AEPD (Spain) - EXP202310185

From GDPRhub
AEPD - EXP202310185
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 06.06.2023
Decided:
Published: 18.07.2024
Fine: 600 EUR
Parties: n/a
National Case Number/Name: EXP202310185
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a councillor €600 for publishing a data subject's personal data in a Facebook group with 400 people without a legal basis. The personal data was contained in a note of a municipal plenary session handling a complaint by the data subject.

English Summary

Facts

A data subject filed a complaint with his local municipality which was later dismissed. A councillor of the municipality’s town council (the controller) published a note of a municipal plenary session containing the personal data of the data subject and his wife on his personal Facebook profile as well as in a Facebook group of 400 people.

On 6 June 2023, a data subject filed a complaint with the Spanish DPA (AEPD) concerning the publication. The data subject claimed that the controller intended to publicly shame the data subject.

On August 24, 2023, the municipality responded to the complaint by noting that the publication was posted on the personal profile of the controller, not on any account of theirs. Nonetheless, it argued that the personal data in the post is not sensitive and that in any case, it was not possible to omit the data because the decision was directed against the data subject and the session was public. The municipality also mentioned that the data subject had been condemned by town council; in fact, the published note from the municipal plenary session concerned the possibility of criminal proceedings against the data subject and his wife for false accusations. Two weeks later, the controller provided similar arguments to the AEPD. It acknowledged that it posted the document containing personal data on its profile.

Holding

On 28 May 2024, the AEPD initiated sanctioning proceedings against the controller. The AEPD considered that the publication of the name of the data subject and his wife on the controller’s personal profile and in a Facebook group of 400 people consisted of processing of personal data pursuant to the GDPR. The controller did not have a legal basis under Article 6(1) GDPR for this processing.

The AEPD recommended a sanction of €1,000 and instructed the controller to eliminate the published content from his profile and the Facebook group in which he posted it.

Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €600.

Comment

In noting that the posting of the personal data to a personal account and to a group containing 400 people constitutes processing under the GDPR, the AEPD seems to consider that an audience of 400 does not meet the household activity or purely personal exemption from the GDPR pursuant to Article 2(c) GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/11

File No.: EXP202310185

RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY

PAYMENT

From the procedure instructed by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: On May 28, 2024, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against B.B.B. (hereinafter,
the respondent party), through the Agreement transcribed below:

<<

File No.: EXP202310185

AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and

based on the following

FACTS

FIRST: On 06/06/2023, this Agency received a document submitted

by A.A.A. (hereinafter, the complaining party), through which it files a claim
against B.B.B. with NIF ***NIF.1 (hereinafter, the respondent party), for a possible
breach of the provisions of the personal data protection regulations.

The reasons on which the claim is based are the following:

“B.B.B. being aware of a complaint filed and later dismissal of the same and using the position of councilor of the City Council of ***LOCALITY.1,
publishes a note from a municipal plenary session as proven, attaching personal data

of myself and my wife, with the purpose of creating defenselessness and public
lynching since it is not only based on publishing it on his personal profile, but also, he
expands it to a group of 400 people, ***GROUP.1, many of them neighbors of the Municipality, in order to create a damage to the image of both me and my
wife. (…)”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/11

In addition, the respondent distributed this note in a group made up of 400 people,
***GROUP.1, many of them residents of the municipality, with the aim of damaging his
image and that of his wife.

Along with the claim, the following is provided:

 Screenshots of the publication subject to the claim made on
05/26/2023 at 8:10 a.m. on the personal profile of the Facebook social network of

the respondent (B.B.B.) and in the group on that social network “***GROUP.1…”.
Its content states:

“(…).”.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the

Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), on 24 and 26/07/2023, said claim was transferred to the
respondent party and to the City Council of ***LOCALIDAD.1, so that they could proceed with its
analysis and inform this Agency within one month of the actions carried out to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on August 22 and 01, 2023, as stated in the acknowledgment of receipt that is in the file, respectively.

On August 24, 2023, this Agency received a written response from the City Council of ***LOCALIDAD.1 in a timely manner, in which it stated the following:

 Prior nature.

o The claimant has been convicted by final judgments for coercion of (…). In fact, one of the points to be discussed that appear in the published municipal plenary note deals with the possibility of
bringing criminal actions against the claimant and his wife for

false accusations. o The complainant filed a complaint and subsequently filed a complaint
against (…); both cases were dismissed. Furthermore, the complainant published the admission of the complaint on social networks
where the name of (…) appears, and provided it to the media.

o The complainant did not exercise any right in relation to this matter before the City Council of ***LOCALITY.1.

 That the Provincial Office for the Protection of Personal Data of (…)

acts as the Data Protection Officer of the City Council of
***LOCALITY.1.

 That the publication that is the subject of the complaint was published on the personal profile of the

complainant, not on that of the City Council, and that it transcribes a call

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/11

to the Plenary Session where the principle of publicity of the plenary sessions is

set out and specified.

 That the data that appear in the publication are not sensitive, only nominal; its omission is not possible since the proposal for agreement is
addressed to the complainant and the session is public. It mentions the
Seventh Additional Provision of the LOPDGDD.

Along with the document, the following documentation was provided:

 Document No. 1 “***DOCUMENT.1”.
 Document No. 2 “AEPD Resolution”
 Document No. 3 “AEPD Report”:

On 05/09/2023, this Agency received a written response from the respondent party in a timely manner, in which it stated the same as that previously stated by the City Council.

THIRD: On 06/09/2023, in accordance with article 65 of the LOPDGDD,
the claim submitted by the complainant was admitted for processing.

FUNDAMENTALS OF LAW

I
Competence and procedure

In accordance with the powers granted to each supervisory authority by article 58.2 of the GDPR and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
Preliminary questions

Article 4 “Definitions” of the GDPR defines the following terms for the purposes of the

Regulation:

"1) “personal data” means any information relating to an identified or identifiable natural person

(“data subject”); an identifiable natural person shall be any person
whose identity can be determined, directly or indirectly, in particular by reference

to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

“2) “processing” means any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means,
such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”

In the present case, pursuant to Article 4.1 of the GDPR, the display of the name and surname of the complainant and his wife in the publication of the respondent's personal Facebook profile and in the group “***GROUP.1…” constitutes processing of personal data; since it identifies or makes those affected identifiable.

III
Lawfulness of processing personal data

The principles that must govern processing are listed in Article

5 of the GDPR. In this regard, section 1 letter a) states that: “Personal data
shall be:

a) Processed in a lawful, fair and transparent manner in relation to the data subject

(lawfulness, fairness and transparency);

(…)”

The principle of lawfulness is fundamentally regulated in Article 6 of the GDPR. The
cases that allow the processing of personal data to be considered lawful are

listed in Article 6.1 of the GDPR. GDPR:

1. Processing will only be lawful if at least one of the following conditions is met:

a) the data subject has given consent to the processing of his or her personal

data for one or more specific purposes;

a) processing is necessary for the performance of a contract to which the
data subject is a party or in order to take pre-contractual measures at the request of the
data subject;

b) processing is necessary for compliance with a legal obligation to which the
controller is subject;

c) processing is necessary to protect the vital interests of the data subject or of

another natural person;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/11

d) processing is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the
controller;

e) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first paragraph shall not apply to
processing carried out by public authorities in the exercise of their
tasks.”

In this regard, Recital 40 of the GDPR states that “For lawful processing, personal data must be processed with the consent of the
data subject or on another legitimate basis established by law, either
by this Regulation or by virtue of another Union or Member State law to which this Regulation refers, including the need to comply with a
legal obligation applicable to the controller or the need to perform a contract with which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”

In the specific case examined, as indicated, on 05/26/2023 the respondent party published on his personal profile on the social network Facebook (B.B.B.) and in the group “***GROUP.1…” a text with the title “TITLE.1”. The publication contains
data on a complaint filed by the complainant and his wife against (…) the
City Council of ***LOCALITY.1, as well as the names and surnames of these
(A.A.A. and C.C.C.).

In his response to the transfer, the respondent party acknowledged having made the
publication subject to complaint on his personal profile, but that he limited himself to transcribing
a call to a Plenary Session of the City Council of ***LOCALITY.1 without
including sensitive data of the complainant and his wife, only nominal,
and cannot be omitted in order to discuss the matter.

In accordance with Article 6.1 of the GDPR, in addition to consent, there are
other possible bases that legitimize the processing of data without the need for
the authorization of the data subject. In particular, when it is necessary for the execution of
a contract to which the data subject is a party or for the application, at the request of the
data subject, of pre-contractual measures, or when it is necessary for the satisfaction of
legitimate interests pursued by the data controller or by a third party, provided that
such interests are not overridden by the interests or fundamental rights and freedoms of the
data subject that require the protection of such data. Processing is
also considered lawful when it is necessary for compliance with a
legal obligation applicable to the data controller, to protect the
vital interests of the data subject or another natural person or for the performance of a task
carried out in the public interest or in the exercise of official authority conferred on the
data controller.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/11

However, in the present case it is evident that the data processing
carried out by the respondent party is not covered by any of the legal causes
mentioned above.

Consequently, in accordance with the evidence available at this time of the agreement to initiate sanctioning proceedings, and without prejudice to what
results from the investigation, it is considered that the known facts could constitute an infringement, attributable to the respondent party, for violation of
article 6.1 of the GDPR.

IV
Classification and qualification of the infringement of Article 6.1 of the GDPR

If confirmed, the aforementioned infringement of Article 6.1 of the GDPR could entail the
commission of the infringement classified in Article 83.5 of the GDPR, which under the heading
“General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions shall be punishable, in accordance with
paragraph 2, by administrative fines of up to EUR 20 000 000 or,

in the case of an undertaking, an amount equivalent to a maximum of 4% of the
total global annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including the conditions for

consent pursuant to Articles 5, 6, 7 and 9; (…)”

For the purposes of the limitation period, article 72.1 “Infringements considered very serious” of the LOPDGDD indicates:

“1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a
substantial violation of the articles mentioned therein and, in particular, the
following are considered very serious and will be subject to a three-year statute of limitations:

a) (…)

a) The processing of personal data without any of the conditions for the lawfulness of the processing established in article 6 of Regulation (EU)
2016/679; (…)”

V
Proposal for a sanction for the infringement of article 6.1 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in

accordance with the evidence available at the time of the agreement to initiate sanctioning proceedings, and without prejudice to the results of the
instruction, it is considered that the balance of the circumstances contemplated in
article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/11

by violating the provisions of article 6.1 of the GDPR, allows for an initial
administrative fine of €1,000 (one thousand euros) to be set.

VI
Adoption of measures

If the infringement is confirmed, it may be agreed to impose on the controller the adoption of
appropriate measures to adjust its performance to the regulations mentioned in this

act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which
each supervisory authority may “order the controller or processor to comply with the provisions of
this Regulation, where appropriate, in a certain manner and within a specified period…”. The imposition of this measure is compatible with the sanction

consisting of an administrative fine, as provided for in art. 83.2 of the RGPD.

Specifically, the following are proposed as possible measures to be adopted, within 10
business days:

 The elimination of the content published in the private profile of the social

network Facebook of the respondent party (B.B.B.) and in the group “***GROUP.1…” that is the subject of the
complaint.

It is noted that failure to comply with the possible order to adopt measures imposed by
this body in the resolution that ends this procedure may be
considered an administrative violation in accordance with the provisions of the RGPD,

classified as an infraction in its article 83.5 and 83.6, and such conduct may motivate the
opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency,
IT IS AGREED:

FIRST: TO INITIATE SANCTIONING PROCEDURE against B.B.B., with NIF ***NIF.1,
for the alleged violation of article 6.1 of the RGPD, classified in article 83.5.a) of the

RGPD.

SECOND: TO APPOINT D.D.D. as instructor. and, as secretary, to E.E.E.,
indicating that they may be challenged, if applicable, in accordance with the provisions of
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the
Public Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and its documentation, as well as the
documents obtained and generated by the Subdirectorate General of Data Inspection
in the actions prior to the start of this sanctioning procedure.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/11

FOURTH: THAT for the purposes provided for in article 64.2 b) of the LPACAP, the sanction that may apply
would be an ADMINISTRATIVE FINE of 1,000 (one thousand euros),
without prejudice to the results of the investigation.

FIFTH: NOTIFY this agreement to B.B.B., with NIF ***NIF.1, granting him a
hearing period of ten working days to formulate the allegations and present
the evidence he considers appropriate. In his written allegations he must provide
his NIF and the file number that appears in the heading of this
document.

If you do not make any objections to this initiation agreement within the stipulated period, it may be considered a resolution proposal, as established in article 64.2.f) of the LPACAP.

In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your responsibility within the period granted for the formulation of objections to this initiation agreement; which will entail a 20% reduction of the penalty to be imposed in this procedure. With the application of this reduction, the penalty would be set at €800.00 (eight hundred euros), and the procedure will be resolved with the imposition of this penalty.

Likewise, you may, at any time prior to the resolution of this procedure, make the voluntary payment of the proposed penalty, which will entail a 20% reduction of its amount. With the application of this reduction,
the penalty would be set at €800.00 (eight hundred euros), and its payment will imply the

termination of the procedure, without prejudice to the imposition of the corresponding
measures.

The reduction for voluntary payment of the fine can be added to the reduction that must be applied for the recognition of responsibility, provided that this recognition of responsibility is made clear within the period granted to make allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be set at €600.00 (six hundred euros).

In any case, the effectiveness of either of the two reductions mentioned will be subject to the withdrawal or waiver of any action or appeal in administrative proceedings against the fine.

If you choose to make a voluntary payment of any of the amounts

indicated above (€800.00 or €600.00), you must make the payment by
depositing it into the account number IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
XXXXXXXXXXX) opened in the name of the Spanish Data Protection Agency at
the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the

reason for the reduction of the amount to which you are entitled.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/11

You must also send proof of payment to the Subdirectorate General of Inspection
to continue with the procedure in accordance with the amount paid.

The sanctioning procedure will have a maximum duration of twelve months from the date of the
initiation agreement or, where appropriate, the draft initiation agreement.
After this period, the procedure will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
there is no administrative appeal against this act.

935-30102023
Mar España Martí

Director of the Spanish Data Protection Agency

>>

SECOND: On June 4, 2024, the respondent party has proceeded to pay
the penalty in the amount of 600 euros using the two reductions provided
in the Agreement of initiation transcribed above, which implies the recognition of
responsibility.

THIRD: The payment made, within the period granted to formulate allegations at
the opening of the procedure, entails the waiver of any action or appeal in administrative
course against the penalty and the recognition of responsibility in relation to
the facts referred to in the Agreement of Initiation.

FOURTH: The aforementioned initiation agreement indicated that, if the infringement is confirmed, it may be agreed to impose on the controller the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”.

Having recognized the responsibility for the infringement, the imposition of the measures included in the initiation agreement is appropriate.

BASIS OF LAW

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/11

guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures."

II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure

of Public Administrations (hereinafter, LPACAP), under the heading
"Termination of sanctioning procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is of a purely monetary nature or when it is possible to impose a
monetary sanction and another of a non-monetary nature but the
inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of
compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the
body competent to resolve the procedure will apply reductions of at least
20% on the amount of the proposed sanction, these being cumulative with each other.

The aforementioned reductions must be determined in the notification of the initiation
of the procedure and their effectiveness will be conditional on the withdrawal or waiver of
any action or appeal in administrative proceedings against the sanction.

The percentage of reduction provided for in this section may be increased
by regulation.”

In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202310185, in

accordance with the provisions of article 85 of the LPACAP.

SECOND: ORDER B.B.B. to notify the Agency within 10 days from the date this resolution becomes final and enforceable of the adoption of the
measures described in the legal grounds of the initiation Agreement

transcribed in this resolution.

THIRD: NOTIFY this resolution to B.B.B..

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/11

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal

before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the

day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

1259-16012024

Mar España Martí
Director of the Spanish Data Protection Agency

28001 – Madrid 6 sedeagpd.gob.es