article 72.1 "Infringements considered very serious" of the LOPDGDD establishes: "Based on what is established in article 83.5 of Regulation (EU) 2019/678, the infractions that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following:
a) the processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679.
(…)"

V Corrective powers for violation of article 5.1.f) GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of this agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD:

As aggravating factors:
- The nature, severity and duration of the infraction, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damage they have suffered (section a): for having disseminated the personal data of the complaining party in the profile photo published on its WhatsApp, which affected the complaining party from at least May 20, 2022 (date of entry of the complaint) until March 29, 2023, according to the diligence incorporated into the file.

The balance of the circumstances contemplated in article 83.2 of the RGPD, with regard to the infraction committed by violating the provisions of article 5.1.f) of the GDPR, allows an initial fine of €5,000 (five thousand euros) to be set.

VI Imposition of measures

If the infringement is confirmed, it could be agreed to impose on the person responsible that, within a period of 1 day, it proceed to delete all the information from the WhatsApp profile photo relating to the personal data of the complaining party, without prejudice to other measures that could arise from the instruction of the procedure, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may "order the controller or processor that the processing operations comply with the provisions of this Regulation, where applicable, in a certain way and within a specified period…." The imposition of this measure is compatible with the sanction consisting of an administrative fine, according to the provisions of art. 83.2 of the GDPR.

Please note that failure to comply with the requirements of this body may be considered an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency AGREES:

FIRST: START SANCTIONING PROCEDURE against SOLAR PROGRESS, S.L., with NIF B76821586, for the alleged violation of article 5.1.f), typified in 83.5 GDPR.

SECOND: APPOINT B.B.B. as instructor and, as secretary, C.C.C., indicating that either of them may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the penalty that may apply would be 5,000 euros, without prejudice to what may result from the instruction.

FIFTH: NOTIFY this agreement to SOLAR PROGRESS, S.L., with NIF B76821586, granting it a hearing period of ten business days to formulate the allegations and present the evidence that it considers appropriate. In its written allegations it must provide its NIF and the procedure number that appears in the heading of this document.

If within the stipulated period it does not make allegations to this initial agreement, the same may be considered a proposal for a resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, it may recognize its responsibility within the period granted for the formulation of allegations to the present initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be established at 4,000 euros, resolving the procedure with the imposition of this sanction.

Likewise, it may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a 20% reduction in its amount. With the application of this reduction, the penalty would be established at 4,000 euros and its payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with that which corresponds to the recognition of responsibility, provided that this recognition of responsibility is made evident within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were applied, the amount of the penalty would be established at 3,000 euros.

In any case, the effectiveness of either of the two mentioned reductions will be conditioned upon the withdrawal or waiver of any pending administrative action or appeal against the sanction.

In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above, 4,000 euros or 3,000 euros, you must make it effective through deposit into the account with IBAN number: ES00-0000-0000-0000-0000-0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you avail yourself.

Likewise, you must send proof of payment to the General Subdirectorate of Inspection to continue the procedure in accordance with the amount paid.

The procedure will have a maximum duration of nine months counting from the date of the initiation agreement or, where applicable, of the draft initiation agreement. After this period, its expiration will occur and, consequently, the filing of the proceedings, in accordance with the provisions of article 64 of the LOPDGDD.

In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, from now on, the notifications sent to you will be made exclusively electronically, through the Unique Enabled Electronic Address (dehu.redsara.es) and the Electronic Notification Service (notifications.060.es), and that, if you do not access them, their rejection will be recorded in the file, the formality being considered carried out and the procedure continuing. You are informed that you can identify before this Agency an email address to receive the notice that notifications have been made available, and that failure to send this notice will not prevent the notification from being considered fully valid.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

935-110422
Mar España Martí
Director of the Spanish Data Protection Agency

SECOND: On September 22, 2023, SOLAR PROGRESS proceeded to pay the penalty in the amount of 3,200 euros, making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the recognition of responsibility.

It is necessary to highlight that the penalty imposed on SOLAR PROGRESS was 5,000 euros. Applying the two reductions provided for in the Initiation Agreement, the amount of the penalty is 3,000 euros, while SOLAR PROGRESS has paid 3,200 euros.

THIRD: On October 6, 2023, a communication was sent indicating the payment of an amount greater than the fine imposed, and requesting that, so that the General Secretariat could order the return of the excess amount paid (200 euros), the account number into which said return must be made be sent. This notification, which was carried out by telematic means, has not been collected by SOLAR PROGRESS.

FOURTH: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the renunciation of any pending administrative action or appeal against the sanction and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement.

FIFTH: In the initiation agreement transcribed above, it was stated that, if the infringement were confirmed, it could be agreed to impose on the person responsible that, within a period of 1 day, it proceed to delete from the WhatsApp profile photo all information related to the personal data of the complaining party, without prejudice to other measures that could derive from the instruction of the procedure, in accordance with the provisions of the cited article 58.2 d) of the RGPD, according to which each supervisory authority may "order the controller or processor that the processing operations comply with the provisions of this Regulation, where applicable, in a certain way and within a specified period…."

Having recognized responsibility for the infraction, the imposition of the measures included in the Initiation Agreement proceeds.

FOUNDATIONS OF LAW

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures."

II Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender recognizes his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and another of a non-pecuniary nature can be imposed but the inadmissibility of the second has been justified, the voluntary payment by the alleged responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.
The reduction percentage provided for in this section may be increased by regulation."

According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of the procedure against SOLAR PROGRESS, S.L., with NIF B76821586, in accordance with the provisions of article 85 of the LPACAP.

SECOND: ORDER SOLAR PROGRESS, S.L. to notify the Agency, within one month, of the adoption of the measures described in the legal foundations of the Initiation Agreement transcribed in this resolution.

THIRD: REQUEST SOLAR PROGRESS, S.L. to provide, within ten business days, the account number into which to return the 200 euros paid in excess of the sanction with the two applicable reductions, referred to in the background of this resolution.

FOURTH: NOTIFY this resolution to SOLAR PROGRESS, S.L.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

938-250923
Mar España Martí
Director of the Spanish Data Protection Agency