AEPD (Spain) - PS-00085-2024

From GDPRhub
AEPD - PS-00085-2024
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 4(7) GDPR
Article 4(12) GDPR
Article 5(1)(f) GDPR
Article 6(4) GDPR
Article 14 GDPR
Article 21 GDPR
Article 58(2) GDPR
Article 83(2) GDPR
Article 83(5) GDPR
Article 83(6) GDPR
Article 112(1) LPACAP
Article 118 LPACAP
Article 14 LPACAP
Article 41 LPACAP
Article 43 LPACAP
Article 47 LOPDGDD
Article 48(1) LOPDGDD
Article 63(2) LOPDGDD
Article 64(2) LOPDGDD
Article 64(2) LPACAP
Article 65(4) LOPDGDD
Article 68(1) LOPDGDD
Article 72 LOPDGDD
Article 76(2) LOPDGDD
Article 85 LPACAP
Article 85 LPACAP
Type: Complaint
Outcome: Other Outcome
Started: 18.04.2024
Decided:
Published: 10.05.2024
Fine: n/a
Parties: Comunidad de Proprietarios R.R.R.
A.A.A.
National Case Number/Name: PS-00085-2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: isabela.maria.rosal

The Spanish DPA settled a complaint against the data controller after the conclusion of an agreement for the possible breach of Article 5(1)(f) GDPR. The case was finalized after the payment of a reduced value of the foreseen fine.

English Summary

Facts

The data subject submitted a complaint against the data controller, a legal entity representing the community of residents, for sharing with all members of the community a document with individualized heating consumption. Since the information would identify the number of each house, it was considered that the document held personal data. The Spanish DPA, then, proposed an agreement with the data controller for the payment of a reduced amount of the foreseen fine, considering the likelihood of the data breach.

Holding

The Spanish DPA finalized an agreement with the data controller after the start of an investigation of a probable infraction to Article 5(1)(f) GDPR. The alleged and possible GDPR breach was connected to the controller message sent to all community residents with individualized information about their heating consumption. Since this information is considered personal data, it could be understood as an illegal sharing of personal information.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/9








     File No.: EXP202304214



       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                    VOLUNTEER

From the procedure instructed by the Spanish Data Protection Agency and based

to the following



                                  BACKGROUND


FIRST: On April 18, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against COMUNIDAD DE
OWNERS R.R.R. (hereinafter, the claimed party), through the Agreement that

is transcribed:

<<



File No.: EXP202304214


            AGREEMENT TO START SANCTIONING PROCEDURE


Of the actions carried out by the Spanish Data Protection Agency and in
based on the following

                                      FACTS


FIRST: A.A.A. (hereinafter, the complaining party) dated September 15,
2023 filed a claim with the Spanish Data Protection Agency. The
The claim is directed against COMMUNITY OF R.R.R. OWNERS. with NIF
***NIF.1 (hereinafter, the claimed part). The grounds on which the claim is based
are the following:


Complaints for having sent all community members an email, on the occasion
of the next owners meeting, where a list of consumption is attached
Individualized heating month by month, identified by floor and letter.


A copy of the list received is provided along with the claim.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to

to proceed with its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/9








The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on 04/11/2023 as stated in the

acknowledgment of receipt that appears in the file.

On 04/27/2023, this Agency received a written response indicating between
other things the following:

“…in 2019 and following the installation of heating cost allocators,

Several owners requested the sending of the list of consumption, in order to
justify and prove the reduction in costs after it, due to the continuous
complaints from several neighbors about it.
With this list it was justified and proven that in most of the
housing was paid the same or less than previously to delivery drivers

costs…

One of the assumptions contemplated by the General Data Protection Regulation
that legitimizes the processing of personal data is the satisfaction of the legitimate interest
alleged by the person responsible or a third party. We believe that this interest would be applied in
this assumption by announcing the savings that the installation of delivery drivers

costs it has meant for the owners.”

THIRD: On 08/22/2023, the proceedings were filed since,
of the actions carried out and the documentation in the file, it is not
inferred the existence of an infringing action by the claimed party in the area

jurisdiction of the AEPD, so the claim was filed.

FOURTH: On 09/05/2023, the complaining party requested a copy of the file that
It was sent on 09/06/2023.


FIFTH: On 09/15/2023, the claimant filed an appeal for reconsideration
in which he alleges that an error has occurred in the legal classification of the facts
reported, that there has been an absence of investigative activity on the part of the AEPD,
that individualized energy consumption data for each supply point
may be considered personal data insofar as it refers to a
identifiable person, that the data protection regulations have been breached in their

articles 14, 6.4 and 21 among others of the RGPD. Requests the annulment of the resolution of
file and that an investigative phase be opened, that a correct qualification be made
legal nature of the reported facts, that the illegality of the actions of the
claimed party and that the repetition of the reported treatment in the future is prohibited.


SIXTH: On 01/03/2024 and in accordance with the provisions of article 118 of
the LPACAP, the requested party was granted a hearing procedure, attaching the
documentation provided by the appellant, so that, within a maximum period of ten
business days, will formulate the allegations and present the documents and supporting documents that
deemed appropriate.


The transfer of the hearing procedure, which was carried out in accordance with the regulations
established in the LPACAP, was collected on 01/12/2024 as stated in the
acknowledgment of receipt that appears in the file.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/9









On 01/19/2024, this Agency received a response letter indicating between
other things the following:


“Agree with the resolution of the AEPD, which supports and legitimizes the
sending a list, the object of this appeal, made by the Community of
Owners Paseo de Yeserías 33, due to the request of several owners, including
the vice president, due to the continuous complaints that there were after the installation of the
heating cost allocators. With this list it was justified and remained

proven that in the majority of the homes they paid the same or less than with
prior to the cost allocators. We emphasize that sending the listing
"It only had the purpose of satisfying the legitimate interest alleged by the person responsible."

SEVENTH: On 02/08/2024, the appeal for reconsideration filed by

A.A.A. against the resolution of this Agency issued on August 22, 2023,
which agreed to file the claim referred to the COMMUNITY OF
R.R.R. OWNERS, in order for the processing to continue.

The notification, which was carried out in accordance with the rules established in the LPACAP, was
collected on 02/09/2024 as stated in the acknowledgment of receipt that is in the

proceedings.

                           FOUNDATIONS OF LAW

                                           Yo

                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

LOPDGDD, is competent to initiate and resolve this procedure the Director of the
Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."

                                           II
                                 Previous issues


Analyzing the issue, STS 2484/2019 of the Contentious-Administrative Chamber
(SAN 1711/2018) establishes in its Third Legal Foundation in fine that: “[…]
We estimate that the measurements referring to the individual consumption of electrical energy
associated with each supply point and its code, which the distribution companies
are obliged to send to the system operator, as soon as they contain information
concerning the behavioral habits of an identifiable natural person, are data

personal (art. 2.a) of Directive 95/46/EC and art. 3.a) of the Organic Law of
Data Protection 15/1999, of December 13), and, as such, are
protected by the guarantees established by data protection regulations.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/9








Therefore, extrapolating to the energy consumption of each resident, it should be noted that
These data are protected by data protection regulations.

In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD,
involves the processing of personal data, since the party

claimed carries out the collection, registration, organization and conservation of, among others,
the following personal data of natural persons: name, identification number
and location data, among other treatments.

The claimed party carries out this activity in its capacity as responsible for the

treatment, given that it is the one who determines the purposes and means of such activity, by virtue
of article 4.7 of the GDPR.

Article 4 section 12 of the GDPR broadly defines “violations of
security of personal data” as “all those security violations
that cause accidental or unlawful destruction, loss or alteration of data

personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data.”

                                           III
                       Principle of integrity and confidentiality

Article 5.1.f) “Principles relating to processing” of the GDPR establishes:

"1. The personal data will be:


(…)

f) processed in such a way as to ensure adequate data security
personal data, including protection against unauthorized or unlawful processing and against
its loss, destruction or accidental damage, through the application of technical measures
or organizational arrangements (“integrity and confidentiality”).”

In the present case, it is clear that the personal data of the complaining party,

considering gas consumption as personal data (as has been
argued in the previous foundation), have been unduly exposed to all
the community members, since they have been sent by email as a report, previously
to the holding of the Meeting, which shows the month-by-month heating consumption
individualized, through the floor/door indicator, of each and every one of the
neighbors, resulting in a loss of confidentiality.


In accordance with the evidence available in this agreement of
initiation of the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered that the known facts could constitute a
infringement, attributable to the claimed party, due to violation of article 5.1.f) of the
GDPR.








C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/9









                                            IV
                Classification of the violation of article 5.1.f) of the RGPD


If confirmed, the aforementioned violation of article 5.1.f) of the RGPD could mean the
commission of the infractions classified in article 83.5 of the RGPD that under the
The section “General conditions for the imposition of administrative fines” provides:

“Infractions of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
a) the basic principles for the treatment, including the conditions for the

consent under articles 5, 6, 7 and 9; (…)”

For the purposes of the limitation period, article 72 “Infringements considered very
“serious” of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,

considered very serious and will prescribe after three years the infractions that involve
a substantial violation of the articles mentioned therein and, in particular, the

following:

a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679. (…)”

                                            V

           Proposed sanction for violation of article 5.1.f) of the RGPD

For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence currently available
agreement to initiate the sanctioning procedure, and without prejudice to what results from the

instruction, it is considered that the balance of the circumstances contemplated in the
article 83.2 of the RGPD and 76.2 of the LOPDGDD, with respect to the infringement committed
By violating the provisions of article 5.1.f of the RGPD, it allows initially setting a
fine of €600 (six hundred euros).

                                            V

                                  Adoption of measures

If the violation is confirmed, in accordance with the provisions of the aforementioned article 58.2 d)
of the RGPD, according to which each supervisory authority may “order the person responsible or
processor that the processing operations comply with the

provisions of this Regulation, where applicable, in a certain manner
and within a specified period…”, in the resolution that is adopted, it may be
require the claimed party to prove to this party within a period of one month
Agency to adopt the necessary measures to prevent the data from being disseminated
personal data related to gas consumption, without prejudice to others that could

derived from the procedure instruction.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/9









It is warned that failure to comply with the possible order to adopt measures imposed by
This body in the sanctioning resolution may be considered as a

administrative offense in accordance with the provisions of the RGPD, classified as
infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a
subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, by the Director of the Agency
Spanish Data Protection,


HE REMEMBERS:

FIRST: START SANCTIONING PROCEDURE for the COMMUNITY OF
OWNERS R.R.R., with NIF ***NIF.1, for the alleged violation of Article

5.1.f) of the RGPD, typified in Article 83.5.


SECOND: APPOINT B.B.B. as instructor. and, as secretary, to C.C.C.,
indicating that they may be challenged, if applicable, in accordance with the provisions of the
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector

Public (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the
documents obtained and generated by the General Subdirectorate of Inspection of

Data in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of the LPACAP, the sanction that
could correspond would be 600 euros, without prejudice to what results from the
instruction.


FIFTH: NOTIFY this agreement to the COMMUNITY OF OWNERS
R.R.R., with NIF ***NIF.1, granting a hearing period of ten business days to
to formulate the allegations and present the evidence that it considers appropriate. In
Your written allegations must provide your NIF and the file number that appears.
in the heading of this document.


If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in the article
64.2.f) of the LPACAP.


In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 480.00 euros, resolving the

procedure with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/9








will mean a 20% reduction in the amount. With the application of this reduction,
The penalty would be established at 480.00 euros and its payment will imply the termination of the

procedure, without prejudice to the imposition of the corresponding measures.

The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for recognition of responsibility, provided that this recognition
of the responsibility becomes evident within the period granted to formulate

allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain
established at 360.00 euros.


In any case, the effectiveness of any of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any action or appeal pending.
administrative against the sanction.

In the event that you choose to proceed with the voluntary payment of any of the amounts

indicated above 480.00 euros or 360.00 euros, you must make it effective
by depositing it into the IBAN account number: ES00-0000-0000-0000-0000-0000
(BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Agency of
Data Protection in the banking entity CAIXABANK, S.A., indicating in the
concept the reference number of the procedure appearing in the heading

of this document and the reason for the reduction in the amount to which it applies.

Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity
entered.


The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. After that period has elapsed without it having been issued and notified
resolution will expire and, consequently, the proceedings will be archived;
in accordance with the provisions of article 64 of the LOPDGDD.


In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, as far as
Subsequently, the notifications sent to you will be made exclusively
electronically, through the Unique Enabled Electronic Address (dehu.redsara.es), and
that, if you do not access them, your rejection will be recorded in the file, considering

the procedure has been carried out and the procedure is followed. You are informed that you can
identify to this Agency an email address to receive the notice
of making notifications available and that the lack of practice of this notice does not
will prevent the notification from being considered fully valid.


Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.


                                                                               935-18032024
Sea Spain Martí
Director of the Spanish Data Protection Agency


>>
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/9









SECOND: On April 27, 2024, the claimed party has proceeded to pay
the penalty in the amount of 480 euros making use of one of the two reductions

provided for in the Initiation Agreement transcribed above. Therefore, it has not been left
accredited recognition of responsibility.

THIRD: The payment made entails the waiver of any action or resource pending.
administrative against the sanction, in relation to the facts referred to in the
Startup Agreement.


FOURTH: In the initiation Agreement transcribed previously it was indicated that it could
agree to impose on the person responsible the adoption of appropriate measures to adjust his
performance to the regulations mentioned in this act, in accordance with the provisions of the
cited article 58.2 d) of the RGPD, according to which each supervisory authority may

“order the person responsible or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where applicable,
in a certain way and within a specified period….”


                           FOUNDATIONS OF LAW


                                           Yo
                                     Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and

guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                           II
                            Termination of the procedure

Article 85 of Law 39/2015, of October 1, on Administrative Procedure

Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:

"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction has only a pecuniary nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/9








inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,

except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction has only a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,

20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.


The reduction percentage provided for in this section may be increased
“regularly.”

Having proceeded to pay the pecuniary penalty, in accordance
With section 2 of this article, voluntary payment implies the termination of the

procedure, except in relation to the restoration of the altered situation. Therefore,
the imposition of the necessary measures is appropriate to stop the conduct or
correct the effects of the violation.

In accordance with what has been stated, the Director of the Spanish Agency for the Protection of

Data RESOLVES:

FIRST: DECLARE the termination of procedure EXP202304214, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: ORDER the COMMUNITY OF R.R.R. OWNERS. so that in the
within one month from when this resolution becomes final and enforceable, notify the
Agency the adoption of the measures described in the legal bases
of the Initiation Agreement transcribed in this resolution.


THIRD: NOTIFY this resolution to the COMMUNITY OF OWNERS
R.R.R.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.

                                                                              1309-16012024

Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es