AEPD (Spain) - PS/00043/2021
AEPD (Spain) - PS/00043/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 58(2) GDPR Article 83(2) GDPR Article 83(5) GDPR Article 65, LOPDGDD Articles 47, 48(1) LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 500 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00043/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Jennifer Vidal Ferreira |
The Spanish DPA issued a fine of €500 against an association of property owners for violating Article 5(1)(f) GDPR by posting the personal data of its members, including their debtor status, on a residential building's display board.
English Summary
Facts
A data subject lodged a complaint with the Spanish DPA (AEPD) claiming that the home owner association of the residential blocks where he resides had disclosed the personal data of all its members on display boards placed on the ground portal of the three buildings included in the community. The information sheet on the display board contained the data subjects' name and surname, as well as apartment details (building, floor, and apartment number) and their condition as debtors or non-debtors. Because of the fact that the display boards were located on the ground floor portal of the buildings, the data subject argued that his personal data was exposed to third parties who might not be members of the residential community and the home owner association.
The association initially claimed that the disclosure of this information within the community was not subject to data protection laws, and that placing the information on the display board was a decision taken by the owner assembly, and hence with the association members' consent. However, once the AEPD initiated the proceedings, the association changed its stance and acknowledged that placing the information on the display boards was in breach of GDPR, and that the information had been displayed in this way as an exceptional measure to provide relevant information normally disclosed in their regular association meetings, which had been cancelled due to the COVID-19 pandemic.
Additionally, the association stated that it had not only taken down the information sheet from the display boards, but that it had also personally apologised to the data subject through a representative, informing him that they had not acted in bad faith or with any intent to damage his reputation.
Holding
The AEPD held that the home owner association had violated the principle of integrity and confidentiality under Article 5(1)(f) GDPR, and issued a fine of €500 euros. When determining the sum of the fine, the AEPD took into consideration as mitigating factors: the fact that the association had not committed any previous GDPR violations; that it had remedied the situation by taking down the information sheet from the display board; that it had given the data subject ample explanations and apologies; and lastly, that the breach occurred due to exceptional circumstances.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 File No.: PS/00043/2021 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: D.A.A.A. (hereinafter, the claimant) dated September 1, 2020 filed a claim with the Spanish Data Protection Agency. The claim is directed against the OWNERS COMMUNITY ***ADDRESS.1, with CIF *** CIF.1 (hereinafter, the claimed one). The reasons on which the claim is based are that it has proceeded, by the Presidency of the Community of Owners, to be placed on the bulletin boards a list of debtor owners, including the claimant. Specifically, the first on the list. The reason for its publication is discretionary, because it does not obey any Assembly call, nor any publication of any past Assembly Minutes. The Community of Owners consists of three blocks, with their respective boards of advertisements. These publications have been in the 3 boards of the community. The location of the respective bulletin boards is inside the portals, all boards are locked and exposed to third party viewing people outside this community. Along with the claim, it provides a photograph of the community bulletin board, with the lists of owners of all the blocks (debtors and non-debtors) in which consists of name and surnames, block, floor and letter. It also provides other photographs in the It can be seen that the bulletin board is located on the ground floor, which would correspond to the portal of the building. SECOND: In view of the facts denounced in the claim and the documents provided by the claimant, the claim was transferred to the claimant, the October 7, 2020 (repeated on October 19, 2020), requiring you to: "Within a maximum period of one month, from the receipt of this letter, you must analyze the claim and send this Agency the following information: The decision made regarding this claim. In the event of exercising the rights regulated in articles 15 to 22 of the RGPD, accreditation of the response provided to the claimant. Report on the causes that have motivated the incidence that has originated the claim. Report on the measures adopted to prevent incidents from occurring similar, dates of implementation and controls carried out to verify their effectiveness. Any other that you consider relevant.” In response to the aforementioned request, the Administrator of the Community of Owners states that "... we consider that, in general, the publication C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/7 on the notice board of the community of a list of owners that is not are up to date in payment of their fees is not covered by the regulations of Data Protection." “That, on August 12, 2020, a letter was sent to all the owners of this Community where they were informed: “Due to the situation created by the pandemic of COVID-19 we have not been able to convene the ordinary meeting in order to present annual accounts, renewal of charges, pending issues, etc. However we have decided, for the purposes of greater information of the owners, to publish the accounts for the entire year 2019, and from January to July 2020, and leave the other Topics for a next regular meeting.” “That, in accordance with the provisions of the Horizontal Property Law, public, in those annual accounts, the identity of the debtors and their debts with the community, allowing this same Law to be published on the Notice Board of community, (….). However, the aforementioned publication has been made in compliance with an express agreement adopted by the Board of Owners, so We humbly believe that we will find ourselves before a transfer of data with prior consent of the interested parties, which in principle would not violate the regulations on the protection of personal data.” The Administrator of the Community of Owners provides a copy of the letter that says having sent to all the owners, without it being indicated that the posting on the Community Notice Board is to be made in compliance with an express agreement of the Board of Owners. This letter is signed by the Administrator, although the names of the President and of the two vowels, one from block 3-4 and another from block 6-7, but not a vowel from block 5. On the other hand, although the letter is dated August 12, 2020, the signature of the Administrator in said letter is dated November 9, 2020, a date that coincides with the signature of the response to the request of this Agency. THIRD: On February 1, 2021, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed admit for processing the claim filed by the claimant against the entity claimed. FOURTH: On June 11, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed entity, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (in hereinafter, LPACAP), for the alleged infringement of article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD. FIFTH: Having been notified of the aforementioned initiation agreement, the entity claimed submitted a written of allegations in which, in summary, it stated that it expressly recognizes that the established legal precepts have been infringed, but without any intention of cause damage to the owner, to the claimant. The community never wanted damage the honor or acted with intent towards the claimant, proof of this is that the administrator and representative of the community, contacted him and gave him all possible explanations, in addition to personally apologizing, explained that the facts that he mentioned in his claim in no case existed bad faith on the part of the community and that in future calls the community will publicly retract such non-compliance, non-compliance that is derived from C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/7 an exceptional situation due to the impossibility of holding the ordinary meeting scheduled. It has ordered that the listings subject to the claim, as evidenced in the attached document (Photographs of the planks). SIXTH: On January 19, 2022, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency sanction to the OWNERS COMMUNITY ***ADDRESS.1, with CIF ***CIF.1, for a infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, with a fine of FIVE HUNDRED € (500 euros). SEVENTH: On January 30, 2022, ten calendar days after the made available to the notification, without the claimed party having agreed to its content, is understood to be rejected, in accordance with article 43.2 of the LPACAP. Of the actions carried out in this procedure and the documentation in the file, the following have been accredited: ACTS FIRST: The Presidency of the Community of Owners, to post on the bulletin boards a list of debtor owners, among which is the complaining party (the first on the list), and non-debtors. The Community of Owners consists of three blocks, with their respective boards of advertisements. These publications have been in the 3 boards of the community. The location of the respective bulletin boards is inside the portals, all boards are locked and exposed to third party viewing people outside this community. In the lists of owners of all the blocks (debtors and non-debtors) includes name and surname, block, floor and letter. The notice board is located on the ground floor, which would correspond to the portal of the building. SECOND: The claimed entity expressly acknowledges that the established legal precepts, but without any intention of causing damage to the owner, to the claimant. The community at no time wanted to harm the honor or acted with intent towards the claimant, proof of this is that the administrator and representative of the community, contacted him and gave him all possible explanations, in addition to personally apologizing, explained that the facts that he mentioned in his claim in no case existed bad faith on the part of the community and that in future calls the community will publicly retract such non-compliance, non-compliance that is derived from an exceptional situation due to the impossibility of holding the ordinary meeting scheduled. It has ordered that the listings subject to the claim, as evidenced in the attached document (Photographs of the planks). FOUNDATIONS OF LAW I In accordance with the powers that article 58.2 of (EU) 2016/679 (Regulation General Data Protection, hereinafter RGPD), grants each authority of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/7 control and according to the provisions of articles 47 and 48.1 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II In accordance with the evidence available at the present time of the sanctioning procedure, it is considered that the proven facts constitute of infraction. The defendant is accused of committing an infraction for violation of the Article 5.1.f) of the RGPD, which states that: "one. The personal data will be: “f) processed in such a way as to guarantee adequate security of the data including protection against unauthorized or unlawful processing and against your transcript. The infringement is typified in Article 83.5.a) of the RGPD, which considers as such: “the basic principles for treatment, including the conditions for the consent under articles 5, 6, 7 and 9”. III This infraction can be sanctioned with a maximum fine of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the of greater amount, in accordance with article 83.5 of the RGPD. In this sense, the actions taken by the claimed party are relevant. upon learning of the claim of which it was informed by this AEPD and the measures adopted, having to report on them within the procedure, being able to in the resolution, adopt the appropriate ones for its adjustment to the regulations. IV Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD: 2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question, as well such as the number of interested parties affected and the level of damages that have suffered; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/7 b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what extent; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or mechanisms of certification approved in accordance with article 42, k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” v In accordance with the precepts transcribed, in order to set the amount of the penalty for infringement of article 5.1 f) to the claimed party, as responsible for the aforementioned infringement typified in article 83.5 of the RGPD, and estimated the allegations filed by the respondent, due to the circumstances of the case, it is appropriate to graduate the fine taking into account the following mitigating factors: . Non-existence of antecedents. . Recognition of the infraction, which has been remedied in its entirety once received the agreement to start this procedure, deleting all the data bulletin board staff. . Compliance with the measures imposed in the Start Agreement, by the person in charge or in charge of the treatment, so that the treatment operations are adjusted to the GDPR provisions. . Measures taken to mitigate damages and losses suffered: the administrator and representative of the community, contacted the complaining party and gave him all possible explanations, in addition to personally apologizing, explained that the facts that he mentioned in his claim in no case existed bad faith on the part of the community and that in future calls the community will retract such non-compliance publicly. . The breach is derived from an exceptional situation due to the impossibility of carry out the regular scheduled meeting of the Community of Owners. Considering the exposed factors, the valuation that reaches the amount of the fine is €500 for violation of article 5.1 f) of the RGPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/7 Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE the OWNERS COMMUNITY *** ADDRESS.1, with CIF *** CIF.1, for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a fine of €500 (FIVE HUNDRED euros). SECOND: NOTIFY this resolution to the OWNERS COMMUNITY ***ADDRESS 1. THIRD: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/7 Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-270122 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es