AEPD (Spain) - PS/00050/2020

From GDPRhub
AEPD - PS/00050/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.12.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: PS/00050/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

An natural person received a warning from the Spanish DPA (AEPD) for tweeting a photo of a bill where the name, surname, fiscal ID and bank account of a restaurant owner was visible. This constituted a breach of Article 5(1)(a) GDPR.

English Summary

Facts

The owner of a restaurant lodge a complaint with the Spanish DPA (AEPD) against another natural person that had published a tweet with a picture of a bill from that restaurant which included name, surname, fiscal ID and bank account number of the restaurant owner. This was in connection with a political discussion about the expenses of a political party when in power of the city administration.

The person that posted the tweet argued that it was not the intention to unlawfully publish personal data but that the purpose was to showcase the expenses of the political party in the restaurant owned by the complainant and that this information is of public and political interest. He also argued that most of the data showed in the photo of the tweet was of public domain as the same data could be obtained from other public sources of information such as public procurement procedures that the owner of the restaurant had obtained.

The Spanish DPA argued that even if the tweet with the attached photo might have some public interest for political debate, the photo still included personal data of a natural person that was not relevant for the debate. And also that some of the personal data (namely the bank account) was not an information that was available in other public sources.

Dispute

Is publishing a photo that includes personal data of a restaurant owner lawful in line of Article 5(1)(a) GDPR?

Holding

The Spanish DPA concluded that there has been a breach of Article 5(1)(a) GDPR because the uploading of such personal data was not lawful, as it was not based on any lawful legal basis.

Given that the offender was an physical person that does not process personal data on regular basis and that he had no previous convictions or any record of infractions related to data protection, the Spanish DPA decided to just issue a warning and request the removal of the tweet.

Comment

This is an interesting decision because there are several issues that are slightly sketched but not thoroughly discussed by the Spanish DPA.

One of them is the application of Article 19 of the new Spanish Data Protection Law (LOPDGDD). This article says that contact data of a natural person when acting on behalf of or representing a legal person, are presumed to be processed under the legal basis of "legitimate interest", only as far as the purpose of the processing is to establish and keep communication with such legal person. However, in this case, the Spanish DPA considers that this article is not applicable as the purpose condition is not met in this case.

Furthermore, although not discussed in the decision, there could be also an issue of processing special categories of personal data of Article 9 GDPR of the restaurant owner. The tweet with the picture and other tweets of the debate pointed that the restaurant owner was a supporter of the political party that was under discussion. However, the restaurant owner does not make any claim on that regard and the Spanish DPA does not mention it either.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/10










     Procedure No.: PS / 00050/2020


               RESOLUTION OF SANCTIONING PROCEDURE

       Of the procedure instructed by the Spanish Agency for Data Protection and
based on the following


                                  BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) on 11/5/2019 filed
claim before the Spanish Data Protection Agency against B.B.B. with NIF
*** NIF. 1 (hereinafter, the claimed one).



       The claimant states that on 10/12/2019 at 9:02 p.m., from the account of the
social network *** ACCOUNT.1, belonging to B.B.B. (claimed) XXXXXXXX in the city
autonomous of *** LOCALIDAD.1, published two messages accompanied by a photograph

that showed an invoice issued by the premises of his property, restaurant
*** RESTAURANT. 1, which also contained name and surname, NIF number
and bank account number.

       Provides an impression of the tweet in which the one claimed under the heading B.B.B. in

response to C.C.C., PP *** LOCALIDAD.1 and *** ACCOUNT.2, titled “without a doubt
celebrations in *** RESTAURANT. 1 at the expense of the public treasury to the PP nobody
improvement, your invoices will already be made public, at € 45 per cover, since that
celebrations no one like the PP ”and you see the INVOICE document, with the data
CLIENT "Presidency-General Directorate Council" "in description of the UNED 14 dinner
diners "," unit price 45 euros "and a full bank account is listed in the

lower left, and in the upper the data of *** RESTAURANT. 1, address
and NIF.

       The tweet is recorded in the Inspection access procedure of 12/2/2019.
The date of the invoice, 05/02/2019, and the NIF associated with the claimant, with the

Property name. Under the invoice is 12/10/2019, 12:02. They consist
response comments addressed to the respondent. No reference to participation
of the claimant in the text messages related to said tweet.

SECOND: In view of the facts reported in the claim and the

documents provided by the claimant, on 12/11/2019 the
claim from the defendant, and information was requested, specifically the causes that
motivated the claim, the decision adopted, the measures to be adopted to
avoid similar incidents and any other issue you consider.

       The defendant, dated 01/21/2020, states that “there was no will to

disseminate the personal data of the complainant, as it is not noticed that in the image
hung they could be observed, because the same day another message was broadcast
on several minor contracts awarded to the one who did not present this incident ”.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10








       It states that the presentation of the claimant's data responds to a debate
administrative policy raised in *** LOCALIDAD.1 in relation to “the contracting
minor by the Autonomous City "and," especially to payments made in favor of the
owner of the establishment of "*** RESTAURANTE.1", complainant. States that
the claimant is a prominent supporter of the Popular Party, and his place is a place

of meeting and leisure of the militants and political positions of said formation.

       Provide a copy of a tweet dated 06/15/2019 from the former president, Mr. D.D.D., who
as stated, "the same day of the Constitution of the autonomous government
made up of the tripartite PSOE, CITIZENS, COALITION FOR
*** LOCALIDAD.1 that displaces him from power, used the social network Twitter ”with the

content: “from *** RESTAURANT.1 from *** LOCALIDAD.1 I hug everyone
voters of the PP for winning the elections although there are unscrupulous traitors who
they twist democracy ”.

       Also, in the digital newspaper “*** DIARIO.1”, the *** DATE.1 is published, a

report on the economic-political relationship of the claimant and the previous government
local, in which, among other things, the relationship between
"*** RESTAURANTE.1" and the members of the Popular Party. In the news is
relates the claimant's daughter, an artist who participated in a television event, to
identifies, with his father, not with name and surname, and mentions the tavern as a place
close to the headquarters of the PP and where sponsored events or

promoted by people of this political tendency.

       It states that the information disclosed about the owner of
"*** RESTAURANTE.1" responds to a justified public and political interest, and also,
“It has been taken from publicly accessible sources such as the Yellow Pages, which lists
hospitality with its owner, as well as in the profile of the city contractor

of *** LOCALIDAD.1 where contracts have been published on various occasions
minors granted or in official gazettes of *** LOCALIDAD.1, including the
data of name and surname and NIF as beneficiary of subsidies. "

       The exposed data is of a business nature, and is contained in a document
commercial, and “of public, social and political interest”. It refers to article 2.3 of the RD

1720/2007 of 12/21, approving the regulations for the development of the Law
Organic 15/1999 of 12/13 of Protection of Personal Data, which indicates
that “the data relating to individual entrepreneurs, when they refer to them
In their capacity as merchants, shipping industrialists, they will also be understood to be excluded
of the application regime of the Protection of Personal Data. "


THIRD: On 02/04/2020 the claim was admitted for processing.

FOURTH: On 03/30/2020, the Director of the AEPD agrees:

       "INITIATE SANCTIONING PROCEDURE of APERCIBIMENTO to B.B.B.,

with NIF *** NIF.1, for the alleged violation of article 5.1.a) of the RGPD, in accordance with
Article 83.5.a) and 58.2.b) and d) of the aforementioned RGPD. "

       No allegations were received.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/10










                                PROVEN FACTS



    1) The claimant files a claim against the defendant for tweeting
       from "*** ACCOUNT.1" your personal data of NIF, name and surname,
       related to the establishment he runs, "*** RESTAURANTE.1" and the
       bank account number of your ownership.


    2) The personal data appear on an invoice that the claimed photograph and
       exposes in the tweet.

    3) In the tweet, under the heading B.B.B., in response to C.C.C., PP *** LOCALIDAD.1 and
       *** ACCOUNT.2, titled: “no doubt about celebrations in *** RESTAURANT.1 a

       cost of the public purse to the PP nobody improves him, his
       invoices, at € 45 the cover, because that of celebrations nobody like the PP ”and
       see the document, invoice, with the client data "Presidency Council-
       Directorate General ”“ in description: UNED dinner 14 people ”,“ price
       45 euros unit ”and can be seen in the lower left, the full digits

       from a bank account. At the top the data of
       *** RESTAURANT. 1, address and NIF, with the name and surname of your
       headline.



    4) In the inspection procedure of 12/2/2010, it is verified that the tweet exists, it is
       see the date of the invoice, 05/02/2019, and under the invoice photo you can see
       10/12/2019, 12:02. They consist of response comments addressed to the respondent.
       There is no reference to the complainant's participation in the aforementioned tweet.

    5) In the tweet posted by the claimant, nothing is indicated of the payments obtained by

       the claimant, awarded contracts etc. Although the defendant indicates that with
       exposition, wanted to signify the contracts awarded to the claimant,
       making it necessary to have the photograph containing the invoice in which the
       had the aforementioned food and claimant data, which is also

       sympathizer of the PP, his establishment being a meeting place for militants
       tes and political positions of said political formation.


                           FOUNDATIONS OF LAW

                                           I


       By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the
European Parliament and of the Council, of 04/27/2016, regarding the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data (hereinafter, RGPD); recognizes each authority of

control, and as established in articles 47 and 48 of Organic Law 3/2018, of
5/12, Protection of Personal Data and guarantee of digital rights (as


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/10








successive LOPDGDD), the Director of the Spanish Agency for Data Protection is
competent to initiate and resolve this procedure.


                                             II

        The RGPD defines in its article 4:

1) "personal data": any information about an identified natural person or
identifiable ("the interested party"); an identifiable natural person shall be considered any person
whose identity can be determined, directly or indirectly, in particular by means of
an identifier, such as a name, an identification number, data from

location, an online identifier or one or more elements of the identity
physical, physiological, genetic, psychic, economic, cultural or social of said person; "

  2) "treatment": any operation or set of operations carried out on
personal data or sets of personal data, whether by procedures
automated or not, such as collection, registration, organization, structuring,

conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction;

  4) "file": any structured set of personal data, accessible in accordance with
  to certain criteria, whether centralized, decentralized or distributed in a

  functional or geographic;

  7) "data controller" or "controller": the natural or legal person,
public authority, service or other body that, alone or together with others, determines the
purposes and means of treatment; whether the law of the Union or of the Member States

determines the purposes and means of the treatment, the person responsible for the treatment or
Specific criteria for their appointment may be established by Union law
or from the Member States;


        Both on the date of issuance of the invoice, 5/2019, and that of the exhibition,
October of the same year, the RGPD is in force. The LOPDGDD establishes in its dis-
Unique repeal position: "Normative repeal":

  1. Without prejudice to the provisions of the fourteenth additional provision and the
Fourth transitory provision, Organic Law 15/1999, of December 13, is repealed.

December, Protection of Personal Data.

  2. Royal Decree-Law 5/2018, of July 27, on urgent measures is hereby repealed
for the adaptation of Spanish law to the regulations of the European Union in
data protection matters.


  3. Likewise, any provisions of equal or lower rank are repealed
contradict, oppose, or are incompatible with the provisions of the Regulation
(EU) 2016/679 and in this organic law. "




   The RGPD indicates in its article 2:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/10








   "1. This Regulation applies to the treatment totally or partially
  automated personal data, as well as the non-automated processing of
  personal data contained or intended to be included in a file.


  2. This Regulation does not apply to the processing of personal data:

  a) in the exercise of an activity not included in the scope of the
Union law;

  b) by Member States when carrying out activities

included in the scope of application of Chapter 2 of Title V of the TEU;

  c) carried out by a natural person in the exercise of activities exclusively
personal or domestic;

  d) by the competent authorities for the purposes of prevention, investigation,

detection or prosecution of criminal offenses, or execution of sanctions
criminal offenses, including protection against threats to public safety and
prevention.




  The LOPDGDD in its article 2.2 indicates:

  "two. This organic law will not apply:

  a) To the treatments excluded from the scope of application of the General Regulation of
data protection by its article 2.2, without prejudice to the provisions of sections 3

and 4 of this article. "

       And in article 19: ”Treatment of contact data of individual businessmen

dual and liberal professionals ”:

  1. Unless proven otherwise, it shall be presumed covered by the provisions of article
6.1.f) of Regulation (EU) 2016/679 the treatment of contact data and in its
case those related to the function or position held by natural persons who
provide services in a legal entity provided that the following are met
requirements:


  a) That the treatment refers only to the data necessary for its
professional localization.

  b) That the purpose of the treatment is solely to maintain relationships of any
nature with the legal person in which the affected person provides their services.


  2. The same presumption will operate for the treatment of data related to
sole proprietorships and liberal professionals, when referred to
only in that condition and are not tried to establish a relationship with the
themselves as natural persons.


  3. Those responsible or in charge of the treatment referred to in the article
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/10








77.1 of this organic law may also process the data mentioned in the two
previous sections when this is derived from a legal obligation or is necessary
for the exercise of its powers. "


       About the claimant's data, which are additionally found in the
invoice, it is not relevant in this case and context, the use of these data as a person
legal, no activity is commented on as a contractor, but as a reference
identifying as a person of the establishment. In addition, its owner is identified not
only with the name, but the NIf and the bank account are added, and they are used to

relate to people belonging to the PP environment in *** LOCALIDAD.1,
as the claimant means, that is, as a way of identifying the owner
establishment, center where people who feel related to the
popular party attended and held various events. The claimant is a
secondary in the exposition of the facts, insofar as the protagonists are the
group that attended the celebration or meal, on which the opinion is expressed by the

reclaimed. Freedom of expression is manifested in this regard, being able to
add that *** RESTAURANT.1 or its headline is akin to the party's ideas, but not
violating the right of the owner of the data that by the fact of being the owner of the
establishment, has to sacrifice their personal data, so that the claimed
reveal. One of the limits to the aforementioned right is respect for rights

fundamental, and in this case, the protagonist was not the claimant, being the only
that is fully identified through a data set, when not even
participate in the tweet.

       The tweet is used as a criticism of public spending, being the owner of the
establishment also related to said group, and according to the complainant, it was necessary

know their identity, even if they did not participate in the aforementioned tweet.



       There is no doubt that the reference to public spending by a political group is
of interest, but if fully identifying data is included, not only name and

surnames, but NIF and bank account of someone who does not participate in said event, but
who is responsible for the establishment, no matter how closely related to the political ideas
In other words, the objective of expressing itself conflicts with the ownership of personal data,
those that govern some basic principles. Said data in this case and context is
considered included within the scope of application of the protection regulations of

data.

                                           III

       The document presented by the claimant certifies that the defendant carries out
a data processing by exposing on the social network an invoice with data from the

claimant in which their personal data is contained, listing local, NIF
issuer of the invoice and bank account, in order to state that said meal is
went to the treasury. The origin, title and reason why the
claimed has said document and the competence purpose attributed in the
handling of the same in relation to its private use on your Twitter. The fact of including the

invoice, without realizing it, even if it had been done without bad faith, including
data, reveals a lack of diligence in the elements that are exposed in the social network.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10










        It does not follow that for the knowledge of third parties through the
social network of the expenses of a group of people related to a match, which was

the literal of the expression expressed in the tweet, the personal data must be given
full details of the issuer of the invoice, and the complete bank account. This does not participate in
food, is not relevant compared to the group, and it does not seem that
even if there is interest in informing that its owner is a sympathizer, it must be identified
with said data, with the own repercussion that the treatment carried out may have

out on social media.

        The claimed, in a private capacity, with his name and surname on Twitter, expresses
their opinions, and identifies the data of the claimant. In the use of the data, you must
concur with any legitimate basis provided for in article 6.1 of the RGPD. The right
fundamental of the claimant, that their data is not used in social networks,

prevails when what it is about is to comment on a meal of a PP group
that goes to the treasury, or that they meet very often in that place, without it being necessary
in addition, express and graphically expose the claimant's data in the photograph,
also, owner of the establishment.

        The aforementioned statement in relation to the intention of the news does not add or is

of interest or relevant for the data to appear in the photograph, not being adequate,
necessary or justified, and if, on the contrary invasive as to are provided in addition,
financial data such as the bank account, the NIF and the name and surname,
with the associated risks that it may entail.


        It is considered that in front of its nominal quote and the object of the comment, it does not add
nothing significant the fact of knowing your identity, the NIF and the bank account that you
make identified or identifiable without problems, since the expression of the expenditure goes
related in their case to the site where they often meet, not to the data of
the person who owns the site where they often meet, who does not appear related
with the comment.

        Under the principles of adequacy, pertinence, congruence, and relevance in the
use of the data, when treating them without the consent of the claimant, you can
serve Twitter to express opinions. However, in this case, the identity of that

person is not relevant to what is meant in the comment, which was that
the food was to be paid for from the public budget.

        The same results would have been obtained by covering the account and the NIF, and
name and surname of the claimant, since the right of its owner has been limited, to

your data is not exposed in a medium in which your data can be multiplied
effects when the message is shared.

        In accordance with the constitutional jurisprudence that defines the profile of the right
of data protection, in this case, the use of the claimant's data on Twitter is
a use that has not been consented to by its owner, and no legitimate basis is credited in the
treatment of said data in relation to the purpose that is to be understood
in the message that the defendant spread.


        The complainant is considered to have violated article 5.1.a) of the RGPD that
indicates: “The personal data will be:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/10








  a) treated in a lawful, loyal and transparent manner in relation to the interested party
("Lawfulness, fairness and transparency"); as the sending of the aforementioned is not considered lawful

data exposed in the photo that associates the expressive literal of your opinion, which uploads it to
the aforementioned network.

        The respondent does not certify that the treatment of the claimant's data
appears embedded in some legitimating scheme of the assumptions that would enable
the treatment, for which the commission of the alleged infringement of the article is estimated

5.1.a of the RGPD.

                                              IV



        Regarding the fact that the data had been obtained from “Public Access Sources
co".

On this point, we limit ourselves to indicating -reiterating what was stated by this Agency-
cia in its Report of 03/10/2019, entry record 045824 / 2019- that “from the
entry into force of the RGPD can not speak of a legal concept of "accessible sources

sible to the public ”such as the one that existed in the previous Organic Law 15/1999 (...)
RGPD only talks about publicly accessible sources when regulating the right to information
if the data has not been collected from the interested party ”.

Therefore, the concept of a source of public access does not exist in the RGPD or in the LO-
PDGDD and, what is more, despite the terms in which article 6.2 of the
repealed LOPD, it was not a valid concept in our legal system during

during the validity of the repealed Organic Law 15/1999 as a result of the STS of 02/08/2012
(Rec. 25/2008). The STS relied on the STJUE of 04/24/2011 which resolved the issue
preliminary ruling from Spain; declared invalid article 6.2 LOPD for being contrary to
Article 7.f) of Directive 95/46 and considered that, given the incorrect transposition of the
Directive 95/46 that the LOPD made at that point, article 7.f) of the Directive was of

direct application. Article 7.f) of Directive 95/46, the text of which was practically identical.
co to the current article 6.1.f) of the RGPD. Also, the bank account number does not appear
in those supposed sources of public access.

        Nor can the allegation that the fact that the data
appear in this type of legitimate sources without further treatment. The GDPR only speaks
sources of public access when regulating the right to information if the data is not

have collected from the interested party.

           Article 14 of the RGPD indicates:


     "1.When the personal data have not been obtained from the interested party, the
     responsible for the treatment will provide you with the following information:


     2.f) the source from which the personal data come and, where appropriate, if they come from
   public access sources; "





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/10








     Neither the publication in official gazettes, in which it will not foreseeably appear
the bank account of the affected party, supposes the existence of a legitimate basis for the
treatment of the claimant's data, especially when the data is exposed as a

ferencia, in a social network open to the general public.
       As for the news of the newspaper "*** DIARIO.1", the report does not identify

with personal data as does the tweet that is the subject of the claim.

                                              V


       Article 83.5 a) of the RGPD, considers that the violation of "the basic principles
for the treatment, including the conditions for consent in accordance with the articles
the 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned article 83

of the aforementioned Regulation, with administrative fines of a maximum of € 20,000,000 or,
for a company, an amount equivalent to a maximum of 4% of the volume
total annual global business of the previous financial year, opting for the one with the highest
amount. "


      Article 58.2 of the RGPD indicates: "Each control authority will have all the
following corrective powers listed below:

       b) sanction any person responsible or in charge of the treatment with warning
When the processing operations have violated the provisions of this Re-
regulation;


       d) order the person in charge of the treatment that the operations of
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period ”.

       In this case, the defendant is a natural person, who does not carry out on a regular basis
or professional, mainly personal data processing, and does not include
history of previous infringements in the field of data protection, so it is
opted for a warning sanction. It would be advisable, if it has not yet been
made, that the data of the claimant exposed and related to the matter of this

complaint will be removed from the aforementioned tweet, in order not to persist in the behavior that
motivates this procedure.


       Therefore,


       the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE B.B.B., with NIF *** NIF.1, for a violation of article 5.1.a)
of the RGPD, as indicated in Article 83.5 a) of the RGPD, a warning sanction.


SECOND: NOTIFY this resolution to B.B.B ..

THIRD: In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/10








Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the

LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the Director
of the Spanish Agency for Data Protection within a month from the
day after notification of this resolution or directly contentious appeal

administrative before the Contentious-Administrative Chamber of the National Court, with
in accordance with the provisions of article 25 and section 5 of the additional provision
fourth of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-
administrative, within a period of two months from the day following notification

of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party
expresses its intention to file a contentious-administrative appeal. If this is the

In this case, the interested party must formally communicate this fact by writing to
the Spanish Agency for Data Protection, presenting it through the Registry
Electronic Office of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through
any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of 1

October. You must also send the Agency the documentation that proves the
effective filing of the contentious-administrative appeal. If the Agency did not have
knowledge of the filing of the contentious-administrative appeal within the period of
two months from the day following the notification of this resolution, it would

end of the precautionary suspension.


                                                                                       938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection





























C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es