AEPD - PS-00450-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 1,500 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00450-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | PS-00450-2022 (in ES) |
Initial Contributor: | sh |
The Spanish DPA fined a landlord €1,500 for installing a camera, which captured a shared area, with only partial consent from all the affected tenants. This resulted in a breach of Article 6(1) GDPR.
English Summary
Facts
The landlord, with the consent of a tenant, installed a camera the façade of a shared villa which captured both a shared swimming pool and terrace. However, the other tenants in the same villa were not notified nor asked to consent to the installation of the cameras. One of them complained to the Spanish DPA.
Holding
The Spanish DPA initially found a breach under Article 5(1)(b) and (c) GDPR and fined the landlord €300. They also ordered the removal of the camera. The landlord ignored this request. On a second review of the case, the Spanish DPA raised the fine to €1,500 and changed the infringement to the lack of a legal basis under Article 6(1) GDPR. The camera was ordered to be removed within 10 working days.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/11 File No.: EXP202206825 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On 06/13/2022, a document submitted to this Agency was entered by A.A.A. (hereinafter, the complaining party), through which the claim is made vs. B.B.B. with NIF ***NIF.1 (hereinafter, the claimed part), for the installation of a video surveillance system located in ***ADDRESS.1, there being indications of a possible non-compliance with the provisions of the data protection regulations of personal character. The reasons underlying the claim are the following: “A camera has been placed on the interior façade of the house located in ***ADDRESS 1. This home is a single-family chalet in which 3 of us live. tenants leased to Mr. B.B.B.. This house has a terrace and swimming pool for use shared. The aforementioned B.B.B., with the collaboration of C.C.C. has installed a camera on the facade of the aforementioned C.C.C.. The camera is focused on the shared-use terrace and pool. these spaces They are available to the tenants of the chalet in which we live. Said chalet consists of 3 separate rooms or “houses”. We live in one, in another C.C.C. and D.D.D., and in the last E.E.E.. B.B.B. He is the owner of the entire chalet. The installation of the camera has not been notified, nor have they asked for consent to record us. My wife, my daughter under 8 years old and I live in our home. (…)” Attached is a photographic report of the location of the video surveillance camera and the affected areas SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), on 06/16/2022 said claim was transferred to the party claimed, so that it could proceed with its analysis and inform this Agency within the period of one month, of the actions carried out to adapt to the planned requirements in data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on 06/27/2022 as stated in the acknowledgment of receipt that appears in the file, without having been received by the Agency response to it. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/11 THIRD: On 08/19/2022, in accordance with article 65 of the LOPDGDD, The claim presented by the complaining party was admitted for processing. FOURTH: On 11/14/2022, the Director of the Spanish Protection Agency of Data agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of LPACAP, for the alleged violation of the article 5.1.c) of Regulation (EU) 2016/679 (General Data Protection Regulation, typified in article 83.5.a) of the RGPD. A fine was set as an initial assessment administrative fee of €300 and, as a possible measure, the removal of the device from the place current or regularization in accordance with current regulations. FIFTH: The notification of the agreement to initiate this sanctioning procedure It was delivered on 11/15/2022 and, after the period granted for the formulation of allegations, it has been confirmed that no allegations have been received from the party claimed. SIXTH: On 04/27/2023, a proposed resolution was formulated in which, as As a result of the investigation, it was considered that the legal classification of the facts acquaintances had to be different. Thus, it was proposed to impose a fine of €5,000 on the claimed party, for the violation of article 6.1 of the RGPD due to the lack of basis legal entity that legitimizes the processing of personal data of the complaining party (your image). Likewise, it was ordered that, within a period of ten business days from the date on which the resolution in which it so agrees is notified, the claimed party proves having proceeded to remove the camera from its current location. SEVENTH: On 05/17/2023 the requested party was notified of the proposed resolution, without any response having been received from this Agency. PROVEN FACTS FIRST: Installation of a white video surveillance camera on top of the facade of the chalet owned by the claimed party, located at ***ADDRESS.1, oriented towards the exterior areas of the plot. SECOND: In the photograph taken by the complaining party from the position of the camera, it is proven that the device in question focuses towards the area of the pool and terrace. FOUNDATIONS OF LAW Yo Competition and applicable regulations In accordance with the powers that article 58.2 of the RGPD grants to each authority of control and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, The Director of the Agency is competent to initiate and resolve this procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/11 Spanish Data Protection. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Previous issues Article 4 “Definitions” of the GDPR defines the following terms for the purposes of Regulation: "1) 'personal data': any information about an identified natural person or identifiable ("the interested party"); Any person will be considered an identifiable natural person whose identity can be determined, directly or indirectly, in particular by an identifier, such as a name, an identification number, data location, an online identifier or one or more elements of identity physical, physiological, genetic, mental, economic, cultural or social of said person;” “2) “treatment”: any operation or set of operations performed on personal data or sets of personal data, whether by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction;” In the present case, in accordance with article 4.1 of the GDPR, the physical image of a person is personal data. In this way, the images generated by a system of cameras or video cameras are personal data, so their processing is subject to data protection regulations. III Legality of the processing of personal data Article 18 section 4 EC provides: “The law will limit the use of information technology to guarantee the honor and personal and family privacy of citizens and the full exercise of their rights.” Recital 40 of the GDPR states that “For the processing to be lawful, the Personal data must be processed with the consent of the interested party or on any other legitimate basis established in accordance with Law, whether in the present Regulation or under other law of the Union or of the Member States to which referred to in this Regulation, including the need to comply with the legal obligation applicable to the person responsible for the treatment or to the need to execute a contract with to which the interested party is a party or in order to take measures at the request of the interested prior to the conclusion of a contract.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/11 For its part, the principles that must govern the treatment are listed in article 5 of the GDPR. In this sense, section 1 letter a), states that: “The personal data will be: a) Treated in a lawful, loyal and transparent manner in relation to the interested party (legality, loyalty and transparency); (…)” The principle of legality is fundamentally regulated in article 6 of the GDPR. The assumptions that allow the processing of personal data to be considered lawful listed in article 6.1 of the GDPR: 1. Treatment will only be legal if at least one of the following conditions is met. nes: a) the interested party gave his/her consent to the processing of his/her personal data. them for one or more specific purposes; b) the processing is necessary for the execution of a contract in which the interested party sado is a party or for the application at his request of pre-contractual measures. them; c) the treatment is necessary for compliance with an applicable legal obligation. ble to the person responsible for the treatment; d) the processing is necessary to protect vital interests of the interested party or of another natural person; e) the treatment is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers conferred on the person responsible of the treatment; f) the processing is necessary for the satisfaction of legitimate interests guided by the person responsible for the treatment or by a third party, provided that said interests do not prevail over the interests or functional rights and freedoms data of the interested party that require the protection of personal data, in particularly when the interested party is a child. The provisions of letter f) of the first paragraph will not apply to the treatment. “action carried out by public authorities in the exercise of their functions.” Therefore, the “data processing” carried out with the object video surveillance camera claim must be able to be justified on the so-called legitimizing bases, this is, that the legality of the treatment can be proven in the list of situations or suppositions. specific positions in which it is possible to process personal data. In the present case, a video surveillance camera has been installed at the top of the facade of the chalet owned by the claimed party, the claimant having rented it C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/11 part of the property (the contract has not been provided in the claim), with the right to use of common areas (terrace and pool) and towards which the device is oriented. As proof of these statements, the complaining party provided a report photograph in which the presence of a white video surveillance camera is observed in the upper part of the façade of the property mentioned, which, due to its height and position, is focusing towards the areas mentioned above. Thus, the presence of the camera in question involves the impact on spaces that are no longer “private” to the owner, to be enjoyed by a third party whose rights must be respected, both the right to privacy as the right to “protection of personal data”. Therefore, the “personal and domestic” scope in capturing images of the areas common (article 22.5 LOPDGDD) disappears when the temporary use and enjoyment of private housing to a third party, becoming an area reserved for their strictest personal and family privacy and also protected by the regulations of data protection, which does not generally allow the collection and processing of the same. The right to privacy, remember, consists of guaranteeing the free development of the individual private life of each one, without “there being interference from third parties”, the pre- The presence of cameras focusing on shared use areas not only represents a con- excessive control of the entrances/exits of the resident and/or companions, but a “data processing” that is not justified in this file. In this sense, the Constitutional Court affirms in STC 22/1984, that the right to The inviolability of the home constitutes an authentic fundamental right of the person. na, established, as we have said, to guarantee the scope of privacy of this within the space that the person himself chooses and that has to be precisely characterized. mind by being exempt or immune from foreign invasions or aggressions, from other persons or public authority. In this sense-- Contentious-Administrative Ruling No. 2923/2020, Supreme Court Court of Justice of Catalonia, Contentious Chamber, Section 3, Rec 237/2019 of 02 July 2020--. "As stated in STC 10/2002, of January 17 (FFJJ 5 and 6), cited by the Fiscal- cal and by the appellant in amparo, and it has been recalled later in STC 22/2003, of February 10, the constitutional norm that proclaims the inviolability of the home and the prohibition of home entry and search (art. 18.2 CE), despite the autonomy that the Spanish Constitution recognizes both rights, constitutes a manifestation celebration of the preceding norm (art. 18.1 CE) that guarantees the fundamental right to personal and family intimacy. So if the right proclaimed in art. 18.1 CE aims to protect a reserved area of people's lives. excluded from the knowledge of third parties, whether public or private powers, against their will, the right to home inviolability protects "an area "determined spatial" given that in it people exercise their most intimate freedom, free free from all subjection to social uses and conventions, being the object of protection of this right, both the physical space itself considered, and what in it there is emanation from the person and their private sphere. Therefore, we have stated that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/11 The constitutional protection of the domicile is a protection of an instrumental nature, that defends the areas in which a person's private life takes place. Among other consequences, such instrumental character determines that the concept constitutes tutional domicile has greater scope than the private or legal legal concept administrative domicile and does not admit "reductionist conceptions" (for all SSTC 94/1999, of May 31, FJ 5, and 10/2002, of January 17, FJ 6 in fine). Thus, We have stated in legal basis 8 of the aforementioned STC 10/2002 that "the feature essential that defines the domicile for the purposes of the protection provided by art. 18.2 CE lies in the ability to develop a private life in it and in its specific destiny. fic to such development even if it is eventual. This means, first of all, that destination or use constitutes the essential element for the delimitation of spaces constitutionally protected, so that, in principle, their location is irrelevant. tion, its physical configuration, its movable or immovable character, the existence or type of ownership. legal title that enables its use, or, finally, the intensity and periodicity with which private life develops therein. Second, while cash de- development of private life is the determining factor of the specific aptitude for the place in which it takes place is considered domicile, it does not necessarily follow from this This aptitude cannot be inferred from some of these notes, or from others, in the to the extent that they represent objective characteristics according to which it is possible delimit the spaces that, in general, can and usually are used to develop private life." As well as that "the instrumental nature of constitutional protection tional of the home with respect to the protection of personal and family privacy requires that, regardless of the physical configuration of the space, its external signs reflect ensure the clear will of its owner to exclude said space and the activity carried out therein. "rollover of knowledge and interference from third parties." From there we extracted the conclusion consequently, by declaring the unconstitutionality of the provisions of art. 557 of the Law of criminal prosecution that "hotel rooms can constitute domicile of its guests, since, in principle, they are ideal places, due to their own characteristics. ristics, so that the private life of those can develop in them, having fact that the usual destination of hotel rooms is to carry out activities generically framed in private life" (*bold and underlined belongs to this organization). In the agreement to initiate this sanctioning procedure, the party was charged with claimed a violation of article 5.1.c) of the RGPD, typified in article 83.5.a) of the GDPR; considering that capturing images of shared areas (terrace and pool) gave rise to excessive and disproportionate treatment. Thus set as an initial assessment an administrative fine of €300 (three hundred euros) and, as a possible measure, the removal of the device from the current location or regularization of compliance with current regulations. However, taking into account the above and as a consequence of the instruction, it was considered that the legal classification of the known facts should be different. The lack of legal basis that legitimizes the processing of personal data of the complaining party (image) violates the provisions of article 6.1 of the RGPD. IV Classification and qualification of the violation of article 6.1 of the RGPD C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/11 In accordance with the evidence available herein sanctioning procedure, it is considered that the facts presented violate the established in article 6.1 of the RGPD, which means the commission of an infraction typified in article 83.5 of the RGPD which, under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; (…)” For the purposes of the limitation period for infractions, the infraction indicated in the previous paragraph is considered very serious in accordance with article 72.1 of the LOPDGDD, which establishes that: “Based on what is established in article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will expire after three years. infringements that involve a substantial violation of the aforementioned articles in that and, in particular, the following: b) The processing of personal data without any of the conditions concurring of legality of the treatment established in article 6 of the Regulation (EU) 2016/679; (…)” V Penalty for violation of article 6.1 of the GDPR The corrective powers available to the Spanish Agency for the Protection of Data, as a supervisory authority, is established in article 58.2 of the GDPR. Between They have the power to impose an administrative fine in accordance with the article 83 of the RGPD -article 58.2 i)-, or the power to order the person responsible or processor that the processing operations comply with the provisions of the GDPR, where applicable, in a certain manner and within a specified period -article 58.2 d). According to the provisions of article 83.2 of the GDPR, the measure provided for in article 58.2 d) of the aforementioned Regulation is compatible with the sanction consisting of a fine administrative. In the present case, taking into account the facts, it is considered that the sanction that It would be appropriate to impose an administrative fine. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the article 83.1 of the GDPR. In order to determine the administrative fine to be imposed, to observe the provisions of article 83.2 of the RGPD, which indicates: "2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/11 Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied under of articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, in what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with article 42, k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement.” For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, provides: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/11 b) The linking of the offender's activity with the performance of medical treatments. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have included the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity f) The impact on the rights of minors g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which "There are disputes between those and any interested party." These are aggravating circumstances: - The nature, severity and duration of the infraction (art. 83.2.a RGPD), given realize that, as has already been noted, the home is inviolable, and the installation of video cameras implies a significant attack on the privacy of the people who live therein. The balance of the circumstances listed above allows setting a fine of €5,000 (five thousand euros) for committing the violation of article 6.1 of the RGPD. SAW Adoption of measures Pursuant to the provisions of article 58.2 d) of the GDPR, the party is ordered claimed that, within a period of ten business days from the date on which this resolution is notified, proves that the camera has been removed from its current location. Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for a violation of article 6.1 of the RGPD, typified in article 83.5.a) of the RGPD, a fine of €5,000 (five thousand euros). SECOND: NOTIFY this resolution to B.B.B.. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/11 THIRD: ORDER to B.B.B., with NIF ***NIF.1, which by virtue of article 58.2.d) of the RGPD, within a period of ten business days from the date on which this resolution is notified, proves that it has proceeded to remove the camera from the current location. FOURTH: Warn the sanctioned person that he must make the sanction imposed effective once this resolution is executive, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering it, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collection in executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/11 938-010623 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es