AEPD (Spain) - PS/00279/2020
| AEPD - PS/00279/2020 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6 GDPR, Article 13 GDPR, Article 83(5) GDPR, 72 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 01.03.2021 |
| Fine: | 9000 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS/00279/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA (AEPD) imposed a fine of €5,000 for the violation of Article 6 GDPR and of €4,000 for the violation of Article 13 GDPR. The defendant published personal data on its website without consent and without informing the data subject in a privacy policy.
English Summary
Facts
A Spanish website has published personal photos and other personal data on its website without the consent of the data subject and without providing the data subject with a privacy policy containing the information required by article 13 GDPR.
Dispute
Is publishing personal data without the consent of the data subject unlawful? Is the lack of a privacy policy providing the data subject with the information required under GDPR unlawful?
Holding
The national law LOPDGDD considers the violation of articles 6 and 13 GDPR as "very serious" and therefore the Spanish DPA decided on imposing a fine of € 5 000 for the violation of Article 6 GDPR and € 4 000 for the violation of article 13, under the power conferred by Article 83(5) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure Nº: PS / 00279/2020

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) on July 9, 2019 filed claim before the Spanish Agency for Data Protection. The claim is directed against B.B.B. with NIF *** NIF.1 (hereinafter, the claimed one). The reasons on which the claim is based are that photographic material has been published and other personal data at “*** URL.1”, without your consent. On June 4, 2019, he requested the deletion of his personal data to the claimed, but this one does not respond.

Likewise, the complained party states that on the aforementioned website the legal notice that publishes is insufficient and its privacy policy does not meet the required requirements regarding the processing of personal data.

Among others, the following documentation is provided: Email addressed to the address *** EMAIL.1 exercising the right of suppression of the claimant's personal data.

The antecedents that appear are the following: Dated June 1, 2020, within the admission procedure E / 08088/2019 and without being able to transfer the claim to the claimed one, agrees to open these investigative actions in relation to the claim submitted by the claimant. The claimant is notified on July 8, 2020.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), dated June 1, 2020, within the procedure of admission E / 08088/2019 this claim is transferred without having got answer.

THIRD: On September 21, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged violation of article 6 of the RGPD, article 13 of the RGPD, typified in the Article 83.5 of the RGPD.
FOURTH: On October 7, 2020, the agreement to initiate this procedure, becoming the same proposal for resolution of conformity with articles 64.2.f) and 85 of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations (LPACAP), by not carrying out allegations within the indicated period.

C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es

In view of all the actions, by the Spanish Protection Agency of Data in this procedure the following are considered proven facts,

ACTS

FIRST: A claim is filed because photographic material has been published and other personal data in "*** URL.1", without the consent of the owner.

SECOND: On June 1, 2020, within the admission procedure E / 08088/2019 this claim is transferred without a response having been obtained.

THIRD: On October 7, 2020, the agreement to initiate this procedure, becoming the same proposal for resolution of conformity with articles 64.2.f) and 85 of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations (LPACAP), by not carrying out allegations within the indicated period.

In view of all the actions, by the Spanish Protection Agency of Data in this procedure the following are considered proven facts,

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure.

II

Article 6.1 of the RGPD establishes that for the treatment to be lawful, will require that the interested party give their consent for the processing of their data personal for one or more specific purposes.
Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons in the regarding the processing of personal data and the free circulation of these data (General Data Protection Regulation, hereinafter RGPD), under the rubric "Definitions", provides that:

"For the purposes of these Regulations, the following shall be understood as:

1) "personal data": any information about an identified natural person or identifiable ("the interested party"); an identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements of the identity physical, physiological, genetic, psychic, economic, cultural or social of said person;

2) "treatment": any operation or set of operations carried out on personal data or personal data sets, either by procedures automated or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction;"

Therefore, in accordance with these definitions, the collection of data from personal character through forms included in a web page constitutes a data processing, in respect of which the data controller must give compliance with the provisions of article 13 of the RGPD, a precept that has displaced from May 25, 2018 to article 5 of Organic Law 15/1999, of May 13, December, Protection of Personal Data.
In relation to this matter, it is observed that the Spanish Agency for Data Protection has available to citizens, the Guide for the compliance with the duty to inform (https://www.aepd.es/media/guias/guia-modelo- informative-clause.pdf) and, in the event of low-risk data processing, the Free Facilita tool (https://www.aepd.es/herramdamientos/facilita.html).

In this sense, article 4.11 of the RGPD defines the "consent of the interested party" as any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data concerning you.

For its part, article 7.1 of the RGPD establishes that “when the treatment is Based on the consent of the interested party, the person in charge must be able to demonstrate that he consented to the processing of his personal data."

Along these lines, article 6 of the LOPDGDD establishes that in accordance with The provisions of article 4.11 of Regulation (EU) 2016/679, is understood as consent of the affected party any manifestation of free, specific will, informed and unequivocal by which it accepts, either through a statement or a clear affirmative action, the processing of personal data concerning you.
Article 13 of the RGPD, precept in which the information that must be provided to the interested party at the time of data collection, it has:

"1. When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below:

a) the identity and contact details of the person in charge and, where appropriate, of their representative;

b) the contact details of the data protection officer, if applicable;

c) the purposes of the treatment to which the personal data are destined and the basis legal treatment;

d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party;

e) the recipients or categories of recipients of personal data, in your case;

f) where appropriate, the intention of the person responsible to transfer personal data to a third country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of transfers indicated in the Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate warranties and the means to obtain a copy of these or to the fact that they have been borrowed.

2. In addition to the information mentioned in section 1, the person responsible for the treatment will facilitate the interested party, at the time the data is obtained personal information, the following information necessary to guarantee data processing loyal and transparent:

a) the period during which the personal data will be kept or, when not where possible, the criteria used to determine this deadline;

b) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to data portability;

c) when the treatment is based on article 6, paragraph 1, letter a), or the Article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal;

d) the right to file a claim with a supervisory authority;

e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and are informed of the possible consequences of not provide such data;

f) the existence of automated decisions, including profiling, to referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the applied logic, as well as the importance and consequences provided for said treatment for the interested party.

3. When the person responsible for the treatment plans the subsequent treatment of personal data for a purpose other than that for which it was collected, will provide the interested party, prior to said further processing, information on that other purpose and any additional relevant information pursuant to section 2.
4. The provisions of paragraphs 1, 2 and 3 shall not apply when and in the extent to which the interested party already has the information”.

For its part, article 11 of the LOPDGDD, provides the following:

"1. When the personal data is obtained from the affected party, the person in charge treatment may comply with the duty of information established in the Article 13 of Regulation (EU) 2016/679 providing the affected party with basic information referred to in the following section and indicating an email address or other means that allows easy and immediate access to the rest of the information.

2. The basic information referred to in the previous section must contain, at least:

a) The identity of the person responsible for the treatment and their representative, in their case.

b) The purpose of the treatment.

c) The possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679.

If the data obtained from the affected party were to be processed for the preparation of profiles, the basic information will also include this circumstance. In this case, the affected party must be informed of their right to oppose the adoption of automated individual decisions that produce legal effects on him or her significantly affect in a similar way, when this right to agree with the provisions of article 22 of Regulation (EU) 2016/679."

III

This claim focuses on the fact that images of the claimant have been published without consent on the website *** URL.1. It also states that both the legal notice and the privacy policy of the web page *** URL.1 is not in accordance with the data protection regulations.
According to the available evidence, it is considered that the known facts constitute two infractions attributable to the defendant, one first offense for a violation of article 6 of the RGPD, for the treatment of your personal data without your consent, and another second violation by the violation of article 13 of the RGPD, for lacking the privacy policy of the page website object of this claim, of the requirements regarding the processing of personal data, indicated in foundation II.

IV

Article 72.1.b) and h) of the LOPDGDD states that “depending on what established in article 83.5 of Regulation (EU) 2016/679 are considered very serious and The infractions that suppose a substantial violation will prescribe after three years of the articles mentioned therein and, in particular, the following:

b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679.

h) The omission of the duty to inform the affected party about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this organic law."

V

Each offense can be sanctioned with a fine of € 20,000,000 as maximum or, in the case of a company, of an amount equivalent to 4% as maximum total annual global business volume of the previous financial year, opting for the highest amount, in accordance with article 83.5 of the RGPD.
Likewise, it is considered that each sanction to be imposed should be graduated from in accordance with the following criteria established in article 83.2 of the RGPD:

As aggravating factors the following:

In the present case we are dealing with unintentional negligent action, but it signifies identified catives (article 83.2 b)

Basic personal identifiers -image- are affected (art 83.2 g)

Therefore, based on the foregoing, By the Director of the Spanish Data Protection Agency, Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE B.B.B., with NIF *** NIF.1, for the violation of article 6 of the RGPD, a fine of five thousand euros (€ 5,000), and by article 13 of the RGPD, a fine of four thousand euros (€ 4,000), both typified in article 83.5 of the RGPD.

SECOND: NOTIFY this resolution to B.B.B.

THIRD: Warn the sanctioned person that they must enforce the sanctions imposed once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A. In case Otherwise, it will be collected in the executive period.
Received the notification and once executive, if the date of execution is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension.

Mar Spain Martí
Director of the Spanish Agency for Data Protection