AEPD - PS-00379-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR; Article 83(5) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 29.03.2022 |
Decided: | 07.12.2022 |
Published: | |
Fine: | 2000 EUR |
Parties: | A.A.A.; COMUNIDAD DE PROPIETARIOS R.R.R. |
National Case Number/Name: | PS-00379-2022 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | Expediente N.º: EXP202204461 (in ES) |
Initial Contributor: | michri |
The Spanish DPA found a violation of Article 5(1)(f) GDPR and fined €2,000 a 'community of owners' for accessing video surveillance footage and sharing it without authorization.
English Summary
Facts
The data subject was a member of a community of owners, the controller. They complained to the president of the community association about video recordings in which they appeared.
Subsequently, the president shared these videos in a WhatsApp group with other neighbours.
The data subject then filed a complaint with the Spanish DPA, claiming that the controller violated the principle of integrity and confidentiality while processing their personal data, in breach of Article 5(1)(f) GDPR.
During the procedure, the controller alleged that it was an individual conduct of its president, so only the individual could be held liable, not the legal person.
Holding
The DPA dismissed the controller's argument by stating that the community was acting as the controller as it jointly: a) approved the installation of the cameras, b) determined the purpose of the processing, and c) established the means to carry out said processing.
It also stated that holding the president individually responsible was a matter to be handled internally by the supervisory body of the community through the mechanisms provided for in the Spanish Horizontal Property Law (HPL).
Therefore, Article 5(1)(f) GDPR was considered violated by the community of owners as a whole and a fine according to Article 83(5) GDPR was imposed.
When determining the amount, the DPA took the director’s individual action as well as the communal responsibility into account and issued a fine of €2,000 for the violation of Article 5(1)(f) GDPR as classified under Article 83(5) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202204461
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: A.A.A. (*hereinafter, the complaining party) dated March 29, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against COMMUNITY OF OWNERS R.R.R. with NIF ***NIF.1 (hereinafter, the claimed party). The reasons on which the claim is based are the following:
The claimant states that he resides in a property that the claimant is a resident of. kitchen and, at the time of the facts that are the subject of the claim, she was President of the Community of Owners and that is, taking advantage of said condition, together with the other person claimed, accessed recordings from the video surveillance system of the Community of Owners in which the claimant appeared, making to his recordings of said videos, which they spread in a WHATSAPP Group to other neighbors, the claimant understanding that the defendants have agreed and processed provided data from the complaining party, as well as from other neighbors.
Provide the broadcast recordings, as well as the Minutes of the Meeting of Owners dated March 10, 2022 where the subject is discussed and where the defendant (a) recognises know the facts and have acted together with the defendant in that regard (Annex I).
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the party claimed on date 04/21/22 and 05/11/22, to proceed with its analysis and inform this Agency within a month, of the actions carried out to adapt to the requirements provided for in the data protection regulations.
Made the transfer in accordance with the provisions of Law 39/2015 (October 1)-LPAC- No response was received in this regard, nor has an explanation been given. made in relation to them at the appropriate procedural moment.
THIRD: On 04/07/22, communication was received from the AET providing the data prosecutors of the COMMUNITY OF OWNERS R.R.R. that work in your system form with NIF identifier associated with the claimed ***NIF.1.
FOURTH: On June 29, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing.
FIFTH: On September 9, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 5.1.f) of the GDPR, typified in the Article 83.5 of the GDPR.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
SIXTH: Notified the aforementioned start agreement in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the claimed party submitted a written of allegations dated 10/11/22 in which, in summary, he stated the following:
"That by means of this document this party recognizes as adjusted to Law and reality the factual and legal foundations of the complaint filed for the affected (...) reason why my principal, the Community of owners acknowledge the facts.
Attached as document No. 1 Minutes with the dismissal of the President and various agreements relevant to this sanction. In point 4, the undersigned is hired as the new Administrator of the estate.
Add that over the years who has controlled the room where remains the monitor and image recorder have been the different Presidents (as) therefore the negligent action of a President cannot imply a sanction for the rest of the neighbors (as) that carry the Community of owners of the same (…)
It should be noted that the Community of owners has done everything possible to put a solution and/or end to the facts denounced, by what this part understands The proposed sanction is NOT adjusted to law (...) although the sanction must be directed against the person who has carried out the offense described”.
SEVENTH: On 12/07/22 <Proposed Resolution> is issued in which proposes a penalty of €2,000 for the misuse of images from the video surveillance installed, for the accredited violation of art. 5.1 f) GDPR, when testing the access to the system without justified cause and the subsequent dissemination of the same.
EIGHTH: After consulting the information system of this Agency, it is reported electronically the aforementioned act, in accordance with the provisions of Article 16 Law 39/2015 (October 1).
Of the actions carried out in this procedure and of the documentation in the file, the following have been accredited:
PROVEN FACTS
First. The facts bring cause of the claim before this body on the date 03/29/22 through which the following is transferred:
“making recordings through the installed video surveillance system in the Community of owners carried out on the reproduction of images of the same being the object of recording in the common access/exit area of the same, the images being distributed through WhatsApp (...)”—folio nº 1--.
Second. The entity COMUNIDAD DE OWNERS R.R.R. with NIF ***NIF.1.
Third. The access of the main person in charge of the Community to the room where the video surveillance camera system was installed, without justified cause in the regulations in force.
Fourth. The obtaining of images obtained from the monitor of the system is accredited, as well as the dissemination of these through a private messaging application, reaching the same knowledge of an indeterminate number of owners (as) of the property, accompanied by derogatory expressions.
FUNDAMENTALS OF LAW
I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulations comments dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II
In the present case, the claim dated 03/29/22 is examined by means of from which the alleged non-consensual access and without justified cause to the images obtained from the recording system of the Community of owners, being object according to the claimant's statement of diffusion in a WhatsApp Group without no apparent reason.
"That he has been made aware of the recording in the facilities of the building of images associated with your person considering your privacy and intimacy affected (…)” –folio nº 1--.
It should be noted that the Community of owners (as) holds the status of "responsible for the treatment" (article 4 point 7 of the GDPR), regardless of whether the access to the images has been made by a governing body of the same, without the reasons for accessing and obtaining the images having been clarified to date.
"responsible for the treatment" or "responsible": the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of treatment; if the law of the Union or of the Member States determines the purposes and means of processing, the controller or the specific criteria for their appointment may be established by Union Law or of the Member States;
Being one of the governing bodies, which holds the legal representation of the Community, according to article 13.3 of the LPH, the President must comply with the mandates, act with diligence and execute the agreements adopted by the Board of Owners, and may be affected by liability in the event of an alleged extralimitation in the exercise of their duties.
The facts described above may affect the article 5.1 f) GDPR.
“processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against its loss, destruction or accidental damage, through the application of technical or organizational measures ("integrity and confidentiality")”.
Video surveillance in a community is the installation of cameras in the common elements of the building that allows to improve surveillance and therefore security within the same.
At the time of its installation, the obligations set forth in the European Data Protection Regulation and the Organic Law 3/2018 of Protection of Personal Data and Guarantee of Digital Rights must be complied with.
Article 22 section 3 of the LOPDGDD (LO 3/2018, December 5) provides as following:
"The data will be deleted within a maximum period of one month from its capture, except when they had to be kept to prove the commission of acts that threaten the integrity of people, property or facilities. In such a case, the images must be made available to the competent authority within a maximum period of seventy-two hours from when the existence of the recording was known” (* underlining belongs to this organization).
Access to the recordings of the video surveillance systems can only occur in the legally determined cases and by a duly authorized person in that case, being equally “exceptional” the diffusion of the images that have been obtained with it (them), respecting in any case the regulations in force in personal data protection, as well as the other regulations of the legal system in force.
II
Based on the evidence available in this disciplinary proceeding, it is considered that the party claimed according to the statements made has proceeded to access the recording system of the Community of owners without just cause, proceeding to disseminate data (images) of the claimant without obeying any of the reasons provided for in the rule.
Article 13 of the LPH (Law 49/1960, July 21) "The governing bodies of the Community are as follows: b) The president, and if applicable, the vice-presidents (...)".
The claimed party in its current representative acknowledges, without ambiguity, the facts transferred by this body "recognizes as adjusted to law and to the reality of the factual and legal foundations" for which the Community of Owners acknowledges the facts (folio no. 1 Statement of allegations 10/11/22).
It is argued that the responsibility for the facts, however, should lie on the President (a) who made them and not on the group of owners that in his opinion they have suffered these actions "adopting the necessary measures to alleviate the situation" that has even led to the rescission of the mandate conferred, hiring a new Property Manager.
On this aspect, influence the responsibility of the Community as a whole, of course, being the same knowledgeable in some (as) of its members of the facts described as evidenced by the fact that the images are disseminated in a well-known messaging system of private use of the same.
Furthermore, in the installation of this type of device the “responsible” of the system is this and not the President who acts as a mere representative, since it is the Community as such that approves the installation, the purpose of the treatment and the means to carry out said treatment, being ultimately the own Board of owners, the body to which it is subordinated, which can act against excesses in the exercise of functions or situations that can be classified in <abuse of power> by the same, through the mechanisms provided for in the LPH (vgr. art. 14 LPH).
The management of the President and other positions of the Community may have consequences at the legal level if it is not done diligently, even when they use their position and authority to make decisions or behaviors that may not be convenient for the Community of owners.
The question of an alleged civil or criminal liability for damages caused, where appropriate, to the Community of owners by the President of the same, due to willful or negligent breach in the exercise of its functions, it is a question that, in its case, is the responsibility of all the owners of the property, exercising in his case against the same the legal actions that are deemed pertinent, even in the case of an alleged abuse of power.
Of the set of allegations and evidence provided, recognized by the claimed party, it can be concluded that there has been an access not protected by law to the images (data) from the video surveillance system installed, which allowed the capture of a community space without justified cause for access and dissemination of these in the exposed form.
The measures adopted have been decided after the events occurred described as a result of the intervention of both this body, as well as having knowledge of criminal complaint as a result of the facts described in the Instruction Court No. 5 (Palmas de Gran Canaria) without them being complete in the opinion of this organization.
It would be advisable to adopt additional measures such as clearly indicating the main person responsible for access to them, establishing in documentary form an action protocol, which will avoid actions such as those described in the future, without prejudice to informing the set of owners (as) of the property.
The known facts are therefore constitutive of an infringement, attributable to the claimed party, for violation of article 5.1 letter f) RGPD, previously cited.
IV.
The art. 83.5 GDPR provides the following: "Violations of the following provisions will be penalized, in accordance with section 2, with administrative fines of 20 000 000 EUR maximum or, in the case of a company, an equivalent amount to a maximum of 4% of the overall annual total turnover of the previous financial year, opting for the one with the highest amount:
a) The basic principles for the treatment including the conditions for the consent in accordance with articles 5,6,7 and 9 (…)”.
When motivating the sanction, it is taken into account that it is a physical person who has accessed the images (data), but who cannot ignore the responsibilities of his position in the Community of owners, who has agreed to the recording system of the same without just cause, proceeding to the diffusion of the same without adequate guarantees through a well-known messaging application, which entails gross negligence in the conduct described attributable differently. directly to the Community itself by not adopting any guarantee in the dissemination to third parties (as) affecting the rights of the affected, as well as the insufficient reaction from the first moment of having knowledge of these, reasons all of which justify the imposition of a penalty of €2,000, according to the seriousness of the facts taking into account the number of owners, the nature of the conduct described and located in any case on the lower scale for this type of behavior.
Therefore, in accordance with the applicable legislation and assessed the graduation criteria of the sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE on COMMUNITY OF OWNERS R.R.R., with NIF ***NIF.1, for a violation of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR, a fine of €2000.
SECOND: NOTIFY this resolution to the entity COMMUNITY OF OWNERS R.R.R.
THIRD: Warn the penalized person that they must make the imposed sanction effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment term established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of its income, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected in executive period.
Once the notification has been received and once executed, if the execution date is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following or immediately following business month, and if between the 16th and the last day of each month, both inclusive, the payment period will run until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reinstatement before the Director of the Spanish Agency for Data Protection within a period of one month from the day following the notification of this resolution or directly contentious appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the interested party states its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer the documentation to the Agency proving the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, would terminate the precautionary suspension.
938-181022
Mar Spain Marti
Director of the Spanish Data Protection Agency