AEPD (Spain) - PS/00433/2021
AEPD (Spain) - PS/00433/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 17.01.2022 |
Fine: | 2000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00433/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Paola León |
The Spanish DPA fined a tobacco store €2000 for unlawfully publishing a photo of a data subject and their partner on Facebook and Instagram, accompanied by accusations that they were responsible for robberies in the area.
English Summary
Facts
A data subject filed a complaint with the Spanish DPA (AEPD) against a tobacco shop in Tenerife called Island Meeting Puerto C.B. (the shop) for disseminating their image, as well as that of their partner, on social media networks Facebook and Instagram. The posted images were accompanied with comments by the shop accusing them of several robberies.
The comments attached to the images read as follows:
"These two characters have been stealing from all tobacconists in the north. It never happens...Today it has happened to us again. We'll pay for data protection without problems. But it's okay that these people keep stealing and nothing happens. Where is the safe island where we lived in? Are we waiting for them to rob a bank? They have committed more than 20 robberies”
The AEPD contacted the shop about these allegations and gave them a month to carry out actions to bring its practices into compliance with GDPR, as well as preventing this type of incident from reoccurring. However, no response to this communication was received.
Holding
The AEPD considered that the shop violated Article 6(1) GDPR by disseminating the image of the claimant and their partner (accompanied by negative comments and accusations) without their consent.
The AEPD took certain aggravating and mitigating factors into consideration in order to determine how to sanction this violation. Some aggravating elements included the fact that the shop's posting on social networks had the immediate effect of disseminating the claimant's personal data, the fact that two people had been affected by the post, the damage caused not only by the dissemination of images but also of accusations, and the shop's lack of response to the AEPD's request to implement measures to ensure that this practice did not occur in the future.
Regarding the mitigating factors, the AEPD took into consideration that the shop's activity was not linked to any further processing of personal data, that it is a small business, that there is no evidence it had committed a previous offense, and that it had acted negligently but not maliciously.
Based on these considerations, the AEPD issued a €2,000 fine on the shop.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/9 File No.: PS/00433/2021 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: Ms. A.A.A. (hereinafter, the complaining party) dated 05/07/2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against MEETING PUERTO C.B. with NIF E76518877 (in hereafter, the party claimed). The grounds on which the claim is based are following: the dissemination through the social networks Facebook and Instagram of your image, as well as that of his partner accompanied by comments trying to undermine his credibility. . SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), in the scope of file E/06473/2021, both on 06/10/2021, as on 06/22/2021, said claim was transferred to the claimed party for to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the regulations of Data Protection. No response to these letters has been received. THIRD: On 08/23/2021 the Director of the Spanish Protection Agency Data agreed to admit the claim filed by the claimant for processing. FOURTH: On 11/19/2021, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure against the defendant, for the alleged violation of article 6.1 of the RGPD, sanctioned in accordance with the provisions of article 83.5.b) of the aforementioned GDPR and considered for prescription purposes in article 72.1.b) of the LOPDGDD. FIFTH: Once the initiation agreement has been notified, the one claimed at the time of this The resolution has not presented a written statement of allegations, for which reason the indicated in article 64 of Law 39/2015, of October 1, on the Procedure Common Administrative Law of Public Administrations, which in section f) establishes that in the event of not making allegations within the period established on the content of the initiation agreement, it may be considered a proposal for resolution when it contains a precise statement about the responsibility imputed, reason why a Resolution is issued. SIXTH: Of the actions carried out in this proceeding, they have been accredited the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/9 PROVEN FACTS FIRST: On 05/07/2021 the claimant submitted a letter to the Spanish Agency for Data Protection, noting that the defendant has spread through the networks social Facebook and Instagram your image, as well as that of your partner accompanied by comments trying to undermine your credibility. SECOND: There is a publication provided on Instagram in which the claimant appears and His couple; Superimposed on the images is the following comment: “These two characters have been stealing from all tobacconists in the north. It never happens... Today it was our turn again. We pay for data protection without problems. But it's okay that these people keep stealing and nothing happens. The safe island where we lived where is it? Are we waiting for them to rob a bank? They have more than 20 robberies”. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and according to the provisions of articles 47 and 48 of the LOPDGDD, The Director of the Spanish Agency for Data Protection is competent to initiate and to solve this procedure. II Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, in its article 64 "Agreement of initiation in the procedures of a sanctioning nature”, provides: "one. The initiation agreement will be communicated to the instructor of the procedure, with transfer of how many actions exist in this regard, and the interested parties will be notified, understanding in any case by such the accused. Likewise, the initiation will be communicated to the complainant when the rules regulators of the procedure so provide. 2. The initiation agreement must contain at least: a) Identification of the person or persons allegedly responsible. b) The facts that motivate the initiation of the procedure, its possible rating and sanctions that may apply, without prejudice to what result of the instruction. c) Identification of the instructor and, where appropriate, Secretary of the procedure, with express indication of the system of recusal of the same. d) Competent body for the resolution of the procedure and regulation that attribute such competence, indicating the possibility that the presumed responsible can voluntarily acknowledge their responsibility, with the effects provided for in article 85. e) Provisional measures that have been agreed by the body competent to initiate the sanctioning procedure, without prejudice to those that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/9 may be adopted during the same in accordance with article 56. f) Indication of the right to formulate allegations and to the hearing in the procedure and the deadlines for its exercise, as well as an indication that, in If you do not make allegations within the stipulated period on the content of the initiation agreement, this may be considered a resolution proposal when it contains a precise statement about the responsibility imputed. 3. Exceptionally, when at the time of issuing the initiation agreement there are not sufficient elements for the initial qualification of the facts that motivate the initiation of the procedure, the aforementioned qualification may be carried out in a phase later by drawing up a List of Charges, which must be notified to the interested". In application of the previous precept and taking into account that no formulated allegations to the initial agreement, it is appropriate to resolve the initiated procedure. III The claimed facts materialize in the publication by the claimed without legitimation or consent through the social network Instagram of the images of the claimant and her partner accompanied by unfortunate comments which could suppose a violation of the regulations on the protection of personal data. Article 58 of the RGPD, Powers, states: "two. Each control authority will have all the following powers: rectives listed below: (…) i) impose an administrative fine pursuant to article 83, in addition to or instead of of the measures mentioned in this section, depending on the circumstances. tances of each particular case; (…)” Article 6, Legality of the treatment, of the RGPD establishes: "one. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their personal data final for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at its request of pre-contractual measures contractual; c) the treatment is necessary for the fulfillment of an applicable legal obligation. cable to the data controller; d) the processing is necessary to protect the vital interests of the data subject or of another natural person; e) the treatment is necessary for the fulfillment of a mission carried out in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/9 public interest or in the exercise of public powers vested in the controller of the treatment; f) the treatment is necessary for the satisfaction of legitimate interests per- guided by the data controller or by a third party, provided that on such interests do not override the interests or fundamental rights and freedoms data of the interested party that require the protection of personal data, in particularly when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment ment carried out by public authorities in the exercise of their functions. (…)”. On this question of the legality of the treatment, the Consideration also affects 40 of the aforementioned RGPD, when it states that «In order for the treatment to be free- I quote, personal data must be treated with the consent of the interested party or on some other legitimate basis established in accordance with law, either in the present this Regulation or by virtue of another Law of the Union or of the Member States to referred to in this Regulation, including the need to comply with the obligation law applicable to the data controller or the need to perform a contract with which the interested party is a party or in order to take measures at the request of the interested party. resado prior to the conclusion of a contract.» Article 4 of the GDPR, Definitions, in section 11, states that: “11) «consent of the interested party»: any manifestation of free will, is- specific, informed and unequivocal by which the interested party accepts, either through a declaration or a clear affirmative action, the treatment of personal data that concern”. Also article 6, Treatment based on the consent of the affected party, of the new Organic Law 3/2018, of December 5, on the Protection of Personal Data- them and guarantee of digital rights (hereinafter LOPDGDD), states that: "one. In accordance with the provisions of article 4.11 of the Regulation (EU) 2016/679, consent of the affected party is understood to be any manifestation of will free, specific, informed and unequivocal by which he accepts, either through a declaration or a clear affirmative action, the treatment of personal data that concern. 2. When the data processing is intended to be based on consent of the affected for a plurality of purposes it will be necessary to state in a strict way specific and unequivocal that said consent is granted for all of them. 3. The execution of the contract may not be subject to the affected party consenting to the processing of personal data for purposes unrelated to the maintenance, development or control of the contractual relationship”. Therefore, in light of the facts, it is evident that the data processing carried out carried out by the respondent with the dissemination on Instagram of the image of the claimant and his partner accompanied by unfortunate comments has been made without cause C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/9 legitimizing of those collected in article 6 of the RGPD. III The infraction attributed to the defendant is typified in the article Article 83.5 a) of the RGPD, which considers that the infringement of “the basic principles for treatment, including the conditions for consent under the ar- Articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned article. Article 83 of the aforementioned Regulation, "with administrative fines of €20,000,000 as maximum or, in the case of a company, an amount equivalent to 4% maximum amount of the global total annual turnover of the previous financial year, opting- I know for the highest amount”. The LOPDGDD in its article 71, Violations, states that: “They constitute violations tions the acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this law organic”. And in its article 72, it considers for prescription purposes, which are: "Infringements considered very serious: 1. Based on the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and the infractions that entail a substantial violation of the articles mentioned therein and, in particular, ticular, the following: (…) b) The treatment of personal personal data without the concurrence of any of the the conditions of legality of the treatment established in article 6 of the Re- regulation (EU) 2016/679. (…)” IV The documentation in the file shows that the defendant violates Article 6.1 of the RGPD, when proceeding to the dissemination of the image of the claimant and your partner, accompanied by certain comments, without any legitimizing cause such as consent or authorization in social networks. It should be noted that the GDPR excludes tacit consent and requires that it be explicit. With the entry into force of the RGPD and the new LOPDGDD, only the express consent. The most important novelty regarding the consent that incorporates the RGPD is based is that it must be granted through a clear affirmative act that evidences a free, specific, informed and unequivocal declaration of will of the interested party to admit the treatment of personal data that affect him; that there is not the slightest doubt that there has been manifest will on the part of the client, giving their express consent to be able to treat their personal data with the specific purposes detailed in the form. The request for consent must be clear and specific, that it does not unnecessarily alter the use of the service for which it is provided. All this only emphasizes the need that you expressly consent to the treatment. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/9 v In order to establish the administrative fine to be imposed, they must observe The provisions contained in articles 83.1 and 83.2 of the RGPD, which indicate: "one. Each control authority will guarantee that the imposition of the fines in accordance with this article for infringements of these Regulations. indicated in sections 4, 5 and 6 are in each individual case effective, proportionate tioned and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages and losses. who have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the data controller or data processor. taking into account the technical or organizational measures that have been applied under articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment- I lie; f) the degree of cooperation with the supervisory authority in order to remedy gave the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular if the person in charge or the person in charge notified the infringement and, in such case, what extent; i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in question in re- relationship with the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or mechanisms approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits realized or losses avoided, direct or indirectly, through infringement. In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its ar- Article 76, “Sanctions and corrective measures”, establishes that: "two. In accordance with the provisions of article 83.2.k) of the Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of treatments C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/9 of personal data. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the offence. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection delegate. cough. h) The submission by the person in charge or person in charge, voluntarily to alternative conflict resolution mechanisms, in those su- positions in which there are controversies between them and any interested party.” In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the sanction of a fine to im- put in the present case for the infringement typified in article 83.5 of the RGPD of the that the defendant is responsible, in an initial assessment, they are estimated concurrent the following factors: Aggravating circumstances are: The scope of the treatment carried out by the claimed party, since we must not forget note that this has been done through the publication on the social network (Insta- gram) whose diffusion is immediate. Two people have been affected by the offending conduct. The damage caused is not only about the dissemination of the images of the claimant and his partner but they are accompanied by comments for the purpose of discrediting. The respondent has not indicated the measures to be established in order to prevent the produce incidents similar to the one that occurred, by not having responded to the informative request that was sent to you. There is no evidence that the defendant had acted maliciously, even though negligent behavior is observed. They are extenuating circumstances: The activity of the offender is not linked to the performance of treatment. personal data or there is no record of said link. lation. The respondent is a small business. There is no evidence that he had committed a previous offense. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/9 Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE MEETING PUERTO C.B., with NIF E76518877, for a infringement of Article 6.1 of the RGPD, typified in article 83.5.b) of the RGPD, a fine of €2,000 (two thousand euros). SECOND: NOTIFY this resolution to MEETING PUERTO C.B., with NIF E76518877. THIRD: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/9 Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es