AEPD (Spain) - EXP202209511

From GDPRhub
AEPD - PS/00618/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 13 GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Started: 23.08.2022
Decided: 30.08.2023
Published: 31.08.2023
Fine: 1,500 EUR
Parties: n/a
National Case Number/Name: PS/00618/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA fined a resident €1,500 for installing a camera in a common area, without following the mandatory legal requirements to do so, violating Article 6(1) and Article 13 GDPR.

English Summary

Facts

A resident has installed, without the authorization of the Comunidad de Propietarios ("Community of Property Owners"), video surveillance cameras oriented to common areas of said Community/neighborhood, with signs of video surveillance area without information of the data controller, the purpose of the system and the proper address for the exercise of data subject's rights.

Holding

The Spanish DPA highlighted that in order to install cameras in common areas, it is necessary to have the authorization of the Neighbors Council, the request must be presented in the corresponding agenda of the Council's meeting and the approval must follow the terms of the LPH (Horizontal Property Law).

AEPD also stated that cameras installed by private individuals must be oriented towards their private space, avoiding the capture of the private area of third parties.

In its conclusion, AEPD stated that there was no informative poster(s) with an effective address or information identifying the data controller and that in no case shall the use of surveillance practices be allowed beyond the surroundings of the installation and in particular, they may not affect surrounding public spaces, adjacent buildings and vehicles other than those accessing the monitored space.

Security cameras installed in private spaces may not obtain images of public spaces, since the security function of public spaces corresponds exclusively to the State Security Forces and Corps. Likewise, in the case of false cameras, they must be oriented towards a private area to avoid intimidation of adjacent neighbors who do not know whether or not they are processing personal data.

The Spanish DPA fined the resident €1,500 for installing a camera in a common area, without following the mandatory legal requirements to do so, violating Article 6.1 and Article 13 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/7










     File No.: EXP202209511



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                   BACKGROUND

FIRST: A.A.A. (*hereinafter, the complaining party) dated August 23, 2022
filed a claim with the Spanish Data Protection Agency. The claim-

tion is directed against B.B.B. with NIF ***NIF.1 (hereinafter, the claimed part). The
The reasons on which the claim is based are the following:

       “has installed, without authorization from the Community of Owners in which it has
your home, video surveillance cameras aimed at common areas of said Community.
ity, having installed video surveillance zone signs without information on the person in charge.

know about the treatment and the direction to go for the exercise of
rights”—folio nº1--.

Provides images of the location of the cameras at the access door to the home
(Annex I).


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party in faith.
cha 09/14/22 and 10/10/22, to proceed with its analysis and inform this Agency

within one month, of the actions carried out to adapt to the requirements
provided for in the data protection regulations.

       After consulting the database of this Agency, it is clear that the attempt(s) to notify
cation of this organization was returned by the official Post and Telegraph Service
for “Absent in delivery”.


THIRD: On November 15, 2022, in accordance with article 65 of
the LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: On January 17, 2023, the Director of the Spanish Agency for

Data Protection agreed to initiate sanctioning proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (hereinafter
te, LPACAP), for the alleged violation of Article 6.1 and 13 of the RGPD, typified in the
Article 83.5 of the GDPR.


FIFTH: The database of this organization was consulted on April 19, 2023
It is clear that the notification was carried out by the Official Post and Telegraph Service.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/7








on 01/30/23 and a second notification attempt on 01/31/23 leaving
“notice” in the claimant's mailbox.


       Item was published via B.O.E on 02/15/23 in accordance
with article 44 of Law 39/2015 (October 1) as the
postal notification made.

SIXTH: On 02/20/23, a request for collaboration is requested from the Forces and
State Security Corps to travel to the scene of the events, without

that any response has been produced to date.

SEVENTH: On 04/27/23, <Proposal for Resolution> is issued through the
which confirms the presence of a camera in a community area without having a sign
informative, which justifies the proposal of a penalty of €1,500 (€1,000+€500) for the

violation of articles 6 and 13 GDPR.

EIGHTH: On 05/26/23, the associated proposal is published in the B.O.E.
to PS/00618/22 after postal notification to the associated address was unsuccessful
to the investigated (responsible).


Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:

                                 PROVEN FACTS


First. The facts give rise to the claim dated 08/23/22 through the
which transfers the following facts:

       “has installed, without authorization from the Community of Owners in which it has
your home, video surveillance cameras aimed at common areas of said Community.

ity, having installed video surveillance zone signs without information on the person in charge.
know about the treatment and the direction to go for the exercise of
rights”—folio nº1--.

Second. B.B.B. is accredited as the main person responsible. with NIF ***NIF.1.


Third. The presence of video surveillance cameras installed in
community area without informing the person responsible for processing the data or the final
ity of the system.

Room. There is no evidence that the defendant has proceeded to inform the governing bodies

of the Community of owners, nor has it proceeded to place an informative badge.
I command that it is a video-surveillance area.







                           FOUNDATIONS OF LAW

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/7









                                            Yo


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (Re-
General Data Protection Regulation, hereinafter RGPD), grants each authorization
control and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed
ted by the Spanish Data Protection Agency will be governed by the provisions of
Regulation (EU) 2016/679, in this organic law, by the regulatory provisions-
dictated in its development and, insofar as they do not contradict them, with a sub-

subsidiary, by the general rules on administrative procedures."

                                            II

In the present case, we proceed to examine the claim that is being transferred to this
Agency through which the presence of a video surveillance camera is communicated

in common areas, affecting the rights of third parties without authorization from the board of
owners.

       To install cameras in common areas, authorization from the Board is required.
of neighbors of the property, and must request it in the corresponding order of the

day, and must in all cases be approved in the terms of the LPH (Property Law).
Horizontal).

Individuals are responsible for ensuring that the video surveillance systems installed are
comply with current legislation, and must be able to prove such extremes.

before the competent authority.

Cameras installed by individuals must be oriented towards their private space.
vative avoiding the capture of third parties' private area without justified cause.

In no case will the use of surveillance practices beyond the target environment be permitted.

of the installation and in particular, not being able to affect the surrounding public spaces.
dantes, adjacent buildings and vehicles other than those that access the monitored space.

Security cameras installed in private spaces will not be able to obtain images.
tions of public spaces, the security function of public spaces corresponding

It exclusively applies to the State Security Forces and Bodies.

       Likewise, in the case of false cameras, they must be oriented
towards the private area, avoiding intimidation to the neighboring neighbors who do not know
They do not know whether or not they process personal data.


       Fake cameras can also affect personal privacy.
sonal of the claimed, in such a way that it is a criterion maintained by this Agency that
They limit their radius of action (orientation) towards the private area, respecting the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/7








tranquility of the private life of the affected person, who does not have to know the nature-
of the system, but also cannot bear to be intimidated by it in its sphere
personal and/or domestic.


       Remember that there are less invasive measures for the protection of property.
privacy, such as alarm systems or interior cameras, avoiding the
use of this type of cameras in outdoor areas that affect neighbor coexistence.
nal.


                                            III

In accordance with the evidence provided in this document,
sanctioning procedure, it is considered that the claimed party has proceeded to install
a camera on the common wall affecting the common area, without having the backup

necessary for this in the terms set forth.

       The evidence provided allows us to verify the irregularities described in the
claim, as well as the obvious misorientation of the device that affects areas
common and with them to the data of third parties without justified cause.


       The known facts constitute an infringement, attributable to the party
claimed, for violation of the content of article 6.1 letter e) RGPD.

       e) the processing is necessary for the fulfillment of a mission carried out in
public interest or in the exercise of public powers conferred on the person responsible for the

treatment (…).

       Article 72.1 letter b) LOPDGDD (LO 3/2018), “Based on what is established-
ce article 83.5 of Regulation (EU) 2016/679 are considered very serious and prescribed.
Infractions that involve a substantial violation of the rights of the

articles mentioned in that and, in particular, the following:

       b) The processing of personal data without any of the conditions concurring.
ns of legality of the treatment established in article 6 of the Regulation (EU)
2016/679.


                                               IV

       The claim reflects the claimant's statement of absence of
information on the information sign that indicates the purpose of the “treatment” or the
responsible for the same for the appropriate legal purposes.


       “The duty of information provided for in article 12 of the Regulation (EU)
2016/679 will be understood to be fulfilled through the placement of an information device.
in a sufficiently visible place identifying, at least, the existence of the treatment.
to, the identity of the person responsible and the possibility of exercising the rights provided for in

Articles 15 to 22 of Regulation (EU) 2016/679.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/7








       A connection code or code may also be included in the information device.
Internet address to this information” (*bold belongs to this organization)—art.
22 section 4 of the LOPDGDD--.


       The events described above imply an impact on the content of the
article 13 RGPD, lacking informative sign(s) with an effective address to the
that, where appropriate, be able to address or indicate, where appropriate, the main person responsible for the treatment.
ment of the data.


        Article 13 GDPR “Information that must be provided when the data per-
“sonals are obtained from the interested party.”

       1. When personal data relating to him or her is obtained from an interested party, the res-
responsible for the treatment, at the time these are obtained, will provide you with all the

information indicated below: a) the identity and contact details of the person responsible
sable and, where appropriate, his representative; b) the contact details of the product representative
data protection, if applicable; c) the purposes of the processing for which the data are intended
personal and the legal basis of the treatment (…).

       Article 72 section 1 of the LOPDGDD (LO 3/2018, December 5) in relation to

tion to the limitation period for very serious infractions “the three
years” and in particular the following:

       h) The omission of the duty to inform the affected person about the treatment of their
personal data in accordance with the provisions of articles 13 and 14 of the Regulation

(EU) 2016/679 and 12 of this organic law.

                                                V

       The art. 83.5 GDPR provides the following: “Violation of the provisions

following will be sanctioned, in accordance with section 2, with administrative fines
of a maximum of EUR 20 000 000 or, in the case of a company, an equivalent amount.
valued at a maximum of 4% of the total global annual turnover of the financial year.
previous financial statement, opting for the highest amount:

       a) the basic principles for the treatment, including the conditions for the

           consent under articles 5, 6, 7 and 9;
       b) the rights of the interested parties under articles 12 to 22 (..).

In the present case, it is taken into account when motivating the sanction that it is
a particular, although the events must be classified as serious, as they affect communal areas.

disproportionately and ignoring the recommendations
of the governing bodies of the Community of owners, which justifies a sanction
tion of €1,500, for the violation of article 6 RGPD (€1,000) and 13 of the RGPD (€500), upon
be considered the conduct as gross negligence, a sanction located on the
rior for this type of behavior.


                                            SAW



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/7








The text of the resolution establishes what infractions have been committed and
the events that have given rise to the violation of the data protection regulations
cough, from which it is clearly inferred what measures to adopt, without prejudice to

that the type of procedures, mechanisms or specific instruments to implement
tarlas corresponds to the sanctioned party, since it is the person responsible for the treatment who
knows its organization fully and must decide, based on the responsibility
active and risk-focused, how to comply with the RGPD and the LOPDGDD.

It is warned that failure to comply with the possible order to adopt measures imposed by

this body in the sanctioning resolution may be considered as an infraction.
administrative action in accordance with the provisions of the RGPD, classified as an infraction in
its article 83.5 and 83.6, such conduct may motivate the opening of a subsequent procedure.
administrative sanctioning order.


Therefore, in accordance with the applicable legislation and evaluated the graduation criteria
tion of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for a violation of Article 6.1 and

another of article 13 of the RGPD, typified in Article 83.5 letters a) and b) of the RGPD,
a fine of €1,500 (€1,000+€500).

SECOND: ORDER the defendant so that within a period of 15 business days from
from the following to the notification of this act:


       -Remove the data collection device(s) from its current location.
images of community area.

       -Proceed to provide a photograph (date and time) of the before and after that proves

uninstalling the system.

THIRD: NOTIFY this resolution to B.B.B..

FOURTH: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the

art. 98.1.b) of Law 39/2015, of October 1, of the Administrative Procedure
of the Public Administrations (hereinafter LPACAP), within the voluntary payment period.
lunary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number

of procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXX-
XX), opened in the name of the Spanish Data Protection Agency in the entity
bank CAIXABANK, S.A.. Otherwise, it will be collected in person.
executive river.


Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the period to make the voluntary payment
voluntary will be until the 20th of the following month or immediately following business month, and if

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/7








falls between the 16th and last day of each month, both inclusive, the payment period is
until the 5th of the second following or immediately following business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the inter-
rescheduled may optionally file an appeal for reconsideration before the Director
of the Spanish Data Protection Agency within a period of one month from
the day following notification of this resolution or directly contentious appeal

administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision
final fourth of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-
administrative, within a period of two months counting from the day following the notification.

tion of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party
do expresses his intention to file a contentious-administrative appeal. If so-

If applicable, the interested party must formally communicate this fact in writing.
addressed to the Spanish Data Protection Agency, presenting it through the Re-
Electronic register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to
through one of the remaining records provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also transfer the documentation to the Agency

that proves the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious-administrative appeal
treatment within a period of two months from the day following notification of this
resolution, would end the precautionary suspension.



                                                                                   938-181022
Sea Spain Martí
Director of the Spanish Data Protection Agency





















C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es